Tackling risks to business resilience can be its own reward: report

Posted on 11 Oct 2023

By Greg Thom, journalist, Institute of Community Directors Australia

Fear of cyber attack tops the list of risks that organisations are most concerned about, according to a new study.

More than 68% of respondents polled for the Risk, Regulation and Resilience report by legal firm Maddocks cited cyber-crime as a leading business vulnerability worry.

This was followed by threats posed by employees (50%), reputational risk (37%) and regulatory breaches (34%).

The report’s authors said there had been a significant shift in recent years in the factors that drive business resilience.

The covid pandemic, ageing IT systems, increased penalties for regulatory breaches and heightened environmental, social and governance (ESG) risks have all made an impact.

While some organisations felt well prepared to handle any incident, budget constraints and a lack of crisis management planning remained a problem for many.

The Maddocks study surveyed 400 businesses across a range of industries to identify areas where they felt most vulnerable.

The probe also aimed to highlight what measures organisations were taking to boost their resilience.

Among the report’s key findings:

  • A third of organisations said they were well or very well prepared to handle an incident.
  • Under 25% shared risk information with their employees.
  • Less than half conducted incident simulations as part of their resilience regime.

About 34% of organisations cited budget constraints as the main barrier to having a robust resilience plan.

The report said it was unsurprising that organisations identified cyber and privacy risks as their biggest vulnerabilities, given the “crippling nature” of recent high-profile attacks by hackers.

More than 87% of government sector organisations and 81% of educational institutions rated cyber threats as a key vulnerability.

“The threat landscape in Australia is constantly evolving and changing – and with changes to Australia’s Privacy Act, the penalties are very significant,” said Maddocks partner Sonia Sharma.

The report said recognising and understanding some of the most common features of a crisis is crucial to ensuring an organisation is well placed to deal with the consequences of an unexpected event.

Chief among these features is that teams will often need to respond to challenges without the aid of timely or accurate information.

The report said organisations should consider appointing a liaison person to deal with authorities and regulators; selecting crisis team members based on their abilities, not their titles; and seeking expert internal and/or external advice from those experienced in dealing with a crisis.

The report highlighted that the worst threat or crisis involved the emergence of two or more risks simultaneously.

“When conducting threat assessments or crisis drills, do not assume you will only be dealing with one issue at a time. Test your resilience to deal with a confluence of events.”

While 71% of organisations that took part in the study had business continuity plans and more than half had crisis management plans, just 22% had procedures in place that were shared with employees.

Barriers to achieving business resilience ranged from budget constraints (34%) and lack of awareness of best practice (27%) to a failure to make it a business priority (17%).

The report includes a checklist to help organisations identify and manage business risks, and it recommends these actions:

  • conducting regular risk assessment and identification
  • fostering a risk-aware culture
  • establishing clear roles and responsibilities
  • creating a robust risk management framework
  • implementing a risk monitoring and reporting system
  • engaging with external experts where appropriate.

“By adopting these strategies,” the report says, “businesses can overcome barriers to managing risk effectively and build a resilient organisation capable of navigating uncertainties and seizing opportunities.”
