Tuesday, March 3, 2015

RISK MANAGEMENT - BLOG POST BY IVAN McCLELLAND

3 Types of Insurance you should consider for your small business.

Insurance is an essential component of your risk management toolkit, particularly in respect of mitigating the financial consequences of certain loss exposures. Business owners must continually balance their need to manage risks with the cost of obtaining peace of mind through insurance. In the past few years some types of policies have increased in popularity, and consequently these policies may be more affordable than they were before. Here are three policies that every small business owner should consider:

1.     Cyber Insurance. We all use technology to some degree and many businesses are highly reliant upon IT to sustain their operations. The financial impact and associated liability can be mitigated through cyber risk insurance. Although this type of insurance has been available in Canada since the mid 1990s, its popularity has increased considerably in recent years. There are numerous insurers in Canada who offer cyber risk insurance, and policies can be customised in respect of retention amounts and potential losses covered.

2.     Key-Person Insurance. Does your business include someone whose contribution is vital to the survival of your company? If yes, then key-person insurance should be a part of your business continuity and succession plan - especially if you're a small business owner. Numerous insurers offer this type of coverage and many group benefits providers will include this coverage if requested.

3.     Overland Flood. Traditionally this type of insurance has not been readily available in Canada, and the few insurers who offered it charged excessive premiums. But that is changing! A number of large insurance companies have started to offer overland flood insurance, and as these policies become more popular the premiums should start to come down to levels where it may be a viable risk management option.


You should talk with your insurance broker or consider reviewing your enterprise approach to risk management, to assess if your insurance is aligned with your risk management objectives. The risk management team at Osborne are available to help with all your risk management needs.

Ivan McClelland
Principal



CYBER SECURITY RISKS - ARE YOU PROTECTED?


Cyber security risks are present in almost all organizations, irrespective of size, as we all become increasingly dependent on information technology to manage operations, HR, financial and customer information. These operational risks should be considered by all organizations as part of their risk management program.

While Small to Midsized Enterprises (SMEs) don't have the luxury of dedicated information security teams and resources that large enterprises can afford, they still face many of the same threats. According to the Government of Canada, over 31% of cyber-attacks intentionally targeted small to medium sized businesses in 2012 and that number has increased in the past two years. They also report that the average financial impact to such businesses is in excess of $15,000 per attack, although this number is conservative when compared to other studies.

Customers and employees naturally expect personal and financial data to be kept secure, and a data breach can be a painful and expensive ordeal. But thinking about how to tackle IT security can be daunting for a small business that may have only a small IT department.

The response of many SMEs is the “security through obscurity” approach. In other words, we’re too small to be on anyone’s radar and the cyber-criminals are only going after the big guys. It is true that many of the well-publicized stories of data breaches have involved very large enterprises like Home Depot, TJ Maxx and JP Morgan. But these cases only represent a very small fraction of the actual number of cyber security incidents that happen every day, which are increasingly focused on SMEs.

The reason why SMEs are increasingly becoming the victims of cyber criminals is the same reason why criminals target the vulnerable members of a society. Smaller companies are simply easy pickings and they don’t fight back like bigger companies. They represent a low risk of apprehension, as SMEs would typically lack the monitoring, forensics, logs, audits, reviews, penetration testing, and other security defenses and warning systems that would alert them to a breach.

That being said, the most pressing IT security problem facing Canadian entrepreneurs is not computer hackers. The majority of security breaches actually come from a company’s own employees. They’re usually not doing it on purpose, as most breaches are accidents, such as an employee mistakenly emailing confidential client information outside the company, a cashier leaving a customer’s credit card information on a publicly viewable computer, or a manager inadvertently deleting important files. So where do you start?

IT Security has grown in complexity as IT systems and the methods used to compromise them have grown. There are however some first steps that can be taken to mitigate the risk. The following 6 steps are a starting point that a small business can use to evaluate its current cyber security risk and how to manage it:


1. Strategy and Human Resources Policies

  • Does your company have a clear IT security policy that’s known to staff?
  • Do you provide security awareness training to your staff, or promote a culture of security and protection within your organization?
  • Do you have a policy on acceptable IT use, password guidelines and security practices?
  • Do you have confidentiality agreements for contractors and vendors?
  • Does your company have a privacy policy? Remember privacy law applies equally to how you protect employee information as well as customer information.

2. Data Backup

  • For critical data (this is anything needed in day-to-day operations, including customer information), do you centralize it on a server and back it up nightly to a remote location?
  • For important data (anything important to the business but that doesn’t get updated frequently), do you centralize it on a server and back it up semi-regularly off-site?

3. Desktop Security

  • Do all computers have working anti-virus software?
  • Do you have a security policy for downloading and installing new software?
  • Do you have passwords with a minimum of eight alphanumeric characters that are changed every 90 days?
  • Are all computers updated with the latest system updates and security patches?

4. Internet and Network Security

  • Do you have a firewall and intrusion detection on all web connections?
  • Do you use a virtual private network for remote access?
  • Are all modem and wireless access connections known and secured?

5. Privacy and Sensitive Information

  • Have you restricted access to applications and information to those who need it? Do you periodically review access levels?
  • Is customer financial information encrypted and accessible only to those who need it?
  • Are paper files kept in locked filing cabinets with controlled access?

6. Audit

  • Do you do a periodic audit (every six months at least) of your IT security checklist?

These steps do not represent a comprehensive approach to IT security, but they will start you on the road to having a more secure and reliable network. Remember, technology is evolving very quickly and the methods used to compromise networks are evolving just as quickly, so managing your cyber risk must be a dynamic and iterative process.

The Government of Canada has published a useful guide for small businesses which can provide more information on how to protect your operations, systems and information. It is a very useful resource and it is available here.

Ivan McClelland
Principal


Tuesday, February 3, 2015

"NO RISK, NO REWARD" - IDENTIFYING AND MANAGING RISK TOLERANCE FOR YOUR BUSINESS

What is Risk Management?
As a small to medium business owner or executive, is risk management something you think about or do you even think it applies to your business? What is risk management anyway? In fact, what is risk?

Risk can be considered to be “the effect of uncertainty on your business objectives” and it is an inherent part of being in business. When you make investments in your business, the hope is that they will generate a positive return, but that return can be negative, positive or even far beyond your expectations. It is that type of uncertainty that we would call risk. The management of risk is concerned with reducing business uncertainty and the impacts arising when risk events do occur.


“It seems to be a law of nature, inflexible and inexorable, that those who will not risk, cannot win.”
John Paul Jones

The greatest challenge for small and medium business owners is to find the proper balance between risk, peace of mind and profitability. Trying to completely eliminate risk from your business is unrealistic and can be prohibitively expensive or cause you to institute policies that may be so risk averse that your business never grows. Gauging the correct level of risk will position a company to grow and be robust enough to withstand adversity.

So, Where Do I Start? - Identify & Assess
Risk management can be very complex, but it doesn't have to be, at first. The first step is to take a very honest and thorough look at your company and then to identify and evaluate the risk events that could impact it. Here are some of the questions that you should be asking:

- Do you really know our business objectives beyond mere profitability?
The strategic objectives in your business plan are a good starting point here, but you need to think about those business objectives that support your strategic plan. Consider things like:

  • Your ability to attract and retain the right staff
  • Business processes
  • Workplace safety
  • The environmental impact of operations
  • IT Systems
  • Your relationship with suppliers and customers
  • Regulatory compliance.

- What types of risks can impact our objectives?
This involves identifying the risk events that can specifically affect your objectives and assessing both the likelihood of occurrence and the impact upon the organization. This goes beyond looking at the downside, the catastrophe, or major issues that can hit your business. You also have to look at what new sales or growth opportunities are out there and the risk of not achieving them or the risks of not achieving them well.

- How can I deal with our risks? 
We all deal with risk every day and the same strategies we use in our daily lives apply in the business context as well. If we decide that a motor vehicle accident is a risk event that we wish to manage then we can control or treat that risk in a number of ways: We can decide to drive during a snow storm and ACCEPT the risk of an accident or AVOID the risk by staying at home. We could put winter tires on our car to REDUCE the likelihood of an accident. We buy cars with safety systems such as air bags to REDUCE the consequences of the accident. We purchase insurance to REDUCE the financial impact of the accident or we could take public transit and TRANSFER the risk of having an accident.

The same principles apply to risk in a business context. The approaches of acceptance, avoidance, transfer, reducing the likelihood and reducing or mitigating the consequences, form the basis of risk management policies and treatments which can be used individually or in combination. You should decide how to manage the identified risks to fit within your risk tolerance and resources available. Most often a combination of approaches is the most effective.

- Peace of mind vs profitability?
In the risk management world this is often referred to as “risk tolerance”. Remember you cannot eliminate all risk, so you must decide how much risk your business can accept. Achieving the correct balance is at the heart of risk management.

These questions are the basis of the complex ISO 31000 risk management standard used by large companies to manage ERM when dealing with complex and dynamic risks. This simplified process should, however, provide the tools and insight not only to allow you to quantify your risks but also to position your strategic business plan to be more resilient.

What’s Next? – Monitor & Review
Now you understand your business objectives at a comprehensive level, you have identified the risk events that can affect the achievement of those objectives, you have decided how to manage those risks and now you can sit back and run your business? Maybe not! To be effective, risk management should be a dynamic and iterative process; your business doesn't stand still and neither does the environment in which you operate. To be truly resilient you must take it a little further.

Monitoring your competition, customers, suppliers, technology and changes in the law or regulations will provide early indications of changes in your risk profile. Perhaps you may consider establishing some key risk indicators, such as commodity prices, competitor pricing or currency exchange rates. When these indicators fall below or rise above your indicator levels, certain actions may be initiated. For example, lower fuel prices may prompt a shipping company to consider highway transportation for longer hauls, but at what point does it become more economical to switch to the railways? Similarly, fluctuations in the exchange rate for the Canadian currency may influence where a manufacturer sources raw materials or in which market to concentrate sales activity.

Taking a few days periodically to review and update your risk management plan is a wise investment. The review should involve multiple levels of management from within your organization and (if warranted) a risk management consultant, to provide insights and perspectives that you may not have considered. To identify new and emerging risks ask questions like:

  • Will a change in operations, or the addition of new equipment create new risks or change existing ones?
  • Will a new supplier or customer change your supply chain risk?
  • Does a fluctuating exchange rate present a commodity price risk or an export opportunity?

Having recognized that change may be occurring, an evaluation of your risk management plan is recommended. Are your policies and internal controls at the right level? Are you reaching your target market or have new markets become accessible and if so what new risks may arise? Do you have a plan A, B and even C if things change unexpectedly? Do you have a business continuity plan if you are faced with a catastrophic event? And finally, is your insurance coverage appropriate for your business today?

What About Insurance? – An Essential Component
When many business owners think about “risk management” it’s usually limited to purchasing standard insurance protection without much consideration for other ways to protect the business. Insurance is an essential part of any risk management plan but you must understand its limitations. Insurance can mitigate the financial consequences of a liability claim or of a loss event such as a fire, or windstorm or even a major operational loss if you have business interruption coverage. But, insurance will not reduce the likelihood of a risk event occurring nor will it help manage risks that are uninsurable such as supply chain risks or strategic risks.

The optimum level of insurance is attained when your insurance is structured to provide your desired level of coverage, specific to your risk profile, at the lowest possible cost. This will raise the question of how much risk can I accept? You may be able to lower your premiums by accepting a higher deductible or you may decide that you need a higher level of liability coverage to do business in the US. This comes back to that question of peace of mind vs. profitability.

The coverage and policy limits offered by your insurance should be reviewed at least annually as your business develops. It is important to look at the detail of your policies to make sure that you are not paying for coverage you don’t need and to confirm that the policy limits are reflective of your business today. If you merely renew your policy every year you run the risk of misalignment occurring between your expected level of compensation and your actual policy limits. Factors that lead to misalignment include changes in the cost of building or equipment replacement, changes in the size of the entity insured, business development into new markets and new or emerging risks.


“One thing that makes it possible to be an optimist is if you have a contingency plan for when all hell breaks loose.”
Randy Pausch

Insurance is often considered to be a risk transfer mechanism but this is only correct insofar as it transfers the financial impact of a risk event to the insurance provider. Insurance is most effective when it is combined with activities that reduce the likelihood of occurrence and mitigate the impacts, and with business continuity planning that can provide for rapid recovery. For example, in the event of a major fire at one of your facilities, your insurance will provide you with the financial resources to rebuild or restore operations, but a business continuity plan will give you the roadmap to business resumption, allowing you to recover quickly.

It’s Up to You – Manage the Risks or Accept Them?
There is no “one size fits all” strategy for risk management. Every industry has its specific risks and every company within an industry has its own unique risks based on its culture, maturity, market position and so on. The amount of risk management activity each company undertakes will be different as well. It could be as little as an annual review of insurance coverage and consideration of key business risks for a sole proprietorship, or as comprehensive as a department with a large staff managing claims, insurance and daily monitoring of key risk indicators for a large financial enterprise.

For you, however, taking these few simple steps can kick start your risk management program and help you define and align your risk appetite with your strategy and the way you operate your business. The end result is that you should have a business that is positioned to take advantage of opportunities when they arise and one that is more resilient when adversity strikes.


“Good Risk Management fosters vigilance in times of calm and instils discipline in times of crisis.”
Dr. Michael Ong

Ivan McClelland
Principal

MENTORING - SUCCESSFUL PEOPLE NEVER ACHIEVE THEIR GOALS ALONE

In a quest to find a definition of mentoring, the term is often used interchangeably with leadership. While it is true that good leaders can make good mentors, the two roles have very different purposes.

Leaders of organizations have one main purpose: to drive the bottom line to maximize shareholder value. While very good leaders can accomplish this through their people, this is often done at the cost of managing ongoing performance, rewarding the achievement of short-term goals and training on job specific knowledge and skills. In other words, the leader directs their people to achieve the leader’s goal.

Mentors, on the other hand, altruistically impart knowledge, provide wisdom and share experiences to help their mentee achieve long term professional and personal development.

Does this mean one is better than the other? Absolutely not. Successful people have many people in their corner, playing different roles. However, your current leader cannot also be your mentor at the same time. Mentorship needs a level playing field without hierarchy.

So what would make a good mentor? Skills and experience are obvious needs. More important is the ability to empathize with the mentee. Each mentee is different. Their background, level of job skills, self-confidence and learning skills will vary widely. The mentor must be able to effectively manage the relationship. So how do you do that?

1. Empathize
You must form a bond with the mentee. To do this you must feel a connection with them. Can you handle naivety, generational differences, cultural or gender differences to name a few? If not, it may not be the right match.

2. Listen and Learn
Focus on what your mentee is saying and analyze the content. Do not jump ahead to early conclusions but listen to the end. Then take a moment to formulate a response. You can do this by repeating the important points to be sure you have them correctly. This will also help you avoid assumptions.

3. Question
In support of “Listen and learn”, ask questions to be sure you understand what the mentee is saying. The questions should make the mentee open up. “Yes” and “no” are generally answers to poorly phrased questions. Question openly as you would to a friend. Do not interrogate.

4. Back to Empathy
Apply your soft skills. Listen for tone. Watch body language. The mentee may be embarrassed by the discussion, they may feel stupid or naïve. Respond accordingly remembering that your resolution helps their soft skills and builds trust.

5. Discuss
It is your turn to speak and impart knowledge and wisdom. Be direct and thorough in your responses but keep the tone that of discussion. If you do not have a direct answer, even the discussion will help your mentee assemble their thoughts. This is not a time to expound your great theory, preach, order or threaten. You must be direct even if you find the subject uncomfortable. Do not avoid the discussion.

6. Build Trust
Trust is the key in this relationship. Following the guidance above will help you do that. Other things that will help are the location of your meetings – best informal, the tone of the conversation, getting to know a little of your mentee's personal circumstances, being punctual and being prepared.

7. Give Time
You must give freely of your time. Set meetings in advance and stick to them. Have an agenda, however informal. When you can, be accommodating, as your mentee is likely much junior to yourself and less in control of their time.

8. Follow Up
Revisit previous meetings to see how your discussions played out. Use this as a learning tool. If you offer an article, book or contact then be sure you provide it.

Following this guidance will help you to get the most out of a mentor-mentee relationship. There are some pitfalls but most are easily spotted and avoided. You are not an emotional crutch, a job network, an accomplice or an all-knowing guru.

In the next issue of The Osborne Observer, we will discuss how to set up an effective mentorship program.

Suzanne Wilson
Principal

Roger Andrews
Principal

Monday, February 2, 2015

RISK MANAGEMENT - BLOG POST BY IVAN McCLELLAND

Exporters - take a moment to protect yourself.

As the Canadian currency loses ground against the US dollar, Canadian products and services become much more attractive to purchasers in the United States. Many Canadian businesses are capitalizing on this and are actively pursuing export opportunities. Whether you are selling goods and services directly to US customers or selling through your website, you should take a moment to consider your liability risk.


Product liability risk is a type of legal risk that arises due to the manufacture, distribution or sale of products that are alleged to be defective, unsafe or dangerous. Claims can be brought against the manufacturer, distributor or retailer.  Although product liability may not be proven against any of the parties, the financial impact of the claim alone can be significant due to the cost of defending the action, particularly if you have to retain US-based legal counsel.

Exporters should consider:
  • Becoming knowledgeable on consumer laws and requirements in the jurisdiction in which you intend to do business. Significant restrictions exist for certain types of goods being sold in the US, so some research is essential. The Consumer Product Safety Commission is a good resource to start business research.
  • Reviewing the terms and conditions of any contracts to ensure that they contain adequate protection from liability, at least to the extent allowed by relevant consumer protection legislation. Check with your legal representative to ensure you are adequately covered and that the terms and conditions of your contracts are appropriate for an export business.
  • Reviewing your liability insurance to ensure that you have policy coverage and liability limits that are reflective of the US legal environment. You should consider including defence costs and claims management coverage on your policy, as the US can be a very litigious society and the costs of defending a claim, even an unjustified one, can be excessive.

“It is not the strongest or the most intelligent who will survive but those who can best manage change.”
Charles Darwin


Ivan McClelland
Principal