Navigating chaos: How Australian directors can enable systemic resilience for their organisations

By Rachel Riley, Co-founder and Head of GRC, Ansarada

  • Organisations and their boards are dealing with more risk and uncertainty than ever before.
  • The pace of regulatory change is increasing the potential for high-impact compliance risks and tick-box exercises aren’t cutting it.
  • An in-depth and holistic approach to governance, risk and compliance is the only solution for creating truly resilient businesses.
  • Regulatory expectations of what a reasonable director may do to oversee the management of risks are likely to increase.

Last month, Australia’s largest health insurer was obligated to report the private data of 9.7 million Australians had been stolen due to a suspected cyber breach. The attacker was able to access the highly sensitive data after compromising the login credentials of a trusted party with ‘privileged access’.

Medibank is not the only organisation currently making headlines due to a security compromise. Uber, Optus, Woolworths, Microsoft and the Australian Federal Police are just a few other household names that have faced major data breaches in the last three months alone.

While most companies have policies and procedures in place to address such events, along with checkpoints and tick-box exercises (e.g. having a BCP, having a Risk Framework, being ISO27001 and GDPR compliant), organisations and their boards need to go much deeper in scope to understand their overall threat landscape and be truly prepared – not just at a point in time, but always.

Embedding cybersecurity within an organisation needs to be a strategic long-term initiative rather than an application of tactical fixes and controls. However, cybersecurity is just one small aspect of building systemic resilience across the business. We’ve all learned the hard way – with March of 2020 holding particular significance – that disruption comes in many forms. And we can’t always predict what’s around the corner.

Ongoing pandemic implications, market uncertainty, economic volatility, supply chain struggles, talent shortages and climate risk are all concerning global trends for boards to watch into 2023 and beyond. The good news is getting this right means progressing on wider goals and increasing stakeholder interests such as ESG.

Keeping up with regulatory risk

The regulatory landscape is changing at a rapid rate so organisations can stay on top of these new and emerging risks. But the pace of complying with regulatory change needs to increase along with it.

Adjusting to ‘the new normal’ makes frequent regulatory change necessary. But the onslaught of new regulations brings its own set of challenges for organisations and their boards.

In the past two years, we’ve seen several regulatory changes significantly impact the Australian financial services industry — some of which have required a total transformation of operations, business models and strategies for these firms to not only achieve compliance, but also remain highly competitive within their industry.

Besides the obvious toll on resources, most directors aren’t prepared to deal with these impacts or requirements.

In Deloitte’s recent report Managing Regulatory Change in the Australian Financial Services Industry (May 2022), 95% of respondents said they formally engage with the board in relation to current/future regulatory change initiatives, yet zero survey respondents said they provided their board with formal training on managing regulatory change.

The pressure is now on Directors to go that level deeper and truly look at the scope of their governance, risk, and compliance programs, and ensure systems are in place allowing the organisation to holistically manage and report on them.

Regulatory bodies APRA and ASIC have made it clear boards can expect ‘increased scrutiny, personal accountability, and far more sophisticated oversight’. (Deloitte)

In a recent article, APRA implored boards to ‘prioritise and address compliance risk with the same rigour as financial risks’. ‘Recent high-profile compliance risk failures have made headlines, with businesses having to pay record fines, board chairs and CEOs being forced to resign, and reputations being damaged, resulting in reduced trust from customers and the community.’ (APRA)

It’s no longer good enough to have a disaster recovery plan, ISO accreditation and yearly audits. Today, those checks are the absolute minimum baseline. Compliance standards do not consider the specifics, such as the organisation’s business model, strategy and value proposition. Being merely compliance-driven does not guarantee an increase in resilience, nor does it enable the build of governance processes that are fit-for-purpose.

Security and oversight of board management is just the start. Boards can’t rest there. To create truly resilient businesses, they need to go much, much further.

Why operational resilience is at the forefront

Building a robust operational resilience capability enables businesses to manage adversities effectively. As previously mentioned, these adversities can range from pandemics and cyber attacks to talent shortages. Operational resilience takes a holistic approach in the identification of critical processes, systems, people and third parties, identifying issues proactively and adapting to changes effectively. In addition, operational resilience enables the bridging and alignment of cybersecurity, ESG and GRC priorities so that these – and other risks – are not managed in silos.

Operational resilience programs and regulations provide boards with the needed scope to ensure the business (and the board itself) understands all of its critical processes, supply chains and risk points, as well as how the organisation will perform in periods of disruption.

This full spectrum business mapping must be backed by stringent scenario testing and regular organisational assessments to ensure your framework is robust enough to withstand the uncertainty we operate in today.

The term ‘operational resilience’ has been around for years, but it has steadily been gaining more traction since the first waves of COVID-19 and the resulting digital risks; cyber attacks increased by over 200% within months of the pandemic hitting.

In the UK, the Financial Conduct Authority set out new regulatory standards for operational resilience on March 31, 2022. To maintain compliance with the new standards, Financial Services firms must be able to evidence they are operating within their impact tolerances no later than 31 March 2025. The European Commission is following suit with its Digital Operational Resilience Act (DORA).

Regulators are starting to expect organisations to have plans in place to enable them to resume important functions despite a major disruption. APRA is already taking steps to strengthen operational resilience in line with ‘the new normal’, taking into account evolving business models, COVID-19 learnings, and global best practices as they develop new operational risk management standards. ‘Disruptions to financial services — even temporarily — can have a major detrimental impact on the community,’ said APRA Chair Wayne Byres.

On the surface, the definition of operational resilience is simple: an entity’s ability to ‘withstand and recover from shocks’ (APRA). In reality, it’s significantly more complex, as it encompasses the ability to prepare for, prevent, detect, respond to, recover from and learn from disruptions to organisational operations.

This complexity means that, as an organisation, you need to create an operational resilience framework that takes a holistic view of your business, operations, finances, governance, regulation and compliance, information security, ESG impact and more. All core elements of the business need to be ‘operationally resilient’ by design as organisations grapple with significant uncertainty and emerging risks.

You’ve got to be certain of the scope and the ways in which the business is looking at its risk and looking after those risks on a daily basis. Risk management is often undertaken by various teams in differing ways. For Directors to understand the organisation’s position, they need to be able to view all these risks together as a whole, understanding how they will impact the entire organisation.

Boards, Directors and management are facing an onslaught of issues, as this article highlights. The good news is that the scope of operational resilience provides a thorough lens across these issues and how organisations can, and will, perform when (not if) a critical event arises — whether it’s a one-off event like a cyber breach or a sustained impact such as COVID-19.

ESG is simply good governance

The global spotlight has been put firmly on climate risk in recent years, with Environmental, Social & Governance (ESG) initiatives historically not being given the attention they deserve. According to APRA’s recent climate risk self-assessment survey, 23% of institutions have zero metrics in place to measure and monitor climate risks, yet almost 40% agreed climate-related events could have a material or moderate impact on their direct operations.

In the same survey, four out of five boards said they oversee climate risk on a regular basis, while 63% say they have incorporated climate risk into their strategic planning process.

As a relatively new area of risk management, setting ESG targets and reporting on metrics is posing a challenge for many organisations.

Understanding your organisation’s vulnerabilities means diving deep into areas of environmental and social impact as part of your overall governance plan. It all comes back to having a holistic view of your business and all the interconnected moving parts and processes that govern it.

On the positive side, operational resilience programs and compliance mandates not only allow the board, and the business, to ensure critical processes and risks are understood and tested but in doing so they allow for mapping of key ESG components, such as supply chain mapping, third party risks, modern slavery etc.

Get your business in order

Bringing order to the chaos is critical. That order doesn’t stop at building policies and procedures. For a business to prosper in this new environment, it must have an ongoing view and assessment of its key risks and opportunities. It must ensure it knows every crack in the supply chain and that these risks are integrated into business resilience operations and tolerances.

Foundationally, identifying critical business processes, systems, and people, monitoring controls, and mapping critical processes are the first steps in navigating the chaos and ensuring organisations are prepared.

The lifeblood of your business is in its critical processes – the way day to day operations are set up to run, how information is distributed and secured, and ultimately, how decisions are made. Getting your Governance, Risk and Compliance (GRC) processes right is not only key to your success but is increasingly becoming a ‘ticket to play’ to stay on top of and address the ever-changing risk landscape and arguably, to exercise duty of care and diligence as these risks are now a core governance concern.

Today, Ansarada is a complete operating system for governing critical information. Our board management software was developed to empower boards to make better decisions and effectively run board meetings with the confidence coming from bank-grade security. Our TriLine GRC solution goes beyond the three lines of defence, allowing you to formalise and embed a robust GRC culture and framework into your organisation. Our ESG Pulse Check gives companies an overview of their ESG performance in order to establish priorities and targets.

We have over 17 years’ experience in information governance helping people get their businesses in order — from helping to transact over 1 trillion dollars in M&A deals and procurement on our platform, to technology enabling board meetings and GRC processes to run like clockwork.

Bringing order and governance into all aspects of how you run your business is the difference between average results and excellence, every time. The difference between failure and success, and the backbone of business resilience.

Book a demo to see how Ansarada can bring order to your governance processes: http://bit.ly/3EtsNr5


Rachel Riley can be contacted on marketing@ansarada.com.


Ansarada is a global SaaS platform that brings order through greater information governance.