Preparing for the unexpected

  • Date:01 Mar 2015
  • Type:Company Director Magazine
Risk mitigation and crisis management strategies have never been more important for Australian business. Matthew Sainsbury explains why continuity planning is fast becoming a critical skill for boards.


In 2014, businesses were given sharp reminders that in today’s connected world, technology risk is something that needs to be part of a disaster recovery strategy. This is because, in many cases, a technology crisis can itself be a business-ending event.

A recent example of this ocurred at the end of 2014 when Sony Pictures was hacked and over 100 terabytes of data was stolen from its network. This data included sensitive employment details, unannounced film scripts and films that had not yet been commercially released which were subsequently made available on the internet, costing the company in lost ticket sales.

At the time of writing, we do not know who was responsible for the hacking, although North Korean state-sponsored hackers are being held accountable by the American Government. However, there are equally compelling arguments that it was a disgruntled internal employee. Either way, the ramifications of the hacking will have an impact on Sony Pictures for years to come.

Similarly, in late 2013, US retailer Target was the victim of a hacking in which 40 million credit card numbers were stolen, causing the retailer significant and lasting reputational damage. These events might not be business ending for organisations of such a scale as Target and Sony Pictures, but for smaller organisations they could well be. Every company director therefore needs to be aware that they are exposed to equal levels of technology risk. As such, their business continuity plans need to take these risks into account.

Tessa Court, chief executive officer (CEO) of online information management company IntelligenceBank, says that for too long IT has been put into a box where it has been left to the chief information officer to manage, rather than forming part of the broader business continuity strategy.

“‘The internet of everything’ now means that even the most mundane, everyday devices are being connected to the internet, so every facet of an organisation is now involved in technology. And, while not every director on the board has to be an expert on IT, they should have someone who can have an IT conversation,” she says.

This understanding that IT is more relevant to an organisation’s security and continuity than installing a firewall to protect the network needs to extend to the company directors themselves, outside  the boardroom. People of malicious intent are able to use technology to research a company director’s online profile and track their real-world movements through their presence on social media.

In turn it is possible to locate their home address and break in when they are not at home, or even potentially create a risk to their personal safety. Such risks are small (though for organisations involved in highly sensitive industries it is more significant than many would like to think), but they need to be considered.

Directors should be aware of the potential impact that their activities can have on an organisation’s business continuity arrangements, Konrad Buczynski, director of consultancy firm Agilient, says. “In a previous role as chief security officer, I gave advice to a chairman of the board who was preparing to embark upon a trip through Asia with a group of top Australian industry businesspeople. There were particular arrangements that concerned us, both from an intellectual property and travel security perspective.

“To see the consequences of what can happen to a business when the board is personally impacted, consider Sundance Mining in the Congo a couple of years ago. The entire board was travelling on a plane that tragically crashed, and with no proper succession plan in place and no immediate way to appoint new members, the company required the assistance of the Australian Securities and Investments Commission to devise a solution to recruit a new board.

“Oftentimes companies overlook the criticality of succession planning, and perhaps in a different industry the implications for continuity of the company itself could have been much, much worse,” Buczynski says.

Threats are more than IT
With the focus that is being put into IT governance and its role in business continuity and disaster recovery planning, many organisations are perhaps focusing on the issue too much, to the exclusion of more traditional concerns, argues Stefano Masiello, marketing director ANZ at NGA Human Resources.

“Business continuity planning is not IT or general risk management, and that is often forgotten,” Masiello says. “Most organisations fall into this common thought trap. Business continuity is about planning for extremely unlikely but high impact events. It could be a critical IT event, sure, but it can also be banks failing, massive utility breakdowns, pandemics, and natural disasters”

Overall, the threats to business continuity have not changed over the years, Masiello says. However, the significance of the risks has changed and as some events have become more likely, some organisations have found their continuity plans exposed in recent years for not being adequate.

One local example was the Brisbane floods in 2011. Many businesses lost data and productivity and this is despite flooding being a known risk for the geography of the region. Another example was the recent hostage situation in Sydney’s CBD, which saw office blocks put into lockdown and supply chains for multiple businesses disrupted. With Australia being considered generally safe, few organisations had specific plans in place to handle an event of this type. “I don’t believe there are really many new disasters that haven’t been accounted for,” Masiello says. “But what I feel is changing – and needs to change – is the priority put into planning for some events.”

One of the most significant risks to business continuity does not come from outside threats at all – a single disgruntled employee is enough to be catastrophic to an organisation. Consider the embarrassment the National Security Agency in the US experienced at the hands of Edward Snowden who gave classified information to Wikileaks. These events are all sharp reminders to business to keep revising their disaster management plans to remain current.

“The insider threat is something directors need to have on their minds when preparing disaster management strategies,” Colin Panagakis GAICD, business development manager of ICSA Boardroom Apps, says. “Directors need to ensure that the management team has the proper frameworks and processes in place so that people in sensitive roles have adequate background checks done, and that sensitive areas of the business – such as its data centre – are access restricted.”

Planning for disaster
So, how can directors be assured their organisation has adequate disaster management plans in place?

Undertaking regular reviews and audits both from within and outside the organisation will help identify where the disaster recovery plan is inefficient compared to both the current environment and likely and unlikely risks that are on the horizon.

Additionally, organisations should prepare their responses to disasters well in advance. Having statements and releases vetted and cleared in advance can help to control the message outside the organisation in the event of a crisis, and minimise the risk of the event being exasperated by a hurried and poorly articulated statement.

And while technology is a risk that requires disaster recovery planning itself, it is also a key part of an organisation’s strategy, even if that is an accidental benefit to the organisation, says Paul Bakker MAICD, lead partner of business advisory at Crowe Horwarth’s Sydney offices.

“With cloud computing, businesses are becoming more blurred about where their data is being kept, they have inadvertently set themselves up with an important part of a business continuity – redundancy,” Bakker says.

In essence, redundancy is having a duplicate or “back-up” of information, data and processses so that if technology fails, the organisations can acquire new technology and pick up where they left off. Cloud computing enables this redundancy because the data hosted in the cloud can be accessed from any number of computers.

However, having data in the cloud is not enough, he adds. “Merely thinking ‘my data is off site so if my building burns down I am okay’ is not enough,” Bakker says. “What happens if your provider’s building burns down? Without the proper redundancy you still do not have a good disaster recovery strategy in place.

“A lot of third-party providers are now also guaranteeing their customers redundancy, which is a way for them to differentiate their service in the market.”

Bakker continues: “Ultimately, complacency is a common mistake with disaster recovery planning.
“Ticking all the boxes is good, but having the strategy tested and the substance behind it is important as well. The directors are the legally and strategically responsible individuals within the company.

“They need to ensure disaster management plans are being tested and that the newcomers understand those strategies.” 

Five key business continuity strategies

1. Understand the threat landscape
Likely and unlikely disasters will change on a yearly, if not monthly basis. It is important that all directors and executive management remain on top of what the current risks are and the most current strategies to mitigate them.

2. Remain vigilant for both internal and external threats
One of the most common mistakes that organisations make in disaster planning is ignoring the potential for a disgruntled employee to cause trouble.

3. Be aware of personal safety and security
Company directors are listed on their company websites by necessity, but a committed hacker can gain information on that person from even that short blurb. A director’s home and personal technology needs to be treated with the same need for security as their work devices.

4. Redundancy is key
Always have an alternative for every business process, supplier and technology project and make sure that alternative is located in an area that is geographically separate from the main location. Have robust plans in place to automatically roll over as a back-up in the event of a disaster.

5. Have full disaster management and succession plans in place
In a disaster, a chaotic environment can cause more mistakes and when that happens the impact of the event can be even greater. Having clearly laid-out and pre-prepared strategies for managing disasters will minimise the impact.