As 2022 starts to come into view, most organizations are knee-deep in annual planning, trying to prepare for the road ahead. As the long and murky pandemic fog starts to clear, finance teams are asking what comes next and where they might be at risk. The past year has offered glimpses of continuing storylines.
The “Great Resignation” is drawing attention to the scarcity of talent and the need for us to retain staff, cyber-attacks become more complex each day, supply chains are in crisis and even the cost of borrowing money could increase substantially soon. These are just the things businesses are aware of. How can they prepare for risks when they may not have knowledge of their existence?
We invited Irfan Rawji, CEO of MobSquad, to speak on these very things during IMUG 2021. In addition to running an innovative startup, Rawji is a managing partner at Relay Ventures, an early-stage venture capital firm, adjunct professor at the Sauder School of Business at the University of British Columbia, and sits on a number of private and public sector boards. He previously worked at McKinsey & Company, Onyx Corporation and Parkland Corporation.
Q: This conversation is about risk, and if you play a word association game, entrepreneur, startup and risk would all likely appear together. So, how did you approach the issue of risk of when starting MobSquad?
A: Being a venture capitalist I think about risk obviously, because we’re making investments. However, I actually look at risk in a very different way. Harvard Business School defines entrepreneurship & risk very differently, than how it’s discussed in the mainstream media.
We’re trained to think of entrepreneurs as risk-takers, whereas Harvard Business School would say that entrepreneurs are actually “risk mitigators”, who put themselves in otherwise risky situations. So, they may run into a burning room, which we would all say is risky, but they know the seven ways to get out, and they know that before they enter the room. I think that’s a really important distinction.
Q: You’ve served on a number of boards in your career. How do you ensure you understand, as a board member who is not in the business every day, what those risks are?
A: I think every board director has the same concerns. You have a fiduciary responsibility of ultimate governance and therefore the buck that stops at the CEO also stops at the board. And that’s what your shareholders expect. For me, it’s a couple of things.
One it’s making sure you’re asking all the right questions. It’s impossible to know everything. I mean, even the CEO of the organization who’s running the business, doesn’t know everything. Yet they also know what questions to ask. The most important thing is really being thoughtful around what should we be asking.
The second thing and this is going to sound very basic, but you need to read all of the corporate information that is shared at meetings and made available. I don’t know if every director on a board does this.
The third thing I try to figure out is peer organizations. Reading their material gives you an idea of the industry, it gives you an idea of the context and it gives you an idea of what other people are seeing.
Q: One of the things that many of our clients think about is malware and cyber risk. You hear about cyber and ransomware attacks every day. You’re not a technology expert and I’m not a technology expert, so where do you find resources to ensure that you’re getting the right level of that information and get comfortable?
A: This is what keeps me up at night. I think that these (cyberattacks) have become a business in certain parts of the world. I was at a conference just before COVID where they brought experts in that help protect companies against these risks. These experts say attacks on websites in North America usually spike between 8:00 AM and 5:00 PM local time in Moscow. It’s essentially a business. These people go to work and their job is trying to break through sites in North America. And it’s literally just a job. The fact that it’s become that mainstream is very concerning. And so, how do you deal with this risk?
Obviously, you have to do the baseline things. Make sure your business is not the lowest hanging fruit for these actors, whose day job is trying to hack sites. The second is to adopt a mindset of “It’s not an if, it’s a when”. If you adopt that mindset, you’ll think through, “When this happens to us, how do we react? What are the triggers? What’s the decision criteria?” Recognize the totality of the risks that your business potentially faces. This is different for different businesses. However, this allows you to also continue to think about how you’re protecting yourself against this risk.
Finally, understand that this world is moving quickly. It’s so specialized, so you will have to ask outside experts. I mean, it’s expensive obviously, but if you run the exercise you’ll see, is it more expensive to not hire that expertise? I’m on the board of a bank, I’d say we cannot have that risk happen without making sure that you have all the protections in place.
Q: One of the other big themes in the world when we think about risk and operations is employee wellbeing and productivity. We talk a lot about assets, understanding the risk to your assets, but for many organizations, employees are their number one resource. We have heard from executives talking about the staffing challenges in long-term care facilities. I’d love to hear how you’re thinking about that across all your different roles.
A: I’m also on the board of a long-term care facility, so I share that concern and that pain. I would say, universally, irrespective of if it’s a startup, a scaleup, a publicly listed company or a private company, the number one risk we all face right now is employee burnout.
I’m not an expert on this topic, but something that I think about a lot is, “How long will this go for?”. And the answer is, “none of us knows”. So we have to plan like this is going to go for 2, 3, 4 or five years. As a leader, you need to show confidence and be positive, because other people can’t follow a leader that’s not confident and engaged.
Q: How would you suggest someone learn about getting comfortable with the topic of risk, assessing risk? Because that’s such a critical piece of being a senior member of any leadership team.
A: I think that a lot of it is understanding. I really do think that understanding different industries really does help because there are analogs. I tell people all the time being an entrepreneur actually makes me a better investor because I understand how entrepreneurs think and I understand what makes them tick and I have empathy for them. But being an investor makes me a better entrepreneur because it allows me to understand how my investors think and what makes them tick. And they’re self-reinforcing.
And so, a huge part of why I feel lucky is that I’ve had an opportunity to be on both sides of the table in many industries. And so, that just allows you to be stronger in each of those situations because you understand how the other players are thinking.
Q: In your career, you’ve had a variety of different board roles, including serving with public entities. Talk to us about the differences you’ve seen in something like that where you’re bringing private and public together in one. How do you bridge that gap (in the way risks might be approached)?
A: I don’t think that many people think about that, which is, how do different players come at a project and assess the risks differently? The government and the private sector are on exactly the opposite ends of the spectrum in terms of their decision-making. People say that governments move slowly, that they don’t take risks. There’s a good reason for it. If you’re the bureaucrat and the project works, do you make any more money? Do you get any reward? They actually look at every situation and say, “Well, there’s no upside, only downside. So, it’s a risk, no reward, so why do I even take these risks?”
So you have to actually show that you’ve mitigated those risks because they don’t get the upside. They want to make sure they’re not getting the downside either because it’s not balanced. The converse is true for private sector entities working with the government. If it works, you get all the financial upside. So it’s recognizing that you actually have different financial incentives, and how do you actually mitigate that together? How do we make sure this thing doesn’t fail so that nobody is left holding the bag? That’s how you get progress, in my opinion.
Q: From your perspective, how has the field of risk management changed and the subsequent impact on organizations over the past five years. What’s your prediction of how organizations will assess and mitigate risks going forward?
A: You know what’s really interesting? When you shock systems, people realize that they’re subject to shock. I think people thought about their risks very differently after 9/11, after the global financial crisis, and after COVID-19. These experiences have us asking questions, which is good because it’s easy to become complacent. I think we’ll get better at the question of, “How are we going to assess and mitigate risk?” My worry is that some of us don’t see that our biggest risk right now is our human resource risk. I encourage people to really think about that one because that doesn’t become obvious until it’s too late.
If you would like to see more of Irfan Rawji’s talk at IMGU 2021, you can watch the recording below.
