Navigating Operational Resilience: From theory to practical
Practical lessons learned from the recent CPS 230 Operational Risk Management Morning Briefing in Sydney.
Picture your team—the CEO, CFO, CTO, Head of Compliance, Head of IT, and Head of Payments. It's a bustling day at your company, and you find yourself in a routine meeting with the head of compliance and the CEO when, suddenly, your IT manager bursts into the room, panic etched across their face.
Unveiling the reality: A cybersecurity breach scenario
"Sorry to interrupt, but I'm worried our customer data has been compromised. We've discovered unauthorized access."
How would you feel at that moment?
Moving past that initial 'shock' moment, you ask, "Do you think we've been hacked?" They reply, expressing suspicion of unusual access and activity that, on initial investigation, appears to have been ongoing for a few days.
As you glance at your CEO, there's a pause. No one says anything. What's your next move?
Trying to comprehend this unexpected revelation, your Chief Technology Officer (CTO) enters to confirm the breach. In a matter of minutes, it becomes clear—your organization is under attack by a determined hacker, breaching systems and gaining access to sensitive customer data.
Your Chief Marketing Officer (CMO) rushes in, inquiring about protecting the brand reputation. "How do we handle customer communication? Where's the plan for communications?"
Meanwhile, the legal team is in overdrive, searching for insurance details and assessing whether notification is required by law. The clock is ticking, and the pressure is mounting. Should you contact the authorities, or trust a cybersecurity partner?
As minutes turn into hours, a decision must be made. Do you announce the breach to the public immediately, or do you wait to gather more details? There's a tense discussion about the pros and cons of both approaches. The fear of damaging your company's reputation versus the potential for more data being stolen as you delay.
Just when you thought things couldn't get more intense, the hacker contacts you directly for a ransom. They demand a significant sum to prevent a data leak. Do you pay to avoid further customer data exposure, or refuse, risking the hacker going public with sensitive information?
Do you know your ransom policy or limit? Do you even have one? Who needs to be involved? Doesn't insurance need to be notified beforehand and be part of the discussion?
This story is a wake-up call, making you question your preparedness. Do you have the right people in place to handle this crisis? Is your media communication strategy ready? Do you have a defined plan to deal with ransomware attacks, including known limits for negotiation? And most importantly, are you equipped to take immediate action to contain the breach and protect your organization's future?
This scenario is not hypothetical; it happens daily. One Australian financial services firm experienced a similar cybersecurity breach in March 2023, affecting over 14 million customers. Their breach, initiated through a third-party provider, led to scathing criticism of their statements from cybersecurity committees. The fallout lasted 42 days, emphasizing the critical need for robust cybersecurity measures and comprehensive crisis response plans.
Testing Operational Resilience: Bridging the gap between theory and realityAt the event, the imperative to move beyond theoretical plans and embrace practical, scenario-based testing for operational resilience was emphasized. Drawing attention to a case study where a meticulously documented plan faltered during a crisis, it was highlighted that practical, real-world testing is crucial to validating and fortifying plans.
CPS230 emerged as a transformative tool, guiding organizations toward a proactive and integrated approach to operational resilience. The paradigm shift from governance, risk, and compliance (GRC) to governance, resilience, and compliance was discussed as a departure from traditional isolated silos. Implementing an inside-out approach, focusing on critical processes and integrated foundations, was underscored as a proactive strategy.
Operational resilience requires a step-by-step approach. Starting with planning, the importance of stakeholder engagement, gap analysis, and cross-functional workshops in the process was highlighted. The critical steps involved in identifying operations, mapping processes, and determining supporting resources were spotlighted as actionable measures. The significance of setting impact tolerances, aligning them with the maximum disruption period, extent of data loss, and minimum service levels during alternative arrangements, was explored. Implementing a customer-centric approach and considering different types and amounts of data were underscored as actionable steps, reflecting the interconnected nature of impact tolerances.
Foundations of Operational Resilience: Building step by step
Scenario testing was positioned as a proactive approach to preparedness, enabling organizations to simulate disruptions like cyberattacks, supply chain failures, or natural disasters. This approach helps identify vulnerabilities and weaknesses in operational resilience, encouraging a shift from theoretical plans on paper to practical plays in the field.
The role of Boards and ongoing governance: Shaping a resilient cultureThe role of Boards in operational resilience took center stage at the event, emphasizing the shift from a tick-box GRC approach to active responsibility. Implementing ongoing governance, involving the development of testing programs and monitoring regimes for continuous assurance, was discussed as a means to foster a resilient culture.
In conclusion, the presentation stressed that operational resilience is not just a regulatory burden but an opportunity to develop a resilient, adaptable, and forward-thinking approach to business continuity. Event goers were urged to seamlessly move from risk to resilience, with the introduction of Ansarada's Operational Resilience software as a practical tool for this transformative journey.