Risk: it’s what business people are supposed to thrive on and what every business book and self-help manual ever written tells us to embrace. However, risk for business leaders is rather like combat for military personnel—it’s the very thing you train for, and paradoxically the thing you do your utmost to avoid.
Risk management is defined by the International Organization for Standardization (ISO) as “the effect of uncertainty on objectives” as it pertains to the effect of incomplete knowledge of events or circumstances on an organization’s decision making. The ISO 31000 principles and guidelines pertaining to risk management identify four steps in the risk management process, namely:
- Identifying the social scope of risk management, the identity and objectives of stakeholders, and the basis upon which risks will be evaluated;
- Defining a framework for the activity and an agenda for identification;
- Developing an analysis of risks involved in the process;
- Mitigating or solving risks using available technological, human, and organizational resources.
The ISO standard on risk management was first released in 2009 and was subsequently revised in 2018 to reflect a number of new and emerging challenges faced by businesses and organizations, most notably the recent proliferation of digital currency and the growing threat of cybercrime. The revised standard also recommends that risk management be more formally incorporated into organizations’ structures, processes, objectives, strategies, and activities, while also placing greater emphasis on value creation, customization of risk management strategies for specific organizations, and greater consideration of human and cultural factors.
In short, ISO 31000 urges companies and organizations to do three things: be aware of their key objectives; assess their governance structure so as to allocate the right roles, responsibilities and reporting procedures; and ascertain what resources they are able to allocate to implementing or maintaining a risk management system.
The importance of risk management to large organizations in Alberta and elsewhere was graphically demonstrated in 2017 when MacEwan University fell victim to an $11.8 million phishing scam after fraudsters successfully impersonated Edmonton-based construction firm Clark Builders. This massive fraud was but the latest—and largest—in a series of scams perpetrated against Alberta post-secondary institutions. In 2016 the University of Lethbridge was defrauded of $368,000 in a similar incident, while the University of Calgary was forced to pay $20,000 in response to a ransomware attack.
All these, nonetheless, pale in comparison to Canada’s most notorious corporate cybersecurity breach in recent history, namely that incurred by Home Depot in 2015 that affected some 56 million credit and debit cards across North America and cost the company up to $3 billion.
Such catastrophes, while fortunately atypical, do nonetheless represent extreme examples of the same types of risks that companies and organizations both large and small face on a daily basis.
“Crime is a real issue for our clients,” explains Sean Morrow, executive director at Excel Insurance Group Inc. and an old hand at advising technology startups and venture capital firms on risk management strategies. “These days everybody is vulnerable to phishing scams, ransomware attacks, and other types of cybercrime. While you hear about it more when it happens to the likes of MacEwan or Home Depot, we’re finding it’s increasingly the mom and pop shops that are being targeted because they’re much more vulnerable.”
Digital vulnerability of this sort has added a layer of risk for companies and organizations who still have to contend with much older forms of risk management, such as safeguarding against employee theft and embezzlement – risks that can prove catastrophic to smaller companies without proper risk management strategies.
“Sadly, the most common situation we hear about is of theft and embezzlement being perpetrated by a company’s most trusted employee,” says Morrow. “In most such cases, companies have simply refused to consider such risks, and have paid dearly for it.”
Crime is, of course, only one risk with which companies and other organizations have to contend. In Alberta, a jurisdiction long defined by sharp economic ups and downs, the need for proper risk mitigation is clear from the standpoint of economic unpredictability, with busts and boomtimes alike presenting their own types of risks.
“Risk is a reflection of uncertainty, and there’s more than enough of that these days when it comes to our economy,” says Andrew Leitch, director, ERM Programs with Risk Management Services at the University of Alberta. “What will happen to oil prices? Will the pipelines be built? What policy might the provincial government pursue in response, and what are the challenges and opportunities for a public university? When the economy is booming, we lose good staff, and of course enrollment is affected by the job market as well. Even philanthropic gifts, which are a huge help for people and projects, can diminish when the economy suffers. While I believe world-class institutions like the University of Alberta are as well prepared for such unknowns as anybody, there is still a tremendous number of unknowns ahead of us all and technology has evolved to a point where things happen much faster than ever before.”
Look Before You Leap
For most companies or organizations looking to develop risk management strategies, the first stop on the road to better security is an insurance company like the Excel Insurance Group. However, Morrow insists that such insurance brokers should always be viewed as a backstop, and a company’s last line of defence when every other safeguard has failed.
“The first order of business when developing a risk management strategy is to ascertain what your risks actually are, and then to determine how much risk you can handle, what risks can be avoided completely, and what risks, if any, can be deferred or transferred to other parties, such as an insurance company,” Morrow explains.
“When we work with clients, we start by recommending clear employment practices policies and the like to mitigate risks related to employee misconduct and damaging lawsuits by terminated employees. We recommend clear policies related to safety inspections. If you have company cars, are drivers required to back them into stalls so as to reduce the likelihood of parking lot collisions? If you’re a property manager, are you making sure tenants have proper insurance of their own? Do all your facilities have proper, well-maintained locks? These types of seemingly insignificant policies can go a long way in managing risk.”
The need for organizations and companies large and small to do their own risk management is further underlined by a cultural climate of increased risk aversion. “Our society seems to be growing increasingly intolerant of risk,” Leitch asserts. “People don’t want to accept the possibility that something bad could happen to their kids, their money, their health, or their possessions. Everyone gets caught up in the demand to prevent bad things from happening, including parents, corporations, governments, and regulators, and the result of this is that costs go up, processes take more time, and, in the case of a university, increased demands are placed on staff and faculty.”
From the standpoint of smaller companies and organizations, this can translate into punishing insurance costs.
“This is the first time since 9/11 that we’ve seen a hard market in this industry,” Morrow explains. “In this risk-averse climate we’re seeing fewer insurance companies interested in covering many of the risks out there, and, when they’re willing to do so, only at higher rates than ever. Even global warming-related worries are having an impact, with increased rates of natural disasters driving up insurance rates.”
Such pressures themselves, he continues, must be factored into companies’ and organizations’ risk management strategies. On this front, however, he adds that relationship management, involving all invested parties, is paramount and can help clients overcome many if not most obstacles.
“Rather than expending a lot of energy shopping around for just the right insurance policy, clients are far better advised to look at their own environment and practices for risk mitigation strategies and build strong relationships. Good policies and long-range relationship building can carry you through hard times.”