Risky Business

Business ownership involves risk. We all know that, but how much risk is too much risk? One's risk-tolerance is usually expressed, at least initially, as a qualitative statement about what one's "gut" says; something like "moderate", or "limited". Arguably, such statements are about as useful as a milk-bucket under a bull. So, the CISSP Common Body of Knowledge proposes a few quantitative formulas to help us out. Introducing the "Single Loss Expectancy" (SLE) and the "Annualized Loss Expectancy" (ALE).

Simply put, the SLE is the potential cost of a single event, and the ALE is the cost of such an event spread across all the years between events. Such formulas appeal to the executive members of organizations because they give actual numbers that can be used in making "fact-based" decisions. So, the cost of a particular event is $x, and the event can be reasonably expected to occur every y years. Your ALE becomes $x/y. Nice. Clean. Simple. Now we know what our risk on that given event will cost, and we can factor its management into the budget. Or can we?

Risk Management generally applies one or more of four strategies: Avoidance, Acceptance, Transference, and/or Mitigation. Avoidance means not doing whatever leads to the event in question. If the event is the loss of the entire executive team in a transportation accident, the risk can be avoided by not allowing the c-suite to travel at the same time. But if the risk is a breach of the computer network, deciding not to use networked computers may not be a viable solution. Acceptance means what you would expect; yes, there's a risk to the c-suite all traveling together, we acknowledge that risk but will keep doing it. This is an informed decision, no action required. Transference is making some other arrangement so that the risk is addressed in some other way. Buying what is known as Key-man Insurance on the entire c-suite would transfer the risk of them all being lost at sea to the insurance company (though I doubt this would be practical). Finally, mitigation is the handling of the risk. If the executive team never travel together, the risk of an empty c-suite due to a transportation accident is mitigated, though maybe not eliminated. Calculating the SLE of a particular threat is a natural part of the lead-up to a risk management plan. In order to determine a useful SLE however, one had better make sure the scope of the risk is adequately analysed.

As mentioned earlier, identifying the ALE is the process of determining how much a risk might cost over a given number of years. Common wisdom would say don't spend more than that amount trying to manage the risk. Furthermore, the more efficiently and effectively one can manage a risk, the better. The challenge however, is in accurately identifying all the composite parts of the risk event. Obviously, some risks have fewer moving parts than others. In the world of Cyber-security the knock on effects of an event can quickly become bigger than the event itself.

A case-in-point is the story of Danish hearing aid manufacturer Demant. On September 30th, ZDNet published the story discussing how a ransomware attack on Demant has cost the company $95M in one month. According to the story, Demant announced their trouble on the third of September, and by the publication date had not yet fully recovered. To be fair, I wouldn't begin to suggest that I know all that took place in this story, and admit that I am comfortably playing armchair analyst. However, I will make a few observations here as a thought experiment with the aim to help my readers avoid similar situations.

Of the risk management strategies discussed earlier, there is no way that Demant, or any other organization, could "avoid" a ransomware attack. Doing so would require disconnecting their computers from the internet, and maybe even getting rid of them all together. There is also no reason to suspect that Demant just "accepted" the risk and went about their business with their collective heads in the sand. Quite the opposite in fact. The story makes a couple of key points that illustrate that Demant included in their risk management a transference strategy. This is shown in that they have a $14.6 million cyber insurance policy. That is double the $7.3M required to recover and rebuild their IT infrastructure.

Demant Stock History (www.demant.com)

So if they had insurance for double the cost of their IT infrastructure, how did this event cost them $95M? According to the report, about half of that represents lost earnings, while the rest includes missed opportunity to implement a planned expansion. Demant seems to be a significant player in their field, and with stock prices still sitting at ~$25 per share, I would suspect they will rebound. But the question remains, how did this get so out of hand? Without inside knowledge, one is left to posit that the initial calculations of SLE did not take into account the amount of time it would take to restore the IT infrastructure and, by extension, the lost revenue during that time. I would also doubt that the individual calculating the SLE could have known that an expansion would be planned at the very time that the event occurred. It would be my guess that an assumption was made that new equipment would be bought, or existing equipment would be restored to factory defaults, and the back-ups would simply be applied. Done. Easy, right?

My grandfather used to say: "You don't get what you expect, you get what you inspect." While Demant can be credited for their implementation of a transference strategy, this story shows that transference is not necessarily enough. We can see that the risk from a ransomware attack could not be transferred to an insurance company because they only deal with the exchange of funds. In our earlier example, if the insurance company pays out the key-man policies, the company would still have to hire the replacements. Here, it would appear that though there were funds for the infrastructure, the restoration took significantly longer to execute than expected. This could be the result of corrupt back-up media, limited scope of back-ups, or any other number of failure points in the exercise. Unless one actually goes through the motions, and actually tries to restore from back-ups, one is rolling the dice. What would risk mitigation have looked like? Demant should have at least tested their ability to restore from back-ups. Or at an extreme, they could have had a complete segregated IT infrastructure sitting in the wings, ready to go at a moment's notice. While the setup of such an environment may have seemed cost prohibitive at the outset, the events that transpired over the past month show that greater mitigation was in fact warranted.

---

Photo credit: "Destiny" by Dave Gough (cc-by 2.0)

Minimum Wage - Another Piece of Straw

I read "Restaurants 'taking from Peter to pay Paul' amid minimum wage hike" by CBC Marketplace and thought "here we go." I knew that the minimum wage hike was not going to have the desired effect, but I am quite disappointed that businesses are taking their hardship out on their employees. Once again, those who can least afford to pay, are going to shoulder the burden for everyone. Maybe this is the time to review wages across the board.

Now, I can hear the business owner's cry out "yes, but it's not our fault, the government saddled us with this burden, and s**t rolls downhill." I'm sorry, that is not acceptable. The actions shown in this Marketplace report, and those of certain Tim Horton's franchisees are unethical. Not only should you not be surprised when the public blames you, should should be ashamed for having tried it in the first place. I have written extensively on Ethical Debt in the past, check it out if you don't understand. The citizens of Ontario need to be made to see this for what it is, an increased tax on business. Like all tax increases, it will work its way through the entire supply chain, and end with the person purchasing the final item.

If business owners feel hard-done-by, why don't you take it out on Kathleen Wynne? When June 2018 rolls around, the populous of Ontario will vote, and the Wynne government will be unaffected (or even rewarded) for this tax because people will not see the long-term impact of her actions. Any rage that is generated, will be directed to businesses who are seen to be greedy by those with little or no knowledge of the true costs of entrepreneurship.

Instead, I suggest that you embrace this increase, and propagate it throughout your organisation... and quickly. Ask yourself, why do some people make more money than others? Does the person who makes more than minimum wage really add more value? If so, how much more? Then adjust her or his wage accordingly. If not, this becomes a training opportunity. This is an opportunity to begin paying people based on the value they provide, rather than the minimum that is required. It may seem trite, but if you care about your people, they will care about your business.

Obviously, these increases will have to be reflected in the prices of goods and services. After all, you are in business to earn a profit, not as a charity. However, I am not proposing that you have carte-blanche to gouge the consumer, but it is appropriate that your expenses are covered. And when the consumers are upset by the hit on their pocket-book, they will direct their anger to the person who initiated the hit, Kathleen Wynne. If you hold off, and try to survive, you will not only be putting your business at greater risk, but you will be letting the Wynne government get away with this attack on your livelihood.

We are all camels here. Each one carrying a burden for the values that our society holds dear. Let us be careful not to transfer our straw to our neighbouring camels, but rather refuse any additional straw that is placed on us just to win votes.

Who's Your Best Teacher?

Unknown image source. Please advise if you know who to credit.

I saw this today, and initially thought "yeah, that seems true," but then I quickly changed my mind. While recognizing the lessons that a mistake teaches is important, there exist many better teachers. The problem with this statement is that some mistakes are so expensive that they may render the lesson useless.

I occasionally say "Nobody is completely useless, they can always serve as a bad example." A better teacher is someone else's mistake. The beauty of this teacher is that it doesn't cost you anything.

Now if you just spend your time looking at other people's mistakes, you may be making the mistake of not focussing on your own business. That's where Management Consultants come in. Yes I know, we're not free (in fact most are not cheap either), but the money invested in hiring a management consultant can at least be budgeted.

So, your "best" teacher may actually be a management consultant. You focus on running your business, and hire me to address the concerns that are keeping you up at night.

Let's talk. Give me a call for a free consultation.

Gambling on Bailouts

Credit: Phil Long

So, according to the Business News Network (BNN), "Canadian taxpayers [will] lose $3.5B on [the] 2009 bailout of auto firms". Does this surprise you?

If a company cannot make it on it's own, what made anyone think that bailing it out of trouble would change anything? It's just a matter of time before the big automakers come, hat in hand, looking for more. Of course, the unions wouldn't agree. As reported in the BNN story, the unions would rather see the government strong-arm the companies into expanding operations. After all, the unions are big business, and they want a bailout too. That $3.5B would have been much more usefully invested in public transportation, or some clean energy venture.

If you open a generic donut shop next to a Tim Horton's, should you be surprised that it fails? One of the reasons that the Future Shop stores are closing is because they are often located in the same neighbourhoods as Best Buy. I'm just glad that nobody from the government offered to bail them out. The fact of the matter is that poorly run companies close. Likewise, employees who demand concessions that force the companies into a bad position, lose jobs. It's all very unfortunate, but not very surprising.

There are many people with new clean energy ideas that don't have the funds to get started. If the federal and provincial governments are prepared to just throw away $3.5B, imagine the jobs that could have been created if they just gifted $1M to 3,500 companies in the clean energy sector. Imagine the progress that we could make on climate change? Rather than Canada being a manufacturer of greenhouse gas emitting machines, I for one would like to see Canada become the world leader in clean energy research and development.

WR

What's the FUTURE of SHOPping?

Based on photo by Andrew Todd Phillips (CC-BY-SA-2.0)

Here we go again! CBC is reporting that another 1500 retail jobs are lost in Canada as Best Buy shuts down its Future Shop subsidiary. Best Buy bought Future Shop in 2001. I would have expected them to have sorted out the competing stores well before now.

I get it, big fish eat little fish, and there will always be a bigger fish. As I understand it, the employees are being well treated and presented with choices. But this still annoys me. Another Canadian brand dies at the hands of an American company.

The Government of Canada should force any companies that buy Canadian businesses to leave the country if they find that they cannot make it here, and restore the brands they destroyed. In this case, it should be the Best Buy stores that are closing, and the Future Shop stores that remain. It may sound like semantics, but every day, Canada is losing a little of its identity.

Admittedly, the real trouble is that Future Shop shareholders valued the $580M more than the pride of owning a piece of a successful Canadian brand. I suppose in hindsight, they are probably happy to have been rid of it instead of having to do battle with the American giant.

In the end, this is another example of a retailer shooting itself in the foot. They say it's because they are losing to online shopping, but they are hosting online shopping websites. Retailers have to provide value to the consumer that cannot be matched in the online world, and focus their efforts on that. Here's a common scenario. You go into a retailer and stand in the aisle comparing two products. Magically, a sales associate appears and asks if you need help. You say "Yes, I'd like to know what's different between these two brands other than the $50 price difference." And the well meaning sales associate proceeds to read the two boxes. You walk away thinking to yourself: "I should have just read the reviews online and ordered it there."

The Art of the Start 2.0 - a Review

If you're looking for a book to show you the easy way to start a business, keep looking. But if you're looking for a book that will tell you how it really is, this is your book. In The Art of the Start 2.0, Guy Kawasaki breaks down the process of starting a business into clear steps. What he doesn't do is sugar coat it. This book should be required reading as part of every MBA program.

If you are not familiar with Kawasaki's writing style, you may be caught off guard... in a good way. It is decidedly refreshing to read an entrepreneurial book that cuts the crap, and tells it like it is. The world is full of Nike-preneur Evangelists telling you to "Just Do It", but very few telling you "How". Don't expect this book to take away the fear of starting a new venture, but you can expect this book to help you avoid certain key mistakes.

I have read the first Art of the Start ten years ago, this is much more than just a rehash of version 1.0. This book is filled with many new concepts that didn't even exist 10 years ago. To say that this is just a better Art of the Start is like saying the Ferrari is just a better Model T. In version 2.0, Kawasaki revisits several areas that were covered in 1.0, but where changes in society and technology require a new approach. Since my copy of The Art of the Start 1.0 grew legs and walked out of my library, I can't tell you how much of my impression that this version is better is attributed to the revision, and how much is attributed to me being ten years older and more mature. But either way, whether or not you read The Art of the Start, you owe it to yourself to read this revision. You won't be sorry.

#‎artofthestart‬

WR