AWS specialist argues CPS 230 wrongly seen as multi-cloud mandate


An AWS specialist has argued that Australian organisations are “unnecessarily” pursuing multi-cloud strategies in an effort to meet the upcoming CPS 230 operational risk standard.

Speaking at the recent AWS Partner Summit Sydney, AWS specialist security solution architect and former Australian Prudential Regulation Authority (APRA) risk specialist Julian Busic claimed that some boards or executives are “over-interpreting” a CPS 230 requirement regarding service provider risks.

He was referring to the requirement that an APRA-regulated entity “assess the financial and non-financial risks from reliance on the service provider, including risks associated with geographic location or concentration of the service provider(s) or parties the service provider relies on in providing the service”, before entering into or materially modifying a material arrangement.

The CPS 230 operational risk management standard is scheduled to come into effect on July 1, 2025. It is intended to ensure that APRA-regulated entities are resilient to operational risks and disruptions.

In Busic’s view, some boards or executives were “over-interpreting” the word ‘assess’.

“The intent is that customers monitor, assess the concentration risk they're exposed to. It is a long horizon. Assess means assess. It does not mean act,” he told partners in Sydney.

“Unfortunately, with some customers, with boards, with execs who don't have the benefit of direct guidance from partners like you guys, from people like myself, we are seeing assess being interpreted - over interpreted - as taking action. And we're seeing customers and sometimes partners unnecessarily pursuing multi cloud strategies.”

Busic encouraged partners to “frame those customer conversations in the context of net risk position.”

“I'm not saying that concentration risk doesn't exist, but it is a long-term consideration, and even something that really is not for customers to consider as much as perhaps governments at a national level.

“Ask your customers, ‘Think about your risk profile running two or more clouds versus just specialising or standardising on one – particularly if you're early off in your cloud journey.’

“[I have a] strong view that you have a lower net risk position if you select and excel with one cloud provider, being AWS.”

In Busic’s view, the more pressing immediate considerations should include mitigating the biggest risks, which he argued included running multiple clouds, security, patching, resilience, governance and resource constraints.

“Make multi-cloud a longer-term consideration,” he urged partners.

This was one of several “regulatory myths and misunderstandings” Busic took aim at. They included ‘We're not allowed to build critical systems in the cloud’, ‘I've got to have multi-cloud solutions for critical systems’, ‘I can't use overseas regions for data backups’ and ‘I've got to use multiple providers to address concentration risk’.

“Critical systems are permitted [to be on the cloud] as long as risks are understood and managed. Regulators are principles based, they don't prescribe particular architectures or solutions, so I don’t have to go multi-cloud, I don't have to not use an overseas region, for example,” he told partners.

Beyond finance

While CPS 230 is a “hot topic” in the financial services industry, Busic argued it also provided “excellent industry agnostic guidance” and a “high bar” partners can use to improve risk management in other industries.

“This includes offering prescriptive advice and resource augmentation when it comes to resilience, recovery, building and testing, disaster recovery systems and platforms.”

Copyright © nextmedia Pty Ltd. All rights reserved.