Outsourcing IT Operations

We recently attended a very interesting seminar organised by the Global Association of Risk Professionals (GARP). Its aim was to help finance companies address APRA’s CPS 230 standard, which came into force on 1 July 2025. The standard addresses the need for finance companies to develop business continuity plans and to prudently manage their operational risks. Because outsourcing IT operations to third parties is now so common, the standard focuses heavily on this trend.

Speakers were from UniSuper, NAB and Deloitte and they spoke generally about their experience in preparing for the introduction of the new standard. 

The speaker from UniSuper focused on the company’s experience of having Google inadvertently delete the entire UniSuper Google Cloud subscription, impacting over 600,000 customers. This occurred even though UniSuper had duplicate infrastructure and data in two geographies.

The conversation settled primarily on the challenge of maintaining the resilience of IT applications and data, in light of the small number of vendors in Australia.

See below for a diagram that depicts the major vendors of IT infrastructure and applications in Australia.

By way of example, before cloud and SaaS, the four banks in Australia would own and operate their own data centres, IT systems and networks, and purchase the application software licences to run their businesses. If one of the banks suffered a power outage, a fire in its data centre or an IT malfunction, only its customers were impacted.

Today, it is likely that all four banks subscribe to the services of AWS, Microsoft and Google. So, if one of these providers suffers an outage, many more bank customers could be impacted.

The dominance of Microsoft is particularly concerning because it operates cloud services and three dominant SaaS services – O365, Teams and SharePoint. For a large proportion of Australian organisations, employees working from home are especially reliant on Teams.

The other aggregation of risks results from the concentration of data centres in Melbourne. There are currently four large data centres located in close proximity to each other in Port Melbourne, with NextDC planning another very large data centre nearby. Port Melbourne is about 2-3 metres above the Yarra River, which is open to the sea.


Uncertainty in the US

Finally, Jeff Bezos and Mark Zuckerberg have recently substantially changed their policies governing The Washington Post and Facebook. It’s plausible that, given the major changes occurring in the US, other companies mentioned in the diagram above could also initiate substantial changes to the way they operate, possibly impacting Australian companies.

What we used to take for granted is no longer!

We left the seminar believing that more Australian organisations should seriously consider APRA’s approach to managing their reliance on IT systems and data. 

The introduction of the Standard on 1 July 2025 adds urgency for Australia’s regulated entities!

PS: The electrical sub-station hit by the recent, incredibly impactful fire at Heathrow Airport apparently also supplied a number of the UK’s data centres!