Significant changes have already occurred globally as a result of the COVID-19 pandemic and more changes are likely to come. As we consider re-entering the new everyday normal, the executive protection community is working to evaluate what this new normal will look like. From the perspective of public companies in the U.S., there will likely be some notable changes to consider. First and foremost, how companies evaluate risk may change. As many corporations have found out in response to COVID-19, standard risk assessments and resulting crisis planning do not match the global pandemic reality.
Many public organizations provide investors with insight into their anticipated risks through a U.S. Securities and Exchange Commission (SEC) form called a 10-K. Acting as a vehicle for risk disclosures, the 10-K offers investors in capital markets a clear understanding of the risks faced when investing in individual companies. This same report serves to inform executive protection professionals to understand what is top of mind for a company and perhaps even what is missing. Generally speaking, cybersecurity is one area where most organizations have responded positively to risk reporting over the past few years, reasonably as a result of policymakers or the investors themselves. Most corporate 10-Ks today speak to the extent of the threat and the impact of their cyber risks. Companies sometimes though miss the mark on clearly defining their future risk and mitigation plans. A publication titled “The Corporate Risk Factor Disclosure Landscape” noted these deficiencies, indicating “a company could enhance its disclosure by providing more description of its risk mitigation efforts.”
One risk factor traditionally found in a 10-K is language relative to natural and human disruptions. More specifically they may include language regarding natural disasters, significant weather events, climate change, earthquakes, fire, war, terrorism, health pandemics, and a laundry list of other global risks all cataloged under one risk element. This broad risk factor has been found as highly prevalent in reviewing corporate 10-K reports. The language associated with this general band of threats is typically at an extremely high level and absent of any real detail regarding how the company plans to mitigate this risk. Some organizations did callout the coronavirus risk (early in 2020) adding “Coronavirus pandemic” to their annual report as a specific item among a broad list of crises. But again, little mention is made regarding steps towards alleviating the effects on the organization. As has been evident in the current crisis, detailed mitigation plans were absent.
Some items to date continue to be missing as a whole or at least in detail from corporate 10-Ks. One surprisingly absent factor is any reference to key personnel. Fewer than 28% of corporate 10-K reports highlight key personnel in their risk factors. At the same time, as we look at the coronavirus outbreak and the unfortunate infection of Prime Minister Boris Johnson, we see a scenario where a pandemic, epidemic or even endemic event could have staggering costs and impact. It is reported that the British pound took a beating against the U.S. dollar after the announcement of his infection with a drop as high as .5%. Yet as we read through corporate 10-Ks, the risk of pandemics is vaguely referenced and even less so as it relates to key personnel.
A review of the current U.S. Fortune 500 list shows that out of the top 10 U.S. corporations, only three specifically call out key personnel such as Chairman of the Board, President or CEO. Companies that tend to focus more on this key personnel factor have historically been in the technology and telecommunications industries along with a few others. Not surprisingly, of those top 10 from the Fortune 500 list, two are technology companies. This begins to draw some discussion relative to how corporate risk is assessed and reported, how key personnel are identified, and whether the absence of the identified key corporate personnel and mitigation plans in 10-K reporting creates a gap.
Multiple definitions are available for key personnel. Some are specific to projects while others consider the full scope of risk to an organization. For many organizations, key persons are any officer, director or partner or person that holds more than 5% of equity in a corporation. The Securities and Exchange Commission does provide some clarity in the code for “Advisor Business Continuity and Transition Plans“, where it notes that “advisors generally also should identify which key personnel provide critical functions to the advisor or support critical operations or systems of the advisor such that the temporary or permanent loss of those individuals would disrupt the advisor’s ability to provide services to its clients.” The IRS even defines within its continuity manuals, “those positions essential to the organization or individuals whose absence would jeopardize the continuation of an organization’s Mission Essential Functions (MEF). An organization’s risk team should consider a few factors in their assessment of risk for the 10-K including, the impact key personnel could have on the continuity of operations, the shareholder’s perceived value that an executive holds for the brand, and competition within a market to secure industry leaders. This is evident in many 10-Ks within the technology sector that highlight the competitive nature of obtaining talent in a quickly evolving industry. The last factor an organization’s risk team should consider is interest or ownership in the entity. Whichever factors they select, once the company has narrowed down who is critical to the company they likely should turn to their business continuity unit or Human Resources team and ask the question: “If the executive left, how difficult would it be to replace them and how long would it take?”
Another effect of COVID-19 and the potential future impact on risk interpretation is that of the threat of espionage. Economic downturn, uncertainty of jobs, and financial security have long been recognized as key factors to elevate the risk of espionage. Supplementing this risk is an ever-growing uncertainty index. Before coronavirus, the uncertainty index in the world was at an all-time high in 2019 with U.S.-China trade tensions, Brexit, and political tension fueling fears. While a new World Uncertainty Index (WUI) hasn’t been released yet, we can be assured that index calculations post COVID-19 will launch into never before seen highs. Individual concerns over finances and corporate concerns over competition, trade, and profits will likely elevate the true risk of espionage for years to come.
With those questions top of mind, let’s pause and get back to the crisis at hand. COVID-19 has effectively hampered global trade in many ways and individuals and corporations alike have come to recognize its impact on the economy. So, as we begin to look forward to the new normal, do we expect that more 10-K reports will deepen their narrative relative to pandemics as they have on cybersecurity? Will the perceptions of future travel risks to key personnel limit where or how they travel based on biological surveillance reporting? Will the massive groupings of natural and human disruptions be altered, and authors of 10-K reports begin to more succinctly consider each of those categories more thoroughly? Perhaps they may begin addressing pandemics, espionage, terrorism, etc. more clearly. Lastly, will the inclusion of key personnel and their potential loss be re-evaluated post COVID-19? All these questions will likely remain on the table for months (if not years) to come. It is guaranteed that the executive protection market will change, too. Considerations for the professional protector should include:
Bio Surveillance – Most protection professionals are qualified first responders and understand the ABCs of life safety. Even more, they are very familiar with the tactics and strategies required to mitigate the risk of violence against their principal. Many could even name the most prevalent terrorist organizations domestically and internationally. But how many are familiar with the national strategy for bio surveillance or monitoring or reporting of infectious diseases globally? Do they take the time to research the prevalence of highly infectious bacteria, viruses, and associated toxins in a region before traveling? If not before, certainly now an understanding of a region’s bio-health risks has become significantly important to the protector.
Changes in Tactics – Many teams are now balancing the need for trading in tactical gear for respiratory masks, bleach sprays, hand sanitizer, and rubber gloves due to COVID-19. How we evaluate which risks are more likely based on the corporate 10-K and current intel will change as our experiences evolve as well. Risk is ever-changing, and protection professionals must remain vigilant and informed. What was traditionally in the “go bag” for every trip may now need to be modified based on a deeper understanding of strategic level risks. Instead of sweeping a room for just eavesdropping or dangerous objects, sterilization and cleanliness plans will now come into play.
Corporate SEC Reporting – The potential for future evaluation of shareholder perspectives on risk, the criticality of key persons, and stronger definitions within mitigation plans will impact how protectors understand risk assessment. Key persons may no longer be vaguely defined or absent from 10-Ks. The corporate interpretation may expand beyond the perceptions of the past to include not just what it costs to replace them, but what they know right now that could be targeted by competition. Interest in strategies to mitigate espionage, improve health and safety planning, and limitations on higher risk environments where no mitigation is available are potentially on the forefront.
The executive protection community has always cited the relevance of the current market and news as a bellwether for providing appropriate protection to the principal. The uninformed or worse, ignorant protector, risks stepping into something unknowingly if not properly informed about risks from credible and reliable sources. An executive protection team (or function) may be requested or required to provide input into these answers to help ensure shareholder confidence. It is important that the protection industry continues to learn and modify its own operations lessons alongside those we are retained to protect.