Most executive teams understand that having a data backup strategy is essential. But for organisations that manage sensitive or high-stakes data - particularly in the not-for-profit, health, or community sectors - the real question isn’t “do we have backups?” but rather:
“Is our organisation genuinely prepared to protect and recover our data in the face of disruption, failure, or breach?”
The difference between data backup, disaster recovery, business continuity, and data governance is more than semantics. These are distinct but interrelated disciplines, and when leadership treats them as check-box IT functions, the organisation is exposed - operationally, reputationally, and in some cases, legally.
Let’s unpack what executive teams really need to understand.
It’s a phrase we hear often. But when we dig deeper, the comfort quickly erodes. Consider:
What’s being backed up - and how often?
Many organisations still only back up business and transaction data, not configuration data, automations, integrations, or content repositories. Incremental backups may miss key context required for full recovery.
What’s a shared responsibility model?
Most infrastructure and platform cloud providers take responsibility for availability of their cloud services, but assume customers are actively managing safeguarding and archiving of their business data.
Where are those backups stored?
Relying solely on your primary cloud provider's backup carries its own risks. A serious misconfiguration, deletion, or access compromise can render even cloud-based backups useless. Actively controlling/monitoring your backup operations helps to fulfil your responsibilities towards business continuity. Cross-platform, immutable backups may also be required.
Can you actually restore from backup - and have you tested it recently?
Backups are not recovery. We’ve seen cases where the backup exists, but restoration scripts fail, or recovery takes days - crippling critical services in the meantime.
Many disaster recovery plans are written from an IT lens, not a business lens. Executives must own the business impact analysis (BIA) - defining what systems, functions, and datasets are critical, and how long the organisation can tolerate them being offline (Recovery Time Objective; RTO) or partially restored (Recovery Point Objective; RPO).
Key questions to consider:
Executives are now expected to understand and manage digital risks under frameworks like:
But many data governance efforts stall because:
What this means for executives:
Even in organisations with solid IT hygiene, we often find risk blind spots. Some examples:
SaaS data vulnerability
Many SaaS providers (including Salesforce, Microsoft 365, and Xero) follow a “shared responsibility” model - data protection is your responsibility, not theirs.
Backup for workflows and metadata
Complex configurations, automation rules, and system workflows are often not backed up or version controlled. If these are lost or overwritten, recovery may require costly reimplementation - not a quick restore.
Over-permissioning
Staff and volunteers often have excessive access rights to sensitive data. This increases insider threat and makes it harder to contain breaches.
Legacy integrations
APIs or file-based connections between systems are rarely documented or monitored for failures - yet they often underpin entire services.
Review your risk posture and assumptions.
Don’t assume backups are adequate unless they’ve been audited, tested, and validated against real-world scenarios.
Align your recovery plan with business outcomes.
Engage across departments to determine what’s actually critical. Tie RTOs and RPOs to business impact, not just technical feasibility.
Strengthen governance culture.
Appoint data owners for key domains (e.g., client data, finance, operations). Build governance into onboarding, policy reviews, and regular audits.
Modernise your continuity planning.
Move beyond paper plans and IT-centric models. Ensure plans include:
Engage the board and leadership.
Your board should be briefed on digital risk as part of its governance responsibilities - not only after something goes wrong.
As a trusted technology and business advisory partner, we work with executive teams to:
If you’re ready to shift from backup as insurance to continuity as a leadership strategy, we’d love to talk.
Book a free discovery session to review your current risk posture and next steps.
From Plans to Progress: Making FY26 Technology Projects HappenAs we launch into the new financial year, many organisations - particularly in the not-for-profit and purpose-driven sectors - have already done much of the heavy lifting: reflecting on the past year, setting strategic priorities, and finalising plans for what’s next. Chances are, you’ve already identified key initiatives for FY26. If you’re like most organisations […]
Salesforce Summer '25 Release: Enforced Updates You Can't MissIt’s that time again - Summer has sprung for our northern hemisphere neighbours, and so has the Salesforce Summer '25 Release! If you want the handpicked most exciting features for business users and admins, check out our recent blog, where we break down the highlights and what they mean for you! But today we've curated our […]
Salesforce Summer ’25 Release Date & HighlightsThe Salesforce Summer ‘25 release is here, and it's a significant one! There's a focus on AI, Flows, and enhancing setup tools, aimed at improving the configuration experience for Salesforce instances across the board. Depending on your instance, you'll be upgraded on one of the following dates: If you want to find out exactly which […]
