
Strengthening readiness for geopolitical shocks

Purpose


Geopolitical shocks can affect the Australian financial system through multiple channels. These shocks can threaten the safety and resilience of regulated entities and their ability to provide critical financial services.

Strengthening readiness for geopolitical shocks requires action by entities, regulators and other public sector partners. APRA and other Council of Financial Regulators (CFR) agencies are working together on system-wide resilience and public-private coordination. Entities also need to act now through their own governance, risk management and crisis preparedness practices.

As Australia’s prudential regulator for banks, insurers and superannuation trustees, APRA is setting clear expectations on how entities should integrate geopolitical risk into governance, risk management and crisis preparedness practices to strengthen readiness for geopolitical shocks. These expectations are intended to inform how entities apply existing prudential requirements to the current operating environment.

Common gaps in readiness


APRA found that, while many entities are alert to geopolitical risk, there are differing levels of maturity in how this awareness is translated into risk management practices and crisis preparedness. Work undertaken by APRA as part of its ongoing supervision and through the CFR identified common gaps across enterprise risk management, emerging risks and crisis preparedness, which include:

  • Entities give limited consideration to geopolitical risk as an amplifier of existing material risks. For example:
    • Financial risk: Entities often do not explicitly consider actions by nation states to impose sanctions, restrict market access or reduce capital mobility in their business plans, credit decisions, funding plans or investment strategies.
    • Non-financial risk: Artificial intelligence (AI) adoption is materially changing the global cyber threat landscape. Many Boards are still developing the technical literacy needed to provide effective challenge on these risks. Reliance on critical third parties, often located overseas, also makes it more difficult to assess, mitigate and manage these risks.
  • Risk management practices are not keeping pace with rapidly emerging threats. These include personnel-related security risks, such as foreign interference, and risks associated with disinformation campaigns that could undermine confidence in an entity’s resilience.
  • Entities make insufficient use of periodic crisis exercises to build confidence that they are ready to respond to severe but plausible geopolitical shocks. These exercises often do not test decision-making, escalation and communication protocols across multiple risk areas under conditions of heightened uncertainty.

APRA’s assessment of the significance of these gaps to entity safety and resilience has informed the minimum expectations for strengthening readiness for geopolitical shocks.

Entity expectations


Financial resilience in Australia remains strong. However, the geopolitical environment continues to evolve, and the scope for shocks to occur and escalate is greater than before.

APRA outlines in Attachment A minimum expectations for how entities should manage the prudential risks from geopolitical shocks. These expectations are intended to support the resilience of the financial system and the provision of critical financial services across a range of geopolitical scenarios.

These minimum expectations have been informed by the CFR’s work on system-wide preparedness. Over the past 18 months, CFR agencies have engaged with large financial institutions to better understand potential impacts from adverse geopolitical events and opportunities to strengthen preparedness.

Attachment B provides examples of how the impacts of geopolitical shocks are expected to be considered as part of APRA’s existing prudential requirements. These examples are intended to help entities adapt existing risk management practices to the current operating environment.

Given the importance of these issues, APRA expects Boards to satisfy themselves that:

  • Geopolitical risk is reflected in strategy, risk appetite and Board oversight.
  • Management has identified and is addressing material gaps against the minimum expectations in this letter, with clear accountabilities and timelines.
  • Management is reporting on financial and non-financial exposures, offshore dependencies and service provider vulnerabilities that could be affected by geopolitical shocks.

APRA actions


APRA’s 2026-27 Corporate Plan will include a continued focus on lifting geopolitical risk readiness. As part of this work, APRA will incorporate targeted readiness assessments into supervisory plans for a broader group of larger entities with heightened exposure to geopolitical shocks. These entities will be drawn from the banking, insurance and superannuation sectors.

The assessments will require entities to identify gaps against the minimum expectations in this letter, with a focus on crisis preparedness, personnel risk and political risk. Entities outside this group are still expected to take a risk-based and proportionate approach, with supervisors engaging through routine supervision.

APRA will also confirm that all entities ensure that accountability for managing geopolitical risk is clearly assigned to relevant accountable persons and that Boards reflect consideration of geopolitical risk in their annual Risk Management Declaration, having regard to the entity’s risk profile and readiness.

APRA does not expect all entities to respond in the same way. Smaller and less complex entities should focus on the risks most material to their operations, counterparties, service providers and customers. Entities should engage with their APRA supervisor where they identify significant gaps or remediation challenges.

Entities should remain adaptable in an operating environment in which geopolitical shocks are likely to be more frequent, more complex and more consequential. Where APRA identifies heightened exposure, weak governance, or inadequate crisis preparedness, we will take appropriate supervisory action to address these gaps.

John Lonsdale
Chair

Attachment A: Minimum expectations


Geopolitical risk is defined as the potential for adverse impacts on the financial system from international tension, including trade restrictions, sanctions, grey-zone activities and conflicts.[1] Unlike more familiar economic or market shocks, geopolitical shocks can build gradually, escalate quickly and be transmitted through multiple channels simultaneously.

Traditional risk management approaches may not fully capture stress that is interconnected, fast-moving and driven by external events. A single geopolitical event could disrupt critical suppliers, increase cyber threats, trigger sanctions obligations, affect offshore operations or investments, interrupt claims, administration or member services, and undermine customer, member and market confidence.

Entities therefore need to be able to identify interdependencies early, escalate issues quickly, make clear decisions under stress, and coordinate responses across business areas and with public sector partners.

Entities are also expected to give closer attention to emerging risks that manifest in new or different ways. This includes new risks and challenges with prudential consequences, such as foreign interference and disinformation, as well as preparedness for sanctions and other international policy actions that could disrupt funding, payments, operations or access to offshore markets.

Technological change can also interact with geopolitical risk. For example, frontier AI models may change the nature, speed, and scale of cyber, disinformation, and operational risks. APRA’s recent industry letter on AI, together with this letter, provides Boards with a clear basis to test whether risk management practices are adaptable and remain fit for purpose.

APRA expects Boards to take reasonable steps to consider these minimum expectations, focusing on the risks most material to their operations, counterparties, service providers and customers.

Minimum expectations to be considered relative to the size, business model and complexity of a regulated entity

Enterprise risk
  i. Geopolitical risk is incorporated into governance arrangements, risk frameworks, practices and culture, and is reflected in an entity’s risk appetite.
  ii. The geopolitical environment is actively monitored to identify emerging threats relevant to an entity and inform timely risk assessment and strategic decision-making.
  iii. Governance and communication protocols support coordinated decision-making and timely response during a crisis, including where false or misleading information could affect customers, members, policyholders or markets.

Operational resilience
  iv. Operational resilience is embedded in an entity’s risk management practices to support continuity of critical operations and effective management of service provider vulnerabilities across a range of geopolitical scenarios.

Personnel
  v. Security and integrity policies and practices are in place to identify, manage and respond to insider threats and foreign interference.
  vi. Contingency arrangements are in place to support continuity of staffing and resourcing for critical operations during geopolitical disruption.

Political
  vii. Processes are in place to identify, escalate and implement sanctions obligations and other material international policy measures that could affect an entity.
  viii. At-risk offshore operational, asset and investment exposures are identified, and contingency plans are in place for disruption, freezes, restrictions or loss of access.

Financial resilience
  ix. Capital and liquidity planning, as well as investment stress testing, routinely consider severe but plausible geopolitical scenarios, including market closure, sanctions, capital trapping and funding stress.

Crisis preparedness
  x. Crisis response capabilities, including playbooks, plans and exercises, are established and maintained proportionately to an entity’s risk profile.

Attachment B: Examples of application of minimum expectations under existing APRA Prudential Standards


The table below provides specific examples, illustrative but not exhaustive, of how an entity can strengthen its current risk management practices.[2] They are intended to demonstrate how existing APRA prudential standards may be applied in practice.

The relevance of these examples will vary across entities. Entities are expected to focus on issues most material to their business model. In addition, entities are expected to continue to maintain robust financial and operational risk management, and progress improvements to strengthen broader cyber and third-party service resilience.

Enterprise risk [3]

Category: Enterprise risk

Examples of relevant APRA Prudential Standard requirements

Geopolitical risk

An APRA-regulated institution must maintain a risk management framework for the institution that enables it to appropriately develop and implement strategies, policies, procedures and controls to manage different types of material risks and provides the Board with a comprehensive institution-wide view of material risks.[4]

An APRA-regulated institution must identify and consider the material risks associated with the institution’s strategic objectives and business plan and must explicitly manage these risks through the risk management framework, including how changing these plans affect the institution’s risk profile.[5]

An APRA-regulated institution must maintain an appropriate, clear and concise risk appetite statement for the institution that addresses the institution’s material risks. The Board is responsible for setting the risk appetite of the institution and must approve the institution’s risk appetite statement.[6]

Illustrative geopolitical risk examples

Geopolitical risk

  • Geopolitical risk factors relevant to the entity’s size, business mix, and complexity are incorporated into existing risk management frameworks and practices.
  • Geopolitical risk is considered within strategic business planning.
  • The Board sets and oversees the entity’s risk appetite in a manner that explicitly accounts for geopolitical risk.

Geopolitical environment

  • Regular monitoring of the geopolitical environment is conducted to identify emerging threats that could impact the entity (e.g. in enterprise-wide contingency plans).

Communication

  • Crisis communication protocols are maintained to support communication with depositors, policyholders, beneficiaries, counterparties and markets in geopolitical stress conditions.
  • Strategies to mitigate the risks of disinformation are integrated into risk management and crisis response arrangements, including communication plans for depositors, policyholders or beneficiaries where relevant.

Operational resilience [7]

Category: Operational resilience

Examples of relevant APRA Prudential Standard requirements

Operational resilience

An APRA-regulated entity must manage its full range of operational risks, including but not limited to legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management risk. Senior management are responsible for operational risk management across the end-to-end process for all business operations.[8]

An APRA-regulated entity must:

  • Maintain a credible BCP that sets out how it would maintain its critical operations within tolerance levels through disruptions, including disaster recovery planning for critical information assets.[9]

For each material arrangement an APRA-regulated entity must:

  • Identify and manage risks that could affect the ability of the service provider to provide the service on an ongoing basis.[10]
  • Identify and manage risks to the APRA-regulated institution that could result from the arrangement, such as step-in risk or contagion risk.

Illustrative geopolitical risk examples

Operational resilience

  • Geopolitically driven operational risks are identified, assessed, and managed with effective internal controls, monitoring and remediation.
  • Critical operations and services can be sustained within tolerance levels through severe geopolitical disruptions.
  • Geopolitical risks associated with service providers are effectively identified and managed.

Personnel risk [11][12]

Category: Personnel risk

Examples of relevant APRA Prudential Standard requirements

Security and integrity

An APRA-regulated entity must maintain an information security policy framework commensurate with its exposures to vulnerabilities and threats.[13]

An APRA-regulated entity must have information security controls to protect its information assets, including those managed by related parties and third parties.[14]

An APRA-regulated entity must have robust mechanisms in place to detect and respond to information security incidents in a timely manner.[15]

Contingency arrangements

An APRA-regulated entity must:

  • Maintain a credible BCP that sets out how it would maintain its critical operations within tolerance levels through disruptions, including disaster recovery planning for critical information assets.[16]

Illustrative geopolitical risk examples

Security and integrity

  • Policies and practices are in place to manage and report any incidents of foreign interference in governance, management or operations.
  • Critical roles are identified and subject to enhanced security and integrity measures.[17]
  • Security culture programs are reviewed and enhanced where needed to ensure personnel understand and make informed decisions on risks.

Contingency arrangements

  • Contingency arrangements are in place for offshore functions and third parties supporting critical operations, to ensure continuity in the event of geopolitical disruption.

Political [18]

Category: Political

Examples of relevant APRA Prudential Standard requirements

Sanctions preparedness

An APRA-regulated entity must manage its full range of operational risks, including but not limited to legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management risk. Senior management are responsible for operational risk management across the end-to-end process for all business operations.[19]

Illustrative geopolitical risk examples

Sanctions preparedness

  • Processes are in place to identify sanctions requirements and manage them in a timely and effective manner.

Offshore assets

  • At-risk offshore asset, investment and operational exposures are identified and assessed, and plans are maintained to manage the impacts of potential freezes, restrictions or disruptions.

Financial resilience [20]

Category: Financial resilience

Examples of relevant APRA Prudential Standard requirements

Liquidity risk management framework

An ADI’s liquidity risk management framework must be formulated to ensure that the ADI maintains sufficient liquidity, including a cushion of unencumbered liquid assets, to withstand a range of stress events, including those involving the loss or impairment of both unsecured and secured funding sources. The source of liquidity stress could be specific to the ADI or market-wide or a combination of the two.[21]

Liquidity management – Contingent Funding Plan

An ADI must have a formal contingency funding plan that clearly sets out the strategies for addressing liquidity shortfalls in stressed situations. The plan must outline policies to manage a range of stress environments, establish clear lines of responsibility and include clear invocation and escalation procedures.[22]

Capital management – Internal Capital Adequacy Assessment Process

The ICAAP must include at a minimum: stress testing and scenario analysis relating to potential risk exposures and available capital resources.[23]

Illustrative geopolitical risk examples

Capital and liquidity planning

  • Stress scenarios driven by geopolitical events should be considered routinely in capital and liquidity planning. For example, the impact of constrained access to global markets, challenges with accessing and repatriating capital to Australia, and sanctions.

Crisis preparedness [24]

Category: Crisis preparedness

Examples of relevant APRA Prudential Standard requirements

Crisis response capabilities

An APRA-regulated entity’s recovery and exit plan must include:

  • a trigger framework for the early identification and monitoring of stress. The trigger framework must be relevant to the operating environment and risk profile of the APRA-regulated entity, and include a range of early warning indicators to support the effective activation and implementation of the recovery and exit plan.[25]
  • governance arrangements for the monitoring of triggers and timely activation of the recovery and exit plan or specific actions within it. Governance arrangements must include clear roles and responsibilities at a senior executive level for the preparation, maintenance and execution of the recovery and exit plan.[26]

Illustrative geopolitical risk examples

Crisis response capabilities

Crisis management capabilities and plans are expected to include an activation model that includes triggers, thresholds and decision authorities for a range of geopolitical scenarios.

Governance arrangements are in place to monitor the ongoing effectiveness of triggers, thresholds and decision authorities to ensure they remain fit for purpose and reflect changes in the external environment.

Footnotes


1. See Reserve Bank of Australia, ‘Geopolitical Risk and Financial Stability’, RBA Bulletin, June 2026 for further detail.

2. Applicable prudential standards include Prudential Standards CPS 510 Governance, SPS 510 Governance, CPS 520 Fit and Proper, SPS 520 Fit and Proper, CPS 220 Risk Management (CPS 220), SPS 220 Risk Management, CPS 230 Operational Risk (CPS 230), Prudential Standard CPS 234 Information Security (CPS 234), Prudential Standards APS 110 Capital Adequacy (APS 110), Prudential Standard GPS 110 Capital Adequacy (GPS 110), Prudential Standard LPS 110 Capital Adequacy (LPS 110), Prudential Standard HPS 110 Capital Adequacy (HPS 110), Prudential Standard SPS 530 Investment Governance, APS 210 Liquidity, CPS 900 Resolution Planning, and CPS 190 Recovery and Exit Planning (CPS 190).

3. Refer to minimum expectations i-iii.

4. CPS 220, para 19. Also see SPS 220, para 14.

5. CPS 220, para 33. Also see SPS 220, para 18.

6. CPS 220, para 27. Also see SPS 220, para 19.

7. Refer to minimum expectation iv.

8. CPS 230, para 24.

9. CPS 230, para 34(c).

10. CPS 230, para 56(a) and (b).

11. Personnel risk is defined as threats associated with espionage, malicious insiders, and foreign interference; as well as the safety and availability of human resources employed or engaged by the institution. See also RBA Bulletin, June 2026 on security and capacity risks.

12. Refer to minimum expectations v-vi.

13. CPS 234, para 18.

14. CPS 234, para 21.

15. CPS 234, para 23.

16. CPS 230, para 34(c).

17. Better practice implementation may include enhanced controls for critical roles, access management, and escalation arrangements for personnel-related risks.

18. Refer to minimum expectations vii-viii.

19. CPS 230, para 24.

20. Refer to minimum expectation ix.

21. APS 210, para 26.

22. APS 210, para 47.

23. APS 110, para 17(d); GPS 110, para 11(d); LPS 110, para 13(d); HPS 110, para 11(d).

24. Refer to minimum expectation x.

25. CPS 190, para 19(b).

26. CPS 190, para 19(c).

2026