Senior finance and risk executives make moves to reduce geopolitical risk and the FBI weighs in on cyber security.
The Corporate ERM Group met in May for its 2015 Annual Meeting. The agenda covered a wide variety of topics, including very practical matters of crisis management and getting quality risk intelligence from top executives, as well as those challenging in nature, such as cyber security and geopolitical risk in a volatile world.
1) Supply-Chain and Geopolitical Risk. There is no substitute for a thorough review of risks with input from all possible corporate stakeholders, such as legal, tax and security, before entering a new and potentially dangerous country.
2) Identifying Risk from Executive Managers and the Board. Whether you start at the top or end at the top is not important, as long as you ensure you include the top. Their engagement and support of the program and process is critical to its success operationally and strategically.
3) FBI Views on Cyber Security and Corporate Outreach. The most effective ways to protect yourself are to have strong passwords, back up your data regularly and not open emails from unfamiliar sources.
Supply Sourcing Caveats
Given the current geopolitical instability, MNCs are well advised to source supplies carefully and strategically. One practitioner offered several insightful recommendations:
- Don’t manufacture your latest technology in China. If you do, it is likely to be stolen.
- Establish redundancy in manufacturing. Don’t allow any single product to be manufactured in only one factory.
- Don’t rely on any single supplier. Dual source all supplies.
- Watch your ecosystem. After tsunamis in Thailand and Japan, the tech sector in particular has learned a lot about mitigating supply-chain risk.
- Don’t hesitate to leave a location if needed. One member left the Philippines because trucks of products were being hijacked.
Supply-Chain and Geopolitical Risk
Supply-chain risk is mentioned with some frequency in ERM, and it is hard to speak about it today without considering the effects and potential effects of current geopolitical instability. In fact, geopolitical risk was the top supply chain-related risk mentioned by members in the pre-meeting survey. This session covered some of the longstanding and nascent supply-chain risks members are grappling with, and the domestic and foreign affairs that could influence them in the future.
Key Takeaways
1) Look before you leap. The petroleum-based nature of one member company’s business is so capital-intensive and government-linked that it is crucial for the company to have a thorough understanding of what it is getting into before entering a new country. Consequently, the company performs a robust review process called the Above Ground Risk Assessment (AGRA). The AGRA involves review and input from some 15 different groups within the company such as legal, government affairs, tax and procurement, to name a few. The review is intended to identify all risks above ground that could have an adverse impact on the business.
To supplement their assessment, the company takes advantage of intelligence data providers such as Maplecroft and Business Monitor International.
2) “The local government is always a business partner.” Like it or not, this statement is true and the relationship must be managed effectively. One practitioner notes that trying to “strong-arm a government is not effective.” His company makes it a point to conduct humanitarian projects where it operates to build goodwill. He also notes that the in-country leadership engages with the local government and the company works closely with key US government agencies such as the FBI and NSA to assess risks in countries.
3) “Keep your friends close but your enemies closer.” Exemplifying this famous quote from The Godfather, another practitioner noted that her company has started partnering with local competitors in China to mitigate sovereign risk.
Outlook
There is no reason to believe supply-chain and geopolitical risk will become any less of an issue going forward. Therefore, members’ companies will need to continue to perform their equivalents of AGRAs throughout their supply chain and geography. Partnering with competitors could be a bit much for some companies, but it is an activity that occurs routinely in a number of industries such as oil and gas, engineering and construction and banking, all for the purpose of spreading risk and in some cases watching each other’s backs.
ERM Programs: The Elusive Risk Appetite Statement
Sometimes, in running ERM programs, broader challenges arise that touch the existence of and support for the programs themselves. The elusive risk appetite statement is one of those challenges.
While most risk managers would appreciate a guiding document such as the risk appetite statement, the big hurdle always seems to come back to the legal risks associated with it. According to one practitioner in the group, “We don’t publish a number but it is there.” In fact, said one group member, “no one wants to put it on paper, but every guide you see says to have a statement for risk appetite, risk tolerance and to have a chief risk officer.”
Another practitioner noted that “we tried a risk appetite approach in 2010 but there was resistance to seeing it all on one page.” On the other hand, another practitioner’s board of directors wanted the two-to-three-page document he presented whittled down to a one-page view.
If you do have a risk appetite statement, however, it has to be conservative, noted one group member, and you have to consider the materiality of any potential impact to financial statements.
Identifying Risk from Executive Managers and the Board
Determining which risks to report up and the best means to do so is an important component for effective ERM. However, communication goes both ways, and risks identified at the top also need to be brought down and addressed at the business level. Here’s a snapshot of how one member practitioner manages risk reporting in her organization.
Key Takeaways
1) Do you start at the top or end at the top? The process in this member company begins with one-on-one interviews with the chairman of the board, CEO and CFO. The practitioner uses their input as the starting point for building out the risk assessment and covers their top-five risks and a review of the prior year’s items to see what might carry over. She also incorporates into the discussion findings from her ongoing review of outside and inside research, such as the annual risk report from the World Economic Forum. The output from these senior executive level discussions is then communicated down the chain for further input and review, serving as the foundation for the annual risk assessment.
2) Taking it to the board. Once the practitioner has met with the chairman, CEO and CFO in December and the management committee in February, she then prepares those results for a “deep dive” review with the BOD subcommittee on each of the top risks. This is done in Feb/March and is shortly followed by a report to the full board. The BOD subcommittee has asked the ERM team to consider three additional elements in the process of assessments:
1- Impact of global climate change.
2- Should China be its own risk rather than a component of other risks?
3- How to see the unknown unknowns.
3) Confirming risk ownership. Identifying a top risk without establishing any ownership to it is obviously pointless. This member company’s process, like most mature programs, ensures that each risk is assigned to the appropriate operational executive. This is done following the management committee meeting and then again following the board subcommittee meeting.
4) When tools are not helpful. Everyone running an ERM program wishes there were better technical tools in the marketplace to aid the data-gathering, analytics and reporting processes. But for the data-gathering portion, this practitioner is not a fan of tools. “I don’t want the process to become a check-the-box exercise,” which is what she fears will happen if data-gathering becomes too automated.
Outlook
The views of the most senior leaders of the organization can either lead the ERM process or react to it. But regardless of which end of the process their input is focused on, it is critical to the success of any program. Some would argue that no one knows the risks better than those at the top. Others would argue that no one knows the risks better than those closest to the risks. It’s hard to say which is true, but both philosophies seem to work. The key, as many ERM professionals have indicated, is to simply have the conversations and get the right people thinking and talking. But the “right people” definitely needs to include executive management.
What Your Crisis Management Plan Should Cover
Everyone hopes not to have to deal with it, but managing a crisis is inevitable. Not having a thorough and documented plan for managing it can result in a crisis of its own. One group member has developed what seems like a reasonable checklist for what a crisis management plan should cover:
- An overall or enterprise-wide crisis management and response structure.
- A structure that supports consistent notification, escalation, and response process across sites and regions.
- A defined Corporate Crisis Management Team (CMT) and support teams as appropriate.
- Clearly defined team roles and responsibilities.
- Reporting criteria and process.
- Screening and team activation procedure.
- Protocols for the operational concept of the team, including forecasting and strategy development, decision-making, meetings, documentation, staff support and team de-activation, and tools/forms.
- A defined program management approach to maintain the desired crisis management capabilities.
FBI Views on Cyber Security and Corporate Outreach
This meeting was unique in that it marked the first time a NeuGroup had the pleasure of hearing from the Federal Bureau of Investigation (FBI). They had two purposes in attending: to share with the group what they are seeing in the world of cyber threats and also to inform the group of their interest in understanding more about corporate enterprise risks and how they align with threats on the FBI’s radar. The thinking is that the FBI can get in front of certain threats by understanding what MNCs are seeing in their operations.
Key Takeaways
1) “We’re from the government and we’re here to help.” Ronald Reagan jokingly referred to this line as the nine most terrifying words in the English language, but that was essentially the message from Roger Austin with the Bureau’s Office of Private Sector Engagement. Mr. Austin explained that the FBI doesn’t feel it is seeing all threats as comprehensively as it otherwise might if the views and perspectives of MNCs were included in its risk mapping.
2) Protecting the big stuff. Ganpat (Gunner) Wagh runs the FBI’s cyber squad in Cleveland. The Bureau as a whole is charged with protecting against three key threats: terrorism, foreign counter-intelligence and cybercrime. The FBI is part of the Department of Justice and is also a member of the US Intelligence Community, working alongside agencies such as the National Security Agency (NSA). While the FBI has a presence in over 60 countries across six continents, it has recently realigned its organization to cover specific threats rather than geographical coverage. The thinking is that if you give one risk to each office, they become very good at it very fast.
3) Are you the next Sony? “If you have not been a victim of a hack it is only because you haven’t discovered it yet.” Mr. Wagh made this startling statement to drive home the point of how pervasive cyber intrusion is. The damage done to Sony most prominently, and of course many others, such as Target and Home Depot, is any company’s worst nightmare. Ensuring the most robust protections possible has become a top priority for all IT departments, and cyber risk has become one of the top ERM risks for many companies.
4) Do you employ an Edward Snowden? Mr. Wagh noted that among the cyber threats to companies are their own people. Some may be disgruntled and become intent on inflicting harm. He also cautions against a sloppy practice of terminating an employee but not immediately removing their access to key systems. Any one of these risks can result in significant damage to a company and its reputation.
5) Basic mitigation goes a long way. Mr. Wagh encourages companies and individuals to do the following to reduce the risk and/or impact of security threats: (1) don’t open unfamiliar emails; (2) maintain strong passwords; and (3) back up data regularly. A growing threat to smaller companies is ransomware, where the attacker encrypts or locks the business’s files and systems and demands payment for the key to release them. This can result in a significant loss of data if it is not properly backed up, the cost of which can be much greater than the ransom paid. Backups only help here if copies are kept offline or otherwise out of reach of the infected systems (ransomware encrypts any backup it can write to) and if restoring from them has actually been tested.
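The “terminated but still has access” gap in takeaway 4 is one of the few items here that lends itself to a mechanical check: reconcile the HR termination feed against the account export from the identity provider or directory and flag every account that is still enabled past a grace period, or that shows a login after the termination date. The script below is an added illustration and is not from the meeting or the FBI; the record layouts (employee ID, termination timestamp, username, enabled flag, last login) and the sample records are assumptions constructed for the example.

```python
"""Offboarding reconciliation: flag accounts still enabled, or still used,
after the owner's termination date.

Added example, not part of the meeting notes. The HR feed and account
export layouts below are assumed; in practice they would come from the
HR system and from the identity provider or directory export.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Termination:
    employee_id: str
    terminated_at: datetime  # effective end of employment


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: str
    enabled: bool
    last_login: Optional[datetime]  # None if the account never logged in


@dataclass(frozen=True)
class Finding:
    username: str
    employee_id: str
    severity: str  # "high" = used after termination, "medium" = still enabled
    detail: str


def find_orphaned_access(
    terminations: List[Termination],
    accounts: List[Account],
    as_of: datetime,
    grace: timedelta = timedelta(hours=0),
) -> List[Finding]:
    """One Finding per account of a terminated employee that either logged in
    after the termination date (high: access was exercised, even if the account
    has since been disabled) or is still enabled once the grace period has
    passed (medium). Active employees, future-dated terminations and accounts
    with no matching HR record are skipped."""
    term_by_emp: Dict[str, datetime] = {t.employee_id: t.terminated_at for t in terminations}
    findings: List[Finding] = []
    for acct in accounts:
        term_at = term_by_emp.get(acct.employee_id)
        if term_at is None or term_at > as_of:
            continue  # no termination on record, or not yet effective
        used_after = acct.last_login is not None and acct.last_login > term_at
        if used_after:
            findings.append(Finding(acct.username, acct.employee_id, "high",
                f"login at {acct.last_login:%Y-%m-%d %H:%M} after termination on {term_at:%Y-%m-%d}"))
        elif acct.enabled and as_of - term_at > grace:
            findings.append(Finding(acct.username, acct.employee_id, "medium",
                f"still enabled {as_of - term_at} after termination"))
    return findings


# Constructed sample records (not real data): reconciliation run on 1 June 2015.
AS_OF = datetime(2015, 6, 1, 9, 0)
TERMINATIONS = [
    Termination("E100", datetime(2015, 5, 15, 17, 0)),
    Termination("E200", datetime(2015, 5, 29, 17, 0)),
    Termination("E300", datetime(2015, 5, 20, 17, 0)),
    Termination("E400", datetime(2015, 6, 15, 17, 0)),  # future-dated leaver
]
ACCOUNTS = [
    Account("jdoe", "E100", True, datetime(2015, 5, 14, 8, 0)),          # left two weeks ago, still enabled
    Account("jdoe-adm", "E100", False, datetime(2015, 5, 18, 22, 30)),   # disabled now, but used after leaving
    Account("asmith", "E200", True, datetime(2015, 5, 29, 12, 0)),       # left Friday, inside a 72h grace
    Account("bwong", "E300", False, None),                               # disabled, never used afterwards
    Account("clee", "E400", True, datetime(2015, 5, 31, 10, 0)),         # still employed
    Account("svc-backup", "E999", True, None),                           # no HR record: not a leaver case
]


def sample_findings(grace_hours: int = 72) -> List[Finding]:
    """Run the reconciliation over the constructed sample with the given grace period."""
    return find_orphaned_access(TERMINATIONS, ACCOUNTS, AS_OF, timedelta(hours=grace_hours))


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.severity:6} {f.username:10} {f.employee_id} {f.detail}")
```

Two design points worth noting. A disabled account is not automatically clean: if its last login falls after the termination date, access was exercised before someone finally turned it off, so it is reported at higher severity than an account that merely remains enabled. And the grace period is a tuning knob for the report, not a control; with `grace_hours=0` every still-enabled leaver account is listed, which is the stricter view of what “immediately” means.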
Outlook
Unless something unforeseen improves the technology environment, this threat is only going to get worse as criminals become more sophisticated. Further, as the “internet of things” becomes more prolific in all types of products, such as autos, appliances, security systems, wearables, etc., the impact of a strategic hack has the potential to be massive. Employee training, system enhancement and protections, and vigilance on everyone’s part will be necessary to avoid being the next Sony.
CONCLUSION & NEXT STEPS
Managing risk is a broad notion that covers myriad activities in any organization, and those directly responsible for managing those risks are numerous. Enterprise risk management is particularly challenging because it can be a nebulous, subjective and qualitative discipline. But it is these risks that can bring down the enterprise and therefore deserve dedicated oversight and review processes. Given the increasingly volatile world in which we are living, gathering ERM leaders together to exchange their knowledge on such risks should prove quite valuable.