Managing Risk and Leading Business Resilience

In this episode:

In this episode, we explore how businesses can take a proactive approach to resilience in an increasingly uncertain future. Moderated by Bryan Benjamin, Executive Director of The Ivey Academy, and featuring Laurel Austin, Associate Professor of Management Science, we delve into real-world examples of disruptive threats—ranging from cyberattacks to natural disasters—and discuss innovative strategies organizations have used to weather these challenges. Tune in to learn how companies can shift their priorities toward long-term resilience and thrive despite unpredictability. 

Other ways to listen:

• Apple Podcasts
• Spotify Podcasts

---

What is The Ivey Academy Presents: Leadership in Practice?

Hosted by the Ivey Academy at Ivey Business School, Leadership in Practice explores current topics in leadership and organizations. In this podcasting series, we invite our world-class faculty and a variety of industry experts to deliver insights from the latest research in leadership, examine areas of disruption and growth, and discuss how leaders can shape their organizations for success. 
To learn more about the Ivey Academy and the services we offer, visit us at IveyAcademy.com

 

---

Additional Resources:

Digital Infrastructure Resilience and Security by Serentschy Advisory Services GMBH

 

Episode Transcript:

SEAN ACKLIN GRANT: Welcome to lifelong learning in action, your trusted source for new research, insights, and practical advice on critical issues in business presented by the Ivey Academy. The world today is full of surprises, and once in a lifetime disruptions are the new normal. Getting proactive about risk management isn't just a nice to have. It's key to keeping your organization resilient, competitive, and future-proof no matter what comes your way.

For this episode, we're joined by three expert guests. Laurel Austin, associate professor in management science at Ivey Business School. Georg Serentschy, managing partner at Serentschy Advisory Services, and Paul Carroll, Director of operational resilience and business continuity for Scotiabank's global banking and markets. The conversation is hosted by Bryan Benjamin, executive director of the Ivey Academy. Together, our panel explores ways to build business resilience and turn challenges into opportunities.

BRYAN BENJAMIN: Today we're diving into a critical area for any business leader-- risk management through building resilience. In an era where the complexities of a global environment are ever increasing, understanding how to build resilience and build and sustain resilience is a key to navigating uncertainty.

This topic builds on a previous live stream where we explored the foundations of business resilience, focusing on how organizations can adapt and really go towards thriving, admits some of the challenges that they're facing-- real and anticipated. We discuss the importance of leadership, adaptability, and continuous learning in fostering a resilient organization.

Today I am joined by another exceptional panel. Laurel, would love to get your perspective on-- if we think about organizations and the increased focus that there is on resilience, what do you see as some of the biggest challenges that they're facing in both understanding as well as preparing for what is clearly a wide risk of potential challenges that may have either direct or indirect impacts on the organization?

LAUREL AUSTIN: Yeah, that's a great question, Bryan, because the threat landscape that organizations face is getting more complex, and that's a word probably a lot of organizations don't use, and it's a pretty negative word, but what it means is that on the horizon, on the landscape, in our landscape, there are these risks, and if they materialize, they might have big impacts that really affect our organizations. They kind of knock us down.

And when we talk about business resilience or resilience in general, we mean being able to take a hit, to get knocked down, to recover, to stand up, and to keep going. And the thing that's really, I think, challenging for organizations to understand is that the threat landscape for everyone is growing and that we need to all be thinking more about building resilience capabilities.

For a long time, organizations have had to think about certain kinds of risks. So maybe technology disruption, new entrants into their environment, financial risks, financial crises-- that kind of thing, but what we're seeing in recent years is that organizations have to worry about risks they didn't have to worry about five or 10 years ago. And so I want to talk about-- I'll mention three big ones.

So the first is extreme weather events, and no one organization can prevent extreme weather events. So risk management-- we like to prevent risks from happening. We can't do that. So what we need to do is be thinking proactively, what can we do to minimize the damage if it happens? And proactively, how do we prepare to respond if something happens?

The second sort of growing risk on everyone's horizon is cybersecurity risk, and I know we'll be talking about that more today. One thing I think it's important but hard for organizations to understand are who are the various threat actors that might be targeting them because there's different kinds of actors involved in cyber risk.

Increasingly, it's organized crime, which has a lot of resources, and they share resources, they share communications, and so on. We know of manufacturing companies, for example, here in Ontario that have suffered ransomware attacks that are due to criminal activity outside the country. So this is not something that is impossible.

Another threat actor, though, that's growing concern are nation states, and our viewers today might be saying, why would a nation state be interested in me or my organization? But if you think about, for example, the SolarWinds attack in 2020, which was the biggest hack ever at the time that it happened, that was carried out by a nation state that saw that SolarWinds had technology that was used by lots of government agencies in the US and in other countries, and they saw, well, if we can get into SolarWinds, we can get into those government agencies around the world. And so many of us are in supply chains where our technologies or our services might play a role throughout a large system.

And then the third risk I want to mention that's of growing concern is what Rob Austin, who's a professor here at Ivey Business School, and his colleague, Dick Nolan, called performance hacking, meaning when we focus on short-term financial performance, we hack away from-- we take away from-- putting resources into long-term performance. That's why they call it performance hacking. And they use Boeing as a prime example, and we all are seeing things in the news-- what's going on with Boeing as a result of what they call performance hacking.

So these growing threats-- these increasing numbers of threats in the landscape-- are challenging for people to even get their head around and to realize any one of these or multiples of these might impact me, and so how do I prioritize those and then how do I start to prepare for them?

BRYAN BENJAMIN: And maybe we can dig in just a little bit in terms of what organizations can do. So first of all, how do you interpret both the short term but also longer term as well, too, and just the sheer diverse challenges that they're facing? So you think about cyber, you think about performance hacking, you think about extreme weather events. It's like, oh, my gosh. Where do I even start?

GEORG SERENTSCHY: Yeah, that that's a key question for governments-- for organizations of all kinds. It's about both organizational structures and the availability of the necessary strategic competencies. And as far as organizational structures are concerned, the importance and criticality of the topic requires direct involvement and responsibility of the sea level in the organization. That is an absolute must, and that is very often overlooked.

And the second element is boardroom discussions on strategic risk management issues also require geopolitical and geostrategic foresight capacities, which are not always sufficiently available within the company. I think there is a huge gap in many organizations. This is the area where specialized advisors come in, help with these discussions, and helping with the decision-making because many companies, organizations, governments-- they rely on the analysis, which is provided by many different think tanks and so on.

But then it stops, and the analysis alone doesn't help you. Oh, we have a problem. We've got a problem, but what to do now? And that's the reason why a skilled advisor-- an advisor which is knowledgeable-- should go hand in hand with the client and help him to navigate through the fog. And it's a very, very complex threat landscape-- very dynamic-- changing all the time.

It is also important to understand the principle of hybridization. What we see-- what we observe-- is many, many incidents here, there, and not necessarily-- they seem not to be connected. So it's important to connect the dots to understand the hybrid events.

We have seen that-- when the Olympics started in Paris earlier this year, we have seen a series of attacks against the infrastructure-- the rail infrastructure-- in France, in Germany. That is not pure coincidence. There is a strategic plan of a state actor behind, and it's important to understand the mechanics. Otherwise, you cannot take action.

BRYAN BENJAMIN: I appreciate you bringing perspective. It's one thing to have an isolated event that you can draw a fence around. It's another thing to realize actually there are multiple events or connectedness, and maybe not always obvious, but it adds to that level of complexity, and I think we'll have a chance to dig in on that a little bit more.

So, Paul, let's go to you next and get your voice in the conversation. So given the increased complexity and operating environments, especially in large organizations where you clearly have a firsthand experience and perspectives, what are some strategies that can be employed to-- I don't know of the words. I just say simplify processes and improve decision-making. Simplify almost feels oversimplification, but to make sort of processes manageable and actionable and clearly be able to drive towards effective decision-making.

PAUL CARROLL: Well, I think simple or simplicity is actually at the root of how we deal with complex situations. Complex problems don't necessarily require complex solutions. In fact, it could be quite counterproductive because the people that have to deal with the complex situations can only absorb so many options when it comes to dealing with things. So having more incident-agnostic approaches, at least initially, to the multitude of different threat vectors that are going to come at us.

And to Georg's point about the hybridization, I would suggest that we are actually in a status of hybrid warfare. The definition of war used to be fairly clean-cut. When the bullets started flying, you were at war. Well, we've transcended that, and the line between war and peace has blurred.

So again, not to be alarmist, but these acts of sabotage that we're mostly seeing in Europe, how long before we start seeing those manifests closer to home? So we need to start considering that. And that's a tough pill to swallow. What do you mean we're at war? Well, quite possibly we are, because there's a changing world order afoot.

So let me get back to the original point. It's a complex environment. No one entity, no one think tank, no one organization can fully wrap their arms around it, so let's do our bit to simplify how we address a multitude of threat vectors. And again, if you invoke Hick's law, where if you have so many options to deal with, it causes delays in decision-making because you can't find the right solution.

So keep things as simple as possible. Bad thing happens-- you have some standard operating procedures to get the right people in the right room at the right time with the right decision-making authority, and then you start making sense of the information.

Now, information itself is now a pretty important commodity, and it is certainly an item to be attacked but an item to be leveraged. And even JP Morgan, the CEO, Jamie Dimon, has talked about the military concept of the OODA loop-- the observe, orient, decide, and act.

And if you can get into that cycle, managing the information that comes at you, then that allows you to make better decisions more quickly. And time will be of the essence in these complex environments. So if we're going to talk about anything, we need to simplify our internal processes to deal with an externally complex environment.

BRYAN BENJAMIN: So thanks for putting that finer point on simplicity. We live in a super complex world, and you're right, I think that's a really good perspective-- is the simpler we can keep it, the better where possible.

I'm going to pick up on your comment around efficiencies as well as simplicity, and I think about large organizations with multiple levels and multiple members of communities sometimes distributed all around the world. What can organizations do to get decision-making done at the right level? Like you could see a decisions-- some of them would clearly need to be escalated for obvious reasons, but can you decentralize it a little bit more? Can you speed it up? Can you empower?

PAUL CARROLL: Well, you can, and I think you must. So where decisions that are perhaps more strategic or irreversible, leave those to the c-suite. They're paid the big bucks for that reason. But wherever possible, you want to push decision-making down. Delegate that to the lowest levels possible.

Now that comes at a cost, both in training because you want to push decisions down to people that are actually qualified and able to make sound decisions, understand what risks are theirs to take when it comes to decision-making, and where escalations are obviously required. But if every decision has to be escalated up three echelons in an organization, then you are losing time and you're undermining, as I said earlier, that OODA loop.

[MUSIC PLAYING]

 

BRYAN BENJAMIN: What is the role of boards as it relates to the discussion at hand here around all of these risks? Is the role shifting in terms of governing bodies? What have you sort of collectively seen out there?

GEORG SERENTSCHY: As a formal regulator, what we see and what I have observed, and many others in his field, is-- I mean, regulators-- and I'm talking about telecom regulators-- that was a clear set of things to do to help liberalizing the market, to help make the competition running in the market, and help smaller players also to compete in that market.

And what we see over time-- and that was the original idea behind telecoms regulation as a sector-specific regulatory body, the general competition authority-- that is for everything-- for all sectors-- but this is a specialized body. And what we see is that the original earlier issues-- they are declining. So we have less and less on specific things to do, which means we need regulatory authorities 2.0 or 3.0 or whatsoever to reload them, give them a new mandate.

And I think that resilience and security of the digital infrastructure is a very important part and regulators know a lot about these things because they have all the details on their desk so they can help together with other authorities to increase the resilience and the security of digital networks, which are-- and this is one of my favorite sayings in that context-- telecommunication and digital networks are the central nervous system of our society.

BRYAN BENJAMIN: Yeah. We're going to dive into that one a little bit more shortly because you're absolutely right, and unfortunately, we often only realize just how important it is if something happens and it's not working. Laurel, Paul, any other sort of comments as it relates to the role of regulators as well as governing boards in this context?

PAUL CARROLL: Well, maybe piling on to the performance hacking, which I think is a very interesting concept, and certainly doing some reading on that. Much the way you're obliged to have a certain level of insurance coverage, forcing institutions to meet a certain threshold of investment in these types of things and taking away the subjectivity around that because again, when you're dealing with quarterly returns, there's a misalignment with certain incentives, and human nature being what it is, unless somebody tells you to invest a certain amount in a resilience or security aspect, you're going to default to the other incentives, understandably so. So help us help ourselves by giving us those parameters.

LAUREL AUSTIN: Yeah, and I think speaking to that, there's government regulatory agencies that can play a role in this. There's also the big investors-- the insurance companies, the big pension plans, those who control a lot of investment can also-- and are starting to have conversations about how do they address this issue. They don't call it performance hacking that I know of, but that's what they're talking about. And so they also can play a role in encouraging those they invest in to be thinking long-term, not just short-term.

The pressures are very strong because a lot of investors are thinking I'm in it for the short term. What do I get? And so that's a-- I think it's going to take a lot of cooperation between big actors to move us all to helping ourselves-- is what we're really talking about.

BRYAN BENJAMIN: Yeah, I'm glad you draw attention to that because they can have some pretty substantive influence in the ability to say, OK, investment dollars, and here are some expectations, and it is that mindset shift. But it feels like that duality of the next quarter, let alone the next 10 years, and how do we balance between the two of them?

Are there examples out there that any of you have come across of organizations or entities that have been able to either really exemplify simplicity in decision-making processes or find that balance between short-term and longer-term? Either ones that are already doing it or ones you feel maybe got the potential to do it and be a potential leader.

PAUL CARROLL: I'll use the military as an example, and while it's very clear that the Canadian Armed Forces has been underinvested in for decades and we're seeing that manifesting in capital projects and procurements and whatnot. The idea at the lowest levels of keeping things very simple and building resilience and investing in that bottom-up approach is a far more illustrative example.

Investing in the training of soldiers who are absolutely world class in adapting to ambiguous circumstances, largely because they use very simple processes, and it's a bit of a running joke-- keep it soldier stupid or soldier proof-- because they understand that the operating environment is very complex. You're going to be sleep deprived. There's going to be the fog of war, quite literally. There'll be weather impacts.

So keeping things as simple as possible at that level and investing in training-- hyper realistic training at that level-- allows a level of resilience and engagement there that I think could be a lesson for organizations more broadly.

BRYAN BENJAMIN: Around the OODA loop and the fact that it's been around for decades but yet not as well known maybe as we'd like at the senior levels. First of all, I guess, do you agree with the question is, do you feel that it's not yet as well known as we'd like it to be? If yes, great. How has it gotten there? If no, how can we increase the awareness?

GEORG SERENTSCHY: Probably statistically in the narrow sense of the terminology, statistics is not that telling, but my impression is between 20% and 30% of the big companies which we are talking with-- they are aware that this is a critical issue and they know that this is something which the sea level has to deal with.

And we see-- the majority of the companies still say, oh, that's interesting what you're telling me. That is something for my IT department. And that's a complete misperception. Complete misperception. It's not about cyber security alone. And this is something-- it's kind of denying the reality-- denying the threat-- which we are all dealing with.

So there is a long way to go, I would say, and a seminar like yours here is extremely important with the multiplier effect of your academy to train people, to make people understand that this is much more. It's a vital thing.

LAUREL AUSTIN: Yeah, and I want to address that too, then, because you're right. We do see in organizations leaders thinking, well, it's an IT issue, but it's not the IT folks who are really in a position to think about what does our company have, what does my organization have that's a value? What's the intellectual property that somebody might want? What's our role in critical infrastructure?

Critical infrastructure-- almost everything now is critical infrastructure. Health care, finances, telecom-- anything digital-- power, water, transportation. And if you think about where you sit in various ecosystems, depending what your service is or what you produce and provide to others, chances are you're somewhere in one of those supply chains, and you might have something that then makes you valuable-- that you have something valuable to these various threat actors.

So it's not-- your IT folks can help you implement solutions, but they are not the people who really can be figuring out, in most organizations, what do we have that someone might be interested in or what are the impacts and impact on us. How might it affect others? Or how might impacts on others affect us? And what are the problems that we have that we need to solve?

So you want your technical folks to solve the problems, but they aren't necessarily the ones who can identify that, and it's just because of everything being so interconnected, and as we've said, digital being the backbone of what almost everybody does now.

BRYAN BENJAMIN: Paul, you mentioned earlier-- is make sure the c-suite is truly doing the work where they earn the big bucks for doing the work. This is important strategic work. Yeah, and then make best use of the great resources that you have in functions like technology, but what is the strategic opportunity? What is the strategic position of the organization? Where do investment dollars flow through as well?

So telecommunications, we skirted around it a little bit earlier. But Eric, I'm going to go to you around-- you touched on it a bit, but let's elaborate on the role of telecommunications infrastructure in ensuring organizational resilience. And maybe you could even start with helping us understand just how vast and interconnected telecommunications is, and how reliant we are as a society on it. And then we can dig into the question a little bit more.

GEORG SERENTSCHY: So I like the paraphrasing, is the central nervous system of our society, and we are so dependent on the functioning of these networks. So here in Canada, the Rogers outage in '22, July '22, if I'm not mistaken, was a striking example of this dependence. So, that a unilateral dependence on one network for so many different services. But there are many other examples, one of the most spectacular, being the CrowdStrike incident that led to the disruption of vital digital services worldwide and a standstill in many public administration and businesses.

In both incidents, that was interesting. Human error was the cause. So, not an attack or something like this. But we see also, as Laurel also said, incidents triggered by climate-induced natural disasters, landslides, flooding, wildfires and so on. Cyber and cyber-physical attacks and sabotage against railway infrastructure against airport. Now we see in the underground system in London. So, London Underground is under attack now.

What can be done against it? And in my view, one of the most effective responses to these challenges is a higher level of redundancy in the network. There is a snag with that, because firstly, it runs, and I'm saying that as a former regulator, it runs counter to the prevailing paradigm that telecom services should become cheaper and cheaper. And secondly, it raises the question of who should pay for redundant. But redundancy comes with a price. And what we have seen in the-- I mean, from a competition standpoint, from a regulatory standpoint in telecom network, was network sharing, network sharing, network sharing, pooling, pooling, and so on and so on.

And this is exactly the opposite of redundancy. So, we are creating-- with this philosophy, we have created more and more single point of failure. And that's dramatic. And so, what can be done, and who should pay? And my answer to this is, what we need is a kind of partnership between private players and government agencies to address these challenges. Because the threat landscape is so complex, so dynamic, and so strong that governments alone cannot manage it, and neither can the private sector do it alone.

PAUL CARROLL: To your point, the Rogers outage, the concentration risk manifested out-of-cost savings, which makes perfect sense when you look at it through a lens of peacetime. But security costs money. And it's hard to convince somebody to open up their wallet and pay for that in the absence of a manifestable threat, or something you can put your finger on.

And in this current, I'll call it a transition period, from ostensibly a peacetime environment into this hybridization, as you call it, how do you convince people to put dollars behind something that is a bit ephemeral? That truly is the challenge. And if you raise the red flags too often or even at all, you might be accused of being alarmist. And of course, from a risk perspective, that is in part our jobs.

BRYAN BENJAMIN: Well said. Because it's a balance of, a lot of times, the urgency is created after something happens, and it's like, oh, geez hope that never happens again. OK, what do we need to do? Versus how do you create that same sense before something were to happen to, say, hey, can we better prevent it, or at least mitigate if it does happen?

[MUSIC PLAYING]

 

The role of human error will always be present as long as we have humans. When I think about some of the discussions that we've had, are there any learnings that you've sort of seen maybe leading organizations take that either learned from human error, or have done some things to lower the risk of human error factoring into some of these?

As we get more complex, it feels like the risk of human error only is going to increase. So what are we seeing from that standpoint? I think we touched on some of it earlier around simplicity, clarity. I think all of those pieces would likely lower the risk. But what else are we seeing in any organizations of leading the way?

PAUL CARROLL: If I may share a personally embarrassing story, which really--

BRYAN BENJAMIN: Those are the best ones.

PAUL CARROLL: They're mostly the stories that I can tell. I got hit with a phishing test by my employer. And normally, I'm very circumspect about these things, but I was so busy that I fell prey to a fairly obvious trap. So, the human error can often come from being overwhelmed with pressure to meet deadlines, et cetera. And the bad guys know that, and they're going to look for those vulnerabilities and take advantage of those people that are overwhelmed.

And it's another challenging dynamic to balance security through your workload, your ability to process multitude of threats coming at you. I had to catch myself and go, Paulie, you need to slow down and be smart. You do not want to be the guy that introduces a threat vector into your organization.

LAUREL AUSTIN: And I think that happens to all of us. You get something and you're thinking, oh, it's from somebody I know or an organization I trust, or whatever. And you click and then you say, oh, my goodness. Should I have done that? But it's too late, because the click only takes an instant, and it can't be undone.

This isn't really addressing your question, Brian, but something I do want to-- that occurs to me as we're talking is one of the things that makes this hard is if you do invest, you're investing in things for the long term, you're investing in resilience, you're investing in the things you need, and things go well, you can't really say, that thing I did is the reason that things went well. The things you prevent, the things that don't happen, well, maybe they never would have. Or you can't actually show that they would have but you prevented them.

And that makes-- that's another pressure on leaders, is you're being asked to invest in something that's going to help, and you just can't prove it. You can't show it. What you can show, and again, this comes back to those pressures, to do things in the short term. You can show those. You can show the gains there. And so that adds on the pressure to leaders. And so it seems to me, what we're talking about is really needing, as a culture, to shift our way of thinking, to shift what we value, to shift what we see as valuable, and reward others for, and recognize, you can't always see the effects, the results, of what we've done. But it makes it harder.

But I think there is-- we are talking about a need for a mind shift. And business schools play a role, because business schools have, I think, traditionally taught our students about shareholder value and the short-term value and the short-term gain. And we're starting to change that. But we've instilled it in a lot of places, I think. And it's not just the business schools, but we do play a role in trying, I think, to change the culture, change the mind shift.

GEORG SERENTSCHY: Yeah. I mean, picking up on what you said, Lauren and also Paul, I mean, one of the things which I learned is extremely important, because everybody should have the experience, what's at least without big consequences, that you can be fooled. That's a very important thing. Yeah. You're not immune against this. And I mean experiences which were interesting.

One is, a couple of years ago, I had to subscribe to a cybersecurity insurance for my company because one of my clients requested this. It's not cheap, and the insurance company was very strict. I had to undergo a training, which was very, very good. And in the meantime, I'm also working for a large American law firm. And we all have to go through an annual training. You see different ways how well-prepared phishing attacks can be done, combined with social engineering. It can be very, very convincing.

And one of the real dangerous things is time pressure. As Paul rightly pointed out, if you're under time pressure and not fully alert, then things may happen. And it's good to have, and this is one of the learnings also from the military domain, to have drills, regular drills that people learn what can happen and what are the mechanics behind, how you can see behind the curtain.

BRYAN BENJAMIN: Yeah, I think really important points and I appreciate the-- we've all been there. And I'm sure a lot of us, myself included, have clicked, and it is actually fine. But you have that moment where it's like, oh, maybe it wasn't. There was just something a little off. And with increased pressures, with increased workload, the risks go up.

Laurel, thank you for introducing culture and putting a call to action out in terms of, as we're preparing the leaders of tomorrow, what can we do in terms of what we're paying attention to, what gets valued. And that whole idea of, I may have prevented something that could have been substantially negative in terms of its impact to the organization, but maybe didn't. And how do we know? But understanding that we've at least reduced the risk of something like that happening, and valuing those actions.

I feel like we can't go through any livestream without introducing AI at some point to the conversation. And there was a couple of comments around the role of AI and resilience in the future. And I'm not putting anyone on the spot in terms of looking for AI expertise, but have you heard of anything, or are you seeing anything coming down in terms of AI supporting or enabling risk management looking forward?

PAUL CARROLL: Well, I think it's obviously a double edged sword in that AI is going to be used to enable the threat actors. And if we're not working it from the other angle to counteract that heightened level of engagement, deepfakes, what have you. In fact, I had to change my voice recognition protocols for online banking. I won't do that anymore, because it's too easy for it to be hacked. So, it is--

And I'm by far out of my depth talking about AI, but certainly, the threat is fairly obvious, and what we need to do to counter that. Offense-defense needs to be considered and the investments in that. And talking about the OODA loop, again, using AI as part of that, observe and orient to help decide with the sheer volumes of information. As good as some of our best thinkers are, they're never going to be able to compete with AI in terms of the rapid processing of multiple streams to allow us to make timely decisions.

LAUREL AUSTIN: I'm just wondering, as we were talking about, the first challenge for organizations is to figure out what is their threat landscape, I'm wondering if as an organization, if you could use AI to describe, what is my-- what do I do? Where am I sitting? What is my service? What is my product? What's going on with other organizations like me? What are the threats I should be worrying about?

I don't know. But I imagine that there's a lot of potential for using AI in managing risk, and that might be one people could play with right away. I don't know if you would get anything from it. But it might be able to help organizations figure out where they're situated and where to focus their efforts.

GEORG SERENTSCHY: We should not forget the bad guys, they are a very, very well-organized industry with distributed responsibilities, distributed specializations. And one of the real dangerous things, what I see, is SEO fraud in combination with deepfakes. You think that your CEO gives you a call, maybe a video call. Speaks like the CEO, looks like the CEO, and that will create a very, very strong impression on you as the person in charge for making a transfer, money transfer.

First of all, you can implement tools, AI tools to identify that this is a deepfake. That is one thing. Second thing is that nothing to do with AI. It's a simple procedure, a procedure which should be in the rules. Meaning OK, thank you, Mr CEO. I'll give you a call on your mobile now to verify that you have called me. So that should be a simple procedure. It's nothing to do with-- you can do it with simple means. So check and double-check.

What I've seen also is a lot of fakes coming via LinkedIn. You know this person. Gehrig, I have a very interesting business proposal. Please click on this link. So, don't click on this link. Call this guy and say, have you sent this? And then he tells me, my LinkedIn account was hacked. So, check and double-check.

BRYAN BENJAMIN: It's interesting how we're looking at both sides of these pieces, is earlier, we talked about sometimes just busy and lots going on and I make a simple mistake that I otherwise wouldn't make and how quickly that can happen. We just talked about, is sometimes actually verification is just as simple. But is it-- we don't often go that extra step to say, OK, yeah, you know what? Let me just call you back, or this seems to be a bad connection. I'm going to call you back and see if can get a better connection, if you're not comfortable saying it.

But the whole notion of anything, when we think about AI in any conversation, think it just shows the rapid changes that we're going through. And regardless of what an individual or team or organization does, they need to keep going. It's not a, OK, now we're set and we're set for life, because something's going to change in a month from now. And there's a new way of getting in, or there's a new approach, or there's something out there. So how do we keep the energy up and just build that ongoing habit?

It comes back to your comment, Laurel, around culture. And culture takes a long time to influence either way. And so what can we do now in smaller increments to build that heightened culture we're looking for? Either one sort of final insight or one recommendation, maybe one from an organizational lens, so recommendation to organizations, and one for individual leaders and their role within organizations. Who wants to go first? The benefit of going first is no one else will steal your idea. You have full carte blanche.

LAUREL AUSTIN: We're seeing more talk about resilience. And it's not just a buzzword, I think. I think it's because you think things are changing and they're changing rapidly. So organizations do really want to be thinking about building their resilience capabilities. And I love Paul's suggestion, thinking about keeping things simple. So a couple things are, communication is critical. If there's any kind of-- whether it's extreme event, whether it's a cyber attack, whether it's something else, if the telecom industry is attacked in some way, you lose your communication.

So planning ahead, having redundancies in communication, I think, is a really simple thing. Maybe not so simple, but how do you do that? Most of us don't keep pen-and-paper backup of our key contacts. Do you do that in your organization? Do you have a way, if you lose your voice over IP phone system to contact people? Or if you suffer a ransomware attack and you can't communicate at all, so do you have a backup? Yeah, so just thinking about some of those common things that maybe can-- simple things that don't cost a lot but can go a long way to get you started.

BRYAN BENJAMIN: Excellent. Thanks for getting us started.

PAUL CARROLL: Simplification is key. And then from a telecommunications or communications period perspective, again, another military concept is PACE. Primary, alternate, contingency, emergency. And you apply that to communication platforms, you can apply that to multiple different elements. You may never get to the E, but if you don't have an alternate, then you're not resilient at all.

What's an example of a simple process? Well, if you've got a fundamental such as having a PACE for multiple aspects of your organization, that's one simple process that organizations can adopt. And the other one is a standard formatting for sharing and receiving information. The military uses a concept called SMEAC, situation, mission, execution. It's a format so that everybody knows how messages are going to be delivered, and they also know how it's going to be received. So you don't have to interrupt the flow. You know we're going to get execution in three paragraphs.

So again, keeping it very simple and standardized. And I'm not talking about fonts and formats. I'm talking about the concept. And then for leaders, invest in training your people. It's not a cost. It is not an expense. It is an absolute investment.

BRYAN BENJAMIN: Thank you.

GEORG SERENTSCHY: The most dangerous attitude on all levels within an organization, whatever the organization is, is ignorance combined with complacency. This is a toxic combination, and we need to work on that.

BRYAN BENJAMIN: I think that the sum of what all three of you kind of highlighted is like, let's get going. Let's not wait for it to happen. Great tools and tips around, how do we keep it simple? How do we keep some things consistent? How do we get it repeatable? And I get, sometimes it's way more complex and so forth, but let's also focus on the things that we can impact right away with little acts as we move forward.

SEAN ACKLIN GRANT: Thank you for tuning in to Leadership In Practice. We'd like to thank our guests, Laurel Austin, Georg Serentschy, and Paul Carroll. Lifelong Learning in Action is produced by Joanna Shepherd, Rachel Jackson, and me, Sean Acklin Grant. Editing and audio mix by Carol Eugene Park. If you liked this episode, make sure to subscribe. You can also find more information by visiting iveyacademy.com or follow us on social media, @iveyacademy, for more content, upcoming events, and programs. We hope you'll join us again soon.

About The Ivey Academy at Ivey Business School

The Ivey Academy at Ivey Business School is the home for executive Learning and Development (L&D) in Canada. It is Canada’s only full-service L&D house, blending Financial Times top-ranked university-based executive education with talent assessment, instructional design and strategy, and behaviour change sustainment. 

Rooted in Ivey Business School’s real-world leadership approach, The Ivey Academy is a place where professionals come to get better, to break old habits and establish new ones, to practice, to change, to obtain coaching and support, and to join a powerful peer network. Follow the Ivey Academy on LinkedIn, Twitter, Facebook, and Instagram.