China’s Aid to Pakistan Increases Region’s Geopolitical Risk
Aggressive Security is Best Weapon in Fight for Cyberspace
Preparing for Disruption, Political Risk and Crisis in an Era of Uncertainty
Among technological disruption, geopolitical tension, and escalating cyber risk, the future will be defined by its instability. The best way for organizations to respond to this turbulent and uncertain vision of the future is to develop a robust plan that engages with the threats looming on the horizon.
Uncertainty and blind spots regarding risk were the key topics at the recent Marsh & McLennan Companies’ annual government contractors’ forum titled Growth in an Unpredictable World: Strategies for Resiliency. Alex Wittenberg, executive director of Marsh & McLennan’s Global Risk Center, emphasized that no single plan for the future could save an organization from disruption; risk managers have to be prepared for a multitude of scenarios.
“Mitigation response has to follow alternative views of the future,” Wittenberg said. “You can’t just build for a best-case scenario, and certainly if you just build for the worst-case scenario your shareholders are going to crucify you. If you only understand one or two versions of the future, I can pretty much tell you that’s probably not what’s going to happen.”
Cyber Risk is Soaring
Cyber risk should already be on every risk professional’s radar—but few are aware of the full extent of the problem. During the forum’s first panel, Technology Disruption’s Impact on Strategy and Risk, Philip Reitinger, president and CEO of Global Cyber Alliance, predicted that cybercrime would be particularly difficult to limit.
“This is bad math, but if you projected out [the compound annual growth rate in cyber losses] the entire world economy will be eaten by cybercrime in 2025,” Reitinger said. “Now that’s ridiculous, that’s not going to happen, but it’s hard to see where [cybercrime] is going to slow down.”
Unfortunately, dangerously few working professionals—especially risk managers and C-suite executives—appear to be aware of the disruptive forces on the verge of upending their industries. In a recent survey from Marsh and the Risk & Insurance Management Society, more than half of the respondents said that their organization had not conducted a risk assessment to expand their understanding of disruptive technologies.
Even more disturbing was the finding that many of those surveyed were unaware of technologies in use within their own organizations. Forty-eight percent of risk professionals responded that their organization wasn’t using or planning on using the Internet of Things; the actual use number was 90 percent.
Marsh’s Jim Holtzclaw, echoing Wittenberg’s keynote, argued that organizations need to develop plans that have a wide berth for future change: “Organizations need to be looking at ways to adopt these technologies, they need to be proactive, they need to plan accordingly.”
However, Holtzclaw also cautioned that adoption for the sake of adoption, without the appropriate due diligence, could be catastrophic.
“If you’ve ever pictured the iceberg that’s floating in the ocean, and you see the part that’s above the waterline, that’s what the vendor is telling you about,” Holtzclaw said. “What he’s not telling you about is that large chunk that represents the maintenance, the upkeep of that solution that sits below the waterline. That maintenance tail may not fit within your organization, and that technology will be a failure.”
However, when an audience member asked the panel about potential avenues for older companies unprepared for newer platforms, Holtzclaw responded frankly: “Those kinds of companies? We’re seeing them die every day. They have no choice but to innovate.”
Global Expansion Means Local Risk
As organizations expand and become increasingly international, they’ll need to adhere to local customs and regulations in the variety of countries they’re operating in. The second panel, titled Third-Party Uncertainty from Geopolitical Instability, addressed the risks of wading into new legal and regulatory environments in the local context.
Identifying potential crises and building response frameworks in advance must be every risk professional’s priority.
Nina Gross, head of BDO Consulting’s Washington, D.C., Global Forensics practice, explained that many organizations seeking to work abroad often lacked the local context necessary to operate legally.
“Whether I’m Nigeria, or Mexico, or Brazil, or Germany, or Switzerland, or fill-in-the-blank, I’m going to enforce my laws,” Gross said. “Many of us don’t even know what those laws are. And so I think the dynamic now is: We need to be aware of what’s happening—not just in the U.S. or where you’re headquartered— but what’s happening around the world where you do operations. That, I think, is the biggest risk right now.”
However, adherence to local laws can be complicated when countries have a record of corruption, crime, or terror risks. Beyond just knowing local laws and regulations, organizations need a clear understanding of the risk landscape in the country they are in or plan on working in.
Julie Martin, who leads Marsh’s Public Agency Team, gave a historical example: “Going back a couple decades, the only way that you could do business, for example, in Indonesia, is if you were in partnership with a Suharto family member. But when Suharto was toppled that then became a big negative. So you obviously need to consider who your partners are.”
The best approach, Gross explained, is due diligence well in advance of a deal. Mobilizing accountants to conduct audits and look into potential international partners isn’t an extraneous cost—it lays the groundwork for successful business operations going forward.
“When you start to pull back that onion, you realize, ‘well their business is dependent upon paying bribes, and the head of the business’s son-in-law is the head of trade in such-and-such ministry,’” Gross said. “You’ve got to start asking questions early on in the deal. Once you get too far in, you’re almost beholden and you have to complete that deal and it may end up being a big problem.”
Respond to Reputational Risk Crises
The final presentation at the forum, Social Instability: Optimizing Talent During the Storm, focused on reputational risk. First, Chandra Seymour of Marsh Risk Consulting put the worth of a reputation into concrete numbers.
“Reputation typically accounts for about 30 percent of a company’s actual stock price or value,” Seymour said. She cited a recent airline PR crisis, after which the company’s stock price took a 1 percent dip. “For that organization, a 1 percent dip represented $255 million,” she said. “So that’s a big number, especially when, what studies have also shown, is that typically a stock price will dip anywhere from 20 to 30 percent after a major reputational issue.”
Reputational risk can be increased by a number of factors, ranging from bad conduct and questionable business judgment, to internal and external attacks. These risks are amplified in a crisis due to a confluence of factors:
- Crises are inherently unpredictable, so most organizations aren’t prepared for them
- The 24-hour news cycle and social media have the potential to expand the crisis beyond its original proportions
- Social media also increases the expectations for a company response, which often runs counter to a desire for fact-finding or measured silence
- The unpredictable nature of crises makes accurate information difficult to come by
Seymour emphasized that most problems cannot be easily contained to any one department. A cyber issue, for example, is not an IT problem; it could easily spill over and become a business and communications problem.
Therefore, mirroring the suggestions of speakers before her, Seymour argued that the goal for any organization unwilling to risk its reputation would be to develop a streamlined, comprehensive response structure. That would entail identifying potential crises and response frameworks well in advance and training spokespeople and management to respond quickly and clearly.