Originally published in SPS-Blog, December 21, 2018
In using the term “activist,” I am not referring to high-pressure tactics used by some hedge funds and private equity investors to influence management decisions at private and public companies. I am also not referring to the individuals or groups that protest for or against specific political, social, or business decisions. Rather, I see “activist” as someone who stays on top of current needs and conditions and who also looks to the future.
Interestingly, Merriam-Webster’s online thesaurus does not contain an entry for “activist.” Microsoft Word’s built-in thesaurus, however, suggests several appealing synonyms: forward-looking, innovative, advocate.
A vulnerabilities activist works to stay on top of emerging risks and also works within the enterprise to review existing—and historical—procedures, business models, technology, and training, in order to identify and reduce downsides while increasing the upside where risk taking is a good business move.
Every enterprise has vulnerabilities. In this context “vulnerabilities” are conditions and situations that do or might interfere with the enterprise’s ability to achieve its goals. For this process, the vulnerabilities faced by for-profit companies and nonprofit enterprises are remarkably similar: uncertain revenue/funding streams, legal and regulatory changes, local zoning laws, ability to reach target markets/clientele, qualified employees, and, of course, cyberthreats and physical security. In addition, every organization, company, and enterprise—whether for profit or not-for-profit—has unique vulnerabilities to explore and assess.
Risks that can hurt any enterprise
For any and every organization: Be risk aware! Make sure that you have controls and procedures in place for handling confidential employee data and compensation systems. On September 18, 2018, for example, the FBI issued Alert Number I-091818-PSA describing “Social Engineering Techniques To Obtain Employee Credentials To Conduct Payroll Diversion.” Mitigating steps include Internet firewalls, anti-spam software tools, increasing employee awareness of how to recognize and avoid such attacks, and standard management controls on changes to payroll information. In general, establishing and enforcing clear procedures and authorities around any process that involves money can thwart such attempts.
Make sure that legally required processes and core insurance policies are in place: For example, money withheld from payrolls or collected as sales taxes must be paid in a timely fashion. Meet with a couple of insurance brokers to make sure that the firm is up to date on primary insurance policies such as workers’ compensation, general liability, and property coverage. Consider cyber insurance to cover the risk of losses via online operations as well as hacking or other loss of internally held data files. Firms with multiple owners and senior decision makers should price “directors and officers” (D&O) insurance and “key person” life insurance policies. Make sure that more than one person can cover each core function… just in case. In a two-person firm this can be hard. In a larger firm, designate key backup responsibilities.
Risks specific to your enterprise
Because the risks relevant to each organization differ from those of every other enterprise, planning how to reduce them will vary as well. All businesses along an ocean waterfront might face an equal risk of flooding, but a food stand will lose more merchandise when electricity fails than a T-shirt store will. A business based on personal integrity, such as a medical practice or law firm, likely faces a higher cost from reputational damage than, say, a bookstore.
A few questions to ask about your enterprise: What are your primary assets and relationships? What are they worth to you? Do they have value to others? What would happen if they were lost or compromised? How are these primary assets — be they physical inventory, customer records, proprietary formulae, reputation, buildings, or land — backed up? Insured? Are there duplicate or triplicate files on site and in remote storage? Physical locks and keys?
Corporate culture matters!
Do your employees know which risks you want them to take or avoid? This applies to everyone, from core product development and production to internal operations to financial staff to customer service. Do employees report problems, potential problems, or problems avoided? If you know about potential and avoided problems, you can change processes to avoid them in the future. Do company incentives support or undermine your preferences? Over the past few years, for example, a number of executive and middle managers at Wells Fargo Bank were forced out by scandals tied to pay incentives that rewarded untoward activities. These scandals badly damaged the bank’s reputation. Actions, expectations, and rewards that don’t align create unnecessary risk.
Create a Vulnerabilities Activist Mindset
No small or mid-sized business owner or nonprofit director will spend time on a risk management review that feels like a paperwork exercise. Large firms can institutionalize review processes more easily; with less formality, mid-sized and smaller entities can also use risk reviews effectively. Once a year, have a conversation with all staff or representatives of all departments to identify internal and external factors that have changed and discuss whether these have introduced new risks or opportunities…or both. Gather views from across the enterprise to illuminate risks that senior managers might not see. Ask external advisors and board members to raise issues from their experience that might undermine the firm. Once a year, ask your insurance carrier to review coverage and services. Every so often — maybe every two to five years — ask another insurer to propose coverage to see if you’ve missed something. Finally, discuss the assessment and the steps to address uncomfortable vulnerabilities with your board of directors. Be forward-looking and innovative. Advocate for future success by paying attention to current and evolving issues.