The Organisation
A privately owned Australian services business with approximately $85 million in annual revenue and operations across four states.
The company employed around 180 staff, including a small internal technology team of six supported by external vendors. Annual technology spend was approximately $1.4 million.
Technology was not the product. But it underpinned payroll, customer systems, operational reporting, and sensitive client data.
Following a broader governance review, the board identified cybersecurity and technology oversight as areas requiring more formal structure.
There had been no incident.
But expectations were rising.
The Challenge
Australian regulators have made it clear that directors can no longer rely solely on management assurance when it comes to technology and cyber risk.
The Chair put it plainly:
"If we were asked tomorrow how we know our technology risk is under control, what would we actually point to?"
The CEO trusted the internal team. The CTO was capable and committed. So the issue was not performance.
It was independent visibility and documented oversight.
The board wanted:
- A structured view of current technology risk
- Clarity on governance maturity
- Evidence suitable for board records
- Insight without triggering a disruptive, months-long audit
Engaging a large consulting firm would have required significant cost and time. The board was looking for something proportionate, fast, and defensible.
The Approach
StackUp was deployed to establish a documented baseline of the company's technology function.
The assessment required less than an hour of leadership input.
Within 48 hours, the board received a structured, independent overview covering:
- Core systems and infrastructure mapping
- Security controls and testing cadence
- Disaster recovery maturity
- Vendor concentration and third-party risk
- Governance and reporting maturity benchmarks
The output was designed for board-level use. It was not a slide deck prepared by management. It was a standardised, independent assessment that could be retained as formal evidence of oversight.
"This gave us evidence without turning it into a six-month audit exercise."
What Was Identified
The review confirmed several strengths, including stable infrastructure and appropriate access controls.
It also surfaced areas requiring attention:
- Disaster recovery processes existed but had not been formally tested in the past 24 months
- Vendor risk reviews were occurring informally but were not documented
- No consolidated technology risk view had previously been presented at board level
- The technology roadmap was operationally sound but not explicitly linked to risk appetite or governance reporting
None of these were critical failures.
But they represented gaps between operational competence and governance maturity.
The Outcome
Within one week, the board had:
- A documented baseline of technology risk and resilience
- A prioritised list of governance improvements
- A structured input to update the company's risk register
- Formal evidence of oversight suitable for board minutes
The CEO and CTO addressed identified gaps proactively, before they were raised externally.
Board discussions shifted from reassurance to evidence.
Insurance and advisor conversations became more straightforward.
The Chair described the process as "clarity without disruption."
No consultants embedded for months. No adversarial audit dynamic.
Just structured visibility at the right level, at the right time.