In this episode of Resilience Rising listeners are invited to explore the complex world of cybersecurity and corporate risk with special guest Annie Searle. Annie will use her experience in operational risk management across the financial, IT and emergency services sectors to help risk and security leaders unpack their strategic challenges.
The discussion delves into some notorious corporate scandals, examining how the ‘tone at the top’ in organizations can significantly impact their approach to managing risks. Covering infamous cases like Theranos and Wells Fargo, the conversation sheds light on the multifaceted nature of corporate governance and cybersecurity.
Listeners will journey through various themes, including the influence of leadership decisions on corporate behavior, the evolving responsibilities of boards in overseeing risk, and the future challenges of risk management amidst the escalation of cybersecurity threats. This engaging dialogue offers valuable insights into the successes and failures of companies in navigating these complex issues, providing lessons and reflections on the ever-changing landscape of operational risk.
Highlights
Corporate Scandals and Risk Management
The Red Sift team and Annie discuss corporate scandals like Theranos, Credit Suisse, and Wells Fargo. They cover everything from ineptness and missed opportunities for course correction in corporate structures, with a specific focus on Wells Fargo.
Tone at the Top
The group discusses the influence of senior management and board decisions on overall corporate behavior. They cover the impact of ineffective leadership and oversight on operational risk looking at the 2008 financial crisis and Washington Mutual’s collapse as well as Boeing’s 737 Max crisis.
The Role of Boards in Risk Oversight
Annie Searle shares her perspective on board responsibilities and oversight in risk management – specifically through the lens of regulations like Sarbanes-Oxley. Boards need to be better informed and more proactive in managing risks – though it can be challenging to bridge the gap between technical experts and board members.
Cybersecurity and Corporate Governance
The evolving landscape of cybersecurity risks introduces different responsibilities and roles for the board – especially in light of the new SEC reporting rules. Boards must find a way to understand cybersecurity as part of operational risk and improve cybersecurity at various organizational levels.
Key Links
Follow Annie Searle on LinkedIn: https://www.linkedin.com/in/anniesearle/
Follow Sean Costigan on LinkedIn: https://www.linkedin.com/in/seancostigan/
Get Annie Searle’s book “Advice from a Risk Detective”: https://a.co/d/bbWHUpt
Transcript
Sean Costigan: [00:00:00] Welcome to Resilience Rising. I’m your host, Sean Costigan, Managing Director of Resilience Strategy at Red Sift. Today, we are delving into our recent exploration of the intricate world of corporate risk management and cyber security. We’re doing this with Annie Searle, a distinguished expert in the field of operational risk management.
In this episode, we’ll look into the intricacies of notorious corporate scandals, including cases like Theranos and Wells Fargo, and we’ll examine what companies can do to improve their understanding and management of cyber security risk.
It’s my pleasure to introduce Annie Searle, principal of Annie Searle Associates. Annie helps companies build world class risk programs. An internationally known expert in operational risk management with extensive experience in the financial, IT, and emergency services sectors, she thrives on complex challenges.
Annie spent the last decade teaching the next generation of risk and cybersecurity [00:01:00] leaders at the University of Washington’s Information School. While using her risk practice to write, speak, and publish through the ASA Institute for Risk and Innovation.
She’s a lifetime member of the Institute of American Entrepreneurs and an inaugural inductee of the Hall of Fame for the International Network of Women in Emergency Management and Homeland Security.
So thanks, Annie. And maybe you want to fill in a little bit more if I’ve missed anything or glossed over anything in your.
Annie Searle: No, it sounds like a eulogy at a funeral. I think that’s more, I think that’s more than it.
Sean Costigan: It’s very impressive. And I know you’ve done many things that are not captured properly in the bio. I’m sure we’ll have the opportunity when we talk, maybe more things will come out.
So Annie, what corporate scandals have really surprised or shocked you over the past few years? Can you give us any examples?
Annie Searle: The most interesting case to me that continues to be a case is that of Wells Fargo, which has been under the thumb of the Federal [00:02:00] Reserve and the Securities and Exchange Commission for how many years? The first attempts to correct problems in what was perceived to be the consumer banking area. where staff were made to invent accounts for customers who hadn’t asked for them to get up to
eight kinds of pieces of business with a customer. The CEO’s motto was eight is great. And supervisors in that area actually pounded on their people to go out and to cold call or to, Use members of their family or to dip into the customer database and just invent accounts for auto insurance and credit cards.
No one asked for a variety of things. And this is an old and valued institution [00:03:00] that had a great reputation and a pretty pristine credit quality for a long time. The regulators stepped in, they’re heavily fined, the size of the fines seem, sound large to us, but it’s like Kleenex to an institution that makes a lot of money every year.
They switched CEOs, brought in, promoted someone from within, who is part of that culture. He failed, so they brought in a man and the CEO now. Is in fact, one of Jamie Diamond’s successors at Chase. He came from Chase. I knew him because he handled the takeover of Washington Mutual when Chase bought Washington Mutual.
He’s tried as well, but we continue to see [Wells Fargo] in the eye of the hurricane where the regulators are concerned. They continue to be fined. They can’t seem to correct the culture. So that’s where the, [00:04:00] that’s where my analysis is that no matter how hard they try, the behavior at the top somehow does not mirror the behavior down below, which is the opposite of the way things are supposed to work.
Things are supposed to be monkey see monkey do, right?
Sean Costigan: Troubling and fascinating all at once. So what do you think that investors should be looking out for now?
Annie Searle: Let me go back or stick with Wells for a moment because the only time the Federal Reserve has really stepped in where a board is concerned, specifically, very, in a very tactical way, is with the Wells Board.
And they required that Wells replace three people on their board, and they required the kind of background, they specified the kinds of backgrounds those people had to have. And that would be an understanding, sufficient to provide oversight from a risk [00:05:00] perspective. Tone at the top means what your mission statement says, it means what your Code of Conduct says.
But past that, it is the exemplification of those values in behavior. And so what you often see and this would be true at Wells is managers at a lower level are concerned that they receive their annual bonuses, and so corners get cut and goals get modified and unacceptable behavior is frequently acceptable in the interest of the bonus.
Maybe the risk or the problem is reported to the manager above that person. But I find that increasingly as the reports go up in the organization, [00:06:00] not just to the C-suite, but to the board, the risks become more sanitized. So they don’t appear to be as problematic as they might be. At Washington Mutual, we were told that there were a few problems in the home loans department, that there was an Operational Risk Subcommittee, in California in fact, overseeing and disciplining people who wrote fraudulent loans or didn’t handle the paperwork properly would be the way that would be described. So the magnitude, for instance, was not known to me. I was a Senior Vice President. Was the magnitude, does that mean that if I was at that level reporting to the CIO and to the Chief Risk Officer, does that mean that it became even more sanitized when it went to the CEO?
It’s hard to know and it’s hard to piece all of it together in a kind of coherent narrative. I have a review of a very good [00:07:00] book that Kirsten Grin wrote called “The Lost Bank” about Washington Mutual. The review turns out to, I just used the four lenses for operational risk to examine the bank over time, what happened to it and why it went away.
And a failure to pay attention to signs that were imminent everywhere, not only in the bank, but everywhere in the financial services landscape. 2007, even as early as 2006. And then certainly in 2008 when most of the collapses happened.
The other thing was the Chief Risk Officer for several years… the first Chief Risk Officer that I reported to was the former CFO, where Wamu had pristine credit quality.
Things shifted at the bank. A new COO was brought in and he wanted to [00:08:00] put more risk on the balance sheet. One of the bank, he thought it was too conservative, and that’s where all of the inelegance, the fraudulent behavior with mortgages came in. But Bill Longbreak, who was the Chief Risk Officer, former CFO, had for many years been, he’s a PhD and an economist as well, had been presenting the board at monthly meeting at its quarterly meetings with as a Chief Risk Officer, an economic dashboard, and he had been pointing to a housing bubble for at least five years before it happened.
So very much not unlike what your FBI agent was saying on the steps of the capital. And I think there are other people, if you go back and look, you can see that there are many books written on how many signs there were. How many pieces could have been pulled together? Instead, you had many [00:09:00] leaders at banks saying, that’s not going to happen to us.
We have a solution for that. We’re going to work around this. We have a plan to get through this and we will continue. But for Washington Mutual, mortgages became too important. They became too much of a profit area for the bank. And so excuses were made, and you could make that argument with most banks that run into trouble, probably most companies that run into trouble.
I’m sure Boeing’s board said, and Boeing’s CEO said many times, that’s not going to happen to us. As they watch something, Airbus take a fine, that’s not going to happen to us. And in that case, you have a Board of Directors totally unprepared to get into a situation where safety and life become the two main issues and they affect not only the business that Boeing is in, the business Boeing is in [00:10:00] is actually selling airplanes to airline companies.
It’s not making sure that your ride is smooth from Seattle to Ireland or, it’s not any of those things, but they became enmeshed in issues that were larger issues that are fallout issues from the situation. Everything from training, how much training do pilots need to, how much disclosure do we have to make on changes we’re making to the architecture of the airplane?
Sean Costigan: So Annie, Boeing has been in the news quite a bit lately for quite a variety of problems. What do you think is happening at the top levels, particularly with the board?
Annie Searle: I think it’s when the first plane fell out of the sky, you have a large board. It’s a very diverse board. It’s not necessarily a technically brilliant board. A couple of people. You don’t have anyone who knows what to do. They’re [00:11:00] stunned and they’re waiting to see what the next step will be, waiting to see what the impact will be, waiting to see what the cause will be.
Remember when that plane fell out of the sky and even the second plane. There was an attempt in the media. I’m not saying it came from Boeing, but there was an attempt to blame the pilots because they were foreign trained.
They were not, they did not undergo the same rigor of training, shall we say, from an American point of view.
That was the point of view. And you had many Boeing employees smugly going around saying, just wait, we’ll see, pilot error.
So that’s an answer. And, that seemed to be sufficient to lead Boeing to do nothing for a long time.
Boeing never took a leadership position. Boeing has had to be pushed into every decision they’ve made, whether it’s more [00:12:00] training for pilots, whether it’s what’s up in the air, and Boeing is still, if you look, undergoing holds on certain things they can do and not do, not only with that model of plane, but with other planes, they’re having all kinds of trouble in manufacturing that they’re still grappling with.
Sean Costigan: It’s very interesting. To what extent do you think that groupthink is playing a role here?
Annie Searle: That’s the article that I wrote for the board risk committee, that’s, I’ve got a quote, in fact, at the top of the article. On groupthink probably is the worst thing that can happen to a board, not asking questions, not raising issues.
That to me is the chief responsibility of a board member. That’s what oversight means really questioning any major decision or any change of direction and looking [00:13:00] at both worst case and best case. for what might occur as a result of a decision that’s made.
Sean Costigan: I have some hypotheses, untested hypotheses that I’d offer here for why it’s challenging when things are seen as progressive, particularly like Theranos was seen as progressive.
It can be very hard for people, I think, to take a step back, even when things look obvious and in retrospect or there should have been due diligence. Again, there are many instances throughout new technologies where people look at things and say, that’s new so we’re willing to take risks in ways that are different when it appears new or progressive. And that’s my hypothesis, I’m going to assert that not suggest that’s a hypothesis, but okay.
On that note, from time to time when things appear progressive when there’s something new, it’s strange, but it seems like we throw out due diligence or we throw out various good models for how we handle risk.
So [00:14:00] any sort of new innovation if that’s a, that sounds like a redundancy there, but any sort of innovation, should receive the same treatment and that of any other development. But why is it you think Annie that when something is perceived as new or progressive in quotes, that it seems like we just don’t do the work that we could have that would have made it obvious that Theranos was odd, or perhaps there are problems with the plane, or there are other issues.
Help us unpack that.
Annie Searle: I’m speculating here. This is my hypothesis. I think that she was able to assemble a very distinguished board, none of whom had competencies in this area. Because, if you’re sitting next to the former Secretary of State in a board meeting or if you’re talking to a retired general, you just look at the board to [00:15:00] see that kind of thing.
You tend to have confidence that you’re in the right place with the right progressive company. Because of the other people who are there with you, and it’s a kind of I wouldn’t say deliberate at all, but unconscious ceding of the oversight responsibility that is yours as a board member, I think every one of those board members should be asked, no one’s going to ask them to do this, but to make statements about why they didn’t understand that they had. They had no product. That the product did not work as described. However, you want to put that they like the idea. It looked like something that was going to help everyone – it looked like a public service kind of product.
Sean Costigan: That’s why I say I think there’s something there. It’s, but it’s interesting when people outsource their brain on risk. They’ll step back and say, Oh, why am I no longer [00:16:00] asking critical questions when in my career, I would have always asked critical questions.
Presumably those people got to be in powerful positions because they thought about things and they thought it wasn’t just because of groupthink they had, they’d all, I’d like to think that they’d asked the right questions at the right time. And so something about these is peculiar to me.
And I think part of it is technology. And part of it is that they, and they may not be the right people. Because they can’t, they don’t know the technology or they don’t, but once you put two things together, public service, and you did that just now, you said there’s a public service that’s being done and other technologies are presented as that too, like planes that are more efficient.
So when I was looking at one of your articles you talked about informed board members bringing us one step closer to corporate stability. So what does that mean? What is the information that they should be getting? That would bring corporate stability in a better way.
What level of information are we talking about? And start with that question.
Annie Searle: I [00:17:00] think now I’m going to step into making generalizations when actually it varies according to sector and size of organization, but the first responsibility is laid out in Sarbanes Oxley. In SOX, a regulation now that’s so old, I think it’s 2000 or 2002 but it says that directors on boards are responsible for direct supervision of the company.
So that means everything from being able to read a balance sheet and ask questions about it, being able to take an inquiring, if not somewhat aggressive approach, to any new project proposed or change in direction and being willing to speak up. So only now are we coming out of the era that I was in when I was at the bank.
[00:18:00] It’s hard to believe it’s 14 years ago I left the bank. But at that time, CEOs were often the president of the board as well as being the CEO, and they really ran the nominating committee of the board, which is where your new board members come from when board members retire, someone has to be proposed.And that’s the committee that’s chummy with the CEO often in the company. You want a board that looks like you and sounds like you were now we’re pretty much past that we have more regulation, we can see from the latest SEC rulemaking that they’re going to tighten things somewhat, not as much as they might have, it looked like initially, but they’re going to tighten up on, on making companies describe the process by which decisions are made where risk is concerned.[00:19:00]
They’re not going to make them give a grade to every board member in terms of their competence to understand risk or oversee. But they’re going to make them describe the process rather clearly. And they’re also forcing companies, not as much as GDPR is doing, but close to that they’re forcing them on the disclosure requirement on breach.
How much of that does a board member have to understand? I think what I’m tending to see is often companies are taking their boards off site and spending days, or a couple of days, I think organizations like NACD where those are board members from a variety of companies, all in pursuit of better understanding, especially of cyber and risk.
So I think some of that is getting better.[00:20:00]
That isn’t to say that it won’t happen again, but the responsibility, the primary responsibility is to be able to attest and to sign off on a balance sheet that the financial reporting is accurate and truthful, and CEOs and CFOs can still go to jail and incur a large fine if that’s not true, because when they sign.
Past that, I think it differs, and I think the reason that often we don’t see more board members who are, say, former CEOs, or who are CISOs on boards is because that expertise isn’t really well understood.
The CISO expertise isn’t understood and also, frankly, we have, I’m sure you probably don’t want to take it in this direction, but we have a [00:21:00] long line of CISOs who are just not good at speaking or explaining at a high level. And if one can’t explain at a high level, it’s hard to reach a board member to get them to understand the gravity of the situation.
They don’t have a way to take the information you’re giving them and process it properly. Particularly if a breach has occurred. I think there’s a possibility there for really bad behavior from the board or the C-suite in terms of wanting to punish people.
If it’s happened in the United States, I’m not familiar with it. I can’t name a case, I guess I can from Enron, right? The CEO of Enron had a jail sentence, and I believe he died before he could serve the time or while he was serving the time.
That’s really in, in terms of my reading, that’s all I can attribute. We haven’t seen [00:22:00] seen, so we have SOX, which says the board has oversight responsibility. Then we have to go all the way to the Wyndham Hotel case, where the court said that the Board of Directors has a specific oversight responsibility where security and digital trust is concerned and they can be, and it says they can be fined for a lack of oversight.
Sean Costigan: And that’s personal, that’s personal liability then at that point, right?
Annie Searle: I think so. I don’t, I’m not aware of any prosecutions as a result of statements made on 10-Ks.
It’s just not to say that I don’t, it could be if one of those were levied that would snap things into place and people would stop, partaking in certain kinds of behavior, but it’s not clear. And I think [00:23:00] part of the reason is the difficulty in establishing blame or responsibility. Cyber is a really gray area for making things crisp.
This happened here and then this decision was made and that decision. I think the response generally still to breach is to clean out some of the C-suite and make sure they get a new CISO at the same time and probably call in a famous company to examine all of their practices and make recommendations.
Sean Costigan: It’s really deep, deeply challenging stuff as you think about. The pipeline for CISOs, there, there aren’t that many, so you addressed one issue, which was CISOs and their ability to, or inability to crosswalk to operations, largely to enterprise level operations.
[00:24:00] So many of them don’t have that skill set, right? They came from a different sort of career progression. And so that’s one issue. There aren’t that many. And I think that may also be one of the reasons, I’ve not read all the public comments on this, but one of the reasons that there’s… there have been so many questions about what the board should know about cybersecurity risk when it comes to the SEC rules.It just it’s not, and then you mentioned as well that there’s a gray area. There are a variety of gray areas. So let’s take one in particular, we get in the weeds a little bit perhaps, but on the four day rule. So the four day rule, as I understand it now, it’s four days after the company understands that it was a material incident.
So it’s not four days after an incident, right? That’s your first sign that it’s after an understanding of the incident, right? That it becomes material there and then they will want to report it. So this is, I think that’s an interesting shift. What do you make of [00:25:00] that?
Annie Searle: I think that firms lobbied hard and got an adjustment on, by explaining various kinds of ways breaches can occur and how long it takes sometimes to determine whether something is material or not.
The intent of the SEC was probably initially to be generous by 24 hours, right? Because they’re giving them more than 72 hours. But I think this is just something, and I’m sorry if I, I may just have gotten used to it from having looked at this stuff for a long time, this would be a normal pushback for financial services in particular, but really all large companies that suffer breaches to do to be, to argue that they should be given, the ability to determine materiality, and I [00:26:00] think we have to see what it looks like more particularly as it’s shaped to see whether or not the kind of reporting they’re going to have to do is going to give us a timeline for it at the same time.
This happened and then three weeks later, this happened, we didn’t put the two things together. And then this happened, and now we’ve determined they are all three related, and it is material, and that’s why we’re reporting it. I don’t know if that’s how the reporting will look, though.
The other thing to pay attention to seriously on the rulemaking is the out or the provision that says your breach is connected in any way shape or form with national security, you get another 30 days and the Attorney General can intervene to attest to the fact that there are [00:27:00] national security issues involved.
So that lets Microsoft, Google… you want me to keep going?… a number of companies… that gives them an extra 30 days from whenever, whatever they’re going to come up with past those four days, and the determination of materiality.
And, though the SEC is asking for a description, and I think this will be in the 10-K, of what the process is by which decisions are made and then conveyed or the board participates in the decision making.
I think that’s an important part that didn’t get changed. Probably most C-suite people saw that as harmless but actually that can be really useful.
Sean Costigan: So , I think, there, there’s, there, there are several issues that strike me when in this conversation that… the first is at the, at enterprise level risk, that we now know exists. [00:28:00]
Because of problems with cyber security for companies or problems broadly in cyber security that is there a path that you see, and how much time do you think it will take before we grow the necessary expertise.
At the board level, and I can give you some examples now of where I’ve seen boards be more proactive and you probably have seen this as well, right? So we tend to look at things negatively. We look at things that, the examples of things that didn’t go well, but there are examples where boards did well.
Most recently, Wall Street Journal had a great article of a CEO and a German firm, Evotech, that when, he was told there was a significant breach, he went out and made it part of his mission to talk to stakeholders, to talk to everybody who was involved, the company, regulators, anyone who might potentially be involved.
And I look at that and say, is that a new model? Is that the beginning of a new model? Do we always have to wait for regulation or can we see a possible [00:29:00] generational change in leadership at the C-suite and in the board, where they start to recognize, look, cyber is just part of the operational risk.
Or is that just too hopeful?
Annie Searle: No, I think that’s fine. I think.. You know, you take a company like JPMorgan Chase with Jamie Dimon.
Go back and look at the London Whale example, which is now in the past, probably 14, 15, 16 years, but it was something like a $6 billion fine they incurred for that.
Many white papers have diagnosed what was wrong, where in the organization, how Jamie Dimon could possibly have appeared on an investor call and said nothing was wrong, how he could have been let out to speak, it’s clear he believed what he was saying.
Nothing was wrong. Wasn’t a problem. They had it handled.
His [00:30:00] behavior since then, since that time, has been pretty exemplary. He has a really good board that challenges him a lot and he tends to speak up more, as the Potter familiar, for the banking industry.
He likes to say that J. P. Morgan Chase is the nation’s bank, because it’s bailed out other banks and has a good history. So I think that’s good. I think for all our sort of negative focus on examples we know about through the media, there aren’t actually as many examples of bad behavior or non behavior, or fines than there were in the past.
Even though we have regulatory agencies in the United States now, we have the Consumer Financial Protection Board as well, for example. We have the OCC with a much larger role than it had before in regulation. [00:31:00]
And we have the Federal Reserve and the SEC really strong, I think, for guidance.
Which, which goes back to, what can companies do? I think the mere fact that a CEO sends his board members to NACD meetings is a very good sign. And I think that’s a level at which board members should be oriented and trained. Then, they get an appreciation of what an appropriate level of information would be.
But in point of fact, we still have this gap operationally with the security apparatus where we’re not good at explaining what the threats are or why the investment will pay off, or assembling, a kind of research history of the threat in terms that even a C-suite [00:32:00] executive can understand.
Sean Costigan: You could make an argument that cybersecurity risk broadly against critical infrastructure, particularly critical infrastructure companies, you could make an argument that the government should take a more active role in defending, in defending critical infrastructure.
But that doesn’t jive very well with private control of critical infrastructure and all the challenges that are there when you have so much private enterprise and so you and I know and in our classes, you know where you’ve invited me to speak we’ve talked about this a bit too, but that tension doesn’t seem to want to give up, especially in the face of cybercrime that continues to grow.
At what point do you think this sort of security fatigue sets in, and people just say, “look, this, I can’t be responsible for everything, where is the government? Why isn’t the government protecting me?”
Annie Searle: You’re right in my, you’re right in my sweet spot now. That’s what, post teaching, I’m pretty determined on [00:33:00] going back to something I did before I started to teach, which was really exhorting people on public-private partnerships, particularly with how I see CISA as having become such an important agency over a relatively short period of time, really establishing strong relationships with private sector companies and being willing to, share, and, step down and onto a discourse platform rather than
“Here’s what you need to do. Here’s the kit we’ve designed for you for cyber hygiene. Here’s the kit we’ve designed for you, and that’s the end of it.”
So I’m very pleased about that. I think the government has done more. The government… Target probably to this day wouldn’t know they’d been hacked if it weren’t for the FBI.
They wouldn’t have a clue. And the [00:34:00] FBI’s been going around explaining that to a lot of people. A lot of companies.
The implementation plan, for, through the, Office of the National Cyber Director is huge that Biden has just laid that out pretty well, and I’m looking at the list.
So there’s 65 initiatives assigned to 18 agencies with timelines. And, the Ransomware Task Force is CISA and the FBI. Software Bill of Materials, CISA and International Work Group. International Interagency Cybersecurity Standardization is NIST And International Cyberspace and Digital Policy Standard is the Department of State, interestingly enough.
So I think things are moving there. And part of my job and going out and speaking, at least some of the speaking I’ll be doing will be really urging firms to assign a person, probably from their cyber [00:35:00] organization, directly to attendance in the Regional Infrastructure Security Group that SISA offers in each of the regions.
Sean Costigan: Deeply fascinating, Annie. So do you have any other recommendations as you think about what to do to improve cyber security for companies going forward, whether that’s at the board level or the C- suite or internationally?
Annie Searle: What I’ve recommended in some cases in off the record conversations with members of boards is that there be a committee of the board separate from the audit committee called something like the risk committee. Because I see risk, as overarching and including cyber and I think there ought to be a relationship between the board members on that committee at the board level and the cyber organization itself.
It has to be really carefully managed. And I know that breaks boundaries where you know, staff is not [00:36:00] ever supposed to interact with the board member unless they’re hauled in to make a report. But I think we need better advocacy from the board, the part of the board that is charged with the responsibility for risk.
Better advocacy to the rest of the board, especially if they’re not getting it from the CEO. And that still is the case. It’s no fun to be a CEO, right? You probably have 23 issues a day you deal with. Cyber is but one of them.
Sean Costigan: Brilliant. That’s a great way to end it. Thanks once again, Annie, for your expertise and generosity. For those who just listened to Resilience Rising, we trust you enjoyed our compelling conversation with Annie Searle. Many thanks for tuning in.