Monday, November 9, 2015

INTERIM MANAGEMENT IN THE AGILE ORGANIZATION

The English language has this remarkable capacity to generate “buzzwords”, ancient parts of our vocabulary that suddenly mean something they never did before. Business press and business internet sites are full of references to “agility” these days. While the term “agile” was always used to describe someone who was physically nimble and/or mentally acute, “agility” in the world of commerce now connotes what we previously may have termed “flexibility” or “adaptability”. And these are highly valued characteristics of enterprises coping with the frequency and speed of change in an increasingly complex and inter-connected business environment. Thus, we see frequent references to the agile organization, the agile business, the agile workplace and the agile workforce. There are many, many professional service enterprises that have incorporated the word “agile” into their corporate names.

This all seems to have started in the IT business as a new approach to software development. Agile development methods emphasize an adaptable, learn-as-you-go approach. Agile project management in IT breaks a project into small segments and looks for early results which are evaluated and made subject to adaptive improvements. Agile development is underpinned by the industrial engineering LEAN philosophy that concentrates on value adding activities, reducing waste of time, money and talent. IT professionals have their own support groups – in Vancouver, for instance, it’s the Vancouver Agile Methods Users’ Group (aka Agile Vancouver, www.agilevancouver.ca).

A lot of business service providers have subsequently adopted elements of the agile approach, promoting everything from agile office furniture to agile executives. They see opportunity in the desire of organizations, particularly in the knowledge-based economy, to keep management, staffing, infrastructure resources fluid and scalable to the pace, volume and quality of work required to meet short term business objectives. Competitive, growing enterprises no longer want to be burdened with non-productive, but expensive, resources that cause the business to maneuver like a battleship when it needs to be a speedboat. No half filled office space, no idle equipment, no drones on payroll repeating routine tasks that do not add value to the enterprise. Again, you can see the LEAN principles emerging here – insidious, those engineers. The result is a trend to using temporary resources to achieve results.

Here’s an example: from its base in Luxembourg, the Regus company has grown a worldwide network providing mobile corporate executives with access to facilities, administrative support and business technology. Clients make temporary use of Regus’ services on an as required basis and reap an “agility dividend” in doing so. The company’s website (www.regus.ca) states plainly, “Agility has become a mainstream way of working.”

Within the human resources management profession, there is much dialog about building the agile workforce. The discussion encompasses how, when and where employees work and, sometimes, the use of contractors and temps to accommodate peak activity. Temp services have always been with us (Kelly Services, for example, since the 1940’s). But the use of temporary workers remains focused on production and administration and still seems more tactical than strategic. However, the thought leaders in the field seem to be moving toward agile staffing as a component of an agile workforce which, in turn, is an essential building block of the truly agile organization.

Management teams, arguably, are the part of the corporate resource base that are most susceptible to the stresses of change and the pressures of transition. The plight of management teams struggling with rapid change seems to be drawing little attention in all this discussion about adaptation to change and the need to build agile organizations. Interim managers potentially provide flexible, scalable resources to the over stressed management team. Used strategically as required, interim managers have a lot to contribute to the leadership and development of the agile organization.

“Agile”, like other buzzwords, will soon become so over-used as to be meaningless. And some other terminology will replace it. But the concept of organizational flexibility, adaptation and effective transition in response to change will remain vital in building successful enterprises. Interim management should always aim to be recognized as a part of that.

Osborne Interim Management, on its Home Page and in its brochures, has adopted the inuksuk as a visual symbol of what we stand for. Visual symbols are generally more clear and more enduring than buzzwords. However, the theme of this short article has me thinking that we might trade our inuksuk for an acrobat.


Stephen Kendall (click to see Stephen’s profile)
Managing Principal, Vancouver


Other Articles by Stephen

Monday, October 5, 2015

FACING A CHANGING NOT-FOR-PROFIT WORLD

A wise man once said there are three kinds of people who  either manage or are on boards of not-for-profit organizations:
  • Those who say “I see change is necessary and I will make it happen”.
  • Those who say ”I embrace those changes and I want to be part of what is happening”.
  • Those who say “what happened?!”
Unfortunately too many not-for-profit leaders are in the third category. This means they are always in reactive mode and frequently when it’s either too late or requires crisis action.

Right now it would be hard not to be aware of the significant changes taking place in the economy in general and not-for-profits in particular. Regrettably, now is when the trickle down theory really does work. As corporations and governments deal with drastically reduced revenues they are looking for ways to reduce costs, and that trickles down to the not-for-profit sector very quickly. As inward cash flow declines, outward cash flow automatically has to be trimmed, and one of the first targets is corporate community investment budgets, followed by government grant budgets.  As people lose their jobs and face hardships in the Alberta energy sector, it becomes difficult  for companies to justify continuing the same level of charitable support.

In addition, one of the most notable changes that has been occurring even before the collapse of oil prices, is that of donors looking for demonstrable Return On Investment formulas for their charitable donations. It isn’t just about “what recognition will I get?” or “I will feel good for supporting this cause” - both of which are important - but more about “how will my donation make a difference, how will you manage it, and what will the outcomes be?”.

So how do not-for-profits not only survive but thrive in this new landscape? It will not be by implementing kneejerk reactions such as immediately cutting staffing and programming, although some of that will likely be necessary, but by rethinking staffing and programming and by a new approach to fundraising and overall development strategies. In other words, thinking differently.

What does this mean? First of all, it means embracing change and bringing new solutions to new problems. As has been said about Generals who are often fighting the last war instead of the current one, not-for-profit boards too often apply old solutions to new problems and a changed world. Adapting to this new set of circumstances means changing the way scarcer resources, financial and human, are deployed, not just pursuing a slash and burn policy which eventually could lead to a total shutting down of the organization. It  means not just cutting off investment in everything and eliminating all expenses except minimal programming, which is the traditional way of approaching a downturn, but rethinking what investment should be made to meet changed circumstances. For instance, investing in new ways of raising funds or obtaining sponsorship for programs, new ways of being competitive, new ways of partnering with other not-for-profit organizations and new ways of presenting a compelling case for the organization. 

There are approximately 24,000 not-for-profits operating in Alberta, and about 9,000 of those are registered charities who can issue charitable receipts. Every one of those organizations, from very large to very small, is chasing the same shrinking pie and clamouring for the same dollars. Not all of those will survive the current downturn and increasingly competitive environment and the ones who will are the ones who either have the capability to think innovatively and survive, or can invest in finding the expertise to provide different thinking. Being a “good cause” is no longer enough – your good cause has to stand out from thousands of other good causes.

It is not necessarily about discovering totally new directions, but more about looking at the existing model of the organization differently and from a new direction. One new direction that many not-for-profits are overlooking, but which can make a big difference, is that of thinking differently about the role of the Board of Directors. These are usually composed of private sector volunteers who bring varying degrees of commitment to their responsibilities as a Director. In the good times, it is only necessary to perform high level governance, but in these new and tougher times Boards need to be more involved in setting strategic directions and helping to find new sources of revenues. They need to be more involved in such decisions as whether or not to hold events, whether those events can continue to be strictly “friend raising”, and they need to take on a direct role in selling tickets and bringing donors to events. That may mean changing the board composition and recruiting more activist members. It also means rather than wholesale elimination of positions, looking at them differently so that some become combined and others are part time or contracted.

George Bernard Shaw once said “people who say it cannot be done should not interrupt those who are doing it”. In our world the not-for-profit survivors will be those who see the need for change and do not leave it to others to do the necessary different thinking and do not keep saying “we tried that once and it cannot be done”. The survivors will be those who think differently and positively and act.


Blane Hogue (click to see Blane’s profile)
Principal


Other Related Articles




Tuesday, September 8, 2015

A SUMMER OF REMINDERS FOR SUCCESSFUL NEGOTIATION

This summer has been full of significant sets of negotiation in the political arena at home and abroad. These events illustrate some of the key dynamics of negotiation such as power, time, information and compromise. These hold true whether negotiations occur between countries/provinces, organizations or individuals.

Let’s take a look at how our examples from the summer played out:

Alberta’s Rachel Notley after her very first Premier’s Conference in St John’s Newfoundland made this telling comment:

“Negotiations are not about standing in the corner and having a tantrum. Negotiations are about what you get at the other end. That’s what I’m focused on now”. She was  referring to her sparring with Saskatchewan Premier Brad Wall over how to make the sale with the Eastern provinces with respect to the Energy East Pipeline. What Notley had been trying to do is collect information in this case on how environmental concerns that Quebec has might be mitigated. The premier was criticized by some for taking too conciliatory an approach but really was simply displaying an understanding that if the government of Quebec was to change its stance, they would have to have a palatable “get” as well. Any successful negotiation involves compromise and concessions by both sides providing that they are part of a process of yielding to reasonableness. 

Where Premier Notley may have been naive is too suggest that tantrums have no place in negotiation. They may have no place in interpersonal dealings. However, they can be one of the tactics behind a strategy designed to be successful over a long and protected negotiation involving representatives from two sides.

Overseas in Vienna Austria the two camps led by America’s John Kerry and Iran’s Muhammed Javad Zarif had been clearing roadblocks by first of all focusing on what they could agree on. However, the elephant in the room remained. A major dispute lingered over whether a ban on Iran’s ability to purchase conventional weapons and missile technology would remain in place. With the Russians and Chinese aligned with Iran, which side had the most “power” was very debatable. Both countries had invested considerable time but  the Kerry-Obama camp was more reluctant to leave the table empty handed. There were shouts and confrontations over 17 days, some real and some staged. Although the two countries were negotiating with different agendas, what resulted in the 11th hour was a compromise that both sides could live with. Finally after a period of years, each side came to understand what mattered most to the other.

You couldn’t ask for a more lopsided setting for a negotiation than the one that faced Greece’s Prime Minister Alexis Tsipras. After a marathon 23-hour session August 11th in Athens, Tsipras agreed to bring forth a number of policy reforms in exchange for the third bailout by Euro Zone creditors, this one totaling up to 86 billion Euros. Tsipras was between a proverbial rock and a hard place. Negotiators for both sides faced the unenviable position of not being necessarily able to “deliver” on their side of the agreement. For the Germans who had contributed most to the two previous bailouts, throwing good money after bad was becoming intolerable. For the Greeks, it was accepting new terms of austerity they had long fought against or get thrown out of the Eurozone. They had run out of time, Eurozone negotiators had all the perceived power and once the Greek Finance Ministry had agreed to open up their books to outside inspectors, the information required to demand specific reforms was in abundance. Tsipras was dealing with a different set of cultural values and pressured by time tried to “split the difference” as pressure mounted from the EU nations. When you do that you end up working for your opposer’s needs who then tend to toughen their position. Tsipras reluctantly had to agree to a series of austerity measures that divided his party, forced a September 20th election and may yet isolate his country.


Power, time, information, and compromise; four key negotiating dynamics that were very much on display in these three examples.

We learn as kids how to negotiate. We also learn that when we go too far in with what we are asking for, or are unreasonable or disrespectful in our approach, we’re going to hear a resounding NO. One of the biggest lessons I have learned in business over the years is when to stop pushing. All parties to a negotiation should come out with some needs satisfied. Win-lose deals may be destructive to the loser at the time, but they also usually catch up to the winner in the long run.


Mark Olson (click to see Mark’s profile)
Managing Partner & Principal



Other Articles Written by Mark

Wednesday, September 2, 2015

RUSS TYNAN JOINS OIM

Osborne Interim Management is pleased to welcome Russ Tynan to the organization as a Principal.

Russ provides executive leadership for the resolution of organizational challenges and change. A trusted advisor and business leader; an innovative and creative problem solver. Noted for his successes in transitioning companies and organizations through new opportunities or difficult challenges. Russ works with the executive team at the strategic stage, then with employees and stakeholders through implementation. Outcome focused, he instills discipline by aligning brand, culture and strategies.

Monday, July 6, 2015

THE MOST COMMON PITFALLS WHEN AN EXECUTIVE DIRECTOR LEAVES AND AN INTERIM POSITION IS CREATED

“Anyone can be an Executive Director, especially when it’s a short-term fill-in position - how hard can it be, right?"

I have had that conversation more often than is good for my blood  pressure. As soon as a Board member of a not-for-profit says “how hard can it be, right?” I know they are headed for trouble. “We have a Board member (or colleague, or donor) who is retired and has time and won’t charge us anything, so he can fill in and we’ll save some cost. I mean, how hard…etc”.

Canadian author Margaret Lawrence once told of being at a cocktail party and talking with a neurosurgeon who said “you know Ms. Lawrence, when I retire I’m going to write a novel”. “What a coincidence” said Margaret Lawrence “when I retire I’m going to be a neurosurgeon”.

Well, it is hard to be an Executive Director and in some ways even harder to be an Interim Executive Director. The learning curve is very steep and an Interim Executive Director has to keep the organization strong, on track with its programs and strategies, manage all stakeholder relations, plus keep staff and systems  functioning positively while not making decisions that will have adverse consequences when a permanent  Executive Director is recruited. An Interim Executive Director is supposed to come fully conversant with and experienced in grant application processes and regulations, HR best practices for NFP’s, knowledge of fundraising and campaign methodologies, internal and external communications strategies, basic financial management, and the ability to deal with Board/Governance policies and procedures. Someone who has “a bit of time on their hands” and can volunteer for the position but has no direct experience in managing the complexities of a not-for-profit  (serving on a Board does not constitute operational experience) will at the very best be less than effective, and at worst leave a time bomb of financial, staffing (usually including plummeting staff morale) and other problems for the permanent person coming in. Like any rule there are of course exceptions, and I am aware of cases where a person with senior and somewhat related experience has been a successful Interim Executive Director, but it is rare.

In addition to the amateur Interim Executive Director issue, here are some of the other most common mistakes made in looking for either an interim, or even a permanent Executive Director:

Job Description – it’s the same but shorter, isn’t it?:  
Just taking the full time Executive Director’s job description and tacking “Interim” on to it is not a good idea. The interim position will have different performance measurements from the permanent position and it will have very different operational requirements. For example, an Interim Executive Director will not normally be required to create long-term strategies or program development and should not tinker with those already in place unless funding is in jeopardy or projected outcomes are not being achieved. Also, the emphasis on some aspects of the role will be different and may require, for example, paying closer attention to staff morale and retention  in order to maintain stability and continuity, while paying less attention to such aspects as, for example,  new capital or brand redefinition and new marketing programs.

We don’t need their advice on anything else, do we?:   
One mistake I have seen is the missed opportunity of failing to capitalize on the range of knowledge plus variety of experience that an Interim Executive Director usually brings to the position, or actively discouraging any consulting or advice outside the job description. Assuming this person does not want or is not considered for the permanent position, they can be objective and truthful in providing a point of view about the organization’s operations. Having an experienced and objective consultant as well as an operational leader can be a real bonus and the job description should include providing an assessment of the organization’s strengths, challenges and opportunities for improvement as an exit requirement.

Pay peanuts and you get monkeys:  
This, plus “you get what you pay for”, are two clichés that Boards still sometimes forget when hiring for an  interim position. Just like the “how hard can it be?” argument, Boards sometimes see hiring an Interim Executive Director as an opportunity to save money. The flawed reasoning is that the interim person will not have the same level of responsibility or skill requirements as a permanent position so they don’t need to be paid as much. Not true and can lead to bad hiring. Granted, the responsibilities are different in an interim role, but no less difficult or demanding and require the same level of expertise and ability as any permanent role. Don’t expect to pay less (or nothing!) and expect the same level of competence. Remember, the interim person is responsible for maintaining your brand, reputation and carefully built donor and other stakeholder relationships. No matter how much money you think you’re saving by hiring someone at a lower rate than the permanent position, a less experienced and low performing Interim Executive Director can cost an organization dearly if those areas are neglected or poorly handled.

Why hire anyone? We can just give a staff member the job for the interim: 
Sure, add a whole new job to an existing and presumably important one for someone who probably doesn’t want it and isn’t sure how to do it. Plus, when it’s over, that person drops back in status and presumably loses the few extra bucks you were paying temporarily. The job will not be done well, the staff will find it hard to   relate to a colleague who is now their boss for a while and the person will resent the whole situation. I have seen it done and it’s a lose/lose proposition. It’s in the same category as “we need someone to handle HR.  Susan, who does admin and bookkeeping, can’t be that busy – let’s put  her in charge of HR”. As the saying goes, it’s not a problem until it’s a problem. Suddenly the organization has a legal, ethical or performance failure or dismissal issue and Susan is totally out of her depth and the organization is in trouble.

Let’s just ask the outgoing Executive Director to find someone:
Even if the outgoing Executive Director is leaving on positive terms, they will either try to find someone just like them (which may or may not be good) or a friend they know who may not be suitable, or will often go for upgrading a staff member, particularly a close colleague who may have lobbied for the job. Hiring an Executive Director, either interim or permanent, is a Board responsibility. In almost all not-for-profits, the Executive Director is the only employee of the Board and reports directly to the Board, often via the Chair. It is wrong and usually against the by-laws to delegate this responsibility.

How does an organization avoid all those pitfalls and keep things running smoothly? The Board needs to:
  • Take on the responsibility for creating a job description and appropriate compensation level designed specifically for an interim position, ideally with professional help.
  • A committee of the Board needs to manage the search process.
  • The Board needs to review then approve the committee’s recommendation.
  • Staff need to be informed fully and positively once the decision is made and before rumours start.

How hard can it be, right? It needn’t be hard at all. Osborne Interim Management can provide a senior, experienced Interim Executive Director and can guide Boards through the whole process of job description, on-boarding and eventual transition to a permanent Executive Director.


Blane Hogue (click to see Blane’s profile)
Principal


Other Articles Written by Blane

  

Tuesday, April 7, 2015

HOW TO SET UP AN EFFECTIVE MENTORING PROGRAM

Early in my career, I learned about the value of having a mentor. Back “in the day” there were no formal mentoring programs at the financial institution that I worked at, but I found myself looking forward to spending time with two particular senior executives. I watched their interactions with employees and customers and listened to their messages and how they delivered them. I took note of how they dressed and how they carried themselves. I didn’t know the word for it then, but I was being mentored and my mentors didn’t even know it! 

Today, mentoring has come a long way in becoming a more formal program in most progressive companies. It also has become a critical function as a great deal of corporate knowledge needs to be transferred to the next generation. 

This article is a follow up to Osborne’s article in January about the merits of mentoring. It will help your company set up a mentoring program that is easy and sustainable. 

There are four parts to setting up a mentoring program. 

First, the company needs to articulate the purpose of the mentoring program. The purpose can be anything from sharing the knowledge of a senior employee approaching retirement to development of junior staff, preparing them for a future in your company or industry. Articulating the purpose of your program will allow you to be focused and avoid becoming too broad and diluted. For the purpose of an example, “our mentoring program is to develop young accountants in an organization, preparing them for future roles.” 

The second step is to define the areas of the company that will be part of the program. In our example, we are going to involve all departments of accounting in an effort to give our young grads exposure to all the area’s different disciplines. For each discipline, a check list of mentoring topics should be documented. This will assist the mentor in structuring their part of the program, making the learning consistent between mentors. 

The third step is to identify mentors. Previously, we discussed what would make a good mentor. In sum, a good mentor is a good listener, empathetic, very knowledgeable in their area of expertise and has time to dedicate to his or her mentee. A good mentor need not be a leader of people. In fact, being a mentor can assist an employee in becoming a good leader by developing coaching skills. Always identify mentors first before committing to a program. You will need to know you have the support and resources to make it happen. 

Once the mentors have been identified, the obvious next step is to identify the mentees. An ideal mentee is one that has already shown initiative, loves to learn and is obviously looking forward to moving up in the company. Never choose an employee who has performance or attitude problems. A mentoring program is a reward for those employees who want a challenge and have proven themselves in their current role. It is not the time to hand problems off to someone else to try and fix! 

The matching process is the next step. When considering whom to match with whom you should take into consideration the following: 

  • Personality – having the same is not always better. But be aware of total opposite personalities. 
  • Learning style, versus coaching style – exposing employees to different types of mentors will lead to a more rounded individual.
  • A mentor should never be an employee’s leader. 
  • An obvious factor is location. While proximity is best, current technology (i.e. Skype) allows you to expose employees to others in your organization from around the world. 

So here you are: You have defined the program, identified and matched your mentors and mentees. Now what? 

I recommend having a kick off meeting that has both a formal agenda and a networking component and includes all participants. The formal agenda should be led by an HR facilitator and every attempt should be made to have the most senior executive address the group at the beginning. The formal part of the program can outline expectations of both the mentor and the mentee and provide recommendations on meeting frequency and length. Every relationship will fall into its own rhythm over time, but initially, structure is important for sustainability. In order to get the mentors and mentees talking, I recommend, planting some questions with both parties. This may or may not be required. If there is initial awkwardness, having some prepared questions will really help the conversation flow. The goal of this initial session is to make sure that both the mentee and mentor have similar expectations and feel comfortable moving forward. 

The formal agenda should be followed by a less formal networking session, even over a lunch or dinner. The mentor should demonstrate their networking skills and introduce their mentee to others in the group. The meeting should not end without a commitment for a follow up conversation or meeting. 

The final piece of the mentoring program puzzle is the most important and the most difficult – sustainability. While it is inevitably up to the participants to keep the program going, you can assist by offering the following assistance: 

  • Regular check in’s with participant (monthly or quarterly). Are there any challenges? What are some successes? 
  • Give topics for discussion. 
  • Bring the group together six months into the program. Focus on results and if any improvements can be made. 
  • Follow up with the mentees leader to see if there has been any progress. 
  • Ensure there is a goal related to mentorship on the mentors performance reviews (what gets measured gets done). 
  • Provide a expense fund for mentors and mentees to go for coffee or lunch. 
  • Develop a year-end assessment scorecard that will assess the program from all perspectives. 
  • Start the cycle every year with a kick off. Consider changing up the mentors and the matches currently in place. If the current matches feel that want to continue, let that happen too. 


Suzanne Wilson (click to see Suzanne’s profile) 
Principal 

Other Related Articles 
Mentoring - Successful People Never Achieve Their Goals Alon
Leadership - The Holy Grail of Business 

Friday, March 13, 2015

IAIN DRUMMOND JOINS OIM

Osborne Interim Management is pleased to welcome IainDrummond to the organization as a Principal.

Iain is a highly experienced IT executive with an extensive background as CEO of both public and private companies. He is well-versed in all aspects of management, including running international operations for a large multinational computer manufacturer. As a result of his extensive earlier experience as a systems analyst and troubleshooter, Iain is used to creating high-value solutions to challenging business problems. He has a strong focus on sales, marketing, product development, budgeting and financial controls, and is a top-level presenter with strong verbal and written communication skills. He is a skilled motivator and people person, and is used to dealing at C-level with both government and private sector organizations.

Tuesday, March 3, 2015

RISK MANAGEMENT - BLOG POST BY IVAN McCLELLAND

3 Types of Insurance you should consider for your small business.

 Insurance is essential component of your risk management toolkit, particularly in respect of mitigating the financial consequences of certain loss exposures. Business owners must continually balance their need to manage risks with the cost of obtaining peace of mind through insurance. In the past few years some types of policies have increased in popularity and consequently these policies may be more affordable that they were before. Here are three policies that every Small business owner should consider;

1.     Cyber Insurance. We all use technology to some degree and many business are highly reliant upon IT to sustain their operations. The financial impact and associated liability can be mitigated through cyber risk insurance. Although this type of insurance has been available in Canada since the mid 1990’s, its popularity has increased considerably in recent years. There are numerous insurers in Canada who offer cyber risk insurance and policies can be customised in respect of retention amounts and potential losses covered. 

2.     Key – Person Insurance. Does your business include someone whose contribution is vital to the survival of your company? If yes, then key person insurance should be a part of your business continuity and succession plan - especially if you're a small business owner. Numerous insurers offer this type of coverage and many group benefits providers will include this coverage if requested. 

3.     Overland Flood. Traditionally this type of insurance has not been readily available in Canada, and the few insurers who offered it charged excessive premiums. But that is changing!  A number of large insurance companies have started to offer overland flood insurance, and as these policies become more popular the premiums should start to come down to levels were it may be a viable risk management option. 


You should talk with your insurance broker or consider reviewing your enterprise approach to risk management, to assess if your insurance is aligned with your risk management objectives. The risk management team at Osborne are available to help with all your risk management needs.

Ivan McClelland (click to read Ivan's profile)
Principal



CYBER SECURITY RISKS - ARE YOU PROTECTED?


Cyber security risks are present in almost all organizations, irrespective of size, as we all become increasing dependant on information technology to manage operations, HR, financial and customer information. These operational risks should be considered by all organizations as part of their risk management program.

While Small to Midsized Enterprises (SME) don't have the luxury of dedicated information security teams and resources that large enterprises can afford, they still face many of the same threats. According to the Government of Canada, over 31% of cyber-attacks intentionally targeted small to medium sized businesses in 2012 and that number has increased in the past two years. They also report that the average financial impact to such businesses is in excess of $15,000 per attack, although this number is conservative when compared to other studies.

Customers and employees naturally expect personal and financial data to be kept secure, and a data breach can be a painful and expensive ordeal. But it can be daunting for a small business that may have a small IT department, to think about how to tackle IT security.

The response of many SME’s is the “security through obscurity” approach. In other words, we’re too small to be on anyone’s radar and the cyber-criminals are only going after the big guys. It is true that many of the well-publicized stories of data breaches have involved very large enterprises like Home Depot, TJ Maxx and JP Morgan. But these cases only represent a very small faction of the actual number of cyber security incidents that happen every day, which are increasingly focused on SMEs.

The reason why SME’s are increasingly becoming the victims of cyber criminals is the same reason why criminals target the vulnerable members of a society. Smaller companies are simply easy pickings and they don’t fight back like bigger companies. They represent a low risk of apprehension as SME’s would typically lack the monitoring, forensics, logs, audits, reviews, penetration testing, and other security defenses and warning systems that would alert them to a breach.

That being said, the most pressing IT security problem facing Canadian entrepreneurs is not computer hackers. The majority of security breaches actually come from a company’s own employees. They’re usually not doing it on purpose as most breaches are accidents, such as; an employee mistakenly emailing confidential client information outside the company, a cashier leaving a customer’s credit card information on a publicly viewable computer, or a manager inadvertently deleting important files. So where do you start?

IT Security has grown in complexity as IT systems and the methods used to compromise them have grown. There are however some first steps that can be taken to mitigate the risk. The following 6 steps are a starting point that a small business can use to evaluate its current cyber security risk and how to manage it:


1. Strategy and Human Resources Policies

  • Does your company have a clear IT security policy that’s known to staff?
  • Do you provide security awareness training to your staff, or promote a culture of security and protection within your organization?
  • Do you have a policy on acceptable IT use, password guidelines and security practices?
  • Do you have confidentiality agreements for contractors and vendors?
  • Does your company have a privacy policy? Remember privacy law applies equally to how you protect employee information as well as customer information.

2. Data Backup

  • For critical data (this is anything needed in day-to-day operations, including customer information), do you centralize it on a server and back it up nightly to a remote location?
  • For important data (anything important to the business but that doesn’t get updated frequently), do you centralize it on a server and back it up semi-regularly off-site?

3. Desktop Security

  • Do all computers have working anti-virus software?
  • Do you have a security policy for downloading and installing new software?
  • Do you have passwords with a minimum of eight alphanumeric characters that are changed every 90 days?
  • Are all computers updated with the latest system updates and security patches?

4. Internet and Network Security

  • Do you have a firewall and intrusion detection on all web connections?
  • Do you use a virtual private network for remote access?
  • Are all modem and wireless access connections known and secured?

5. Privacy and Sensitive Information

  • Have you restricted access to applications and information to those who need it? Do you periodically review access levels?
  • Is customer financial information encrypted and accessible only to those who need it?
  • Are paper files kept in locked filing cabinets with controlled access?

6. Audit

  • Do you do a periodic audit (every six months at least) of your IT security checklist?

These steps do not represent a comprehensive approach to IT security, but they will start you on the road to having a more secure and reliable network. Remember, technology is evolving very quickly and the methods used to compromise networks are evolving just as quickly, so managing your cyber risk must be a dynamic and iterative process.

The Government of Canada has published a useful guide for small businesses which can provide more information on how to protect your operations, systems and information. It is a very useful resource and it is available here.

Ivan McClelland (click to see Ivan’s profile)
Principal

Other Article Written by Ivan McClelland:
"No Risk, No Reward" - Identifying and Managing Risk Tolerance for Your Business

Tuesday, February 3, 2015

"NO RISK, NO REWARD" - IDENTIFYING AND MANAGING RISK TOLERANCE FOR YOUR BUSINESS

What is Risk Management?
As a small to medium business owner or executive, is risk management something you think about or do you even think it applies to your business? What is risk management anyway? In fact, what is risk?

Risk can be considered to be “the effect of uncertainty on your business objectives” and it is an inherent part of being in business. When you make investments in your business the hope is, that they will generate a positive return, but that return can be negative, positive or even far beyond your expectations. It is that type of uncertainty that we would call risk. The management of risk is concerned with reducing business uncertainty and the impacts arising when risk events do occur.


“It seems to be a law of nature, inflexible and inexorable, that those who will not risk, cannot win.”
John Paul Jones

The greatest challenge for small and medium business owners is to find the proper balance between risk, peace of mind and profitability. Trying to completely eliminate risk from your business is unrealistic and can be prohibitively expensive or cause you to institute policies that may be so risk averse that your business never grows. Gauging the correct level of risk will position a company to grow and be robust enough to withstand adversity.

So, Where Do I Start? - Identify & Assess
Risk management can be very complex, but it doesn't have to be, at first. The first step is to take a very honest and thorough look at your company and then to identify and evaluate the risk events that could impact it. Here are some of the questions that you should be asking:

Do you really know our business objectives beyond mere profitability? 
The strategic objectives in your business plan are a good starting point here, but you need to think about those business objectives that support your strategic plan. Consider things like:

  • Your ability to attract and retain the right staff
  • Business processes
  • Workplace safety
  • The environmental impact of operations
  • IT Systems
  • Your relationship with suppliers and customers
  • Regulatory compliance.
- What types of risks can impact our objectives? This involves identifying the risk events that can specifically affect your objectives and assessing both the likelihood of occurrence and the impact upon the organization. This goes beyond looking at the downside, the catastrophe, or major issues that can hit your business. You also have to look at what new sales or growth opportunities are out there and the risk of not achieving them or the risks of not achieving them well.

- How can I deal with our risks? 
We all deal with risk every day and the same strategies we use in our daily lives apply in the business context as well. If we decide that a motor vehicle accident is a risk event that we wish to manage then we can control or treat that risk in a number of ways: We can decide to drive during a snow storm and ACCEPT the risk of an accident or AVOID the risk by staying at home. We could put winter tires on our car to REDUCE the likelihood of an accident. We buy cars with safety systems such as air bags to REDUCE the consequences of the accident. We purchase insurance to REDUCE the financial impact of the accident or we could take public transit and TRANSFER the risk of having an accident.

The same principles apply to risk in a business context. The approaches of acceptance, avoidance, transfer, reducing the likelihood and reducing or mitigating the consequences, form the basis of risk management policies and treatments which can be used individually or in combination. You should decide how to manage the identified risks to fit within your risk tolerance and resources available. Most often a combination of approaches is the most effective.

- Peace of mind vs profitability?
In the risk management world this is often referred to as “risk tolerance”. Remember you cannot eliminate all risk, so you must decide how much risk your business can accept. Achieving the correct balance is at the heart of risk management.

These questions are the basis of the complex ISO 31000 risk management standard used by large companies to manage ERM when dealing with complex and dynamic risks. This simplified process should, however, provide the tools and insight, not only to allow you to quantify your risks but also your position your strategic business plan to be more resilient.

What’s Next? – Monitor & Review
Now you understand your business objectives at a comprehensive level, you have identified the risk events that can affect the achievement of those objectives, you have decided how to manage those risks and now you can sit back and run your business? Maybe not! To be effective, risk management should be a dynamic and iterative process, your business doesn't stand still and neither does the environment in which you operate. To be truly resilient you must take it a little further.

Monitoring your competition, customers, suppliers, technology and changes in the law or regulations will provide early indications of changes in your risk profile. Perhaps you may consider establishing some key risk indicators, such as commodity prices, competitor pricing or currency exchange rates. When these indicators fall below or rise above your indicator levels, certain actions may be initiated. For example lower fuel prices may prompt a shipping company to consider highway transportation for longer hauls, but at what point does it become more economical to switch to the railways? Similarly the fluctuations in the exchange rate for the Canadian currency may influence where a manufacturer sources raw materials or what market in which to concentrate sales activity.

Taking a few days periodically to review and update your risk management plan is a wise investment. The review should involve multiple levels of management from within your organization and (if warranted) a risk management consultant, to provide insights and perspectives that you may not have considered. To identify new and emerging risks ask questions like:

  • Will a change in operations, or the addition of new equipment create new risks or change existing ones?
  • Will a new supplier or customer change your supply chain risk?
  • Does a fluctuating exchange rate present a commodity price risk or an export opportunity?

Having recognized that change may be occurring, an evaluation of your risk management plan is recommended. Are your policies and internal controls at the right level? Are you reaching your target market or have new markets become accessible and if so what new risks may arise? Do you have a plan A, B and even C if things change unexpectedly? Do you have a business continuity plan if you are faced with a catastrophic event? And finally, is your insurance coverage appropriate for your business today?

What About Insurance? – An Essential Component
When many business owners think about “risk management” it’s usually limited to purchasing standard insurance protection without much consideration for other ways to protect the business. Insurance is an essential part of any risk management plan but you must understand its limitations. Insurance can mitigate the financial consequences of a liability claim or of a loss event such as a fire, or windstorm or even a major operational loss if you have business interruption coverage. But, insurance will not reduce the likelihood of a risk event occurring nor will it help manage risks that are uninsurable such as supply chain risks or strategic risks.

The optimum level of insurance is attained when your insurance is structured to provide your desired level of coverage, specific to you risk profile at the lowest possible cost. This will raise the question of how much risk can I can accept? You may be able to lower your premiums by accepting a higher deductible or you may decide that you need a higher level of liability coverage to do business in the US. This comes back to that question of peace of mind vs. profitability.

The coverage and policy limits offered by your insurance should be reviewed at least annually as your business develops. It is important to look at the detail of your policies to make sure that you are not paying for coverage you don’t need and to confirm that the policies limits are reflective of your business today. If you merely renew your policy every year you run the risk of misalignment occurring between your expected level of compensation and your actual policy limits. Factors that lead to misalignment include, changes in the cost of building or equipment replacement, changes in the size of the entity insured, business development into new markets and new or emerging risks.


“One thing that makes it possible to be an optimist is if you have a contingency plan for when all hell breaks loose.”
Randy Pausch

Insurance is often considered to be a risk transfer mechanism but this is only correct insofar as it transfers the financial impact of a risk event to the insurance provider. Insurance is most effective when it is combined with activities that reduce the likelihood or occurrences, mitigate the impacts and business continuity planning that can provide for rapid recovery. For example, in the event of a major fire at one of your facilities, your insurance will provide with the financial resources to rebuild or restore operations, but a business continuity plan will give you the roadmap to business resumption, allowing you to recover quickly.

It’s Up to You – Manage the Risks or Accept Them?
There is no “one size fits all” strategy for risk management. Every industry has its specific risks and every company within an industry has its own unique risks based on its culture, maturity, market position and so on. The amount of risk management activity each company undertakes will be different as well. It could be as little as an annual review of insurance coverage and consideration of key business risks for a sole proprietor-ship, or as comprehensive as a department with a large staff managing claims, insurance and daily monitoring of key risk indicators for a large financial enterprise.

For you, however, taking these few simple steps can kick start your risk management program and help you define and align your risk appetite with your strategy and the way you operate your business. The end result is that you should have a business that is positioned to take advantage of opportunities when they arise and one that is more resilient when adversity strikes.


“Good Risk Management fosters vigilance in times of calm and instils discipline in times of crisis.”
Dr. Michael Ong

Ivan McClelland (click to see Ivan’s profile)
Principal

MENTORING - SUCCESSFUL PEOPLE NEVER ACHIEVE THEIR GOALS ALONE

In a quest to find a definition of mentoring, the term is often used inter-changeably with leadership. While it is true that good leaders can make good mentors, the two roles have very different purposes.

Leaders of organizations have one main purpose: to drive the bottom line to maximize shareholder value. While very good leaders can accomplish this through their people, this is often done at the cost of managing ongoing performance, rewarding the achievement of short-term goals and training on job specific knowledge and skills. In other words, the leader directs their people to achieve the leader’s goal.

Mentors, on the other hand, altruistically impart knowledge, provide wisdom and share experiences to help their mentee achieve long term professional and personal development.

Does this mean one is better than the other? Absolutely not. Successful people have many people in their corner, playing different roles. However, your current leader cannot also be your mentor at the same time. Mentorship needs a level playing field without hierarchy.

So what would make a good mentor? Skills and experience are obvious needs. More important is the ability to empathize with the mentee. Each mentee is different. Their background, level of job skills, self confidence and learning skills will vary widely. The mentor must be able to effectively manage the relationship. So how do you do that. 

1. Empathize
You must form a bond with the mentee. To do this you must feel a connection with them. Can you handle naivety, generational differences, cultural or gender differences to name a few? If not, it may not be the right match.

2. Listen and Learn
Focus on what your mentee is saying and analyze the content. Do not jump ahead to early conclusions but listen to the end. Then take a moment to formulate a response. You can do this by repeating the important points to be sure you have them correctly. This will also help you avoid assumptions.

3. Question
In support of “Listen and learn”, ask questions to be sure you understand what the mentee is saying. The questions should make the mentee open up. “Yes” and “no” are generally answers to poorly phrased questions. Question openly as you would to a friend. Do not interrogate.

4. Back to Empathy
Apply your soft skills. Listen for tone. Watch body language. The mentee may be embarrassed by the discussion, they may feel stupid or naïve. Respond accordingly remembering that your resolution helps their soft skills and builds trust.

5. Discuss
It is your turn to speak and impart knowledge and wisdom. Be direct and thorough in your responses but keep the tone that of discussion. If you do not have a direct answer, even the discussion will help your mentee assemble their thoughts. This is not a time to expound your great theory, preach, order or threaten. You must be direct even if you find the subject uncomfortable. Do not avoid the discussion.

6. Build Trust
Trust is the key in this relationship. Following the guidance above will help you do that. Other things that will help are the location of your meetings – best informal, the tone of the conversation, getting to know a little of your mentees personal circumstances, being punctual and being prepared.

7. Give Time
You must give freely of your time. Set meetings in advance and stick to them. Have an agenda however informal. When you can be accommodating as your mentee is likely much junior to yourself and less in control of their time.

8. Follow Up
Revisit previous meetings to see how your discussions played out. Use this as a learning tool. If you offer an article, book or contact then be sure you provide it.

Following this guidance will help you to get the most out of a mentor-mentee relationship. There are some pitfalls but most are easily spotted and avoided. You are not an emotional crutch, a job network, an accomplice or an all knowing guru.

In the next issue of The Osborne Observer, we will discuss how to set up an effective mentorship program.

Suzanne Wilson (click to see Suzanne’s profile)        
Principal            

Roger Andrews (click to see Roger’s profile)                                                          
Principal