Today’s ever-changing global threat environment—shaped by factors including geopolitical upheaval, sanctions, cyberthreats and ransomware attacks, pandemics and natural disasters, and artificial intelligence and emerging technologies—demands that businesses take a proactive, predictive, and preventive approach to enterprise risk management.
Here we share the key takeaways from a recent high-level discussion we had with senior executives from leading multinational corporations on smart strategies for managing risk across an entire organization.
Plan by Design So Responses Aren’t “by Default”
Businesses must put more effort toward crises management before they happen. Effective planning requires clear thinking, prioritization, and discipline—specifically, a real understanding of risk exposure, buy-in from senior management, eliminating information silos, having a mechanism in place for elevating critical information, and cultivating a speak-up culture. Most importantly, companies must generate reliable and actionable intelligence before a crisis that will enhance the quality of their decision-making during and after a crisis.
Make “Rehearsed Reflex” a Habit
Once company leaders have identified and understand the full scope of the risks they face, they need to address them with the appropriate teams and subject matter experts. Enterprise-wide training and practice exercises are essential to developing trust, building relationships, and aligning around intended approaches to crisis response. At the same time, businesses must recognize that something might happen that they hadn’t prepared for (exhibit A: COVID) and embrace the value of “rehearsed reflex” so they can respond as a team quickly and effectively to even the unexpected.
Balance a Taste for Innovation with Risk Appetite
Companies are always juggling risk and opportunity. But beyond controlling for the obviously non-negotiable risks like criminal conduct, getting leadership and employees on board with risk avoidance can be easier said than done. They may fear that curbing the corporate “risk appetite” will stifle innovation. A good starting point for defining acceptable risk is encouraging them to think about it in terms of corporate values and priorities.
In fact, a well-structured enterprise risk management framework enables companies to be more agile and innovative. Improving the capability to predict and manage risks through systems and internal controls allows more resources to be focused on achieving business objectives.
Lean on Strategic Partners for Thoughtfully Curated Information
In-house corporate risk managers are constantly challenged to stay abreast of massive volumes of information, synthesize multiple sources and perspectives, and share crucial knowledge with a variety of key stakeholders up and down the chain of command.
Outside advisors familiar with a company’s business objectives and risk appetite can provide thoughtful, timely curation of relevant information and share it via regular briefings, links to relevant sources, and guidance.
Law firms, crisis management organizations, communication firms, and other strategic partners also have the experience and relationships to provide senior leadership with informed perspectives on key questions such as:
- Is a current crisis heating up—and will it flame out?
- Is our company over-indexing or under-indexing a particular risk?
- Are we leading or lagging our peers in risk management?
- What risks are emerging next and where?
Understand Global Trends, Anticipate Local Impact
For multinational companies, enterprise risk increasingly knows no borders. Cybersecurity, a top risk area for most multinational companies, provides a prime example of the need for cross-border preparation and response. The same is true of other risk areas, such as human rights violations and money laundering.
And what’s happening in other countries can be a harbinger of what’s coming next to the United States. Three factors are likely to have a large impact in the near future:
- Most countries are demanding more from companies in terms of disclosure and cooperation and are incentivizing these actions.
- Enforcers worldwide are becoming more sophisticated about scrutinizing compliance programs.
- Coordination between countries on enforcement also continues to grow, despite some hiccups due to geopolitical dynamics.
As a result, it’s valuable for companies to work with outside counsel who have good relationships with regulators in different regions, understand what the regulators are looking for, and can assist in promoting productive dialogue.
Make Sure Your Board Is On Board
Corporate boards typically are steeped in financial expertise, but how well are they equipped to deal with enterprise risk management? Are they familiar with the double materiality challenge? Double materiality encompasses not only the responsibility of managing risk to a particular business but also the growing expectation that businesses manage risks to people and the planet. Providing legal direction and appropriate updates to senior leadership around such evolving expectations plays a key role in effective governance.
