APRA sets expectations for preparedness against geopolitical shocks

The six key areas are enterprise risk, operational resilience, personnel, political, financial resilience and crisis preparedness.

The risks are similar to a framework outlined by fellow council member the Reserve Bank of Australia on 9 June.

In a statement, APRA said common gaps in preparedness include:

• actions by nation states to impose sanctions, restrict market access or reduce capital mobility are often not considered explicitly in business plans, or credit, funding and investment strategies
• risk management practices are not keeping pace with rapidly evolving threats. These include personnel-related security risks, and risks associated with disinformation campaigns that could undermine confidence in an entity’s resilience
• many boards are still developing the technical literacy needed to provide effective challenge on technology-related risks such as AI. Reliance on critical third parties, often located overseas, makes it more challenging to manage these risks
• crisis preparedness exercises are not always strong enough to give boards and management confidence that the entity could withstand and respond effectively to a severe geopolitical shock

Lonsdale said the regulator is “mindful of our commitment to getting the balance right between safety and efficiency” as he clarified that the new expectations do not come with new prudential requirements and should be managed through the existing framework.

He said the expectations would be applied proportionally depending on each regulated entity’s size, business model and complexity.

He also stressed that smaller entities would be wrong to believe “they’re not big enough or sufficiently active internationally for geopolitical shocks to impact them”, as the recent spike in diesel prices in regional Australia have shown.