Risky Business
Mitigating exposure through comprehensive risk management

Remark Research from the Financial Times Group

Contents
Introduction
Methodology
Key findings
Section 01 Exposure to risk
Section 02 Managing risk on a global scale
Section 03 Risk mitigation is a group effort
Section 04 The future of risk management

Introduction

Sophisticated enterprises encounter an ever-increasing and constantly changing spectrum of risks as they expand their lines of business, enter new geographic markets, and grow by acquisitions. Failing to comply with anti-corruption, anti-money laundering, cybersecurity, data privacy, and several other pertinent laws and regulations can often lead to both financial and reputational loss.

As a result, comprehensive risk management has never been so important, particularly in large organizations, where complex reporting structures, global jurisdictions, and shareholder bases demand accountability. With the right risk management framework in place, including the proper technologies, models, workflows and processes, together with quantitative and qualitative analyses, comprehensive risk mitigation is attainable.

Which legal, regulatory and operational risks are most critical? How are organizations seeking to mitigate risks? How are organizations evaluating exposure in target geographies? And how are professionals coordinating risk management across their global enterprise?

Ropes & Gray, together with FT Remark, conducted a survey of 300 senior-level executives at corporations across many industries, including banking, asset management, private equity, life sciences, healthcare and technology. The results reveal varying degrees of legal and regulatory readiness across individual organizations, industries and jurisdictions, as well as marked inconsistencies in approach.
But all risk management leaders agree: they must act quickly to identify and remedy weaknesses, collaborate more closely with colleagues and global peers, and remain vigilant as new threats arise.

BEST PRACTICES AND NEXT STEPS

In practice, risk management is a maturing discipline, with conflicting views about the best way to proceed. According to our survey, organizations are conscious of the need to manage risk throughout their global operations, including far-flung markets and disparate sectors, but sometimes struggle with the balance between centralized and localized risk management practices. In some organizations, dedicated risk management professionals have now taken control of risk across the enterprise, while others prefer to assign risk mitigation to managers throughout their operations.

There is no one-size-fits-all approach to risk management. Different organizations and industries have different motivations for managing risk in the ways that they do. But as all risk managers will attest, there are always challenges and complexities, and our research identifies several areas where large numbers of organizations believe they have more work to do.

The survey also makes it clear that risk management work is never complete. Businesses must reassess and re-examine their practices on an ongoing basis to ensure their tactics remain effective and that they are aware of the latest and greatest threats.

In order to identify, monitor, and mitigate or eliminate risks across an organization, risk management professionals should undergo a holistic legal and regulatory assessment of threats facing their company, including issues in connection to anti-corruption, antitrust, corporate governance, intellectual property, privacy and cybersecurity, regulatory compliance, sanctions, supply chain and corporate social responsibility, and tax.
This thorough evaluation will not only uncover key trouble spots, but facilitate conversations that enable management to improve compliance, open communication channels and implement procedures that effectively reduce risk.

Methodology

In the second quarter of 2017, FT Remark, on behalf of global law firm Ropes & Gray, surveyed 300 senior-level executives across many industries, including banking, asset management, private equity, life sciences, healthcare and technology. The survey included a combination of qualitative and quantitative questions, and all interviews were conducted over the telephone by appointment. The results were then analyzed and collated by FT Remark. All responses are anonymized and presented in aggregate.

FIGURE 1: WHERE RESPONDENTS CAME FROM

| | North America | EMEA | Asia Pacific | Latin America | Total |
|---|---|---|---|---|---|
| Banking | 16 | 17 | 12 | 5 | 50 |
| Private Equity | 17 | 16 | 12 | 5 | 50 |
| Asset Management | 16 | 18 | 11 | 5 | 50 |
| Life Sciences & Healthcare | 17 | 17 | 11 | 5 | 50 |
| Technology | 17 | 16 | 12 | 5 | 50 |
| Other | 17 | 16 | 12 | 5 | 50 |
| Total | 100 | 100 | 70 | 30 | 300 |

FIGURE 2: IN WHICH COUNTRIES DO YOU CURRENTLY HAVE SIGNIFICANT OPERATIONS (SALES AND/OR SUPPLY CHAIN)?

Countries: United States, United Kingdom, China, Germany, Canada, France, India, Brazil, Japan, Australia, Mexico, Italy, South Korea, South Africa, Indonesia, Russia, Turkey, Saudi Arabia, Egypt, Nigeria, Argentina
Percentages: 67%, 56%, 46%, 35%, 34%, 32%, 32%, 31%, 31%, 28%, 27%, 25%, 23%, 17%, 15%, 14%, 12%, 11%, 6%, 4%, 4%

Key findings

Risk exposure: state of play

57% of respondents cite “regulation and compliance” as one of the top two types of risk they feel least prepared to address
78% say they intend to devote the most risk management resources to deal with regulation and compliance risks
43% consider corporate social responsibility/supply chain management to be the types of risks they are best prepared to manage
29% say they are unprepared to deal with anti-money laundering risks

The big picture

Nigeria, Russia and China are seen as the riskiest developing markets
28% of respondents say China is the market they regard as most risky to their business overall
13% say the UK is the riskiest market for their business – second highest on the list – reflecting political and economic uncertainties stemming from Brexit

Who looks after risk?
The future of risk management

believe that greater collaboration between their risk managers would improve the overall risk profile of their organization
of respondents say their risk management and assessment training is innovative
say risk is largely managed centrally within their organization
are not confident their current risk management policies and practices will be enough to meet their future needs
of respondents say their chief risk officer (CRO) is primarily responsible for risk identification
say a proportion of risk is managed by each business unit
feel their current risk management policies and practices meet all of their present needs

48% 69% 60% 87% 82% 52% 43%

Section 01 Exposure to risk

Businesses have never felt under more scrutiny from regulators, local, national and supra-national authorities, and a broad range of other stakeholders. They are being asked to address risks without disrupting their competitive edge. And many are not prepared to fully live up to that challenge.
57% of respondents cite “regulation and compliance” as one of the top two types of risk they feel least prepared to address
78% say they intend to devote the most risk management resources to deal with regulation and compliance risks
43% consider corporate social responsibility/supply chain management to be the types of risks they are best prepared to manage
29% say they are unprepared to deal with anti-money laundering risks

Sanctions and export controls, tax, intellectual property and money laundering regulations – all of these risk factors are a worry for respondents in our survey. Relative newcomers like data privacy and cybersecurity are also seen as important but sit a bit further down the list. Regulation and compliance, however, top the list as the risk factor of greatest concern for respondents in our survey (Figure 3).

The chief risk officer of one European financial services firm puts it bluntly: “If we are not compliant, the risks and penalties are very high. To avoid problems with regulators, we must be absolutely sure all our assets and investments are compliant.”

Mimi Yang, a Ropes & Gray partner who is based in Hong Kong and focuses on private securities litigation, US DOJ and SEC enforcement matters, and internal investigations, believes that compliance is increasingly a priority for international businesses. “Global attention on compliance and regulation is increasing, with a number of regulatory regimes that are more prominent or in different jurisdictions, or being enforced more consistently, or more extensively than ever before,” she says. “The stakes are higher, with more global coordination than in the past, and the resolution figures are going up.
There is a great deal of worry about how to avoid commercial damage and reputational harm.”

Regulatory compliance is the stand-out area of concern in this survey, especially since it is the area where respondents are least likely to feel well-prepared. More than half (57%) of respondents picked it out as one of the two areas where they currently feel the least well-prepared for the challenges they face (Figure 4, page 10). That was almost twice as many as the next most commonly cited area – anti-money laundering (29%) – while the third area of concern, cybersecurity, saw 22% of respondents say they were concerned about their preparedness.

“Having oversight and control over a large operation is always a challenge. But that problem is intensified where exposure can arise regardless of seniority. A junior employee in a far-flung location can create regulatory and compliance concerns that are difficult to control for,” says Ropes & Gray partner Ruchit Patel, an antitrust partner in the firm’s London office.

Indeed, a more granular analysis of the data reveals that regulatory compliance is the area where respondents feel least well-prepared whatever their sector background. By contrast, the second most commonly cited factor varied by industry. Asset managers and private equity firms were more likely to feel unprepared for money laundering risks. Banks and technology firms picked out cybersecurity as their second area of unpreparedness; and life science firms pointed to intellectual property.

Location may also play a part. For example, intellectual property issues are of particular concern in China. As the CFO of one private equity firm in Beijing points out, “We are prepared for risks but I feel we can be left helpless when it comes to intellectual property theft, which has been on the rise.
Not that we lack the ability to react to such a risk in time or that we fall short of resources to safeguard our business, but there are many complications involved and this risk can catch us by surprise. As a consequence, we could face negative publicity and that could lower our market value.”

Elsewhere, however, many organizations feel more prepared for the risks their businesses now face. For example, almost half (43%) of respondents picked out corporate social responsibility and supply chain management as an area where they are much better prepared for risk management. More than a third (34%) cited enforcement and investigations. And almost as many (31%) are confident about their preparedness for competition and antitrust risk.

“Our firm is well-prepared to handle anti-corruption risks as we have protocols that assure we are being ethical in our approach, which stops regulators from questioning our honesty as asset managers,” says the chief risk officer of one New York-based asset management firm.

FIGURE 3: AS BEST YOU CAN, PLEASE RATE THE FOLLOWING TYPES OF RISK IN TERMS OF THEIR IMPORTANCE TO YOUR OVERALL BUSINESS (RATE FROM 1-10 WHERE 1 = VERY LOW IMPORTANCE AND 10 = VERY HIGH IMPORTANCE)

| Type of risk | Importance (1-10) |
|---|---|
| Regulation/compliance | 8.7 |
| Sanctions/export controls | 8.4 |
| Tax | 8.4 |
| Intellectual property | 8.2 |
| Anti-money laundering | 8.2 |
| Enforcement/investigations | 8.1 |
| Data privacy | 8.0 |
| Competition/antitrust | 8.0 |
| Cybersecurity | 7.9 |
| Anti-corruption/bribery | 7.9 |
| Corporate governance/shareholder activism | 7.8 |
| Corporate social responsibility/supply chain management | 7.7 |

This is not to say, however, that there are no problems in these areas.
The managing director of a US private equity firm points out: “Recent changes in antitrust regulations will affect the way we invest our capital, and these regulations have already created delays and problems.” Similarly, the chief technology officer of a European technology company says: “We have had to invest significantly in supply chain risk management because regulation has increased costs for the company.”

Having identified regulation and compliance as a priority area for risk management, respondents are now allocating substantial – and increasing – resources to this area. More than three-quarters (78%) cite regulation and compliance as the area to which they devote the most risk management resources – and more than half (55%) pick it out as a priority for increased resources over the next 12 months (Figure 5). Tax is the other stand-out risk factor as a consumer of substantial resources, with more than a third (38%) of respondents picking it out – almost as many (36%) expect to allocate more resources to this area in the year ahead.

However, other priorities are rising to the fore. Cybersecurity, where only 6% of respondents say they currently allocate the most resources, is picked out by 39% as an area for increased spending over the next year; banks and technology firms, which were most likely to cite cybersecurity as a risk for which they feel unprepared, are also the most likely to be planning resourcing increases.

“Cybersecurity is a major challenge for us,” says the CFO of a Saudi Arabian bank. “Fraud is growing due to a lack of cybersecurity and the government is not coming out with any regulations to reduce the impact of the problem. The current issues surrounding privacy and cybersecurity will go on shaping the way businesses grow and will leave them vulnerable to hackers and other troublesome elements.”

Naturally, industry-specific factors will also be important. For example, in the asset management sector, Ropes & Gray partner Jim Dowden, co-coordinator of the firm’s global anti-corruption & international risk practice, says firms are now facing a new reality. “This is an industry that has enjoyed pretty low levels of regulation over the past 30 years, which has allowed it to seek investment opportunities with great flexibility, but that is changing,” he says. “Regulators are now looking at asset managers very closely, and that is prompting them to really ramp up their compliance infrastructures.”

Ropes & Gray’s Ruchit Patel points out that in the fast-moving technology sector, antitrust has often been used as a strategic weapon to further commercial objectives: “Competition law has been used strategically by slower moving rivals to decelerate the progress of fast-moving innovators. It’s not always clear that these cases result in enhanced consumer welfare.”

FIGURE 4: FOR WHICH OF THESE TYPES OF RISK DO YOU FEEL YOUR FIRM IS BEST AND LEAST PREPARED? (SELECT TOP TWO)

| Type of risk | Least | Best |
|---|---|---|
| Regulation/compliance | 57% | 8% |
| Anti-money laundering | 29% | 9% |
| Cybersecurity | 22% | 4% |
| Tax | 17% | 12% |
| Sanctions/export controls | 15% | 7% |
| Anti-corruption/bribery | 15% | 10% |
| Competition/antitrust | 14% | 31% |
| Intellectual property | 11% | 15% |
| Enforcement/investigations | 9% | 34% |
| Data privacy | 5% | 3% |
| Corporate governance/shareholder activism | 4% | 24% |
| Corporate social responsibility/supply chain management | 2% | 43% |

FIGURE 5: WHICH OF THESE TYPES OF RISK IS CURRENTLY ALLOCATED THE MOST RESOURCES? FOR WHICH IS THE ALLOCATION OF RESOURCES LIKELY TO INCREASE THE MOST OVER THE NEXT YEAR? (SELECT TOP TWO)

| Type of risk | Currently allocated most resources | Resources likely to increase most over next year |
|---|---|---|
| Regulation/compliance | 78% | 55% |
| Tax | 38% | 36% |
| Competition/antitrust | 17% | 11% |
| Enforcement/investigations | 17% | 10% |
| Sanctions/export controls | 17% | 14% |
| Intellectual property | 10% | 7% |
| Anti-money laundering | 9% | 19% |
| Cybersecurity | 6% | 39% |
| Corporate governance/shareholder activism | 5% | 3% |
| Corporate social responsibility/supply chain management | 2% | 2% |
| Data privacy | 1% | 2% |
| Anti-corruption/bribery | 0% | 2% |

In conversation with…

Chan Lee
North America General Counsel, Sanofi

Q. WHAT ARE THE AREAS OF RISK CURRENTLY CAUSING YOUR INDUSTRY THE MOST CONCERN?

Drug pricing is a significant risk in our industry, particularly in the US. Generating a return on investment and incentivizing risk-taking has become a greater challenge. A number of market dynamics have helped create this challenging environment. We have more specialty drugs with higher prices. We have consolidation of payers with increasing bargaining power, leading to higher rebates, especially in diseases with multiple approved drugs to the exclusion of certain drugs in the formulary. We have higher out-of-pocket payments by patients, as payers look to shift the risk over to them, which has caused drug pricing to become a politicized issue. We also have significantly increased catastrophic payments in Medicare Part D. These and other factors have led to more scrutiny of manufacturer interactions with payers, patients, specialty pharmacies and other stakeholders, including greater scrutiny from government investigators.
We have focused our resources to conduct additional risk assessment reviews of these interactions.

Q. DEVELOPING ECONOMIES ARE CONSIDERED ATTRACTIVE MARKETS FOR MANY BUSINESSES, BUT DO THEY INVOLVE GREATER RISKS?

Developing economies have developing laws and enforcement of those laws – that is, laws governing certain interactions may not be clear. They may also have customs and cultures that are not consistent with the long-armed legislation of developed countries, such as anti-bribery laws. From that perspective, these markets pose significant risks. However, my view is that the most significant risks to our industry are still in developed markets, especially in the US. Certainly, the greatest financial exposure to litigation and government investigations for our industry continues to be in the US. Moreover, I believe that significant compliance matters in developed markets could have a substantial impact on the reputation of the affected company, as well as the industry.

Q. ARE RISK LEVELS GETTING BETTER OR WORSE?

If you are just looking at litigation risk, I don’t think there’s been a significant change. From a reputational risk perspective, the pricing exposure in the US has made it a very difficult operating environment. Pharmaceutical companies like ours have made public statements about pricing and price increases, but this is a developing area. Not all manufacturers have taken this position and there continues to be a lot of scrutiny at both the federal and state level on drug pricing.

Q. IS RISK MANAGEMENT TAKEN SERIOUSLY ENOUGH?

The biopharmaceutical industry takes risk management very seriously. Many boards are interested in enterprise risk management and have robust processes to identify key risks and to manage them. And when I talk about enterprise risk management, I’m talking about innovation, patent protection, pricing and ease of patient access to drugs – all of which should reward the risks taken to innovate.

Q. ARE INVESTORS BEING GIVEN ENOUGH INFORMATION ABOUT RISK FACTORS OR TOO LITTLE?

I believe that there are adequate disclosures of risks in our public filings. In fact, given the high number of risk factors in our industry, it may be difficult to properly prioritize these risk factors. This is one of the roles of legal and compliance colleagues in our industry – to prioritize the various risks and properly use our resources to mitigate them.

Section 02 Managing risk on a global scale

In most areas of risk management, respondents still see developing markets as riskier than their more developed counterparts – though some argue that developed markets offer their own problems. Businesses shouldn’t assume they’re not at risk just because they’re in a more mature market.

13% say the UK is the riskiest market for their business – second highest on the list – reflecting political and economic uncertainties in the country
28% of respondents say China is the market they regard as most risky to their business overall

Nigeria, Russia and China are cited as the three riskiest markets for respondents’ businesses, with Germany, Canada and Australia sitting at the opposite end of the scale (Figure 6, page 16).

Overall, the findings reflect the fact that developing markets continue to struggle with issues that have been resolved in most mature markets, and this is reflected in our findings. The rule of law may be less well-established, for example, and political uncertainty is often an issue. Cultural differences may also be difficult to reconcile with international laws in areas such as corruption.

“There are many different problems when dealing with the government, from a lack of comprehensive policies, which are not very good, and laws that are not enforced to problems with corruption,” says the director of risk management with one Nigerian bank. “It is very difficult to develop and grow in the market. Dealing with these risks is going to remain a problem for our bank. Tax structures are not well-developed and this will also increase risks for the company.”

Issues such as these mean some organizations are struggling to justify investments in certain markets, according to the chief executive of a Latin American financial services company: “Anti-money laundering and anti-corruption regulation is now very demanding. We prefer investing in markets where such regulations are strict and well-enforced.”

“There are a number of countries in Asia, for example, where the day-to-day compliance risk is very real,” adds Ropes & Gray’s Mimi Yang, who is based in Hong Kong. “This is why it’s so important that the right corporate culture and tone is set right from the top: there is a palpable difference locally between companies that have a very active and vocal compliance message coming right from the top.”

DEVELOPED DOESN’T MEAN RISK-FREE

Despite obvious concerns over developing economies, the problems organizations face vary from market to market, with certain issues causing more difficulties in particular jurisdictions, including developed markets.

Respondents regard the UK and the US as the riskiest developed markets in which to operate, followed by Japan. The UK is rated above-average on nearly every risk factor compared to developed markets in general, with competition and antitrust, corporate governance and shareholder activism, cybersecurity, intellectual property, regulation and compliance, and tax all attracting high risk ratings. The US, meanwhile, is seen as especially risky on anti-corruption, anti-money laundering, and regulation and compliance issues, suggesting heightened anxiety over more regulations and an aggressive enforcement regime. Japan’s high-risk areas are corporate social responsibility and supply chain management, cybersecurity, data privacy, enforcement and investigations, and sanctions and export controls.

There are also several other notable hotspots in developed markets. For example, respondents pick out intellectual property as a major area of concern in Italy. They see South Korea as problematic on competition and antitrust; and they point to data privacy in Australia.

Asked specifically which market they regard as the riskiest to their business overall, more than a quarter of respondents (28%) cite China (Figure 7, page 17). Clearly, their fears about a broad range of risk factors in this marketplace, when combined with their ambitions for the world’s second-largest economy, are front of mind. Among developing economies, only Brazil (cited by 13% of respondents), where political uncertainty and commodity price volatility have caused major upheaval, comes close.

FIGURE 6: FOR EACH OF THE COUNTRIES IN WHICH YOU HAVE SIGNIFICANT OPERATIONS, HOW WOULD YOU ASSESS THE UNDERLYING RISK LEVEL FOR EACH TYPE OF RISK? (RATE FROM 1-10 WHERE 1 = VERY LOW UNDERLYING RISK AND 10 = VERY HIGH UNDERLYING RISK)

| Type of risk | Germany | Canada | Australia | France | South Korea | Italy | Japan | US | UK | Turkey | Indonesia | Mexico | Saudi Arabia | South Africa | Brazil | India | Egypt | Argentina | China | Russia | Nigeria |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Anti-corruption/bribery | 6.1 | 6.3 | 6.6 | 6.3 | 6.3 | 6.4 | 6.7 | 7.2 | 6.6 | 7.3 | 7.6 | 7.5 | 7.6 | 8.1 | 8.6 | 8.5 | 8.2 | 8.6 | 8.9 | 9.2 | 9.8 |
| Anti-money laundering | 6.1 | 6.6 | 6.4 | 6.6 | 6.6 | 6.9 | 6.8 | 7.6 | 7.0 | 7.9 | 8.0 | 8.0 | 8.0 | 8.2 | 9.2 | 9.0 | 8.8 | 8.7 | 9.3 | 9.5 | 9.9 |
| Competition/antitrust | 6.8 | 6.9 | 6.8 | 6.9 | 7.2 | 7.1 | 7.0 | 7.0 | 7.2 | 7.5 | 7.9 | 7.8 | 7.8 | 8.2 | 8.5 | 8.7 | 7.7 | 9.0 | 8.8 | 8.9 | 9.3 |
| Corporate governance/shareholder activism | 6.6 | 6.6 | 6.5 | 6.7 | 6.9 | 6.7 | 6.9 | 6.8 | 7.0 | 7.4 | 7.5 | 7.5 | 7.8 | 7.9 | 8.2 | 8.1 | 8.4 | 8.3 | 8.4 | 8.5 | 8.8 |
| Corporate social responsibility/supply chain management | 6.5 | 6.8 | 6.9 | 6.9 | 6.8 | 6.9 | 7.1 | 6.9 | 7.0 | 7.5 | 7.7 | 7.8 | 7.8 | 7.8 | 8.3 | 8.3 | 8.7 | 8.3 | 8.4 | 8.5 | 9.1 |
| Cybersecurity | 6.7 | 7.1 | 6.8 | 6.9 | 7.1 | 7.1 | 7.2 | 7.0 | 7.2 | 7.8 | 7.5 | 7.8 | 7.8 | 7.9 | 8.4 | 8.5 | 8.7 | 8.5 | 8.6 | 8.9 | 9.5 |
| Data privacy | 6.6 | 7.1 | 7.2 | 6.8 | 6.9 | 7.1 | 7.2 | 7.1 | 7.2 | 7.9 | 7.9 | 7.8 | 7.9 | 8.0 | 8.5 | 8.5 | 8.6 | 8.8 | 8.7 | 8.9 | 9.2 |
| Enforcement/investigations | 6.9 | 7.0 | 6.9 | 6.9 | 7.1 | 7.1 | 7.3 | 7.1 | 7.2 | 7.9 | 7.8 | 8.0 | 7.9 | 8.2 | 8.5 | 8.5 | 8.3 | 8.7 | 8.8 | 8.9 | 9.2 |
| Intellectual property | 7.0 | 7.0 | 7.1 | 7.1 | 7.2 | 7.4 | 7.2 | 7.3 | 7.4 | 8.1 | 7.9 | 8.0 | 8.0 | 8.2 | 8.6 | 8.6 | 8.6 | 8.8 | 8.9 | 8.8 | 9.3 |
| Regulation/compliance | 7.3 | 7.5 | 7.5 | 7.7 | 7.5 | 7.7 | 7.7 | 7.8 | 7.8 | 8.2 | 8.3 | 8.2 | 8.2 | 8.4 | 8.9 | 9.0 | 9.3 | 9.0 | 9.3 | 9.1 | 9.6 |
| Sanctions/export controls | 7.2 | 7.3 | 7.5 | 7.6 | 7.4 | 7.6 | 7.8 | 7.5 | 7.7 | 8.3 | 8.3 | 8.2 | 8.2 | 8.4 | 8.6 | 8.8 | 9.0 | 8.7 | 8.9 | 9.0 | 9.6 |
| Tax | 7.2 | 7.5 | 7.6 | 7.6 | 7.6 | 7.6 | 7.7 | 7.6 | 7.8 | 8.2 | 8.2 | 8.2 | 8.4 | 8.5 | 8.5 | 8.8 | 9.1 | 8.8 | 8.8 | 9.1 | 9.4 |
| Total | 81.0 | 83.7 | 83.8 | 84.0 | 84.6 | 85.6 | 86.6 | 86.9 | 87.1 | 94.0 | 94.6 | 94.8 | 95.4 | 97.8 | 102.8 | 103.3 | 103.3 | 104.2 | 105.8 | 107.3 | 112.7 |

POLITICAL PRESSURE

The fact that 13% of respondents cite the UK as the market that poses the “most significant risk” to their businesses – the second highest on the list – may come as no surprise. The decision last year to leave the European Union and the ongoing negotiations over the terms of its departure are worrying many organizations. It is notable that asset managers are more likely to see the UK as a risk than respondents from other sectors; they operate in an industry that has a great deal to lose if Brexit negotiations do not go well.

“Brexit has affected the value of the pound and put companies at risk,” says the group head of risk with an asset management firm in the UK. “By losing access to the single market, our assets are affected as well. The need to change our operations to comply with EU regulations will become a necessity.
Other problems we face will come from problems related to our employees and the movement of our employees.”

Ropes & Gray’s Ruchit Patel confirms that Brexit is causing many organizations a compliance headache. “Most are not sure what this market will look like in a couple of years,” he says. “There’s uncertainty about how regulatory agencies may react – whether they’ll become more or less interventionist, whether there will be policy changes such as greater protectionism, and whether there will be a focus on direct consumer harm rather than the impact of competitive structures. The uncertainty is bad for some but an opportunity for others.”

“Brexit has caused a lot of problems for our company,” agrees the head of compliance with a technology firm in the UK. “We expect a change in regulations to follow, and capital is already difficult to access because of Brexit. We are developing different ways to manage risks. We are still preparing and are moving parts of our operations to different markets to get access to the large EU market.”

Nevertheless, almost every sector regards China as the most risky marketplace for their business. The one exception is banking, which sees the US as the riskiest geography. This may reflect the importance of the US as a global banking center and consternation caused by new regulations since the financial crisis, or perhaps deregulation in the near future.

Indeed, Ropes & Gray’s Colleen Conry, a partner with extensive experience in representing multinational corporations and their executives in government investigations, says that, while the Trump administration’s anti-regulation rhetoric should have given many businesses cause for optimism, the opposite has been true so far. “We’re in an environment that our clients view as overly-regulated, and we’re dealing with an administration that is focused on deregulation. How the government executes on its deregulation agenda is very uncertain,” she says.
Elsewhere, however, respondents are more divided. While asset managers pick the UK as their second riskiest market, banks point to India, life science firms choose Brazil and Russia jointly, technology firms cite Brazil and private equity firms point to the UK and the US.

FIGURE 7: WHICH MARKET DO YOU SEE AS POSING THE MOST SIGNIFICANT RISKS OVERALL?

| Market | Respondents |
|---|---|
| China | 28% |
| Brazil | 13% |
| United Kingdom | 13% |
| United States | 11% |
| Russia | 8% |
| India | 7% |
| Mexico | 5% |
| Nigeria | 3% |
| Argentina | 2% |
| Italy | 2% |
| Japan | 2% |
| Canada | 1% |
| France | 1% |
| Indonesia | 1% |
| Saudi Arabia | 1% |
| South Africa | 1% |
| South Korea | 1% |
| Egypt | 0% |
| Germany | 0% |

In conversation with…

Brad Berenson & Joann Harris
General Counsel & Chief Compliance Officer, TPG Global, LLC

Q. WHAT FACTORS ARE CREATING GREATER RISKS FOR YOUR ORGANIZATION?

As a private investment firm, three emerging risks come to mind immediately. First, protectionism and restrictions on trade, whether that be CFIUS review of inbound foreign investment in the United States or capital controls in foreign countries. An environment that inhibits cross-border trade flows is not good for business and creates more risk. Second, tax reform in the US and changing tax rules elsewhere are a constant source of risk. Third is the political macro risk, for example the tides of populism and nativism sweeping many countries, which has resulted in developments like Brexit.

Q. WHICH OF THESE RISKS ARE UNIQUE TO YOUR SECTOR?

The investment sector’s greatest risks are around tax and regulation, from US tax reform to changing foreign regulatory regimes, such as AIFMD and MiFID. Proposed steps like eliminating the deductibility of interest payments would have a dramatic impact on investment activity. In emerging markets, anticorruption is always going to be a significant risk to manage. But expanding regulatory and tax regimes in Western Europe and the regulatory volatility introduced by things like Brexit all represent new risks.
Q. HOW DOES THE ORGANIZATION DEAL WITH RISK?

We continuously evaluate and develop new initiatives to strengthen our already robust risk management and compliance controls. We’re particularly focused on fostering an understanding, throughout TPG, that risk management and compliance are everyone’s responsibility. We want all TPG employees to feel free to raise concerns, secure in the knowledge that there will be thorough and responsible follow-up and remediation of any problems without any retaliation against concern raisers.

We have an enterprise risk committee that is comprised of senior management from around the firm. The risk committee reviews potential risk areas and meets on a regular basis with the heads of legal, compliance, internal audit and operations. From a governance standpoint, it’s a powerful communication route because you’re sitting in the same room as the senior leadership talking through potential risks that you’re seeing on the ground.

We also have a very robust compliance program in the organization. Members of the legal and compliance team in offices across the US and globally are our boots on the ground. We want the organization to tap into that group to help prevent, detect and deal with any risk scenarios unfolding in real time.

Q. HOW DO YOU ENSURE THAT RISK AWARENESS AND RESPONSIVENESS ARE PART OF YOUR CORPORATE CULTURE?

“Tone from the top” is always important, and our senior leadership team does send a very strong message. We want our business leaders, platform leaders and investment professionals to know that they are accountable for compliance and risk management as well as investment performance. That starts with communication from our senior team to the rest of the firm. But the cultural elements go beyond merely high-level communication and reflect everything that we do to ensure that compliance is, and is perceived as, of paramount importance.
That includes things like our existing compliance program and the way the firm makes its risk judgments in the course of business day to day.

Section 03
Risk mitigation is a group effort

Organizations manage risk in different ways: some prefer a centralized approach while others take a more localized or function-based stance. But issues arise when risk management is trapped in organizational “silos”; collaboration across the entire enterprise is required to address it effectively.

60% of respondents say their chief risk officer (CRO) is primarily responsible for risk identification
52% say a proportion of risk is managed by each business unit
87% believe that greater collaboration between their risk managers would improve the overall risk profile of their organization
48% say risk is largely managed centrally within their organization

“Among those clients with the most mature risk management models, responsibility always sits with the senior leadership,” says Jim Dowden, partner with Ropes & Gray. “Organizations that grapple with these issues best are those that set the tone right from the very top – that means the CEO or chairman.”

In practice, many organizations say their risk management responsibilities are allocated to a range of different functions, including IT, legal and finance, as well as risk itself, where it is treated as a standalone function. For example, a bank executive in China explains: “We believe that risk needs to be assessed in all our operations and units, so we’ve developed a strong risk management team that is headed by our chief risk officer, who works with all the different function heads.”

“Risks are best managed when each team is managing a proportion of their own risk,” adds the head of compliance at a Canadian asset management firm.
“When analyzing the market, the company dedicates the resources required to understand the different risks and who are most capable of dealing with risks. The company’s growth rate and goals are best managed by keeping those risks in mind.”

Among respondents to this survey, the chief information officer (CIO) or chief technology officer (CTO) is most likely to have responsibility for risk mitigation in areas such as cybersecurity, data privacy and intellectual property, where the relevance to their specialization is most obvious (Figure 8). The chief financial officer (CFO), by contrast, is more likely to have ultimate responsibility for managing tax risk.

However, in most areas of risk, substantial numbers of respondents say their chief risk officer (CRO) has primary responsibility for mitigation. Indeed, the CRO is the most commonly cited risk management leader for anti-corruption and bribery, anti-money laundering, competition and antitrust, corporate governance and shareholder activism, and sanctions and export controls. Even in areas where other individuals are cited by more respondents, substantial numbers say their CRO is in charge.

FIGURE 8: IN YOUR ORGANIZATION, WHO IS PRIMARILY RESPONSIBLE FOR MITIGATING EACH OF THESE RISKS? (SELECT ONE FOR EACH TYPE OF RISK)
Risks: Tax; Anti-corruption/bribery; Anti-money laundering; Competition/antitrust; Corporate governance/shareholder activism; Corporate social responsibility/supply chain management; Cybersecurity; Data privacy; Enforcement/investigations; Intellectual property; Regulation/compliance; Sanctions/export controls
Roles: CEO; Compliance department; Legal department; Nobody; CFO/Finance department; Chief risk officer; CIO/CTO

The legal function also has substantial responsibilities in many organizations, respondents point out. In practice, risk may be operating out of legal, or at least alongside it. Similarly, risk and legal tend to take responsibility for the processes with which organizations mitigate risk on a day-to-day basis.

More than half of the respondents to this survey say their CRO is primarily responsible for risk identification (60%), risk prioritization (58%) and risk training (57%) (Figure 9). Substantial numbers also say the CRO manages their organization’s development of crisis management plans (46%) and business continuity protocols (44%).

It is these processes that will ultimately determine the success – or otherwise – of an organization’s risk management effort, argues the chief compliance officer of a US financial services company. “We now have a risk committee that takes responsibility for setting our principles, our risk framework, and our risk management processes,” the executive says.

In practice, one common fear expressed by risk management professionals is that dangerous issues fall between the cracks, as different functions within the organization leave mitigation to their colleagues elsewhere. That view is shared by the general counsel of a Latin American bank, who argues for centralized risk management practices: “Risk mitigation should be centralized because the number of risks are so high and the processes needed so vital that dealing with local level management only complicates the whole process,” the executive argues.

FIGURE 10: WHICH OF THESE STATEMENTS WOULD YOU AGREE WITH?

Ropes & Gray partner Michael Beauvais, co-chair of the life sciences and digital health practices, agrees. “Risk management operates on multiple levels, but it has to be system wide,” he says. “Where we see some organizations getting into trouble
is when individuals charged with compliance take a siloed approach, resulting in not having good visibility at the senior levels of the organization and clear lines of accountability.”

However, while this concern has increasingly driven the development of standalone, centrally managed risk functions in recent years, organizations also realize that it is not possible to manage all the details of risk from the top down, particularly in large global businesses with disparate operations.

Respondents in the survey take different views about how to balance the need to avoid “silos” with the imperative of confronting risk throughout the organization. The split between those organizations that say risk is largely managed centrally (48%) and those where a proportion of risk is managed by each business unit (52%) is pretty even (Figure 10). Similarly, while more organizations manage most risks predominantly at a local level than at a global level, more than half the respondents say mitigation is both local and global for each risk factor in the survey (Figure 11).

Operating in this way will make sense for a large number of organizations, but sharing the responsibility for risk management does increase the imperative for strong collaboration and communication. Unless those taking responsibility for different elements of risk management work effectively with one another and the rest of the organization, there is a danger that key messages will not get through.

The respondents to this survey recognize the danger and are not complacent about their risk management coordination. Less than a third (31%) say their risk managers collaborate and communicate to a great extent – and while 54% say communication and collaboration is moderate, a further 15% describe it as low (Figure 12). Against that backdrop, many organizations feel they could do much more.
Almost nine in 10 respondents in this research (87%) believe that greater collaboration between their risk managers would improve the overall risk management profile of their organizations (Figure 13). However, achieving those gains will require a deliberate effort to overcome organizational hurdles. The general counsel of a European private equity firm concedes: “We struggle with many barriers to collaboration, ranging from cost to differences in understanding and communication issues; these are difficult to manage and can lead to a lot of problems.”

FIGURE 9: WHO AT YOUR ORGANIZATION IS PRIMARILY RESPONSIBLE FOR THE FOLLOWING RISK MANAGEMENT FUNCTIONS? (SELECT ONE FOR EACH FUNCTION)
Functions: Risk prioritization; Risk identification; Risk training; Development of business continuity protocols; Development of crisis management plans
Roles: CEO; Compliance department; Legal department; CFO/Finance department; Chief risk officer

FIGURE 10 responses: Each team/business unit manages a proportion of their own risks, 52%; nearly all risk in our organization is managed centrally, 48%

WORKING WITH BROADER STAKEHOLDERS
As risk management has risen up the agenda for all organizations, risk managers have increasingly been required to work with a broad range of stakeholders, including their peers and, crucially, their investors. However, ensuring the organization is outward-facing when it comes to risk management brings its own challenges.

For many organizations, there is more work to do in this area. Just 6% of respondents to this survey feel that investors in their sector are completely satisfied with the amount of information about risk to which they have access (Figure 14, page 26). And while almost two-thirds (63%) believe investors are at least moderately happy with their risk disclosures, close to a third (32%) concede their investors are dissatisfied.
Broadly, the results are consistent across the sectors, with no single industry significantly ahead on these issues. Banks are marginally less likely to describe their investors as satisfied – perhaps reflecting the regulatory focus on risk and public disclosure in the banking sector over the past 10 years – while asset managers are more likely to feel this way. Indeed, the chief risk officer of a New York-based asset management firm says: “Shareholder activism is another risk that we have well covered, as we keep shareholders aware of our actions and always deliver value. We evaluate markets and forecast the outcomes of our decisions, and shareholders are made aware of our investment reasoning.”

Still, for those able to develop effective solutions, there are real gains to be made. As the CFO of a North American technology company says: “We’ve worked really hard to keep our shareholders closer and to share our risk data more openly – we think our investor relations program has really helped us align the interests of the business with its shareholders.”

FIGURE 11: WHICH OF THESE RISKS DO YOU MANAGE LOCALLY AND WHICH DO YOU MANAGE AT A GLOBAL LEVEL?
Responses: Managed at global level; Both locally and globally; Managed at local level
Risks: Anti-corruption / bribery; Anti-money laundering; Competition / antitrust; Corporate governance / shareholder activism; Corporate social responsibility / supply chain; Cybersecurity; Data privacy; Enforcement / investigations; Intellectual property; Regulation / compliance; Sanctions / export controls; Tax

FIGURE 12: TO WHAT EXTENT DO RISK MANAGERS (E.G., GENERAL COUNSEL, CHIEF COMPLIANCE OFFICER, CHIEF DATA PRIVACY OFFICER; CFO) COLLABORATE AND COMMUNICATE AT YOUR ORGANIZATION TO CREATE CONSISTENCY ACROSS OPERATIONS AND GEOGRAPHIES?
FIGURE 12 responses: To a great extent, 31%; to a moderate extent, 54%; to a low extent, 15%

FIGURE 13: DO YOU THINK THAT MORE COLLABORATION WOULD IMPROVE YOUR OVERALL RISK PROFILE?
Yes 87%; No 13%

In conversation with…
PD Villareal
Senior Vice President, Global Litigation, GSK

Q. WHAT ARE THE AREAS OF RISK CURRENTLY CAUSING YOUR ORGANIZATION MOST CONCERN?
For us, like many global enterprises, one has to be concerned with the challenge posed by bribery and corruption risks – whether it’s the Foreign Corrupt Practices Act from a US perspective, or the UK Bribery Act, or the many national laws that are relevant. We believe we are managing these well, but we must remain vigilant. Competition and antitrust issues are perceived as a global risk for multinational companies like us. We spend a lot of effort making sure we are fully compliant. And for the pharmaceutical industry, you would also have to be blind not to understand that we’ve got significant pricing concerns being raised, especially, but not only, in the US; this is beginning to manifest itself in legal actions and investigations and political issues.

Q. HOW DOES GSK APPROACH RISK ORGANIZATIONALLY?
Bribery and corruption is a good case in point. When you’re doing business in 125 or 130 countries around the world, with lots of different cultures, different levels of legal strength and different types of commercial practices, you’re never going to fully eliminate the risk, but we have significantly enhanced our ability to identify, respond to and remediate these issues. We’ve made permanent additions to the global infrastructure of our company that aren’t about individual people, but our whole corporate culture.

Q. WHAT METRICS DO YOU USE TO MEASURE RISK?
Data analysis can be hugely useful as another tool, but there isn’t a magic bullet to the process and no one thing is going to be the answer.
But quantitative analysis, for example, can help identify issues - anomalies, say, in financial cash flows. One thing we do is town halls with employees and management in our different sites. We talk to management about how they would grade themselves in terms of our values, and we ask the same question of the employees. Then we write reports about it that go to the management team and to the people above the management, at the local management level. Fixing local problems, site by site, improves our risk posture and makes the company a better place to work.

Q. HOW DO YOU ENSURE AN ENTERPRISE-WIDE CULTURE OF RISK MANAGEMENT?
The ultimate battleground is people’s hearts and minds, not rules or organizational changes, so that’s where you have to go. But you do have to have a corporate infrastructure that continually reinforces that this is the desired behavior – that surrounds the individual with the message that there’s a proper way and an improper way of doing business, and that only the proper way will be tolerated and rewarded. And it does still depend on leadership.

FIGURE 14: DO YOU THINK INVESTORS/SHAREHOLDERS IN YOUR SECTOR ARE SATISFIED WITH THE AMOUNT OF INFORMATION ON RISK THEY HAVE ACCESS TO?

FIGURE 15: HOW WELL DO YOU THINK YOUR INDUSTRY COMMUNICATES ABOUT RISK MANAGEMENT WITH INVESTORS/SHAREHOLDERS?

Many organizations recognize that they must do more to communicate effectively with their investors. Twenty-nine percent of respondents believe their sector is a poor communicator on the topic of risk management, while just 4% describe it as a good communicator (Figure 15). Clearly, for most organizations there is at least some room for improvement – and for sizeable minorities, particularly in the banking sector, which again scores lowest on communication, there is a great deal of work to be done to ensure communication with investors is of the required standard.
Many organizations are still struggling with how to get to grips with this issue. “Investors can be a tough audience to satisfy, and it tends to be the bad news that makes them sit up and take notice,” says Ropes & Gray’s Beauvais. “And in certain markets, notably the United States, you don’t get much credit for talking publicly about your organization’s approach with respect to compliance and risk – and in a litigious jurisdiction, you may even run into trouble for talking up your robustness in these areas if there is an issue down the road that causes a drop in your stock price.” As for work with industry peers, more than half the respondents in this survey say they subscribe to industry protocols that relate to corporate governance, risk management and corporate social responsibility. In some sectors – and for certain protocols – subscription rates are even higher. Two-thirds of asset managers, for example, subscribe to their sector’s protocols, while in life sciences, some protocols have attracted almost three-quarters of respondents (Figure 16). In that industry, says Ropes & Gray’s Beauvais, organizations are having to work even harder to understand and implement new methodologies for measuring certain performance-based measures. For example, “the convergence of value-based healthcare, together with a heightened enforcement regime, creates an even greater compliance risk for organizations,” he warns. That said, these protocols may be of only limited use in helping organizations to improve the effectiveness of their risk management. Just 10% of respondents say they help to address risk management to a great extent, though a further 56% say they have provided moderate help (Figure 16). Just over a third (34%) describe the usefulness of these protocols as low. Banks and private equity firms profess themselves particularly underwhelmed, with 40% and 39% respectively suggesting such protocols don’t offer much help with risk management. 
This is not to suggest, however, that all firms share such views. The general counsel of a European private equity firm says: “These protocols do set precedents for companies to adhere to and they’re really useful when we’re developing our risk management strategies.”

FIGURES 14 AND 15 are broken down by sector: Total; Asset Management; Banking; Life Sciences & Healthcare; Technology; Other; Private Equity
Figure 14 responses: Completely satisfied; Moderately satisfied; Not satisfied
Figure 15 responses: High communication; Moderate communication; Low communication

FIGURE 16: TO WHAT EXTENT DO YOU THINK THAT THESE INDUSTRY PROTOCOLS HELP IN ADDRESSING RISK MANAGEMENT?
Sectors: Total; Asset Management; Banking; Life Sciences & Healthcare; Technology; Other; Private Equity
Responses: To a great extent; To a moderate extent; To a low extent

FIGURE 17: TO WHICH INDUSTRY PROTOCOLS DO YOU SUBSCRIBE? (SELECT ALL THAT APPLY)
Sectors: Asset Managers; Banking; Life Sciences; Private Equity; Retail, Technology, Media and Telecom
Protocols:
01. International Forum of Sovereign Wealth Funds (IFSWF) Santiago Principles
02. Dow Jones Sustainability World Index
03. FTSE4Good Index Series
04. New York Stock Exchange’s Corporate Governance: A Practical Guide
05. The Equator Principles
06. Pharmaceutical Research and Manufacturers of America (PhRMA) Code on Interactions with Healthcare Professionals
07. American Medical Association’s (AMA) Physician Financial Transparency Reports (Sunshine Act)
08. PhRMA Guiding Principles on Direct to Consumer Advertising
09. OIG Compliance Program Guidance for Pharmaceutical Manufacturers
10. American Investment Council: Guidelines for Responsible Investing
11. Private Equity Reporting Group / British Private Equity & Venture Capital Association’s Walker Guidelines
12. Alternative Investment Management Association’s (AIMA) Chartered Alternative Investment Analyst designation
13. The Private Equity Reporting Group’s Good Practice Reporting Guide for Portfolio Companies
14. Invest Europe Code of Conduct
15. Electronic Industry Code of Conduct
16. International Labor Organization’s (ILO) International Labor Standards
17. ILO Code of Practice in Safety and Health
18. British Standard Occupational Health and Safety Assessment Series (OHSAS) 18001
19. Social Accountability International, SA 8000 Standard
20. OECD Guidelines for Multinational Enterprises
21. Ethical Trading Initiative
22. National Fire Protection Association

In conversation with…
Heather Mitchell
Managing Director and Global General Counsel for Investments, The Carlyle Group

Q. HOW DOES CARLYLE APPROACH RISK MANAGEMENT?
On a daily basis, “tone from the top” comes first. Our founders recognize the value of strong governance. Once that tone is set, you have to identify the risks, and estimate their likelihood and then their potential impact on the business. Risk awareness and responsiveness are fundamental to our corporate culture. We’re doing everything to make sure that our best practices are communicated throughout the organization. And we use that information not only to anticipate and mitigate risk, but to take advantage of risks if they offer an opportunity. We have a global risk committee, and its role is to manage risk across the businesses and embed good practice. We also have uniformity in our investment committees. They identify and monitor risks consistently across Carlyle’s operations, to avoid problems associated with silos. We try to take best practices from one area and apply it across the investment organization.

Q. HOW DO YOU MEASURE RISK?
We conduct an annual risk survey at all levels within Carlyle to assess and identify risks and their likelihood. We don’t take a checklist approach. The culture that we’ve created is innovative, collaborative and transparent. We have legal teams working on all of our deals. Our investment committees look at each investment, both on an individual basis and with a view to the rest of the firm and each of the funds. Risk isn’t something reviewed in isolation, it’s taken into account as each deal moves forward and as each decision is made.

Q. WHAT DOES SUCCESSFUL RISK MANAGEMENT LOOK LIKE TO YOU?
The EU referendum in the UK is a very good example of how we manage potential global and economic risks – although this could apply to any catalyst for market shock. We have a snapshot of every deal, which shows everything from financing to the buy and sell side, so that we can pivot on a dime should conditions warrant. In the run up to the EU referendum, we prepared for what would happen if the Leave vote won and the credit and equity markets froze or dropped substantially. We were able to close a deal on the day of the referendum, knowing we had already done our risk assessment of the exposure, not only to currency, but also to UK markets. We put in hedging and other currency mitigation. We also had communications prepared for our investors, as well as internal employees, to ensure that we immediately had open channels.

Section 04
The future of risk management

How can any organization working on a global scale hope to mitigate the rising tide of risks? Fostering a collaborative culture and a global perspective may be the answer, now and in years to come.

82% of respondents say their risk management and assessment training is innovative
69% are not confident their current risk management policies and practices will be enough to meet their future needs
43% feel their current risk management policies and practices meet all of their present needs

In a world where the number and seriousness of risk factors now faced by global organizations are increasing and rapidly evolving, the profile of the risk management function is likely to rise ever higher.

“I think there is going to be tremendous convergence of risk,” says Ropes & Gray’s Dowden. “Over the past 10 years, companies have focused largely on individual issues affecting a local market. For example, a multinational may have a problem in India, so they speak with Indian regulators. Today, regulatory bodies are all talking to each other – a local problem could become a global problem, as regulators become increasingly coordinated.”

Risk managers cannot shoulder the burden alone: only those who collaborate with colleagues within the organization, and with their peers from across their industries, can be confident they are doing everything possible to mitigate the dangers that confront their organizations. “The only way to mitigate that risk is by building relationships globally,” says Dowden.

Many risk management professionals stress the need to create a culture of risk awareness throughout the organization and beyond; all employees must be conscious that they have a role in mitigation and protection, along with a broader range of stakeholders, including, for example, the rest of the supply chain. However, such a culture does not develop by accident. Risk management professionals will need to build structures and processes to ensure this culture penetrates every corner of the organization. There will also be a role for new tools and technologies.
In this survey, the majority of respondents say they are exploiting innovation in areas such as finance, technology, training and organizational structure in order to enhance their management and assessment of risk (Figure 19). More than three-quarters (82%), for example, say their training is innovative.

However, there is more work to do. Fewer than half of respondents (43%) feel their current risk management policies and practices meet all their present needs (Figure 18). And that proportion drops to less than a third (31%) when respondents consider their future needs.

The reality, argues Ropes & Gray’s Conry, is that establishing a strong risk management culture requires a holistic approach: “We talk with clients about the importance not only of establishing policies, procedures and training programs, but also of making sure that they are following up on trainings with live visits to high-risk jurisdictions to generate a palpable presence of strong risk management,” she says. “Policies and training will only accomplish part of the job. Companies need to have the right sets of robust internal accounting controls to enable them to identify issues early on.”

Those findings represent a warning signal for global organizations. They recognize their risk systems require constant monitoring and improvement to deal with the changing nature of risk, but this work must now be a priority. Increased collaboration, sharpened lines of responsibility, improved communication, innovative use of new tools and technologies, greater process rigor and more focused risk management structures are all imperative if organizations are to effectively identify, quantify and mitigate the dangers they face today – and those that will emerge in the future.

FIGURE 18: “OUR CURRENT RISK MANAGEMENT POLICIES AND PRACTICES MEET ALL OF OUR PRESENT NEEDS/LIKELY TO MEET ALL OF OUR FUTURE NEEDS”
Present needs: True 43%; Not sure/false 57%
Future needs: True 31%; Not sure/false 69%

FIGURE 19: IN WHICH WAYS WOULD YOU SAY THAT YOUR COMPANY IS INNOVATIVE IN ASSESSING AND MANAGING RISK? (SELECT ALL THAT APPLY AND THE MOST IMPORTANT)
Categories: Technological (special hardware or software); Training (formalized processes and/or workflow); Organizational (formalized internal collaboration or special roles); Financial (quantifying ongoing and potential costs of risk)
Series: All that apply; Most important

In conversation with…
Cynthia M. Patton
Senior Vice President and Chief Compliance Officer, Amgen

Q. WHAT ARE THE AREAS OF RISK CURRENTLY CAUSING YOUR ORGANIZATION MOST CONCERN?
Current significant areas of industry risk include privacy, cybersecurity and global regulatory enforcement. For global companies, privacy is becoming much more important. Each country devises its own privacy laws, some of which interconnect and work together, and some of which don’t. Cybersecurity worries businesses more and more – and it impacts privacy. If you are hacked, there’s a chance that hackers will access sensitive, private accounts and essential intellectual property. As for the regulatory environment, that area continues to evolve, in the US and globally. There was a time when you’d have a regulatory issue in one country and it would stay there, but regulatory enforcement agencies now talk to each other. An issue in the UK can morph into the US, China and then around the world.

Q. HOW DOES AMGEN APPROACH RISK?
We take an organizational approach to risk. A cross-functional body is utilized to identify enterprise risks, as well as how they are being mitigated and reported.

Q. WHAT METRICS DO YOU USE TO MEASURE RISK?
We have calculations in the compliance organization to measure regional, country and local risk, based upon a series of questions posed to general managers and other relevant stakeholders. Once we determine our residual risks, cross-functional teams led by compliance functions define the measures we put in place to mitigate those risks.

Q. HOW DO YOU ENSURE AN ENTERPRISE-WIDE CULTURE OF RISK MANAGEMENT?
We think in terms of lines of defense. The business is the first line, monitoring is the second and auditing is third. We spend a good deal of time educating the business about the regulatory landscape. Someone from law, compliance and finance is usually a member on all the leadership teams of our businesses so they can help the teams navigate the risks of particular activities.

About Ropes & Gray
Ropes & Gray is one of the world’s premier law firms, with more than 1,200 lawyers and legal professionals serving clients in major centers of business, finance, technology and government. The firm has offices in New York, Boston, Washington, D.C., Chicago, San Francisco, Silicon Valley, London, Hong Kong, Shanghai, Tokyo and Seoul, and has consistently been recognized for its leading practices in many areas, including private equity, M&A, finance, investment management, hedge funds, real estate, tax, life sciences, health care, intellectual property, business & securities litigation, government enforcement, privacy & cybersecurity and business restructuring.

About FT Remark
FT Remark produces bespoke research reports, surveying the thoughts and opinions of key audience segments and then using these to form the basis of multi-platform thought leadership campaigns. FT Remark research is carried out by Remark, an Acuris company, and is distributed to the Financial Times audience via FT.com and FT Live events.

For more information, please contact:
Simon Elliott, Publisher, FT Remark
Tel: +44 (0)20 3741 1060
Email: Simon.Elliott@acuris.com

Risk Mitigation and Management
Ropes & Gray’s Risk Mitigation & Management model, a comprehensive suite of risk assessment and advisory services, offers an efficient, harmonized approach for mitigating complex risks. By evaluating risk across the entire enterprise, the model enables organizations to identify, monitor, and mitigate or eliminate risks across an organization, with a focus on anti-corruption and international risk, antitrust, corporate governance, health care, intellectual property, life sciences, privacy and cybersecurity, regulatory compliance, supply chain and corporate social responsibility, and tax.

To discover potential risks, Ropes & Gray attorneys from the firm’s global practices interview key stakeholders throughout a company’s operations. The firm analyzes the responses to produce a visualization of risks in key areas, and then makes recommendations that enable management to improve compliance, open communication channels and implement procedures that effectively reduce risk across the organization. This new product expands upon the firm’s critically acclaimed Risk Matrix, recognized as a standout product by Financial Times Innovative Lawyers.

Contacts
James Dowden, Co-coordinator, Anti-Corruption & International Risk
James.Dowden@ropesgray.com
Ryan Rohlfsen, Partner, Government Enforcement
Ryan.Rohlfsen@ropesgray.com