by Lawrence Cunningham and Arvin Maskin

From left to right: Lawrence Cunningham and Arvin Maskin. Photos courtesy of the authors.

Enterprise risk management (“ERM”) and corporate governance are two sides of the same coin, being united by the importance of relevant decision-makers acquiring, interpreting and disseminating intelligence about risk and oversight. The goal of ERM is to help corporate managers visualize, interpret, contextualize and prioritize various forms of risk input in a timely and objective manner, and to convert it to insightful and actionable intelligence to enhance the quality, reliability and transparency of corporate decision-making and board oversight (“corporate governance”). This modern-day “distant early warning” system attempts to preempt crisis-level events and mitigate the impact of unexpected or unavoidable occurrences of consequence, while seizing on opportunities to be innovative, competitive, and resilient.

Given the highly dynamic threat environment in which most corporations operate, there is a need to systematically collect, process and disseminate high-quality predictive intelligence from a wide-variety of reliable sources; leveraging “lessons learned” and “pattern recognition” from across multiple disciplines, industries, and geographies, and producing objective and practical analysis that will support strategic and operational decision-making with respect to “high-priority” issues, such as business disruptions, cyber-attacks, critical supply chain issues, criminal conduct or scandals (real or imagined), product failures or recalls, disinformation campaigns, shareholder activism, labor disputes, loss of intellectual property, breach of privacy, serious loss of market share, changes in policies, regulations, and litigation, geopolitical upheaval, including sanctions regimes, natural disasters, pandemics, any threat to reputation, goodwill or brand, and so on.

Effective ERM entails forming specialized multidisciplinary teams, organized around high priority issues and expertise, to help generate a “real-time” ongoing threat assessment and a range of options, consistent with the individual enterprise’s risk appetite, resources, internal structure, culture, and business goals. This process is more than collecting and reporting on raw intelligence, data or trends. It may draw upon a full range of analytical, operational, technical, political, historical, legal, and experiential support from outside or within the organization, or from consultants and subject matter specialists, law firms, strategic business partners, and various stakeholders, including some on the government side. This process is at the core of keeping leadership informed and achieving a level of situational awareness, critical self-reflection, and avoidance of “denialism”.

Board oversight of ERM can assume multiple forms, but one instructive analog takes a page from the President’s Daily Briefing (“PDB”), or perhaps the “Annual Threat Assessment of the U.S. Intelligence Community”, prepared by the Office of the Director of National Intelligence. These are a distillation, analysis, and prioritization of potential global threats to support strategic and operational planning. Both illustrate the type of 360-degree threat assessment “snapshot” called for in support of board oversight in corporate governance – as well as management decision-making. Management benefits from creating such an assessment to strengthen ERM, and experience has shown that boards benefit from the discipline of preparing such ongoing assessments to strengthen oversight. It recognizes the need for timely, objective, actionable intelligence to support the generation of options and making informed choices. It also serves to reinforce the notion that ERM is the responsibility of all employees at every level of the enterprise and should be ingrained in the corporate culture.

Large multinationals have followed this approach for many years though the practice may be particularly beneficial today for many companies of all sizes and geographic reach. The practice dates to the early days of globalization, when one of the world’s first multinational insurance companies began publishing an executive’s daily briefing, akin to that presented to the President of the United States in the PDB. When offering coverage to multinationals for political risks, for instance, the “Business Protection Division” of AIG in 2005 began publishing its “Executive Briefing Book” (“EBB”) — a secure web-based source of country-by-country risk reports and commentary on industry-specific risk. Companies subscribed to the service to understand current and emerging threats and how to manage and mitigate them. Content was customized and synthesized to suit by teams of engineers, facility security specialists, risk managers, and recovery experts.

Many companies have developed internal versions of such risk assessments. Those operating across borders increasingly need to implement security measures and risk management programs designed to address exposures, reduce risk, and help ensure that their business can continue to operate should an adverse event occur. Such reports may be presented weekly or monthly, or more frequently as needed and can include special editions to address “hot topics”. Experienced staff can develop the report by maintaining contacts with different sectors of the business, technical experts, law firms, strategic communications specialists, government officials, key opinion leaders, and various stakeholders. The team can develop ideas to guide international business in the light of unfolding global developments. The team can also respond to questions posed by officers, directors, and managers, and develop topic ideas designed to prompt thoughtful discussion about the “real world” risk landscape and potential risks on the horizon.

While the methods and expertise are distinct, the EBB is akin to, and could be produced in coordination with, existing company staff, which often provide briefings for executives and officers. Companies commonly produce an executive briefing containing critical information, key performance indicators, analysis and recommendations of topics ranging from staffing inventory to acquisitions and capital deployment. The EBB reflects a similar philosophy of gathering, digesting, and synthesizing data to enable a sharp focus on issues, trends, intelligence, risk, and opportunities. It is a tool or process for identifying events, trendlines, movements, and conditions. It helps explain or understand what is driving such activity, as well as its direction and velocity. It assists in assessing the potential near and strategic consequences. And it can help in formulating a range of potential responses to change the direction, contain, or take advantage of such events.

For the EBB, as with other executive briefings, optimal content and approach varies with the company’s specific operating context, geographical mix, technological profile, industry norms, the regulatory and market environment, and other factors. They also vary with the personalities involved, and may lean towards diverse formats, such as data visualization charts and graphs, and in the ratio of summaries to original materials.

At the most basic, this process promotes breaking down information silos and minimizing operational knowledge gaps, optimizing integration, coordination, and prioritization of intelligence, clarifying risks, “trade-offs”, and alternatives and, most of all, maximizing candor and transparency. All of this also recognizes the inevitable scrutiny to which decision-making will be subject by a broad, diverse constituency of stakeholders who expect and demand oversight and management of enterprise risk.

Many risk categories will be common across the board including, for example, political instability, regulatory changes, trade disputes, employee retention, economic sanctions, emerging technologies, such as artificial intelligence, and other events that can affect a company’s operations, supply chains, distribution channels, market access, and so on. To highlight some commonly recurring topics for consideration:

• LOCAL ANALYSIS: An overview of the political and economic landscape of key areas of operation or expansion, highlighting government and regional stability, regulatory practices, trade policies and specific risks and opportunities.
• BROAD TRENDS: Review of recent geopolitical events, such as elections, political unrest, new regulatory trends, trade negotiations, or international conflicts, assessing their potential impact on the company’s operations or industry.
• RISK ASSESSMENT: A framework to identify and evaluate relevant geopolitical risks, gauge the likelihood and potential impact of different threat scenarios and how to develop contingency plans.
• COMPETITIVE ANALYSIS: A look at how geopolitical factors, emerging technologies and innovation, or financial uncertainty, affect rivals in relevant markets, illuminating alternative potential strategic responses.

As technology, the global economy, market conditions, geopolitical events, extreme natural occurrences, emerging technology, among other factors, have become deeply interconnected events which can ricochet rapidly and reverberate widely, EBB’s and the vigorous and disciplined process by which they are generated, are just one of the tools which can help a company’s alertness to underlying tensions, anticipation of disruptions, and advance planning of effective responses.

Lawrence Cunningham is Special Counsel at Mayer Brown LLP and the Henry St. George Tucker III Research Professor of Law Emeritus at the George Washington University Law School. Arvin Maskin is a Partner and Practice Leader, Global Enterprise Risk & Crisis Management at Mayer Brown LLP. 

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity or any statements made on this site and will not be liable any errors, omissions or representations. The copyright or this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).