Surviving and thriving amidst the volatilities of the current operating landscape has been at the forefront of APRA’s focus on operational resilience as a key priority for regulated entities in Australia, culminating in the CPS230 – Operational Resilience Standard coming into force in July 2025. 

Operational resilience refers to an organisation’s ability to withstand and adapt to operational disruptions while maintaining critical business functions, services, and processes. It encompasses the organisation’s capacity to anticipate, prevent, recover from, and adapt to various internal and external shocks. 

The constantly evolving global, economic and regulatory environment within which today’s organisations operate poses significant challenges, which have redefined how companies view risks and their risk management practices. Striking the right balance between pursuing growth opportunities and managing risks in order to cater for consumer and shareholder expectations whilst keeping up with competitors is an onerous task for management. 

When it comes to enhancing operational resilience, implementing robust risk management practices and structures capable of managing existing risks, whilst anticipating emerging ones with adequate and appropriate resourcing, and remaining dynamic enough to adapt to the ever-changing operating landscape adds yet another layer of challenge for organisations. 

In the current risk landscape, organisations are faced with a multitude of risks including:

Economic and Financial Risks: Increased susceptibility to economic factors, including market volatility, exchange rate fluctuations, interest rate changes, and economic downturns, means organisations must be adequately prepared for potential disruptions to supply chains, market demand, and financial stability, and have in place effective strategies to mitigate these risks. 

Regulatory and Compliance Risks: Australia has robust regulatory frameworks across its various industries, with financial services being one of the most heavily regulated. Ensuring compliance with applicable laws, regulations, and standards to avoid penalties, legal actions, and reputational damage is a necessity which places a heavy burden on organisations.

Along with adequate resourcing to fulfil these requirements, organisations are increasingly focusing on the strength of their governance practices and structures to provide crucial gatekeeping and challenge, ensuring that regulatory and compliance requirements are not only met in policies but also implemented and embedded in practice. 

Social and Consumer Risks: With the shift in the main consumer base from Baby Boomers to Millennials and towards Gen X and Gen Z, organisations are beginning to see changes in consumer expectations, stakeholder activism, and public sentiment. Effectively addressing issues such as diversity and inclusion, responsible business practices, and ethical sourcing with a demonstrated commitment to social responsibility and transparent communication with stakeholders are all essential for remaining competitive. 

Workforce and Talent Risks: In addition to compliance with labour laws, talent management strategies need to be geared towards attracting and retaining skilled talent in a tight labour market. A key part of this strategy is addressing workplace health and safety requirements, which now includes psychological safety considerations and implementing these within a hybrid work environment in order to effectively manage workforce and talent related risks. 

Geopolitical and Trade Risks: Australia’s position in the global economy exposes organisations to geopolitical risks, including trade disputes, changes in international relations, and geopolitical tensions. These risks can impact supply chains, market access, and regulatory frameworks. Now more than ever, organisations need to monitor geopolitical developments and proactively assess their potential impact on the organisation as a whole and its customer base.

Cybersecurity and Data Risks: With the increasing reliance on digital infrastructure come growing cybersecurity risks, including data breaches, ransomware attacks, and intellectual property theft, which can result in financial losses, reputational damage, and regulatory non-compliance. Recent high-profile breach incidents have demonstrated that even organisations with highly resourced IT and security functions are not immune in a continually evolving threat landscape. Changes to the Privacy Act pose increased obligations upon entities that collect, store, use and disclose personal information whilst also expanding the rights of individuals with respect to their privacy. The severity of the penalty recently imposed by APRA on Medibank for its recent data leakages sends a clear message that organisations must invest in robust cybersecurity measures, employee training, and incident response plans to safeguard sensitive data and maintain business continuity.

Heightened pressure around cyber-security awareness and oversight has organisations considering the following: 

  • The appropriateness and adequacy of policies and procedures to identify and manage cyber-security risks; 
  • Management’s role in implementing cyber-security policies and procedures; 
  • Appropriateness of staff education and awareness programs and the governance structures in place; and 
  • Cyber-security risk awareness at the Board level and whether this is commensurate with the cyber-security risk exposure of the organisation.

Environmental Social Governance (ESG) and Sustainability: ESG and sustainability are two related but very distinct concepts that are often incorrectly used interchangeably. ESG factors are a subset of sustainability considerations and help assess a company’s sustainability performance by examining specific aspects such as carbon emissions, resource management, labour practices, community engagement, board diversity, transparency, and ethical behaviour.
ESG criteria are used to evaluate a company’s sustainability practices and its alignment with environmental and social goals. Environmental and social impact, as well as governance practices of organisations are increasingly influencing the decision making of customers, investors, employees, and other key stakeholders.     
Recognising the criticality of incorporating ESG and Sustainability considerations in their strategies, organisations are directing more resource towards methodically defining Sustainability and ESG capabilities and understanding the level of current maturity in order to create and execute targeted roadmaps to meet relevant required reporting obligations.
In the sustainability horizon, the Global IFRS Sustainability Standard was officially launched by the ISSB recently. Treasury is working closely with the AASB on the development of Australia’s own climate-related disclosure requirements. The proposed disclosure standards are expected to closely align to the requirements in the IFRS S2 Climate-related Disclosures. Although key decisions are still in progress, it is expected that the Standards will firstly apply to “for-profit” entities and General Purpose Financial Reports. 

Markets and Consumers: The markets and consumers are quick to punish organisations (particularly those in the highly scrutinised financial services sector) when an operational risk event signalling a failure of internal controls, processes and governance measures occurs. In addition to the significant financial consequences including sizable penalties, the reputational damage associated with the loss of consumer and shareholder trust and confidence can have more significant and long-lasting adverse consequences.

Organisations looking to bolster their operational resilience capabilities in this challenging risk landscape are fast moving away from traditional, narrowly focused strategies that are developed and executed in a linear, sequential manner with a fixed set of requirements and a predetermined timeline. Instead, they are adopting agile strategies that offer more flexibility and adaptability, enabling a proactive and collaborative approach to risk management to better allow businesses to navigate uncertainties and capitalise on emerging opportunities.

The inherently iterative nature of an agile strategy allows for the integration of risk management at every stage, so that organisations can identify, assess, and respond to risks effectively, enhance operational resilience, and increase the likelihood of successful outcomes in a rapidly changing business environment. 

FOR MORE INFORMATION

Please do not hesitate to contact Beenu Fernando or any others in the Risk Advisory team to discuss how we can help your organisation.