“Cheap and Out of Date”, a Board-Level Resilience Question

A Senate inquiry into Telstra’s mass network outage will reportedly examine whether underinvestment in technology contributed to the disruption — including whether a cheap, outdated device played a role.

That makes this more than a telecommunications outage or regulatory update.

It raises a broader governance question: can leaders see when ageing technology, deferred investment, supplier dependencies or optimistic resilience assumptions are creating unacceptable exposure — before customers experience the consequences?


The 30-second take

The lesson is not simply that technology risk belongs on a risk register.

The real test is whether technology condition, investment decisions and resilience assumptions influence operational planning, funding priorities, supplier management, stress testing and board risk appetite discussions.

Risk maturity becomes visible when leaders can trace an emerging vulnerability through to a business decision — and produce the evidence behind that decision.


Operational failures often begin as accepted assumptions

Major outages rarely begin at the moment a service fails.

The conditions may develop much earlier.

An ageing device remains in service because it still appears to work. A replacement is deferred because other investments receive priority. A critical dependency sits several layers below executive reporting. A temporary workaround gradually becomes part of normal operations. Resilience testing assumes that backup systems will respond as designed.

Individually, each decision may appear reasonable.

Together, they can create a level of operational exposure that remains largely invisible until disruption occurs.

Boards and executives can use the Telstra outage as a scenario test. They do not need to replicate the circumstances of another organisation. They need to ask where similar conditions could exist within their own operating environment.

Where might ageing infrastructure, unclear ownership, weak challenge, informal workarounds, limited investment or optimistic reporting allow a vulnerability to remain unresolved?

Mature organisations do not treat major failures as someone else’s news. They use them to test whether their own planning, controls, reporting, accountability and assurance would identify the issue early enough for leaders to act.

Risk maturity is not proved by the framework. It is proved by the decision trail.

Resilience requires more than recovery plans

A weak risk conversation asks whether the organisation has a technology risk framework, asset register, business continuity plan or disaster recovery process.

A stronger conversation asks whether those mechanisms influence real decisions:

  • Did asset condition affect investment priorities?
  • Did resilience testing identify the dependency?
  • Did management challenge assumptions about the reliability of ageing technology?
  • Were known limitations visible in executive and board reporting?
  • Could leaders explain why the exposure remained within appetite?
  • Did assurance test whether recovery arrangements would work under realistic conditions?

Policies and registers may show that risk activity occurred. They do not necessarily show that leaders understood the exposure or acted on it.

The stronger evidence is whether risk information changed a decision, prompted challenge, triggered escalation or led management to reconsider an operating assumption.

Questions boards and executives must ask

  • Which ageing technologies, devices or infrastructure components support our most critical customer and operational services?
  • How does management identify when an asset has moved from being an operational issue to becoming a material resilience risk?
  • Which critical services depend on a single device, supplier, platform, data source or network connection?
  • Where have technology replacements or resilience investments been deferred, and what additional exposure has the organisation accepted as a result?
  • Do investment decisions consider the potential customer, regulatory, financial and reputational consequences of failure — or primarily the immediate cost?
  • How does management know that backup systems, recovery processes and operational workarounds will perform under realistic disruption?
  • What evidence would give the board confidence that resilience reporting reflects current operating conditions rather than documented design?
  • When does an ageing asset or unresolved vulnerability become a risk appetite decision requiring executive or board visibility?

A weak signal eventually becomes a business decision

Weak signals often build gradually:

  • A replacement is delayed, workaround becomes permanent, ecurring fault is treated as an isolated operational issue.
  • A report describes system availability but not the condition of the infrastructure supporting it.
  • A control exists on paper but does not change investment priorities or operating behaviour.

Over time, individual decisions can accumulate into a material exposure without any single moment appearing significant enough to trigger escalation.

When disruption eventually occurs, leaders are no longer explaining one failed device or one operational event.

They are explaining the maturity of the system surrounding it:

  • Who understood the risk?
  • Who owned the decision?
  • What challenge occurred?
  • What evidence supported the assumptions?
  • Why did monitoring, reporting or assurance not prompt earlier action?

What a mature resilience assessment should test

A useful maturity assessment does not stop at whether technology risks have been identified.

It tests whether leaders can demonstrate that:

  • ownership remains clear across the full lifecycle of technology, investment and resilience decisions
  • critical assets and dependencies remain visible to the people accountable for service continuity
  • controls reflect how work and technology actually operate, not only how processes are documented
  • investment decisions consider the cumulative operational and resilience consequences of deferral
  • monitoring identifies deteriorating conditions and weak signals early enough for leaders to act
  • challenge remains visible, timely and sufficiently independent
  • escalation occurs before an issue becomes a customer, regulatory or service failure
  • assurance tests evidence, operating behaviour and recovery capability — not only control design

That shift moves the organisation from risk activity to risk maturity.

Leaders stop treating an external outage as an interesting discussion topic and start using it to test their own decisions, dependencies and evidence.

The leadership question

The leadership question is not simply:

“Could this happen here?”

The sharper question is:

Where could this happen here — and would our governance, reporting and assurance identify the conditions early enough for us to act?

The final question…

Can your organisation demonstrate that leaders understand, own, test, challenge and escalate technology resilience risks across the full decision lifecycle — before a regulator, customer or major service disruption exposes the gap?

More from the Reading Room

The Qantas privacy finding: a positive lesson in third-party oversight

A serious data breach does not automatically mean governance failed. The more important question is whether an organisation can demonstrate that it understood the risks,...

APRA’s CPS 230 Tweaks: Small Amendment, Big Governance Signal

APRA has released final targeted amendments to CPS 230 Operational Risk Management. The item is current and sits within APRA’s prudential framework, so boards and risk teams should treat it as a live governance and…

Everyone Passed. That’s Not the Point.

APRA's inaugural System Risk Stress Test found four major banks and six super funds individually resilient, but exposed concentration risk and a super-fund liquidity mechanism that could amplify a system-wide shock.

APRA finalises reinsurance framework changes

APRA's finalised reinsurance framework eases access to catastrophe bonds and shifts capital-treatment decisions to the appointed actuary, changing what boards need to evidence before the 1 January 2027 start date.