‘The problem is that every morning some crazy thing has happened somewhere in the world’

Control Risks is an independent, global risk consultancy specialising in political, integrity and security risk. Richard Fenning has been with the firm for more than two decades and has been its CEO since 2005, so it follows that he’s well versed in a wide range of risk management issues. That’s why we asked Fenning to assess the global risk environment for our readers. And his observations might surprise you…

Welcome Richard. Can you start by telling us what are, in your opinion, the major risks facing organisations in 2017?
There are a whole range of issues that come to mind, but a good starting point is around international relations and geopolitics. The imperative for risk managers is to have a view of what is happening in the world. The problem at the moment is that every morning some crazy thing has happened somewhere in the world from a political or security point of view. It is easy in such an environment for people to lurch from one issue to another and not be able to place it in context and get it in proportion.

We have this extraordinary political situation in the US that is so headline-generating. We also have North Korea and what is happening in the rest of the Asia-Pacific region, particularly the way things are evolving in China. Then there is the drama in the Middle East. There is the Brexit situation and the European Union. Then there are issues which run through all of this, like international terrorism. So, there is a lot on the plate of someone who is trying to make sense of this and say ‘these are the things we should be worried about and these are the things which are just part of the daily soap opera that sells newspapers’.

If you are in the risk business, people ask you constantly about what is happening around the world and how it affects them. As it is so dramatic and so concerning to people, sometimes organisations overreact to the daily churn of ever more dramatic headlines. These events are a risk in themselves and also a risk in terms of being taken out of proportion.

Another area of risk is the whole issue of international and domestic regulations. Organisations are often finding themselves caught up in dramas that are not of their own making because something has gone wrong in their supply chain, or they find themselves embroiled in some form of regulatory problem or a reputational problem that they were not able to anticipate. This whole regulatory and crisis area is fuelled by too much data and not enough capacity to understand it.

The third area of risk involves technology, cyber security and information security. This can no longer a new risk. Anybody with a pulse knows that the whole cyber environment has changed quite dramatically over the past three or four years. This area has the ability to really unsettle senior management in terms of how they approach risk.

Are there particular countries in Asia where these risks are likely to be an even greater threat to organisations? For example, South Korean firms due to the threat from North Korea.
The Korea issue is interesting as it continues to ratchet up an already intense situation. Every time you think it has gone as far as it can, it goes up again. That is a risk that will play out regardless of what we do. So even if you have significant operations in South Korea, there is a limit to what you can do.

The bigger risks in Asia are if you have an operation in China and you find yourself on the wrong side of China’s anti-corruption clampdown, or you have a partner in Vietnam that falls out of favour with the regime. Perhaps you find yourself in a labour-standards scandal in Bangladesh, a corruption scandal in Malaysia, or with a supply-chain problem in Thailand. These problems are more immediate and there are things that we can do about them in a way that we can’t do something about what happens in Pyongyang.

What do risk managers need to do to prepare their organisations to face the major risks o 2017?
These risks are all, to varying degrees, insurable risks; although, geopolitics is the hardest in terms of taking out specific insurances. You can make sure your organisation is protecting itself with the right type of insurances so the resilience is in place to respond. It is also about making sure you examine your supply chain, for instance, as too often risk managers look within the four walls of their organisation and do not look over the fence. It may be an insulated organisation, but with a supply chain that stretches around the world that bring risks and vulnerabilities. It is about building up the most accurate picture possible and making sure the bosses in the organisation have these risks proportionally sized in their mind.

Are there any aspects of these risks that are unique to Asia or particularly prevalent to the region?
In general terms, there is nothing specific about Asia which makes it any more or less complicated than doing business in the Middle East or Latin America. However, China is a dominant world power now, after being a dominant power in Asia for a long time. The China-related risks have been felt more in Asia than elsewhere, but as China’s corporate tentacles spread around the world that is changing. What is different in the Asia-Pacific region is the nature of some of the international rivalries that fuel particular types of geopolitics. That can be around China and Japan, China and the United States, what is playing out now in Korea, and China’s territorial disputes with the likes of Vietnam, the Philippines and Taiwan.

How prepared do you believe the Asia-Pacific region is for these risks?
From a global perspective, you can see how differently parts of the world address cyber risks. For quite a long time, companies thought that if you were in a particular part of the world you had less cyber vulnerability than elsewhere. The whole cyber security industry was pioneered in the United States, where there has been some of the biggest attacks. In many Asian companies, you see a deficit in terms of corporate protection and the steps people are taking to mitigate cyber risk. If I had to make a huge generalisation, I would say that Asia itself still has some way to go to really address its cyber vulnerability. Weirdly, Japan has been slow to address its own cyber vulnerabilities despite its enormous technological advances in some aspects of its economic activities.

Have high-profile cyber attacks such as WannaCry pushed that risk higher up the agenda?
Every time there is a problem, there is the deafening sound of the stable door being bolted long after the horse has fled. The WannaCry event was a patch that should have been applied a long time ago for most affected organisations. This was not high-tech hacking, it was smart low-tech hacking. Every time there is one of these issues it is a wake-up call for people, but you would be amazed how quickly complacency reasserts itself. Risk management is like driving by looking in the rear-view mirror – you are conscious of what has happened previously, but you keep bumping into things that are ahead of you.

On the regulatory side, what is the major challenge for risk managers?
In many ways, this is the hardest of all these issues to deal with and is the one that catches our clients out with the greatest regularity. They need to understand their organisations well and also how and where regulations are changing in different parts of the world. Otherwise, it is possible to get caught up in a regulatory enforcement that wasn’t anticipated.

Finally, how do you see these key risks evolving in the future
There is nothing on a global stage to suggest any of these issues are going to get fixed anytime soon. The geopolitical risk is certainly going to roll on. The turbulence around the Trump presidency shows no sign of abating and will be a 2018 risk, too. China’s long-term trajectory as a global power means that it will continue to go through an extraordinary economic transformation. The European Union soap opera will continue.

For the next two or three years, it will be hard to predict the level of volatility in politics and, to a certain extent, economics. On the regulatory side, it will be more of the same. International companies will need to manage their own risk profile and there is more they can do there. Cyber will also continue to be a big issue for many boards of directors. Again, there is more organisations can do to manage their cyber risk and concentrate on their own vulnerabilities, prioritise them and take sensible steps.