
Building System Resilience to Future Risk

In this episode:

While we can’t exactly predict when the next catastrophic event will be – pandemic, climate disaster, cyberattack, financial recession – the one predictable element about crisis is that it is inevitable. The current model for how we often approach crisis events is unsustainable, and better system resilience is necessary for preparation and risk mitigation for catastrophic events in future. 

For this discussion moderated by Bryan Benjamin, Executive Director at The Ivey Academy, we're joined by guests: Jennifer Lynch, President & Founder, Lynch & Associates; Doug Westlund, Senior Vice President, Principal Consultant, Acumen; and Laurel Austin, Associate Professor of Management Science at Ivey Business School. Together, our panelists explore the importance of building resilience on organizational, community, and societal levels and consider the impacts of collaborative relationship-building and future-oriented policy across multiple sectors to create a more resilient system where organizations and communities are better prepared to withstand future risks.

 


Q&A

During the livestream event, we had many audience members asking questions in the Q&A and chat that we weren't able to address live during the event. Below, Laurel Austin, Associate Professor of Management Science at Ivey Business School, provides some answers to questions from the session.

 

Q: How are mitigation plans/strategies for systemic risks different from other (possibly smaller scale) risk mitigation approaches?  

A: For systemic risks (e.g. extreme weather events, financial crisis, pandemic), there is more need to collaborate with other stakeholders to build community resilience, in addition to building organizational resilience.  This would even be true for cyber risk if there is any potential that an attack on your organization might impact other organizations (which is often the case). There is an opportunity for shared defences and shared plans for recovery, including communication plans. 

 

Q: Governments and large organizations often already invest in building resilience and taking proactive approaches through risk assessments, etc. How should we encourage small businesses to expend energy on building resilience when they might have higher-stakes stressors, such as keeping a struggling business alive?

A: This is a challenge because, given that systemic risks have large impacts, organizations already struggling are at the most risk. After the session, I received an email from a participant about this very challenging problem. He suggested that a low-cost risk assessment option is for members of a small organization to periodically sit down together to think about the risks they face, including systemic risks, and consider how they could be impacted if this risk materialized and what they can do to mitigate damage and be prepared to recover.

He gave the example that small businesses that store files in cardboard boxes in the basement (or even the floor of the first floor) are at risk of losing information they can’t replicate if there is a flood. Having foreseen this possibility leads to low-cost solutions that could, in the event of a flood, make all the difference to a small business. Working with communities to build rain gardens throughout the community can be a fairly low-cost measure to reduce the risk of flooding. Many efforts require investment of resources, but some don’t and still have the potential to make a real difference. 

 

Q: What are organizations seeking when recruiting recent graduates to bolster their cybersecurity programs, particularly in terms of risk resilience and innovative perspectives?

A: Building resilience requires changing mindsets, as well as risk assessments. Organizations need to develop response playbooks, but people need to understand them and put them in place when needed. I have had students each year over the last three years tell me that my courses on Decision Making and Risk Management have played a role in offers they have received from consulting firms that offer cyber security and risk management services.  These companies are seeking technical expertise also, but our students bring an understanding of business and, through courses like mine, of how people perceive and respond to risk. Risk management is about getting people to proactively screen for risks, assess risks, and respond appropriately.  

 

Q: Have you seen examples of organizations developing financial incentive programs for CEOs/leaders who invest in risk identification, mitigation, and management?

A: The World Economic Forum report on building sustainability and resilience is about the need for the asset management and insurance industries to encourage CEOs to invest in resilience. An example related to this may be seen in the recent decision by RBC to start reporting how its fossil fuel funding compares with its clean energy funding in response to pressure from the New York City Comptroller. This might not be a perfect example in response to the question, but it is what came to mind.

 

Additional Resources

Global Risks Report 2024 (Mercer)

Global Risks Report 2024 (World Economic Forum)

Building a More Resilient and Sustainable World (World Economic Forum)

Occupational Fraud 2024: A Report to the Nations (Association of Certified Fraud Examiners)

IT/Cybersecurity Risk Management (NIST)

What is Cyber Risk Management (IBM)

How to Build an Effective Cyber Security Program by Doug Westlund (Acumen)

 

Podcast Transcript

DOUG WESTLUND: Small to mid-sized organizations typically feel they are too small to be attacked. And it's only after they have been breached where they regret not taking the proper precautions.

SEAN ACKLIN GRANT: Welcome to Leadership in practice, your source for new research, insights and practical advice on critical issues in business presented by the Ivey Academy. While we can never predict the unpredictable, climate events, cyberattacks, pandemics, financial crimes, recession, these kinds of crises are an increasingly frequent reality for businesses.

As leaders, we need a better way to anticipate, mitigate, and navigate risk. Enter systems resilience. In this episode, we're joined by Laurel Austin, associate professor of management science at Ivey Business School. Jennifer Lynch, president and founder, Lynch and Associates. And Doug Westlund, senior vice president and principal consultant at Acumen.

Together, our panelists explore the importance of building resilience on individual, organizational and societal levels, suggesting ways we can collaborate across systems to confidently approach future oriented risk management.

BRYAN BENJAMIN: Hello and welcome to our Ivey Academy live stream. My name is Bryan Benjamin and I'm the Executive Director here at the Ivey Academy. Our topic is building system resilience to future risk. As many of us, in fact, all of us have seen and experienced, crisis events such as pandemics, climate disasters, financial recessions and cyber attacks can have devastating impact on individuals, organizations, communities, nations, and even the world as a whole.

The current model for how we often approach crisis events is unsustainable, and a proactive approach to developing system resilience is necessary for preparation and risk mitigation for catastrophic events in the future. Today, our panel is going to explore the importance of building resilience on organizational, community, and societal levels. Together, we're going to discuss the impacts of collaborative relationship building, future oriented policy across multiple sectors to create more resilient systems where organizations and communities are both better prepared to withstand future risks, but also to support risks when they do happen and to bounce back.

For this discussion, we're joined by three terrific panelists, each who have extensive expertise and experience in this field. Our first panelist is Jennifer Lynch, who is the President and Founder of Lynch and Associates, a firm that specializes in forensic accounting, fraud examination, and business valuation services.

She teaches earnings management and forensic accounting course at York University's Master's of Financial Accountability program and management accounting at Schulich School of Business. In addition, she also teaches workshops for CPA Ontario. In March of 2023, LexisNexis has published her book, financial crimes in Canada, an overview of money laundering and fraud.

Next, we have Doug Westlund. Doug has 35 years experience in technology and cyber security, primarily in the utility and telecommunications markets. For the last 20 years, Doug has been focused on supporting critical infrastructure utilities across North America with operational and cybersecurity risk management.

As Senior VP and Principal Consultant at Acumen, he assists utility executive teams and their boards with strategic planning, risk management and operational resilience. Doug holds an engineering degree from the University of Waterloo and is an Ivey MBA graduate.

Our third panelist, Laurel Austin, is an Associate Professor of Management Science here at Ivey Business School. She is-- or sorry, as a behavioral decision theorist, Laurel applies decision science and behavioral science methods to understand how people perceive risk and how information framing predictability impacts choices. She builds on these insights to develop interventions and risk communications that improved informed decision making and risk management practices.

Her research interests include risk perceptions and behavior in high risk occupations, retailer decision making, consumer insurance decisions and computer supported collaborative decision making. Fascinating topics and I can't wait to dive into some of the most recent research and thinking that she's been exploring.

Building system resilience to future risk. Laurel you know, it is such a big topic. And when we've had previous conversations leading up to the live stream, there were no shortage of areas where we could dive in and start to uncover some really interesting, sort of, perspectives and conversations. But let's start by getting a good understanding of what do we mean when we talk about resilience. So what is resilience in-- from your perspective?

LAUREL AUSTIN: It's a good question and it'll help us as a foundation for the discussion that we're having today. In part, it's a good question because resilience is a fairly new term. You know, we're hearing it more and more, but it isn't something you really heard much about maybe 10 years ago.

And also because people sometimes confuse the term sustainability and resilience. Sometimes they're very related and other times they're not. So it is important to understand the difference and what we mean by resilience. And so sustainability really refers to allowing people today to meet their needs in a way that doesn't compromise the ability of people in the future to also meet their needs.

When we talk about resilience, we're really talking about the ability of a system, whether that's a person, an organization, an industry, what have you, to withstand a shock, to withstand some sort of disruption and to come out standing, to come out, standing strong, right. To be able to carry on. So it's really the ability to adapt and recover from a shock and to keep going.

In order to build resilience against potential shocks, we need to be able to identify what the potential future threats are. And then we want to think about how to either reduce the possibility of them happening or the possibility of them impacting us. Or if they do impact us, have ways in place to help us come back and recover from those.

I think one reason we're seeing increased focus on resilience-- I was reading something the other day that said, well, resilience is a buzzword. I don't really-- I don't think it is because what we're seeing is more and more systemic risks. So the pandemic, cyber risk, extreme weather events, right. These are systemic risks, meaning they're risks that threaten entire organizations or entire systems. It might be an entire community, it might be an entire industry. And so we're seeing more and more of that.

So cyber risk, certainly we cyber-- a cyber attack can impact an entire organization. But if we think about attacks like the one in February in the US on Change Healthcare, we see an attack on one organization that was responsible for moving money around within the medical system in the US and literally crippling revenue flow in a lot of the health care system. And so, you know, attacks like that don't just impact your organization, it can impact other organizations. Or an impact-- an attack on someone else can impact you.

And so these systemic risks or climate, you know, extreme weather events. So that's another form of systemic risk that impacts large systems. And when we think about those extreme weather events, I think that's where we see the relationship between sustainability and resilience.

I guess the last thing I would say is that as we think about resilience, you know, it used to be organizations could depend on insurance. If they suffered a shock, we depended on insurance to make us whole again. Increasingly, as we have these systemic risks impacting lots of organizations or communities, insurance isn't as able to pay out. And so we really do need to be thinking together about how to build resilience and reduce the need to depend on insurance to help us withstand risks.

BRYAN BENJAMIN: Thank you, Laurel, for getting us into the right, sort of, headspace around something that truly impacts everyone at some-- you know, at some level. And even, you know, you talk about weather events. It used to be, you know, the 100 year flood seems to happen every two or three years now. Like, there's no doubt about it that we're seeing the impact of these things more frequently.

I'm going to get your voice into the conversation here, Doug. Laurel did touch on it a little bit. But, you know, given your background and expertise and your work specifically in cybersecurity, which we definitely hear a lot about often after the fact. So an attack has happened or something has gone on. What are some of the issues that you've been seeing around business resilience and how this is manifesting in organizations from a cybersecurity standpoint?

DOUG WESTLUND: Thank you, Bryan. And just to frame cyber risk from an overall perspective. 10 years ago, cyber risk was rarely in the top 20 overall risks for any enterprise. Today, in many enterprises, it's a top three risk. But the disconnect that I see is and we have a term in the business, everybody is admiring the problem versus properly addressing it.

In case in point, small to mid-sized organizations typically feel they are too small to be attacked, not a target. That is not the case at all. In fact, they're a very attractive target because they're vulnerable. And it's only after they have been breached where they regret not taking the proper precautions.

And as an example, we were contracted by a utility in the United States who had been breached and we were brought in to help in the recovery efforts. And one of the board members took me aside and said, Doug, you know, I would do anything to dial that clock back to avoid that breach in the first place. It was super painful.

The damage that they sustained was operational damage, financial damage and reputational damage. And I would say for them, the reputational damage was the most pervasive. In fact, this happened four or five years ago, they're still dealing with that reputational damage.

BRYAN BENJAMIN: Yeah no, Thank you. How many times have we been in situations where you want to dial the clock back but you know, that gets magnified when you're thinking about it from an organizational lens or perspective or even broader. And we'll dig into this a little bit more in terms of what do we learn and how do we apply some of these learnings moving forward.

So Jennifer, so excited to have you with us here today. I had the pleasure of hearing you on a panel I guess a couple of months ago and was blown away by some of the things that you and your team do. So you bring a unique perspective to this with a background and a business and forensic accounting and investigating fraud.

So how would you frame the topic of resilience as it relates to the field that you find yourself and your team involved in day in and day out.

JENNIFER LYNCH: I'm sure many individuals have received many scam calls and maybe even lost money due to those scam calls. According to the statistics, in last year, the estimated loss to all the business due to fraud is about $5 trillion globally. So that's-- when we think about, you know, $5 trillion, that's like a huge number. And many of the fraud were actually uncovered by some of the organization.

And just like Laurel said, nowadays insurance company cannot cover the majority of the losses. According to the statistics, 53% of the losses due to the fraud are actually not covered at all. And the rest, I believe, 30% only partially recovered. Only 13% were recovered due to the fraud loss. So I think for business organization, fraud risk is one of the biggest risk, you know, financial risk alongside with, you know, other natural disaster like pandemic and the environmental flood, and also like cybercrime.

Of course, there are some really bad examples of companies they don't want to invest money in preventing those kind of fraud, but in the end, lost lots of money due to the fraud risks.

BRYAN BENJAMIN: That's a lot of zeros when I hear that number. And even more shocking is the amount that is recovered or maybe I should frame as not recovered. That's pretty staggering.

So I'm going to stick with you, Jennifer, and I'm asking you to dig in a little bit more, especially because I look at Canada, and you look at-- yes, there's many large organizations and we will talk about large organizations, but there's also a tremendous number of small and medium organizations that makes up a lot of Canada. And something like this could be crippling to an organization from a financial and a business continuity standpoint.

So how do we help leaders get this at the top of their priority? And, you know, both in the medium and longer term, but also the short term. Any sort of comments or advice, Jennifer, on how do we make sure leaders don't wait till it happens to do something about this?

JENNIFER LYNCH: That's very, very good point, Bryan. And yes, fraud affect all the organizations. In fact, to small and medium organizations, they are actually higher risk than bigger companies because they have very weak, much weaker internal control. So for the leaders to improve and prevent or minimize fraud risk, first of all, they need to make sure they are up-to-date in their internal control system.

So they need to do up-to-date fraud risk assessment maybe every year or every other year based on the environment, the technology advancement. And second of all, they need to make sure they look at all the stakeholders. Do they have a whistleblower program? Because according to the statistics, you know, maybe many of us will have misconception that external auditors, it's their job to catch the fraud but that's not the case. More than 50% of the fraud were reported by whistleblowers.

So it's important for the leaders to implement a whistleblower program. That whistleblower and also protection program for whistleblowers, for them to have a safe channel to report those tips. So in the long run, the companies will not have a much bigger loss due to the fraud.

And the third of all is they need to be just like what Doug said about cybercrime. They need to work with, you know, people like Doug's company. Make sure their IT system is up to date and then they have a sufficient control system so the hackers cannot hack into their business, you know, easily.

Or maybe, for example, CE-- CFO or comptroller cannot manipulate the data or steal the company's asset easily through like easy access to the financial system. So those are the main, you know, focus that I think leaders should, you know, try to work on.

BRYAN BENJAMIN: Thank you for that. Really interesting comments and especially around a program where others can draw attention to something. Especially, you know, as organizations grow, it's very difficult for a leader to have eyes on everything. And so being able to create a safe space where people can identify potential areas of risk or concern makes a tremendous amount of sense.

[MUSIC PLAYING]

 

So part of this is still getting people to imagine a possibility that maybe hasn't occurred to them yet. And so, Laurel, I'm going to go to you next. Getting leaders to imagine, you know, an outcome that maybe they can't even fully comprehend what it could look like or sort of oh you know that doesn't happen to me. That's not going to happen to my organization. So really helping them understand what's at stake so that there's an impetus here to really act and think and be quite deliberate.

LAUREL AUSTIN: Yeah. You know, there's a lot of ways, sort of, our psychology makes us not want to think about bad things that might happen.

BRYAN BENJAMIN: If don't think about it, it's not going to happen, right. I can cover my eyes.

LAUREL AUSTIN: Yeah, there's that wishful thinking. There's, sort of, taking this myopic view, focusing on what's going on. There's also just the daily pressures, that we all, you know, tend to focus on what we have going on today. What's the, sort of, immediate crisis that we have.

And so it can be really hard to think outside the box, to be thinking about what are the bad things that might happen. But, you know, some things leaders can do to help with that are sort of scenario planning, thinking about what these risks are, how they might impact the organization. You know, like Doug said, you know, small to medium sized organizations are at risk and often underestimate how likely that is, but they are good targets.

Again, thinking about the cyber risk, right. Thinking about what is my business-- what's my value proposition, how does it depend on it, how does it depend on the internet? And if you give it some thought, a lot of organizations will find that almost everything they do now does depend on that, which means they are you know-- they look attractive when we're thinking about that.

Thinking about those, you know-- the external-- the extreme weather events, how might that impact me? How does my supply chain depend on, you know, roads or water, transportation? How might I be impacted by that? So, yeah, I think what you say it is hard for people to think about what are the bad things that might happen.

But I think with this increase in systemic risks and with fraud and so on, organizations need to be thinking more about what are the risks they face and how might they be impacted. Because you can't really prepare to respond if you haven't given serious thought to what might happen and what it is you need to protect.

BRYAN BENJAMIN: Very I think important points that you draw attention to. And it's interesting. I've heard it a few times from the discussion so far. So there's, you know, my role within an organization and planning for organizational resilience and there's also the individual role. And understanding that, you know, potentially employees within my organization may be experiencing something. So the weather event could impact an organization, but it can impact a house.

You know, fraud can impact an organization or it can impact an individual. Cyber, same thing. And just sort of recognizing that we're all navigating through this. And the more we can do collectively, I think, the stronger we are individually as well through this. There's a comment that I'm going to draw attention to and then we'll keep moving along.

But-- so the question around how does this topic differ or where does it differ and maybe not with disaster recovery and business continuity planning, enterprise management planning? Any one of the three of you can dive in and tackle this one.

DOUG WESTLUND: I'll chip in, Bryan. My perspective, we do a lot of DR plans, business continuity plans. That's an after the fact issue of OK, you have had some form of impact. You need to execute those plans. What we're talking about here today is the front of the piece, which is building your resiliency, so that doesn't happen or if it does happen, that you can recover as quickly as possible.

BRYAN BENJAMIN: That's a helpful phrase. Is we want to avoid if we can, I'm not even sure it's the right word, but avoid, mitigate, so minimize. And if it does, hopefully be able to navigate through and bounce back.

[MUSIC PLAYING]

 

Laurel, you were very deliberate when you talked about bounce back strong. It doesn't have to always be stronger. That's the big aspiration but let's start with strong and then maybe there's a learning to be stronger.

LAUREL AUSTIN: I do think organizations that I've talked with who've had some major disruption find that as they recover from it, it makes them stronger. They find it makes them more resilient in general.

And so it isn't that you necessarily develop resilience toward one particular risk. But in thinking about your organization and how it interacts with other organizations, other stakeholders, it helps you-- and as you maybe do some scenario planning, thinking about what might happen, it just helps you create that mindset for being able to respond to crises when they happen. So it isn't like you have to try to prepare for everything, but think about what are the biggest things you want to prepare for.

And I think for leaders, you know, related to that question of what they want to understand is, you know, there's this tension, right, we have between short-term shareholder value or short-term profits and long-term resilience. Because building resilience does require resources. Human resources, capital, financial. You know, you have to invest in things to protect yourselves or developing ways to recover. And so there is that tension and that can be really challenging for leaders to walk that line.

BRYAN BENJAMIN: Yeah, that short-term, longer-term pull. Absolutely. Really important point there. There's a comment around reputational risk. So we've talked a little bit about financial impact to an organization and from a business continuity and a disruption. Maybe I'll give you a little bit of time to think about it as we dig in. But I'd really appreciate if you had an example of either an organization or an industry where maybe there was a reputational damage done and how an organization was able to move through it.

So have that in the back of your mind. And I'm going to come back to that one a little bit later. Or an organization that's maybe doing a really good job as it relates to their considering reputation in the context of risk and resilience.

So, Doug, I'm going to bring you back in here. And, you know, given some of the work that you've done over your career and are up to these days around more system-wide thinking, right. So, yes, we can go organization by organization, but there's something to be said for if we can help the system, those within the system benefit as well. So what are some of the things that we should be considering and maybe doing as leaders and organizations think about creating resilience for entire systems?

DOUG WESTLUND: Yes, it's a very good point. And once again, from a cybersecurity perspective, for critical infrastructure, you know, examples, electric utilities, water, gas, the transportation sector, and let's say banking, you know, any cyber breach in any of those sectors has significant or could have significant impacts on everything. So we need to understand that it's bigger than just any one entity.

So creating collaboration within industries is very important. Interestingly enough, in the utility sector, there's a lot of that going on, but they're also non-competitive so it's more of an enabler. A little more difficult, if you're in the telco sector or financial sector. However, there are signs of that. And what I would look towards would be some more cross sector planning. So, OK, I lose power. How is the banking sector going to recover?

And I think that, you know, it's really about creating these collaboration networks, sharing practices, learning, being able to defend as best as possible. And then just to weave in the whole leadership theme here, you know, clearly it has to be, you know, right at the top, the leadership assumes responsibility, manages via risk management process and does some outreach to, you know, other peers, to other industries, you know, for a better overall approach.

BRYAN BENJAMIN: Are you seeing any sectors either leading the way or taking some important steps forward as it relates to more system-wide resilience planning?

DOUG WESTLUND: Certainly the electric sector, which I'm most familiar with, and that's actually good news because we all would want to hear that. You know, they have not only regulations now, but they have joint industry efforts.

They also have a cyber mutual aid program largely in the US. Canadian utilities can participate where one utility is knocked off from a cyber attack, other utilities can assist, just as they would in, say, a storm that knocks out power lines. So that's called cyber mutual aid. So that's one example whereby that industry has really stepped up in a collaborative fashion.

BRYAN BENJAMIN: Yeah, that's great to hear. And well, they impact many other sectors as well given how much we rely on what they do. I want to come back to the topic. I gave you fair warning around reputational risk. And I don't know if you had, you know, either a specific example, or where and how reputational risk is factored in to resilience. And again, I'll throw it open to any of you who want to tackle this one.

DOUG WESTLUND: I can jump in, Bryan. So one thing that's very prevalent today are vendors that are being breached that ultimately create damaging situations for their customers. And many of these vendors then have very difficult time, you know, repairing that reputational damage.

They have financial losses, some are going out of business. And for many of them, they clearly did not [AUDIO OUT] cyber security properly, didn't understand the impact eventually to their customers. And now that is coming back to bite them. So that's called the supply chain risk management issue up there. But it's around vendors.

LAUREL AUSTIN: Yeah. I mean, the one that comes to mind when Doug talks about that is SolarWinds in the US, which had, I think it's still considered the biggest hack that we've had. I'm not sure if it's still the biggest, but it was in 2020, right, where they were a vendor, right, with software that was used by over 18,000 customers in the world. Ultimately, I believe they figured it really impacted about 100 organizations. But those included key, you know, US government agencies that used their software. You know, when you're an organization suffering that kind of attack, it obviously impacts your reputation.

Some things they did was they really worked with-- they did try to build a community to-- they communicated a lot about what was going on, working with their suppliers, working with their customers. And, you know, really trying to make things better with respect to cyber risk. But yeah, it can clearly have huge impacts.

I think Bryan, in terms of your question earlier about community approaches. You know, as we think about climate risk and severe weather events, there's a really nice initiative in the US by the Army Corps of Engineers they call Engineering With Nature, which is really about trying to use nature-based solutions to make communities more resilient to severe weather events. And they have a website with all kinds of information.

They're really dealing a lot with water infrastructure, which is, you know, critical to supply chains, critical to, you know, power generation and so on. Critical flooding. They deal a lot with flooding, which is impacting so many communities. You know, building ways for communities together to build resilience to those potential extreme shocks. So really something I would point people to as an interesting example of we can work together to try to reduce some of these impacts.

BRYAN BENJAMIN: Great example. And thank you for bringing that one forward. We're going to shift into being able to talk about proactivity and measures that leaders can take. If somebody starts, it almost feels like it's endless, right. It's my gosh, I could go here, I could look at this and uncover this. It's like an onion. You keep peeling and peeling and peeling.

So without becoming overwhelmed, how can leaders and organizations who are actually taking this real proactive stance, but it could quickly become almost overwhelming in terms of what are the big and most urgent ones versus maybe, yes, this is a risk, but it's not as urgent or as pressing. And if I had to focus my energy, I'm going to start here and move there. How do we help people maybe prioritize and start to balance their risk mitigation efforts and discovery?

LAUREL AUSTIN: You know, I think one thing is, you know, leaders want to get in the mindset, I guess, of trying to monitor the environment and see what are the systemic risks that they face. So the World Economic Forum every year publishes a global risk report and they survey-- like this year they surveyed over 1,500 global experts on risk. And they-- one of the things they're asked about is to rank what are the biggest risks that organizations need to be concerned with in the next two years and in the next 10 years.

In the next two years, two that are in the top four are severe weather events and cyber risk. In the next 10 years, we see more and more of that focus, the concern about severe weather events, lack of resources, change in biodiversity. So, you know, for leaders to be able to use, you know, reports like that to see what are the future risks. Because to build resilience, you need to be thinking about not just what's going on today, but what do I think is coming in the future, and how do I imagine that, how might it impact me and then what do I do about it.

And then once we're thinking about those systemic risks, thinking about what are the system-- what do I have of value, what's my-- what's my business proposition, what am I concerned about. What are the other-- who are the other actors who influence how I'm impacted, who are the other actors who are impacted by things I do, what technologies are in place or might we need. And thinking from that systems perspective. So we've talked about systems to some extent.

There are nice tools available. There are methods to map out the systems that we're a part of, and who are the actors, the technologies, the things that really matter that influence what happens to us or how we impact others. There's nice tools for doing stakeholder mapping to understand who are all those other stakeholders who are influenced by me or who influence what I do or influence what I sort of experience.

So for business leaders to become aware of how to scan for risks, and then think about adapting, building a systems thinking kind of approach, which I think is quite different than we've had to do traditionally.

DOUG WESTLUND: If I could add to that-- to what Laurel said. Also, you know, taking her perspective of the bigger picture. But in conjunction with formalizing a risk assessment process, because everybody's risks are a little different. So formalizing that risk assessment process where by identifying risk impact. And as we all in the, you know, the world of risk, it's all about prioritization. And there's no substitute for formalizing that risk assessment process.

BRYAN BENJAMIN: And the prioritization, I think, makes a lot of sense. You can't do it all. Let's not lose it all but let's figure out, OK, which are the non-negotiables that we need to address. Jennifer, I'm going to bring you back in. And I think there's some interest, not surprisingly, in your comments around whistleblower programs.

And any advice around, you know, organizations maybe that you've seen set up a program and how have you been able to-- you know, how have they been able to implement that and especially as it relates to making people feel safe and secure to be able to put something forward through a whistleblower program that maybe they've seen or experienced.

JENNIFER LYNCH: Yes, that's a very good point. And also I want to tie this into the risk assessment that Doug and Laurel just mentioned about. For many companies, which has very successful risk assessment and also fraud policy, they actually have a really detailed, comprehensive plan in place. They do risk assessment.

So, for example, organization, what kind of risk are the highest to this type of organization and do we have the system in place when this kind of fraud has occurred. What are we going to respond. Because that will affect the reputation of the organization also financial impact as well. And for many companies, they do, especially bigger organizations, they do have whistleblower program.

Traditionally, whistleblower-- many is usually done by telephone hotline. But nowadays, because of technology and more and more people prefer to do it online or by email. So more people want to report by email. And also there is whistleblower protection law in Canada and the US. They are still pretty weak because, especially in Canada, it's just started, I think, you know, around 2007.

And still many people don't want to come forward because they face a lot of challenges like, you know, like termination of employment or being caught like spy or traitor. So those negative things or maybe lose their job. Or especially if they don't have the strong evidence to support the claim and the organization might sue them for defamation. So it's essential for the organization to build the culture from the top that they are protected.

And then also, you know, there's channel. Very, very good channel for them to report whatever wrongdoing they've noticed. And also for some-- I don't know if you guys know that recently Ontario Securities Commission has started, you know, rewarding the whistleblowers financially. You know, sometimes I think they can receive up to $1 million, you know, for reporting fraud. I think that's a really good, you know, motivation for the whistleblowers to come forward as well.

BRYAN BENJAMIN: Interesting. I'm going to do a bit more research on that. But I'm going to pick up on your comment around culture. And we know that culture is so critical in terms of building environments where people feel safe and protected and the ability to make sure that if they are seeing something or experiencing something that they're willing to share. And so for sure, it needs to be a tone set for the top, I think as you had mentioned. But ideally, something that's cascaded through all levels of leadership.

And whether it is a formal program like a whistleblower program or whether it's also just the confidence that I could have a conversation with somebody internally about something that is worrisome or concerning. Or, you know, we can also frame it to maybe an idea I might have to make an organization even more resilient or even stronger, and we just get people talking. I think it's always nice to be able to bring as much into the conversation as possible.

Let's go back so that we can dig in a little bit more in terms of what kind of proactive measures do we need to see from leaders really across all sectors and industries to continue to shift towards more system resilience? We've touched on some of them already through comments, and it's been, I think, quite helpful and enlightening. But let's really dig in here and go deeper on what are the proactive measures that you'd like to see or maybe that you are seeing already that you'd just like to see more of.

JENNIFER LYNCH: In terms of fraud, more proactive measures for the companies they usually take is more surprise audits. So sometimes, especially for small to medium-sized company, they don't want to invest in auditors or any-- they don't want to spend the money for, like, external auditor or even hire internal auditor. But it's essential for them to invest in internal auditor and also rotate the roles, separation of duties.

Many time-- a lot of times when smaller organizations lose money due to fraud is because they are reluctant of investing in like hiring more people or more auditors to monitor or, you know, to check other people's work. So that's, I think, one proactive.

And the second one is they need to have a code of conduct or like a policy in company policy in place. They can't just have a, you know, whatever standard policy. It's been there for 20 years. They have to update it, you know, yearly basis. They have to communicate the policy to the employee through training so that everyone in the company have this proactive, kind of, mindset to protect the company as a whole, also protect themselves as well from those kind of risks.

[MUSIC PLAYING]

 

DOUG WESTLUND: Picking up on the risk assessment. So that is a proactive measure of being able to understand where your risks are prioritized. But then after that, the understanding that there is an investment that's required, capex, opex, resource time priority, and that's something that needs to be, you know, accepted commensurate with the risk. But this stuff doesn't come for free. And that goes back to Laurel's earlier point that, you know, you do need to be investing in this resiliency program.

And, you know, once again, come back to the leadership team, the buck stops there. So the leadership team themselves need to be active and visibly supportive of such a resiliency program, and moving the ball forward.

LAUREL AUSTIN: I think one thing we need to do proactively is start thinking more broadly about risk governance, which risk management is sort of one part of that but risk governance really has to do with looking early for signs of risks, doing those risk assessments, understanding what we know and don't know about the risks. Any risk governance model, the international risk governance agency, the IRGC risk governance council has a nice white paper online with a risk governance model that has a lot of information about how to think systematically about managing risk.

At the center of their model is stakeholder engagement. And I think that's going to become increasingly important for organizations to understand how to think about who are the other actors, who are the other stakeholders that are relevant to the risks they face. Who do they need to work with. How where do we need to be making shared decision making.

You know, if we think about infrastructure and risks, threats to infrastructure, well, we're all interested in the infrastructure, right, that we depend on. And so for agencies, for organizations that run, that manage infrastructure that we all depend on, I think it's becoming increasingly important to have methods in place to proactively engage with stakeholders and make shared decisions.

Because these are big decisions. They take actions by a lot of people. There's a lot of resources needed to build community resilience or resilience within industries. And so how do we proactively identify, who do we need to work with, who do we need to talk to, who needs to be involved in shared decision making.

I think shared decision making becomes more and more important as we think about these, sort of, broad, you know, pandemic, you know, financial sector, cybersecurity, climate, extreme weather events, these big systemic risks. It really is kind of a new mindset. And it's not just managing my organization, but my organization within a system, and how do I act within that.

[MUSIC PLAYING]

 

BRYAN BENJAMIN: I can give you each an opportunity here to share a few final words around advice or important takeaways. We'll let you frame it how you want. But if you could help our participants, sort of, walk away with a few tangible pieces, whether it's about, you know, the insight or whether it's about an action they could take or whether it's about something that they just need to be aware of. I'm going to start with Jennifer on this one.

JENNIFER LYNCH: Thank you so much, Bryan. And I have learned a lot from the discussion myself. I really appreciate that. I really appreciate everyone joining. And my final thoughts are there's many risks, right. There's financial risk, fraud risk, natural disasters, operational risks. In general, I think leaders should take a proactive role. And building business resilience is not just like stand alone, kind of, strategy, it should be implemented as the company's strategy as a whole.

And it should be not just on the organization side, it should be the organization and also stakeholders as a whole to work collaboratively, you know, to continuously improving the system and how to prevent and minimize the losses from those kind of risks. And, you know, the second of all is to-- we mention a lot of time about risk assessment and policy. Risk assessment and implement proactive methods, you know, to adapt to the changes in the environment.

Thirdly, is the technology, as we know that, you know, especially now, the threats are more and more sophisticated, meaning that the companies, we also have to be more and more sophisticated in protecting us, you know, not just defend, but protecting us from cyber attacks, from fraud, from all other kind of risks by, you know, continuously learning the technology and the AI machine learning just up to date to the-- you know, with the technology.

DOUG WESTLUND: I'll just pick up on what Jennifer said. You know, leadership, of course, that's the key theme here today. That is, you know, in all forms of risk. And then if I go down the cyber path, the leadership team needs to assume that responsibility. Education and awareness is critical. Defining roles and responsibilities right up to the board of directors is very, very critical. In fact, most boards today don't understand what they should be doing in the area of cybersecurity oversight. And from there start to measure and quantify your risk, cyber in this case, and then start to manage those appropriately.

BRYAN BENJAMIN: The defining roles. That way, there's not that risk of well, someone else is paying attention to that and they're thinking someone else is paying attention to that. And wait a minute, you know who's paying attention? Is anyone paying attention? And within that, is, OK, I have this piece, they have this piece. So getting very prescriptive, I think of the different roles, as you mentioned, right from the very top.

Like anything, what gets measured gets done. And an element of being quite specific around what those measures and what our expectations and outcomes could look like. So, Laurel, you get the benefit and the challenge of going last.

LAUREL AUSTIN: You know, some of my key final thoughts. One is for-- you know, for publicly held organizations or for, you know, sort of infrastructure organizations which are accountable to governments, often. You know, how do we acknowledge this tension between short term profit or short term, you know, managing our costs and long term building resilience.

You know, because as organizations, as communities, we need to be resilient, right, in the long term. And there's a lot of pressures to focus on short term. And so how do we acknowledge that tension and then how do we start to work within boards and with our shareholders, with our employees. What processes do we have to put in place to start rewarding, encouraging thinking about resilience and building for the long term and not just for the short term.

Which is a challenge to a lot of organizations, right. A lot of performance measurement systems are built on what are our revenues, what are our profits this year. What kind of bonuses do we give people this year based on our performance this year, which focuses us all on the short term. So it really is a different mindset to be thinking about long term. How do we build resilience, how do we recognize that tension and how do we act proactively take it on.

To say, you know, we need to balance, balance this and that. That is a challenge, I think, for organizations. Bryan, you mentioned strategy and Jennifer mentioned strategy, and I do think that's important. I know Hydro One in Ontario has a really nice enterprise risk management system in place where they really start out saying, what are our objectives, what is-- what's our strategy. What are we trying to achieve? What are the threats to our strategy-- to the strategic objectives that we have and working as an organization?

And so there might need for more organizations to be thinking about how to implement enterprise risk management processes within their organizations. Traditionally, I think it's large organizations and financial organizations that really think that way. But, you know, maybe, you know, within reason, we want to be thinking about that more within smaller and medium-sized organizations as well.

So I think, yeah, just resilience. Big topic. Lots of-- but really thinking future thinking, right. Thinking about future threats, and how do we build our resilience to those threats.

BRYAN BENJAMIN: Yeah, I really appreciate your calling attention to that sort of dynamic tension between the next 12 months, and the next 12 years and beyond. And the reality is, is you need both, right. So we need to pay attention to short term so that the organization, you know, kind of continues to move forward but we can't do it to the exclusion of thinking longer term and making some of those trade-offs.

So, it's, I think, a real challenge and an opportunity for organizations to get the right balance between both. Thank you, Laurel. Thank you, Doug. Thank you, Jennifer.

JENNIFER LYNCH: Thanks for having us.

SEAN ACKLIN GRANT: Thank you for tuning in to Leadership in Practice. We'd like to thank our guests Jennifer Lynch, Doug Westlund and Laurel Austin. Leadership in Practice is produced by Joanna Shepherd, Rachel Jackson and me, Sean Acklin Grant. Editing and audio mix by Carol Eugene Park.

If you like this episode, make sure to subscribe. You can also find more information by visiting iveyacademy.com or follow us on social media at Ivey Academy for more content, upcoming events and programs. We hope you'll join us again soon.

[MUSIC PLAYING]

 

 

 


About The Ivey Academy at Ivey Business School

The Ivey Academy at Ivey Business School is the home for executive Learning and Development (L&D) in Canada. It is Canada’s only full-service L&D house, blending Financial Times top-ranked university-based executive education with talent assessment, instructional design and strategy, and behaviour change sustainment. 

Rooted in Ivey Business School’s real-world leadership approach, The Ivey Academy is a place where professionals come to get better, to break old habits and establish new ones, to practice, to change, to obtain coaching and support, and to join a powerful peer network. Follow the Ivey Academy on LinkedIn, Twitter, Facebook, and Instagram.