Besides managing risk, risk managers must also have a knack for good stakeholder management. In fact, in order to provide effective leadership in today’s corporate world, risk managers and those who have a risk management function must understand the significance of good stakeholder management. Considering the high employee and investor turnover rates, it is no wonder that risk managers must take the lead in providing risk management information to various stakeholders, not only from a compliance perspective but from a profit/loss perspective as well.
Who are the various stakeholders that a risk manager must concern himself or herself with? Of course the more sophisticated a company is the more stakeholders there are. Nonetheless, the main stakeholders of any company or organization usually include:

1. Employees
2. Upper Management including the Board
3. Customers
4. Suppliers
5. Regulators
6. Investors
7. Business partners; and
8. Credit Analysts

Each group of stakeholders mentioned above is important to the overall success or survival of a company. They may have a key role in determining the strategy of a company and therefore need to understand relevant risk-related information in order to understand the issues facing the company. Of course, depending on the various laws and regulations facing companies, there may in fact be reporting requirements that should be met. The Board as well as Upper Management has risk management responsibilities when it comes to addressing risk, and in order to provide effective leadership, Management must look at Stakeholder Management as part of good Corporate Governance.

The first step for any risk manager when dealing with stakeholders is to ask the hard questions, such as: (i) Are you prepared to handle risk events relating to your stakeholders? (ii) In a crisis management event, are you ready to address your customers? (iii) In case of litigation, do you have the right information to communicate to your regulators? and (iv) What are the risk management processes to use in case you have major employment-related issues?

Providing effective risk management leadership requires the risk manager to understand who the major stakeholders really are and what risk management reporting processes actually exist or should exist. Once you can answer these questions, you are on your way to providing effective risk management leadership.


One of the main drivers of my success over the years has been the ability to “change”. If you look around you, change is everywhere. In fact, it is the only constant in life. Everything changes whether we like it or not. I’ve been fortunate enough over my 40-year career to change, whether by changing my law practice or by changing my location or even both. In several instances, I even changed countries of residence. All of the change I have gone through has contributed to what success I have achieved.

Change in careers happens if one is willing to grow and experience new avenues of life. I started out as a public defender in Florida and ended up as a general counsel of one of the largest consumer electronics companies in the world. I never expected I would end up as a GC, but I did grasp the willingness to change.

Change not only happens in everyday life but in the workplace as well. Risk managers must always be on the lookout for change. As business changes, so do risks. As regulations change, so do legal threats. As employees change or as a company’s appetite for risk changes, so does the internal management of risk. In essence, risk is not static; it is always evolving and always changing. So the management of risk must change as well.

The concept of risk itself has changed over the years. Twenty five years ago, risk management was not perceived as a vital function in many organizations. Sometimes companies lumped risk management in with Insurance, Service or QA. But as the perception of risk has evolved along with compliance and SOX related laws, rules and regulations, risk is now deemed a major part of a company’s management structure.

Those organizations that perceive the need for an up-to-date, robust risk management function are most likely to weather the storm of litigation, fines, audits and investigations facing most companies today. Crisis management (part of risk management) is now front and center in many large organizations as well. Companies are realizing that public perception is, in many cases, far more important than the facts. How do you manage a crisis? When does a serious event become a crisis? How has crisis management changed over the last few years and why? How has compliance changed? All concepts of risk are subject to change, as are standard processes for identifying and eliminating risk. Metrics used 20 years ago are no longer valid in many cases. Look what happened in 2008.

To handle risk and all of the consequences that it entails in an effective manner requires the willingness to accept change and in many cases to seek change out. Companies must be willing to change their concept of risk. They must be willing to change processes that may have been set in stone years ago. They must be willing to change not only how they perceive risk but how they address risk.

Yes, change is everywhere.


I found myself wandering around Seoul the other day. I stumbled across a backstreet filled with European restaurants, new coffee shops, boutique clothing stores with coffee shops, boutiques with restaurants and even a boutique that would take care of your dog while you shopped. One coffee shop had a French bakery inside and another coffee shop was inside a French bakery. In Seoul? I wouldn’t have known it had I not gotten off the beaten path. In fact I only discovered the remnants of a wall that once belonged to an ancient fortress near my apartment by walking along an old hiking path near Nam Mountain. When you deliberately leave the comforts of your regular haunts you find yourself discovering new places and even old ones you didn’t know still existed. Likewise, unless you go off the beaten path, when reviewing your company’s risk management processes and procedures you might not discover the new and maybe old problems and issues your company faces. In other words, you have to explore.

A legal risk management audit is a way of exploring all of the weaknesses your company has when confronted with outdated policies and processes. You will discover gaps in your processes you never thought existed. Perhaps divisions or departments you thought had no or little legal risk are far more exposed to risk than you once thought. What level of risk does your Board of Directors find acceptable? Has it changed? What are your company guidelines concerning environmental or child labor laws and are the guidelines being followed? What about your vendors and suppliers? Does your company have a code of ethics that the suppliers are supposed to follow? Have you looked at your risk scoring methods lately? Or even questioned employees about their perceptions of risk?

A legal risk audit can not only identify potential areas of risk but can identify specific areas that must be addressed internally and externally. However, to properly perform a risk audit you must not only look at familiar places but investigate unfamiliar ones as well. You must go off the beaten path. How?

An audit must not only target the major divisions but should also encompass those departments that are not deemed essential to the company. Maybe looking at the processes of a cost center instead of a profit center will result in discoveries you never thought possible. Sometimes you need an unbiased third party to conduct internal interviews for you even though you always conducted an internal investigation yourself. Maybe an outside third party can provide you with risk metrics or data that you never thought existed. A third party may be able to conduct an internal investigation for you that you feel too uncomfortable to perform. Maybe a third party audit of your HR or service operations should be considered. Going off the beaten path may entail not only looking at different departments but using an outside risk management consultant to look at things differently. To go off the beaten path may entail using an outside consultant to ask different questions while using different risk management tools to identify and quantify risks not so visible from the inside.

There are many third party consultants to use when conducting risk assessments or audits. One such company in Asia is Erudite Risk. Erudite Risk provides services ranging from due diligence, IP protection and business continuity to competitive intelligence. You may find out more about Erudite Risk at its website, Eruditerisk.com.

Regardless of your decision on whether to use an outside risk consultant, get off the beaten path. It might surprise you.

Of all the risks facing companies in today’s business world, reputational risk is one of the most serious. Reputational risk can not only damage a company’s brand, but can even lead to the demise of the company. It is of primary importance to executives, in-house counsel and risk managers in many multinational companies and is seen as one of the top risks a company may face. In fact, in Aon’s recent Global Risk Management Survey, it is one of the top ten risks that are of concern to companies. Deloitte surveyed companies as well and found out that the majority of companies it surveyed rated reputational risk as more important than strategic risk. Many of those surveyed acknowledged they had suffered a brand risk or reputational risk event that resulted in a loss of brand value or a loss of earnings.
Damages caused by reputational or brand risk events are not tied to just domestic related issues. Approximately half of the executives that Kroll polled for its recent Global Fraud Report opined that their companies are at risk of vendor, supplier, or procurement fraud tied to overseas expansion. Many of those surveyed felt their companies were highly or moderately vulnerable to corruption and bribery risks which can of course lead to reputational risk or loss of brand as well as FCPA investigations and fines. According to the respondents in the Kroll Global Fraud Report, ethics and integrity (or lack thereof) was the major cause of reputational risk.
The reputational risk caused by supply chain issues can escalate out of control unless properly managed. Loss of brand value can happen quickly if a fraudulent event becomes public or if a bribery scandal is publicized in the media. Just look at some of the crises that happened over the last decade. Many people have been affected (some have died) because of the crises or mega-crises that have happened. Many of them included reputational risks as well. Examples include:

The financial and housing collapse and major recession of 2008

Toyota implicated in recalls because of brake issues

Major Banks having their credit card customers’ names stolen by computer hackers

Volkswagen was implicated in a pollution emissions scandal

Target’s customers had personal data stolen due to lax security systems. Over 40 million credit and debit card customers affected

Sony Pictures- Sony as well as its employees had confidential information stolen

As you can see from the examples above, there are numerous kinds of crises that a company should be prepared to handle, especially in an international context. Among them are financial crises, natural disasters, product failures, workplace violence, cyber-attack or hacking, and, of course, terrorism. However, most if not all have resulted in serious reputational crises.

It is undisputable that a major crisis can pose serious threats to a company, and, therefore, the crisis must be managed. Crises can result in (a) government fines, (b) loss of retailer confidence, (c) loss of investor confidence, (d) loss of employee confidence, and (e) massive litigation, including class actions. In other words, the end of the company! Crises also result in reputational risks or damage to the company’s brand which may have a greater effect on the company’s bottom line than the damage caused by the original crisis itself.

The problem facing any risk manager or in-house counsel is that the media in today’s society has become very anti-business. As this anti-business culture of attack has gotten worse over the last twenty years, a crisis can no longer be handled by a simple PR or marketing statement. A full-fledged crisis management operation must be put in place. Damage control is now a very serious matter for any potential crisis, no matter how small. Today, more and more companies have to consider issues that negatively affect the company’s brand and how best to counteract them.

Key considerations when considering potential brand or reputational risk caused by ethical or fraudulent behavior within the company or within the company’s supply chain:

-Compliance- does the Company have a compliance program and is it up to date?
-Compliance- does the Compliance program and code of conduct promote an ethical culture within the company?
-Supply Chain- have the Company’s vendors involved in the supply chain been vetted? Do they follow the Company’s code of conduct? Do they have compliance programs?
-Are there sound corporate governance and control processes in place?

Major considerations for handling brand risk once a crisis has started include:

-Is there a Crisis Management Plan in place to handle brand risk once a crisis starts?
-Does the Company have an effective internal investigation process in place that may shorten the time taken to discover internal risks and mitigate reputational harm?
-Have the appropriate decision makers been trained to handle PR and media issues once a crisis has occurred?
-Does the Company have appropriate 3rd party consultants, including risk management companies and media crisis companies in place to help mitigate reputational/brand risk once a crisis event takes place?
-Does the Company have an appropriate international Crisis Management Plan in place in case the crisis is international in scope?

Companies must realize that there are many risks associated with doing business internationally as well as domestically. Brand or reputational risk is very serious and can lead to the loss of money or even the destruction of a company unless the right steps to mitigate or prevent brand risk are in place. So when considering what risks should be addressed on a regular basis, remember reputational risk should be of primary importance.

When I managed the law department of a company, having data in the form of KPIs (key performance indicators) helped me manage the department. It also showed the risks my department and therefore the company was facing. It was in a sense a snapshot of the legal costs and expenses. The KPIs showed legal expenses incurred on a regular basis as well as litigation matters, cycle time for resolution of matters and of course outside legal spend. When summed up, the total legal spend of the company and therefore the approx. legal risk exposure can be ascertained. I had the KPIs displayed on my computer dashboard, which allowed me to see all of the legal spend and associated costs, time, external legal spend, etc. on a regular basis, as the appropriate data had to be inputted into the dashboard.

KPIs are an essential part of managing a law department. For a risk manager, KPIs used as metrics also play an important function if used properly and, of course, if the associated data is properly inputted. Using KPIs, you can determine the number of legal-related matters your department, division or company is facing on a regular basis. You can determine the number of compliance-related reports that are generated in a given time period, and you can estimate the money saved using loss control or the money spent on insurance-related matters. If your KPIs are properly set up with accurate data, you can determine the legal risks you are facing or may face, and you can determine the cost of or exposure to associated risks that your company faces. Combine your KPIs with a Legal Risk Matrix and you can not only see the potential risks, but you can score and/or categorize them. Create a heat map as well. This will show Management the legal risks and severity of those risks that the company faces.

So I counsel and advise all corporations as well as in-house counsel and risk managers to establish a set of KPIs that can (if embedded with the right data) measure your risk, legal spend, compliance issues, etc. on a regular basis as a tool or process to help manage your risk. For a law department, such KPIs can include:

-law department’s total expense
-law department’s expense as a percentage of revenue
-expense of staffing for litigation matters
-number of litigation matters
-cycle time to resolve litigation matters
-total external spend on litigation matters
-number of compliance related matters
-number of insurance claims
-cycle time to resolve HR related matters
-number of active non-litigation matters

These are but a few KPIs or metrics I would use to get a handle on law department expenses and compliance related exposure and risk. Obviously you can break down outside legal spend more using other metrics. Remember, KPIs if used correctly can help give you a snapshot into the legal risks and associated expenses you may face on a regular basis and therefore help you to manage them.

Recently, President Trump met with Kim Jong Un of North Korea for an impromptu talk. Expectations are high for a resolution to the nuclear dilemma, especially in South Korea. What the meeting of course amplifies, is the geopolitical risk facing those companies and organizations doing business in South Korea. No one knows whether or not the meeting between President Trump and Kim Jong Un was a success. No one knows if it will lead to nuclear disarmament. In fact, what happens next is anyone's guess.

For companies doing business in South Korea, the threat of war is always a risk they face. Seoul is not far from the DMZ and any altercation between North and South Korea would have an immediate impact upon Seoul and its surrounding cities. Companies doing business in South Korea not only have many risks to think about such as operational risk, market risk, legal risk and financial risk, but geo-political risk as well. Therefore, a company contemplating a business project in Korea must at least on a tactical level consider the implications of geopolitical risk as well as everyday market risks.

Considering recent geo-political events, many companies should review old risk management policies and procedures, in case updates are needed. Of course, some risk management processes that should be reviewed are not being considered as they are viewed as too expensive or impractical. Such is the case with political risk insurance.

Companies face many kinds of risks when engaged in offshore projects; of course geo-political risk is one of them. This comes about when a government changes its policy, ideology or even itself, which creates instability, disorder, war, strikes, riots, etc. What must be done to manage such a risk? Political risk insurance comes to mind, but some forms of political risk insurance that are offered by capital-exporting nations (such as OPIC, etc.) are subject to politically motivated conditions or motivations that may not take the needs of the investor into account. Case in point: OPIC can only operate in countries which have a bilateral investment treaty with the US. If you are a US investor trying to invest in a country which lacks a bilateral investment treaty with the US, you are out of luck when trying to obtain political risk insurance from OPIC. This is true of other countries which supply similar political risk insurance through export development programs. For more on political risk see my previous blog: “Managing Political Risk” at Seoullegalriskmgmt.com.
