
    Geopolitical risk is just one of the crisis scenarios directors need to plan for. A recent AICD webinar discussed what boards can do ahead of potentially catastrophic events. 


    Worst-case scenarios do happen. Directors have to battle denial and bias in the boardroom, as well as balance being prepared against being ready for something that might never happen. It can be a struggle.

    John Macpherson, a cyber and technology risk partner at Ashurst, told a recent AICD webinar that expecting the unexpected and scenario planning could have positive impacts for an organisation’s customers. He said it is a regulatory expectation, improves the readiness and resilience of a business, uncovers blind spots and enhances a board’s ability to understand and govern foreseeable risks.

    A poll during the webinar found 53 per cent of attendees said their board had a plan for a sudden catastrophic outage triggered by a third party. Macpherson raised the example of American cybersecurity company CrowdStrike, which in July this year distributed an update to its Falcon Sensor security software that caused widespread problems with Microsoft Windows computers running the software. Around 8.5 million Microsoft Windows operating systems crashed worldwide, causing global disruption of critical services.

    “Roughly half of us on this call have a plan in place for that kind of sudden impact,” said Macpherson. “The impact in terms of what it means for CrowdStrike is a lot of legal action, a lot of share price damage and a lot of market share damage. But actually, the way regulators view this sort of thing is, what is the impact on the consumer?”

    The impact on the consumer included missed flights, missed medical appointments and inability to pay at the supermarket checkout. That is what regulators are really focused on, he said. “That’s why planning for worst-case scenarios, whether it be your own or due to a third party, is an increasing consumer and regulator expectation.”

    Build resilience

    No one size fits all crises, warned Roger Chao FAICD, a non-executive director at the Victorian Emergency Relief and Recovery Foundation. Whether you’re a global manufacturing company or a locally based financial services firm, the scenarios to plan for will be quite different. To build resilience, boards need to understand the key drivers of some of the challenges that might impact the business — where there will be regulatory crises, where there can be technological crises, where there will be shifts in the geopolitical environment.

    “The hard thing for a lot of boards is that they often stop there,” said Chao. “They’ve developed their scenario plans, they’ve got their response plans — and that’s it. The critical next step is to actually war-game some of these, to exercise them, to actually test them. When it comes to resilience and planning with boards, it is not just scenario planning, but also about scenario testing the simulation.”

    Limited thinking

    Planning for and simulating a “black swan” event — one that you can’t foresee, has extreme impact and, in hindsight, was unpredictable — can be difficult. Directors might find themselves in a boardroom full of denial and bias, attitudes that will ultimately prevent efficient and useful planning.

    Niki Short, a risk advisory partner at Ashurst, said denial and bias limit people’s ability to think about scenarios and can be firmly anchored in what’s happened in the past.

    “It’s really difficult for people to turn their mind to how severe this can actually be in practice,” explained Short.

    The role of the board is to understand that planning is everything, culture is key and crises never sleep. To prepare, boards should align crisis planning with their risk framework and be involved in determining how much should be spent preparing for the unknown and unexpected, and what resources are required. They need to approve the response and recovery plan, oversee reviews and testing of scenarios, and supervise the response to an incident.

    “I would love to have been in a room for CrowdStrike when they were doing their scenario analysis,” said Short. “I highly doubt that they would have foreseen the severity of their recent kind of incident.” 

    This is an edited version of the webinar discussion held on 28 August 2024. 

    This article first appeared under the headline ‘Be Prepared’ in the October 2024 issue of Company Director magazine.
