Outsourcing IT Operations

We recently attended a very interesting seminar organised by the Global Association of Risk Professionals (GARP). The topic was helping finance companies address APRA’s CPS 230 standard, which came into force on 1 July 2025. The standard requires finance companies to develop business continuity plans and to prudently manage their operational risks. Because IT operations are so commonly outsourced to third parties, the standard focuses heavily on that arrangement.

Speakers were from UniSuper, NAB and Deloitte and they spoke generally about their experience in preparing for the introduction of the new standard. 

The speaker from UniSuper focused on the company’s experience of having Google inadvertently delete UniSuper’s entire Google Cloud subscription, impacting over 600,000 customers. This occurred even though UniSuper had duplicate infrastructure and data in two geographies: because the deletion acted at the subscription level, both copies went with it. UniSuper was able to restore service from backups it held with another provider, which is the practical lesson: redundancy inside one provider account does not protect against the loss of the account itself.

The conversation focused on the challenge of keeping IT applications and data resilient when the number of vendors serving Australia is so small.

See below for a diagram that depicts the major vendors of IT infrastructure and applications in Australia.

By way of example, before cloud and SaaS, each of Australia’s four major banks owned and operated its own data centres, IT systems and networks, and purchased the application software licences needed to run its business. If one bank suffered a power outage, a fire in its data centre or an IT malfunction, only its own customers were affected.

Today, it is likely that all four banks subscribe to services from AWS, Microsoft and Google. If one of these providers suffers an outage, the customers of several banks can be affected at once.

The dominance of Microsoft is particularly concerning because it operates both cloud infrastructure and three dominant SaaS services: O365, Teams and SharePoint. In a large proportion of Australian organisations, employees working from home are especially reliant on Teams.

The other aggregation of risk comes from the concentration of data centres in Melbourne. Four large data centres currently sit in close proximity to each other in Port Melbourne, and NextDC is planning another very large facility nearby. Port Melbourne is only about 2-3 metres above the Yarra River, which is open to the sea.


Uncertainty in the US

Finally, Jeff Bezos and Mark Zuckerberg have recently made substantial changes to the policies governing The Washington Post and Facebook. Given the major changes occurring in the US, it is plausible that other companies shown in the diagram above could also make substantial changes to the way they operate, possibly impacting Australian companies.

What we used to take for granted is no longer!

We left the seminar believing that more Australian organisations should seriously consider APRA’s approach to managing their reliance on IT systems and data. 

The introduction of the Standard on 1 July 2025 adds urgency for Australia’s regulated entities!

PS: The electrical sub-station whose fire recently caused such disruption at Heathrow Airport apparently also supplied a number of the UK’s data centres!

Floods and Resilience

Reducing the impact of a flood

We often advise clients that the risks presented by climate change are increasing rapidly. For any organisation that has assets exposed to flooding, sea level rise or storms, mitigating these risks can be challenging. Here are a couple of success stories.

In May 2010, a major flood hit Coca-Cola’s 30,000 m2 bottling plant in Nashville, Tennessee. The facility is located in a high-hazard, 100-year flood zone.

The flooded bottling facility during the 2010 flood which prompted the flood mitigation project.

Coca-Cola partnered with FM Global to develop a plan to protect their facility from future floods.

They decided they could not relocate the very large warehouse away from a known flood risk, so they developed a method to reduce the impact of the next inevitable flood. They protected critical production equipment within the facility using flood walls. This enabled them to let the flood waters flow into, and out of, the building.

Flood wall around the critical infrastructure and the flood door to allow the water to flow back out of the building.

Amazingly, they were able to verify the effectiveness of the solution during another serious flood in March 2021. See here for more details: https://www.fm.com/insights/coca-cola


Interestingly, the Reject Shop’s 26,000 m2 distribution centre in Ipswich, Queensland had a very similar experience. After the extensive flooding at the start of 2011, they installed a flood barrier system around the DC. Again, they had the opportunity to test the barrier when another flood hit the area in 2013. There was no impact on the DC’s operations!

Resilience in the Cloud

The Uptime Institute recently published an excellent paper on the costs and benefits of purchasing increased resilience from cloud providers, using AWS as a case study. The baseline for comparison was a deployment with no resilience measures at all. The study shows the cost of each increase in resilience and the reduction in downtime it buys.

The author provides some wise advice:

"Unlike privately owned and co-located data centres, customers using the public cloud have no visibility or control over the data centre used by their cloud provider. When architecting a cloud application, it is up to software developers to incorporate resiliency into their application architecture. Conversely, in a more traditional non-cloud application, data centre teams, infrastructure engineers and software developers should work together to meet resiliency requirements."

"If customers use more resources to architect resiliency, they need to pay for those additional resources. The implication is that resiliency is neither included as standard nor guaranteed. Customers should design their applications to meet availability requirements and balance this objective against the cost."

As CIOs relinquish control over the operation of their IT systems, it is imperative that the resilience requirements of each application and its data are fully specified in the service agreement with the cloud provider. APRA’s standard CPS 230, soon to come into effect, addresses many of the issues associated with outsourcing critical services to third parties. Source: https://intelligence.uptimeinstitute.com/resource/cloud-availability-comes-price
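The arithmetic behind the paper’s argument is easy to reproduce. The following is an added illustration, not code from the Uptime Institute paper or from this newsletter, that models three deployment patterns as series and parallel combinations of components, then asks which is the cheapest pattern that meets a given availability target. All availability figures, the three pattern names and the monthly costs are constructed assumptions, not any provider’s SLA or price list. The one modelling choice worth noting is that the customer’s account and the provider’s control plane are kept in series with every pattern, because replicas inside one account share that dependency (the UniSuper subscription deletion is the case in point):

```python
"""Availability-versus-cost model for three cloud deployment patterns.

Added example, not from the Uptime Institute paper or the newsletter.
Every number below is a constructed assumption for illustration only.
"""
from math import prod

MINUTES_PER_YEAR = 365 * 24 * 60

# Constructed per-component availabilities (not vendor SLAs).
COMPUTE_AZ = 0.999      # one virtual machine in one availability zone
STORAGE_AZ = 0.999      # its single-zone block storage
ACCOUNT_PLANE = 0.9999  # the customer's account/subscription plus the provider's
                        # control plane, shared by every copy in that account

# Constructed indicative monthly cost of each pattern, in arbitrary units.
MONTHLY_COST = {"single_az": 1000, "multi_az": 2200, "multi_region": 4800}


def series(*components):
    """Availability of components that must all be up: the product."""
    return prod(components)


def parallel(*copies):
    """Availability of independent copies where any one copy suffices."""
    return 1 - prod(1 - a for a in copies)


def availability(pattern):
    """Modelled availability of one deployment pattern, account plane included."""
    stack = series(COMPUTE_AZ, STORAGE_AZ)  # one zone's copy of the application
    if pattern == "single_az":
        app = stack
    elif pattern == "multi_az":
        app = parallel(stack, stack)
    elif pattern == "multi_region":
        regional = parallel(stack, stack)   # each region is itself multi-AZ
        app = parallel(regional, regional)
    else:
        raise ValueError(f"unknown pattern: {pattern}")
    # The account/control plane stays in series with every pattern: replicas
    # inside one account do not protect against the account itself going away.
    return series(app, ACCOUNT_PLANE)


def annual_downtime_minutes(pattern):
    """Expected unavailability per year, in minutes."""
    return (1 - availability(pattern)) * MINUTES_PER_YEAR


def cheapest_pattern_meeting(target):
    """Cheapest pattern whose modelled availability meets target, or None."""
    candidates = [p for p in MONTHLY_COST if availability(p) >= target]
    return min(candidates, key=MONTHLY_COST.__getitem__) if candidates else None


if __name__ == "__main__":
    for p in MONTHLY_COST:
        print(f"{p:13s} availability={availability(p):.6f} "
              f"downtime={annual_downtime_minutes(p):7.1f} min/yr "
              f"cost={MONTHLY_COST[p]}")
    print("cheapest for 99.95%: ", cheapest_pattern_meeting(0.9995))
    print("cheapest for 99.995%:", cheapest_pattern_meeting(0.99995))
```

Under these assumptions the table shows multi-region buying only a couple of minutes a year over multi-AZ, because the shared account dependency caps every pattern at roughly 99.99%; a 99.995% target therefore returns None. Spending more inside one provider does not remove a common-mode dependency; that has to be addressed differently, for example with backups held outside the provider.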

Operational Risk Management - CPS 230

The Australian Prudential Regulation Authority (APRA) has released a guide that covers the new standard on Operational Risk Management - CPS 230. The standard came into force this month.

Although APRA’s standards are intended for companies operating in the Australian financial market, we think the standard and guide provide very good advice for most organisations that are concerned about their operational resilience.

The standard addresses the following:

  • The assessment and management of a wide range of operational risks, including legal, regulatory, compliance, conduct, technology, data and change management risks.

  • Business continuity and how organisations should identify time critical business activities and estimate their tolerance for having them unavailable. Importantly, the business continuity plan should document the recovery procedures and workarounds if any supporting resources (people, facilities and IT systems) become unavailable because of a disruption.

  • Development of a policy for dealing with material service providers. This policy should cover how to identify, manage and monitor the service providers that have a significant impact on the organisation’s operations. Organisations should also evaluate the risks posed by these providers, sign formal contracts with them, track their performance and carefully manage any major changes to the arrangements.

Managing outsourced IT services

We find that many organisations have outsourced large parts of their IT infrastructure to service providers and, as a result, have ceded management and control to others.

This makes it challenging for the CIO to ensure that the recoverability of IT systems meets the needs of the business. Some Software as a Service vendors will not warrant a Recovery Time Objective at all. Often, the outsourced system (and its data) exists at only one location, making it a single point of failure.

It is critical that business management identifies the time critical activities and their tolerance to disruption. These requirements should be communicated to IT management, so that the critical IT systems have the necessary resilience to support the business during disruptions.

CPS 230 outlines an excellent approach to achieve that!
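The gap check described above can be made mechanical. The following is an added illustration, not code from APRA, CPS 230 or this newsletter, that takes each time-critical activity’s tolerance for disruption from the BIA, maps it to the IT services the activity depends on, and reports where the vendor’s warranted RTO exceeds that tolerance, where no RTO is warranted at all, or where the system and its data exist at a single location with no independent backup. The activities, services, tolerances and RTOs are constructed sample data, not any organisation’s BIA or contracts:

```python
"""Tolerance-versus-RTO gap check for outsourced IT services.

Added example, not from APRA, CPS 230 or the newsletter. All names and
figures below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ItService:
    name: str
    provider: str
    rto_hours: Optional[float]        # None: the vendor will not warrant an RTO
    locations: int = 1                # sites/regions where the system and its data exist
    independent_backup: bool = False  # a copy of the data held outside the provider


@dataclass
class Activity:
    name: str
    tolerance_hours: float            # maximum tolerable period of disruption, from the BIA
    depends_on: list[str] = field(default_factory=list)


def find_gaps(activities, services):
    """Return (activity, service, finding) for every place the business
    tolerance is not demonstrably met by the supporting IT service."""
    by_name = {s.name: s for s in services}
    gaps = []
    for act in activities:
        for dep in act.depends_on:
            svc = by_name[dep]
            if svc.rto_hours is None:
                gaps.append((act.name, svc.name, "vendor will not warrant an RTO"))
            elif svc.rto_hours > act.tolerance_hours:
                gaps.append((act.name, svc.name,
                             f"RTO {svc.rto_hours:g}h exceeds tolerance {act.tolerance_hours:g}h"))
            if svc.locations < 2 and not svc.independent_backup:
                gaps.append((act.name, svc.name, "single location and no independent backup"))
    return gaps


def achievable_recovery_hours(activity, services):
    """An activity cannot recover faster than its slowest dependency. Returns
    None when any dependency has no warranted RTO, because then nothing can
    be promised to the business at all."""
    by_name = {s.name: s for s in services}
    rtos = [by_name[d].rto_hours for d in activity.depends_on]
    return None if any(r is None for r in rtos) else max(rtos, default=0.0)


# Constructed sample data, not a real organisation's BIA or contracts.
SERVICES = [
    ItService("Core ledger", "in-house data centres", rto_hours=4, locations=2),
    ItService("Payments gateway", "SaaS vendor A", rto_hours=None, locations=1),
    ItService("Collaboration suite", "SaaS vendor B", rto_hours=24, locations=2),
    ItService("Claims database", "SaaS vendor C", rto_hours=48, locations=1,
              independent_backup=True),
]
ACTIVITIES = [
    Activity("Process customer payments", tolerance_hours=2,
             depends_on=["Core ledger", "Payments gateway"]),
    Activity("Answer customer calls", tolerance_hours=24,
             depends_on=["Collaboration suite"]),
    Activity("Assess insurance claims", tolerance_hours=72,
             depends_on=["Claims database", "Collaboration suite"]),
]

if __name__ == "__main__":
    for act in ACTIVITIES:
        print(f"{act.name}: tolerance {act.tolerance_hours:g}h, "
              f"achievable {achievable_recovery_hours(act, SERVICES)}")
    for gap in find_gaps(ACTIVITIES, SERVICES):
        print("GAP:", *gap)
```

In the sample data the payments activity produces all three findings: the in-house ledger’s 4-hour RTO is longer than the 2-hour tolerance, and the payments gateway neither warrants an RTO nor exists anywhere but one location. achievable_recovery_hours shows why the unwarranted RTO matters most: with one dependency carrying no commitment, no recovery time can be promised for the activity, whatever the other contracts say.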

Newsletter February 2021

Re-assess your risks in 2021

The Trump presidency and, more recently, the COVID-19 pandemic have intensified competition between the US and China. Both countries are likely to seek superiority in the digital realm and to restructure their supply chains.

According to the Global Risks Report 2021, middle powers like Australia are likely to be squeezed. We are already suffering from China’s decisions to limit imports of a number of important commodities. Hopefully, we will not be put in a position where we have to pick a side.


We all hope that the Biden presidency can quickly repair the damage caused by the pandemic in the US. One of the salient lessons from the pandemic is the fragility of our supply chains and the prevalence of critical products being supplied from countries far from Australia, often from a single source.

Use your 2020 experience to re-assess the resilience of your supply chains. If you have staff monitoring your modern slavery obligations, they may be able to assist.

The WEF Global Risks Report 2021 also identifies the ever increasing threat posed by hackers. The sophistication, number and funding of hackers (both criminals and nation states) continues unabated.

It is difficult for organisations to decide how much resource to devote to this risk. The good news is that, like washing hands and wearing a mask, basic hygiene greatly reduces the risk of being the victim of a successful attack. The Australian Cyber Security Centre has an excellent guide to help you implement these basic hygiene measures.

Is it time to review your cyber security approach in light of the ACSC guide?

The third, and most prevalent, risk identified was climate change. Among the top seven global risks, climate-related risks occupy four positions for impact and four for likelihood.

The seven hottest years on record globally all occurred in the past seven years.


Although most of us will remember 2020 as the year of COVID, the impact of climate change on Australia was exceptional – starting with the bushfires that engulfed SE Australia.

Australia is particularly exposed to climate change. On January 4th 2020, Penrith was the hottest place on Earth at 48.9˚C!

These physical risks, caused by extreme heat, storms and floods will increasingly impact the operations of Australian business.

If your organisation has widely distributed operations, has large critical assets, is heavily dependent on a reliable power supply or has long supply chains, we strongly advise that you re-visit your Risk Register in light of the warnings from the Global Risks Report and, locally, from the Climate Council.


The Biden presidency has wasted no time in aggressively re-setting the strategy the US intends to employ to tackle climate change. In addition, the UK and the EU have already warned trading partners that they will use carbon tariffs to punish countries that they deem are not acting on climate change. This is a large risk for any Australian company that exports to the UK, EU or the US.

As a result, the Australian Government may need to implement policies that impact the operations of Australian companies.


Please consider these transition risks in light of your business operations. The Australian Government may move quickly in light of pressure from its trading partners. Policy action by the government may have a substantial impact on some of these risks.

Please also remember that throughout the pandemic, critical decisions were made by governments. The primary obligation of your Crisis Management Team was to comply with the instructions issued by the various Health Departments and Chief Medical Officers.

If your business suffers a major hack, a fire to the building or sells a product that makes your customer sick, there will be no Government to give instructions on how you should manage the crisis. Furthermore, your competitors and customers may actively seek to profit from your misfortune.

Please contact Continuity Matters if we can help you re-assess your resilience, develop a business resilience program or validate your plans by conducting an exercise. 

Now is the time to tackle your business resilience


With the annual budget-setting period just around the corner, this is a good time to start preparing a case for budget to be allocated to increasing your organisation’s resilience.

Leaders often say “Don’t waste a crisis” in the wake of a disaster. The month of January in Australia has been extraordinary by any measure, and the crisis continues into February. Whether it’s floods, fires, hail, unbreathable air, dust storms, extreme heat, drought (and drinking water scarcity), extreme wind and now the emerging coronavirus, we’ve had them all in Australia. The impact of the fires on our flora and fauna will take months just to assess. The impact on our social infrastructure, homes and businesses will be huge.

With these issues being discussed every day in the media, executives must be considering the possibility that a similar crisis could impact the viability of the organisation they lead. Who in Tennis Australia could have anticipated that the Australian Open would be impacted by smoke coming from bushfires 1,000 km away?

If your organisation currently does not have an annual budget for business resilience – now is the time to have one approved! Increasing your organisation’s business resilience must be treated as an on-going program. It is not a project! You may need to re-establish a business continuity and crisis management plan initially and as a consequence there will be a project to carry out this work. You will also need to budget for its improvement over time and its on-going maintenance. As a minimum, you should seek budget approval over three years. Five years is preferable! The Business Resilience Program budget request should contain allocation for the following activities:

  • Allocation of an FTE (or part FTE) to be the person responsible for the Program.
  • Establishment of a Program Policy and Program Steering Committee.
  • Funds for projects to develop a Crisis Management Plan (CMP) and a Business Continuity Plan (BCP). If these already exist, estimate the effort involved in updating them – if required.
  • Allowance for the provision of workplace recovery offices – if required.
  • Budget for crisis communications software – if required.
  • Allocation of legal resource to review your organisation’s contracts with critical third-party suppliers (particularly cloud providers).
  • Once the CMP and BCP are established, initiate an exercising schedule (at least annually) where key participants in the Program exercise their skills.
  • Improvement of the Program over time.
  • Annual review of your Business Impact Analysis (BIA) to ensure your Prioritised Activities have not changed since you last completed the BIA.

Please contact Continuity Matters if you need assistance in completing this work. We can also assist in the development of a business case to help justify the allocation of the funds. Your organisation could also consider using Continuity Matters to implement the Program “as a service”.

The April budget setting period is not far away – now is the time to start!

Considerations for workplace recovery | Ben Scheltus

There can be many reasons why your staff won't be able to work from their "normal" place of work: flooding, power outage, internet disruption, fire and so on. So, where will they go? Can they work from home? What are their technology needs? Here's a helpful article to get you started.

This article addresses the issues that business continuity professionals should consider when sourcing workplace recovery facilities as part of a business continuity plan. It assumes a medium-sized office (several hundred staff) and that the organisation has only one office in the city. We also assume that the organisation has removed its IT infrastructure from the office and now houses its computer systems in a data centre or in the cloud.



Impact of risks from climate change on business resilience | Ben Scheltus

At the recent BCI Summit in Sydney, Ben Scheltus gave a presentation on the impact of risks from climate change on business resilience.

A combination of factors makes climate change a particularly notable risk for Australian businesses. On a global basis, the World Economic Forum’s Global Risk Report has identified climate change as a “High Impact” and “High Likelihood” risk. Australian businesses should treat this serious risk in the same manner as any other business risk.

Australia is particularly exposed because it is already subject to extremes of weather; its distance from other global markets increases the fragility of our supply chains; our power generation infrastructure is ageing; and we depend heavily on sea transport for both imports and exports. Recently there was a discussion as to whether climate change risks were becoming too great in Australia for the insurance industry to insure.


Newsletter September 2018

Welcome to the September edition of the Continuity Matters Newsletter!

As Hurricane Florence bears down on the coast of North and South Carolina, it is a salutary reminder of the power of nature. There are 56 data centres in North Carolina and 11 in South Carolina. Apple, AWS, Google and IBM all have data centres in the area, and Facebook has a 30,000 m2 data centre (that’s 7.5 acres!). See here for a listing. The full impact of the storm is unknown, but the predictions are ominous. Authorities are expecting lengthy power outages and extensive flooding.

We have compiled some very interesting articles that discuss the key resilience issues facing data centre and cloud providers in the face of this enormous storm.

Don't forget to reserve your seat for our upcoming seminar in October!


Continuity Matters' Upcoming Seminar – “Compliance Without Control”

The increasing dependence of organisations on applications in the cloud has made it more challenging for risk and business continuity executives to satisfy themselves that the applications will be recoverable in the event of a disruption.

If your organisation has deployed critical applications to the cloud, how will you assure yourself (and possibly the regulator) that your systems are recoverable in the time and manner you require?

Hear experts address this issue and work their way through a realistic scenario. We will present the perspectives of an APRA-regulated user, a provider and the regulator.

There will be plenty of opportunity for questions and networking at this interactive and stimulating session. Drinks will be served at the conclusion of the session.

Hit by the Azure outage? Watch out for Hurricane Florence!

“With Hurricane Florence bearing down on the Southeast US as I write this post, I certainly hope if your data center is in the path of the hurricane you are taking proactive measures to gracefully move your workloads out of the impacted region. The benefit of a proactive disaster recovery vs a reactive disaster recovery are numerous, including no data loss, ample time to address unexpected issues, and managing human resources such that employees can worry about taking care of their families, rather than spending the night at a keyboard trying to put the pieces back together.”

Lessons learned from past disasters

Robby Hill, founder and CEO of HillSouth, a Florence, S.C.-based managed services provider, told CRN: "During Matthew, we found we didn't have enough backup power for our office building, since then, we have implemented and tested our power. After Matthew, we were stuck with portable generators. Now we have one installed in our building. Matthew tested us. We were out of power for a week." 

Weather report

We can’t say we were not warned. Earlier this year, the World Economic Forum published the Global Risks Report 2018. On page 3 of the report, the Global Risks Landscape 2018 chart had 6 of the 7 most likely and most impactful risks attributable to climate change. This assessment has proved to be scarily accurate.

Why using the Potluck approach is a risky strategy

Many organisations make no formal workplace recovery arrangements for their crisis management and recovery staff. Many hope that their offices will never suffer a disaster and, even if they do, intend to use the “Potluck” approach and go to a hotel if the need arises.

We believe this is a risky strategy, and here's why.