It goes without saying that company boards should understand their company’s crisis and business continuity management plans. Yet PWC found that only 37% of directors believed that their board fully understood this.
That presents an opportunity for service providers to guide customers on resilience and mapping of responsibilities.
“Cloud, disaster recovery, continuity, redundancy, contingency, all these words need to be very well understood. And at the moment, I don't think they are,” says PwC Australia’s Director of Organisational Resilience, Jon McNish.
“What cloud offers versus on-premise, data, databases, applications – what's the difference? We see some of these being interchanged and used incorrectly,” he says.
McNish says that as the stakes escalate in terms of disaster recovery risk mitigation, the onus for defining and understanding accountabilities and responsibilities should be on upper management. As the rising requirement for boards – from a governance and security standpoint – accelerates, so does accountability and expectations of them to deliver at a time of crisis.
“The starting point for most organisations at the moment needs to be: let's just understand what we mean by what we've written in the past in our plans, and make sure we've got that well defined and make sure we understand what we need.”
“That's where thirst for information, from the senior leaders and board members is at the moment to better understand it because they are being held to account to make decisions on the day of the race,” McNish warns.
He sees a gap in many organisations’ disaster recovery and disruption strategic planning. Executive teams aren’t empowered with the knowledge required to make decisions about this quickly.
Of course, that’s a problem during a ransomware attack. Decisions during these incidents should take into account the organisation, not simply the act of data recovery.
“For that reason, boards, executive teams have become so much more interested in what disaster recovery means and what it looks like for them, as those instances – very recently with Optus, Medibank and others, and Covid – have made the board level suddenly exposed to something that they don't know and fully understand or fully appreciate, and [they] are expected to make critical decisions on behalf of the organization,” McNish says.
This knowledge base historically sat with ‘technology wizards', but should be communicated to more senior leaders who decide and execute on decisions, according to McNish.
“We've got to have an understanding at the uppers of management. Otherwise, how are we going to affect optimal decision making in the face of disrupt? Covid brought that home really quite clearly.”
That’s an opportunity for disaster recovery partners to provide guidance.
-1.jpg&w=100&c=1&s=0)
.png&w=100&c=1&s=0)
