The challenges GCs tackle today go beyond the traditional legal advisory realm and go to the core of the resilience and sustainability of a business. In addition to reacting to threats to their organisations, GCs have played a central, proactive role in anticipating emerging and future risks and protecting the organisation against them. In order to help their organisations thrive in today’s evolving risk environment, GCs should focus on the following components as core to their role:
Identifying the risks critical to the business. Risk management is not one-size-fits-all. Every organisation is different, whether in terms of geographical or industry exposure, reputational risk, or regulatory change.
GCs need to institute ‘trip wires’ which can spot when legislative or regulatory changes occur in a jurisdiction that may impact the business. New regulations relating to data privilege, changes in fiscal regime or even civil unrest may impact staff or supply chain in a given country. Understanding and tracking the ‘near misses’ in risk terms helps one spot patterns in the noise. It is a dynamic approach, but requires a meticulously detailed knowledge of business operations. As a result, these risks should be picked up by regional or departmental teams with a deep understanding of regional nuances.
Managing risk appetite with strong infrastructure. Across sectors and regions, there will be different risk approaches as risk appetite will vary from one organisation to another. For example, smaller organisations may, from time to time, see themselves taking higher risks in order to stay competitive. However, there are common threads: The best mitigation strategies tend to be rooted in a solid foundation, and are holistic, dynamic, smart, easily communicated and understood, and involve an approach which accepts that risk is dynamic and multifarious. The formula for such a program will vary from organisation to organisation, but should include the following elements:
- Risk management governance, policies and controls should be both top down and bottom up and clearly understood throughout the organisation.
- Pragmatic and proportionate policies for frequently reviewing risk are crucial. The risk register should be reviewed regularly by the ARC ideally with a traffic light system so that if a risk is elevated, it is reflected in the risk register.
- The size and nature of a market does not equate to the risks, therefore a matrix for each market is important. What may not be a risk in the Asia-Pacific market may be more of an exposure in the North American market, and thus should be addressed as such in the matrix.
- All lines of ‘defence’ (audit committee, legal advisors, regional directors, internal audit, compliance, heads of security, regional hub leadership) must have a clear mandate to ensure that risks (identified in the register or newly emerged risks) are prioritised and communicated through a defined chain to the GC’s office.
Reinforcing culture. Reviewing and checking milestones is important. Each ‘owner’ of a risk, whether audit, commercial director, human resources, regional directors or others need to have within their department a similar visible, well communicated risk management strategy which feeds into the GC’s top level risk management strategy. Culture here is critical: organisations can have the perfect model in place, but it will fail, be subverted or just ignored (whether intentionally or through some kind of cognitive dissonance) if the culture does not support the risk strategy. It can be the subtle, or not so subtle things, which can let an organisation’s risk management strategy down.
The flow of information from the regional hubs, the ‘trip wires’ in place, the responsiveness of the line management and department heads, and clarity of roles and responsibilities (with accountability thrown in), all create a culture of risk resilience. In turn, this enables the business to embrace risk, while also mitigating and managing it.
Long term risk resilience. Companies approach risk differently depending on the sector and region. However, there are critical elements that should travel from program to program: smart infrastructure and software, regular discussion, clarity of policies, and regular meetings of stakeholders. There are a variety of tools that can help GCs guide risk resilience, from heat maps, to defining top ten risks, to categorising risk by geography or function. GCs may also lean on external risk advisors to provide in-depth geopolitical reporting in order to cross-check their internal risk-assessment across regions.
Whether it is legal and regulatory, geopolitics or security, to be resilient, GCs need to have a mitigation strategy – especially when a ‘black swan’ or similar event occurs that requires the GC to enact a mitigation strategy. Resilience requires an organisation to take a strategic position so there are no assumptions about when and where a critical risk will emerge. This is where the GC can lead. Training, scenario testing and ‘war gaming’ can assist in being prepared for an unanticipated event. For instance, if risk to supply chain is a critical item on the risk register, organisations might ensure there are alternative suppliers and routes. The biggest barrier to resilience is apathy, arrogance, complacency and ignorance.
‘Generals always fight the last war’. To avoid the trap of accepting dogma from previous risk events, it is vital for the organisation to horizon-scan and to anticipate and know the ‘unknowns’. Ambiguity and imperfect information requires critical thinking, which requires organisations to have a pragmatic and proportionate risk management process in place. Planning for a variety of risks need to be reviewed and tested, and because risk is dynamic and ever-evolving, so too must a risk resiliency program. To lead in an increasingly complex geopolitical world, organisations must make risk resilience part of their long-term business plan: the General Counsel is critical to the success of this plan.
Sarah Keeling, a Partner with StoneTurn, is a former senior British government official with over 25 years of experience in national security and risk management in the U.K. and overseas. She assists companies, family offices and their counsel on operational, reputational and investment risk matters worldwide.