You can’t eliminate risks because some of them can help you reach your objectives, but you can minimize them. Douglas Nelson’s guest in this episode is Francis Liska, the CEO of OTUS Group. Francis talks with Douglas about creating a risk-aware culture, where an organization can recognize the risk before it threatens, mitigate a risk when it arises, and recover from damages from risks that might happen. Being aware of risks is never a one-man job. Everyone in the organization needs to understand risk management and why it’s important for everyone. Tune in to learn more about risk management in the social profit sector!
OTUS Group With Francis Liska
Our guest is Francis Liska. He’s the CEO of OTUS Group. OTUS Group works with social profit organizations in the area of financial management and risk management. Welcome, Francis.
Thanks, Doug. It’s nice to be here with you.
It’s great to have you. I wanted to have you on the show to talk about risk management in the social profit sector. Let’s get right into it. It’s a hot topic around board tables as organizations and boards look to reassess risk in their organizations, the sector, and the world around them as we emerge from this pandemic. What are you hearing about how organizations are changing their understanding of risk?
Organizations are certainly more aware of risks. That’s probably one of the biggest things we’re seeing post-pandemic. Nobody foresaw the pandemic and the severe impact it was going to have and people have lived through that. They’re going back to their organizations and taking a hard look at where they’re at in terms of managing risk and how aware they are of risks that might impact their organization.
How often is it the case when you’re working with or talking to an organization? Do you hear them say we need to eliminate risk or reduce risk?
We’ve heard that from time to time, but the truth of the matter is you can manage risk, but you can’t eliminate or reduce it to zero, nor do you want to, because it’s essential to take some risks to reach your objectives. What people are trying to do is to try to get a better handle on how they manage risk. We suggest to people that they want to try to create what we call and others call a risk-aware culture, where an organization can recognize the risk before it threatens, mitigate a risk when it arises, and recover from damages from risks that might happen.
As a sector, how well are we doing in terms of that risk-aware culture?
There’s room for improvement. We haven’t done a direct assessment to say where organizations are out on the risk-aware culture. Culture is not something you can measure, but you can talk about it. I’ll use an example from our 2020 OTUS Association Exchange survey of associations across Canada. We posted a question to people as to how often they review and update their risk register. The results were interesting. 50% of the respondents said they don’t have a risk register, another 7% said they don’t regularly review their register, and 7% said they review their risk register about every two years. 64% of the respondents we had aren’t paying attention or don’t appear to be paying attention to risks on a regular basis. That gives us some insights that there’s an opportunity for improvement in risk management across most organizations.
In our work at The Discovery Group, we see organizations either have a risk register that they haven’t looked at or they are in the process of thinking about developing one. For those organizations that maybe have one that’s stale or haven’t developed one at all, how do they get started? What is your advice for the CEOs who will be reading and who have been hearing from their finance and audit committee, most likely, “We need to get a risk register?” How do you start?
A risk register is part of an overall risk management process. We recommend that when people want to get started or if they’re early into the process, you want to create an awareness of risk in your organization to start to get everybody involved. Risk management is not just the job of any person in an organization. What you want to do is to start to create that overall awareness in your organization by having people understand things like, “What does risk mean? What are key concepts relevant to risk management? How do you manage risk and why is it important for everyone? How can a risk management system help the organization to better manage strategically and operationally?” Within that concept and overall concept, the risk register plays a part in tracking the risks you identify and manage them to the point where they’re managed either out or sufficiently to a level that you’re comfortable with.
Where does that risk awareness culture start?
It has to start from the top of the organization. I went back many years and started my career as an auditor. We talked a lot about the tone from the top. There has to be a tone from the top of the organization that risk management is important. It has to be a tone from the top that senior management and the board is going to embrace risk management as being important to the organization. There has to be a recognition at the top of the organization that people are willing to hear the risks that may exist and help the organization manage them.
One of the things I’ve observed is that a lot of leaders are hesitant. CEOs, in particular, are hesitant to bring the discussion of risk to the board table or to put it in any place of prominence at the board table because they don’t want to give the board a reason to not do things or to use it as an excuse to not be as ambitious, to trim sails when the sailing may be good from the perspective of the CEO. How do organizations get to the point where they can boldly take these risks, understanding what it means to their organization with sufficient mitigation in place? How do you develop that confidence in understanding something as a risk and doing it anyway?
What you’re touching on there, Doug, should get the board and the organization greater confidence to take risks that are necessary and risks that matter toward reaching objectives. The reality is people might be hesitant to take something that looks risky to them. If they can see what the risks are relevant to the objective that they’re trying to achieve and then understand how they can manage the risks and mitigate their risks appropriately to an acceptable level. I would suggest they may be more predisposed to want to do something than stepping off the ledge blindly without knowing what they might be facing.
It gives organizations the confidence to take those risks that are most important for their mission. I love that phrase, risks that matter. How do organizations effectively determine what risks matter?
I was chatting with you previously. I talked about a client of ours that came to me some years ago. The client showed me a list of some 90 odd risks that they thought were facing the organization, which I thought was large. The truth of the matter was what they did is they probably went somewhere on the internet and found a compendium of all risks that might impact you and thought they were facing them all. That’s not the way to go those things. For risks that matter, there has to be an objective. There has to be something at risk. If nothing is at risk, you don’t have a risk. What you have to do is you have to figure out what are the, what is the objective you’re trying to achieve? Maybe you’re trying to grow your organization. Maybe you’re trying to expand a financial fundraising program. Those are your objectives. What are the risks that might preclude you from reaching the objective?
The other thing too, with risks that matter, is you have to put it in context. You’re in Vancouver. I’m in Ottawa. If I’m hosting an outdoor event in Ottawa and there’s a risk of rain in Vancouver, that risk doesn’t matter. If the risk is here, then it does matter. It’s very important that people start to look into the what. Focus and start on the objective, and what might preclude me from reaching the objective or conversely what has to go right for me to reach my objective. That gets us to risks that matter.
That’s a helpful lens for boards, in particular, to view risks as they are encountered in the planning or in the operation of these organizations. We often use a tool with clients in strategic planning that we call the pre-mortem, which is, if this doesn’t work, this plan, concept, initiative, program is unsuccessful, what will have gone wrong? It’s remarkable how well that second and third layer in an organization can pretty much nail what might go wrong. Sometimes the CEO, Chief Fundraising Officer, and Chief Communications Officer may miss it or may gloss over it. You can’t get what issues in our execution are going to get in the way and what external factors are going to determine the success.
One of the challenges I hear from leaders fairly often is translating those potential challenges to the board because the board doesn’t have the insight or doesn’t have the expertise around the operation of the organization. What may seem like a minor risk or a medium level risk for some appears to be red level alarm bells for the board that may not understand how straightforward the mitigation is. That’s the language of risk in an organization. How important is it to get the board and the management team to speak the same language when it comes to risk?
It’s really important. You want everybody in the organization speaking the same language when it comes to risk and sharing a shared view of how they go about managing it. You’re leading into a very interesting discussion, going back to an engagement I completed some years ago that focused on what role the board should play in risk management and where management should be involved. There was a bit of friction going on in terms of the board getting involved in operations and being concerned about what’s happening at that level.
There was an interesting report put together by a researcher at Harvard University that I like. It categorized risks into three buckets. There was the strategic risk. Those might affect strategic objectives. The board should pay a lot of attention to that level. There was the operational risk. That’s where management should focus their attention and report on that to the board to give them comfort those operational risks that are being managed. You want to try as much as you can for operational risks to reduce them down to a very low level as most times you can. We have this third bucket of risks, which are external risks. Those are things that are out there that we don’t have direct control on, but we want to be concerned about.
COVID was a classic example. Nobody could have controlled that happening, but we learned a lot from it. We might not be thinking about the next COVID, but what we want to be thinking about the next unlikely but high impact risk that might occur, and maybe do a bit of scenario planning to think about what’s going to happen if we can’t get to our offices for an extended period because we learned a lot about how to mitigate that during the COVID situation. What’s going to happen if we have a lot of staff who are off on sick leave, how are we going to deal with that, and how are we going to keep the organization going? Those are some of the things I want to be thinking about. You’d want to get that shared view. We should be paying attention to different risks, clear upfront, and then to start to get a clear understanding about the organization, define risk, and how we are going to manage it.
It can be helpful for management teams, CEOs, and CFOs to identify what those operational risks are to the board and how they are managed within the organization, in effect, so the board doesn’t need to worry about them or pay attention to them. “Look, we’ve got this.” Where do the strategic risks lie on the board? We typically see it’s in the finance and audit committee. Is that what you recommend or is there a different way?
I’ve seen it a lot in the finance and audit committees. Sometimes boards choose to have a risk committee. I don’t see that too often, but it’s often finance and audit committees were at glanced.
A lot of the risks sometimes come down to governance or reputational risk. How do organizations manage that or even talk about reputational risk? That does not typically at the finance and audit committee.
Again, it goes back to looking at your objectives. I’ll keep coming back to that point. What’s going to drive a reputational risk. In a lot of organizations I work with of late, one of the things they see reputational risk arising from is if they have a cybersecurity incident. The objective is to make sure we have proper controls in place to preclude a cybersecurity incident. I’m very general here. If something does happen and I now say these days, it’s not a matter of if but when. You see this being so prevalent. It’s how we are going to mitigate that reputational risk. Once you understand that’s one area it could come from, what you might want to do is to think about what do we need to have in place. You want to have in place proper insurance, a legal counsel that you can call if you need them right away, and if you don’t have that in-house, some public relations people you can call upon in a hurry to help you to mitigate that risk.
One of the conversations that you and I have had over the last couple of years is the importance of defining risk when you’re talking about it. Reputational risk is a good example of that. My phrase is often “write it down.” What is the definition of reputational risk? Everyone around the board table is going to have a different personal opinion and their experiences are going to inform what they think the reputational risk is. The organization, the leader, and the head of marketing and communications will have an idea of what reputational risk is. The looseness of that definition is where I see a lot of organizations getting themselves tied into knots because, in effect, everything is reputational risk. If everything is reputational risk, nothing is reputational risk. How do you recommend organizations approach getting that definition around reputational risk or other risks written down and shared among all the decision-makers?
That’s come up in previous conversations I’ve had. The definition of the risk ties back to the objective you’re trying to achieve. That’s how I usually start to put a specific definition on the risk. Even though we look at reputational risk, it comes back to where it might arise from, if it’s something that relates to someone behaving inappropriately in the organization, then again, it might come from you have got to mitigate that. There should be guidance in place through a code of conduct or something of that nature. It could be operational, a behavior-type reputational risk. You start to look at the objectives of what you’re trying to achieve in the organization, figure out where that reputational damage might come from and start to put some definition around that relevant to the objective.
We’ve jumped in with risk as a problem and things that the sector is struggling with. I’m curious if you could think of an example or share an example of an organization that’s doing it well and how risk culture has helped guide them through either the pandemic or another crisis they may have faced.
I’m trying to think off the top of my head of an organization to give a specific example. I’m going to be a bit more general here. I think many organizations want to give themselves a pat on the back because you think about what has happened during the COVID situation, where all of a sudden, within a matter of a week, we all went home for a year. We quickly pivoted. Many organizations did that quickly. They have a lot of pain and challenges and probably still do, but they continued to operate.
That showed me that there was a lot of things in place in many organizations that, whether they realize or not, they’re already doing some risk management implicitly, but what they want to do now is build upon that to make sure they do risk management more overtly because of a great many benefits to do that. What risk management is about is improving your decision-making because you have more information to make decisions. To put it another way, risk management is about improving decision-making, so it’s more likely that you’ll reach your objectives, period.
I like that concept of improving decision-making because that’s one of the things that we see a lot of boards struggling. What are we here to decide? What are the decisions we get to make? Again, there’s a lot of often a variance of opinion around a board table about the level of decision-making the board should be involved in. In your experience, does that risk-aware culture help define that for organizations or help organizations get everyone on the same page in terms of this is what the board’s work and these are the decisions the board should be making?
It can. In some cases, it has. In some cases, it hasn’t. In cases where it has made the difference, people have embraced risk management for what it’s designed to do and had gone back to those three buckets of risks that I talked about previously. It does help the board to focus its attention. It helps the board make better decisions by understanding what has to go right and what might go wrong relevant to their objectives. The other point that I’d bring up here is that as we come out of COVID, we’re making more and more decisions. You’ve probably seen yourself throughout the run of the pandemic. There has been a lot of talk of a thing called decision fatigue, whether we realize it or not, we’re tired of making decisions and because there are so many coming at us.
The one thing you can do coming out of COVID is to make better decisions, get more information, and get better insight into the decision you’re making will help to reduce that decision fatigue and that we think even though restrictions are easing. Thankfully, vaccines appear to be working well to reduce the spread of COVID. We think that we’re done with this pandemic. We’re moving to another phase and that’s the recovery phase. We’re going to have all kinds of decisions to be made going back to the office.
There are a lot of things we have to talk about around that. How’s the organization going to look? What’s the model of the organization? Is it going to be a hybrid model, remote model, or back-in-the-office model? Has the mandate of the organization changed? All of these various things point to particular risk factors that should be considered or opportunities that may have emerged from the pandemic where the organization may have done more to help its members. Now they have to think about how we can expand upon that to get better results and what things that have to go right to help us to capitalize on that particular opportunity.
That’s a great look into the future and the opportunities that organizations are going to be facing. I’ll ask you to share your ideas around organizations that have that risk-aware culture. How do they operate? How do they talk about those risks differently than an organization that doesn’t have that mature risk-aware culture?
I’m going to refer to one of the people I follow in risk management. His name is Dr. David Hillson. He uses the tagline, The Risk Doctor. He’s got some great insights on risk management. What he’s trying to do is very similar to what we’re trying to do at OTUS Group, where I spent a lot of time on is what I call risk management made easy or simplifying risk management for organizations to try to remove some of the complexity. Back to Dr. Hillson, he came up with six questions and they’re very relevant here. It responds to your question in some way.
The first thing you want to think about is what are you trying to do? It is your objective and then to think about what might go wrong or conversely what has to go right, which are the risks you could be facing. Of those factors, what are the most important? That’s some prioritization. The next thing you want to decide is what are you going to do about them? If something’s important, you want to do something about it. The fifth thing you want to consider is if you’re going to do something about something, at some point, you want to come back and look at that to see, did it work? You want to be casting your eyes out there, doing a bit of scanning to see what’s changing and what’s different?
In an organization where they’ve got that risk-aware culture, when I talk to organizations and say, “We like this. We want to create that risk-aware culture.” How do we do it? I go back and talk about those six questions and keep bringing them up. When you sit back and think about that a little bit, we’re all doing it on a daily basis in our regular lives anyway. The things we’re going in on a regular day-to-day routine. If you can bring that into the organization at various levels, so when people are making decisions, I’m not talking about inconsequential decisions about which coffee shop to go to in the morning, but decisions in the organization that matter at every level. People are thinking about that and identifying the factors that come out of that thought process, carrying them forward, and perhaps into the risk register to track them. That’s where we start to get that risk-aware culture working. It’s a little bit like everything else in a little flywheel. You get some momentum working, it starts to catch on, and the organization can benefit from that.
Do you find that particularly in social profit organizations, that fifth question, did it work? It’s something that organizations steer away from. I see a lot of organizations making significant decisions, moving in directions, but hesitating to look back and say, “Was this the right path?” There is a fear of getting it wrong or large mistakes may be fatal, so don’t check. Keep moving forward, don’t be a pessimist, be optimistic that we’ll fix it around the next corner. How do you encourage organizations to sustain that rigor and evaluate the decisions they’re making around the board table?
It goes back to the tone from the top in some ways, starting to go through and make sure that people understand that the organization accepts and embraces risk management and is willing to accept the risk because they want to reach their objectives. There shouldn’t be a fear factor there of going back and looking back versus saying, “We’re going to do X. Did it work?” That’s part of the process. Sometimes things don’t work. People shouldn’t be fearful of that. If there’s a culture of fear that creeps into this anywhere in the organization, and I’ve seen this, it’s simply not going to work.
Risk-aware culture can reduce the culture of fear in an organization, not increase it.
I think it can. That’s one of the things I’ve been talking about in the broader sense of COVID. We are going to go back and look at some of the messaging that came out. We did so many things right in a broader sense in COVID. There was an awful lot of fearful messaging and frightful commercials that were on, which causes us to start to make decisions that are less than optimal. We don’t want fear to creep in. We want to be making decisions based on knowledge and information. Sometimes that knowledge and information can instill a bit of worry, but again, we’re doing things based upon a reasonable basis instead of something to be afraid of.
An advice that we give to CEOs and people that we get to work with is that when things don’t work out, that’s when you should tell the board things that don’t work. Often, and I’m sure you’ve had this experience talking to board members, they say, “We only get rose-colored glasses version of things. We only hear the good news. We don’t know what’s going on.” No organization operates as perfectly as these board packages indicate. We’re always encouraging people to tell them what’s not working and what didn’t work quite as well as you’d hope because it helps leaders and organizations build credibility with their key stakeholders. This conversation about risk is a way to make it easier to talk about things that don’t work if people are using those six questions to guide them.
We’ve gotten back to the fact that we’ve embraced risk management in the organization. We’re not fearful of having these conversations. We know how we’re going to do that, why we’re doing it, and we recognize the benefit of doing so. Hopefully, that strips away the fear factor and people can start to see the value in doing this.
Getting to the point where the organization has that risk-aware culture and understands these risks in a lot of ways will help accelerate decision-making, wouldn’t you say?
That’s the case because many times, you see people trying to get to the point of a decision. There was a lot of discussion going on and people might become hesitant for one reason or another simply because they don’t know what might go wrong. That’s where the fear factor comes in. Many organizations, by nature, are relatively conservative. Because they are conservative, they don’t want to do anything that might have a negative impact on the organization, which can be detrimental to taking advantage of an opportunity. Whereas if you have insight as to, again, what needs to go right or what might go wrong, then you have a greater sense of confidence when you’re making that decision, at least, you made it for a reasonable basis on good information.
Many of our readers are CEOs and board members discussing risk management around the board tables. Francis, I’m wondering if you could share that one piece of advice or the one thing you wish everyone knew and understood about risk management as they move into those conversations.
If there’s one thing I wish people knew or understood about risk management, it doesn’t have to be too difficult to do. A lot of times, we see organizations that aren’t taking an active role in understanding risk, doing risk management, or trying to get started. They think it’s too hard. It’s not the case. I’ve talked about this. In a lot of organizations, there’ll be something, some catalyst somewhere that might cause the organization to realize they need to do better at risk management. CEOs and board members are busy people. They might not have a full understanding of risk management or where to get started. I’ve used the analogy of someone going home at 6:00 or 7:00 at night. When they get a bit of time, they do a Google search on risk management. They’ll get 36 million hits or something of that nature because there’s lots of information out there. Some of it good and some of it not so good as the case is always with stuff on the internet.
They’ll find perhaps some good standards, the ISO standard or the COSO standard, which are very good sources of information, but they’re big, heavyweight, and complex with lots of terminology and jargon in them. All of a sudden, two hours have gone by and the time they have to even get to look at this has expired. That shouldn’t dissuade people from getting into risk management. What we’re trying to do is to take away that complexity, have conversations with people to explain what risk management is, how to go about doing it, understanding your organization a little bit so they can apply it there and making it easy for the organization to get started, and to start to create that momentum in the organization to create that risk-aware culture.
They can focus on the risks that matter so that they can make their mission matter more.
They can improve their decision-making. If you get to that point, give yourself a gold star because that’s where you want to get to.
I imagine it’s not a process that ends that the idea of the culture is this is an ongoing conversation.
That’s it. Like any cultural shift in an organization, it’s an ongoing thing that you can continue to improve on it over time. Let’s face it. Sometimes there will be ebbs and flows in terms of how well you’re doing, like everything else in life. When you think that awareness is something you can do and want to do it, see value in it and want to get better at it, that’s the key to being successful.
Francis, I appreciate you making time to be on the show. If people want to learn more about you or OTUS Group, how can they get in touch?
The easiest way to probably do it is to go to OTUSGroup.com. You’ll find my profile there and more about us. You can find contact information there. You can find me on LinkedIn as well. If someone wants to have a conversation about risk management, I’m always interested.
You’re the person to talk to about it. Thank you so much for being on the show.
I appreciate the opportunity. Thanks, Doug.
About Francis Liska
Francis is a Chartered Professional Accountant, Certified General Accountant, Certified Information Systems Auditor, Certified Internal Control Auditor and a Certified Management Consultant. He holds a degree in Business Administration and a Post Graduate Diploma in Applied Information Technology. He has also completed graduate studies in decision analysis.
Francis’ areas of professional interest include risk management, financial management, information protection, project management, and financial reporting controls. He has over twenty-five years of professional experience and has helped numerous organizations in the public, private and not for profit sectors, both in Canada and internationally, to implement sustainable improvements to their operations.
Francis sponsors Plan Canada, and he strongly endorses OTUS Group’s sponsorship of KIVA – Loans That Change Lives.
When not busy assisting clients, Francis enjoys world travel and getting deep into the lyrics of great music.