<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>BUSINESS CONTINUITY | InConsult</title>
	<atom:link href="https://inconsult.com.au/publication-category/business-continuity/feed/" rel="self" type="application/rss+xml" />
	<link>https://inconsult.com.au</link>
	<description>Helping you confidently take risks</description>
	<lastBuildDate>Wed, 31 Jul 2024 00:12:52 +0000</lastBuildDate>
	<language>en-AU</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://inconsult.com.au/wp-content/uploads/2021/06/cropped-favicon-3-32x32.jpg</url>
	<title>BUSINESS CONTINUITY | InConsult</title>
	<link>https://inconsult.com.au</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Mastering Tabletop Exercises: Your Ultimate Guide</title>
		<link>https://inconsult.com.au/publication/mastering-tabletop-exercises-your-ultimate-guide/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Wed, 31 Jul 2024 00:12:52 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=11894</guid>

					<description><![CDATA[<p>Tabletop exercises (TTXs) are a crucial element of business continuity (BC) planning, crisis management, emergency management, and cybersecurity. They offer organisations a method to evaluate their readiness for various disruptions while enhancing the response capabilities of individuals in the response team. The origins of tabletop exercises date back to the Cold War era when civil [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/mastering-tabletop-exercises-your-ultimate-guide/">Mastering Tabletop Exercises: Your Ultimate Guide</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>Tabletop exercises (TTXs) are a crucial element of business continuity (BC) planning, crisis management, emergency management, and cybersecurity. They offer organisations a method to evaluate their readiness for various disruptions while enhancing the response capabilities of individuals in the response team.</p>
<p>The origins of tabletop exercises date back to the Cold War era when civil defence drills became a key part of national security strategies. During this period, governments and organisations conducted drills to prepare for potential nuclear attacks, emphasising evacuation procedures, sheltering strategies, and emergency response protocols. These early exercises underscored the importance of coordinated responses, setting the stage for the modern tabletop exercises we use today to enhance organisational preparedness and resilience.</p>
<p>Today, tabletop exercises are a cornerstone of modern business continuity planning. They help organisations prepare for a wide range of potential disruptions, including cybersecurity breaches, natural disasters, and supply chain disruptions.</p>
<p>In this publication, we explore what tabletop exercises are, their benefits, how to structure and facilitate them effectively. We look at methods to identify strengths and weaknesses in your plan, and how to leverage post-exercise reports for continuous improvement.</p>
<h2>What is a Tabletop Exercise?</h2>
<p>A tabletop exercise is a discussion-based session where response team members (and, in some cases, their alternates) meet in an informal setting to discuss their roles during a disruption event, crisis, or emergency. These exercises aim to simulate a realistic scenario without the need for actual deployment of resources, making them a fast, effective, and relatively low-cost method for evaluating an organisation’s preparedness.</p>
<h2>What are the Benefits of Tabletop Exercises?</h2>
<p>Tabletop exercises are crucial for validating the efficacy of various response plans, providing an efficient method to review, assess, and improve emergency preparedness, communication, and response strategies. The five major benefits of tabletop exercises are:</p>
<ol>
<li><strong>Enhanced Preparedness:</strong> TTXs allow response teams to walk through their documented response plans, ensuring everyone understands their roles and responsibilities. This also enhances the team&#8217;s confidence in dealing with a realistic situation.</li>
<li><strong>Improved Communication:</strong> They foster communication and collaboration among team members, departments, and external stakeholders. It is a great team-building exercise.</li>
<li><strong>Identification of Gaps: </strong>Realistic exercises help identify gaps in plans and procedures that might not be evident without a simulated application to a specific scenario and under pressure.</li>
<li><strong>Risk Mitigation:</strong> By practicing responses, organisations can mitigate risks and minimise potential impacts of disruptions by improving control gaps identified in the scenario.</li>
<li><strong>Regulatory Compliance:</strong> Many industry regulators, including the Australian Prudential Regulation Authority (APRA), require regular testing of business continuity plans (BCPs). TTXs help meet these requirements. <a href="https://www.apra.gov.au/sites/default/files/2022-07/Draft%20Prudential%20Standard%20CPS%20230%20Operational%20Risk%20Management.pdf" target="_blank" rel="noopener">CPS 230</a> requires that an APRA-regulated entity&#8217;s BCP &#8220;includes an annual business continuity exercise&#8221;.</li>
</ol>
<h2>Aligning Tabletop Exercises to ISO 22301</h2>
<p>ISO 22301, Security and resilience – Business continuity management systems (BCMS) – Requirements, is the International Standard for implementing and maintaining effective business continuity plans, systems and processes. Clause 8.5 of ISO 22301:2019 defines the requirements for exercising and testing.  The clause outlines the requirements for planning, conducting, and evaluating exercises and tests of the BCMS.</p>
<p>The Standard recommends creating a comprehensive exercise program that outlines a schedule, objectives, scope, scenarios, participants, and evaluation criteria. This program should serve as the foundation for all exercising and testing activities.</p>
<h2>Structuring and Facilitating Effective Tabletop Exercises</h2>
<p>There are three critical stages to structure and facilitate successful tabletop exercises that ensure the exercise’s effectiveness and value &#8211; planning the TTX, conducting the TTX, and a TTX debriefing at the conclusion.</p>
<p><img class="wp-image-11907 aligncenter" src="https://inconsult.com.au/wp-content/uploads/2024/07/Tabletop-exercises-TTX-1224x523.png" alt="Tabletop Exercises TTX: planning, conducting and debriefing" width="699" height="298" /></p>
<h3>Designing and Planning the Tabletop Exercise</h3>
<p>Planning the tabletop exercise is critical to success, serving as the foundation for a meaningful and effective session. Proper planning ensures that the exercise objectives are clearly defined, the scenario design is realistic and relevant, and all necessary logistics, materials, and participants are prepared. By meticulously planning each step—from selecting a scenario and developing a detailed script to briefing participants and setting a timeline—organisations can create a structured environment where team members can engage, collaborate, and gain valuable insights. The key steps in designing and planning the exercise include:</p>
<ol>
<li><strong>Define Objectives:</strong> Clearly outline the goals you aim to achieve, such as testing specific elements of your business continuity plan and/or improving team capabilities and confidence.</li>
<li><strong>Degree of Difficulty:</strong> The degree of difficulty of a TTX can vary from relatively simple to complex. Select a simple TTX if the response plan is new or there are new members in the response team. Choose a more complex TTX where your organisation is relatively mature and the team is very capable.</li>
<li><strong>Select a Scenario:</strong> Pick a relevant scenario that could impact your organisation, e.g. natural disasters, cyber-attacks, or supply chain disruptions.</li>
<li><strong>Develop a Detailed Script:</strong> Create a comprehensive script that outlines the scenario’s progression, key events, and injects.  The injects are new information or events introduced during the exercise.</li>
<li><strong>Identify Participants:</strong> Include individuals from all relevant departments and levels of the organisation to ensure a thorough evaluation of the response plan.</li>
<li><strong>Prepare Materials:</strong> Gather all necessary materials, such as maps, charts, and communication tools, to support the exercise. In some instances, you may want participants to gather the information themselves as part of the exercise evaluation.</li>
<li><strong>Keep it Confidential:</strong> In some instances, keeping the specific TTX scenario confidential preserves the element of surprise. Confidentiality prevents participants from preparing scripted responses, ensuring their reactions and decisions during the exercise are spontaneous and realistic. This helps in accurately assessing the organisation’s preparedness and understanding how team members will respond under pressure.</li>
<li><strong>Set a Date and Venue:</strong> Schedule the exercise at a convenient time and place where participants can focus without interruptions.</li>
<li><strong>Brief Participants:</strong> Provide participants with background information on the scenario and the exercise’s objectives before the session.</li>
<li><strong>Assign Roles:</strong> Clearly define roles for all participants to ensure the exercise runs smoothly and all aspects are documented.</li>
<li><strong>Conduct a Pre-Exercise Meeting:</strong> Hold a preliminary meeting to ensure everyone understands the exercise structure and expectations.</li>
<li><strong>Review and Adjust:</strong> Based on feedback from the pre-exercise meeting, make any necessary adjustments to the script or logistics.</li>
</ol>
<h3>Conducting a Tabletop Exercise</h3>
<p>On the day of the exercise, it is likely there will be a few nervous participants. It is important to get them to relax and enjoy the experience. Remind them that no one is being tested, and there is no pass or fail.</p>
<p>The process begins with the facilitator presenting the scenario and guiding participants through their roles and response actions. Throughout the exercise, participants discuss their decisions, collaborate on strategies, and address emerging challenges. Injects, or new pieces of information, are introduced to simulate real-time developments and test the flexibility of the response. A typical TTX Runsheet can include the following items:</p>
<ul>
<li><strong>Kick-off and Introduction:</strong> Begin with a brief overview of the exercise objectives, agenda, and rules. Introduce the scenario to the participants.</li>
<li><strong>Scenario Presentation:</strong> The facilitator presents the initial scenario, setting the stage for the exercise.</li>
<li><strong>Role Assignments:</strong> Ensure all participants understand their roles and responsibilities within the scenario.</li>
<li><strong>Facilitate Discussion:</strong> Guide the discussion as participants walk through their response actions. Ask probing questions to explore different aspects of the response.</li>
<li><strong>Injects:</strong> Introduce new information or events (injects) at planned intervals to simulate real-time developments and challenges.</li>
<li><strong>Document Actions and Decisions:</strong> Have a scribe or team of scribes record key actions, decisions, and any issues that arise during the discussion.</li>
<li><strong>Encourage Participation:</strong> Ensure all participants are actively engaged and contributing to the discussion. Address any dominant voices to maintain balanced participation.</li>
<li><strong>Monitor Time:</strong> Keep the exercise on schedule, ensuring all key points are covered within the allotted time.</li>
<li><strong>Pause and Reflect:</strong> Periodically pause the exercise to summarise progress, address questions, and ensure everyone is on the same page.</li>
<li><strong>Conclude the Scenario:</strong> Once the scenario has been fully discussed, bring the exercise to a close.</li>
<li><strong>Summary and Next Steps:</strong> Summarise the key takeaways from the exercise and outline the next steps for improvement and follow-up actions.</li>
</ul>
<h3>Debriefing</h3>
<p>While everyone is still in the room, it is critical to capture the lessons learned. There are two debrief methods often used:</p>
<ol>
<li><strong>Hot Wash:</strong> Immediately at the conclusion of the exercise, hold a debriefing session to gather initial feedback from participants.</li>
<li><strong>Detailed Feedback:</strong> Use surveys or structured interviews to collect more in-depth feedback on the exercise.</li>
</ol>
<p>A thorough debrief is essential to maximise the benefits of a tabletop exercise, as it transforms lessons learned into concrete improvements, ultimately strengthening the organisation’s readiness and resilience against future disruptions.</p>
<h2>Techniques for Evaluating Your Plan&#8217;s Strengths and Weaknesses</h2>
<p>There are several opportunities to identify strengths and weaknesses in your Business Continuity (BC) plan before and after a tabletop exercise:</p>
<ul>
<li><strong>Pre-Exercise Gap Analysis:</strong> Review the existing plan to identify any obvious deficiencies or areas lacking comprehensive strategies.</li>
<li><strong>Performance Metrics:</strong> Establish metrics to measure performance during the exercise, such as response times, decision-making efficiency, and communication effectiveness.</li>
<li><strong>Post-Exercise Gap Analysis:</strong> Compare the exercise outcomes with your current BC plan to identify discrepancies and areas for improvement.</li>
<li><strong>Scenario-Based Evaluation:</strong> Assess how well the plan addresses the specific challenges presented by the scenario.</li>
<li><strong>Stakeholder Feedback:</strong> Gather feedback from all participants to understand different perspectives on the plan’s effectiveness.</li>
</ul>
<h2>Preparing Post Tabletop Exercise Reports for Continuous Improvement</h2>
<p>Leveraging post-exercise reports for continuous improvement is a vital aspect of the tabletop exercise process, turning insights gained into actionable strategies. These reports provide a detailed analysis of the exercise, highlighting strengths, weaknesses, and areas for enhancement.  Improvements to the BCMS could include revising policies, enhancing procedures, training employees, or modifying physical infrastructure to address any identified gaps or deficiencies.</p>
<ul>
<li><strong>Analyse Findings:</strong> Identify recurring themes, strengths, and weaknesses from the exercise.</li>
<li><strong>Develop Action Plans:</strong> Create actionable steps to address identified weaknesses and enhance strengths. Assign responsibilities and timelines for implementation.</li>
<li><strong>Compile a Comprehensive Report:</strong> Summarise the exercise, including objectives, scenario details, participant actions, and key findings.</li>
<li><strong>Update the BC Plan:</strong> Incorporate the improvements and lessons learned into your business continuity plan.</li>
<li><strong>Future Exercises:</strong> Plan future tabletop exercises to test the updated plan and ensure continuous improvement.</li>
</ul>
<p>By systematically reviewing and acting on the findings, organisations can refine their business continuity plans, address gaps, and bolster their overall resilience. The iterative process of implementing improvements based on post-exercise feedback ensures that each subsequent exercise builds on past experiences, fostering a culture of continual growth and preparedness within the organisation.</p>
<h2>How Often Should Tabletop Exercises be Performed?</h2>
<p>Tabletop exercises should be performed at least annually to ensure continuous preparedness and to keep the business continuity plan updated and effective. However, organisations in high-risk industries or those undergoing significant changes may benefit from conducting TTXs more frequently, such as semi-annually or quarterly.</p>
<h2>Conclusion</h2>
<p>There are various methods to exercise the different response plans, each offering unique benefits.</p>
<p>Tabletop exercises involve discussion-based sessions to review roles and responses without physical deployment. Walkthroughs ensure clarity of roles by going through the plan step-by-step with key personnel. Simulations mimic real-life scenarios to test the response plan in a realistic environment, while functional exercises target specific components like IT recovery. Drills focus on repetitive training for tasks such as evacuation, and desk checks validate individual preparedness.</p>
<p>Tabletop exercises are invaluable tools for ensuring business continuity and disaster preparedness. By understanding their benefits, structuring and facilitating them effectively, identifying strengths and weaknesses in your plans, and leveraging post-exercise reports, organisations can enhance their resilience and readiness for any potential disruptions. Regularly conducting these exercises and integrating their findings into your BC planning process will help maintain a robust and effective continuity strategy.</p>
<h2>Can We Help?</h2>
<p>Ready to ensure your organisation is well prepared for any disruption? Let us help you master the art of tabletop exercises and strengthen your business continuity plans.</p>
<p>Our expert team will guide you through every step, from planning and conducting exercises to analysing the results and implementing improvements.</p>
<p><a href="https://inconsult.com.au/contact-us/">Contact us</a> today to schedule a consultation and take the first step towards enhanced emergency preparedness and organisational resilience. Don’t wait for a crisis to test your plan – be proactive and secure your business’s future now.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Building Corporate Resilience: 10 Strategies for Boards</title>
		<link>https://inconsult.com.au/publication/building-corporate-resilience-10-strategies-for-boards/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Mon, 12 Feb 2024 22:23:37 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=11578</guid>

					<description><![CDATA[<p>Achieving resilience has never been more important for the board. The current business environment is characterised by high inflation, low GDP, high interest rates, less access to capital, supply chain disruptions, increases in both the frequency and complexity of cyber attacks and geopolitical instability.  Many boards believe that their companies are generally better prepared to [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/building-corporate-resilience-10-strategies-for-boards/">Building Corporate Resilience: 10 Strategies for Boards</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>Achieving resilience has never been more important for the board. The current business environment is characterised by high inflation, low GDP, high interest rates, less access to capital, supply chain disruptions, increases in both the frequency and complexity of cyber attacks and geopolitical instability.  Many boards believe that their companies are generally better prepared to deal with these events, but feel more exposed to larger-scale forces, major crises, black swans, macroeconomic shocks and climate change transition risks.</p>
<p>Add to this, the likelihood that severe shocks and catastrophic events will become more common, less predictable and unfold quickly through social media. The sources of risk will be wider and consequences more complex.</p>
<p>In this context, building, or in some cases strengthening resilience has become a top priority for companies striving for long-term success.</p>
<p>Shocks are real, not theoretical.  Organisations must be prepared.  The board of directors play a crucial role in steering the organisation through turbulent waters and ensuring the organisation&#8217;s ability to adapt, recover, and thrive.</p>
<p>In this article, we explore 10 essential strategies that boards can employ to build corporate resilience within their company.</p>
<h3>What is resilience?</h3>
<p><em><a href="https://www.iso.org/obp/ui#iso:std:iso:22316:ed-1:v1:en" target="_blank" rel="noopener">ISO 22316:2017</a> Organisational resilience — Principles and attributes,</em> defines organisational resilience as “the ability of an organisation to absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper.”</p>
<p>Resilience in the corporate context refers to an organisation&#8217;s capacity to withstand and recover from adverse situations, adapt to change, and continue its operations effectively. It goes beyond risk management by encompassing a proactive and holistic approach to prepare for unforeseen events.</p>
<p>Resilience means both protecting against the downside of potential shocks and preparing to capture the upside.</p>
<p>Business resilience is crucial to achieve because it enhances the company&#8217;s capacity to protect its reputation, retain stakeholder trust, and capitalise on opportunities, ultimately contributing to sustained growth and success.</p>
<h3>1. Strategic Vision and Adaptive Leadership</h3>
<p>At the core of building resilience is a strategic vision that anticipates and embraces change. Boards should work closely with the executive team to develop and communicate a clear, flexible, and forward-looking strategy.  Adaptive leadership, characterised by the ability to respond effectively to new challenges, is essential.  Boards should foster a culture that values innovation and encourages executives to experiment with new ideas and approaches.</p>
<h3>2. Skilled, Diverse and Inclusive Board</h3>
<p>Collectively, the board must have a broad range of skills and experience. The diverse expertise and knowledge within the board contribute to informed decision-making, strategic planning, and the ability to navigate the complexities of the business environment.</p>
<p>Diversity and inclusivity are not only ethical imperatives but also critical components of a resilient board. A diverse range of perspectives, experiences, and skills can enhance decision-making processes, enabling the board to consider a broader spectrum of risks and opportunities. An inclusive culture fosters open communication and creativity, which are essential elements in navigating uncertain times.</p>
<h3>3. Effective Risk Management</h3>
<p>While risk management is a fundamental element of corporate governance, resilient boards go beyond mere compliance. They actively anticipate, identify and assess risks, considering both internal and external factors. Boards must establish a robust risk management framework that includes regular risk assessments, scenario planning, and stress testing.</p>
<p>The risk register should go beyond identifying risks and controls and include response strategies in the event the risk eventuates. This enables the organisation to anticipate potential challenges and formulate effective response strategies.</p>
<h3>4. Financial Resilience and Flexibility</h3>
<p>A resilient company maintains a strong financial foundation and embraces financial prudence. Boards should work closely with the Chief Financial Officer and financial team to ensure sound fiscal policies, healthy cash reserves, and flexible financial structures.</p>
<p>Having sufficient capital and the flexibility to adapt financial strategies in response to changing market conditions allows the company to weather economic downturns and capitalise on emerging opportunities.</p>
<h3>5. Stakeholder Engagement and Communication</h3>
<p>Effective communication is pivotal in times of uncertainty. Resilient boards prioritise stakeholder engagement and transparent communication. This includes regular and clear communication with shareholders, employees, customers, and other relevant stakeholders. By keeping stakeholders informed and engaged, the board fosters trust and confidence in the company&#8217;s ability to navigate challenges.</p>
<h3>6. Talent Management and Employee Well-being</h3>
<p>A resilient company places a premium on its human capital. Boards should collaborate with the executive team to implement robust talent management strategies, including training and development programs, succession planning, and employee well-being initiatives. A satisfied and motivated workforce is more likely to weather challenges and contribute to the organisation&#8217;s resilience.</p>
<h3>7. Technology and Digital Resilience</h3>
<p>In an era of rapid technological advancement, resilient boards embrace digital transformation as a strategic imperative. This involves leveraging technology to enhance operational efficiency, improve customer experiences, and stay ahead of industry disruptions. Boards should work closely with technology leaders to invest in digital infrastructure, cybersecurity measures, and innovation initiatives that position the company for long-term success.</p>
<h3>8. Supply Chain Resilience</h3>
<p>Globalisation has interconnected supply chains, making them susceptible to disruptions. Resilient boards assess and enhance the resilience of their supply chains by diversifying sources, building strategic partnerships, and implementing robust contingency plans. Understanding and mitigating vulnerabilities in the supply chain contribute to the overall resilience of the organisation.</p>
<h3>9. Adaptation to Regulatory Changes</h3>
<p>The regulatory landscape is constantly evolving, and compliance is a critical aspect of corporate resilience. Boards must stay informed about changes in regulations relevant to their industry and geography. Proactive engagement with regulatory bodies and legal counsel helps ensure that the company is well-prepared to adapt to new requirements and navigate potential compliance challenges.</p>
<h3>10. Continuous Learning and Evaluation</h3>
<p>Building resilience is an ongoing process that requires continuous learning and evaluation.</p>
<p>Resilient boards establish mechanisms for regular evaluations, learning from both successes and setbacks. This may involve post-event reviews, benchmarking against industry best practices, and adapting strategies based on lessons learned.</p>
<h3>The 6 Pillars of Resilience</h3>
<p>In our view, an organisation needs to strengthen these 6 pillars of resilience.</p>
<ol>
<li>Strategic Resilience &#8211; the ability to anticipate, adapt, and respond to changes in the business environment while maintaining a clear and forward-looking strategic vision.</li>
<li>Financial Resilience &#8211; the capacity of a company to endure and recover from financial challenges or economic downturns.</li>
<li>Operational Resilience &#8211; the ability to sustain its essential functions and adapt its operations in the face of disruptions.</li>
<li>Technological Resilience &#8211; the ability of a company to withstand and recover from disruptions related to its technological infrastructure and systems.</li>
<li>Workforce Resilience &#8211; the strength and adaptability of an organisation&#8217;s human capital in response to challenges such as changes in the labour market, organisational restructuring, or unexpected events like pandemics.</li>
<li>Brand Resilience &#8211; the ability to maintain a positive brand image and reputation, especially in the face of adverse events or crises.</li>
</ol>
<p><img class="wp-image-7678 aligncenter" src="https://inconsult.com.au/wp-content/uploads/2021/08/6-pillars-of-resilience.jpg" alt="6 pillars of resilience" width="537" height="436" /></p>
<p>Read our full article <a href="https://inconsult.com.au/publication/seeking-resilience-how-to-become-a-more-resilient-organisation/">Seeking Resilience: How to Become a More Resilient Organisation</a> to find out more about the 6 pillars.</p>
<h3>How we can help you be more resilient</h3>
<p>We are here to help strengthen organisational resilience.  Our resilience capabilities include designing and developing a wide range of response plans to enhance your resilience posture and capabilities.  These response plans include:</p>
<ul>
<li>Business continuity plan</li>
<li>Contingency plan</li>
<li>Pandemic plan</li>
<li>Succession plan</li>
<li>Crisis management plan</li>
<li>Financial recovery plan</li>
<li>IT-Disaster recovery plan</li>
<li>Data breach incident response plan</li>
<li>Emergency management plan</li>
</ul>
<p>Be more resilient to a wide range of shocks and <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a> to discuss any gaps in your resilience framework.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Anatomy of Poor Crisis Management</title>
		<link>https://inconsult.com.au/publication/anatomy-of-poor-crisis-management/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Mon, 14 Nov 2022 19:40:07 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=10707</guid>

					<description><![CDATA[<p>A crisis doesn&#8217;t make an appointment. An event escalating into a crisis can occur at any time.  From the 2020 global pandemic and higher frequency of global natural disasters to the recent Optus and Medibank data breaches impacting millions of people, it is clear that executing a swift and effective response along with an overarching [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/anatomy-of-poor-crisis-management/">Anatomy of Poor Crisis Management</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>A crisis doesn&#8217;t make an appointment. An event escalating into a crisis can occur at any time.  From the 2020 global pandemic and higher frequency of global natural disasters to the recent Optus and Medibank data breaches impacting millions of people, it is clear that executing a swift and effective response along with an overarching crisis management strategy can be very challenging for many public and private sector organisations.  These challenges are well documented:</p>
<ul>
<li>An independent review into Australia’s response to COVID-19 identified five overarching lessons learnt and made six recommendations to be better prepared for the next health crisis.</li>
<li>Various performance audits by the NSW and Victorian audit offices found major gaps in how agencies and councils prepare, update and execute their business continuity plans.</li>
<li><a href="https://www.news.com.au/technology/online/security/it-wasnt-cyber-security-minister-clare-oneil-slaps-down-optuss-claim-that-it-suffered-sophisticated-attack/news-story/0736d362a220e12dfa7b435495b2a017">Optus</a> came under intense media and government scrutiny about several elements of their response to the data breach.</li>
<li><a href="https://www.afr.com/politics/federal/medibank-failed-its-customers-o-neil-20221113-p5bxrz">Medibank</a> did not pay a $15M ransom and sensitive, personal data was published on the dark web.</li>
</ul>
<p>In a more complex and volatile world, organisations need to be well prepared and ready to respond anytime. Crisis management is not an optional extra!</p>
<p>There is a Zen proverb that says: &#8220;It takes a wise person to learn from their mistakes, but an even wiser person to learn from others.&#8221;</p>
<p>There are many case studies of good and poor crisis management.  What are some of the things that can make the difference between good and poor crisis management? The InConsult team take a close look at some of the typical failure points in crisis management to learn from the failures and mistakes of others.</p>
<h2>1. Failure to foresee and address the many possible disruption scenarios</h2>
<p>A risk that has not been identified can be hard or impossible to manage.  Similarly, an unforeseen disruption can be a challenge.</p>
<p>Organisations need to identify the wide range of plausible disruption scenarios they may be exposed to.  Once the various risk scenarios are known, organisations must identify the controls in place that are designed to prevent, detect and correct the risk.</p>
<p>The identification and treatment of the various disruption risks should be evaluated in line with the organisation&#8217;s risk management framework. Formal risk treatment plans should be developed for the control gaps and weaknesses identified.</p>
<h2>2. Failure to plan for a wide range of disruption scenarios</h2>
<p>Having controls that are designed to prevent and detect disruption risks is only part of the solution. Each disruption scenario should have a suitable response plan that addresses all elements of the response from invocation to de-activation of the plan.  The extent of the response plan should be proportionate to the level of risk.  For example:</p>
<ul>
<li>An <strong>Emergency Evacuation Plan</strong> that deals with the safety of people is not only a legal requirement, but critical for larger workplaces e.g. hospitals, hotels.</li>
<li>A <strong>Business Continuity Plan</strong> that deals with maintaining continuity of critical business functions via temporary workarounds is critical for organisations where customer tolerance for outages is very low or zero, e.g. the payroll or front-line customer service functions.</li>
<li>An <strong>IT Disaster Recovery Plan</strong> and <strong>Data Breach Response Plan</strong> that deal with restoring business-critical information and protecting privacy are essential for organisations highly dependent on information systems to transact business, e.g. financial institutions that operate 24/7 and web-based businesses like eBay, PayPal and Airbnb.</li>
<li>A <strong>Financial Contingency Plan</strong> that deals with the various levels of financial stress is critical for financial service organisations such as banks and insurance companies.</li>
<li>A <strong>Local Emergency Management Plan</strong> that identifies the key hazards impacting a community and makes reference to the designated emergency management arrangements and responsibilities ensures emergency services are better prepared.</li>
</ul>
<h2>3. Failure to appoint a capable crisis leader</h2>
<p>Crisis management needs strong leadership and a capable crisis leadership team.  Some organisations assume that the CEO should be the crisis leader, but this may not always be the case.</p>
<p>A good crisis leader should have a number of important personal qualities that include:</p>
<ul>
<li>Responsible enough to take ownership of the situation.</li>
<li>Goal-oriented: able to set short- and long-term goals, assign them and follow them through to completion.</li>
<li>Able to stay calm and handle stress and uncertainty.</li>
<li>A great listener, able to take in and analyse large amounts of information from different perspectives.</li>
<li>A capable facilitator who can draw out issues and possible solutions.</li>
<li>Able to make decisions under pressure, sometimes with little or no information.</li>
<li>An excellent communicator who can articulate the complexities of the situation and the response.</li>
<li>Open-minded, looking at the situation and solutions from multiple perspectives.</li>
</ul>
<p>When pilot Chesley &#8220;Sully&#8221; Sullenberger decided his airplane could not execute an effective emergency landing at a nearby airport after losing power from a bird strike, he demonstrated crisis leadership when he made the courageous decision to land the plane in the Hudson River off Midtown Manhattan. All 155 people on board were rescued by nearby boats, with only a few serious injuries.</p>
<p>Also, the best crisis leaders we have seen have a very deep understanding of their organisation’s business activities, stakeholders, various response plans and the skills and strengths of the other crisis team members.</p>
<h2>4. Failure to conduct a suitable risk analysis and business impact analysis</h2>
<p>Disruption risks can have a different risk profile to other operational risks.  Many disruption risks rate only as a medium-level risk because of their low likelihood rating, often rated as &#8216;rare&#8217;.  But nothing could be further from the truth.</p>
<p>Disruption risks require comprehensive analysis of the impacts, controls, dependencies, inter-dependencies and what-if analysis of possible failure points.  This is achieved through a more comprehensive business impact analysis (BIA). The objective of the BIA is to identify the effects of a disruption to business functions and objectives and to provide strategies to mitigate and minimise the risk to your organisation.</p>
<p>The BIA can also be useful during a disruption.  For example, one client who did not have a pandemic plan at the commencement of the 2020 pandemic, used their comprehensive BIA spreadsheet, developed 12 months earlier, to inform the response. They were able to quickly identify critical processes and overlay a more specific pandemic related risk analysis, effectively saving them weeks in analysis.</p>
<h2>5. Failure to regularly train your team to build confidence and capability</h2>
<p>It can be a challenge to keep plans up to date and cover all possible disruption risks.  To compensate, you will need a highly capable and confident response team.</p>
<p>Building capability starts with regular business continuity awareness training.  The training helps to:</p>
<ul>
<li>Familiarise key people with your business continuity management framework and plan.</li>
<li>Ensure members of the crisis management team/response team understand the organisation&#8217;s recovery procedures.</li>
<li>Ensure key people understand their respective roles to guide the organisation through a major crisis.</li>
</ul>
<p>The training sessions should be regular (every 12-18 months) and more frequent if there is a change in staff or major changes to the plans.  This is what is often covered in the <a href="https://inconsult.com.au/training/business-continuity-awareness-training/" target="_blank" rel="noopener">Business Continuity Awareness Training</a> session.</p>
<h2>6. Failure to update and exercise your plans</h2>
<p>Having conducted the BIA, developed the plan and trained your response team, the next step is to exercise the plan and keep it updated.</p>
<p>Regular exercising of a response plan helps ensure:</p>
<ul>
<li>The plan and actions are appropriate.</li>
<li>Any contact list information is accurate.</li>
<li>The assumptions around recovery options and timeframes are reasonable.</li>
<li>Any gaps in the plan are identified and remediated.</li>
<li>The response team has confidence in their plan.</li>
</ul>
<p>The exercise can range in scope and complexity.  For an inexperienced response team, we recommend starting small with a desktop exercise that is more of a discussion.  As their confidence builds, introduce more complex scenarios, restrict the information provided and use more challenging injects during the exercise.</p>
<h2>7. Failure to conduct an initial impact assessment and start the response early</h2>
<p>Acting quickly in a crisis is critical. A simple, scalable framework for rapid decision-making is a must.</p>
<p>Analysis paralysis is a major risk and can easily result in response delays.  The best leaders quickly process available information, rapidly determine what matters most, and make decisions with conviction.</p>
<p>It is rare that a response plan will contain all the answers you need in a crisis.  Every plan requires an initial assessment of the situation and a regular, ongoing reassessment.</p>
<p>At the commencement of a crisis, information can be limited, so decision making is hard, but necessary.  As more information becomes available, it requires analysis and possible refinements of the response.</p>
<p>The impact assessment should consider people, systems, infrastructure, processes and all internal and external stakeholders.</p>
<h2>8. Failure to identify and consider the needs of all stakeholders impacted</h2>
<p>An organisation will have multiple stakeholders and not all stakeholder interests are aligned.  The response must consider the needs of all stakeholders.</p>
<p>The response plan should typically identify all stakeholders and their interests.  We recommend considering the following:</p>
<ul>
<li>Stakeholder/stakeholder group.</li>
<li>Interests/objectives.</li>
<li>Key message content.</li>
<li>Message delivery.</li>
<li>Frequency of communication.</li>
</ul>
<p>Better practice is to have a communication plan with templates for a range of scenarios for a range of stakeholders.</p>
<h2>9. Failure to communicate quickly and honestly</h2>
<p>We live in a 24-hour news cycle where the sharing of information doesn&#8217;t sleep, which means companies have to act swiftly to manage issues in real time.</p>
<p>Responding too slowly or poorly can have seriously negative reputational and financial impacts. The risks include falling share prices, loss of customers and loss of the all-important social licence to operate.</p>
<p>What is required is a combination of good leadership, quick impact assessment, quick decision making and ready-to-go communication templates and methods.</p>
<p>If you don&#8217;t have all the information, you still need to communicate quickly and honestly by providing some holding statements.</p>
<h2>10. Failure to provide regular updates</h2>
<p>It is often said that the 3 most important things in crisis management are communication, communication and communication. Sure, this is a bit &#8216;tongue-in-cheek&#8217;, but the importance of good, honest and regular communication cannot be emphasised enough.</p>
<p>In an age of social media and a 24-hour news cycle, taking control of the narrative through good communication via media releases and web-based press conferences is critical.</p>
<h2>11. Failure to maintain situation awareness</h2>
<p>Situation awareness during a crisis or disruption is critical. Situational awareness is a concept that has been around in emergency and disaster management for many years.</p>
<p>Situational awareness is about knowing what is going on in the environment. It requires:</p>
<ul>
<li>Understanding what is happening.</li>
<li>Knowing where to get the information from.</li>
<li>Knowing what is relevant and what isn&#8217;t.</li>
<li>Understanding the impacts of the event.</li>
</ul>
<p>Ultimately, situation awareness helps the crisis leader make better decisions about actions. Without it, you could be blindsided.</p>
<h2>12. Failure to use all available resources you have to respond</h2>
<p>During a disruption, the crisis leader needs to evaluate not only what has been impacted by the disruption, but also what has not been impacted.  This allows the crisis team to use its systems and resources that are still operating normally to assist in the response.</p>
<p>The organisation should also look at resources outside the organisation.  For example, in the recent data breach at Optus, Optus made the decision to use the media as the fastest way to inform all its customers of the data breach.</p>
<h2>13. Making assumptions without all the facts and not basing decisions on the best available information</h2>
<p>This failure arises from a combination of poor situation awareness and being inadequately prepared for a disruption.</p>
<p>A risk analysis, a comprehensive BIA, a response plan, regular training and regular exercising are all designed to help you confidently make decisions during a disruption.</p>
<h2>14. Failure to conduct a lessons learned</h2>
<p>Soon after any incident or crisis, it is important to conduct a lessons learned review. Every disruption event and crisis presents an opportunity to improve different elements of the plan and response.</p>
<p>The lessons learned review should be performed as close as possible to the close-out of the event.  It should include all the people who participated in the response as well as representatives from the different stakeholder groups, so everyone feels they have contributed.</p>
<h2>Strengthening your crisis response and management capabilities starts here</h2>
<p>Don’t play the waiting game. Be prepared.</p>
<p>We believe that improving crisis management and resilience should be a strategic goal for the board and the leadership team. Improving crisis management is also important for good governance, good business practice and effective risk management.</p>
<p>We have extensive experience in risk management, business continuity, resilience, cyber risk management, climate risk, crisis management, third party risk assessment, emergency management, disaster management and pandemic planning.</p>
<p>If you would like support in becoming a more resilient organisation and better prepared to respond to a crisis, <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a> to discuss your needs.</p>
The post <a href="https://inconsult.com.au/publication/anatomy-of-poor-crisis-management/">Anatomy of Poor Crisis Management</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>7 Challenges of a CPS 234 Tripartite Review</title>
		<link>https://inconsult.com.au/publication/7-challenges-of-a-cps-234-tripartite-review/</link>
		
		<dc:creator><![CDATA[William Makdessi]]></dc:creator>
		<pubDate>Tue, 30 Aug 2022 06:29:22 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=10286</guid>

<description><![CDATA[<p>In 2021, the Australian Prudential Regulation Authority (APRA) started writing to financial service institutions to instruct them to engage an independent auditor/expert to undertake a one-off, tripartite review of their cyber-security against Prudential Standard CPS 234 Information Security (CPS 234).  In this publication, we explore CPS 234 requirements and offer some advice on how to [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/7-challenges-of-a-cps-234-tripartite-review/">7 Challenges of a CPS 234 Tripartite Review</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
<content:encoded><![CDATA[<p>In 2021, the Australian Prudential Regulation Authority (APRA) started writing to financial service institutions to instruct them to engage an independent auditor/expert to undertake a one-off, tripartite review of their cyber-security against <a href="https://www.apra.gov.au/sites/default/files/cps_234_july_2019_for_public_release.pdf" target="_blank" rel="noopener">Prudential Standard CPS 234 Information Security (CPS 234)</a>.  In this publication, we explore CPS 234 requirements and offer some advice on how to prepare for the tripartite review.</p>
<h2>What is CPS 234?</h2>
<p>CPS 234 is a mandatory information security legal requirement that took effect on July 1, 2019. It requires APRA-regulated financial institutions to strengthen their information security framework in order to protect themselves and their customers from the growing threat of cyber attacks. In addition, when a data breach or other security incident is discovered, businesses must respond in a timely manner and notify APRA.</p>
<h2>Why is cybersecurity so important to APRA?</h2>
<ol>
<li>Financial institutions are some of the most attractive targets for threat actors due to the potential size of financial rewards and value of the personally identifiable information (PII) and protected health information (PHI) on the dark web.</li>
<li>During the 2020-21 financial year, the <a href="https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/acsc-annual-cyber-threat-report-2020-21" target="_blank" rel="noopener">Australian Cyber Security Centre (ACSC) received 13 per cent more cybercrime reports</a> than in the previous year.</li>
<li>Financial institutions are increasingly using third parties to support their critical business activities. According to a survey from the <a href="https://www.ponemon.org/userfiles/filemanager/nvqfztft3qtufvi5gl60/" target="_blank" rel="noopener">Ponemon Institute</a>, 66% of companies surveyed had no idea how many third-party relationships they had or how they were managed, even though 61% of the surveyed companies reported having a breach attributable to a third party. Most of the breaches occurred because third parties had been given too much privileged access to data and systems.</li>
<li>APRA’s initial pilot of CPS 234 tripartite assessment that involved a small sample of banking, insurance and superannuation entities highlighted some concerns and the need for boards to play a more active role in:
<ul>
<li>Reviewing and challenging information reported by management on cyber resilience</li>
<li>Ensuring their entities can recover from high-impact cyber-attacks (e.g. ransomware)</li>
<li>Ensuring information security controls are effective across the supply chain</li>
</ul>
</li>
</ol>
<p>Clearly, APRA has grounds for concern, and the mandating of broader tripartite reviews indicates that it has no appetite to deal with a major data breach or any other cyber security incident.</p>
<h2>What is the CPS 234 Tripartite Review?</h2>
<p>APRA’s power to require financial institutions to undertake a tripartite review comes from <a href="https://www.apra.gov.au/sites/default/files/141120-GPS-310_0_0.pdf" target="_blank" rel="noopener">Prudential Standard GPS 310</a>, Audit and Related Matters.</p>
<p>A tripartite review is an assessment that involves three parties. In this case, the three parties include APRA, the entity being reviewed, and an assurance practitioner (an independent reviewer). The assurance practitioner can be selected by the entity but must be approved by APRA prior to commencing the review. The firm selected to perform the tripartite review should have appropriate skills, capabilities, and experience in conducting ASAE 3150 Assurance engagements and appropriate independence to conduct the CPS 234 assessment.</p>
<p>The tripartite independent cyber security assessments are one part of APRA&#8217;s broader Cyber Security Strategy for 2020 to 2024, which aims to help improve the Australian financial system’s resilience against the ever-growing cyber threat.</p>
<p>For APRA-regulated entities with robust cyber security governance, documentation and practices, the CPS 234 tripartite review should be a relatively straightforward process. The entity will need to provide hundreds of important documents for the auditor to review in order to validate practices against the requirements of CPS 234 and report back to both APRA and the entity. The tripartite review will cover several elements:</p>
<ul>
<li>Roles &amp; Responsibilities</li>
<li>Information Security Capability</li>
<li>Policy Framework</li>
<li>Information Asset Identification &amp; Classification</li>
<li>Implementation of Controls</li>
<li>Testing Control Effectiveness</li>
<li>Incident Management</li>
<li>Internal Audit</li>
<li>APRA Notification</li>
</ul>
<h2>The Likely Challenges</h2>
<p>The size and complexity of the financial institution is little indication of how much work is involved in co-ordinating or performing the tripartite review. All tripartite reviews must be performed to ASAE 3150 requirements, assessed against comprehensive APRA-provided assessment criteria (the CPS 234 checklist), and the assurance report must be in a &#8220;long-form&#8221; format that includes:</p>
<ul>
<li>An executive summary</li>
<li>Details of the tests performed of each control objective</li>
<li>Key strengths and good practices</li>
<li>Exceptions &amp; weaknesses identified and a risk rating in line with the entity&#8217;s risk criteria</li>
<li>Recommendations</li>
<li>Management response, agreed actions and timeframes</li>
</ul>
<p>From our experience, larger institutions will have a significant amount of documentation to provide but smaller institutions (Australian local branches) will require the same level of validation from the overseas parent.</p>
<p>Having conducted CPS 234 reviews, remediated cyber security gaps and aided APRA-regulated entities to prepare for tripartite reviews, we have noticed some trends in the challenges faced by organisations in various industries. If you have received or expect to receive an engagement letter from APRA, consider these 7 challenges to gear up for a positive outcome:</p>
<h4>1. Documented Processes</h4>
<p>While many organisations have an Information or Cyber Security Framework in place, the documentation of processes is a common gap. A policy is supported by a standard and a standard is supported by a procedure… or at least it should be.</p>
<p>Typically, the response procedures are not well documented. Common shortfalls include how to restore a backup, how to rebuild a server, how to transfer to a failover data centre, how to report fraud, how to escalate and properly report to APRA… the list is extensive.</p>
<p>The auditor will be looking for &#8216;hard&#8217; evidence. Soft controls are good, but documented controls such as plans, test results and status reports are better.</p>
<h4>2. Information Asset Identification and Classification</h4>
<p>Information asset identification and classification was a first for many APRA-regulated entities once CPS 234 was introduced.</p>
<p>Traditionally, asset registers were kept by the IT department to manage physical assets in an environment where everything was hosted onsite locally. Under CPS 234, information assets are not just physical and require more than just identification and classification. To even classify an information asset, we need to understand what the definition of materiality is. Even then, there are multiple definitions of materiality in a single organisation depending on the context.</p>
<p>Clearly define materiality from an Information Technology perspective and build an Information Asset framework around that. As a starting point, ensure all assets are covered and include a description of the asset, the asset owner, the asset host, criticality of the data, sensitivity of the data, lifecycle of the asset and a risk rating aligned with the Risk Management Framework.</p>
<h4>3. Processes based on Information Asset</h4>
<p>We commonly see IT infrastructure that is built upon the knowledge and experience of senior IT architects. No complaint here; many are well designed and function beautifully, but there is no evident risk assessment behind the configurations. Criticality and sensitivity of assets should be used as a guide to configure traffic policies, interface setups, user access management and group policies.</p>
<p>The reasoning behind this is that the risk assessment of an information asset can be linked back to the risk consequences table of the organisation, making the risk quantifiable or measurable. This helps to not only respond to incidents but also better manage risk-taking. Organisations need to take some level of risk to grow. As a basic example, if all data was treated as overly sensitive, there would be hesitance to outsource hosting to a vendor to expand operations to a secondary office.</p>
<h4>4. Third Party Information Security Capability</h4>
<p>A term used commonly by APRA is “Information Security capability”. This term not only refers to the entity being reviewed, it also includes all vendors or third parties that are material or critical to the operation of the organisation. While third party assessment has been a hot topic in Australia in the last 12 months, the level of detail we are seeing in assessments is not sufficient. Performing the typical annual assessment and adding on “have you got a Business Continuity Plan (BCP) or Cyber Incident Response Plan” is simply not enough. This does not paint the picture of the capability of the vendor and does not provide adequate assurance of continuity.</p>
<p>Additionally, there needs to be detailed and documented contingency plans for each vendor should their recovery processes fail. Vendors or third parties should be assessed to the same standard as your own organisation for you are only as strong as your weakest link. Outsourcing assets does not outsource responsibility or risk.</p>
<h4>5. Evolving Position Descriptions</h4>
<p>With the hybrid workforce being the new normal, flexibility is not only evident in working environments. The position description of a role is leaning more towards dynamic responsibilities and many Chief Information Officers (CIOs) we have spoken to agree. The issue with dynamic roles is occasionally they are not reflected in a formal document or the official position description of the individual.</p>
<p>As an example, we have seen cryptography custodians assigned responsibility without it being officially documented. One of the greatest risks to a comprehensive cryptographic framework is malicious intent or abuse by a privileged custodian. Critical responsibilities should be documented so that appropriate vetting can be governed and individuals are appropriately assigned the responsibility. If documenting these responsibilities against a specific role is too difficult or time consuming, consider documenting them at a team level.</p>
<h4>6. Frequency and Scope of Testing</h4>
<p>Annual testing of all critical systems can be an arduous task, and the unfortunate lack of certified Information Technology (IT) resources currently hitting the industry does not help. Whether it is a budget or resource issue, we are seeing infrequent testing and/or the exclusion of critical systems from annual testing. Tests should not only include exercises and tabletop drills; they should also include the recovery testing of backups and failover solutions.</p>
<p>There is also nothing wrong with planning a full scope test of critical systems as part of a multi-year program due to resource limitations, as long as it is clearly documented. Multi-year roadmaps show a commitment to better practice and can be altered as higher risk or higher priority assets are acquired or created.</p>
<h4>7. Evidence Methodology</h4>
<p>IT teams understand the need for testing, and evidence is well documented in the form of screenshots, results and reports for escalation to the leadership team. What is lacking in the evidence we see is the methodology that the testing is based on. Why was this system selected, what is the likelihood and consequence of an outage of such a system, why was it tested in this manner and what were staff hoping to achieve? Be sure to include a test rationale, processes executed, review of results, and evidence of review of the testing program in light of such results.</p>
<p>Continual improvement also seems to be a low priority. Testing and gathering forensic evidence should not be a tick-box activity, it should aim to improve systems, procedures and the testing program itself. Should you ever be faced with a real-world incident, you will be thankful for it.</p>
<h2>Cost vs Benefit of CPS 234 Review</h2>
<p>The CPS 234 Information Security Tripartite Review has a number of limitations.</p>
<p>Firstly, whilst the review is mandated by APRA, the cost is borne by the entity. With a shortage of cyber risk experts, coupled with the &#8216;great resignation&#8217; phenomenon and the level of detail required by APRA, it is not going to be cheap. To help reduce costs, we suggest:</p>
<ul>
<li>first performing a self-assessment</li>
<li>allowing some time to remediate &#8216;quick win&#8217; shortfalls</li>
<li>performing a series of workshops to gather information from multiple sources</li>
<li>considering the comprehensive list of documents required during a review</li>
</ul>
<p>Also, many elements of the review are only good at a point in time. Within 6 months after the tripartite review, the cyber risk environment will change.</p>
<h2>Review Benefits</h2>
<p>The CPS 234 Information Security Tripartite Review is a great initiative that we strongly believe will improve the maturity of financial services in Australia. APRA has based the review on three focal areas, hoping to achieve:</p>
<ul>
<li>The establishment of a baseline of cyber controls</li>
<li>Enabling boards and executives of financial institutions to oversee and direct correction of cyber exposures</li>
<li>Rectifying weak links within the broader financial eco-system and supply chain</li>
</ul>
<p>By aiming to improve an entire industry by acknowledging it is a shared effort, APRA is hoping to minimise the cascading effects of a cyber incident on an entire system or industry. By including all APRA-regulated entities in the scope, there is no way around it and the end-result should positively impact the financial sector in Australia.</p>
<h2>Can We Help?</h2>
<p>The InConsult team has a deep understanding of insurance and the APRA prudential standards including CPS 234 and the requirements of the tripartite review. Since the implementation of the revised APRA Prudential Framework in 2001, we have helped APRA-regulated clients navigate through the myriad of regulatory compliance requirements. Our cyber security experience includes:</p>
<ul>
<li>Independent CPS 234 reviews</li>
<li>Preparing for CPS 234 tripartite reviews</li>
<li>Remediating gaps in all elements of cyber security, including third parties</li>
<li>Comprehensive independent reviews of the ICAAP, risk management and reinsurance framework</li>
</ul>
<p>If you have been approached by APRA to take part in a tripartite review or are anticipating a review, <a href="https://inconsult.com.au/contact-us/">contact us</a> to discuss your needs.</p>
The post <a href="https://inconsult.com.au/publication/7-challenges-of-a-cps-234-tripartite-review/">7 Challenges of a CPS 234 Tripartite Review</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Strengthening Resilience and Crisis Preparedness</title>
		<link>https://inconsult.com.au/publication/strengthening-resilience-and-crisis-preparedness/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Thu, 02 Dec 2021 09:17:58 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=8821</guid>

					<description><![CDATA[<p>Recently, the Australian Prudential Regulation Authority (APRA) updated its policy priorities for Q4 2021 that included deferring consultation and planned commencement for some changes in order to focus on the completion of key reforms designed to strengthen financial resilience.  This change in priority is a welcome change given the increasing impact of the global pandemic [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/strengthening-resilience-and-crisis-preparedness/">Strengthening Resilience and Crisis Preparedness</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>Recently, the Australian Prudential Regulation Authority (APRA) updated its policy priorities for Q4 2021 that included deferring consultation and planned commencement for some changes in order to focus on the completion of key reforms designed to strengthen financial resilience.  This change in priority is a welcome change given the increasing impact of the global pandemic and climate change on financial institutions.</p>
<h3>APRA's focus on resilience is not new</h3>
<p>There are already many prudential standards and guidelines that address different elements of operational resilience and financial resilience.  They include:</p>
<ul>
<li>CPG 110 Internal Capital Adequacy Assessment Process and Supervisory Review</li>
<li>CPS 232 Business Continuity Management</li>
<li>CPS 234 Information Security</li>
<li>CPG 233 Pandemic Planning</li>
<li>CPG 229 Climate Change Financial Risks</li>
<li>CPS 231 Outsourcing</li>
</ul>
<p>In recent years, APRA has also worked directly with major banks and general, life and health insurers to ensure they develop Recovery Plans (despite not having a formal standard). APRA has provided some good guidance in the <a href="https://www.apra.gov.au/sites/default/files/2021-12/Discussion%20Paper%20-%20Strengthening%20crisis%20preparedness.pdf" target="_blank" rel="noopener">Discussion Paper – Strengthen Crisis Preparedness</a>.</p>
<p>APRA has now begun consulting on 2 new proposed prudential standards to help strengthen the preparedness of financial institutions to respond to future financial crises.</p>
<ul>
<li><a href="https://www.apra.gov.au/sites/default/files/2021-12/Draft%20Prudential%20Standard%20CPS%20190%20Financial%20Contingency%20Planning.pdf" target="_blank" rel="noopener">CPS 190 Financial Contingency Planning PDF</a></li>
<li><a href="https://www.apra.gov.au/sites/default/files/2021-12/Draft%20Prudential%20Standard%20CPS%20900%20Resolution%20Planning.pdf" target="_blank" rel="noopener">CPS 900 Resolution Planning PDF</a></li>
</ul>
<p>The two proposed standards are aimed at ensuring entities are prepared to deal with threats to their financial viability, thereby reducing the negative consequences resulting from failure. Remember, APRA has zero appetite for a disorderly failure of a financial entity that could have a significant impact on financial system stability and the broader economy. APRA and the federal government have no appetite to use taxpayer funds to stabilise the financial system, as doing so creates a moral hazard and puts pressure on federal government finances.</p>
<h3>CPS 190 Financial Contingency Planning</h3>
<p>CPS 190 Financial Contingency Planning (CPS 190) seeks to minimise the risk of entity failure by ensuring all APRA-regulated entities have plans for responding to severe financial stress.  CPS 190 will require all APRA-regulated entities to:</p>
<ul>
<li>Develop and maintain credible financial contingency plans for managing stress that may threaten their financial viability; this includes plans for rebuilding financial resilience or effecting an orderly exit. These plans would set out actions they would take in stress to restore financial resilience or exit the industry safely, while protecting depositors, insurance policyholders and superannuation fund members.</li>
<li>Monitor indicators of potential stress and be ready to trigger activation of the contingency plan or the specific actions within it.</li>
<li>Be able to effect an orderly exit from the industry if recovery actions are not effective. This is achieved through a credible plan, appropriate governance arrangements, maintaining sufficient resources to support the implementation of recovery and exit, and periodic review and testing.</li>
</ul>
<p>The proposed CPS 190 will apply to an entity whilst it is still a going concern to reduce the likelihood of entity failure.</p>
<p>CPS 190 will also apply to smaller entities, but they will be subject to less onerous requirements, in line with their size, complexity and business models. Entities determined to be significant financial institutions (SFIs) would be subject to higher requirements. APRA has defined the thresholds for significant financial institutions subject to higher requirements as follows:</p>
<table width="472">
<tbody>
<tr>
<td width="373">
<h4><strong>Industry</strong></h4>
</td>
<td style="text-align: center;" width="99">
<h4><strong>Assets</strong></h4>
</td>
</tr>
<tr>
<td>Authorised deposit-taking institutions</td>
<td style="text-align: center;"> &gt;$20 billion</td>
</tr>
<tr>
<td>General and life insurers</td>
<td style="text-align: center;">&gt;$10 billion</td>
</tr>
<tr>
<td>Private health insurers</td>
<td style="text-align: center;">&gt;$3 billion</td>
</tr>
<tr>
<td>Combined total assets of RSEs within the RSE licensee</td>
<td style="text-align: center;">&gt;$30 billion</td>
</tr>
</tbody>
</table>
<p style="text-align: center;"><em>Source: APRA</em></p>
<h3>CPS 900 Resolution Planning</h3>
<p>CPS 900 Resolution Planning (CPS 900) aims to minimise the impact of entity failure.  CPS 900 would require large or complex APRA-regulated entities to take pre-emptive actions so that, in the event of their failure, APRA can resolve them with limited adverse impacts on the community and the financial system.</p>
<p>Key requirements of CPS 900 will include:</p>
<ul>
<li>Conduct a resolvability assessment to identify any barriers to resolution. The resolvability assessment will typically assess any legal, structural, operational or regulatory barriers to implementation, the timelines for implementation and any execution risks in carrying out the options effectively.</li>
<li>Develop and implement a pre-positioning plan to remove any barriers to resolution. The Board must provide oversight of and approve the resolvability assessment and the pre-positioning plan.</li>
<li>Maintain capabilities to support APRA in effecting a resolution so that critical financial services can continue to be provided with minimal disruption. This may include the identification of all material business activities of the entity, and an assessment of whether any of these activities are critical functions based on their systemic impact, customer impact and the substitutability by other providers if they were to cease.</li>
<li>Review and update the resolvability assessment at least every three years.</li>
</ul>
<p>CPS 900 will only apply to an entity as a gone concern (after failure) to minimise the adverse impact of the entity failure.</p>
<p>As CPS 900 would only apply to large or complex APRA-regulated entities, APRA has sought to minimise any adverse impacts on smaller and/or less complex entities such as Australian branches of larger international financial entities.</p>
<h3>Planned implementation</h3>
<p>There will be a 5-month consultation period on CPS 190 and CPS 900. The consultation closes on 29 April 2022.</p>
<p>Following the initial consultation period, APRA will also consult on the supporting guidance material in 2022.</p>
<p>For banking and insurance entities, APRA proposes that the new prudential standards would come into force from 1 January 2024.</p>
<h3>How we can help you on your resilience and crisis preparedness journey</h3>
<p>InConsult previously published <a href="https://inconsult.com.au/publication/the-recovery-plan-guideline-for-insurers/">The Recovery Plan – A Guideline for Insurers</a>, which explained regulatory expectations and how the plan was intended to integrate and align with the ICAAP, Business Continuity Plan and other aspects of the risk management framework. It is pleasing to see that APRA has now relabelled the Recovery Plan as the Financial Contingency Plan to avoid confusion with a type of Business Continuity Plan.</p>
<p>Aspects of CPS 190 will apply to <strong>all</strong> financial institutions. In order to support preparation for CPS 190, all insurers <strong>should</strong>, as part of their annual review of their ICAAP Summary Statement, consider conducting a benchmarking exercise against <a href="https://www.legislation.gov.au/Details/F2019L00869">GPS 110 Capital Adequacy</a> and <a href="https://www.apra.gov.au/sites/default/files/2019-06/CPG%20110%20ICAAP%20and%20Supervisory%20Review%20March%202013.pdf">CPG 110 ICAAP and Supervisory Review</a>. Remember, the ICAAP Summary Statement is intended to be a high-level document that summarises processes; therefore, documentation of the detailed processes (business planning, capital monitoring and reporting, and recovery actions) is important to ensure they are conducted in a timely, consistent manner.</p>
<p>We are here to help strengthen crisis preparedness and resilience.  Our resilience support capabilities include:</p>
<ul>
<li>Helping you prepare a contingency plan (recovery plan) that is appropriate to your business environment and risk profile based on the APRA guidelines, CPS 190 and better practice guidelines.</li>
<li>Helping you remediate any concerns or gaps identified by the regulator.</li>
<li>Performing a comprehensive review of the ICAAP and the various response plans, including the BCP, IT disaster recovery plan, incident response plan, contingency plan, recovery plan and pandemic plan, to ensure they are in line with the APRA standards, guidelines and better practice.</li>
<li>Conducting operational testing of the various response plans to identify opportunities for improvement.</li>
</ul>
<p>Be more resilient to a crisis and financial stress and <a style="font-size: 16px; background-color: #ffffff;" href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a><span style="font-size: 16px;"> to discuss your risk and resilience needs.</span></p>
The post <a href="https://inconsult.com.au/publication/strengthening-resilience-and-crisis-preparedness/">Strengthening Resilience and Crisis Preparedness</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Seeking Resilience: How to Become a More Resilient Organisation</title>
		<link>https://inconsult.com.au/publication/seeking-resilience-how-to-become-a-more-resilient-organisation/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Thu, 05 Aug 2021 06:31:34 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=7661</guid>

					<description><![CDATA[<p>Our world is undergoing unprecedented and unpredictable change, very quickly. If you are not aiming for resilience, it can be game over! Severe shocks and catastrophic events will become more common, less predictable and unfold quickly. The sources of risk will be wider and cover climate change, cyber threats, technological revolutions, economic shocks and geopolitical [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/seeking-resilience-how-to-become-a-more-resilient-organisation/">Seeking Resilience: How to Become a More Resilient Organisation</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>Our world is undergoing unprecedented and unpredictable change, very quickly. If you are not aiming for resilience, it can be game over!</p>
<p>Severe shocks and catastrophic events will become more common, less predictable and unfold quickly. The sources of risk will be wider and cover climate change, cyber threats, technological revolutions, economic shocks and geopolitical instability.</p>
<p>Strengthening organisational resilience to prepare for a wider range of eventualities has never been more important. Understanding your risks and vulnerabilities is a crucial step in building a resilient organisation so that you can plan to continue in business. Unfortunately, many organisations have remained relentlessly focused on short and medium-term risks.</p>
<p>We believe that improving resilience should be a strategic goal for the board and the leadership team. Improving resilience is also important for good governance, good business practice and effective risk management.</p>
<h3>What is resilience?</h3>
<p><a href="https://www.iso.org/obp/ui#iso:std:iso:22316:ed-1:v1:en" target="_blank" rel="noopener">ISO 22316:2017</a> Organisational resilience — Principles and attributes, defines organisational resilience as “the ability of an organisation to absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper.”</p>
<p>A great definition, but it is missing the word &#8216;anticipate&#8217; in relation to the changing environment &#8211; although anticipate is included in the standard.</p>
<p>ITIL 4, on the other hand, defines resilience as &#8220;the ability of an organisation to anticipate, prepare for, respond to, and adapt to both incremental changes and sudden disruptions from an external perspective.&#8221; Again, a good definition, but what about disruptions from an internal perspective?</p>
<p>Let's not get too hung up on definitions. A broader, hybrid definition or theme of organisational resilience is &#8220;the ability to anticipate, plan, withstand, survive and thrive in the face of anticipated and unanticipated shocks that are internal and external to the organisation.&#8221; Why?</p>
<ul>
<li>&#8216;anticipate, plan, withstand, survive and thrive&#8217; are actions the organisation can consciously take. By anticipating shocks you are ready to respond whether they are incremental or sudden.</li>
<li>shocks can be anticipated (like Donald Rumsfeld&#8217;s known unknowns), unanticipated or improbable (like Nassim Nicholas Taleb&#8217;s <a href="https://www.goodreads.com/book/show/242472.The_Black_Swan">black swan</a> events)</li>
<li>shocks can be internal (like the Enron scandal) or external (like the COVID-19 pandemic) to the organisation.</li>
</ul>
<p>Shocks are real, not theoretical.  Organisations must be prepared.</p>
<h3>The 6 pillars of resilience</h3>
<p>Remember, anticipating and understanding the wide range of risk events and sources is a critical first step to building a resilient organisation. Implementing a range of preventative and detective controls (plans, policies, procedures, actions etc.) helps to address the risks. The response plans are often &#8216;corrective&#8217; controls designed to restore and improve an organisation's position after a disruption or shock.</p>
<p>To achieve resilience, the traditional Business Continuity Plan (BCP) can be helpful, but it may not be enough. In our view, an organisation needs to strengthen these 6 pillars of resilience.</p>
<p><img decoding="async" class="alignnone size-full wp-image-7678 aligncenter" src="https://inconsult.com.au/wp-content/uploads/2021/08/6-pillars-of-resilience.jpg" alt="6 pillars of resilience" width="871" height="709" srcset="https://inconsult.com.au/wp-content/uploads/2021/08/6-pillars-of-resilience.jpg 871w, https://inconsult.com.au/wp-content/uploads/2021/08/6-pillars-of-resilience-300x244.jpg 300w, https://inconsult.com.au/wp-content/uploads/2021/08/6-pillars-of-resilience-768x625.jpg 768w" sizes="(max-width: 871px) 100vw, 871px" /></p>
<p><strong>Financial Resilience</strong></p>
<p>If cash is king, then working capital is a God! Resilient organisations maintain a strong capital position and adequate liquidity to withstand abrupt decreases in revenue, higher costs, or credit difficulties. They undertake financial modelling, what-if analysis and scenario testing exploring a range of financial eventualities. Regular monitoring of the financial position and financial ratios allows the organisation to identify early warning signs of most financial shocks.</p>
<p>Without financial resilience, operational resilience and technological resilience cannot be maintained.</p>
<p>The key response plan to a sudden financial shock is the Financial <a href="https://inconsult.com.au/publication/the-recovery-plan-guideline-for-insurers/">Recovery Plan</a> which should identify a range of recovery options.</p>
<p><strong>Operational Resilience </strong></p>
<p>Resilient organisations retain robust production/service delivery capacity that can meet fluctuations in demand and scale up and down, not just react to disruption. They set and meet minimum quality standards and minimise interruptions from failures of individual suppliers or distributors, from natural catastrophes and climate change to geopolitical events. They can run lean using just-in-time principles, but also build redundancies and diversify within their supply chain. They have effective insurance programs&#8230;just in case.</p>
<p>The two response plans here are the Business Continuity Plan and the Contingency Plan for third parties, outsourced arrangements and key vendors.</p>
<p>Depending on the organisation, nature of its activities and range of stakeholders, Emergency Management Planning for a range of hazards is also important.</p>
<p><strong>Technological Resilience</strong></p>
<p>From listed companies to the local pizzeria, information technology (IT) is at the heart of any successful business. Resilient organisations invest in robust, secure, and adaptable information and communication infrastructure. They are security conscious. They have several redundancies. They are <a href="https://inconsult.com.au/publication/achieving-cyber-resilience/">cyber resilient</a> and well prepared to handle cyber risks and avoid technological and communication breakdowns. It's also about changing, adapting and aligning technology to customer demand and user service delivery preferences.</p>
<p>The response to a technology failure includes the IT Disaster Recovery Plan and Data Breach Incident Response Plan.  The IT Strategy Roadmap on the other hand will ensure alignment of technology to the strategy, business needs and user requirements.</p>
<p><strong>Workforce Resilience</strong></p>
<p>Talented people are an organisation's most valuable asset. Resilient organisations employ the best talent they can afford, develop talent equitably, and upskill or reskill personnel quickly. They have a flexible, empowered and highly engaged workforce and maintain sound succession plans throughout the business. Strategy, vision, mission, culture and desired actions reinforce each other. Delegations, policies and procedures support business processes, but allow for fast and agile decision making when needed.</p>
<p>The key response plans to a sudden shock in workforce safety and capability include the Emergency Evacuation Plan, the Succession Plan and the Pandemic Plan.</p>
<p><strong>Strategic Resilience</strong></p>
<p>More resilient organisations have a robust yet agile business model. They seek innovation, embrace change and promote entrepreneurship. Their business model can respond to substantial changes in consumer demand, the competitive environment, technology advancements, and the regulatory landscape. Organisational resilience is integrated into strategic planning and considered in risk-aware decision-making to take maximum advantage of unexpected upside or adapt to negative changes. They use what-if analysis and rationalise the &#8216;why&#8217; behind what they do. They consider various options under different assumptions, and reviewing and challenging the strategy is a critical part of the planning.</p>
<p>They use a range of strategic management tools such as the <a href="https://www.mindtools.com/pages/article/newTMC_05.htm">SWOT analysis</a>, <a href="https://www.mindtools.com/pages/article/newTMC_08.htm">Porter's 5 forces</a> and the <a href="https://www.business-to-you.com/scanning-the-environment-pestel-analysis/">PESTEL model</a> to inform their strategic planning. They understand the value of taking risk and the potential consequences if strategic risks are not managed well.</p>
<p>There is no single response plan here, but the Strategic Plan is the main playbook. But the plan needs to be nimble and agile, outline specific activities, and include regular evaluation of key performance indicators and monitoring of internal actions and the external environment. The Strategic Plan can also be complemented by a range of other plans, management projects and actions, e.g. the Business Plan and Marketing Plan.</p>
<p>A failure in other pillars such as financial resilience, operational resilience or technological resilience will require a revision of the Strategic Plan and effective implementation of the appropriate response plan to minimise the shock.</p>
<p><strong>Brand Resilience</strong></p>
<p>Brand resilient organisations keep their brand promise via their actions and words. They recognise the value of their reputation. They are open and transparent.  They understand, listen to and communicate with their stakeholders.  They anticipate and address societal expectations such as diversity and inclusion, social responsibility and respond to criticism in a timely and responsible manner that is in line with their brand promise.</p>
<p>The most important response plan to a sudden brand or reputational shock is the Crisis Management Plan.  Also important during crisis management and in all the responses to any shock is an effective Communication Plan.</p>
<p>All response plans should also include a &#8216;lessons learned&#8217; action to allow the organisation to strengthen controls, enhance resilience and improve a future response.</p>
<p>Our 6 pillars should be a guide for most organisations.  The elements may change depending on the individual organisation.</p>
<p>What is your organisation missing?  Where are the resilience gaps?</p>
<h3>Putting resilience into practice</h3>
<p>In order to take your resilience framework from theory to practice, a number of activities outlined in ISO 22316:2017 are necessary.</p>
<ol>
<li>Articulate a shared vision and clarity of purpose &#8211; This provides strategic direction, coherence and clarity in all decision-making.</li>
<li>Understand the organisation’s internal and external environments &#8211; This helps the organisation make more effective strategic decisions about the priorities for resilience, and think beyond current activities, strategy, and organisational boundaries.</li>
<li>Leadership &#8211; Organisational resilience is enhanced by strong leadership that develops and encourages others to lead under a range of conditions and circumstances, including during periods of uncertainty and disruption.</li>
<li>Supportive culture &#8211; Creating a culture that is supportive of organisational resilience demonstrates a commitment to, and existence of, shared beliefs and values, positive attitudes and behaviour.</li>
<li>Shared information and knowledge &#8211; Organisational resilience is enhanced when knowledge is widely shared where appropriate and applied. Learning from experience and learning from each other is encouraged.</li>
<li>Availability of resources &#8211;  Develop and allocate resources, such as people, premises, technology, finance and information, to anticipate and address vulnerabilities that support the 6 pillars of resilience (see above).</li>
<li>Management discipline &#8211; All management disciplines are coordinated so that they individually and collectively contribute to the organisation’s purpose and the protection of what it values.</li>
<li>Continual improvement &#8211; Resilience is improved when organisations continually monitor their performance against pre-determined criteria to learn and improve from experience and take advantage of opportunities. Organisations create and encourage a culture of continual improvement across all areas.</li>
<li>Continually anticipate and manage change &#8211; Resilience is enhanced when an organisation has the ability to anticipate, plan for, and respond to change.</li>
</ol>
<h3>It&#8217;s not too late</h3>
<p>If your organisation fell a little short in resilience during the COVID-19 pandemic, it&#8217;s not too late. Crises should be catalysts for transformation and can create a unique opportunity to rethink resilience. So, what can you do?</p>
<p><strong>Look for opportunities</strong></p>
<p>As the saying goes &#8211; &#8216;never waste a good crisis&#8217;. Strive to gain an edge amid adversity by skilfully responding to new circumstances. Crises may also be the most effective pretext for hastening long-term revolutionary change.</p>
<p><strong>Look ahead</strong></p>
<p>A crisis may look tactical and operational in the near term, but in the long run, new business requirements and opportunities from failed competitors may arise.</p>
<p><strong>Increase collaboration</strong></p>
<p>Collaboration among employees, consumers, suppliers and other stakeholders is critical. Resilience requires an understanding of these inter-dependencies and of how the connections between the various components within the organisation and its environment alter under stress.</p>
<p><strong>Promote diversity of thought</strong></p>
<p>Resilience is dependent on the ability to develop alternate responses to events, which is dependent on the ability to perceive things with new eyes. Resilient companies encourage cognitive variety and recognise the importance of different perspectives from different people.</p>
<p><strong>Embrace change</strong></p>
<p>Change is good. Resilience is more about creating organisations and supporting systems that are built on constant change and experimentation than it is about making occasional adjustments in extreme circumstances. This is done partly to avoid rigidity and partly because iterative incremental adjustment is far less risky than a massive one-time adjustment.</p>
<h3>How we can help you be more resilient</h3>
<p>We are here to help strengthen organisational resilience.  Our resilience capabilities include designing and developing a wide range of response plans to enhance your resilience posture and capabilities.  These response plans include:</p>
<ul>
<li>Business continuity plan</li>
<li>Contingency plan</li>
<li>Pandemic plan</li>
<li>Succession plan</li>
<li>Crisis management plan</li>
<li>Financial recovery plan</li>
<li>IT-Disaster recovery plan</li>
<li>Data breach incident response plan</li>
<li>Emergency management plan</li>
</ul>
<p>Be more resilient to a wide range of shocks and <a style="font-size: 16px; background-color: #ffffff;" href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a><span style="font-size: 16px;"> to discuss any gaps in your resilience framework.</span></p>
The post <a href="https://inconsult.com.au/publication/seeking-resilience-how-to-become-a-more-resilient-organisation/">Seeking Resilience: How to Become a More Resilient Organisation</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The Recovery Plan &#8211; A Guideline for Insurers</title>
		<link>https://inconsult.com.au/publication/the-recovery-plan-guideline-for-insurers/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Wed, 14 Jul 2021 05:49:26 +0000</pubDate>
				<guid isPermaLink="false">https://ac861nz9.dreamwp.com/?post_type=publication&#038;p=7486</guid>

					<description><![CDATA[<p>In 2017, almost 10 years after the start of the Global Financial Crisis (GFC), the Basel Committee and the European Systemic Risk Board (ESRB) issued a report that called on the European Commission to introduce a harmonised legislative recovery and resolution framework for insurers and reinsurers.  In 2018, the International Association of Insurance Supervisors (IAIS) [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/the-recovery-plan-guideline-for-insurers/">The Recovery Plan – A Guideline for Insurers</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
<content:encoded><![CDATA[<p>In 2017, almost 10 years after the start of the Global Financial Crisis (GFC), the Basel Committee and the European Systemic Risk Board (ESRB) issued a report that called on the European Commission to introduce a harmonised legislative recovery and resolution framework for insurers and reinsurers. In 2018, the International Association of Insurance Supervisors (IAIS) published the ‘Draft Application Paper on Recovery Planning’, which provided guidance on the key elements of a recovery plan for responding to financial distress.</p>
<p>Recovery planning is now being incorporated into the Australian Prudential Regulation Authority’s (APRA) supervisory approach for regulated institutions. In order to prepare a credible recovery plan, an insurer will need to do a lot of analysis, workshops, communication, framework alignment and both strategic and tactical thinking. Let's tackle some important questions:</p>
<ul>
<li>What are the objectives of the recovery plan?</li>
<li>What should the recovery plan include?</li>
<li>Where does it fit into the resilience spectrum?</li>
<li>How will regulators evaluate the quality of the recovery plan?</li>
</ul>
<h3>Regulators have no appetite for failures</h3>
<p>Since the <a href="https://www.aph.gov.au/About_Parliament/Parliamentary_Departments/Parliamentary_Library/Publications_Archive/archive/hihinsurance" target="_blank" rel="noopener">collapse of HIH Insurance</a> in 2001, APRA has been one of the world&#8217;s most proactive and forward-looking financial regulators. APRA&#8217;s vision is &#8220;to deliver a sound and resilient financial system, founded on excellence in prudential supervision&#8221;.</p>
<p>Many have said that APRA&#8217;s prudential standards and proactive regulatory approach helped minimise the impact of the GFC on the Australian economy from mid 2007 to early 2009 when, around the world, millions of people lost their jobs as the largest and most sophisticated and advanced economies experienced their deepest recessions since the Great Depression of the 1930s.</p>
<p>To help achieve its vision, each year APRA reveals its policy and supervision priorities or key actions. For 2021 and 2022, APRA will continue to develop policies to strengthen an institution&#8217;s resilience and preparedness for managing through periods of stress, including recovery and resolution planning, operational resilience, stress testing and climate-related financial risks.</p>
<p>For APRA, the resilience and recovery planning journey started back in 2018/2019, when APRA required all health insurers to develop a recovery plan. Also on the agenda is the development of a new prudential standard on resolution and recovery planning, taking into account the results of a thematic review with a group of large and medium-sized general insurers and life insurers and lessons learnt from the COVID-19 pandemic.</p>
<h3>The financial stress continuum</h3>
<p>Organisations should understand the relationships between financial viability, early warning indicators, recovery triggers, the respective plans invoked, and the actions taken by the regulator.  This relationship is illustrated in figure 1 below as a guide &#8211; note the sample triggers are examples only.</p>
<p><img loading="lazy" decoding="async" class="wp-image-7637 aligncenter" src="https://inconsult.com.au/wp-content/uploads/2021/07/Recovery-plan-financial-stress-continuum.jpg" alt="recovery plan" width="963" height="543" srcset="https://inconsult.com.au/wp-content/uploads/2021/07/Recovery-plan-financial-stress-continuum.jpg 1300w, https://inconsult.com.au/wp-content/uploads/2021/07/Recovery-plan-financial-stress-continuum-300x169.jpg 300w, https://inconsult.com.au/wp-content/uploads/2021/07/Recovery-plan-financial-stress-continuum-1224x690.jpg 1224w, https://inconsult.com.au/wp-content/uploads/2021/07/Recovery-plan-financial-stress-continuum-768x433.jpg 768w" sizes="(max-width: 963px) 100vw, 963px" /></p>
<p>Clearly, organisations should operate in the viable stage which is business as usual.  In this stage, the risk of failure is low, all triggers are within risk appetite and the normal target range.</p>
<p>As adverse events occur, organisations may move into the early stress stage or extreme stress range where the early triggers and warnings are outside risk appetite or the target operating range.  In this environment, a range of plans will come into play including the recovery plan.  Regulator monitoring is now more intensive.</p>
<p>Where recovery is not possible, the resolution plan is activated by the regulator. At this point, the insurer is no longer viable and has no reasonable prospect of becoming viable.</p>
<h3>What is recovery planning?</h3>
<p>As defined in the IAIS glossary, a “recovery plan” is a plan that “identifies in advance options to restore the financial position and viability if the insurer comes under severe stress”. A recovery plan should at minimum cover three elements:</p>
<ol>
<li>Credible options (menu of actions) to cope with a range of severe stress scenarios.</li>
<li>Scenarios that address capital shortfall and liquidity pressures.</li>
<li>Processes to ensure timely implementation of effective recovery options in a range of severe stress situations.</li>
</ol>
<p>The recovery plan is developed, implemented, maintained, reviewed and tested by the insurer. For the plan to be appropriate and credible, additional analysis and information is required.</p>
<h3>Recovery plan content</h3>
<p>Based on our experience and on better practice guidelines such as the IAIS Application Paper on Recovery Planning 2019 and the APRA guidelines, we suggest the recovery plan cover, at minimum, the following sections:</p>
<p><strong>Executive summary</strong><br />
This is a standalone summary of the material components of the recovery plan, including an overview of governance arrangements, early warning indicators and trigger framework, recovery options and communication strategy.</p>
<p><strong>Background information</strong><br />
A brief overview of the organisation including core business, business model, structure, and interdependencies.  This helps to contextualise the recovery plan to the organisation.</p>
<p>The background information section will also help the regulator better understand the organisation to help assess the appropriateness of the trigger framework, scenario tests performed and recovery options included.</p>
<p><strong>Governance</strong><br />
This section should include a description of the monitoring, review and testing activities, plan ownership, related frameworks, and respective roles and responsibilities of key stakeholders (and alternates) during the business-as-usual phase and the recovery phase.</p>
<p>Effective governance arrangements are critical when developing, maintaining and invoking the recovery plan.  It outlines responsibilities for monitoring and timely escalation processes for starting the implementation of recovery options.</p>
<p>Plan ownership should be clear, as well as all other responsibilities for key activities.</p>
<p>The recovery plan should be approved by the Board or, for a branch general insurer, by the Senior Officer outside Australia.</p>
<p>The recovery plan should be integrated and aligned to other plans and frameworks an organisation has in place e.g. risk management framework, capital management plans, liquidity management, crisis management plan, business continuity plan, etc.</p>
<p>The plan should be reviewed regularly and updated for material changes to the environment, strategy, structure or activities of the organisation.</p>
<p>Will the plan work when it&#8217;s activated? At minimum, it is good practice that the plan be operationally tested annually and that any opportunities for improvement be incorporated in the recovery plan. The key benefit of testing is to help calibrate triggers, scenarios and recovery options.</p>
<p><strong>Trigger framework</strong><br />
A trigger is an early warning indicator of a potential issue. Triggers are a red flag, but a trigger does not necessarily result in activation of the plan.</p>
<p>This section should include a sufficient range of relevant early warning indicators and triggers, including both qualitative and quantitative metrics to allow timely escalation, decision-making and invoking the recovery plan.</p>
<p>In line with good practice, the key here is to have a range of metrics and timely trigger points in place to alert management, escalate if required and start the recovery planning process.</p>
<p>The trigger framework should be appropriate to the organisation, and hence the importance of the background information section.  The scenario analysis helps to inform the trigger framework.</p>
<p>Some examples of triggers that insurers may consider:</p>
<ul>
<li>large insurance losses</li>
<li>catastrophic losses over the reinsurance limits</li>
<li>failure or downgrade of a reinsurer</li>
<li>large investment losses or deterioration in investment values</li>
<li>deteriorating capital</li>
<li>reduction in capital ratios</li>
<li>material increase in minimum capital requirements</li>
<li>material reduction in new business or renewals</li>
<li>sustained decrease in profitability</li>
<li>deterioration in liquidity</li>
<li>credit rating downgrade</li>
<li>operational event that threatens financial viability or severe financial loss e.g. cyber attack</li>
<li>adverse judicial interpretations</li>
<li>external market forces e.g. aggressive competition, new market entrant</li>
<li>adverse macroeconomic factors e.g. changing interest rate, change in government regulation and fiscal policy</li>
<li>any sudden change in net assets</li>
</ul>
<p>Insurers should not rely on just one hard trigger. Rather, a range of triggers that have a knock-on effect is considered better practice.</p>
<p><strong>Recovery options</strong><br />
This section would have to be the most important part of the recovery plan.  Why? This is where the insurer should outline the range of credible recovery options which aim to enhance its ability to restore itself to financial soundness and meet policyholder expectations.</p>
<p>APRA expects the menu of recovery options to be comprehensive and generate financial benefits to quickly restore the insurer to a sound financial position.</p>
<p>The combination of scenario analysis and regular testing will help ensure that the menu of recovery options is exhaustive, i.e. comprehensive.</p>
<p>Some examples of recovery options may include:</p>
<ul>
<li>raising non-equity capital</li>
<li>raising equity capital</li>
<li>reducing or suspending dividend payments</li>
<li>reducing or suspending cash repatriation to holding company</li>
<li>improving liquidity</li>
<li>buying more reinsurance</li>
<li>restructuring reinsurance arrangements</li>
<li>restructuring the investment portfolio</li>
<li>management actions such as restructure, cost savings initiatives</li>
<li>exit unprofitable product lines</li>
<li>partial or full portfolio transfer/sale</li>
<li>partial or full portfolio run-off</li>
</ul>
<p>Simply listing the recovery options is not enough.  Each option should contain assumptions, implications on strategy, details as to how it will be operationally implemented and the expected financial benefits.</p>
<p><strong>Communication strategy</strong><br />
Ideally, the insurer should include tailored communication strategies which recognise the different communication needs depending on the recovery option(s) being taken. Timely communication helps maintain stakeholder trust and confidence.</p>
<p>The communication strategy should cover both internal communication e.g. board, staff, and external communication e.g. policyholders, agents, brokers, regulators, key third parties.</p>
<p>Insurers should also consider appropriate disclosure obligations under the Corporations Act 2001 and Australian Securities Exchange Listing Rules where applicable.</p>
<p><strong>Scenario analysis</strong><br />
Scenario analysis helps assess the credibility of the recovery plan, and helps to inform and establish the trigger framework and feasibility of the recovery options.</p>
<p>This section of the plan includes a summary of a range of scenarios used, including the estimated financial impacts.</p>
<p>The scenarios should be tailored to the insurer’s business, risk profile, business model and group structure, and need to be severe enough to activate the recovery plan. In fact, severe but plausible stress scenarios that may ultimately affect the viability of the insurer are preferred.</p>
<p>When choosing scenarios, they should cover appropriately defined events that are most relevant to the insurer, taking into account the insurer’s risk profile, business model, group structure (if applicable) and other relevant factors.  Scenarios can include:</p>
<ul>
<li>Idiosyncratic stress events, where the negative impact is specific to an insurer or group.  For example:
<ul>
<li>mass lapse of policies</li>
<li>failure of material counterparties</li>
<li>severe losses through a rogue trader or another conduct risk</li>
<li>a material major cyber-security breach</li>
</ul>
</li>
<li>Market-wide stress events and/or macroeconomic events affecting the financial system and/or economy. For example:
<ul>
<li>a significant loss or stress in financial markets</li>
<li>a major change to the interest rate environment</li>
<li>a high-impact catastrophic event, such as a pandemic or climate-related event</li>
<li>a significant increase in longevity following a medical breakthrough</li>
<li>a spike in claims following an unfavourable judicial decision</li>
</ul>
</li>
<li>A combination of idiosyncratic and market-wide stress events</li>
<li>Both slow-moving and fast-moving adverse events</li>
</ul>
<p><strong>Appendix</strong><br />
An appendix of relevant information that may be important to the effective execution of the recovery plan.  This may include detailed scenarios, key assumptions, sample communication templates that can be tailored once the plan is activated, a table of scheduled activities etc.</p>
<h3>What will regulators look for in a recovery plan?</h3>
<p>Regulators like APRA will review and challenge insurers and they will provide feedback.  Regulators will review a wide range of recovery plans and set some peer benchmarks.</p>
<p>Regulators will regularly undertake resolvability assessments that evaluate the feasibility of recovery and resolution strategies and their credibility in light of the likely impact of the entity&#8217;s failure on the financial system and the overall economy. Regulators will typically assess:</p>
<ul>
<li>the extent to which critical financial services, and payment, clearing and settlement functions can continue to be performed</li>
<li>the nature and extent of intra-group exposures and their impact on recovery and resolution if they need to be unwound</li>
<li>the capacity of the entity to deliver sufficiently detailed accurate and timely information to support recovery</li>
<li>the robustness of cross-border cooperation and information sharing arrangements</li>
</ul>
<p>Where insurers fail to achieve the benchmark or meet the guidelines, regulators will ask them to remediate the gaps and resubmit the recovery plan.</p>
<p>In their assessment of the recovery plan, regulators will typically ask the following questions:</p>
<ul>
<li>Is the recovery plan clear, comprehensive and complete?</li>
<li>Is the plan appropriate and relevant considering the insurer&#8217;s risk profile?</li>
<li>Is the plan well aligned to the risk management and capital management frameworks?</li>
<li>Is the menu of recovery options sufficient i.e. wide enough range?</li>
<li>Are recovery options credible?</li>
<li>Are the recovery assumptions reasonable?</li>
<li>Are the stress scenarios sufficiently severe?</li>
<li>Are the early warning indicators and triggers appropriate for invoking the plan?</li>
<li>Are the triggers aligned to the results of scenario analysis and stress tests?</li>
<li>Can the recovery options be implemented in a timely manner?</li>
<li>Are the execution timeframes feasible?</li>
<li>Are the roles and responsibilities of the Board and Senior Management clearly defined?</li>
<li>What evidence is there of engagement with the Board and Senior management?</li>
<li>Does the communication include all key stakeholders?</li>
<li>Is the recovery plan regularly reviewed and updated?</li>
<li>Is the recovery plan tested annually?</li>
</ul>
<h3>What is a resolution plan?</h3>
<p>This is really the last resort on the resilience spectrum. The resolution plan kicks in when recovery planning fails.</p>
<p>The resolution plan establishes how the regulator would use its powers to achieve an orderly resolution of the failed institution where recovery is not possible and the institution has no reasonable prospect of returning to viability. The resolution plan identifies in advance options for resolving all or part(s) of an institution to maximise the likelihood of an orderly resolution.</p>
<p>The development of the resolution plan is led by the regulator (APRA) and/or resolution authority in consultation with the insurer in advance of any circumstances warranting resolution.</p>
<h3>How we can help you on your recovery planning journey</h3>
<p>We are here to help strengthen organisational resilience.  Our recovery planning capabilities include:</p>
<ul>
<li>Helping you prepare a recovery plan that is appropriate to your business environment and risk profile based on the APRA guidelines and better practice guidelines.</li>
<li>Helping you remediate any concerns or gaps identified by the regulator.</li>
<li>Performing a comprehensive review of your recovery plan to ensure it is in line with the APRA guideline and better practice guidelines.</li>
<li>Conducting testing of the recovery plan to identify opportunities for improvement.</li>
</ul>
<p>Be more resilient to financial stress and <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a> to discuss your recovery planning needs.</p>
The post <a href="https://inconsult.com.au/publication/the-recovery-plan-guideline-for-insurers/">The Recovery Plan – A Guideline for Insurers</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Climate Risk Guide for Directors</title>
		<link>https://inconsult.com.au/publication/climate-risk-guide-for-directors/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Fri, 05 Mar 2021 03:24:46 +0000</pubDate>
				<guid isPermaLink="false">https://ac861nz9.dreamwp.com/?post_type=publication&#038;p=5780</guid>

					<description><![CDATA[<p>The climate is changing at the fastest rate in history with severe consequences for earth’s inhabitants. The changing climate impacts the quality of our lives and the financial wellbeing of many entities. Climate change directly and indirectly impacts economic outcomes, such as agricultural output, critical economic resources, infrastructure, manufacturing, energy production, transport, supply chain and [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/climate-risk-guide-for-directors/">Climate Risk Guide for Directors</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>The climate is changing at the fastest rate in history with severe consequences for earth’s inhabitants. The changing climate impacts the quality of our lives and the financial wellbeing of many entities. Climate change directly and indirectly impacts economic outcomes, such as agricultural output, critical economic resources, infrastructure, manufacturing, energy production, transport, supply chain and other services, as well as wider human and animal welfare.</p>
<p>As a company director, you have a duty of care and diligence under section 180 of the Corporations Act 2001 and under the common law. Organisations are increasingly focusing on the impact of climate change and environmental issues on current and future corporate performance. The Board, CEO and leaders have started to realise that climate risks and opportunities are not abstract concepts, but are essential for creating a sustainable business model that delivers long-term value.</p>
<p>This guide aims to help directors understand their climate risk responsibilities, ask questions and take steps in the right direction. The guide includes:</p>
<ul>
<li>a valuable checklist that directors can use to evaluate their climate risk posture.</li>
<li>a summary of the legal and regulatory climate reporting and disclosure requirements.</li>
<li>typical climate risk assessment challenges that are often experienced.</li>
</ul>
<h3>What&#8217;s inside the Climate Risk Guide</h3>
<ul>
<li>The Consequences for Breaching Directors’ Duties.</li>
<li>The Regulatory Landscape and Climate Change.</li>
<li>Recognising and Managing Climate Risks and Opportunities.</li>
<li>Disclosing Climate Related Risks.</li>
<li>Beware the Challenges Ahead.</li>
<li>The Board’s Climate Risk Checklist</li>
</ul>
<h3>Download today</h3>
<p>Our Climate Risk Guide is complimentary, download your copy.</p>
<h3><a href="https://inconsult.com.au/wp-content/uploads/2021/01/Climate-Risk-What-the-Board-of-Directors-Need-to-Know-vFinal.pdf" target="_blank" rel="noopener"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-5785" src="https://inconsult.com.au/wp-content/uploads/2021/03/get-the-guide.jpg" alt="" width="160" height="42" /></a></h3>
<h3>How we can help you manage climate risk</h3>
<p>We are here to help you on your climate change risk journey. Our services include:</p>
<ul>
<li>Climate-risk awareness and TCFD compliance training.</li>
<li>Facilitating workshops and financial climate change impact assessments to identify and understand the threats that climate change poses to your organisation.</li>
<li>Performing scenario analyses of the threats identified, looking at different possible scenarios over the short, medium and long term for a particular asset, activity or area.</li>
<li>Providing a roadmap to enhance the organisation’s climate change risk management strategy.</li>
<li>Conducting reviews to ensure regulatory disclosures are robust and relevant.</li>
</ul>
<p>How far do you want to go to minimise the impact of climate change on your business? Be more resilient and <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener">contact us</a> to discuss your needs.</p>
The post <a href="https://inconsult.com.au/publication/climate-risk-guide-for-directors/">Climate Risk Guide for Directors</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>5 Key Areas to Managing Third Party Vendor Risk</title>
		<link>https://inconsult.com.au/publication/5-key-areas-to-managing-third-party-vendor-risk/</link>
		
		<dc:creator><![CDATA[William Makdessi]]></dc:creator>
		<pubDate>Tue, 13 Oct 2020 21:07:56 +0000</pubDate>
				<guid isPermaLink="false">https://ac861nz9.dreamwp.com/?post_type=publication&#038;p=5234</guid>

					<description><![CDATA[<p>Organisations rely on third party vendors to complete their supply chain ecosystem as a means of cutting cost and saving time. Why reinvent the wheel when a wheel manufacturer can just sell you one? Another attractive prospect of utilising third party vendors is the perception of outsourcing the risk. With fewer operations performed in-house and [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/5-key-areas-to-managing-third-party-vendor-risk/">5 Key Areas to Managing Third Party Vendor Risk</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>Organisations rely on third party vendors to complete their supply chain ecosystem as a means of cutting cost and saving time. Why reinvent the wheel when a wheel manufacturer can just sell you one? Another attractive prospect of utilising third party vendors is the perception of outsourcing the risk. With fewer operations performed in-house and guarantees that exceed that of in-house capabilities, we are led to believe that we are reducing our own risk exposure.</p>
<p style="text-align: center;"><em>Unfortunately, this is not entirely true&#8230;</em></p>
<p>The extensive reliance on information technology to provide services or products is undoubtedly a cause of increased risk. Now take that IT infrastructure and place it in the hands of a third or fourth party and grant them access to an organisation’s private internal network. Without adequate assurance and some quality due diligence, organisations are exposed to a vast number of risks, the most common being a significant third party data breach. With over 50% of all data breaches being caused by third party vendor relations, and IT-related costs increasing by as much as $370,000 to remediate a data breach, organisations should be taking greater care to review their third party vendor expectations. (<em>Ponemon Institute study 2019</em>)</p>
<p>Now that we are aware of the potential outcomes of inadequately assessing third party vendor risks, how can they be avoided?</p>
<p>These are the top five areas to focus on to manage third party vendors and mitigate risk:</p>
<h3>1. Old fashioned due diligence</h3>
<p>Due diligence should be the bare minimum when selecting a vendor. Any third party vendor should align with the expectations of the organisation&#8217;s executive leadership team, more so if they will be handling confidential, personal or strategic data. Be cautious of the fact that the conditions of due diligence change over time. What was once considered acceptable compliance then, may be considered a partial compliance now. This highlights the necessity to re-evaluate existing vendors to ensure they still meet the expectations of the organisation. Conduct a formal risk assessment to evaluate delivery risks, financial risks, compliance risks and legal risks. Favour vendors who provide you transparency into their operations and allow you to audit their processes.</p>
<h3>2. Communication</h3>
<p>Establishing an open communication channel with third party vendors not only helps develop relationships and can result in cost benefits, it can also keep an organisation informed of changes to the vendor’s environment, future plans and even issues they are experiencing. It is worthwhile subscribing to a vendor’s newsletters as they may include a product road map including quarterly milestone projections. This can pave the way for predicting future risk and developing workarounds.</p>
<h3>3. Regular review</h3>
<p>Re-evaluating existing vendors is not only part of managing changes in vendor compliance; it should be a process performed annually to provide an organisation with the ability to benchmark vendors against each other and to compare a vendor’s performance against its own past performance. Through the use of security questionnaires, cyber security ratings (CSR) and acquisition of compliance reports (e.g. SOC1, SOC2, ISO27001), an organisation can entrust sensitive or crucial data to the vendors that present the lowest risk. At the absolute worst, vendors can be provided with feedback for improvement. Select vendors who have a continuous improvement program and are responsive to feedback from you.</p>
<h3>4. Vendor comparison</h3>
<p>While long term vendor relations can have immeasurable benefits, complacency can get the better of us. The market is always ripe with competitors trying to establish their brand, and as such there may well be a vendor that can match pricing while boasting greater risk maturity. Don’t be afraid to let vendors go if the costs associated with a security incident outweigh service or product savings. While the probability is low and an incident may never occur, it only needs to happen once. According to the U.S. National Cyber Security Alliance, 60% of small organisations never recover from a cyber incident alone.</p>
<h3>5. Planning for vendor contingencies</h3>
<p>Many organisations have a business continuity management (BCM) framework in place that addresses all critical business functions internally. Unfortunately, many BCM frameworks fail to appropriately analyse third party vendor functions and the criticality of their services or products. As such, a lack of workarounds for a variety of third party contingencies puts the organisation at great risk of prolonging a disaster or worse. To simplify the process, third party vendor assessment can be included in the next annual BCM review to ensure a confident recovery strategy when an incident occurs.  Good practice is to have at least one other vendor selected where possible in the event of a failure of the primary vendor.</p>
<h3>The future of third party assessment</h3>
<p>As Software as a Service (SaaS) systems have engulfed every industry imaginable, one must wonder what SaaS systems offer when organisations attempt to simplify the task of adequately assessing third party vendors and their associated risks. GRC applications have been around for some time, allowing comprehensive management of risks, with some even including specific third party vendor management modules. In the last couple of years particularly, there has been the introduction of systems that manage online questionnaires, provide Cyber Security Ratings (CSR) and much more. These systems, used in conjunction with a well-founded BCM framework, provide the ability to challenge vendors using multiple vectors and to think far beyond the continuity of merely internal functions.</p>
<h3>How we can help</h3>
<p>InConsult is committed to helping organisations become more resilient to third party vendor risks.  We have extensive experience in risk management, cyber security, crisis management, business continuity, third party risk assessment, emergency management, disaster management and pandemic planning.</p>
<p>If you would like to know more about our third party assessment services or would like to see how you or your vendors score on the Cyber Security Rating scale, <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a> to discuss your needs.</p>
The post <a href="https://inconsult.com.au/publication/5-key-areas-to-managing-third-party-vendor-risk/">5 Key Areas to Managing Third Party Vendor Risk</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Climate Risk And Lessons From COVID-19</title>
		<link>https://inconsult.com.au/publication/climate-risk-and-lessons-from-covid-19/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Thu, 04 Jun 2020 08:30:43 +0000</pubDate>
				<guid isPermaLink="false">https://ac861nz9.dreamwp.com/?post_type=publication&#038;p=5199</guid>

					<description><![CDATA[<p>COVID-19 will not put climate change risks into lockdown but there are similarities between managing the pandemic and managing climate risk that we can learn from. We have seen from the response to the COVID-19 pandemic that the countries that acted based on scientific and medical evidence and modelling, and acted quickly appear to have [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/climate-risk-and-lessons-from-covid-19/">Climate Risk And Lessons From COVID-19</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>COVID-19 will not put climate change risks into lockdown but there are similarities between managing the pandemic and managing climate risk that we can learn from.</p>
<p>We have seen from the response to the COVID-19 pandemic that the countries that acted based on scientific and medical evidence and modelling, and acted quickly appear to have managed the threat to the health of their populations and health systems. They are looking as if they will restore business and economic activity quicker than those that didn’t.</p>
<h3>We knew this pandemic was coming and it won’t be the last</h3>
<p>Pandemics have been occurring for millennia and in the last 100 years we have seen the emergence of Spanish Flu (1918-1919), Asian Flu (1957-1958), Hong Kong Flu (1968-1970), HIV/AIDS (1981-present), SARS (2002-2003), Swine Flu-H1N1 (2009-2010), MERS (2015-present), Ebola (2014-2016) and COVID-19 (2019-present).</p>
<p>The Intergovernmental Science-Policy Platform on Biodiversity and Ecosystem Services warns that worse pandemics will come if we do not act to protect the environment. The number and diversity of infectious disease outbreaks are gradually but inexorably increasing. According to the World Health Organization (WHO), 7,000 new potential outbreaks occur each month, generating 300 follow-ups, 30 investigations and 10 risk assessments.</p>
<p>The spread of diseases to and by humans is increasing with the urbanisation of developing countries, with human activity putting pressure on the environment. Through rampant deforestation, expansion of agriculture into native forests, wildlife trade, mining, infrastructure development, and with climate change comes evolution in transmission patterns of infectious diseases. This is exacerbated by our digital hyper-connectivity and increased travel.</p>
<h3>What risk lessons can we learn from COVID-19</h3>
<p>The COVID-19 pandemic has provided a number of valuable lessons to business, many of which will help them to be stronger and more resilient.</p>
<p>Some of the lessons are:</p>
<ul>
<li>Be prepared for the unlikely, but catastrophic events.</li>
<li>Know your vulnerabilities and exposure to the extremes of the hazard.</li>
<li>Be agile and adaptable.</li>
<li>Be prepared to innovate.</li>
<li>Know and understand your supply chain and alternatives.</li>
<li>Know your customers.</li>
<li>Have clear and consistent messaging and frequent communication with stakeholders.</li>
<li>Prepare for inconsistency of supply and demand.</li>
<li>Try to understand the big picture, the risks, and how circumstances change as you gain more knowledge.</li>
<li>Trust and use the science-based evidence and models.</li>
</ul>
<h3>Applying these lessons to Climate Change Risk</h3>
<p>Climate change is also causing foreseeable financial and environmental risks. This fact has not been overlooked by many organisations, regulators and central banks. The World Economic Forum Global Risks Report 2020 has listed climate action failure as the number one risk in terms of impact. The impact of infectious diseases is in tenth position, behind climate action failure, weapons of mass destruction, biodiversity loss, extreme weather, water crises, IT infrastructure breakdown, natural disasters, cyberattacks and human environmental disasters. The five environmental risks in this list also make up the top five risks in terms of likelihood.</p>
<p>Climate change risks come in two forms: physical risks, brought about by extreme “natural” events, and transition risks, resulting from the world adopting a low carbon economy.</p>
<p>Like the COVID-19 pandemic, climate change risks can be both local and systemic. Globalised supply chains mean that a disruption far from a manufacturing plant or retailer can lead to critical delays and disruptions for organisations. These risks are compounded by the growing complexity of supply chains, with visibility often limited to first-tier suppliers in a network.</p>
<p>Some of the systemic risk events that may result from climate change are:</p>
<ul>
<li>Conflict over water security resulting from long term droughts.</li>
<li>Disruption of food supply caused by droughts, floods, fires and severe storms occurring simultaneously across different food production areas.</li>
<li>Large scale migration triggered by environmental events such as drought and sea level rise.</li>
<li>Pandemics affecting the production and transport of a range of goods.</li>
</ul>
<p>The lessons the pandemic is teaching us about agility, innovation, understanding supply chains, identifying threats and vulnerabilities, planning and trusting the science should also guide how we act on climate change risks.</p>
<h3>5 things to start doing now</h3>
<p>So, what can you do right now?</p>
<ul>
<li>Develop a climate change risk action plan.</li>
<li>Use any COVID-19 economic recovery measures to help your organisation become more resilient to climate change risks.</li>
<li>Conduct a high level scoping exercise to identify the types of climate threats your organisation may be exposed to.</li>
<li>Understand your organisation’s possible vulnerabilities to climate change threats under a range of possible scenarios.</li>
<li>Comply with any climate change risk reporting requirements that apply to your organisation and/or its directors.</li>
</ul>
<h3>How we can help</h3>
<p>We are here to help in a number of ways as your organisation starts, or continues, its climate change risk journey. This can include:</p>
<ul>
<li>Climate-risk awareness and TCFD compliance training.</li>
<li>Facilitating workshops and financial climate change impact assessments to identify and understand the threats that climate change poses to your organisation.</li>
<li>Performing scenario analyses of the threats identified, looking at a particular asset, activity or area over the short, medium and long term.</li>
<li>Providing a roadmap to enhance your organisation’s climate change risk management strategy.</li>
<li>Conducting reviews to ensure regulatory disclosures are robust and relevant.</li>
</ul>
<p>How far do you want to go to minimise the impact of climate change on your business? Be more resilient and <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a> to discuss your needs.</p>
The post <a href="https://inconsult.com.au/publication/climate-risk-and-lessons-from-covid-19/">Climate Risk And Lessons From COVID-19</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
