What were you hoping that 2020 would be about? What did your strategic plan or business plan say that you wanted to achieve this year? What underlying assumptions did you have in the strategic plan that no longer hold true?
I saw a statistic recently that 82% of the time a strategy fails can be attributed to misleading assumptions. Think of Kodak and how they were left behind in the transition from film to digital photography.
Many businesses have thrown out whatever strategic plan they had for 2020 and have been reacting day to day and month to month as the COVID-19 health crisis and related economic crisis have unfolded. Whatever you assumed in your strategic plan for 2020 has quite possibly already proven to be false.
It can be challenging to prepare strategy in a VUCA environment – VUCA stands for volatility, uncertainty, complexity, and ambiguity.
Even pre COVID-19, the more innovative organisations were questioning the value of a three to five year strategic plan given the likely changes to the operating environment over that period – meaning the shift to a more agile strategy process.
Now we have the COVID-19 health crisis, ensuing economic crisis, reduced travel and other social restrictions, and many geopolitical risks are escalating too.
Even in this ever changing and VUCA environment, organisations need to stay true to their ‘anchors’. In the absence of being able to operate to a structured plan, what are the things that are critically important to you as an organisation (could be values, client focus, impact etc)? These will provide your context for decision making when the external environment turns your strategy to dust.
Organisations often think about different strategic planning horizons – with the short, medium and longer term – but this is usually focused on a linear progression.
With this mindset, we think in strategic plans about the one desired future that we are working towards. What if instead we were to have multiple views of the future under different scenarios, and to develop a strategic plan on that basis?
In a recent presentation to members of peak body National Disability Services, futurist Professor Sohail Inayatullah spoke about a range of potential unfolding social and economic scenarios.
It is possible in the time ahead that a range of scenarios could play out: the coronavirus could mutate, wages growth be flat, nations could break apart, international travel could be restricted for years and/or we could fall in to a multi-year recession. Despite best efforts and bipartisan support, could a multi-year recession put budget pressure on the NDIS program to be reduced in size and scale?
Less dramatic but still significant, this current economic period could be a time of slowing down in order to speed up – with the potential for the crisis to drive innovation and reforms that will provide for greater economic growth and prosperity.
There may also be ‘sticky changes’ that flow from our present crisis, with changes made to personal and business behaviour becoming more mainstream: increased working from home, a greener economy to reduce pollution, added COVID safety/risk measures, increased domestic travel over international and increased telehealth or remote service provision.
Within the disability sector, there are other uncertainties like the potential impacts of the Disability Royal Commission on regulation and compliance, and continued changes to the NDIS marketplace including to the Price Guide.
For many disability providers, there is some surety in funding with the NDIS business model but COVID-19 has had an impact on the way services are delivered.
It’s more work to build out a strategic plan with possible different future scenarios, but if there is any time this is worthwhile it would be in the current situation. Successful organisations now will be the ones that spend more time planning and strategizing rather than being blown around by the changes.
Business recovery shape
As you look to the future of your own organisation and its growth trajectory (whether measured by customer numbers, revenue or staff numbers), what shape does it look like? Is it:
- V-shaped with a sharp decline and sharp recovery?
- U shaped with a more gradual decline and recovery?
- W-shaped with a double dip – perhaps corresponding to a COVID-19 scenario where there is a second wave of the virus outbreak?
- L-shaped with a sharp decline settling in to a new normal smaller size?
- Hockey stick shaped with a small decline but expectation that the trajectory will return to growth?
Making the right assessment of the future is important in preparing your organisation to be in the best position for the future. Getting this wrong could prove disastrous – for example, maintaining your existing cost base assuming a U or V-shaped recovery only to find down the track that it is L-shaped.
Organisations should be having regular conversations about unfolding risks, market changes and implications to strategic plans at a management and Board level.
Taking a view on future scenarios and the shape of the recovery are important strategic discussions to focus on.
CBB has a number of consultants with experience in business and strategic planning. We could help you with the whole strategic planning process, or just to workshop one or a few elements like this.
If you’d like any assistance with reviewing or developing elements of your strategic plan, please contact 1300 763 505 for an obligation free consultation with one of our Business Consultants.
In an interview the productivity consultant David Allen said that strategic thinking does not require large amounts of time (Clark, 2015). More importantly, it’s space that allows innovative ideas and decisions that will guide the future direction of your not for profit.
Being strategic is one of the most important behaviours that guarantee an organisation’s long term success and almost every leader would like to have more time for strategic planning (Clark 2018). We are all too busy, dealing with the daily fires, and now that many of us are working from home, we feel like we’re working all the time.
Keeping track of our time and setting a regular time aside for strategic thinking and planning can help to embed strategic thinking into our schedule (Clark, 2018). Getting away from our routine and ‘to do lists’ can create some mental space. Encouraging our managers and team leaders to set some time aside for strategy and offering opportunities to share their thoughts and ideas can also foster strategic thinking throughout our organisation.
Strategy needs knowledge
You would not buy new a family car without doing some research, a test drive and without asking a friend who knows more about cars to have a look under the bonnet. Yet, I am regularly meeting not for profit leaders who open a new office or start a new service based on their gut feel.
Gut feel and intuition are important instigators but once you have formed your idea you should also consciously and thoroughly evaluate your strategy. Time pressure can work against assessing a decision, however often it only takes a few hours of top line research and number crunching to find the necessary data and evidence that supports or dismisses the idea. If you or your leadership team doesn’t have the time or know-how, you could engage a student to do some basic data analysis, or for something more sophisticated seek assistance from a consultant with experience in the sector. Spending some more time and effort on researching your idea can open new alternatives or modified ideas that can lead to better outcomes and more effective use of your limited resources.
Strategy needs multiple views
‘The government representative or the consultant has told us that there is the future and there is great potential for us’. If this was the case why isn’t everyone doing this – or is everyone doing this? Good listeners tend to have more ideas, yet listening to just one source risks establishing a strategy on a distorted, or narrowly focussed reality. A stakeholder analysis can help us identify who has an interest and who will be impacted by the strategy. Talking and listening to all parties involved can help form a more realistic approach and lead to better outcomes. Engaging people who may influence the success of the project early on can help to overcome barriers and create more allies once you begin to implement the strategy.
Strategy needs empathy
Just because we have worked for many years in the sector and our clients tend to be loyal, it does not necessarily mean that we really understand and know the people we support. Do we know our clients’ aspirations, interests and passions? Do we understand what is currently working well and what is not? Do we understand the hardship, the barriers and the worries of our beneficiary? What are their physical and emotional needs, how do they think about the world and what matters to them? What would they like to achieve and how would they like to live their lives. We live in a fast moving world and while basic needs are likely to stay the same, external pressures heavily impact on barriers and support needs. Unless we ask the right questions and we are prepared to empathise we are unlikely to come up with a strategy that creates meaningful and lasting change. Defining and understanding the need will help us to establish a strategy that creates outcomes that are needed and wanted, and drive meaningful improvements in quality of life.
Strategy needs courage
‘We have trialled this and it did not work’ is a common sentence that I hear in strategy workshops. It is an effective innovation killer and indicates that we are too scared to do things differently. It also reveals that we are often too focussed on the activities, the ‘how’ of our strategy before we define the ‘what’. What do we want to achieve that creates lasting change?
Once we have defined the outcomes we require some courage to do things differently to the past. Our beneficiaries and other stakeholders could assist us to co-design the activities or clarify why our attempts in the past failed. Most importantly we should have the courage to make ourselves redundant. Does our work create dependencies or do we empower our beneficiaries, facilitate independence and create long term impact?
Strategy needs ideation
Have you ever done a home renovation or built a new house? Usually it takes several plans, discussions and modifications until the final plan can be approved. Strategy needs ideation and time to form. If we rush the approval process the end result will reveal many unwanted surprises. Gaining better knowledge, reviewing our internal strengths and weaknesses, listening to everyone involved and giving our beneficiaries a strong voice will necessarily lead to variations along the way. Engaging a critical sounding board can broaden our thinking, or adopting an outsider’s view can help us review our assumptions and biases to develop a strategy that is bigger and better.
If you need assistance with your next strategy workshop, market research or if you would like an outsider’s view, please contact 1300 763 505 for an obligation free consultation with one of our Business Consultants.
We’ve got a risk register and mitigation plans. We report to the Board on risk every meeting. We’ve got dozens of procedures that help us with compliance and work health safety. We’re accredited to the NDIS Quality and Safeguarding standards and maybe even another different accreditation body as well. We tick the boxes on what we need to do with clinical compliance. We even have a risk policy that was based on the international standard. Surely, we are doing everything we need to on risk management, right?
Maybe. If this example sounds like you, then you are certainly doing a lot of things right on risk management, and that is really important for minimising the risk of incidents and ensuring you achieve the objectives in the strategic plan that you are aspiring towards.
Maybe you don’t have many or all of the above elements in place, and that’s ok too. Every organisation starts somewhere, and risk management measures need to be scaled from small, low risk organisations up to larger, complex and higher risk organisations.
Deloitte produced The Risk Intelligent Enterprise Maturity Model about a decade ago and I think it provides a great perspective to look at your risk management activities, no matter the size or focus of your organisation.
Level 1 Tribal and Heroic is about ad hoc risk management which might be done well by one person or group within the organisation
Level 2 Specialist Silos is where there are some risk mitigations in place and steps taken to reduce risk. You might have insurance in place and a few simple policies, but risk is only thought about by a few people.
Level 3 Top-down is where the tone of risk management is set at the top and policies/procedures are in place, but risk management is still somewhat reactive. Many disability and aged care organisations are at this point now – the quality and safeguarding standards that we operate under have ensured that most organisations get to this point. However, accreditations are about setting minimum standards, and best practice requires doing more than the minimum.
Level 4 Systematic is where risk management is getting more sophisticated. By this point, risk is a factor in every business decision being made, staff take ownership bottom up in the organisation, and a cultural transformation has taken place where all staff view their decisions and actions through a lens of risk management.
Level 5 Risk Intelligent is the highest aspiration, and it is difficult to get an entire organisation to this level. I’ve seen some teams operate at this level, and when you do, you can make amazing decisions which boost profitability and remove the downside risks when things go wrong, as they sometimes do.
There is a big difference between being Risk Intelligent and Risk Averse. Being Risk Intelligent is about knowing what risks your organisation is better than anyone else at taking on, rather than avoiding risk altogether.
The international standard on risk management defines risk in terms of the effect of uncertainty on achieving objectives. Risk management is linked inextricably to your strategy and what you are aspiring to achieve. If your strategy and business model involve working in difficult situations or with challenging people, and you have the right people and systems in place, then you can operate a business model like that in a Risk Intelligent way.
I’ve been in workshops where this model has been shown and it is fascinating to see people look at it and calibrate the risk practices against all the different parts of their organisation.
We all want to be level five. It’s only human when you put up a model like this to think that you are doing well. However, more often than not, I have heard people reflect that there are functions or parts of the organisation which operate at different levels.
Maybe some of the clinical elements of the work are at about a level three or four, but other back office administration functions are more like a level two. If your goal is to put in place the minimum standards of quality and safeguarding for your industry sector, then you are likely only operating at level three at best. Achieving a higher level requires leadership modelling and an organisation commitment to resource it appropriately.
What are some practical steps you can take to improve your level of risk intelligence?
Stop and think – do we need to change? What needs to change? Who do I need to talk to about making changes? Have I got the right people or tools/technology to get there? Do I need to update or write a new risk policy? What do you need to do to improve the risk culture? Do you need some external help to map out a path to becoming more risk intelligent, or a specialist consultant to help with one element of it?
CBB consultants have experience in helping organisations plan their risk management activities. If you’d like any assistance with risk management, please contact 1300 763 505 for an obligation free consultation with one of our Business Consultants.
Reference: Deloitte – The Risk Intelligent Enterprise: ERM Done Right https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Governance-Risk-Compliance/dttl-grc-riskintelligent-erm-doneright.pdf
We trust that this article has got you thinking more about the benefits of using the SOAR model instead of doing a SWOT because “that’s what we have always done”.
To make the learnings from this article more real, why not delay whatever you were planning on doing next just for 15 minutes and have a think about where your business is now. If you are like me, then pick up a pen and paper and put the four headings across an A4 page, or if you prefer, just open up a Word document and create a 2×2 table.
We’ve heard from many organisations at the moment that they are needing to review their current strategy as a result of the continually changing environment we find ourselves in with COVID-19. There’s never been a better time to stop for a few minutes and think about your strategy. I guarantee that the time spent writing this down now will provide some greater clarity for you in the priorities for coming weeks and months.
CBB has a number of consultants with experience in using different business modelling tools as part of the strategy development process. We could help you with the whole strategic planning process, or just to workshop one or a few elements like this.
If you’d like any assistance with reviewing or developing elements of your strategic plan, please contact 1300 763 505 for an obligation free consultation with one of our Business Consultants.
Has there ever been a more important time to be monitoring new and emerging risks to your organisation? Perhaps it is becoming one of 2020’s most overused words that we are living in “unprecedented” times.
The emergence of the global coronavirus pandemic this year has forced every organisation to review its business continuity plan and take a number of other steps to ensure the safety of employees and clients, modify operations, change marketing priorities and shore up the financial position.
On the subject of coronavirus, CBB have shared a link to some resources available through the South Australian Department of Human Services via our LinkedIn page which readers may find of interest. Other information is available from the NDIS Quality and Safeguards Commission.
However, even in the midst of this significant risk scenario unfolding, there are other emerging risks that also need regular attention.
We have seen the impact of the summer bushfires which has been a challenge in some regions, and put together with current job losses and share market volatility will put pressure on donations to some not for profits . Regulatory changes are emerging with the Disability and Aged Care Royal Commissions, and the NDIS continues to evolve and make changes almost daily. Cyber attacks have continued, and not for profits are not immune from events like this. Social behaviours have changed as a result of shutdowns within society now, and it remains to be seen how society will permanently change after the current crisis.
Last month we looked at the specific risk in relation to whistleblowing after issues at World Vision. You can click here to go back to that article. We have also written recently on steps to protect your organisation from cyber risk.
It is important that Boards and management committees regularly review and monitor for new and emerging risks, and that risks other than the coronavirus still remain part of regular board discussions.
The frequency of reviewing risks and the risk register will vary depending on the complexity of the organisation, pace of internal and external change, and risk exposure. Whilst lower risk organisations in a stable environment might review risks quarterly, many organisations should look at it more frequently.
However, best practice organisations make risk a part of the business as usual with regular monitoring of the internal and external elements of the organisation for changes, and then alerting decision makers to these changes in a timely way, so that appropriate actions can be taken.
We believe that best practice risk management monitoring includes the following:
- Ensuring a well-constructed risk register is in place and reviewed regularly for changes.
- Undertaking broad engagement across the organisation to identify new and emerging risks, ensuring that different perspectives are taken in to account and the full range of risks have mitigation plans.
- Risk appetite is discussed, understood and calibrated across the board and management, with changes made as context changes.
- Making a report on new/emerging risks a regular part of the board reporting template helps the Board and management team consider the risks in a timely manner.
- Including responsibilities within key management team member position descriptions to monitor and report on risk.
- Monitoring of relevant internal KPIs (staff turnover, safety incidents etc) to look for emerging internal trends and risks.
- Involvement in industry forums and conference attendance to hear from thought leaders on how the market is changing and new risks that are emerging.
In coming months and future editions of Foreword, we will provide more suggestions on how to develop your risk management to a greater level of maturity and integrate it into everyday decisions and business practices to provide a robust framework for managing risk.
If you have a topic that you would like us to consider when writing more about risk, then please get in touch with us and we will endeavour to include it in a future edition. HOW??
CBB consultants have had experience in helping organisations plan their risk management activities. If you’d like assistance with risk management, please contact 1300 763 505 for an obligation free consultation.
Question: Why did the thief rob the bank?
Answer: Because that’s where the money is.
In this situation, the thief understood enough about his market to know where to find the money!
It’s important for an organisation to have a solid understanding of where the money is in their own market segment before they can maximise their organisation’s potential.
Data on the market can be used to answer a number of questions that lead to better decision making. What is the size of your market? Is it growing or contracting? Why? How is the market evolving or changing? What disruptive forces are impacting the market? How are competitors’ actions changing the market? What are the bounds and scope of the market that you are operating in? Should we look to another market segment in order to continue growing the business? How much should we spend on acquiring the knowledge necessary to answer these questions?
Unfortunately, this is one area of business where it can be easier to ask a question than to answer it! Getting reliable and detailed information on your market is challenging in many sectors, but there is now considerable information available to providers working within the NDIS.
In some sectors, it might only be possible to find aggregate data on the whole of an industry rather than something specific to the sector of interest. In those cases, high level observations might be drawn about the market, but there would be varying degrees of accuracy.
Where can I get data on the market? Industry associations often publish reports with this kind of information. For disability providers, the NDIS quarterly reports provide a wealth of information – but this needs to be analysed closely to understand the relevant trends down to your market segment.
A robust market assessment is perhaps the most important part of the strategic planning process. Without it, the strategy can suffer from just being a plan about what direction you think the organisation should be heading in, without actually having the logical and rational thought to why that should be the right direction.
The market assessment involves a number of steps and exercises that create a critical analysis of the organisation which aids in understanding the market dynamics better and leads to better strategic decisions and direction.
We believe that a best practice market assessment includes the relevant aspects of the following:
- Understanding the market context at a macro level through using a tool like PESTEL.
- Considering your organisation’s place within the market context using a model like SWOT or SOAR.
- Internal Analysis – identifying critical internal issues that need to be addressed within the strategic plan.
- Market Size – projecting forward changes in the size and dynamics of the market segments you are operating in; and understanding how to adapt the business and services to fit that.
- Customer Analysis – understanding the changing needs of customers, and what makes them choose your services.
- Competitor Analysis – looking at the major competitors in the market and developing strategies for how you compete against them.
This approach can be scaled to small and large organisations with varying levels of detail.
A structure like this helps the Board and management team to focus on the myriad different issues impacting on the organisation’s strategy and ensure the strategic plan fits that context.
Last month we looked at how the market is continually changing; and how to ensure that the market conditions are monitored and part of regular management/board discussion. Click here to go back to that article.
In coming months and future editions of Foreword, we will provide more detail on these elements that make up the market assessment.
CBB has worked with a number of organisations to help them better understand the market they operate in. We can help your strategic planning process by preparing a market scan or review.
For providers working in the NDIS currently or planning to in future, we suggest you can sign up to the NDIS Success Program. This program aims to increase the supply of NDIS services in communities, with a particular focus on regional, remote and rural communities and Aboriginal and Torres Strait Islander communities. Delivered via webinars and online resources, we’ll give you all the tools and information you need for NDIS Success.
If you’d like any assistance with reviewing your market environment, please call 1300 763 505 for an obligation free consultation with one of our Business Consultants.
We live in unprecedented times with the business models of decades’ old organisations quite literally changing overnight.
The radical changes we have seen over the past few weeks have demonstrated the speed at which market dynamics can change, and the need for businesses to respond quickly.
Boards and management teams are needing to respond with urgency to scenario plan and make decisions with imperfect information as the situation unfolds.
The markets that we operate in and the customers we serve are always changing. Whilst the speed of change is not necessarily what we have seen recently, now is a time not just to focus on the immediate crisis at hand, but to think about how to structure management and board meetings so that market changes form part of the regular and ongoing conversation.
From our experience, we observe that management reports typically fall into one of three different categories:
- Activities completed or in progress in the week or month.
- Business KPIs which are typically backward-looking and reviewed to ensure the business metrics are on track, trends can be identified and corrective actions put into place. e.g. finance, HR, work health safety.
- Progress against the strategy which is often a table that lists out the: goals/objectives, comments on the status against them and an indicator (e.g. traffic light).
As part of aspiring to best practice, any discussion of the strategic plan and, in this case, progress against the strategy, is worth including an item to identify and (as required) discuss any changes to the market conditions.
The review of market changes can often be addressed simply with a few bullet points and identifies by exception, any material changes in the market environment since the last report. It is important to identify both what is going on in the external environment and the potential impact on the business.
Sometimes, where a significant change is occurring or has occurred, it might be appropriate to include a white paper or an article talking about the change, or set up a special meeting to consider those changes. A major technology change; action such as a significant merger or acquisition by a supplier, customer or competitor; or change in government/stakeholder funding might lead you to establish a separate meeting of the Board or a sub-committee like risk/finance.
Within the disability sector, we have seen changes every few weeks or months that impact on organisations. Changes to the NDIS price guide, the Royal Commission and new quality and safeguarding requirements are just a few recent examples.
Making a report on market conditions a regular part of the board reporting template can help to keep the Board and management team coming back to the important strategic matters, and not to just be stuck in the operational issues.
Next month we will share more about some tools that can be used to analyse and better understand your market.
If you’d like any assistance with reviewing your market environment, please contact Andrew for an initial obligation free consultation.
Former Director of the FBI Robert S. Mueller, III, made the famous quote that:
“There are only two types of companies: Those that have been hacked and those that will be hacked.”
And others have since moved to suggest that the quote should now be: “There are only two types of companies: those that have been hacked and those that don’t know they have been hacked.”
It is unfortunate that not for profit organisations are sometimes the target of a cyber-attack. Given that not for profits often hold a lot of personal data, they can be seen as a soft target. Attackers also don’t need to have a lot of data about a person in order to perform identity theft, so the consequences can be significant if personal data is stolen.
Being the subject of a cyber attack can have wide ranging impacts on the organisation; including damage to reputation, financial losses and an inability to service clients during any downtime caused by the incident.
On 28 February 2020, the Office of the Australian Information Commissioner (OAIC) released the latest Notifiable Data Breaches Report on the period July to December 2019. A few key statistics and observations can be made from the report:
- Nationally, there are approximately 80-90 data breaches per month which are “eligible”* and are reported to the OAIC
- Malicious or criminal attacks (including cyber incidents) are the leading cause of data breaches, amounting to 64% of all notifications in the past six months
- About a third of breaches are the result of human error
- The health sector has the highest number of breaches
- Most data breaches affect less than 100 individuals, showing the vulnerability of smaller organisations, including not for profits
- The most common data which is involved is personal contact information.
*Under the Notifiable Data Breach legislation, it is an “eligible data breach” where:
- there is unauthorised access to or unauthorised disclosure of personal information (or the information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur)
- a reasonable person would conclude it is likely to result in serious harm to any of the individuals whose personal information was involved in the data breach, and
- the entity has not been able to prevent the likelihood of serious harm through remedial action.
If an entity suspects that an eligible data breach has occurred, they must undertake an assessment into the relevant circumstances, notify affected individuals and the OAIC as soon as practicable.
Ensuring that your systems are secure is fundamental to data security, but human error also presents significant risk. Human error can involve a staff member inadvertently opening a phishing email or clicking a link to a suspicious website. One of the other sources of data breach can be, for example, when a staff member accidentally selects the wrong email address and sends an email with personal details to the wrong person.
Cyber risks are often one of the risks that are identified in a risk assessment, but many organisations struggle to know what to do next to mitigate those risks.
Five steps to mitigate cyber risk
Not for profit providers can take these steps to prepare now and mitigate the risk:
- Ensure that cyber risk scenarios are identified in the organisation’s risk assessment.
- Look at your people and the role of training in mitigating the risk– it’s important that employees understand how to detect and report threats, protect their devices and the organisation’s data.
- Preventative technologies and processes – encryption, secure backups, multi-factor authentication and modern hardware/software will all help to minimise the risk of data loss.
- Work with a specialised external consultant undertake an independent security review and penetration testing.
CBB consultants have had experience in helping organisations plan their risk management activities. If you’d like assistance with risk management, please contact:
- October 2019 AICD Magazine – What boards can do in the event of a cyber breach
- OAIC Notifiable Data Breaches Report: July–December 2019
- OAIC Notifiable Data Breaches Scheme 12-month Insights Report