Battleground Deep Dive into MSP


The concentration games

Now that 1 July has come and gone, every APRA-regulated entity will be tested on its implementation of CPS 230. The only question is whether that test happens first in the boardroom or in the newspaper. Either the regulator walks through your door for a deep dive as part of its well-publicised review series, or a material service provider goes down (another AWS cloud service outage, for example) and your customers find out the hard way just how concentrated your dependencies really are.

Irrespective of which comes first, the questions are the same: how well do you know your MSPs? And how many others are queued ahead of you when things go wrong?

An apology

CPS 230 requires organisations to assess the concentration risk of potential material service providers before signing them up. The guidance document doubles down on this requirement but offers no help as to how this can be achieved. As an author of those documents, saying ‘sorry’ probably isn’t enough. The MSP registers submitted on 1 October give the regulator a vantage point, but that view has not been extended to regulated organisations. Battleground may be able to help.

The first thing APRA will do with the MSP register is look for concentration risk across the regulated population. Correction: that’s the second thing they will do, right after fixing the data quality issues that are likely to surface. So in six to nine months expect to see something public from the regulator on MSP concentrations. Before then, we offer the following observations from our MSP benchmark study.

Our study included 28 participants, of which six were significant financial institutions (SFIs). For comparison, APRA oversees ~400 financial institutions, of which 48 are SFIs. So remember that our findings are biased by being overweight on SFIs.

You are twelfth in line, please hold on

143 unique MSPs were submitted in our benchmark collection, and one stood out as most popular.

The most popular MSP served 12 organisations in our benchmark

The most widely shared MSP is a core technology provider used by 12 of the 28 organisations, which would scale to 43% of the market if the pattern holds across the full APRA population. With a client base that crosses all three of the regulated industries it is very likely to catch the regulator’s eye, but more importantly, imagine what it would feel like waiting on the line with 43% of the market for your technology to be fixed.

The drawbacks of diversification

The average organisation had 20 MSPs, but that average hides sharp differences between the three industries:

  • RSE licensee: 32
  • ADI: 13
  • Insurer: 11

One organisation uses ~90 MSPs, well above the average of 20

The number of MSPs used by RSEs is driven by the number of investment managers they appoint. Super funds commonly hire multiple asset managers, each managing a slice of the portfolio for diversification benefits. In the benchmark each super fund spreads its investment management across a dozen or more external firms, yet at a systemic level pockets of concentration remain. As the Shield and First Guardian cases underline, a dozen managers multiply into many more fourth parties, all of which increases the oversight burden.

Look before you leap

How can any one organisation meet APRA’s requirement to assess concentration risk before entering into an agreement with a service provider? Benchmark participants received information on how popular each of their MSPs is, with an indication of how many other participants use the same MSP. This report can go some way to meeting that requirement.

Participants received specific concentration risk numbers on their MSP list


Participants received a line-by-line indication of how many other survey participants use the same MSP as them (left-hand table), how many of their MSPs are considered popular (middle bar chart), and the average popularity of their MSPs (right-hand bar chart).

With this report participants are armed with the information needed to answer APRA’s questions, particularly where market dynamics limit their options.

Depending on others

Diving deeper into the data, we proxied dependency by looking at how the sub-critical operations (sub-COs) in an organisation rely on MSPs. This showed that dependency varies with the type of service being provided. Many MSP categories are inherently oligopolistic, served by a few specialist firms, whereas others are highly fragmented, with dozens of providers:

  • Highly concentrated categories: Custodial Services in superannuation is typically handled by a small number of global custodian banks. In our data, just two custodians account for 86% of all custody sub-COs. Similarly, Internal Audit is often handled by a short list of firms. Categories like Payments & Settlements and Reinsurance also show only one to three providers used per organisation, indicating concentration driven by market structure.
  • Fragmented categories: in Financial Planning and Risk Management Consulting many niche providers exist, and no single firm has a large share. For instance, in Risk Management every provider in the dataset was unique to one client, implying no industry-wide dependence on any one vendor.

Within organisations, several cases of multi-sub-CO outsourcing exist (one MSP supporting several sub-COs of the same organisation), particularly among banks. This kind of dependency raises the bar for business continuity planning: when such an MSP is disrupted, many critical operations are impacted at once. The more ingrained a supplier is, the more important testing of business continuity plans becomes. Sequencing BCP testing is not easy, but benchmark participants can prioritise it where they see dependencies and concentration risk.
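The metrics described in the report above (how many other participants share each of your MSPs, how many of your MSPs are popular, their average popularity) and in the dependency analysis (top-provider share of a category's sub-COs, providers unique to one client, multi-sub-CO outsourcing within an organisation) can be computed from a flat register of organisation/MSP/sub-CO rows. The script below is an added illustration written for this page, not Battleground's benchmark tooling or APRA's register format; the register rows, provider names and the "popular" threshold of three sharing organisations are constructed assumptions.

```python
"""Concentration and dependency metrics over a simplified MSP register.

Added example: the data model and thresholds are assumptions made for
illustration. SAMPLE_REGISTER is constructed; the provider names are
fictitious and the rows are not taken from any real submission.
"""
from collections import Counter, defaultdict

# (organisation, industry, MSP, service category, sub-critical operation)
SAMPLE_REGISTER = [
    ("Bank A", "ADI", "CoreTech Ltd", "Core Banking", "account ledger"),
    ("Bank A", "ADI", "CoreTech Ltd", "Core Banking", "payments"),
    ("Bank A", "ADI", "CloudHost", "Hosting", "online banking"),
    ("Bank B", "ADI", "CoreTech Ltd", "Core Banking", "account ledger"),
    ("Bank B", "ADI", "CloudHost", "Hosting", "online banking"),
    ("Fund C", "RSE", "CoreTech Ltd", "Core Banking", "member ledger"),
    ("Fund C", "RSE", "GlobalCustody", "Custodial Services", "asset custody"),
    ("Fund C", "RSE", "AlphaAM", "Investment Management", "equities"),
    ("Fund D", "RSE", "GlobalCustody", "Custodial Services", "asset custody"),
    ("Fund D", "RSE", "BetaAM", "Investment Management", "fixed income"),
    ("Fund D", "RSE", "GammaAM", "Investment Management", "alternatives"),
    ("Insurer E", "Insurer", "CoreTech Ltd", "Core Banking", "policy admin"),
    ("Insurer E", "Insurer", "ReinsureCo", "Reinsurance", "cat reinsurance"),
    ("Insurer E", "Insurer", "NicheCustody", "Custodial Services", "asset custody"),
]


def msp_org_counts(register):
    """Popularity of each MSP: the number of distinct organisations using it."""
    orgs_by_msp = defaultdict(set)
    for org, _industry, msp, _category, _subco in register:
        orgs_by_msp[msp].add(org)
    return {msp: len(orgs) for msp, orgs in orgs_by_msp.items()}


def scale_to_market(sample_count, sample_size, population):
    """Extrapolate a sample count to the whole population, assuming the
    sample is representative. Returns (market share %, estimated org count)."""
    share = sample_count / sample_size
    return round(100 * share, 1), round(share * population)


def org_report(register, org, popular_threshold=3):
    """Per-organisation view matching the benchmark report: for each of its
    MSPs, how many other participants share it; how many of its MSPs are
    'popular' (used by at least popular_threshold organisations, an assumed
    cut-off); and the average popularity across its MSPs."""
    counts = msp_org_counts(register)
    own = sorted({msp for o, _i, msp, _c, _s in register if o == org})
    shared_with_others = {msp: counts[msp] - 1 for msp in own}
    popular = sum(1 for msp in own if counts[msp] >= popular_threshold)
    avg = sum(counts[msp] for msp in own) / len(own) if own else 0.0
    return {
        "shared_with_others": shared_with_others,
        "popular_msps": popular,
        "avg_popularity": round(avg, 2),
    }


def top_n_share(register, category, n=2):
    """Percentage of a category's sub-COs served by its n most-used providers.
    A high value signals concentration driven by market structure."""
    per_provider = Counter(msp for _o, _i, msp, cat, _s in register if cat == category)
    total = sum(per_provider.values())
    if total == 0:
        return 0.0
    top = sum(count for _msp, count in per_provider.most_common(n))
    return round(100 * top / total, 1)


def providers_unique_to_one_client(register, category):
    """True when every provider in the category serves exactly one organisation,
    i.e. the category shows no industry-wide dependence on a single vendor."""
    orgs_by_msp = defaultdict(set)
    for org, _i, msp, cat, _s in register:
        if cat == category:
            orgs_by_msp[msp].add(org)
    return bool(orgs_by_msp) and all(len(o) == 1 for o in orgs_by_msp.values())


def multi_subco_msps(register, org):
    """MSPs that support more than one sub-CO of the same organisation: the
    suppliers whose outage would hit several critical operations at once."""
    subcos_by_msp = defaultdict(set)
    for o, _i, msp, _c, subco in register:
        if o == org:
            subcos_by_msp[msp].add(subco)
    return {msp: sorted(s) for msp, s in subcos_by_msp.items() if len(s) > 1}


if __name__ == "__main__":
    print("popularity:", msp_org_counts(SAMPLE_REGISTER))
    print("12 of 28 scaled to ~400 entities:", scale_to_market(12, 28, 400))
    print("Bank A report:", org_report(SAMPLE_REGISTER, "Bank A"))
    print("top custodian share:", top_n_share(SAMPLE_REGISTER, "Custodial Services", n=1))
    print("Bank A multi-sub-CO MSPs:", multi_subco_msps(SAMPLE_REGISTER, "Bank A"))
```

The extrapolation in scale_to_market is the arithmetic behind the "12 organisations scales to 43% of the market" figure above; it is only as good as the assumption that the sample's mix of industries and sizes matches the regulated population, which, as noted, is not the case for an SFI-heavy sample. The popularity threshold is a policy choice to be set against your own appetite rather than a number the page prescribes.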

Risk Management

From a risk management perspective, MSP choice requires balancing competing risks against appetite: concentration, dependency and oversight burden. As with all risk-based decision making, having the right information to hand helps you pick the providers that match your objectives and appetites. It can also help prioritise your BCP testing efforts into the areas that move the dial.

Truly linking risk and resilience requires management of three distinct but related layers of exposure:

  1. The inherent risk in what is being done on your behalf, such as hosting sensitive data
  2. Whether the MSP can be trusted to deliver: does it have the capability, resources and long-term viability to perform the task effectively?
  3. The quality of the contract, KPIs, SLAs and governance that shape how the MSP relationship is managed

Effective third- and fourth-party risk management starts by recognising these three layers and managing them as integral parts of the organisation’s overall risk profile.

Next steps

The experts at Battleground are here to ensure your organisation is prepared for tomorrow, today, including:

  • Verify your ability to detect, respond and recover through plans and exercises
  • Review BCP and crisis testing plans to assess how you are incorporating MSPs
  • Connect MSP resilience activities to MSP risk management
  • Challenge the depth and appropriateness of your identified MSPs
  • Map out nth party dependencies
  • Build a view of your organisation that tells you what is disrupted in the case an MSP can’t perform.

Use this link to the benchmark survey if you wish to understand the concentration risk and dependency of your providers.

Looking to find out more? Want to know why you’re better with Battleground? Speak to the team at Battleground today to prepare your organisation for tomorrow.

Paul Minter

DIRECTOR | NON-FINANCIAL RISK
