Building Business Resilience: What the Board of Directors Need to Know. A Briefing for the C-Suite

2019 
The C-level executives of all organisations, no matter how large or small, whether in the private or public sector, have a responsibility to ensure their business is resilient to the impact of adverse risks. All organisations today are reliant on technology to deliver their services to their customers and manage their business, whether they are a large financial institution, manufacturer, retailer, public sector organisation, SME, etc. Indeed, many of the more successful organisations are actually technology companies, totally reliant on technology to deliver their service. Uber, Airbnb, and Amazon are just a few names which spring to mind. In our ever-increasing, always-connected cyber age, organisations are therefore exposed to the risk of a cyber-attack. No longer can this issue be delegated to the IT senior management team; accountability rests with the C-suite, so they need to provide effective governance oversight to ensure that the business is as resilient as possible, in line with the organisation’s cyber risk.

This briefing paper accompanies the ACCA’s “Cyber and the CFO report”, which can be found at: https://www.accaglobal.com/content/dam/ACCA_Global/professional-insights/Cyber-cfo/pi-cyber-and-theCFO.pdf. However, managing an organisation’s cyber risk is complex, and it is not just the responsibility of the CFO; it is the responsibility of all the C-suite of an organisation. The C-suite have to get to grips with the reality that just as they start their work day, thousands of organised crime firms wake up with a single KPI: breaking into your enterprise network. The C-suite have many other priorities to balance, as well as the issue of cyber risk. Therefore, this paper provides some guidance on the basics.

The C-suite should ensure that their organisations are:

• doing the right things;
• doing them in the right way;
• doing them well; and
• protecting business value, effectively managing the cyber risk and protecting the business.

The C-suite, as company directors, have a legal responsibility to provide effective governance oversight and to ensure that the company is well managed, to protect its customers, employees, shareholders, and business partners. This extends to ensuring that the organisation fully understands its cyber risks and that these are being adequately and effectively managed. The C-suite need to lead by example, not only in what they say, but more importantly, in what they do. This includes observing the organisational security policies.