The Expert View: business resilience in an increasingly risk-laden landscape

“It is clear that uncertainty and disruption are here to stay,” said Tom Holloway, of Sungard AS, introducing a recent virtual round table hosted by Business Reporter. He told an audience of senior executives from a range of industries that the value of global cyber-crime in 2021 was estimated at $6 trillion, equivalent to more than the GDP of the world’s third-largest economy (Japan).

Given the scale of the threat, it’s no surprise that almost 80 per cent of respondents in one recent survey said that ransomware was the greatest threat they expected to face over the next five years.

How can businesses remain resilient in this landscape? They must identify their critical data and implement backup and recovery plans, said Holloway. He added that when it comes to assessing risks there are plenty to choose from, so businesses need to establish which ones genuinely concern them and plan accordingly.

‘The pandemic has focused minds’

Perhaps surprisingly, the Covid-19 pandemic had some positive impacts, according to many of the briefing’s attendees. The switch to home working, for example, forced many companies to test disaster recovery plans that hadn’t been deployed before. Within days, companies where working from home had never been allowed had their entire staff doing so, which brought added cyber-security risks.

One attendee gave the example of a company that had not really done due diligence on its suppliers and found itself with a lot of dependencies from third parties that had to be dealt with at short notice.

“The pandemic has helped focus minds,” said an attendee. He said resilience was now high up the agenda for a lot of boards. Another attendee said his organisation now had a new resilience team, whose first task was horizon scanning, to make sense of the new risk landscape.

‘We’re almost regulated by our clients’

For those in the financial services sector, the operational resilience regulations which come into force at the end of March 2022 will have also focused minds. One attendee, who works in insurance, said that having a board that is already aware of regulatory issues, and of resilience, makes it easier to draw their attention to cyber-risk.

Several attendees said that working with clients in regulated sectors often requires them to demonstrate a higher standard of resilience and security than they would normally have to demonstrate to third parties. “We’re almost regulated by our clients,” said one attendee, adding that they were often expected to fill in enormous forms concerning their various processes and controls.

‘Who’s in charge depends on culture’

Form-filling isn’t enough on its own, however. As one attendee put it, “Policies and certificates are fine up to a point, but meaningful actions are what is required in the end.” That means making sure that everyone knows what you are trying to protect, what to do in the event of a disaster, and what controls are available.

It also means knowing where responsibility sits. Organisations need to decide in advance who will run an incident and that largely depends on culture. Holloway gave the example of one organisation where the CEO “acted almost like a client”, asking questions of a senior executive who was charged with managing the response. This would be someone from a section other than the one involved in the incident. So, the CTO wouldn’t handle a technology-related crisis because they would be too busy dealing with the actual issues.

Making all this work takes practice and planning but attendees warned not to place too much faith in any plan. “Have a plan but understand that the plan is not what is going to happen,” said one attendee. The plan is vitally important but only because it gets everybody to think about what might happen and how they will react.

Beyond the plan, organisations need to know what their first steps will be – typically that starts with gathering the people you will need. From there, organisations must trust their culture and be prepared for things to change rapidly. Uncertainty is the only certainty.