Seven steps to build digital resilience in an uncertain world

May 2020  |  SPECIAL REPORT: BUSINESS STRATEGY AND OPERATIONAL PERFORMANCE

Financier Worldwide Magazine



As COVID-19 spreads across the globe, impacting our health and wreaking havoc on businesses large and small, it is becoming clear that the world has become much more volatile, uncertain, complex and ambiguous. In contrast to previous global shocks, such as those experienced in the 20th century, the systems that we rely on today to keep businesses, governments and our society in motion are primarily digital and perilously interconnected.

Macro-environmental threats are stark reminders that digital technology, while a panacea in good times, can be susceptible to failure in the hour of need, especially if the assumptions at the time of its implementation no longer reflect reality. Business executives need to consider what happens in the event of a large-scale disruption and, especially in such uncertain times, how they can build organisations that are digitally resilient.

Digital resilience can be thought of as embodying the rapid convergence of: (i) cyber security and protection against threats to digital assets; (ii) business continuity planning – companies’ preparedness to maintain critical business functions in the event of a disruption; and (iii) digital governance, risk and compliance (GRC), which enables companies to keep digital machinery ‘on track’ and aligned with corporate objectives.

Treating these areas as separate functions is no longer appropriate in 2020. The current business environment demands an integrated approach. To thrive and survive, every organisation needs to recognise its reliance on digital infrastructure to ‘keep the lights on’ and work toward digital resilience at every level, from the C-suite to the front line. The best way to capture all these areas and ensure uniformity of approach is in a digital resilience framework, which acts as an umbrella document.

Using the COVID-19 outbreak as an example, recent weeks have revealed how unprepared some businesses and governments are to respond to a pandemic scenario. Inadequate digital infrastructure and planning have weighed down business leaders trying to act decisively in response to the disruption, sending tremors up and down global supply chains. In the professional services sector, some firms are scrambling to build their response capabilities, preparing their workforces to work from home, conducting meetings by videoconference rather than in person and accessing business-critical information systems remotely. Digitally resilient businesses stand prepared to respond to these kinds of situations quickly with minimum fuss or disruption.

Below are seven steps to take on the digital resilience journey.

First, gather information and take stock of your ‘current state’, even if you already think you have visibility of this. This means conducting an internal audit, perhaps with external assistance, of all areas of digital risk. As businesses become more reliant on data, this is very likely to involve a privacy or data protection review, which involves data flow mapping for your entire organisation and an assessment of current practices against applicable privacy and data protection laws.

Second, strategise. To use a military analogy, an organisation must identify: (i) its most important assets – its digital ‘crown jewels’; (ii) who its enemies are (malicious actors or disasters); and (iii) how these enemies are likely to attack (any threat vectors). This involves a process of prioritisation so that expenditure and effort can be focused on the most important areas. This step is also forward-looking. It involves the high-level consideration of possible future directions and anticipating possible future digital risks.

Third, embed digital resilience and knowledge or awareness at every level of the organisation. That means: conducting privacy and cyber security impact assessments (PIAs) for every new digital project; incorporating digital risk assessments into third-party due diligence for new outsourcing or service provider arrangements; establishing a tailored incident response plan (including a data breach response plan) and business continuity plan; setting up active cyber defences to stay ahead of malicious actors and monitor systems for irregular behaviour; and preparing a communications plan for everything that could ‘go wrong’ with your digital infrastructure. Do not forget to plan for what recovery looks like – what services you will bring online, when and how. It also requires promoting digital resilience in corporate culture and through behaviours. From a systems perspective, it means choosing technology solutions that can be integrated with other solutions as and when they hit the market with minimal configuration. In the current context of the COVID-19 lockdown, it means using enterprise platforms that can be used remotely from any device. This is one of the most important steps and usually requires specialist expertise.

Fourth, insure. Since the introduction of the EU General Data Protection Regulation (GDPR), penalties for breaches of privacy and data protection laws around the world are on the rise and regulators are getting serious about protecting individuals’ rights and interests in the data that identifies them. Breaches of laws and regulations, whether they are directly ‘your fault’ or not, also have adverse reputational consequences. Cyber attacks can have disastrous implications for a business and can cost tens, if not hundreds, of millions of pounds. In 2020, it is advisable to obtain cyber and privacy insurance to ‘offload’ organisational risk down to a board-acceptable level.

Fifth, train personnel for digital resilience and knowledge or awareness. You might have all the right policies in place but often, for too many organisations, these do not translate into practice. It is sensible to run annual training, drills and simulations to help all staff build ‘muscle memory’ as to how they should contribute to digital resilience day-to-day and respond to incidents, such as data breaches, in line with documented processes and procedures.

Sixth, test your organisational response to disruptions. In previous decades, most organisations understood the need to test organisational responses to physical threats to safety, such as fire or equipment failure, but in the digital age, most organisations neglect putting their digital resilience to the test. Testing is sometimes done in a targeted way, such as penetration testing, but, in 2020, a more comprehensive and holistic testing approach is needed to see how people, technology and process stand up in a crisis.

Finally, continually review, revise and adapt. The world is changing at such a pace that best practice, in some areas, changes by the month. This does not mean a wholesale rewrite of your digital resilience framework every quarter. It simply means applying an agile mindset to the way you manage digital resilience. Start with a comprehensive framework that focuses on key strategic risks and constantly make minor adjustments and new iterations. The agile methodology works not only for digital transformation but for digital resilience too.

It is easy to fall into the trap of conceptualising digital resilience as relating only to risk. However, its role is much bigger than that. Digital resilience also acts as a firm foundation or ‘launchpad’ for digital innovation. Maintaining a real-time, high-definition picture of the status of core digital infrastructure, including from a compliance perspective, frees an organisation to innovate with confidence – a ‘risk dividend’ that can be reinvested in the company, if you will. Digital resilience is a strategic imperative and can underpin competitive advantage in an uncertain world.

Alec Christie is a partner and James Wong is an associate at Mills Oakley. Mr Christie can be contacted on +61 2 8035 7959 or by email: achristie@millsoakley.com.au. Mr Wong can be contacted on +61 3 8568 9637 or by email: jwong@millsoakley.com.au.

© Financier Worldwide

