In a changing regulatory environment, the message is clear — directors cannot outsource responsibility for third-party risk, write McGrathNicol Partner Sara Deady and Head of Advisory Matt Fehon AM GAICD.
Presented by McGrathNicol
Third-party and supply chain risks have been identified as key concerns for Australian company directors. Legislative reforms, regulatory scrutiny and heightened stakeholder expectations make it clear — outsourcing does not permit offloading your responsibility.
The Australian Prudential Regulation Authority’s CPS 230 standard, effective from 1 July 2025, is a game changer for directors overseeing financial institutions. It expands oversight beyond traditional outsourcing to all material service providers (MSPs), meaning providers that are critical to operations and/or pose significant operational risk. Directors must ensure contractual safeguards, robust due diligence and ongoing monitoring of MSPs.
The Security of Critical Infrastructure Act 2018 (SOCI) requires many organisations across 11 critical infrastructure sectors to consider risk across key hazard categories. SOCI obligations require organisations to consider how their current frameworks and risk management plans align with “best practice standards” for cyber, supply chain, personnel, and physical and natural hazards. This shift reflects a broader regulatory trend. Proposed reforms to the Privacy Act 1988 and the expansion of climate-related reporting obligations, among other changes, require organisations to account for data protection and ESG risks across their broader supply chains. The Modern Slavery Act 2018 is also under review, with civil penalties for reporting breaches potentially on the way.
Directors must understand legal liability does not end at their company’s doorstep. Courts and regulators increasingly view failure to manage third-party risks, whether cyber, legal, environmental or ethical, as a failure of corporate governance.
Own your supply chain risk
In cybercrime, threat actors that fail to infiltrate a larger intended target directly are successfully compromising that target’s suppliers and service providers as an alternative route in. Organisations have rightly focused on their own defences. However, too many don’t question how their assets and information are managed within their supply chain and by key counterparties. The 2025 McGrathNicol Risk and Security Survey found 71 per cent of surveyed organisations are not considering end-to-end supply chain security, and 70 per cent are not conducting due diligence on their key suppliers and are therefore overlooking vulnerabilities.
With the focus on resilience, directors should ask whether management have processes to embed third-party risk management into core governance frameworks. This includes identifying material service providers, assessing fourth-party risks (the suppliers of your suppliers) and ensuring transparency in the supply chain. To do this, organisations need to adopt a multi-lens approach to upfront and ongoing financial and non-financial due diligence. Key risk areas should be identified and reflected in contractual terms, and performance against risk management frameworks monitored.
The message is clear — while services can be outsourced, accountability cannot. Directors must understand the threat landscape. Without active oversight, third-party vulnerabilities can snowball to a board-level crisis and costly remediation.