APRA released its inaugural System Risk Outlook publication on 20 November 2025
The publication provides us with APRA’s most comprehensive view on systemic risk and geopolitical risk together to date. In this article we review APRA’s observations and consider implications for the risk functions of APRA-regulated entities.
APRA’s article comes at a time when awareness of geopolitical risk in Australia and globally is increasing, accompanied by implications for Australia’s domestic risk profile. This article will primarily address geopolitical risk considerations for financial institutions.
Australia tends to lag other jurisdictions in maturity regarding geopolitical risk. This may have a number of root causes:
- A belief that Australia is somehow shielded from geopolitical risk due to its geographical distance from Europe, the USA, and Asia;
- The external source of this risk makes it harder for an entity to mitigate or manage; and
- Cognitive bias – many of the transmission mechanisms of geopolitical risk are less than pleasant, and human beings often prefer to think and talk about pleasant things. (We acknowledge Governance, Risk and Compliance professionals and regulators may be less susceptible.)
APRA’s publication signals that regulated entities need to increase awareness and uplift action on geopolitical risk. It also provides guidance on relevant considerations.
APRA makes the salient point that geography can no longer insulate Australia in the 21st century. The global economy, including Australia, is significantly interconnected, fostered by decades of free trade and capital flows, extraordinary advances in technology and – until recently – a sense of optimism about the global world order. Events in one jurisdiction can impact entities in another jurisdiction almost instantaneously.
PFS recently authored a paper on geopolitical risk to aid entities in their risk management journey.
We acknowledge that, unlike many other risks, geopolitical risk arises externally, and therefore there are fewer mitigants and even fewer internal controls that can be designed and implemented.
APRA therefore logically turns its focus to resilience at an entity and system level.
At an entity level, APRA points to the requirements set out in CPS230 Operational Risk Management to help entities improve resilience in the face of shocks.
At a system level, APRA extends its analysis to consider system-wide risks and concentrations of risks, including the impact of third parties.
The system-wide stress test that APRA reports on is notable for being the first test of its kind in Australia. APRA reports a limited amount of information on its test, in contrast to peer regulators in other jurisdictions, such as the ECB, who have already completed such tests. Notably, the ECB provides granular information on elements and parameters of the stress test. Such information may improve transparency and provide more guidance to regulated entities for testing and measuring their resilience.
The duration of the stress test is itself striking: it was conducted over a 12-month period, in contrast to many conventional entity-level BCP/DRP tests, which frequently run for less than 24 hours.
It covered large banks and super funds, apparently excluding insurers. While the role of insurers appears minimal in respect of the scope of this test, insurers typically act as shock absorbers and mitigate financial impacts of risk events, thereby playing a critical role in Australian and global economic activity.
PFS’ inaugural survey on CPS230 readiness in 2025 covered a range of topics including MSPs and fourth parties. We intend to conduct annual surveys on CPS230 issues and trends.
PFS welcomes further information that APRA may seek to provide the industry regarding non-traditional service providers outside APRA’s regulatory perimeter, concentrations of risk, and dependencies upon service providers based outside Australia.
APRA has not referred to the Security of Critical Infrastructure Act (SOCI) in this article. In our view, regulated financial institutions should consider the risk and resilience implications of engaging service providers which are not regulated by APRA but do have to meet certain risk management obligations, e.g. Australia’s payment infrastructure.
There are references in the publication to peer regulators with whom APRA collaborates, and entities with a global or multinational footprint will be conscious of managing the overlay of expectations from multiple regulators.
APRA does not explicitly mention AUSTRAC; however, regulated entities which are existing AUSTRAC reporting entities will be cognizant of the AML/CTF Act Tranche 2 reforms effective 31 March. These reforms impose additional obligations on entities, particularly banks and super funds, and expand obligations regarding key topics relevant to geopolitical risk such as sanctions and proliferation financing.
How can financial institutions uplift their geopolitical risk management?
- Does your risk register include geopolitical risk?
- If your risk register includes country risk, political risk, sovereign risk and/or market risk, have you reassessed your risk profile and appetite for these risks?
- What transmission channels have you identified?
- How many MSPs do you have?
- How have you assessed the risk to your entity of material arrangements with third parties?
- Have you tested your resilience for a geopolitical risk event?
- If you are an AUSTRAC reporting entity, have you assessed the impact of Tranche 2 changes effective 31 March 2025?
- What expertise in geopolitical risk does your executive team and Board possess?
- What data do you use to measure geopolitical risk?
- What information does your executive team use to assess geopolitical risk and resilience, and what information is reported to your Board/Board Risk Committee?