How APRA’s CPS 230 is forcing Australian banks to rethink supply chain resilience — and what to do about it

Australian banking has always relied on third parties. What’s different now is that APRA is formally saying those third parties are no longer “outside the fence”. Under CPS 230, the resilience of your supply chain is part of your operational risk posture, and the board is accountable for it.

This isn’t a small compliance tidy-up. It’s a shift in how banks are expected to understand, manage, and prove the resilience of the services that sit underneath critical products and customer outcomes. In practice, it means banks must move beyond traditional outsourcing oversight and build a clearer, more connected view of end-to-end supply chain risk — from core technology partners to niche providers that quietly keep key operations alive.

Let’s unpack what CPS 230 requires, why it matters, and a practical way banks can review and uplift supply chain resilience without turning this into a never-ending program.

CPS 230 in plain English: what changed?

CPS 230 is APRA’s cross-industry operational risk standard that came into effect on 1 July 2025. It replaces the older APRA standards that separately covered outsourcing and business continuity. With CPS 230, APRA has pulled these themes together into one integrated expectation: operational resilience must be designed, measured, managed, and tested — and that includes the suppliers you depend on.

The standard sets minimum requirements across three linked areas:

1. Operational risk management
   Banks must identify and manage operational risks across people, processes, systems, data, and external events.
2. Business continuity and tolerance levels
   Banks must define their critical operations, set measurable tolerance levels for disruption, and maintain tested plans to keep those operations running within tolerance through severe but plausible events.
3. Service provider management
   Banks must identify material service providers, keep and submit a register to APRA annually, ensure legally binding contracts meet specific resilience clauses, monitor providers continuously, manage fourth-party dependencies, and be ready for orderly exit from any arrangement if it becomes unsafe or unviable.

The most direct impact for banks is that CPS 230 sees suppliers not as procurement relationships, but as operational dependencies. When a supplier supports a critical operation, APRA expects you to show that you can stay within tolerance even if that supplier fails.

Why supply chain resilience is now a board issue

“Supply chain resilience” in banking is easy to misunderstand if you come from a traditional procurement lens. It’s not about stationery contracts or branch consumables. CPS 230 is concerned with the supply chains that underpin critical banking operations. Think:

• payments and clearing systems
• core banking platforms and cloud hosting
• fraud, sanctions, and AML screening services
• customer contact centres and complaints handling
• cash services, ATMs, and networks
• identity verification and data feeds
• cyber monitoring and incident response providers
• property and facilities services that support critical operational sites

If disruption in any of those chains pushes the bank beyond tolerance and causes material customer or system harm, APRA will treat it as an operational resilience failing.

CPS 230 makes that accountability explicit. Boards must approve tolerance levels and the service provider management policy, and they must review risk and performance reporting on material providers. Senior management must be able to explain to the board how decisions affect critical operations, especially when those decisions change supplier arrangements.

So the upshot is simple: supplier risk is no longer something you “delegate down”. Under CPS 230, it is an executive and board-level resilience responsibility.

Critical operations: where the supply chain review starts

CPS 230 anchors everything around “critical operations”. These are operations where disruption beyond tolerance would materially harm customers or the financial system.

For banks, APRA sets a minimum list of critical operations, including:

• payments
• deposit-taking and management
• custody, settlements, and clearing
• customer enquiries and the systems and infrastructure needed to support critical operations

That list is not meant to be the whole story. It’s the baseline. Banks must consider how their own products, customer promises, and delivery model translate into critical operations in practice. For example, “payments” might mean multiple value chains across card, NPP, international, merchant acquiring, reconciliation, dispute handling, and fraud monitoring, all delivered through a mix of internal platforms and external providers.

The important point is this: a bank’s CPS 230 supply chain review should start with a clear map of critical operations and value chains, not a vendor register.

When you begin from the vendor register, you risk missing what CPS 230 is actually asking you to protect: the operational outcomes customers rely on.

Material service providers and material arrangements: APRA’s new line in the sand

Once critical operations are defined, banks must identify the service providers that matter most to those operations. CPS 230 calls these “material service providers”. Materiality is defined in two ways:

• providers you rely on to undertake a critical operation, or
• providers whose failure would expose you to material operational risk

APRA also prescribes a minimum list banks must treat as material unless they can justify otherwise, including providers involved in credit assessment, funding and liquidity management, and mortgage brokerage. Across all APRA-regulated entities, providers of risk management, core technology services, and internal audit are treated as material.

Two implications flow from this:

1. Materiality is about impact, not spend.
   A small provider that is a single point of failure in a critical operation is material even if it sits below normal procurement thresholds.
2. Material providers include fourth-party risk.
   CPS 230 expects banks to manage the risks associated with the providers your material providers rely on. That is a big step up in supply chain thinking.

Once providers are classified, banks must maintain a register and submit it to APRA annually. That register becomes the formal “resilience perimeter” for supplier oversight.

Contracts need to be “resilience grade”, not “commercial grade”

CPS 230 sets minimum expectations for contracts with material service providers. These contracts must be legally binding and must include clauses that cover, at a minimum:

• services and measurable service levels
• rights, responsibilities, and expectations, including assets and data ownership and control
• audit access, liability, and indemnity
• compliance obligations
• mandatory notification if the provider uses other material providers to deliver the service (sub-contracting)
• clear liability for sub-contractor failures
• force majeure continuity provisions
• termination and exit rights
• APRA access to information and documentation
• APRA on-site visit rights
• a commitment that the provider won’t impede APRA’s duties

Banks also need to perform due diligence before entering or materially changing a material arrangement, including assessment of geographic location risks, concentration risks, and the ongoing viability of the provider.

This is a long way from “set and forget”. APRA expects contracts to be enforceable operational tools that support resilience, not just commercial documents that sit in legal storage.

Monitoring must be closer to real time

CPS 230 requires banks to monitor material provider arrangements in a way that’s commensurate with risk. Monitoring must include regular assessment of:

• performance against service levels
• effectiveness of risk controls
• compliance by both parties with the contract

In other words, APRA wants banks to have reliable evidence of supplier performance and resilience controls on an ongoing basis.

That is difficult to achieve if your monitoring is based on:

• supplier self-reporting
• inconsistent data capture across categories
• dashboards that lag by weeks or months

For critical operations, banks need monitoring that is embedded in operational workflows. Supplier risk has to be visible early enough to act on, not discovered after a breach.

What “supply chain resilience” means in a CPS 230 world

When you roll the above together, CPS 230 effectively requires banks to answer these questions, with evidence:

1. What are our critical operations and value chains?
2. What tolerance levels apply to each, and are they practical?
3. Which suppliers and internal capabilities are essential to those operations?
4. Where are the single points of failure, concentration risks, and offshore exposures?
5. Do our contracts, controls, and monitoring enable us to stay within tolerance and exit safely if needed?
6. Are we testing severe scenarios that include supplier failures?

Supply chain resilience under CPS 230 is therefore about:

• dependency clarity
• measurable tolerances
• material provider oversight
• continuous monitoring
• scenario-based proof

A practical path for banks to review and uplift supply chain resilience

There is no one-size-fits-all program. But there is a sensible sequence that aligns tightly to CPS 230 and avoids unnecessary churn.

Step 1: Map critical operations into real value chains

Start with APRA’s minimum list and then map your own critical operations as outward-facing customer services and the internal machinery that delivers them.

Focus on value chains, not functional silos. A value chain map should show:

• customer-facing steps
• upstream and downstream dependencies
• systems and infrastructure
• internal shared services
• suppliers (including key subcontractors)
• failure points and “hand-offs”

Banks that do this well quickly see which suppliers are truly critical, and which risks are clustered across multiple operations.

Step 2: Define tolerance levels that drive action

Tolerance levels are more than policy statements. They must be measurable and meaningful. CPS 230 requires tolerances for:

• maximum outage time
• maximum data loss
• minimum service levels under alternate arrangements

Set these using real operational facts, not optimistic targets. If your tolerances are tighter than what your supplier ecosystem can realistically support, you will be out of compliance the moment a severe event occurs.

Good tolerances create clarity about where you need redundancy, alternative arrangements, or exit plans.

Step 3: Identify supplier dependencies per value chain

For each critical value chain:

• list tier-one providers (direct contracts)
• identify internal services that function like suppliers
• trace key tier-two or fourth-party dependencies that affect delivery
• highlight single points of failure or concentration

This step is where banks often uncover the hidden fragilities:

• multiple “independent” systems hosted in the same cloud region
• a niche provider embedded into several strategic vendor stacks
• reliance on one offshore delivery site for a high-volume process
• unclear ownership of supplier performance on the business side

CPS 230 expects this level of mapping, because you can’t manage resilience without knowing what you depend on.

Step 4: Classify material service providers and build the register

Apply CPS 230’s materiality definition using operational impact as your guide.

Your register should be built to support board and APRA oversight. It typically includes:

• provider name and service description
• critical operations supported
• nature and scale of dependency
• location and offshoring profile
• fourth-party dependencies
• concentration and substitution risks
• key contractual milestones and renewal dates
• risk ratings and monitoring approach
• exit readiness status

This register is not a compliance artefact. It is your control tower for supplier resilience.

Step 5: Uplift contracts progressively, starting with the highest-risk providers

Not every contract needs immediate surgery. Prioritise:

• providers linked to critical operations
• providers with known fragility or concentration risk
• contracts that are coming up for renewal
• arrangements where exit would currently be chaotic

Then work systematically through the required CPS 230 clauses. In many cases, banks will also want to reset the way service levels are structured so they are operationally measurable, not just contractual language.

Contract uplift is also a chance to clarify fourth-party expectations and ensure you have transparency into the provider’s downstream ecosystem.

Step 6: Embed monitoring in operational data and workflows

Monitoring should be designed around actual operational processes. The aim is to move beyond lagging, self-reported scorecards to a model where:

• KPI data is captured as part of the work
• service levels are visible near real-time
• early warning indicators are tracked before a tolerance breach
• risk, procurement, and operations share a common view

For example, if a supplier’s performance affects a critical operation, you should be able to see performance drift quickly enough to intervene — not learn about it in a quarterly review.

Step 7: Test severe provider-failure scenarios annually

CPS 230 requires annual testing of business continuity plans using severe but plausible scenarios, including those involving material service providers.

That means running supplier-failure scenarios that mirror today’s risk landscape, such as:

• cloud service disruption or region failure
• cyber isolation of a key platform provider
• failure of a major contact centre during surge demand
• telco outages affecting digital channels
• insolvency or withdrawal of a niche critical provider
• extended offshore site disruption

The purpose isn’t to prove “we have a plan”. It’s to show that your tolerances can hold under pressure — and to identify what must change.

Step 8: Strengthen governance and assurance

Operational resilience is cross-functional by nature. Banks need to ensure:

• clear board reporting on material providers
• alignment between procurement, risk, technology, and business owners
• FAR accountability mapped to CPS 230 duties
• internal audit coverage of critical outsourcing and BCP quality
• a practical escalation path when supplier risk pushes toward tolerance

Governance should support fast, informed decisions rather than create extra layers.

Common traps banks should avoid

CPS 230 programs can drift if banks fall into predictable traps:

1. Treating CPS 230 as a documentation exercise
   APRA expects operational evidence, not just refreshed policies.
2. Starting with spend-based vendor lists
   You risk missing low-spend, high-impact dependencies.
3. Ignoring fourth-party risk
   CPS 230 explicitly requires management of downstream dependencies.
4. Leaving contract uplift to renewal windows only
   Many critical contracts won’t renew before 2026. If they aren’t CPS 230-ready now, you’ll carry resilience gaps for too long.
5. Monitoring too slowly to be useful
   Lagged reporting won’t satisfy ongoing oversight on critical operations.
6. Scenario testing the “easy” events
   Severe but plausible scenarios should test real supplier fragilities, not hypothetical ones.

How Trace Consultants can help banks get CPS 230-ready

Banks need to comply with CPS 230, but they also need to do it in a way that strengthens resilience rather than distracts from the business. That’s where Trace Consultants supports pragmatic, operationally grounded delivery.

Our work typically focuses on four connected areas:

1. Critical operations and value chain mapping

We help banks define critical operations in a way that reflects customer outcomes and real delivery pathways. This includes:

• mapping end-to-end value chains for critical services
• clarifying hidden dependencies across systems, people, and providers
• identifying single points of failure and concentration risks
• shaping tolerance levels that are measurable and credible

2. Material service provider identification and supply chain risk assessment

We assist banks to:

• apply CPS 230 materiality consistently across value chains
• build a material provider register suitable for APRA submission
• assess geographic, offshoring, and concentration risk
• identify fourth-party exposures and blind spots
• prioritise remediation with a clear, staged roadmap

3. Contract and performance uplift

Working alongside procurement, legal, and risk teams, we:

• review contracts against CPS 230 requirements
• restructure SOWs and SLAs so they are operationally measurable
• embed CPS 230 clauses cleanly and commercially
• support go-to-market processes where re-tendering or supplier consolidation is required
• design data capture approaches that underpin reliable supplier KPIs

4. Monitoring, scenario testing, and operating model integration

We help banks embed resilience into day-to-day operations by:

• designing monitoring dashboards with leading and lagging indicators
• integrating supplier risk into business continuity and crisis programs
• building supplier-failure scenario tests that reflect current threats
• clarifying governance, RACI, and escalation pathways
• uplifting internal capability so CPS 230 is sustained, not just delivered

Trace’s supply chain and operational background means we focus on what actually happens on the ground — the only place resilience is ever really proven.

The takeaway

CPS 230 makes one thing clear: Australian banks are responsible for the resilience of their supply chains, not just their internal systems.

The banks that succeed won’t be the ones that rush out a policy update and a register. They will be the ones that:

• map critical operations as real value chains
• define tolerances that reflect practical delivery capability
• understand which providers (and fourth parties) truly matter
• contract for resilience, not just services
• monitor performance close to real time
• and test the nasty scenarios before the market forces them to

CPS 230 is a compliance obligation, but it is also an opportunity to lift operational resilience in a way that customers will feel the next time disruption hits.

If you want a structured, practical approach to reviewing supply chain resilience under CPS 230 — whether as a focused pilot on one critical value chain or a phased rollout across multiple operations — Trace Consultants can help.

‍

Why SRM deserves a seat at the executive table

Every organisation depends on suppliers for critical outcomes: continuity of service, product availability, safe operations, regulatory compliance, and innovation. Yet relationships with suppliers are often managed as a series of transactions, rather than as strategic assets. That gap shows up in avoidable stock-outs, creeping costs, missed sustainability targets, cyber incidents that start in the third party layer, and projects that slip because the operating rhythm with vendors isn’t clear.

A fit-for-purpose SRM framework gives structure to how you set expectations, collaborate, measure, improve, and protect value with suppliers. It’s not a new piece of bureaucracy; it’s a way to turn fragmented conversations into a disciplined operating model that delivers better outcomes for the business, for end customers, and for suppliers.

In Australia and New Zealand, the case for SRM is even stronger. Our long lead times, concentrated markets, regional logistics constraints, and evolving regulatory requirements (from modern slavery reporting to industry-specific safety and sustainability standards) increase the exposure and the upside for getting supplier relationships right.

What “good” SRM looks like

1) Clear segmentation. Not all suppliers are equal. “Strategic”, “critical”, “leverage”, and “tactical” suppliers need different treatment. Strategic and critical relationships get senior attention, joint planning, and structured improvement; leverage suppliers get performance discipline and competitive tension; tactical suppliers get simple, low-effort controls.

2) Defined governance. The right people meet at the right cadence with the right information. Roles and responsibilities are explicit, agendas are standardised, and decisions don’t drift.

3) Balanced scorecards. SRM elevates the discussion from “price and punctuality” to the broader mix that matters: service levels, quality, safety, sustainability, cyber posture, continuous improvement, innovation, and total cost to serve.

4) Joint value creation. Beyond compliance, top relationships run structured pipelines of improvements—SKU rationalisation, waste reduction, logistics optimisation, digital enablement, design-to-value, and demand/supply smoothing. Value is quantified and shared fairly.

5) Risk first. You maintain a live picture of supplier risk—operational, financial, cyber, ESG, geopolitical, and concentration risk—and connect it to contingency plans you actually rehearse.

6) Contract enablement. Contracts don’t sit in drawers; they underpin the cadence: data access, KPIs, service credits, governance meetings, audit rights, and targeted incentives for innovation and resilience.

7) Digital spine. Data flows reliably, dashboards are trusted, and collaboration isn’t trapped in inboxes. SRM tooling is lightweight but deliberate.

Where SRM typically goes wrong (and how to avoid it)

• One-size-fits-all: Applying the same governance to every supplier wastes time and alienates partners.
  Fix: Segment properly and tune the cadence.
• Scorecards without outcomes: Pretty dashboards that don’t change behaviour.
  Fix: Tie KPIs to decisions, incentives, and consequences.
• Heroic individuals, no system: Results rely on one relationship manager’s personal goodwill.
  Fix: Document the playbook: team roles, agendas, escalation paths, knowledge handover.
• Contract misalignment: Agreements lack the levers to support SRM (data sharing, continuous improvement clauses, joint innovation).
  Fix: Refresh your contract templates to embed SRM mechanics.
• Over-promising innovation: Big ideas fizzle without a pipeline method.
  Fix: Treat innovation like a portfolio: prioritise, pilot, scale, and measure.

The building blocks of your SRM framework

1) Supplier segmentation that actually drives behaviour

Segment on two axes: business impact (how much this supplier matters to your service, safety, brand, regulatory compliance, and cost) and market dynamics (supply risk, switching cost, alternative capacity, geographic/geopolitical exposure).

• Strategic: Co-create roadmaps, executive-level governance, joint innovation, multi-year pipeline, risk reviews.
• Critical: Tight performance control, risk and continuity focus, regular operations reviews, targeted improvement sprints.
• Leverage: Commercial optimisation, competitive tension, standard SLAs, quarterly performance reviews.
• Tactical: Simple contracts, catalogue rates, exception-based monitoring.

Tip: Reassess segmentation every 6–12 months and whenever categories shift (e.g., supplier consolidation or regulatory change).

2) Governance and cadence

For Strategic suppliers (typical):

• Executive QBR (Quarterly): Strategy alignment, risk review, roadmap, investment/innovation decisions.
• Monthly Operations Review: Service levels, incidents, corrective actions, capacity planning.
• Working Groups (fortnightly/weekly): Focused improvement streams (e.g., forecasting accuracy, DIFOT, safety).
• Annual Planning: Joint objectives, targets, and value pipeline for the year ahead.

For Critical suppliers:

• Monthly Reviews with disciplined KPIs, risk watchlist, and seasonal readiness.
• Fortnightly Tactical Calls during peak or transition periods.

RACI clarity: Name the relationship owner, contract owner, commercial lead, technical lead, risk/compliance partner, and executive sponsor on your side and ask your supplier to do the same.

Standard agendas work: Keep 70% of the agenda consistent to make trend analysis real, and 30% dynamic to tackle current priorities.

3) Balanced KPIs & targets

Go beyond “price and on-time delivery”. Typical SRM scorecard lenses:

• Service & Quality: DIFOT/OTIF, first-time-right, rework/returns, stockouts, response time.
• Safety & Compliance: TRIFR where relevant, safety incidents, audit findings, permit adherence, regulated standards.
• Sustainability: Emissions intensity for the service, waste diversion rates, packaging optimisation, modern slavery due diligence activities.
• Cyber & Data: Security questionnaire status, control attestations, incident reporting time, critical vulnerability remediation SLAs.
• Innovation & Productivity: Number of submitted ideas, trial conversion rate, quantified benefits realised YTD.
• Financial & Commercial: Total cost to serve, price variance vs index, payment timeliness, rebates/earnbacks.
• Risk: Heat map movement, continuity test results, supplier financial health indicators.

Make targets explicit and define actions when thresholds are missed (improvement plan, service credits, or escalation).

4) Contract terms that enable SRM

Build SRM into the contract so it’s enforceable and practical:

• Data & Access: KPI data rights, system connectivity, audit rights, cyber evidence.
• Governance: Cadence, roles, escalation triggers, and participation expectations.
• Performance: Scorecard definitions, service credits and earn-back mechanisms.
• Improvement & Innovation: Structured pipeline, BAU improvement obligations, gain-share options for identified efficiencies.
• Risk & Continuity: Business continuity planning (BCP) requirements, test frequencies, change-notification windows.
• Sustainability & Ethical Sourcing: Modern slavery risk assessments, traceability obligations where appropriate, reporting cadence.
• Exit & Transition: Knowledge transfer, IP, data hand-back, transition services.

5) Value creation: make innovation real

Treat improvement like a portfolio:

• Pipeline: Backlog of opportunities, with owner, impact estimate, complexity, and dependencies.
• Stages: Discovery → Pilot → Prove → Scale.
• Funding: Small internal budgets for pilots; clear decision gates to scale.
• Measurement: Record the benefits: cost, service, safety, sustainability to show momentum and justify reinvestment.
• Recognition: Acknowledge supplier contributions; embed fair sharing mechanisms where benefits are joint.

Typical quick wins include demand smoothing, packaging reduction, route optimisation, process digitisation, and SKU rationalisation.

6) Risk management is continuous, not annual

Keep a live supplier risk register and connect it to operational decisions. Areas to monitor:

• Operational: Capacity constraints, quality drift, subcontractor reliance.
• Financial: Deteriorating financials, credit insurance signals.
• Cybersecurity: Emerging vulnerabilities, changing control posture, third-party sub-processor risk.
• Compliance & ESG: Audit findings, unresolved corrective actions, supply chain traceability challenges.
• Geopolitical & Natural Hazards: Route disruptions, extreme weather impacts, import/export shifts.
• Concentration: Single-site exposure, single-source for critical components.

Plan and test: Alternate supplier readiness, safety stocks, cold starts, emergency communications trees, and incident drills aligned to your risk profile.

7) Digital enablers without the baggage

You don’t need heavy software to start SRM well. Aim for a lightweight digital spine:

• A consolidated supplier master and segmentation view.
• A simple SRM workspace for agendas, minutes, decisions, actions, and issue logs.
• KPI dashboards that draw from your existing systems (ERP, WMS, TMS, service management, incident logs).
• A shared innovation backlog and benefits tracker.
• Documented playbooks and contract repository with version control.

As maturity grows, consider integrating vendor risk tools, sustainability data sources, and workflow automation without turning SRM into an IT project that stalls momentum.

A practical rollout roadmap

Days 0–30: Foundation

1. Align on purpose and scope. What problems are we solving and where will SRM start?
2. Segment suppliers. Use impact and risk as primary lenses.
3. Choose the first 10–20 relationships. Focus on a mix of strategic and critical suppliers where results matter and access is possible.
4. Define governance cadences. Lock QBRs, monthly ops reviews, and working groups.
5. Draft a standard scorecard. Keep it achievable with 8–12 metrics.
6. Stand up the digital basics. Shared workspace, dashboards drawing from existing data.

Days 31–90: Stand-up & stability

1. Run the first QBRs and monthly reviews. Check the rhythm, refine agendas.
2. Baseline KPIs and set targets. Where data’s imperfect, start with directional targets and improve quality over time.
3. Launch the value pipeline. Capture 10–15 opportunities with rough sizes; start two quick-win pilots.
4. Map the risk posture. Build a risk heat map per supplier and identify top three mitigations.

Days 91–180: Improve & prove

1. Scale successful pilots. Quantify benefits; publish a short internal case note to build belief.
2. Refine contracts. Where useful, negotiate addenda to embed SRM mechanics (data sharing, cadence, incentives).
3. Measure cadence health. Track attendance, on-time actions, and decision cycle times to ensure meetings drive outcomes.
4. Upskill relationship owners. Practical training on commercial conversations, performance coaching, and conflict resolution.

Days 181–365: Institutionalise

1. Extend to more suppliers. Based on results, add the next cohort.
2. Introduce category-wide playbooks. Standard approaches to common issues (e.g., DIFOT recovery, cyber uplift, sustainability data capture).
3. Publish an annual SRM report. Summarise improvements, benefits, risk reductions, and next-year priorities to keep executive sponsorship strong.

What to measure (and report) to prove SRM works

• Service: Reduction in stockouts/service failures; improvement in OTIF; lower defect rates.
• Risk: Fewer critical incidents; improved time-to-recover; higher BCP readiness.
• Cost & Productivity: Reduced total cost to serve; fewer expedites; improved labour/productivity through process changes.
• Sustainability: Measured reductions in waste or emissions intensity where applicable; improved traceability and audit closure rates.
• Cycle time: Faster decision and escalation cycles; shorter lead times for change.
• Innovation: Number of ideas taken to pilot and scaled; quantified benefits realised.

Keep the narrative grounded: what changed, why it changed, and what’s next.

Sector nuances in ANZ

Government & Health: Strong governance and probity standards are essential. SRM must balance transparency with genuine collaboration. Expect robust auditability, clear conflict-of-interest management, and careful handling of joint innovation (IP, data).

Infrastructure, Utilities & Defence-adjacent: Safety, continuity, and cybersecurity weigh heavily. Contracts need enforceable requirements for testing, reporting, and right to audit.

Retail, FMCG & Manufacturing: Volatility and promotions drive demand complexity. SRM should obsess about forecast collaboration, inventory buffers, network optimisation, and packaging/logistics efficiency.

Universities, Hospitals & Precincts: Multi-stakeholder environments benefit from SRM’s clarity on roles, escalation, and performance baselines across cleaning, MEP, waste, catering, and other property services.

Playbook elements you can copy and tailor

Standard QBR agenda (90 minutes):

1. Safety & incidents (5)
2. Performance recap: scorecard trends, exceptions (20)
3. Risk register: changes, mitigations, continuity (15)
4. Value pipeline: wins, pilots, upcoming (20)
5. Strategic topics: capacity, technology, roadmap, regulatory (20)
6. Decisions & actions summary (10)

Monthly ops review (60 minutes):

• KPI deep dive, root-cause analysis
• Corrective actions status
• Forecasting & capacity outlook
• Upcoming changes or promotions/events
• Issues requiring escalation

Innovation pipeline fields (one line each):

• Problem statement, hypothesis, expected benefits, required data/systems access, owner, stage, next milestone, risks, go/no-go date.

Supplier relationship charter (one page):

• Shared objectives, behaviours, meeting cadence, data sharing principles, escalation path, contact list.

Common pitfalls to sidestep

• Trying to do everyone at once. Start with relationships that matter and where you’ve got access.
• Over-engineering the tooling. Begin with a pragmatic digital spine; evolve later.
• Unclear benefit logic. Agree on how benefits will be measured and attributed before pilots begin.
• Ignoring the people side. Equip relationship owners with the coaching, commercial, and conflict skills to handle tough conversations.
• No executive air cover. Senior sponsors must show up and back decisions; otherwise SRM stalls at middle management.

How Trace Consultants can help

Trace Consultants supports organisations in Australia and New Zealand to design, stand up, and embed SRM without unnecessary complexity. Depending on where you are on the journey, we can help with:

• SRM diagnostic & blueprint: Rapid current-state assessment, supplier segmentation, and a practical SRM design aligned to your risk, regulatory, and category mix.
• Framework & contract enablement: Scorecards, playbooks, governance packs, and updates to contract schedules so SRM is enforceable and usable.
• Digital spine: Light, sensible SRM workspaces and dashboards that pull from your existing systems. Where relevant, we can integrate Power Platform solutions and pragmatic automations to reduce manual effort.
• Stand-up support: Facilitation of early QBRs and operations reviews, coaching for relationship owners, and support in building a credible value pipeline with suppliers.
• Risk & continuity uplift: Practical supplier risk registers, test plans, and “cold start” rehearsals tied to local conditions and seasons.
• Sustainability & ethical sourcing integration: Incorporate sustainability and responsible sourcing into SRM in a way that’s feasible to measure and manage.
• Benefits tracking: Straightforward methods to quantify and report improvements so the program keeps momentum and sponsorship.

We keep it grounded, no bloated software projects, no performative governance, just the operating rhythm and artefacts that make supplier relationships work better. If you’d like a short, no-obligation discussion about your SRM maturity and quick wins, we can tailor a starting point appropriate to your categories and risk profile.

Putting it all together

An SRM framework isn’t paperwork. It’s the everyday structure that helps your team and your suppliers deliver on what matters: safe operations, reliable service, value for money, and meaningful improvement. It will:

• Make accountability and cadence clear.
• Ensure performance is measured and acted on.
• Turn improvement from “nice to have” into a pipeline of results.
• Expose and manage supplier risk before it becomes an incident.
• Build the trust (and tension) that leads to better outcomes over time.

Start small, focus on the relationships that matter most, and build belief through early results. Keep the framework human, the data useful, and the meetings purposeful. With those conditions in place, SRM becomes one of the most effective levers your organisation has, particularly in the ANZ context where geographic realities, supply concentration, and regulatory expectations raise the stakes.

If you’re ready to move from transaction management to relationship performance, Trace Consultants can help you stand up an SRM model that fits your business and sticks.

Quick checklist (to get moving this quarter)

• Agree SRM objectives and scope with executive sponsor
• Segment suppliers and select first 10–20 relationships
• Lock governance cadences and name the RACI on both sides
• Stand up scorecards for service, risk, cost, sustainability, and innovation
• Run the first QBRs and monthly operations reviews
• Launch two quick-win pilots and a simple benefits tracker
• Build a live supplier risk register and top-three mitigations
• Plan contract updates to embed SRM mechanics
• Publish a short internal update on early progress

Trace Consultants is an Australian supply chain and procurement advisory supporting government and commercial organisations across ANZ. Get in touch if you’d like a pragmatic SRM blueprint and the hands-on help to make it real.

How Universities and Schools Can Reduce Costs by Going to Market for New PPM Contracts

Why this matters now

Across Australia and New Zealand, education providers face a perfect storm: rising utility and labour costs, aging building stock, heavy compliance obligations, and heightened expectations for sustainability and student safety. Property Services—waste, vertical transport (lifts and escalators), mechanical/HVAC, electrical, plumbing, fire & life safety, and general contracting—sit right in the middle of the cost and risk profile.

Many institutions are still operating on legacy contracts signed years ago, often extended multiple times, with schedules and rates that no longer reflect actual demand, modern technologies, or today’s market pricing. A structured go-to-market (GTM) for Planned Preventative Maintenance (PPM) is one of the quickest, cleanest ways to reset costs, lift compliance, and reduce risk—while preserving the on-campus experience.

This article is a practical, copy-and-paste-friendly playbook you can use to plan and run a competitive procurement process. No hype, no jargon—just the steps that work in ANZ education environments.

The outcomes you’re aiming for

Before diving into tender packs and pricing schedules, get crystal clear on the five outcomes that matter:

1. Lowest total cost of ownership (TCO)
   Not just cheaper rates—fewer call-outs, less downtime, optimal replacement cycles, and energy-efficient operation.
2. Assured compliance and safety
   Meeting Australian and New Zealand Standards, Building Codes, WHS legislation, and fire/life safety rules—without administrative drag.
3. Performance you can see and measure
   Defined SLAs, uptime guarantees for lifts and critical HVAC, transparent reporting, auditable evidence, and clear abatement mechanisms.
4. Future-ready operations
   CMMS/BMS integration, data-rich asset registers, smart sensors where they create value, and sustainable practices aligned to institutional targets.
5. Minimal disruption to teaching and student life
   Planned works aligned to term dates, exams, events, and public access.

The business case in plain numbers

A well-run PPM tender often finds savings in three places:

• Unit rate optimisation: Competitive market pricing for standard tasks and parts.
• Scope rationalisation: Removing duplicate tasks, mis-timed frequencies, or activities that don’t materially reduce risk.
• Operating model improvements: Consolidating vendors, aligning service windows to demand, tightening escalation paths, and using data to prevent failures.

Beyond direct cost savings, the real prize is avoided cost: fewer breakdowns, faster recovery, less overtime labour, and lower energy usage from well-tuned plant and equipment.

What good looks like: the PPM procurement blueprint

Think of the process in six stages. Each stage has a clear deliverable and a go/no-go decision.

1) Mobilise and baseline

• Set the mandate: Confirm the contract list in scope (waste, VT, mechanical/HVAC, electrical, plumbing, fire/life safety, general contracting) and the campuses, precincts, or satellite sites included.
• Form the squad: Property/Facilities, Procurement, Finance, WHS/Compliance, Sustainability, IT/Systems (for CMMS/BMS), and key academic stakeholders.
• Baseline the current state: Gather contracts, rate cards, SOWs, performance reports, service history, abatement logs, and ad-hoc variation records.
• Define success metrics: TCO reduction target, compliance KPIs, uptime requirements, energy intensity goals, and service experience measures.

Watch-outs: Don’t let the process be data-blocked. If your asset data is messy (it usually is), plan a quick-and-clean uplift—not perfection—before market.

2) Fix your data (enough to move)

• Asset register uplift: For lifts, HVAC, switchboards, pumps, fire equipment, etc., capture make/model, age, criticality, and last major service.
• Condition and criticality tagging: Not everything needs the same frequency. Tag assets by student safety impact, teaching criticality, and compliance requirement.
• Demand profile: Overlay term dates, events, lab schedules, and holiday shutdown periods to rationalise service windows.
• Systems integration mapping: Confirm how vendors will read/write to your CMMS (e.g., Maximo, Archibus, SAP, TechnologyOne) and relevant BMS.

Rule of thumb: “Right enough” data is the goal—accurate asset lists, frequencies tied to standards and risk, and a clean service history for the last 12–24 months.

3) Decide your sourcing strategy

• Single integrated FM vs multi-category: Universities often benefit from category bundles (e.g., MEP + Fire) where synergies exist, but lifts and waste can remain separate due to specialisation and OEM constraints.
• Campus vs portfolio contracts: ANZ institutions with multiple campuses can consolidate to unlock buying power, while keeping local responsiveness in the SLA structure.
• Term and options: Typical PPM terms are 3+2 or 5+2 years. Align options to capex milestones and planned refurbishments.
• Performance and risk: Choose between prescriptive SOWs (exact tasks and frequencies) and outcome-based models (availability, compliance, and energy performance)—or blend them.

Tip: Keep incumbents honest by designing a process where service quality and continuous improvement matter as much as price.

4) Build the market pack properly

Your RFT pack should be simple to navigate and impossible to misinterpret:

• Instructions to tenderers: Timelines, site walks, questions protocol, addenda, and commercial terms.
• Scope of services by category:
  • Waste: Streams (general, recyclables, organics, clinical/lab, e-waste), expected volumes, on-site compaction, Container Deposit Scheme where applicable, contamination thresholds, and reporting.
  • Vertical Transport: Asset list with serial numbers, uptime targets per asset, response/rectification times, entrapment procedures, incident reporting, and after-hours cover.
  • Mechanical/HVAC: Compliance to standards, maintenance task lists by equipment type, performance tuning, filtration standards, seasonal changeover, and energy optimisation.
  • Electrical: Switchboard inspections, RCD testing, thermographic scans, emergency/exit lighting, generator/UPS testing, and statutory reporting.
  • Plumbing: Backflow prevention, thermostatic mixing valves, water quality testing (including Legionella management), pumps and tanks, and emergency response.
  • Fire & Life Safety: EWIS, sprinklers, hydrants/hose reels, extinguishers, passive fire systems, smoke management, evacuation drills, and mandatory certification cadence.
  • General Contracting: Minor works, patching/painting, small carpentry, flooring, glazing, and 24/7 make-safe protocols.
• Asset registers and drawings: “Read-only” canonical lists with IDs that match your CMMS.
• Service level regime: Response and rectification times, uptime targets for critical assets, and a clear escalation pathway.
• Performance and abatement: KPI scorecards, evidence requirements, and a fair abatement structure that rewards improvement and penalises persistent under-performance.
• Sustainability and social procurement: Recycling and circularity targets, waste diversion, Indigenous procurement commitments, modern slavery due diligence, local jobs and apprenticeships, and carbon reporting requirements.
• Safety and compliance: WHS documentation, permits to work, contractor inductions, working with children checks where applicable, and emergency procedures.
• Systems and data: API specs or data templates for CMMS/BMS integration, data ownership clauses, and cyber expectations for vendor connections.

5) Price it the right way

A pricing schedule that’s poorly structured is the fastest path to “apples and oranges” comparisons and hidden cost creep. Get these elements right:

• Fixed PPM: Annual fixed price for defined tasks and frequencies per asset (with inclusions/exclusions clearly marked).
• Reactive call-outs: Hourly rates by trade/qualification, min charges, after-hours multipliers, and call-out bands.
• Materials and parts: Discount structures vs list, preferred brands, OEM vs equivalent policies, and warranty handling.
• Quoted works: Mark-up caps, competitive quoting rules above thresholds, and a transparent variation process.
• Indexation: Define the index (e.g., CPI, Labour Price Index) and timing. Avoid compounding surprises by setting guardrails.
• Incentives: Share-in-savings or performance bonuses tied to energy reductions, uptime improvements, or waste diversion milestones—only where measurement is robust.

Pro tip: For lifts and fire/life safety, pay close attention to OEM proprietary parts and software. Design pricing schedules that limit monopolistic behaviour while preserving safety.

6) Run a fair, competitive process

• RFI/EOI (optional): Pulse the market for capability and shortlist if the field is large.
• RFT: Issue clear packs, hold site walks, and require Q&A through a formal channel.
• Scoring: Use weighted criteria covering price, methodology, compliance, capability, sustainability, and digital integration.
• BAFO/Negotiation: Invite clarifications, test alternative pricing structures, and tighten contract terms.
• Reference and safety checks: Validate safety performance, statutory compliance track record, and campus-like experience.
• Award and standstill: Communicate outcomes professionally and prepare transition plans immediately.

Category-by-category tactics to lower cost without lowering standards

Waste services

• Right-size your streams: Measure actual generation by building type (labs vs general teaching) and adjust bin sizes/frequencies.
• Tackle contamination at source: Clear signage, student ambassadors during peak periods, and vendor education cut landfill costs.
• Plan logistics: Consider BOH constraints, collection windows that avoid student congestion, and container deposit schemes where available.
• Data you need: Weights by stream, contamination rates, and exception logs. Use it to reset pricing annually.

Vertical transport (lifts/escalators)

• Uptime is everything: Tie PPM schedules to availability targets per asset, with response and rectification SLAs clearly defined.
• Independent lift consultancy (where needed): Use for scope validation, OEM neutrality, and major refurb planning.
• Event overlay: Exams, graduations, and open days drive load—align manning and standby accordingly.
• Spare parts & software: Clarify access, versions, and update rights to prevent lock-in.

Mechanical/HVAC

• Energy is the lever: Optimise BMS set-points, filters, and preventative tasks. Demand-controlled ventilation and season-appropriate schedules often yield quick wins.
• Indoor air quality (IAQ): Education spaces need healthy CO₂ and particulate levels; define the monitoring standard.
• Chilled/hot water plant: Condition-based tasks (e.g., vibration analysis) can reduce breakdowns and overtime.

Electrical

• Prioritise risk: RCD and thermography programs catch issues early. Align testing windows to low-occupancy periods.
• Emergency lighting: Move to LED and define failure thresholds to minimise call-outs.
• Generator/UPS: Include load testing schedules that won’t disrupt labs or data centres.

Plumbing

• Compliance first: Backflow and TMV testing regimes must be watertight (pun intended).
• Water efficiency: Leak detection and smart metering often pay back quickly, especially across large campuses.
• Legionella management: Define roles across HVAC and plumbing to avoid gaps.

Fire & life safety

• No grey areas: Clear delineation between active and passive systems, testing frequencies, and defect rectification timeframes.
• Evacuation and training: Tie vendor responsibilities to drill schedules and documentation, especially for residential colleges.
• Evidence pack: Certificates, logs, and photos stored against asset IDs in your CMMS.

General contracting (minor works)

• Make-safe first: Define a 24/7 make-safe protocol with caps and an approval ladder for follow-on works.
• Small works panel: For jobs above a threshold, use a mini-competition among pre-approved contractors to keep pricing sharp.
• Student-safe sites: Clear requirements for hoardings, traffic, and hours to minimise disruption.

Compliance and risk—done once, done right

ANZ campuses carry a unique mix of public access, heritage buildings, laboratories, and residential facilities. Your contract and governance pack should address:

• Statutory compliance matrix: Map each category to relevant Australian/New Zealand Standards and testing frequencies.
• WHS and child-safe obligations: Contractor inductions, worker clearances where required, and incident reporting templates.
• Insurance and financial surety: Appropriate coverage, performance bonds where proportionate, and rapid rectification provisions.
• Modern slavery and supplier ethics: Practical due diligence questionnaires, escalation steps, and audit rights.
• Cyber and data: If vendors connect to your systems (CMMS/BMS), set minimal security baselines and data ownership rules.

Contracts that actually work on campus

Choose a contract form familiar to the local market (many institutions use standard ANZ forms with schedules tailored to services). Focus on:

• Clarity on inclusions/exclusions: Especially for lift OEM parts, fire rectifications, and after-hours works.
• Performance regime: KPIs, evidence, abatements, improvement plans, and a fair dispute pathway.
• Change control: Simple mechanisms for adding/removing assets, frequency changes, and new buildings.
• Indexation and benchmarking: Annual resets against agreed indices with optional third-party benchmarking at mid-term.
• Continuous improvement: A formal process for proposing and approving savings and sustainability initiatives.

Transition and mobilisation—where tenders succeed or fail

Plan your mobilisation like a mini-project:

1. 90-day plan: Contractor onboarding, inductions, system access, asset verification, and PPM schedule upload to CMMS.
2. Site protocols: Keys and access, hot works, confined spaces, permits, and emergency call-out rosters.
3. Communications: Campus-friendly notices for noisy works, lift shutdowns, and system tests.
4. Safety first: Toolbox talks, SWMS reviews, and joint risk walks.
5. Evidence check: First month’s certificates and logs to validate processes work end-to-end.
6. Early wins: Energy tuning, bin right-sizing, and backlog triage to build momentum.

Governance and reporting that people actually read

• Monthly ops packs: KPI scoreboard, compliance certificates, top risks, and completed/overdue PPM tasks.
• Quarterly performance reviews: Trend analysis, energy/waste results, improvement pipeline, and upcoming risks.
• Campus voice: Feedback from facility managers, student representatives, and residence managers.
• Audit-ready records: Everything tied to asset IDs in your CMMS—no emails as “systems of record”.

How to avoid the five classic mistakes

1. Treating PPM as “set and forget.”
   Build in continuous improvement and benchmarking.
2. Over-specifying tasks that don’t reduce risk.
   Focus on statutory needs and criticality; shift to condition-based where justified.
3. Underweighting uptime and response times.
   For lifts and HVAC, availability is the value driver—price it and measure it that way.
4. Letting data drift.
   Make the vendor responsible for updating asset registers after every change, with QA checks.
5. Ignoring student and teaching calendars.
   Lock your service windows around term dates and exams from the start.

A practical 12-week tender timeline (indicative)

• Weeks 1–2: Mobilise, confirm scope, form the squad, collect current contracts and performance data.
• Weeks 3–4: Asset register uplift, compliance matrix, and pricing structure design.
• Week 5: Issue RFT; run site walks.
• Weeks 6–7: Q&A and addenda; bidders refine technical and pricing proposals.
• Week 8: Receive bids; screen for completeness and commercial compliance.
• Week 9: Evaluate; clarifications; negotiate BAFO.
• Week 10: Recommendation, approvals, and intent to award.
• Weeks 11–12: Contracting and mobilisation planning.

(For multi-campus portfolios or complex lift portfolios, add time for independent technical reviews.)

Digital enablers that pay their way

• CMMS discipline: One asset list, one job history, one source of truth.
• BMS and IoT: Use where they help you predict issues or save energy; avoid gadgetry for its own sake.
• QR on assets: Field techs scan to log works and attach evidence—no back-office paper chase.
• Power BI/analytics: Visualise uptime, compliance, and spend by building and vendor to steer decisions.

Sustainability that actually saves money

• Waste: Reduce contamination, right-size collections, and divert organics where practicable.
• HVAC/Energy: Seasonal tuning, demand control, filter strategy, and metering/monitoring.
• Materials: Preference long-life, repairable components and transparent supply chains.
• Vendor incentives: Link part of the fee to measurable energy or diversion improvements—with clear baselines.

What success feels like on campus

• Fewer student complaints about hot/cold rooms or out-of-service lifts.
• Faster response to reactive issues, with better first-time-fix.
• Predictable monthly costs and fewer surprises.
• Compliance evidence at your fingertips when auditors knock.
• A facilities team that spends less time chasing vendors and more time improving the campus experience.

How Trace Consultants can help

Trace Consultants supports education providers across Australia and New Zealand to plan and execute property services procurements that stand up to scrutiny and deliver measurable results—without making big promises we can’t evidence. Typical support includes:

• Rapid current-state and data uplift: We clean and structure asset registers, map compliance requirements, and build pricing schedules that make comparisons straightforward.
• End-to-end GTM execution: From strategy and RFT pack development to evaluation, negotiation, contracting, and mobilisation planning—aligned to term dates and campus realities.
• Performance frameworks and governance: Clear KPIs, SLAs, abatement regimes, and reporting that connect cost, compliance, and student experience.
• Sustainability and social procurement: Practical targets for waste diversion, energy optimisation, local participation, and ethical supply chains.

If you’re planning a refresh of waste, lifts, mechanical/HVAC, electrical, plumbing, fire & life safety, or general contracting—and want a pragmatic ANZ-specific approach—Trace can partner with your property, procurement, and finance teams to deliver a clean, competitive outcome.

Your action checklist (keep it on your desk)

• Confirm your portfolio in scope and the outcomes that matter.
• Lift your asset register enough to make the tender real.
• Decide your bundling (what to consolidate and what to keep specialised).
• Build a pricing schedule that kills ambiguity.
• Lock in compliance, safety, and data requirements from the start.
• Align service windows to academic calendars.
• Govern with simple, visual reporting and firm abatement rules.
• Plan mobilisation like a project with a 90-day clock.

Final word

Going to market for PPM is not about squeezing vendors for one-off savings. It’s about resetting how the campus runs—safer, simpler, cheaper to own, and easier to manage. With a disciplined process and the right partner, universities and schools in Australia and New Zealand can lower total cost, improve compliance, and enhance the student and staff experience—all at once.

If you’d like a sounding board or a second pair of eyes on your pack, Trace Consultants can help you get there—quickly, transparently, and with a method you can reuse across your property services portfolio.

‍