Purple Resilience For Real-World Risk

Show Notes

A pen test won’t save your business if the cleaner unplugs your backup server. We dig into Purple Resilience with Aris Zinc Group's Lizzie Christiansen and Michelle Carn to show how true operational strength blends cyber defense with people, process, and supply chain readiness. From tailgating and propped warehouse doors to vendor failover and business continuity drills, we share the simple fixes and smarter tests that keep small and medium enterprises running when things go wrong.

We talk through real scenarios that reveal where risk hides: friendly staff who hold doors open, outdated binders no one reads, third‑party providers that pass audits but fail under pressure. You’ll hear how to coordinate red and blue teams through a neutral “green” layer, why independent testing matters, and how to convert findings into clear playbooks your team can actually use. We also unpack ESG as everyday behavior—safety, inclusion, and ethics that reduce exposure and build trust—not a buzzword or a dusty policy.

AI takes center stage too, but with nuance. Lizzie argues AI should be an and, not an or: great for formatting policies, compliance monitoring, and surfacing signals, but never a replacement for professional judgment or local context. We examine pitfalls like automated CV floods and contract drafting without legal review, then outline where AI can genuinely help SMEs gain time without taking on new risk. Along the way, we explore regulatory shifts such as Fair Work and AML obligations, plus lessons from major outages, and why Australian SMEs can compete globally by tightening culture, process, and supplier assurance.

Walk away with a punch list: schedule short scenario drills, verify vendor failovers, enforce badges and no tailgating, modernize contracts, and adopt two tools that save time and shrink exposure. If this conversation helps you spot even one blind spot, share it with a peer who could use a stronger safety net. Follow, rate, and leave a review to help more business owners build resilience that actually works.

Chapters

• 0:17: Welcome And Guest Intros
• 1:37: Who Aris Zync Group Supports
• 2:35: Why Operational Resilience Matters
• 5:16: Defining Purple Resilience
• 8:10: People As The Weak Link
• 11:00: Tailored Solutions Across Industries
• 14:39: Local Competition And Supply Chains
• 21:52: Resilience Beyond Security
• 25:32: Testing Plans And Third Parties
• 30:59: Culture, Behavior, And Reputation
• 35:26: AI’s Role And Its Limits
• 40:17: Evolving Roles And New Regulations
• 42:25: Practical Steps For Sole Traders
• 46:40: How To Get In Touch

Transcript

SPEAKER_03: 0:17

Hello and welcome to the Canberra Business Podcast. I'm Greg Harford from the Canberra Business Chamber, and today I'm delighted to be joined by uh Lizzie Christensen, who's the global partner and chief technology officer for Aris Zinc Group, and Michelle Khan, the risk practitioner, a partner to Aris Zinc. So uh, ladies, welcome to the podcast.

SPEAKER_01: 0:35

Thank you for having us.

SPEAKER_03: 0:37

Now, in this episode, uh, we're going to dive into Purple Resilience, which is a pioneering approach to operational resilience and cyber preparedness uh led by Strategic Executive Solutions, a division of Aras Zync Group. Um perhaps though, Lizzie, just to start, um, for those of our audience who might not be familiar with Arasync, um, what is it that your business does and um how long have you been going for?

SPEAKER_01: 1:00

So uh this year we hit 25 years as Arasync group with our subsidiary um components. So we have two main subsidiary businesses. One is Arasync People Solutions that does payroll, recruitment, um, workforce planning, uh consulting, where we benchmark people for industry. And then we have strategic executive solutions, and it is what it is, it helps businesses provide solutions, answers questions that they might not even know the question to ask in the first place. Um, and we wrap solutions, particularly we focus on our government sector, and then we have a small-medium enterprise sector. Um, and that sector is really your your listeners, your people who who perhaps um are a bit overwhelmed with what's going on in industry, and we try to help them prepare and protect their businesses where they can.

SPEAKER_03: 2:00

Excellent. And how how big is the business? How big is your team here in Canberra?

SPEAKER_01: 2:03

Um, so we're quite nimble. We only have 10 employees in our business, but we have about 200 consultants nationally, mainly in uh government and defence enterprise. Um, and then we have a small NIMBO NIMBLE team here of two, of which uh Michelle is one of them, um, where we, as I say, support local uh business.

SPEAKER_03: 2:28

Fantastic. So um you're you're the CTO for Aris Sync Group and the operator of uh Strategic Executive Solutions. How did how did it all begin and what inspired you to begin working on operational resilience issues?

SPEAKER_01: 2:42

I think it was Michelle that really inspired me. We've known each other for 20-something years, and my background is in mergers and acquisitions and emerging technology, and we kept bumping into each other as you do uh from contract to contract. And uh we were chatting one day, and we said, you know, the biggest problem we're finding in industry is big things happen, um, and the ripple effect to small medium enterprise is huge. Um, big companies can pivot and bring in big uh cyber companies that to help them, but small medium enterprises sometimes get lost. And there's while there's um uh security companies that say they can help, they're expensive sometimes. So, what we're trying to do is create something that makes you resilient as a business, whether that's train upskilling your people, preparing for AI integration, um, looking at payroll services, when to outsource, when to not outsource, is it working for you? So it's not just about security, it's being resilient and future ready so that you can navigate through those things that happen. I mean, would you say, Michelle?

SPEAKER_02: 3:56

Absolutely, and I think the value of looking at resilience is basically minimizing your overall exposure. You know, people look at their risk profile or they look at um what they're doing from a uh planning perspective, but they don't really marry up everything that needs to be married in order to create a fully resilient organization, and that's irrespective of the size of the organization. You know, most people can't, you know, when when I go into a business and talk to them, most people can't really articulate what their key exposures are and how they're minimizing that exposure by either managing their risk or understanding their operational resilience and building that kind of um building that kind of I want to say resilience, and I think another word for resilience, um, building that uh strength within their operational area to be able to overcome these events.

SPEAKER_03: 4:52

And and is that that's looking both at the risk but also the opportunity side of the ledger as well?

SPEAKER_02: 4:57

Absolutely, and I think you know, businesses um want to grow, but it's about being able to prepare for that growth as well. How do they how do they get into the points that they want to get into while keeping their exposure at a minimum?

SPEAKER_03: 5:16

So tell us tell us about purple resilience, which sounds um sounds very grand but also very secretive. What what what is that all about and what's what's going on there?

SPEAKER_01: 5:26

So there is this thing called purple teaming that's been around for a little while with uh that came out of large companies um understanding what a pen test was. Um and it sort of came about from external companies which we call red teams, who try and penetrate the building and try and penetrate the cybersecurity that has been set up, while the blue team sits with the customer and points out the vulnerabilities in the system. And the idea is you then get together after an ethical hack and say, okay, these are your vulnerabilities, this is how you plug it. Purple resilience came out from a conversation with Michelle and I saying that's not enough. Because you've got to look at the supply chain. So what we do is depending on the business and depending on the appetite of the board, we might go to a board and say we want to do a full-scale attack. That might be hiring actors to get into parts of the building that they shouldn't be able to get in, taking pictures of someone sitting in a chair that they shouldn't be sitting in, or getting holding a picture of a document that they shouldn't be able to get hold of. So for government buildings, obviously, that's that's um important, but also medical uh people and medical businesses, legal businesses, accounting firms. Um, but is it affordable? So um a lot of what we saw in the market, people were talking about red team attacks, which is traditional pen testing, but they weren't talking about the whole piece. Um, is the workforce resilient enough to understand when they are uh being fished, for instance? So there are lots of training courses and whatever, and again, they're expensive. And nine times out of ten, what we've found is that it's people who let the company down. They prop open a door when the cleaner's there, or they're having a cigarette in the back alley with the security guard, and someone just walks in behind them through tailgating. And it's those kind of practices that affect a business. Um, so purple resilience is looking at all aspects, not just what's happening in the market and being operationally ready, but looking at what's happening from an IT stack point of view, an HR point of view, a finance point of view. And obviously, when you blend the red and blue team, you get purple. And purple resilience to us is is something that we are advocating becomes a standard.

SPEAKER_03: 8:10

So I'm interested just to unpack the um your point about people often being kind of the weak spot in a business or an organization. Um, I mean, I I think it's probably true that most people are not intending to create security weaknesses by leaving the door open when they when they pop out for a cigarette or what have you. But do you think that's because people don't realise the the potential consequences or the seriousness of of what might happen?

SPEAKER_01: 8:36

Yeah, I think I think you're exactly right. I think what I've certainly seen and what Michelle and I have shared from working with all different shapes and sizes of organizations is um they're always like, oh my goodness, I didn't realise. I'm so sorry. Um we had a situation uh recently where a cleaner was unplugging a critical machine to plug her hoover in at night. What that meant was backup wasn't happening. Now no one could figure out why backup was failing. They'd had all these expensive technology companies come in and said you need to upgrade, you need to do that. No, what it was is locking the door so the cleaner couldn't use the plug to plug her hoover in. And that's the difference. That's what we're saying, and that that is just you know um an assessment of a process, not necessarily anyone's particular uh fault or being malicious. And it's it's being aware that if someone's behind you um, you know, and they're not wearing a tag, being confident enough to say, in this building you need to wear a tag. I'm sorry, I I I'm gonna have to shut the door. Oh no, it's okay, I work in so and so. If you it's you're not being a bad person by saying, I'm sorry, I I can't let you in. Now we penetrate buildings using that very tactic, and I have to say, 100% successful, because everybody wants to be nice.

SPEAKER_00: 10:10

Right.

SPEAKER_01: 10:11

Um, and and security isn't necessarily, sadly, about being nice.

SPEAKER_03: 10:15

Yeah, and I guess that that flies in the face of of a generally polite way of behaving that that everyone would would like to to be, right?

SPEAKER_02: 10:24

Absolutely, yeah, absolutely. And I think you know, people don't really comprehend unintended consequences until those consequences occur and there is there is a follow-on from that. So, you know, you know, someone letting someone else in without the appropriate security checks has a ripple effect to the rest of the business. Um, you know, right down to where they can get, what they can see, but also, you know, who they are and whether they have a reasonable intent, good intent, or um malicious intent. There is still an intent behind that.

SPEAKER_01: 10:58

That's very true because another example, and this probably goes to some of your your listeners as well, is that one of the examples we had in uh Fishwick, there's a number of warehouse places there, and in the summer it gets quite hot, and not all these places have proper air con, so they prop open the back door. Um and we had a situation where money went missing, uh, people's belongings have gone missing because the door's propped open. So it doesn't have to be uh a major security event for a company, but what we're saying is everybody had the rights to an inclusive safe space, and of course we want to be polite, but we also want to be resilient, we want to protect our business because that protects our jobs. So um having the right procedures and practices and the right awareness for the scale of business and the and the businesses you're supporting, your customers that you're supporting is important. And we found that one solution does not fit many. Every solution we tailor specific to who their market is, what the activities they're doing, and the type of people they have working for them.

SPEAKER_03: 12:12

So, um what kind of organizations do you support and what industries are you working across?

SPEAKER_01: 12:19

Um so so predominantly, as I said, we have one half of the business that's in public sector, that we work on defence contracts, um, government agencies, large, medium, small. But the other side um we're finding more and more we're supporting um accounting firms, law firms, manufacturing firms who who really um need to have these ticks in the box. The other aspect to our business is we have an environmental social governance part of our business where certainly in these days we need to all be doing better with our environmental practices. And that's part of resilience as well, being prepared for the future. So, again, for us, ESG is very much part of that. And introducing ESG into small-medium enterprise, people are confused by it. They assume it means sustainability. It doesn't, it actually means inclusive behaviours, there's elements of um diversity and inclusion in there and um other aspects. Absolutely.

SPEAKER_02: 13:26

Um certainly from a doing the right thing perspective, generally throughout the organization, in terms of what that looks like for the individuals, their teams, and the organization as a whole. And you know, from an operational resilience perspective and from a purple resilience perspective, we certainly look at what that means. And as Lucy pointed out earlier, and I think it's worth repeating, this is not about having a thick document that sits on a shelf. It's about having people who are ready for the things that are coming at them and the speed of business in today's, you know, in today's environment. Things are changing thick and fast. We're getting new legislation, we're getting updates, we're getting new technologies, and we're getting people who can get around those new technologies and legislations. So small, you know, all businesses at any level, small, medium, or large for that matter, need to be prepared for this. And as said earlier, uh large companies have the deep enough pockets to pull in large companies that can look after that. But where the economy sits, though, is in the small medium enterprise. You know, that's where jobs are generated, that is where um money is generated for all kinds of purposes uh to be put back into the economy, and it's really important that that be protected. So from a purple resilience perspective, that's what really we're looking at the the protection and the ability for small-medium enterprise to have that opportunity to grow, to have that opportunity to contribute.

SPEAKER_01: 15:07

But equally, right? I mean, on an equal footing. Australian businesses have to compete with overseas businesses more. Absolutely. Absolutely. And and having that not just readiness, but also that pivot to be able to say, well, I'm an Australian business, I mean, we're an Australian-owned and operated business, and we compete every day with companies that are not. Um, and what frustrates us is government always says, oh yes, we support small medium enterprise. Not what we're saying at all. They don't. Um, so what we want to do is create a consortium, a community, if you like, where we help each other. We're a small medium enterprise, we need help. That's why we're here. We need to promote our business. Um, but equally we want to work with other companies and promote them. So we do that.

SPEAKER_03: 16:01

So on that resilience journey, I mean you make an interesting point about international competition. I think all Aussie businesses are are facing um global competitors essentially almost every day. Um how do you think we as a country stack up on that operational resilience uh journey compared to um uh jurisdictions overseas?

SPEAKER_01: 16:25

I think we do it better, um to be really honest with you. Um I think Australian businesses do a lot of things very, very well, especially at the small medium enterprise, because we've had to. We've had to roll up our sleeves and take on international business. Um, there's a lot of international business here in Canberra. Um I mean, you have the big four consulting firms that are now glorified recruitment consultancies, they're just body shops, they don't add value anymore, they add big documents. I mean, uh we had a situation the other day where a company was given a document written by AI that made the news, right? Um so we always say, you know, if you look at ethical practices, Australia does it better. Now, I bring in AI because AI is obviously going to have an impact, particularly on small and medium enterprise. People will say, Well, I don't need that anymore. I don't need uh an accountant, bookkeeper, lawyer in the future. I can get out AI to do it. I'm in technology, but I will tell you, I'm not an advocate for AI in its strongest sense. I think AI for me is always an and, not an or. So it sits to the side and it helps us shape our concepts. We use it uh in our organization where we will write things, we will put policies together, and then ask the AI to say, put that in a nice construct so it's easy for this customer to understand. But we're still tweaking it and it's our content and it's our thoughts realized. And I think overseas there are different regulations, um, different barriers, and in some instances less barriers. So we do have minimum wage here, for instance. We do have other constraints over technology here that other countries don't have. So I think what it should be is it's a choice. I think Australian businesses should choose Australian businesses in the same way that we make a choice to procure through First Nations organizations. Wherever possible our procurement is through that, but as part of our reconciliation plan. Um we choose to be a uh a diverse organization so we represent all aspects of local community, and that includes um immigration, you know, people coming here on four, five, seven visas. We we have internship programs where we're working with the local universities, we have uh veterans and first responders who have now decided to transition into another journey and another career. And when you look at overseas companies, they don't have that, they don't have that mateship that we have in Australian businesses. And what's missing for me is the mateship in Canberra needs to be better, and that's why we're sitting here today because for us, business chambers represents mateship of local community and local businesses working together.

SPEAKER_03: 19:39

Yeah, absolutely, and and that's ultimately the core of the chamber and everything that we do, right?

SPEAKER_01: 19:45

Yeah, and and it should be about we should be more uh steadfast in as local businesses appointing a local business. I mean, uh I'll use the the Canberra Light Railway as a classic where we're all pretty appalled that it went to a foreign company. If you look at what they did in Melbourne, um, they made sure that all that money and the technology and and was derived here in Australia. We could do this. We're Australians, we're really clever people. We've invented a lot of things, um, but we're very easy uh leaning into uh overseas or what the American uh businesses, and we really as Australians right now need to be more resilient. Uh if I can use that term again.

SPEAKER_02: 20:36

I think you totally can, and I think the the reason for that is because not only do we need to be actually resilient, but from a purple resilience perspective, I think that ties back into the strength of supply chain and making sure that um all of those, the handoffs between businesses are appropriately supported and appropriately rigorous so that we don't um have a higher risk profile than is necessary when dealing with with other businesses. We can keep um manuf, you know, we can keep whatever we need to produce locally or with component parts much more um closely closely managed than we do if we are looking at uh potentially remotely produced.

SPEAKER_03: 21:26

And I think that was the lesson through COVID, right? Absolutely if you've got dispersed supply chains, global supply chains, that can cause can cause challenges. Absolutely.

SPEAKER_02: 21:35

And I think that's that was a salient lesson for resilience for a number of organizations.

SPEAKER_03: 21:42

Absolutely. Um just to kind of bring this to life for our listeners, can you share a scenario where resilience planning has made the difference between disruption and continuity?

SPEAKER_01: 21:52

Yeah, so disruption can come in many forms, okay? So it can come from uh a regulation change, um, and I'll use fair work, good old fair work, um has helped and hindered small business um horribly in some instances. Um, it's very much for the employee. Now they may come onto your podcast now, and I'd love a debate, by the way, just putting it out there uh with fair work. Um but uh if you look at some of the legislation they've had, it really is against small medium enterprise in a lot of instances. We've had experiences working with companies where they've said, hang on, we've done the right thing, we've employed these people, market conditions have hurt us, an overseas player has come in, we've we're gonna have to downsize, we're gonna have to lose five people. So they go through their right processes, uh, they make sure that they do all the right things, being resilient against fair work regulation, making sure that they've um give these people that they're going to let go the right opportunities, um, go through all the checklists, do all those things, and do all the right things. And then they're forced down this path of going to fair work anyway, because those five people go to fair work and say, I want more money. And we've been told time and time again that oh, just offer them more money and they'll go away. But as a small business, that hurts. It you know, um a payout of five, ten, fifteen thousand dollars might hurt. So uh the legislation doesn't work, it's broken. So what we look at doing is working with organizations at their workforce planning, at their resilience planning. Um, do all the employees need to be on certain types of contracts? Can they be on casual-based contracts? Still giving them all the benefits that you should give as an employer where possible, but looking in detail at the contracts, how resilient are they? Um, a lot of contracts now are written on AI tools or uh by um legal firms, large legal firms, and then people have copied and pasted and you know, small businesses, we do what we can, we end up with our standard contracts. And how many people are listening now who haven't looked at their employment contract for some time? Um, and has it been adjusted to meet current conditions, current regulations? Um, I suspect not. And it's been weaponized against small business. So we've had multiple clients in that situation where we have gone in and amended contracts and made sure that again people are supply chain. I know that sounds mercenary, but people are your biggest asset in your organization, as well as the technology that's there and the tools that that they're doing. Absolutely.

SPEAKER_03: 24:56

And to be clear, right, most employers are wanting to do the best for their people and they want to reward them and help them grow and learn and keep them in the business.

SPEAKER_01: 25:05

But it should be symbiotic, it should be uh a yin and a yang. It shouldn't be just one way.

SPEAKER_03: 25:11

Like that, the yin and yang of employment relationships.

SPEAKER_01: 25:14

It's so true then.

SPEAKER_03: 25:15

Absolutely. Michelle, let's let's come to you and talk a little bit more about the purple resilience concept. Um, how does it combine, as I understand it, it combines cyber defense, crisis management, and operational readiness. What does that mean in practice? How do you bring those together?

SPEAKER_02: 25:31

I think in practice we're really talking about forming a protective structure around an organization that brings together all of the siloed elements. You know, people often, you know, we talked about pen testing earlier, people often treat that as a specific thing that they need to do to make sure their technology can't be hacked. But they don't think about how that marries to their processes or how that might look from a business continuity perspective. So if they are attacked and they are suddenly without a system, how do they then manage around that system? What processes do they bring into play? And how confident are they that that will work? Because again, you know, people will dust off a manual that they wrote 17 years ago and say, oh, we've got you know our business continuity planning. But things have changed since they wrote it. It's not, you know, they haven't treated it as a um something they need to continuously engage with throughout their, you know, throughout the life of the business.

SPEAKER_03: 26:41

Yeah, so have you got it have you got a tip on that for small business owners, though? Because there's plenty of people who do, as you say, think about business continuity and then plan goes on the shelf. How do people keep that at front of mind? What what what's the thing they need to do?

SPEAKER_02: 26:54

I think from a small business perspective, they need to allow time. And I know that is in small business, that is one of the hardest things. The commodity of time is one of the hardest things to manage and uh assign to things that are perceived as less important. And that's the thing about um about resilience until you go through it, you don't understand how valuable it is to have something that that strengthens it for you. And I think, you know, so the the tip would be allow enough time to manage the things that limit your exposure, that allow you to focus on protecting your business. Because, you know, most small business and medium or all business owners really are focused on let's increase our sales, let's increase the value of our business. But how do you protect the value of that business?

SPEAKER_01: 27:56

So having regular tests as well. Absolutely. We we we offer ethical hack, what we call hack attacks. So depending on the type of business you are, um, we will agree to attack your business. Um, whatever that may look like, it might be a physical and a cyber attack at the same time, um, to test the plan. And the reason why that's important is a lot of small businesses outsource their technology stack. Um, they might have a payroll company, they might have an IT company doing all their uh technical support, uh, they might even have a recruitment company doing all their recruitment. So, as a business owner, um you ask for those people when you sign the contract, have you got the right certifications? How often do you test your business? But where's the proof? So we've again found in certain situations people will sign a five-year contract and then we find out, well, when was the last time your IT company did a resilience test with you to make sure that they are doing right by you? And did they do the test or was an external people? So I'll give you an example of that. When we do a red-blue team attack, we don't use our company. We're what we call the green team. So we're in the middle and making sure that all the things are tested. We purposely use two different local companies. We use a blue company that we appoint for the for the right reasons, you know, the right categories, and then we have a red team. Um, we tend to use companies like Mercury ISS, which is a small growing uh security business. Uh, Ed and his team are fantastic, and we tend to use them as the red team. And the reason why we don't use ourselves and the reason why we don't engage the IT company that's on site is because this is about doing it and asking the right questions and not um not shaping the answers to satisfy a tick. Yes, we've done an annual test.

SPEAKER_03: 30:04

What do you think are the most or the biggest misconceptions that companies have about being resilient?

SPEAKER_01: 30:12

I think resilience always gets tagged with security. Um every time we talk to business echo, oh yes, we we do a pen test once a year. Um, oh yes, we have this company that come in and do it all. Oh, our IT provider does that. Um for me, resilience can't be outsourced. We supply the tools and sort of the hand holding, if you like, but our advocation for this is to sit with a business and do it with them, not for them, because they have to be resilient. It's their business. Absolutely. And they have to own it.

SPEAKER_02: 30:53

Absolutely. And I think one of the one of the biggest myths about resilience is that you're resilient. I think, you know, companies of any, again, of any size tell themselves that they're resilient and are surprised to find out they're not when something happens. And I think you know, one of the better casing points is the um AWS incident a few weeks ago. You know, Amazon's, you know, AWS had a worldwide outage, and it really, you know, made people realize how much of the internet goes through AWS. You know, so you know, companies large and small could not access the systems, could not make payments, could not conduct themselves to go about their daily business because they had no um available systems. Yeah.

SPEAKER_01: 31:42

Actually, that's a good point because we talk about OPTIS earlier and the emergency services. Now I can tell you, um, having worked for Office, uh, Optus in a very past life, um, they are very good at what they do. Um but why weren't wasn't the failover in place? Why why did resilience not kick in? Why did the business continuity plan not kick in? Now we've seen all the Senate inquiries and all those sorts of things that are potentially going to go on. Um, we've seen what they've said. But as small businesses, it makes you question well, hang on a minute. I use Optus. Am I resilient? Could they do this to my business? Um so I think that misconception that it's just about security is the biggest blunder. It's it's testing every aspect of your business to say, if something happened tomorrow, can I pivot and continue to operate? That's it. It's that simple.

SPEAKER_03: 32:44

So, what role do you think, Michelle, that people and culture play compared with technology in this? What's more important? Are they equally important or or is it actually really all about the people?

SPEAKER_02: 32:57

I think the as someone who is more people focused, generally speaking, um given my background in in resilience management, I'm gonna say the people are probably more important, and Lizzie will may disagree with me, is that I think ink qual.

SPEAKER_01: 33:13

It's a yin and a yang, I keep saying.

SPEAKER_02: 33:16

I I would have actually thinking about it, I would have to agree with you. And the reason for that is the exposure is the same, same but different in terms of um your exposure from the point of view of technology and from the point of view of people. So people will take the path of least resistance. People will, you know, as we said earlier, prop open the door because it's easier for them to get in and out. Um or they will go, oh, I'll just click this thing because it's simpler for me to do that. Or, you know, I'll take those papers home with me because I can read them in transit and then leave them, you know, on the bus on the bus, train, or plane. So, you know, people and from a behavioral point of view, people need to be very aware of their behaviors and what they're indicating, not just for themselves, but again for their company. How are they representing their company? Um, you know, some of the largest reputational damage to companies has been done by people doing things that are not 100% um ethical, for example. I mean, you just need to look at the reputation of certain industries around banks or real estate agents or um uh salespeople. It's not that there are not people who are ethical and are uh, for the majority, doing the right thing. It is literally the ones that are making unethical decisions and that are compromising the value and the culture and of that, those industries and the companies they work for. It is really easy for a company to lose reputation based on what its employees do. You know, all you need to do is look at um, you know, any kind of reviews that small businesses have. You know, if you have uh disgruntled employees or worse, disgruntled customers, you know, if you have a happy customer, they're not going to tell terribly many people. If you have an unhappy customer, they will tell everyone. It's so true. No question on that.

SPEAKER_03: 35:26

Yeah. So Lizzie, let's jump back to you and let's talk perhaps a little bit about the future of resilience in business. Um what we've we've talked a little bit about AI um automation, but but what's what are emerging emerging technologies uh meaning for the future of resilience planning, do you think?

SPEAKER_01: 35:44

Look, I think it's a scary time, but it's also an important time. So AI is is threatening, uh, small medium enterprise. There's there's no getting away from that. Um and what we're advocating is now is the time to put um things in place that protect your business. And like I said, it's an and not an all. We're seeing an awful lot of apps uh launch every day and being developed overseas and pushed upon us for things like payroll services, recruitment services. And those things still need to be personalized. Um, we uh we have a recruitment business within our construct where we work with local businesses. We don't use AI for that. We won't use AI for that. It makes mistakes. Um I had a client recently who said, Can you help me? I get 200 CVs a day. Or why? Because they've signed up to bigger recruitment companies that have fully adopted AI and it looks at all the things on a on a CV and just sends the CV. There's no contextualizing that person. And I'll give you a classic example. I got offered a service desk position the other day because I did work in a service desk many, many years ago. Congratulations. So I thought, hmm, do I want to uh go back 15 years in my career and go and do that? So um sometimes emerging technology can be fantastic. And look, in in certain aspects, especially when you look at renewables and the ESG aspect that we're looking at, it's quite exciting. And we we do use that in our environmental business that we offer businesses as well. But for recruitment, it doesn't work, it really doesn't, in my opinion. So I think it's looking at emerging technologies as a way of understanding them. Do they work for you? And so we do work with small businesses and and um we do get contacted where they say, Look, can you look at what we do? And is AI for us? Can we use it in some way? How do we meet our competition? Um, and we will do reviews, and I and I think more and more I'm seeing emerging technologies that are coming out, like digital currency. Um they're talking about you can use digital currency now to pay your mortgage, buy a house, you know, buy a car, etc. As that comes on, how does that impact small-medium accounting firms? Well, they have to pivot and now understand digital currencies, etc. Do they do that using tools? So, where does it have a home? So AI has a good home in terms of compliance. So, all these companies that I'm talking about, your law firms and your accounting firms, they need to have an automated monitoring tool in the back end because there's an awful lot of governance now to manage. So that can be very helpful, and we do help companies with that. We have a local business that we promote and work with, um, which has a piece of technology that's fantastic. We have our own proprietary software that does that as well, verify Global, that looks at um looking at uh new technology and people using technology and verifying their qualifications and its usability. So I think AI has a place. I think it's just not, oh, I use ChatGPT for this. Um, and and trust me, ChatGPT makes lots of mistakes. So it's built on the internet, so it's it's going to be biased. So I would always say to people, if you are going to use Chat GPT, for instance, writing your document, your legal document, um, still go to a lawyer, still get it checked out, still go to your local accountant, get it checked out, still go to your local recruitment person for support or payroll company. And again, supporting local businesses. I don't think emerging technology is always the answer. Speaking as a CTO.

SPEAKER_03: 39:57

So, Michelle, uh, from your point of view, um, you know, obviously resilience is increasingly important. We're in an increasingly uncertain world. There's technology changes all the time, there's there's big sort of geopolitical issues at the moment as well. How how do you see the role of CTOs, CIOs, and risk practitioners evolving over the next five years?

SPEAKER_02: 40:17

I think it's going to become more of a partnership, and I think the things that have been looked at in separate silos are going to have to work together and become more of a strategic approach. And that sounds, you know, quite heavy, a heavy burden for small and medium enterprise. But the reality is that any business plans, any plans for growth need to consider the value of emerging technologies, but also the risks and the exposures that they um they present as well. So I think it's going to become more of a partnership than anything else because the um the the require, you know, legislative requirements will change to put more emphasis on things that boards and managing directors and you know business operators will need to do over time. And that needs to be allowed for um, you know, over the next say five years, because you know, legislation changes on a regular basis. We know it's coming, but it's always a surprise when it gets here for people because they haven't had again, I allude back to time, they haven't had time to focus on that. So, for example, next year AML legislate AML CF2 legislation is coming into play. And you would think, well, that has nothing to do with me. But um in terms of how we manage that, it does play back to what the banks are requesting of business now in terms of how they identify, how they they practice their business, all of the associated reporting behind that. So, you know, legislative change has significant impact on businesses of all sizes, um, particularly on the smaller business, because again, it's about how they allocate the appropriate level of time and resource for that.

SPEAKER_03: 42:12

That's right. And and Lizzie, from a um from the point of view of a small business, I mean perhaps we've there's lots of people who will be listening to this who might be sole traders or perhaps, you know, uh husband and wife team or something like that. Um, you know, they don't have a CTIO, CTO and a CIO and a and a risk team that they are all of those things. Um what advice would you have for them about how you sort of should start preparing for for being more resilient?

SPEAKER_01: 42:39

Yeah, I think I think that's what we're finding is is we're not just an integrator of systems and tools. We've become sort of an advisor to small business where we sit down, we understand their business. And uh we had a situation recently where it was a plumbing business and it's a husband and wife team. And uh the wife sits there and does end-to-end. She is the CIO, CTO, COO, uh butler, uh housekeeper, you name it, she's it. Um, and her husband goes out uh to see clients and and and does the work and comes home, and at the end of the week she has to beg him to empty his pockets to uh empty out his all his receipts, which he's terrible for keeping. And I said to her, What are the things that bug you? What are the things uh that you need? And she said, I don't know what I don't know. That's my biggest problem. So if I don't if I don't get something like a receipt, I I don't know that it's been spent, so I don't know if I'm reconciling the books. Um, if legislation comes out, I find it confusing. I don't know what I don't know. So what we've tried to do is offer a sort of space where we do some initial free consulting to understand the business and say, okay, here's some advice, but you know what, you don't need us. Here's the things that I would do if I was sitting in your situation. So, first of all, put an app on your husband's phone to scan uh receipts at the point that he's buying something, you know, so that it goes to you immediately and you don't have to empty out his pockets, you know. As simple as that, um it could be. Um, but one of the other things that I do think is the big thing is is CIOs anyway are dying, um, and they're being replaced by ESGOs, environmental social governance, which is saying it's looking at the whole piece. And if you're a mum and dad business, you're already an ESGO because you're already thinking end-to-end. Um, bigger companies don't, they think in silo, which what what Michelle was talking about earlier. Um so for small businesses, particularly, um, we sit down and work with them and say, how can we make things a bit easier for the circumstances you are in? They can't sit down there and pay$25,000 to a consulting firm to come in and tell them how to better their business. They already know what they're doing, they probably do it ten times better than anybody else. Uh you know, uh these mum and dad uh businesses are the ultimate project managers. I mean, certainly the the men and women we've met are fantastic. Um, so it's about sitting there and offering them uh the right tools at the right price, maybe negotiating on their behalf and making sure that tool adoption is there. Um so a lot of uh what we do is not about um big contracts and winning big business. Sometimes our fees are as low as 80 bucks. It's sitting there and saying, Oh, look, you know, sitting down for an hour with a cup of tea, going, okay, um, I would look at these things. I wouldn't worry about these other things. But everybody's business, as as Michelle has said, is about being resilient and resilient to legislation change, resilient to banking conditions. I mean, the RBA have not come in with any relief again. Um, so inflation is what it is. I don't believe it's managed particularly well in Australia, but we can't do anything about it. So, how do we how do we meet the market to minimize the exposure for small business? And that's something that Michelle's team offer.

SPEAKER_03: 46:31

Yeah, excellent. Well, uh, ladies, thank you so much for being here on the podcast today. If people do want to know more about your business, how do they get in touch with you?

SPEAKER_01: 46:39

Yeah, so uh we have a website uh which has all of our businesses on it, which is um arisinkgroup.com, um, and they can go there, dot com.au, I should say, because that's our Australian business. Um, and uh they can go on there and search all our different services, but also pick up the phone and talk to us. There's a 1300 number on our website, they can contact us that way. Uh we you can contact us through uh business chambers. We're a proud member of Business Train Rooms and thank you for the opportunity of being here today. It's been wonderful. I'm hoping to be back with other services in the future.

SPEAKER_03: 47:20

Excellent. Well, we look forward to seeing both of you at one of our future events. Um, but in the meantime, thank you, thank you again for being here. I'm Greg Harford from the Canberra Business Chamber. This has been the Canberra Business Podcast, and I've been talking to Lizzie Christensen, the Global Partner and Chief Technology Officer for RS Zinc Group, and Michelle Kahn, the risk practitioner, a partner to ARS Zinc, uh, working on um uh purple resilience issues for business across the board. Thank you so much. Um, this is Canberra Business Podcast. Don't forget to follow us on your favourite podcast platform for future episodes, and we'll catch you next time.