Financial services embrace AI and automation to tackle third-party risks

Financial services organisations are facing growing challenges in managing third-party risks.

Despite nearly six years of compliance with APRA’s CPS234 regulation, which mandates robust information security standards for third-party service providers, these challenges persist.

Many organisations are now recognising that traditional compliance-focused processes fall short in addressing today’s complex cybersecurity landscape.

Joseph Green, Risk Advisory Director at BDO in Australia, said a major shift is underway in how third-party assurance activities are approached.

“Organisations are moving away from audit-based relationships and toward more proactive, partnership-driven models,” he said.

“This shift allows companies to not only comply with regulations but also build long-term, strategic relationships with vendors that focus on real-time risk mitigation, continuous improvement, and shared goals.

“Rather than simply ticking boxes, organisations need to shift toward a more proactive, relationship-driven model that helps them better understand and mitigate third-party risks in real time,” Joseph said.

AI and automation are vital tools in this transition. Joseph said that by automating low-value tasks, organisations can free up resources to focus on higher-value activities, such as deeper vendor engagement and ongoing risk assessment.

“AI is becoming an essential tool for financial services organisations looking to streamline third-party risk management. By automating routine, low-value tasks and low-risk vendors, AI allows teams to focus on higher-risk vendors, enabling a deeper dive into these relationships.

“This shift frees up resources to concentrate on more strategic areas such as continuous improvement and more meaningful vendor engagement.

“Additionally, AI tools can help organisations automate the analysis of vendor risk assessments, flagging anomalies and identifying potential risks that would otherwise require manual review.

“For organisations with lean teams, AI offers significant advantages. By automating routine processes like data entry, vulnerability management, and compliance checks, AI empowers teams to focus on the high-impact tasks that require human expertise.

“These advancements not only reduce the burden of manual work but also enable more proactive risk management.

“Furthermore, AI can provide real-time insights and predictive analytics, allowing organisations to address emerging risks before they escalate into larger problems.

“This level of agility is essential in today’s fast-paced and ever-evolving threat landscape.”

The industry is moving past traditional, compliance-driven approaches that rely on static processes like questionnaires and assessments.

While these methods were a good starting point under CPS234, Joseph said they often fail to provide the depth and flexibility required to mitigate the increasing complexities of third-party risks.

“Despite significant time and resource investments, traditional methods often fall short, especially when it comes to strategic or material third parties,” he said.

“The industry needs a new approach—one that not only ensures compliance but also promotes ongoing collaboration, continuous improvement, and a deeper understanding of third-party risks.”

The forthcoming CPS230 regulation, which will expand requirements beyond information security to include operational risks, may exacerbate these challenges.

As such, organisations must shift toward a more integrated, cohesive approach to risk management, where AI and automation play a key role in streamlining processes and enabling real-time risk mitigation.

For media enquiries:
Tate Papworth 
Manager, Media 
E: Tate.Papworth@bdo.com.au 
Ph: 0433411189