Rethinking risk in the new reality for global business
As the US and Canada steadily recover from the pandemic, we at Control Risks are standing shoulder-to-shoulder with our clients, providing global on-the-ground insight, sharing lessons learned from others and helping them see around corners. By assisting companies across sectors to manage a new set of dynamic risks and seize fast-moving opportunities, we are committed to helping our clients fully capitalize on the rebound.
As organizations emerge into a changed world, they are wrestling with a dizzying and diverse set of overlapping factors with impacts both at home and abroad. Just to name a few, these include a localized and uneven global recovery, changes in business models, a supercharged litigation environment, disruptions to supply chains, uncertainty about return to travel, a changed regulatory environment, increases in ambient crime, complications surrounding the reintroduction of employees to the office, pandemic impacts on mental health, exacerbated social divisions and shifting geopolitical sands. These and other factors are redefining the culture of organizations and putting additional pressures on businesses when it comes to security, ethics and compliance.
In recent months, we have helped clients both in the US and Canada and across the world navigate each of these challenges and find the opportunities within the intense noise. Our experts have assisted in building capabilities to monitor, assess, mitigate, and respond to these multifaceted risks.
In this moment, companies have a critical opportunity to challenge their past assumptions about risk, re-evaluate their processes and procedures, and optimize their programs for risk management.
Below, the Control Risks team answers some frequently asked questions we’re hearing from our US and Canada-based clients as they aim to do just that.
How do I know when there is a shift in risk to my organization? How can I use technology and data to manage evolving risks?
- Ensure that the entire organization, especially leadership, is aligned on risk identification, strategic risk tolerance, triggers for risk response and the decision process for approved risk control actions
- Develop a risk methodology, matrix or risk register that can be monitored and tested regularly
- Use all available internal and external data sets to inform risk information in real time
- Leverage human analysts to validate and enhance risk information
- Build a data collection model that is aligned with the corporate risk methodology; test and re-assess the model, and re-evaluate it on an annual basis
- Communicate risk to stakeholders in a concise, easily actionable manner through data visualization or strategic report development
- Develop a process for the organizational response to risk (decisions and re-assessment)
How do corporate security functions need to evolve to meet the needs of a workforce that will be increasingly mobile and less office-based in the long term?
- Engage with cross-functional stakeholders (HR, Legal, Risk Management, BCP, IT, etc.) to re-examine and re-define what duty-of-care means for your organization. Ensure the organization is providing a safe and secure workplace for employees regardless of where they are, including extending that coverage to employees who are now working from home on a permanent or hybrid basis.
- Assess how many employees will work from home, when they will do so, and where they will do so, and whether those patterns will be stable over time.
- Invest in tools and technology to develop a data-driven security capability that supports risk-based decision-making through the collection of granular and near real-time intelligence.
- Assess the existing skillsets and capabilities of the security function, and identify any gaps in the ability to collect, analyze and disseminate intelligence. Consider what levels of training and/or recruitment or outsourcing are needed to meet the organization’s needs.
- Integrate human capital management platforms into mass notification/critical event management tools to ensure employee wellness check and response accounting capabilities are in place and that event notifications provide all-hazards coverage.
What measures need to be put in place to manage the cultural change that will follow the pandemic due to remote work, return-to-office, or business restructuring? How can we assess and mitigate the risk of fraud or compliance breaches in the current environment?
The risk picture will vary significantly for companies depending on how they fared through the pandemic. Some are overwhelmed and backlogged with more work than they ever could have imagined, while others are under significant pressure from a performance perspective because of the negative financial impacts of the crisis. Those two positions play out very differently from a culture and risk perspective.
Understanding your risk profile and how it has changed at the enterprise, business unit, and transactional level is critical—and the effective use of data (auditing and monitoring capabilities) is necessary to do that.
In addition, managing this change requires a combination of communication and messaging to reinforce policies and ethics. Facilitate a speak-up culture so that you get forewarning of problems arising from cultural change in your business (in particular, to ensure that any behaviors in the remote environment that would have been highlighted to management in a non-remote working situation are still being adequately raised).
What are the primary workplace violence related threats associated with the post-pandemic transition back to the physical workspace? How can these be addressed proactively?
The most concerning issues are the potential for employees to experience a mental health crisis and the potential for domestic violence issues to spill over from the home into the workplace. The best strategies for threat mitigation include ensuring that employees and managers report concerning observations and situations identified in the remote work setting, and that HR, Security, and others involved in the threat management process are made aware of these situations and are able to monitor them upon the return to the physical workspace.
Workplace violence policies should also be updated to address domestic violence issues (e.g., notification of a protection order) and to revise the definition of "workplace" for employees who will continue to work from home or on a hybrid schedule.
How can we expect US-China relations to impact business? What is the regulatory environment going to mean from a risk perspective?
- The US-China business environment will remain complex. The COVID pandemic has both contributed to bilateral tensions and expanded national security considerations to new sectors and supply chains.
- Geopolitics will continue to drive headlines and shape business risks. Companies should identify and focus on issues that are relevant to their sectors or specific to their operations. Scenarios can help companies understand how sensitive their operations or strategy are to US-China relations.
- Business regulation is evolving rapidly in both countries (especially in new areas like data protection, trade controls, and sanctions compliance). Companies may face competing regulatory requirements that demand careful consideration to ensure legal and regulatory compliance in both jurisdictions. Companies should also obtain and maintain a clear and detailed understanding of supplier and customer relationships.
- The Committee on Foreign Investment in the United States (CFIUS) continues to closely scrutinize investment from China and other countries for national security implications. The assessment of CFIUS-related deal execution risk is highly specific to the details of the investment activity. In general, companies should engage with the process early to identify potential risks and consider mitigations.
How can I prevent my company from suffering a ransomware attack?
- Ransomware is a business continuity event. Treat it strategically, with executives and crisis management teams who are as rehearsed for ransomware as they are for natural disasters and other crisis events.
- Invest in cyber security and focus on the fundamentals, such as:
  - Personnel and material resources
  - Network isolation, especially between corporate and manufacturing segments
  - Zero Trust Architecture (ZTA): treat every user, device and request as potentially compromised, so that the network continuously assumes it is under attack and verifies access accordingly
  - Training and awareness of the user base
- Understand your risk exposure to all possible threat actors and their capabilities through threat monitoring and internal, intelligence-driven risk assessments.
How do we as resilience professionals address complacency bias following COVID-19 (i.e., avoid the organizational assumption that because we have gotten through the pandemic, we are necessarily well placed to respond to the next major crisis)?
- Reframe the conversation with leadership to focus on a post-incident review to collect lessons learned on what went well/what didn’t, validate and improve crisis management and business continuity programs, and emphasize generating greater efficiency in managing the response to future crises.
- Remember that we are still not in the clear. While things are improving in certain locales, the reality is that a true "post-pandemic" world is still a long way off, so we will have to continue managing through a highly fragmented situation across markets, with a high potential for multiple concurrent crises (wildfires, hurricanes/tsunamis, violent social unrest, ransomware attacks, mass shooting incidents, etc.).
- Refresh risk registers to reflect a post-pandemic operating environment, and clearly define and depict both low-probability, high-impact events and their converse, so there is clarity on how CM/BC programs need to be adjusted to meet a broader range of risk scenarios, both the known unknowns and the black swan events.
- Consider running an exercise on a completely different type of business disruption event to reinforce the processes, decisions and actions that are similar, and to identify those that will require adjustment. It is incredibly important to reinforce the core tenet that not all crises are the same and each requires distinct mitigation strategies and response actions.
- COVID-19 has been a once-in-a-century crisis that has impacted all facets of life in every corner of the globe for an extended period of time. By contrast, most crises are not universally shared experiences and can be more problematic for companies to manage, particularly on the stakeholder management front.
How should we monitor ESG risk in our supply chains as they get more complex (i.e., extending beyond the few countries that we already know well)?
- ESG issues, standards, and performance metrics vary by industry and activity, but all companies should try to align ESG risk management with their business strategy and code of ethics. Companies also need a robust ESG management system with clear senior accountabilities and clear policies and procedures for identifying, monitoring, and reporting ESG risk issues. ESG good-practice guidance covering key risk areas such as human rights, climate change, and anti-corruption is available from a range of government, civil society, and industry bodies.
- ESG risks evolve in response to the political, economic, social, and technological dynamics of the places where companies operate. As companies expand or incorporate more complex supply chains, especially in new jurisdictions, they should update their assessments of relevant and significant ESG issues and stakeholders. The COVID pandemic may also have introduced new issues or stakeholders into a company's ESG lens.
- While many companies report under voluntary commitments or ESG disclosure frameworks, regulators may seek to make ESG risk disclosures mandatory in the future. US regulators, for example, are likely to require listed companies to assess and disclose climate-related financial risks.