The resilience of a superannuation fund can be tested in any number of ways. It could be operational; it could be investment-related; it could be linked to board governance issues; or anything that has material flow-on effects to members.
Regulators, commentators, and of course members, have a deep and abiding interest in how funds are set up and managed to absorb setbacks and then to return quickly to a steady state of being.
APRA sets standards for super funds’ operational resilience in the main through Prudential Standard CPS 230 Operational Risk Management (and the associated Prudential Practice Guide CPG 230), but it touches on issues of resilience in other standards and in other work it does with funds besides.
A new version of the standard was released in June this year and comes into effect in July 2025, focusing on operational risk management, business continuity planning and bolstering the management of risks associated with third-party vendors and suppliers.
Chief risk officer and group executive, sustainability, at Aware Super, Jane Couchman, says operational resilience is “the ability to manage and recover from major failures or disruptions that could significantly affect the organisation’s core business operations”.
Couchman says this requires a fund to have strong practices around business continuity, disaster recovery, and crisis management both internally and with third- and fourth-party vendors.
Couchman says the fund aims to “ensure we manage our operational risks and minimise the impact of disruption or harm to members and the broader financial system”.
UniSuper’s resilience was put to the test when its Google Cloud account (and backup) were deleted by its provider in what UniSuper chief executive Peter Chun described as “an implausible planning scenario”.
UniSuper head of architecture and emerging technology Sam Cooper says that in all things technology-related “we adopt a risk-led approach to changes we make from a technology perspective. And this project was no different”.
“We did ensure that despite having multiple geographically redundant sites set up to cater for disaster, we asked ourselves the question, well, what happens if something happens to Google?” Cooper says.
“We had some quite robust debate internally within the technology space around what would happen? How would we handle that?”
Operational resilience isn’t only a technology discussion, though that’s sometimes the focus of it. Resilience also encompasses an organisation’s culture and fostering a willingness to challenge colleagues on conventional thinking, although culture is not explicitly addressed in CPS 230 (the closest it gets is probably its requirements around governance issues).
Cooper says the key to building operational resilience is not trying to accurately predict absolutely everything that can possibly happen in future.
“Culture is at the heart of resilience,” UniSuper’s Cooper says.
“I’ve spoken about being risk-led. That’s a cultural piece that is embedded within the organisation, not just technology but across the broader business. The whole members-first piece is the other one. They’re the two pieces that are really at the heart of what we do and [what] enabled us to recover in the way that we did.”
While there’s a tendency to think first about technology when a discussion about resilience begins, “it’s also about the business continuity side of things: How do you operate the business when you don’t have all the technology systems that you normally rely on?” Cooper says.
“Having a robust set of processes and accountabilities in place before something like this happens is critical to being able to service members whilst you get the critical tech back up and running again.”
Aware’s Couchman says any organisation’s resilience depends heavily on its culture, and culture is instilled at multiple levels across its business.
Accountability at the top
But of course there must be accountability at the top of the organisation, and Couchman says that CPS 230 requires roles and responsibilities be clearly defined for both the board and senior management.
She says that at Aware, senior management is defined as the group executive level, and the roles of these executives include guiding the board on decisions and activities that could affect the resilience of the fund’s critical operations, along with “receiving reports on the internal operating environment of their critical operations, as well as their material service providers – including performance, effectiveness of controls, compliance with the service-provider agreement, and monitoring operational risk via their risk profiles in the Aware risk management system”.
“We have clear accountability for the management and oversight of operational resilience; it’s incorporated into our strategic planning and budgeting; and then the importance of operational resilience is incorporated into our corporate communications and employee lifecycle, including induction and training for our staff,” she says.
“Operational and financial resilience are incorporated into our risk management and financial management frameworks and governance, as well as our recovery, exit planning and resolution planning.”
Couchman says that as Aware moves to implement the revised CPS 230, “change-management activities play a crucial role in embedding the uplifted practices into the business”.
She says this includes training and information sessions to ensure staff are well-informed on the importance and objectives of the standard, along with a well-structured plan concerning project-related communication.
“By integrating these activities, the organisation fosters a culture of operational resilience, ensuring that all staff are aware of and committed to maintaining the standards set by CPS 230,” Couchman says.
UniSuper’s Cooper says resilience is a “cultural piece that I would say is not part of a particular project or anything like that”.
“It’s part of, and embedded in, the DNA,” he says.
“It comes back to putting members first and asking ourselves the question of what would happen in this scenario if this information wasn’t available to our members, how would we recover? Continually asking that question of ourselves as an organisation is how that type of design comes about.”