Today’s ever-changing global threat environment—shaped by factors including geopolitical upheaval, sanctions, cyberthreats and ransomware attacks, pandemics and natural disasters, and artificial intelligence and emerging technologies—demands that businesses take a proactive, predictive, and preventive approach to enterprise risk management.
Here we share the key takeaways from a recent high-level discussion we had with senior executives from leading multinational corporations on smart strategies for managing risk across an entire organization.
Businesses must put more effort toward managing crises before they happen. Effective planning requires clear thinking, prioritization, and discipline—specifically, a real understanding of risk exposure, buy-in from senior management, eliminating information silos, having a mechanism in place for elevating critical information, and cultivating a speak-up culture. Most importantly, companies must generate reliable and actionable intelligence before a crisis that will enhance the quality of their decision-making during and after a crisis.
Once company leaders have identified and understand the full scope of the risks they face, they need to address them with the appropriate teams and subject matter experts. Enterprise-wide training and practice exercises are essential to developing trust, building relationships, and aligning around intended approaches to crisis response. At the same time, businesses must recognize that something might happen that they hadn’t prepared for (exhibit A: COVID) and embrace the value of “rehearsed reflex” so they can respond as a team quickly and effectively to even the unexpected.
Companies are always juggling risk and opportunity. But beyond controlling for the obviously non-negotiable risks like criminal conduct, getting leadership and employees on board with risk avoidance can be easier said than done. They may fear that curbing the corporate “risk appetite” will stifle innovation. A good starting point for defining acceptable risk is encouraging them to think about it in terms of corporate values and priorities.
In fact, a well-structured enterprise risk management framework enables companies to be more agile and innovative. Improving the capability to predict and manage risks through systems and internal controls allows more resources to be focused on achieving business objectives.
In-house corporate risk managers are constantly challenged to stay abreast of massive volumes of information, synthesize multiple sources and perspectives, and share crucial knowledge with a variety of key stakeholders up and down the chain of command.
Outside advisors familiar with a company’s business objectives and risk appetite can provide thoughtful, timely curation of relevant information and share it via regular briefings, links to relevant sources, and guidance.
Law firms, crisis management organizations, communication firms, and other strategic partners also have the experience and relationships to provide senior leadership with informed perspectives on key questions such as:
For multinational companies, enterprise risk increasingly knows no borders. Cybersecurity, a top risk area for most multinational companies, provides a prime example of the need for cross-border preparation and response. The same is true of other risk areas, such as human rights violations and money laundering.
And what’s happening in other countries can be a harbinger of what’s coming next to the United States. Three factors are likely to have a large impact in the near future:
As a result, it’s valuable for companies to work with outside counsel who have good relationships with regulators in different regions, understand what the regulators are looking for, and can assist in promoting productive dialogue.
Corporate boards typically are steeped in financial expertise, but how well are they equipped to deal with enterprise risk management? Are they familiar with the double materiality challenge? Double materiality encompasses not only the responsibility of managing risk to a particular business but also the growing expectation that businesses manage risks to people and the planet. Providing legal direction and appropriate updates to senior leadership around such evolving expectations plays a key role in effective governance.
Mayer Brown is a global legal services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown Hong Kong LLP (a Hong Kong limited liability partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) (collectively, the “Mayer Brown Practices”). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong LLC (“PKW”) is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong Pte. Ltd. More information about the individual Mayer Brown Practices and PKW can be found in the Legal Notices section of our website.