Besides managing risk, risk managers must also have a knack for good stakeholder management. In fact, in order to provide effective leadership in today’s corporate world, risk managers and those who have a risk management function must understand the significance of good stakeholder management. Considering the high employee and investor turnover rates, it is no wonder that risk managers must take the lead in providing risk management information to various stakeholders, not only from a compliance perspective but from a profit/loss perspective as well.

Who are the various stakeholders that a risk manager must concern himself or herself with? Of course, the more sophisticated a company is, the more stakeholders there are. Nonetheless, the main stakeholders of any company or organization usually include:

1. Employees
2. Upper Management including the Board
3. Customers
4. Suppliers
5. Regulators
6. Investors
7. Business partners; and
8. Credit Analysts

Each group of stakeholders mentioned above is important to the overall success or survival of a company. They may have a key role in determining the strategy of a company and therefore need relevant risk-related information in order to understand the issues facing the company. Of course, depending on the various laws and regulations facing companies, there may in fact be reporting requirements that should be met. The Board as well as Upper Management has risk management responsibilities when it comes to addressing risk, and in order to provide effective leadership, Management must look at Stakeholder Management as part of good Corporate Governance.

The first step for any risk manager when dealing with stakeholders is to ask the hard questions, such as: (i) Are you prepared to handle risk events relating to your stakeholders? (ii) In a crisis management event, are you ready to address your customers? (iii) In case of litigation, do you have the right information to communicate to your regulators? and (iv) What risk management processes should you use in case you have major employment-related issues?

Providing effective risk management leadership requires the risk manager to understand who the major stakeholders really are and what risk management reporting processes actually exist or should exist. Once you can answer these questions, you are on your way to providing effective risk management leadership.


The US-China trade dispute as well as the Japan-Korea dispute have to a certain extent caught many companies as well as investors off guard. Considering these political and economic events, many companies should consider reviewing old risk management policies and procedures, if they haven’t already. Geo-political risks are now front and center, whether companies are prepared for such risks or not.

Companies face many kinds of risks when engaged in offshore projects, but geo-political risks can be the most serious if not handled properly. Such risks come about when a government changes its policy, ideology or even itself, which creates instability, disorder, strikes, riots, war, embargoes, etc. What must be done to manage such risks? Political risk insurance comes to mind, but some forms of political risk insurance offered by capital-exporting nations (such as OPIC, etc.) are subject to politically motivated conditions that may not take the needs of the investor into account. Case in point: OPIC can only operate in countries which have a bilateral investment treaty with the US. If you are a US investor trying to invest in a country which lacks a bilateral investment treaty with the US, you are out of luck when trying to obtain political risk insurance from OPIC. This is true of other countries which supply similar political risk insurance through export development programs.

The answer for some companies, therefore, is to consider obtaining private political risk insurance. Due to the increased use by some companies of political risk insurance from government agencies as well as a lessening of perceived political risk, private political risk insurance offerings have exploded. Several markets provide private political risk insurance, including Lloyd’s of London insurance syndicates as well as groups operating under a reinsurance treaty that are controlled by an underwriter. There are advantages to this.

As private political risk insurers have no political agenda to worry about, there are normally no political pre-requisites for the issuance of insurance. The host country doesn’t need to be poor and the investor can come from any part of the world. Also, the private insurance approval process can be much faster than the approval process of governmental agencies. Of course, it should be noted that, unlike governmental agencies, private political risk insurers are in business, and therefore the coverage they offer can be more expensive than that of their government counterparts.

All in all, political risk insurance should be considered when investing abroad, especially in markets that are uncertain. There are always ways to manage risk, and political risk insurance is just another form of risk management. It should be carefully considered, especially in today’s rapidly changing world.


One of the main drivers of my success over the years has been the ability to “change”. If you look around you, change is everywhere. In fact, it is the only constant in life. Everything changes whether we like it or not. I’ve been fortunate enough over my 40-year career to change, whether by changing my law practice or by changing my location or even both. In several instances, I even changed countries of residence. All of the change I have gone through has contributed to what success I have achieved.

Change in careers happens if one is willing to grow and experience new avenues of life. I started out as a public defender in Florida and ended up as a general counsel of one of the largest consumer electronics companies in the world. I never expected I would end up as a GC, but I did grasp the willingness to change.

Change not only happens in everyday life but in the workplace as well. Risk managers must always be on the lookout for change. As business changes, so do risks. As regulations change, so do legal threats. As employees change or as a company’s appetite for risk changes, so does the internal management of risk. In essence, risk is not static; it is always evolving and always changing. So the management of risk must change as well.

The concept of risk itself has changed over the years. Twenty-five years ago, risk management was not perceived as a vital function in many organizations. Sometimes companies lumped risk management in with Insurance, Service or QA. But as the perception of risk has evolved along with compliance and SOX-related laws, rules and regulations, risk is now deemed a major part of a company’s management structure.

Those organizations that perceive the need for an up-to-date, robust risk management function are most likely to weather the storm of litigation, fines, audits and investigations facing most companies today. Crisis management (part of risk management) is now front and center in many large organizations as well. Companies are realizing that public perception is, in many cases, far more important than the facts. How do you manage a crisis? When does a serious event become a crisis? How has crisis management changed over the last few years and why? How has compliance changed? All concepts of risk are subject to change, as are standard processes for identifying and eliminating risk. Metrics used 20 years ago are no longer valid in many cases. Look what happened in 2008.

To handle risk and all of the consequences that it entails in an effective manner requires the willingness to accept change and in many cases to seek change out. Companies must be willing to change their concept of risk. They must be willing to change processes that may have been set in stone years ago. They must be willing to change not only how they perceive risk but how they address risk.

Yes, change is everywhere.


I found myself wandering around Seoul the other day. I stumbled across a backstreet filled with European restaurants, new coffee shops, boutique clothing stores with coffee shops, boutiques with restaurants and even a boutique that would take care of your dog while you shopped. One coffee shop had a French bakery inside and another coffee shop was inside a French bakery. In Seoul? I wouldn’t have known it had I not gotten off the beaten path. In fact I only discovered the remnants of a wall that once belonged to an ancient fortress near my apartment by walking along an old hiking path near Nam Mountain. When you deliberately leave the comforts of your regular haunts you find yourself discovering new places and even old ones you didn’t know still existed. Likewise, unless you go off the beaten path, when reviewing your company’s risk management processes and procedures you might not discover the new and maybe old problems and issues your company faces. In other words, you have to explore.

A legal risk management audit is a way of exploring all of the weaknesses your company has when confronted with outdated policies and processes. You will discover gaps in your processes you never thought existed. Perhaps divisions or departments you thought had no or little legal risk are far more exposed to risk than you once thought. What level of risk does your Board of Directors find acceptable? Has it changed? What are your company guidelines concerning environmental or child labor laws and are the guidelines being followed? What about your vendors and suppliers? Does your company have a code of ethics that the suppliers are supposed to follow? Have you looked at your risk scoring methods lately? Or even questioned employees about their perceptions of risk?

A legal risk audit can not only identify potential areas of risk but can identify specific areas that must be addressed internally and externally. However, to properly perform a risk audit you must not only look at familiar places but investigate unfamiliar ones as well. You must go off the beaten path. How?

An audit must not only target the major divisions but should also encompass those departments that are not deemed essential to the company. Maybe looking at the processes of a cost center instead of a profit center will result in discoveries you never thought possible. Sometimes you need an unbiased third party to conduct internal interviews for you, even though you have always conducted internal investigations yourself. Maybe an outside third party can provide you with risk metrics or data that you never thought existed. A third party may be able to conduct an internal investigation for you that you feel too uncomfortable to perform. Maybe a third-party audit of your HR or service operations should be considered. Going off the beaten path may entail not only looking at different departments but also using an outside risk management consultant to look at things differently: asking different questions and using different risk management tools to identify and quantify risks not so visible from the inside.

There are many third-party consultants to use when conducting risk assessments or audits. One such company in Asia is Erudite Risk. Erudite Risk provides services including due diligence, IP protection, business continuity and competitive intelligence. You may find out more about Erudite Risk at its website, Eruditerisk.com.

Regardless of your decision on whether to use an outside risk consultant, get off the beaten path. It might surprise you.

If a company is involved with litigation in the United States, it has a duty to locate all information, data, and documents, including electronically stored information (ESI), that are relevant to the case. This can be quite onerous, as it requires:

• Familiarity with document retention policies
• Involvement with IT personnel
• Communication to “key players” of the litigation hold
• Location and retrieval of all relevant information wherever that information might be

The legal risks facing a company that fails to handle the above requirements in an economical/efficient manner can be tremendous. Companies have been sanctioned millions of dollars for failing to abide by ESI requirements or, even worse, have lost the respective lawsuits, costing even more. What can a company do to mitigate the legal risks surrounding document management to comply with US legal requirements?

1. Plan of Action

A company must take steps to develop an adequate data and document management plan. It is not too surprising that even the IT Department itself may not have an adequate understanding of where all of the electronically stored documents are, considering the plethora of handheld devices that may store documents and other electronic information. Therefore, a company’s management and IT folks need to sit down and map out where all of the documents are located, if possible. A document management plan should take the following steps into consideration:

• Assess the company’s current use of technology documents.
• Locate all in the company’s possession.
• Use technology to leverage legal requirements.
• Retain experts or outside consultants to above or to help implement systems/processes.
• Implement policies and procedures addressing all legal risks posed by ESI.

2. Risk Assessment of ESI

To implement an appropriate plan of action, a company must conduct a risk assessment of its processes and capabilities by:

• Seeking proposals of vendors (outside experts)
• A top-to-bottom analysis
• ESI and paper documents
• Hardware and software
• Management of data
• Retention of data
• Litigation holds
• Disaster preparedness

3. ESI Implementation

The legal risks facing companies in today’s legal and regulatory climate, especially in the United States, are enormous. Failure to implement a data and document management program that addresses not only a company’s business concerns but its legal obligations as well can be disastrous. The development and implementation of a legal risk management (LRM) program addressing these concerns is not a luxury but a necessity. It is highly recommended that a company implement a data and documentation management program that addresses ESI and all of its issues.

Of all the risks facing companies in today’s business world, reputational risk is one of the most serious. Reputational risk can not only damage a company’s brand, but can even lead to the demise of the company. It is of primary importance to executives, in-house counsel and risk managers in many multinational companies and is seen as one of the top risks a company may face. In fact, in Aon’s recent Global Risk Management Survey, it is one of the top ten risks that are of concern to companies. Deloitte surveyed companies as well and found that the majority of companies it surveyed rated reputational risk as more important than strategic risk. Many of those surveyed acknowledged they had suffered a brand risk or reputational risk event that resulted in a loss of brand value or a loss of earnings.

Damages caused by reputational or brand risk events are not tied to just domestic issues. Approximately half of the executives that Kroll polled for its recent Global Fraud Report opined that their companies are at risk of vendor, supplier, or procurement fraud tied to overseas expansion. Many of those surveyed felt their companies were highly or moderately vulnerable to corruption and bribery risks, which can of course lead to reputational risk or loss of brand as well as FCPA investigations and fines. According to the respondents in the Kroll Global Fraud Report, ethics and integrity (or lack thereof) was the major cause of reputational risk.

The reputational risk caused by supply chain issues can escalate out of control unless properly managed. Loss of brand value can happen quickly if a fraudulent event becomes public or if a bribery scandal is publicized in the media. Just look at some of the crises that happened over the last decade. Many people have been affected (some have died) because of the crises or mega-crises that have happened. Many of them included reputational risks as well. Examples include:

The financial and housing collapse and major recession of 2008

Toyota implicated in recalls because of brake issues

Major Banks having their credit card customers’ names stolen by computer hackers

Volkswagen was implicated in a pollution emissions scandal

Target’s customers had personal data stolen due to lax security systems. Over 40 million credit and debit card customers were affected

Sony Pictures: Sony as well as its employees had confidential information stolen

As you can see from the examples above, there are numerous kinds of crises that a company should be prepared to handle, especially in an international context. Among them are financial crises, natural disasters, product failures, workplace violence, cyber-attack or hacking, and, of course, terrorism. However, most if not all have resulted in a serious reputational crisis.

It is indisputable that a major crisis can pose serious threats to a company, and, therefore, the crisis must be managed. Crises can result in (a) government fines, (b) loss of retailer confidence, (c) loss of investor confidence, (d) loss of employee confidence, and (e) massive litigation, including class actions. In other words, the end of the company! Crises also result in reputational risks or damage to the company’s brand, which may have a greater effect on the company’s bottom line than the damage caused by the original crisis itself.

The problem facing any risk manager or in-house counsel is that the media in today’s society has become very anti-business. As this anti-business culture of attack has gotten worse over the last twenty years, a crisis can no longer be handled by a simple PR or marketing statement. A full-fledged crisis management operation must be put in place. Damage control is now a very serious matter for any potential crisis, no matter how small. Today, more and more companies have to consider issues that negatively affect the company’s brand and how best to counteract them.

Key considerations when considering potential brand or reputational risk caused by ethical or fraudulent behavior within the company or within the company’s supply chain:

- Compliance: does the Company have a compliance program and is it up to date?
- Compliance: does the Compliance program and code of conduct promote an ethical culture within the company?
- Supply Chain: have the Company’s vendors involved in the supply chain been vetted? Do they follow the Company’s code of conduct? Do they have compliance programs?
- Are there sound corporate governance and control processes in place?

Major considerations for handling brand risk once a crisis has started include:

- Is there a Crisis Management Plan in place to handle brand risk once a crisis starts?
- Does the Company have an effective internal investigation process in place that may shorten the time taken to discover internal risks and mitigate reputational harm?
- Have the appropriate decision makers been trained to handle PR and media issues once a crisis has occurred?
- Does the Company have appropriate third-party consultants, including risk management companies and media crisis companies, in place to help mitigate reputational/brand risk once a crisis event takes place?
- Does the Company have an appropriate international Crisis Management Plan in place in case the crisis is international in scope?

Companies must realize that there are many risks associated with doing business internationally as well as domestically. Brand or reputational risk is very serious and can lead to the loss of money or even the destruction of a company unless the right steps to mitigate or prevent brand risk are in place. So when considering what risks should be addressed on a regular basis, remember reputational risk should be of primary importance.
