Beyond Backup: What Executive Teams Need to Know About Data Risk, Continuity and Governance

July 29, 2025
By Nicholas Murray
Enterprise Digital and Strategy Consultant

Most executive teams understand that having a data backup strategy is essential. But for organisations that manage sensitive or high-stakes data - particularly in the not-for-profit, health, or community sectors - the real question isn’t “do we have backups?” but rather:

“Is our organisation genuinely prepared to protect and recover our data in the face of disruption, failure, or breach?”

The difference between data backup, disaster recovery, business continuity, and data governance is more than semantics. These are distinct but interrelated disciplines, and when leadership treats them as check-box IT functions, the organisation is exposed - operationally, reputationally, and in some cases, legally.

Let’s unpack what executive teams really need to understand.


It’s a phrase we hear often. But when we dig deeper, the comfort quickly erodes. Consider:

What’s being backed up - and how often?

Many organisations still only back up business and transaction data, not configuration data, automations, integrations, or content repositories. Incremental backups may miss key context required for full recovery.

What’s a shared responsibility model?

Most infrastructure and platform cloud providers take responsibility for the availability of their cloud services, but assume customers are actively managing the safeguarding and archiving of their business data.

Where are those backups stored?

Relying solely on your primary cloud provider's backup carries its own risks. A serious misconfiguration, deletion, or access compromise can render even cloud-based backups useless. Actively controlling and monitoring your backup operations helps to fulfil your responsibilities towards business continuity. Cross-platform, immutable backups may also be required.

Can you actually restore from backup - and have you tested it recently?

Backups are not recovery. We’ve seen cases where the backup exists, but restoration scripts fail, or recovery takes days - crippling critical services in the meantime.

Many disaster recovery plans are written from an IT lens, not a business lens. Executives must own the business impact analysis (BIA) - defining what systems, functions, and datasets are critical, and how long the organisation can tolerate them being offline (Recovery Time Objective; RTO) or partially restored (Recovery Point Objective; RPO).

Key questions to consider:

  • Which datasets are mission-critical, and what’s the real cost of their unavailability?
  • Who decides what gets restored first?
  • Do we have pre-agreed protocols to authorise actions during a crisis - especially if key decision-makers are unavailable?
  • Are third-party vendors (e.g., managed services providers) contractually obligated to support recovery at the required speed and scale?

Executives are now expected to understand and manage digital risks under frameworks like:

  • The Australian Privacy Principles (APPs)
  • ISO 27001 or NIST CSF
  • State-based critical infrastructure regulations (for some NFPs)
  • Cyber insurance obligations and audit standards

But many data governance efforts stall because:

  • They rely too heavily on IT teams to define policies
  • Data ownership is unclear, particularly in federated or hybrid service models
  • There's no map of where critical data lives (e.g., CRMs, file shares, shared drives, personal inboxes, SaaS platforms)

What this means for executives:

  • You can’t protect what you haven’t defined. You need a current, business-owned data map.
  • You are legally and reputationally accountable. Delegating this to "the IT team" is no longer acceptable.
  • Governance is cultural. Embedding it means engaging people in their roles as data stewards - not just enforcing compliance.

Even in organisations with solid IT hygiene, we often find risk blind spots. Some examples:

SaaS data vulnerability

Many SaaS providers (including Salesforce, Microsoft 365, and Xero) follow a “shared responsibility” model - data protection is your responsibility, not theirs.

Backup for workflows and metadata

Complex configurations, automation rules, and system workflows are often not backed up or version controlled. If these are lost or overwritten, recovery may require costly reimplementation - not a quick restore.

Over-permissioning

Staff and volunteers often have excessive access rights to sensitive data. This increases insider threat and makes it harder to contain breaches.

Legacy integrations

APIs or file-based connections between systems are rarely documented or monitored for failures - yet they often underpin entire services.

Review your risk posture and assumptions.

Don’t assume backups are adequate unless they’ve been audited, tested, and validated against real-world scenarios.

Align your recovery plan with business outcomes.

Engage across departments to determine what’s actually critical. Tie RTOs and RPOs to business impact, not just technical feasibility.

Strengthen governance culture.

Appoint data owners for key domains (e.g., client data, finance, operations). Build governance into onboarding, policy reviews, and regular audits.

Modernise your continuity planning.

Move beyond paper plans and IT-centric models. Ensure plans include:

  • Communications protocols
  • Chain-of-command in a crisis
  • Supplier risk assessments
  • Regular tabletop testing and scenario rehearsals

Engage the board and leadership.

Your board should be briefed on digital risk as part of its governance responsibilities - not only after something goes wrong.

As a trusted technology and business advisory partner, we work with executive teams to:

  • Facilitate risk and governance discussions at board, executive, and operational levels
  • Assess current-state data risk across systems, platforms, and practices
  • Design actionable data governance and business continuity strategies
  • Support implementation, from selecting backup and recovery tools to establishing data stewardship and culture

If you’re ready to shift from backup as insurance to continuity as a leadership strategy, we’d love to talk.
Book a free discovery session to review your current risk posture and next steps.

In the spirit of reconciliation Enrite Solutions acknowledges the Traditional Custodians of Country throughout Australia and their connections to land, sea and community. We pay our respect to their Elders past and present and extend that respect to all Aboriginal and Torres Strait Islander peoples today.
© Enrite Solutions Pty Ltd. Salesforce, Sales Cloud and others are trademarks of salesforce.com.inc., and are used here with permission.