1

Risky Business Mitigating exposure through comprehensive risk

Remark Research from the Financial Times Group 2

Contents

Introduction 4

Methodology 5

Key findings 6

Section 01 Exposure to risk 8

Section 02 Managing risk on a global scale 14

Section 03 Risk mitigation is a group effort 20

Section 04 The future of risk management 30 RISKY BUSINESS MITIGATING EXPOSURE THROUGH COMPREHENSIVE RISK MANAGEMENT 3 4

Introduction

Sophisticated enterprises encounter But all risk management leaders In order to identify, monitor, and an ever-increasing and constantly agree: they must act quickly to mitigate or eliminate risks across changing spectrum of risks as they identify and remedy weaknesses, an organization, risk management expand their lines of business, enter collaborate more closely with professionals should undergo a holistic new geographic markets, and grow colleagues and global peers, and legal and regulatory assessment by acquisitions. Failing to comply remain vigilant as new threats arise. of threats facing their company, with anti-corruption, anti-money including issues in connection to laundering, cybersecurity, data BEST PRACTICES anti-corruption, antitrust, corporate privacy, and several other pertinent AND NEXT STEPS governance, intellectual property, laws and regulations can often lead to In practice, risk management privacy and cybersecurity, regulatory both financial and reputational loss. is a maturing discipline, with compliance, sanctions, supply chain As a result, comprehensive conflicting views about the best and corporate social responsibility, and risk management has never been way to proceed. According to our tax. This thorough evaluation will not so important, particularly in large survey, organizations are conscious only uncover key trouble spots, but organizations, where complex of the need to manage risk facilitate conversations that enable reporting structures, global throughout their global operations, management to improve compliance, jurisdictions, and shareholder bases including far-flung markets and open communication channels and demand accountability. With the right disparate sectors, but sometimes implement procedures that effectively risk management framework in place, struggle with the balance between reduce risk. including the proper technologies, centralized and localized risk models, workflows and processes, management practices. together with quantitative and In some organizations, dedicated qualitative analyses, comprehensive risk management professionals have risk mitigation is attainable. now taken control of risk across the Which legal, regulatory enterprise, while others prefer to and operational risks are most assign risk mitigation to managers critical? How are organizations throughout their operations. seeking to mitigate risks? How are There is no one-size-fits-all organizations evaluating exposure approach to risk management. in target geographies? And how Different organizations and are professionals coordinating industries have different motivations risk management across their for managing risk in the ways that global enterprise? they do. But as all risk managers will Ropes & Gray, together with attest, there are always challenges FT Remark, conducted a survey and complexities, and our research of 300 senior-level executives identifies several areas where large at corporations across many numbers of organizations believe industries, including banking, asset they have more work to do. management, private equity, life The survey also makes it clear sciences, healthcare and technology. that risk management work is never The results reveal varying degrees of complete. Businesses must reassess legal and regulatory readiness across and re-examine their practices on an individual organizations, industries ongoing basis to ensure their tactics and jurisdictions, as well as marked remain effective and that they are inconsistencies in approach. aware of the latest and greatest threats. RISKY BUSINESS MITIGATING EXPOSURE THROUGH COMPREHENSIVE RISK MANAGEMENT 5

FIGURE 1: WHERE RESPONDENTS CAME FROM

North Asia Latin America EMEA Pacific America Total

Banking 16 17 12 5 50

Private Equity 17 16 12 5 50

Asset Management 16 18 11 5 50 Life Sciences & Healthcare 17 17 11 5 50

Technology 17 16 12 5 50

Other 17 16 12 5 50

Total 100 100 70 30 300

FIGURE 2: IN WHICH COUNTRIES DO YOU CURRENTLY HAVE SIGNIFICANT OPERATIONS (SALES AND/OR SUPPLY CHAIN)? 4% 4% 6% 11% 31% 31% 17% 12% 35% 27% 14% 15% 32% 32% 67% 34% 56% 25% 23% 46% 28%

Methodology

In the second quarter of 2017, FT Remark, on behalf of global law firm Ropes & Gray, surveyed 300 senior-level executives across many industries, including banking, asset management, private equity, life sciences, healthcare and technology. The survey included a combination of qualitative and quantitative questions, and all interviews were conducted over the telephone by appointment. The results were then Argentina

analyzed and collated by FT Remark. Egypt Nigeria All responses are anonymized and United States Kingdom United China Germany Canada France India Brazil Japan Australia Mexico Italy Korea South Africa South Indonesia Russia Turkey Arabia Saudi presented in aggregate. 6

Key findings

Risk exposure: The big state of play picture

43%consider corporate social responsibility/supply chain management to be the types 28%of respondents say China is the of risks they are best prepared market they regard as most risky to manage to their business overall

78%say they intend to devote the most risk management resources to deal with regulation and compliance risks

say13% the UK is the riskiest market 29%say they are unprepared to deal for their business – second highest with anti-money laundering risks on the list – reflecting political and economic uncertainties stemming from Brexit

57%of respondents cite “regulation and compliance” as one of the top two types of risk they feel least prepared to address Nigeria, Russia and China are seen as the riskiest developing markets RISKY BUSINESS MITIGATING EXPOSURE THROUGH COMPREHENSIVE RISK MANAGEMENT 7

Who looks The future of after risk? risk management

87%believe that greater collaboration between their risk managers would improve the overall risk profile of their organization of respondents82% say their risk management and assessment training is innovative 52%say a proportion of risk is managed by each business unit

48% feel their current43% risk say risk is largely management policies and managed centrally within practices meet all of their their organization present needs

of60% respondents say their chief risk officer (CRO) is 69% primarily responsible for are not confident risk identification their current risk management policies and practices will be enough to meet their future needs EXPOSURE TO RISK 8 prepared to fully live toprepared to up challenge. that fully many competitive are And not their edge. disrupting without They asked are being of stakeholders. to other address risks abroad range and authorities, supra-national and national local, Businesses have never more scrutiny under felt from regulators, Exposure to risk 01 Section with anti-money laundering risks laundering anti-money with deal to unprepared are they say 29% 57% to manage to prepared best are they risks of types the be to management responsibility/supply chain consider corporate social 43% compliance risks and regulation with deal to most risk management resources the devote to intend they say 78% address to prepared least feel they risk of types two top the of one as compliance” and “regulation cite respondents of

over a large operation is always always is operation alarge over their preparedness. about concerned were they say respondents of 22% saw cybersecurity, concern, of area laundering (29%) – while the third –anti-money area cited commonly most next the as many as twice almost was 10). That page 4, (Figure face they challenges the for prepared well- least the feel currently they where areas two the of one as out it picked (57%) respondents of half than More well-prepared. feel to where respondents are least likely area the is it since especially survey, this in concern of area stand-out and reputational harm.” damage commercial avoid to how about worry of deal agreat is There up. going are figures resolution the and past, the in than coordination global more with higher, are stakes “The says. she before,” ever than consistently, or more extensively orjurisdictions, being enforced more different in or prominent more are that regimes regulatory of number a with increasing, is regulation and international businesses. for apriority is increasingly compliance that believes investigations, internal SEC enforcement matters, and securities litigation, US DOJ and private on focuses and Kong Hong in based is who partner compliant.” are investments and assets our all sure absolutely be must we with regulators, To problems avoid high. very are penalties and risks the compliant, not are we “If bluntly: puts it firm services financial European 3). (Figure survey our in respondents for concern greatest of factor risk the as list the top however, the list. down further abit sit but important as seen also are cybersecurity and privacy data like newcomers Relative survey. our in respondents for aworry are factors risk these of –all regulations laundering money and property intellectual tax, controls, export and Sanctions “Having oversight and control control and oversight “Having the is compliance Regulatory compliance on attention “Global &Gray aRopes Yang, Mimi one of officer risk chief The Regulation and compliance, being ethical in our approach, are we assure that protocols have we as risks anti-corruption handle antitrust risk. preparedness for competition and their about (31%) confident are investigations. And almost as many and enforcement (34%) cited third a than More management. risk for prepared better much are they where area an as management chain supply and responsibility social corporate out picked respondents (43%) half of almost example, For the risks their businesses now face. organizations feel more prepared for value.” market our lower could that and publicity negative face could we aconsequence, As surprise. by us catch can risk this and are many complications involved there but business, our safeguard to resources of short fall we that or time in arisk such to react to ability the lack we that Not rise. the on been has which theft, property intellectual to comes it when helpless left be can we Ifeel but risks for prepared are “We out, points Beijing in firm equity private one of CFO the As China. in concern particular of are issues property intellectual example, For intellectual property. to pointed firms science life and second area of unpreparedness; their as cybersecurity out picked firms technology and Banks risks. unprepared for money laundering feel to likely more were firms managers and private equity Asset industry. by varied factor cited commonly most second the contrast, By background. sector well-prepared whatever their least feel respondents where area the compliance is regulatory that reveals data the of analysis office. London firm’s the Ruchit Patel, an antitrust in partner partner &Gray for,” Ropes says control to difficult are that concerns compliance and regulatory create can location afar-flung in employee Ajunior seniority. of regardless arise can exposure where intensified is problem that But a challenge. “Our firm is well-prepared to to well-prepared is firm “Our many however, Elsewhere, apart. play also may Location Indeed, a more granular MITIGATING EXPOSURE THROUGH COMPREHENSIVE RISK MANAGEMENT RISK COMPREHENSIVE THROUGH EXPOSURE MITIGATING AND 10 = VERY HIGH IMPORTANCE) 10 HIGH =VERY AND 1-10 (RATE FROM LOW IMPORTANCE 1=VERY WHERE BUSINESS OVERALL YOUR TO IMPORTANCE THEIR OF TERMS IN RISK OF TYPES FOLLOWING 3:FIGURE 8.7 Regulation/compliance 8.4 Sanctions/export controls 8.4 AS BEST YOU CAN, PLEASE RATE THE THE RATE PLEASE YOU CAN, BEST AS Tax 8.2 Intellectual property 8.2 Anti-money laundering 8.1 Enforcement/investigations 8.0 Data privacy RISKY BUSINESS 8.0 Competition/antitrust 7.9 Cybersecurity 7.9 Anti-corruption/bribery 7.8

Corporate governance/shareholder activism 7.7 9 Corporate social responsibility/supply chain management

EXPOSURE TO RISK EXPOSURE TO RISK officer of a European technology technology European of a officer delays and problems.” have created already regulations and these capital, our invest we way the affect will regulations antitrust in changes “Recent out: points firm equity private a US of director managing The areas. these in problems no are there firm. management asset New one York-based of officer risk chief the says managers,” questioning our honesty as asset FOR WHICH IS THE ALLOCATION OF RESOURCES LIKELY TO INCREASE THE MOST OVER THE NEXT YEAR? YEAR? NEXT THE OVER MOST THE INCREASE TO LIKELY RESOURCES OF ALLOCATION THE IS WHICH FOR FIGURE 5:FIGURE 4:FIGURE 10 Currently allocated most resources most allocated Currently Least which stops regulators from Similarly, the chief technology say, that to however, not is This 78% 57% Regulation/compliance Regulation/compliance WHICH OF THESE TYPES OF RISK IS CURRENTLY ALLOCATED THE MOST RESOURCES? RESOURCES? MOST THE ALLOCATED CURRENTLY IS RISK OF TYPES THESE OF WHICH FOR WHICH OF THESE TYPES OF RISK DO YOU FEEL YOUR FIRM IS BEST AND LEAST PREPARED? PREPARED? LEAST AND BEST IS FIRM YOUR YOU FEEL DO RISK OF TYPES THESE OF WHICH FOR Best 8% 55% Anti-money laundering 29% 38% the next 12 months (Figure 5). (Figure 12 months next the over resources increased for priority a as out it (55%) pick half than more –and resources management risk most the devote they which to area the as compliance and regulation More than three-quarters (78%) cite area. this to –resources increasing are now allocating substantial – and for risk management, respondents area apriority as compliance and company.” the for costs increased management because regulation has risk chain supply in significantly invest to had have “We says: company 9% Resources likely to increase most over next year next over most increase to likely Resources Having identified regulation regulation identified Having Tax 36% 22% Cybersecurity 17% Competition/ antitrust 4% 11%

risk for which they feel unprepared, unprepared, they feel which for risk a as cybersecurity cite to likely most were which firms, technology and banks year; next the over spending increased for area as an 39% by out picked is resources, most the allocate currently they say 6% respondents of only where Cybersecurity, fore. the to ahead. year in the area this to resources more allocate to (36%) expect many as – almost out it picking (38%) of respondents athird than more with resources, substantial of consumer as a factor However, other priorities are rising rising are priorities other However, risk stand-out Tax other the is 17% 17% investigations Enforcement/ Tax 12% 10%

15% export controls (SELECT TOP TWO) (SELECT (SELECT TOP TWO) (SELECT 17% Sanctions/ export controls Sanctions/ 7% 14%

15% 10% corruption/ Intellectual Intellectual bribery property Anti- 10% 7% FOR WHICH IS THE ALLOCATION OF RESOURCES LIKELY TO INCREASE THE MOST OVER THE NEXT YEAR? YEAR? NEXT THE OVER MOST THE INCREASE TO LIKELY RESOURCES OF ALLOCATION THE IS WHICH FOR FIGURE 5:FIGURE 4:FIGURE WHICH OF THESE TYPES OF RISK IS CURRENTLY ALLOCATED THE MOST RESOURCES? RESOURCES? MOST THE ALLOCATED CURRENTLY IS RISK OF TYPES THESE OF WHICH FOR WHICH OF THESE TYPES OF RISK DO YOU FEEL YOUR FIRM IS BEST AND LEAST PREPARED? PREPARED? LEAST AND BEST IS FIRM YOUR YOU FEEL DO RISK OF TYPES THESE OF WHICH FOR

(SELECT TOP TWO) (SELECT (SELECT TOP TWO) (SELECT 14% Anti-money Anti-money Competition/ laundering 9% antitrust 19% 31% Intellectual property 11% Cybersecurity 6% 15% factors will also be important. important. be also will factors other troublesome elements.” and hackers to vulnerable them leave will and grow businesses way cybersecurity will go on shaping the issues surrounding privacy and current The problem. the of impact the reduce to regulations any with out coming not is government the and cybersecurity of alack to due Saudi Arabian bank. “Fraud is growing a of CFO the says us,” for challenge resourcing increases. planning be to likely the most also are 39% Naturally, industry-specific amajor is “Cybersecurity investigations Enforcement/ shareholder activism 9% governance/ Corporate 5% 34%

3% up their compliance infrastructures.” ramp really to them prompting is that and closely, very managers asset at looking now are “Regulators says. he changing,” is that but flexibility, investment opportunities with great seek to it allowed has which years, 30 past the over regulation of levels low pretty enjoyed has reality. anew facing now are firms says practice, risk international & anti-corruption global firm’s the of co-coordinator Dowden, Jim partner &Gray Ropes sector, management asset the in example, For “This is an industry that that industry an is “This responsibility/supply 5% chain management privacy Corporate social Data Data MITIGATING EXPOSURE THROUGH COMPREHENSIVE RISK MANAGEMENT RISK COMPREHENSIVE THROUGH EXPOSURE MITIGATING 3% 2%

2% shareholder activism governance/ Corporate 4% Data privacy 24% 1% in enhanced consumer welfare.” consumer enhanced in result cases these that clear always not It’s innovators. fast-moving of progress the decelerate to rivals strategically by slower moving used been has law “Competition objectives: commercial further to weapon astrategic as used been often has antitrust sector, technology points out that in the fast-moving 2% Ropes & Gray’s Ruchit Patel Patel Ruchit &Gray’s Ropes responsibility/supply chain management RISKY BUSINESS Corporate social 2% Anti-corruption/ 0% bribery 43% 2%

11

EXPOSURE TO RISK 12

In conversation with… RISKY BUSINESS MITIGATING EXPOSURE THROUGH COMPREHENSIVE RISK MANAGEMENT 13

Chan Lee North America , Sanofi

Q. WHAT ARE THE AREAS OF Q. DEVELOPING ECONOMIES companies like ours have made RISK CURRENTLY CAUSING ARE CONSIDERED ATTRACTIVE public statements about pricing YOUR INDUSTRY THE MARKETS FOR MANY and price increases, but this MOST CONCERN? BUSINESSES, BUT DO THEY is a developing area. Not all Drug pricing is a significant risk in INVOLVE GREATER RISKS? manufacturers have taken this our industry, particularly in the US. Developing economies have position and there continues to be Generating a return on investment developing laws and enforcement a lot of scrutiny at both the federal and incentivizing risk-taking has of those laws – that is, laws and state level on drug pricing. become a greater challenge. governing certain interactions may A number of market dynamics not be clear. They may also have Q. IS RISK MANAGEMENT have helped create this challenging customs and cultures that are not TAKEN SERIOUSLY ENOUGH? environment. We have more consistent with the long-armed The biopharmaceutical industry specialty drugs with higher prices. legislation of developed countries, takes risk management very We have consolidation of payers such as anti-bribery laws. seriously. Many boards are with increasing bargaining power, From that perspective, these interested in enterprise risk leading to higher rebates, especially markets pose significant risks. management and have robust in diseases with multiple approved However, my view is that the most processes to identify key risks and drugs to the exclusion of certain significant risks to our industry to manage them. And when I talk drugs in the formulary.We have are still in developed markets, about enterprise risk management, higher out-of-pocket payments by especially in the US. Certainly, I’m talking about innovation, patients, as payers look to shift the the greatest financial exposure patent protection, pricing and risk over to them, which has caused to litigation and government ease of patient access to drugs drug pricing to become a politicized investigations for our industry – all of which should reward the issue. We also have significantly continues to be in the US. risks taken to innovate. increased catastrophic payments Moreover, I believe that in Medicare Part D. significant compliance matters Q. ARE INVESTORS BEING These and other factors in developed markets could GIVEN ENOUGH INFORMATION have led to more scrutiny of have a substantial impact on ABOUT RISK FACTORS OR manufacturer interactions the reputation of the affected TOO LITTLE? with payers, patients, specialty company, as well as the industry. I believe that there are adequate pharmacies and other disclosures of risks in our public stakeholders, including greater Q. ARE RISK LEVELS GETTING filings. In fact, given the high scrutiny from government BETTER OR WORSE? number of risk factors in our investigators. We have focused If you are just looking at litigation industry, it may be difficult to our resources to conduct risk, I don’t think there’s been properly prioritize these risk additional risk assessment a significant change. From a factors. This is one of the roles of reviews of these interactions. reputational risk perspective, legal and compliance colleagues the pricing exposure in the US in our industry – to prioritize the has made it a very difficult operating various risks and properly use our environment. Pharmaceutical resources to mitigate them. MANAGING RISK ON A GLOBAL SCALE 14 risk just because they’rerisk because just amore in mature market. Businesses own shouldn’t problems. assume they’retheir not at developed that offer argue some markets – though counterparts more developed their developing as markets than riskier see still respondents most areasIn of risk management, riskManaging on aglobal scale 02 Section the country economic uncertainties in and political –reflecting list the on highest –second business their for market riskiest the is UK the say 13% overall business their to risky most as regard they market the is China say respondents of 28% palpable difference locally between between locally difference palpable a is there top: the from right set is tone and culture corporate right the that important so it’s why is “This Kong. Hong in based is who Yang, Mimi &Gray’s Ropes adds real,” very is risk compliance day-to-day the where example, for Asia, in are strict and well-enforced.” regulations such where markets in very demanding. We prefer investing now is regulation anti-corruption and laundering “Anti-money company: services financial American a Latin of executive chief the to according investments in certain markets, organizations are struggling to justify company.” the for risks increase also will this and well-developed not are Tax structures bank. our for problem a remain to is going risks these with and grow in the market. Dealing develop to difficult very is “It bank. management with one Nigerian risk of director the says corruption,” with problems to enforced not are that laws and good, very not are which polices, comprehensive of alack from government, the problems when dealing with corruption. as areas such in laws with international reconcile to difficult be also may differences uncertainty is often an issue. Cultural established, for example, and political well- be less may law of The rule findings. our reflected in is and this markets, mature most in resolved been that have issues with struggle to continue markets developing fact that 16). page 6, (Figure the scale of end opposite the at sitting Germany, Canada and Australia respondents’ businesses, with for markets riskiest three the as cited are China and Russia Nigeria, “There are a number of countries countries of anumber are “There some mean these as such Issues different many are “There the reflect findings the Overall, especially risky on anti-corruption, anti-corruption, on risky especially high risk ratings. compliance, and tax all attracting intellectual property, regulation and shareholder activism, cybersecurity, and governance corporate with competition and antitrust, general, in markets developed to compared factor risk every nearly on followed by Japan. operate, to which in markets developed riskiest the as US the developed markets. particular jurisdictions, including in difficulties more causing issues certain with market, to from market vary face problems organizations developing economies, the over concerns obvious Despite top.” the from right coming message compliance vocal and active avery have that companies RISK-FREE MEAN DOESN’T DEVELOPED The US, meanwhile, is seen as as seen is meanwhile, US, The above-average rated is UK The and UK the regard Respondents MITIGATING EXPOSURE THROUGH COMPREHENSIVE RISK MANAGEMENT RISK COMPREHENSIVE THROUGH EXPOSURE MITIGATING combined with their ambitions when marketplace, this in factors risk of range abroad about fears 7, their 17). page (Figure Clearly, China (28%) cite respondents of aquarter than more overall, business their to riskiest the as regard they privacy in Australia. data to point they and antitrust; and competition on problematic as Korea South see They Italy. in concern of area amajor as property intellectual out pick respondents example, For markets. notable hotspots in developed controls. export and sanctions and investigations, data privacy, enforcement and chain management, cybersecurity, supply and responsibility social corporate are areas high-risk Japan’s aggressive enforcement regime. an and regulations more over suggesting heightened anxiety issues, compliance and regulation anti-money laundering, and Asked specifically which market market which specifically Asked other several also are There

RISKY BUSINESS

15

MANAGING RISK ON A GLOBAL SCALE MANAGING RISK ON A GLOBAL SCALE UNDERLYING RISK) RISK) UNDERLYING RISK? OF TYPE EACH FOR LEVEL RISK UNDERLYING 6:FIGURE Competition/antitrust 16 responsibility/supply shareholder activism Intellectual property chain management Anti-corruption/ Corporate social export controls Cybersecurity investigations Enforcement/ governance/ Data privacy Anti-money Anti-money Regulation/ compliance Sanctions/ laundering Corporate FOR EACH OF THE COUNTRIES IN WHICH YOU HAVE SIGNIFICANT OPERATIONS, HOW WOULD YOU ASSESS THE THE YOU ASSESS WOULD HOW OPERATIONS, YOU SIGNIFICANT HAVE WHICH IN COUNTRIES THE OF EACH FOR bribery Tax

Total 6.5 6.8 6.9 6.6 6.6 6.1 6.1 6.7 7.3 7.2 7.2 7.0 81.0 Germany 6.3 6.8 6.9 6.6 6.6 7.3 7.5 7.5 7.0 7.0 7.1 7.1 83.7 Canada 6.5 6.8 6.4 6.8 6.9 6.9 6.6 7.5 7.5 7.2 7.6 7.1 83.8 Australia 6.3 6.8 6.9 6.9 6.9 6.9 6.6 6.7 7.6 7.6 7.1 7.7 84.0 France 6.3 6.8 6.9 6.9 6.6 7.5 7.2 7.2 7.4 7.6 7.1 7.1 84.6 South Korea 6.4 6.9 6.9 6.7 7.4 7.6 7.6 7.1 7.1 7.7 7.1 7.1 85.6 Italy 6.8 6.9 6.7 7.3 7.2 7.8 7.2 7.2 7.0 7.1 7.7 7.7 (RATE FROM 1-10 WHERE 1 = VERY LOW UNDERLYING RISK AND 10 = VERY HIGH 10 HIGH =VERY AND RISK 1-10(RATE FROM LOW UNDERLYING 1=VERY WHERE 86.6 Japan 6.8 6.9 7.3 7.5 7.8 7.2 7.0 7.6 7.0 7.6 7.1 7.1 86.9 US 6.6 7.2 7.8 7.2 7.4 7.8 7.2 7.2 7.0 7.0 7.0 7.7 87.1 UK 8.3 8.2 8.2 8.1 7.3 7.5 7.5 7.4 7.8 7.9 7.9 7.9 94.0 Turkey 8.3 8.3 8.2 8.0 7.5 7.8 7.5 7.9 7.9 7.9 7.6 7.7 94.6 Indonesia Lower underlying risk underlying Lower 8.2 8.2 8.2 8.0 8.0 8.0 7.5 7.5 7.8 7.8 7.8 7.8 94.8 Mexico 8.2 8.2 8.4 8.0 8.0 7.8 7.8 7.8 7.8 7.9 7.9 7.6 95.4 Saudi Arabia 8.5 8.2 8.2 8.4 8.4 8.2 8.2 8.0 8.1 7.8 7.9 7.9 97.8 South Africa 8.5 8.5 8.5 8.3 8.5 8.2 8.4 8.9 8.6 8.6 8.6 9.2 102.8 Brazil 8.5 8.5 8.3 8.5 8.8 8.8 8.5 8.6 8.1 8.7 9.0 9.0 103.3 India 8.3 8.8 8.4 8.2 9.3 8.6 8.6 9.0 8.7 8.7 9.1 7.7 103.3 Egypt 8.3 8.3 8.8 8.8 8.8 8.5 8.6 8.7 8.7 8.7 9.0 9.0 H igher underlying risk underlying igher 104.2 Argentina 8.8 8.8 8.4 8.8 8.4 8.9 8.9 9.3 9.3 8.9 8.6 8.7 105.8 China 8.5 8.8 8.5 8.9 8.9 8.9 9.5 8.9 9.2 9.0 9.1 9.1 107.3 Russia 8.8 9.3 9.3 9.2 9.2 9.4 9.5 9.8 9.9 9.6 9.6 9.1 112.7 Nigeria be a focus on direct consumer harm harm consumer direct on afocus be protectionism, and whether there will greater as such changes policy be will or less interventionist, whether there more become they’ll –whether react about how regulatory agencies may uncertainty “There’s says. he years,” of acouple in like look will market organizations a compliance headache. many causing is Brexit that confirms employees.” our of movement the and employees our to related problems from come will face we problems Other necessity. a become will EUregulations with comply to operations our change to need The well. as affected are assets our market, single the to access losing “By UK. the in firm management asset an with risk of head group the says risk,“ at companies put and pound the of well. go not do negotiations Brexit if lose to deal agreat has that industry an in operate they sectors; other from respondents than risk a as UK the see to likely more are many organizations. worrying are departure its terms of the over negotiations ongoing the and Union European the leave to year last decision The surprise. no as come –may list the on highest second –the businesses their to risk” significant “most poses the that market the as UK the cite respondents 13% of that fact The close. come upheaval, price volatility have caused major political and uncertainty commodity where 13% by respondents), of (cited developing economies, only Brazil Among mind. of front are economy, POLITICAL PRESSURE for the world’s second-largest second-largest world’s the for “Most are not sure what this this what sure not are “Most Patel Ruchit &Gray’s Ropes value the affected has “Brexit managers asset that notable is It firms point to the UK and the US. the and UK the to point firms equity private and Brazil cite firms Brazil and Russia jointly, technology choose firms science life India, to point banks market, riskiest second their as UK the pick managers asset respondents are more divided. While uncertain,” she says. on deregulation its agenda is very How the government executes deregulation. on focused is that administration an with we’re dealing clients view as overly-regulated, and far. so true been has opposite the optimism, for cause businesses many given have should rhetoric regulation anti- Trump administration’s the while says that, investigations, their executives in government corporationsmultinational and experience in representing extensive with apartner Conry, future. near the in deregulation perhaps or crisis, financial the since regulations new by caused centerbanking and consternation aglobal as US the of importance the reflect may geography. This riskiest the as US the sees which banking, is exception one The business. their for marketplace risky most the as China regards sector EUmarket.” large the to access get to markets different to operations our still preparing and are moving of parts are We risks. manage to ways different developing We are Brexit. of because access to difficult already is capital and follow, to regulations in a change “Weexpect UK. the in firm technology a with compliance of head the agrees company,“ our for problems others.” for opportunity an but some structures. The uncertainty is bad for competitive of impact the than rather Elsewhere, however, however, Elsewhere, our that environment an in “We’re Colleen &Gray’s Ropes Indeed, every almost Nevertheless, of alot caused has “Brexit MITIGATING EXPOSURE THROUGH COMPREHENSIVE RISK MANAGEMENT RISK COMPREHENSIVE THROUGH EXPOSURE MITIGATING 5% 7% 8% 11% 13% 13% 28% 7:FIGURE 0% 0% 1% 1% 1% 1% 1% 1% 2% 2% 2% 3% THE MOST SIGNIFICANT RISKS OVERALL? OVERALL? RISKS SIGNIFICANT MOST THE WHICH MARKET DO YOU SEE AS POSING POSING AS YOU SEE DO MARKET WHICH RISKY BUSINESS SOUTH AFRICA SOUTH SOUTH KOREA SOUTH SAUDI ARABIA ARGENTINA INDONESIA KINGDOM GERMANY MEXICO CANADA UNITED UNITED UNITED STATES FRANCE NIGERIA RUSSIA BRAZIL CHINA JAPAN EGYPT INDIA

ITALY

17

MANAGING RISK ON A GLOBAL SCALE 18

In conversation with… RISKY BUSINESS MITIGATING EXPOSURE THROUGH COMPREHENSIVE RISK MANAGEMENT 19

Brad Berenson & Joann Harris General Counsel & , TPG Global, LLC

Q. WHAT FACTORS ARE regimes in Western Europe and the We also have a very robust CREATING GREATER RISKS FOR regulatory volatility introduced compliance program in the YOUR ORGANIZATION? by things like Brexit all represent organization. Members of the legal As a private investment firm, three new risks. and compliance team in offices emerging risks come to mind across the US and globally are our immediately. First, protectionism Q. HOW DOES THE boots on the ground. We want the and restrictions on trade, whether ORGANIZATION DEAL organization to tap into that group that be CFIUS review of inbound WITH RISK? to help prevent, detect and deal foreign investment in the United We continuously evaluate with any risk scenarios unfolding in States or capital controls in foreign and develop new initiatives to real time. countries. An environment that strengthen our already robust inhibits cross-border trade flows is risk management and compliance Q. HOW DO YOU ENSURE not good for business and creates controls. We’re particularly focused THAT RISK AWARENESS AND more risk. on fostering an understanding, RESPONSIVENESS ARE PART OF Second, tax reform in the US throughout TPG, that risk YOUR CORPORATE CULTURE? and changing tax rules elsewhere management and compliance “Tone from the top” is always are a constant source of risk. are everyone’s responsibility. We important, and our senior Third is the political macro risk, want all TPG employees to feel leadership team does send a very for example the tides of populism free to raise concerns, secure in strong message. We want our and nativism sweeping many the knowledge that there will be business leaders, platform leaders countries, which has resulted in thorough and responsible follow-up and investment professionals to developments like Brexit. and remediation of any problems know that they are accountable for without any retaliation against compliance and risk management Q. WHICH OF THESE RISKS ARE concern raisers. as well as investment performance. UNIQUE TO YOUR SECTOR? We have an enterprise risk That starts with communication The investment sector’s greatest committee that is comprised of from our senior team to the rest risks are around tax and regulation, from around of the firm. from US tax reform to changing the firm. The risk committee But the cultural elements foreign regulatory regimes, such reviews potential risk areas and go beyond merely high-level as AIFMD and MiFID. Proposed meets on a regular basis with the communication and reflect steps like eliminating the heads of legal, compliance, internal everything that we do to ensure deductibility of interest payments audit and operations. that compliance is, and is perceived would have a dramatic impact on From a governance standpoint, as, of paramount importance. investment activity. it’s a powerful communication That includes things like our In emerging markets, anti- route because you’re sitting in the existing compliance program corruption is always going to be same room as the senior leadership and the way the firm makes its a significant risk to manage. But talking through potential risks that risk judgments in the course of expanding regulatory and tax you’re seeing on the ground. business day to day. RISK MITIGATION IS A GROUP EFFORT 20 entire enterprise is required to address it effectively. organizational in “silos”;is trapped across collaboration the issues risk But management stance. arise when function-based centralized take others amore localized while approach or ways: risk different Organizations in manage prefera some Risk mitigation is agroup effort 03 Section 60% centrally within their organization their within centrally managed largely is risk say their organization of profile risk overall the improve would managers risk their between collaboration greater that believe 87% unit business each by managed is risk of aproportion say 52% 48% identification risk for responsible primarily is (CRO) officer risk chief their say respondents of governance and shareholder corporate antitrust, and competition bribery, anti-money laundering, and anti-corruption for leader management risk cited commonly most the is CRO the Indeed, for mitigation. responsibility primary has (CRO) officer risk chief their say substantial numbers of respondents managing tax risk. for to responsibility have ultimate likely more is (CFO), contrast, by officer financial chief 8). The (Figure specialization is most obvious where the relevance to their privacy and intellectual property, data cybersecurity, as such areas in for mitigation risk responsibility have to likely most (CTO) is officer technology chief or (CIO) officer information chief the survey, keeping those risks in mind.” by managed best are goals and rate growth company’s The risks. with dealing of capable most are who and risks different the understand resources the to required dedicates company the market, the analyzing “When firm. management asset aCanadian at compliance of head the adds risk,” own their of aproportion managing is team each heads.” function different the all with works who officer, risk chief our by headed is that team management risk astrong developed we’ve so units, and operations our all in assessed be to needs risk that believe “We explains: China in standalone function. a as treated is it where itself, risk as well as finance, and IT, legal including functions, different of a range to are allocated responsibilities say their risk management or chairman.” CEO the means –that top very the from right tone the set that those are best issues these with grapple that “Organizations Gray. & Ropes with partner Dowden, Jim says leadership,” senior the with sits always responsibility models, most mature risk management the with clients those “Among However, in most areas of risk, risk, of areas most in However, this to respondents Among when managed best are “Risks executive abank example, For In practice, many organizations (SELECT ONE FOR EACH TYPE OF RISK) OF TYPE EACH FOR ONE (SELECT RISKS? THESE OF EACH 8: FIGURE Anti-corruption/bribery / Anti-money laundering Competition/antitrust Compliance department CEO shareholder activism responsibility/supply Intellectual property chain management Corporate social export controls IN YOUR ORGANIZATION, WHO IS PRIMARILY RESPONSIBLE FOR MITIGATING MITIGATING FOR RESPONSIBLE PRIMARILY IS WHO ORGANIZATION, YOUR IN Cybersecurity investigations Enforcement/ Data privacy Regulation/ compliance CFO/Finance department Sanctions/ Tax

1% 1% 11% 1% 1% 4% 4% 3% 4% 4% Legal department

5% 5% MANAGEMENT RISK COMPREHENSIVE THROUGH EXPOSURE MITIGATING 21% 29% 27% 32% 32% 37% 40% Chief risk officer risk Chief 44% 43% 33% 48% 49% Nobody 1% 37% 34% 30% 14% 21% 65% CIO/CTO 16% 25% 57% 17% 17% 15% 1% RISKY BUSINESS 13% 13% 11% 41% 37% 36% 35% 34% 31% 30% 21% 20% 20% 5% 4%

9% 9% 21 1% 1%

RISK MITIGATION IS A GROUP EFFORT RISK MITIGATION IS A GROUP EFFORT organizations getting into trouble some see we “Where says. he wide,” system be to has it but levels, multiple on operates management “Risk and digital health practices, agrees. sciences life the of co-chair Beauvais, argues. the executive process,” whole the complicates only management local level with dealing that vital so needed processes the and high so are risks of number the because centralized be should mitigation “Risk practices: centralized risk management for argues who American bank, aLatin of general counsel colleagues elsewhere. their to mitigation leave organization the within functions different as cracks, the between issues fall professionals is dangerous that management risk by expressed processes,” the executive says. and our risk management our principles, our risk framework, for setting responsibility takes that company. services financial US ofa officer compliance chief the argues effort, management risk organization’s an –of otherwise or – success the ultimately determine (44%). protocols continuity business (46%) and plans management crisis of development organization’s their manages CRO the say also numbers 9). Substantial (57%) (Figure prioritization (58%) and risk training risk (60%), identification risk for their CRO is primarily responsible say survey this to respondents the of half than More process. a day-to-day on risk mitigate organizations which with processes management risk the take the responsibility for managing it. alongside least at or legal, of out operating be may risk practice, In organizations, respondents point out. in many responsibilities substantial charge. in is CRO their say respondents, substantial numbers more by cited are individuals other where areas Even in controls. export 22 activism, and sanctions and Ropes & Gray partner Michael Michael partner &Gray Ropes the by shared is view That fear common one practice, In committee arisk have now “We will that processes these is It Similarly, risk and legal tend to has also function legal The YOU AGREE WITH? YOU AGREE 10:FIGURE (SELECT ONE FOR EACH FUNCTION) EACH FOR ONE (SELECT FUNCTIONS? MANAGEMENT RISK FOLLOWING THE FOR RESPONSIBLE PRIMARILY 9:FIGURE 48% 20% 40% 60% 80% 100% managed centrally is organization our in risk all Nearly risks own their of proportion a manages unit team/business Each Compliance department CEO

Development of business IS AT ORGANIZATION WHO YOUR WHICH OF THESE STATEMENTS WOULD WOULD STATEMENTS THESE OF WHICH continuity protocols CFO/Finance department

Development of crisis management plans Legal department Risk training

Chief risk officer risk Chief Risk prioritization 52%

Risk identification managers would improve the collaboration between their risk greater that (87%) believe research this in 10 respondents do much more. Almost nine in could they feel organizations 12). (Figure as low it 15% describe afurther moderate, is collaboration and communication say 54% –and while extent a great to communicate and collaborate managers (31%) risk a third their say than Less coordination. management risk their about complacent not are and danger the recognize through. get not will key messages that adanger is there organization, the of rest the and another one with effectively work management risk of elements different for responsibility communication. Unless those taking for strong collaboration and does increase the imperative responsibility for risk management the sharing but organizations, of number alarge for sense make 11). (Figure survey the in factor risk each for global local and both is mitigation say respondents the half than more level, aglobal at than level alocal at predominantly risks most manage organizations even (Figure 10). Similarly, while more (52%) pretty is unit business each by managed is risk of aproportion where those (48%) and centrally managed largely is risk say that organizations throughout the organization. risk confronting of imperative the with ”silos” avoid to need the balance to how about views different take operations. disparate with particularly in large global businesses down, top the from risk of details the all manage to possible not is also realizeorganizations it that years, recent in functions risk of standalone, centrally managed increasingly driven the development accountability.” of lines clear and organization the of levels senior the at resulting in not having good visibility approach, asiloed take compliance charged with individuals when is Against that backdrop, many survey this to respondents The will way this in Operating those between split The survey the in Respondents has concern this while However, AT A GLOBAL LEVEL? AT AGLOBAL MANAGE LOCALLY AND WHICH DO YOU MANAGE 11:FIGURE Managed at local level Anti-corruption / bribery 16% 52% 32% level global at Managed Anti-money laundering 16% 52% 32% WHICH OF THESE RISKS DO YOU DO RISKS THESE OF WHICH Competition / antitrust 18% 52% 30% Corporate governance / shareholder activism 20% 57% 23% Corporate social responsibility / supply chain 21% 55% 24% Cybersecurity 22% 57% 21% Both locally and globally Data privacy 21% 57% 22% Enforcement / investigations 17% 53% 30% Intellectual property 18% 54% 28% Regulation / compliance 16% 53% 31% Sanctions / export controls 16% 56% 28% Tax 16% 55% 29% GEOGRAPHIES? AND OPERATIONS ACROSS CREATE CONSISTENCY TO ORGANIZATION YOUR AT COMMUNICATE AND CFO) COLLABORATE OFFICER; DATA , COMPLIANCE CHIEF COUNSEL, (E.G., GENERAL MANAGERS RISK DO 12: WHAT TO EXTENT FIGURE to which they have access (Figure (Figure access have they which to risk about information amount of the with completely satisfied are sector their in investors that feel survey this to 6% respondents of Just area. this in do to work more is challenges. own its brings management risk to comes it when organization is outward-facing the ensuring However, investors. their crucially, and, peers their range of stakeholders, including abroad with work to required been increasingly have managers risk organizations, all for agenda the up risen has management risk As problems.” of lot a to lead can and manage to difficult are these issues; communication and understanding in differences to cost from ranging collaboration, to barriers many with struggle “We concedes: firm equity private aEuropean of counsel general The overcome organizational hurdles. to effort adeliberate require will 13). (Figure their organizations of profile management risk overall STAKEHOLDERS BROADER WITH WORKING To a great extent To agreat To extent alow extent To amoderate For many organizations, there However, achieving those gains MITIGATING EXPOSURE THROUGH COMPREHENSIVE RISK MANAGEMENT RISK COMPREHENSIVE THROUGH EXPOSURE MITIGATING 54% 15% 31% RISK PROFILE? RISK IMPROVE YOUR OVERALL MORE COLLABORATION WOULD 13:FIGURE business with itsshareholders.” the of interests the align us helped investor relations program has really our think –we openly more data risk shareholders closer and to share our our keep to hard really worked “We’ve American technology company says: aNorth of CFO the As made. be to gains are real there solutions, effective aware of our investment reasoning.” decisions, and shareholders are made our of outcomes the forecast and markets We evaluate value. deliver always and actions our of aware shareholders keep we as covered, well- have we that risk another is activism “Shareholder says: firm management York-based asset New this way. feel to likely more are managers asset –while 10 years past the over sector banking the in disclosure public and risk on focus regulatory the reflecting – perhaps satisfied as investors their describe to issues. Banks are marginally less likely these on ahead significantly industry single no with sectors, the across dissatisfied. investors are their (32%) concede athird to close disclosures, risk their happy with moderately least at are investors (63%) believe two-thirds 14, page 26). And while almost 13% Yes Still, for those able to develop develop to able those for Still, a of officer risk chief the Indeed, consistent are results the Broadly, 87% No DO YOU THINK THAT YOU THINK DO RISKY BUSINESS

23

RISK MITIGATION IS A GROUP EFFORT 24

In conversation with… RISKY BUSINESS MITIGATING EXPOSURE THROUGH COMPREHENSIVE RISK MANAGEMENT 25

PD Villareal Senior , Global Litigation, GSK

Q. WHAT ARE THE AREAS OF Q. HOW DOES GSK APPROACH in our different sites. We talk to RISK CURRENTLY CAUSING RISK ORGANIZATIONALLY? management about how they YOUR ORGANIZATION Bribery and corruption is a good would grade themselves in terms MOST CONCERN? case in point. When you’re doing of our values, and we ask the same For us, like many global enterprises, business in 125 or 130 countries question of the employees. Then one has to be concerned with the around the world, with lots of we write reports about it that go to challenge posed by bribery and different cultures, different levels the management team and to the corruption risks – whether it’s the of legal strength and different people above the management, at Foreign Corrupt Practices Act from types of commercial practices, the local management level. Fixing a US perspective, or the UK Bribery you’re never going to fully eliminate local problems, site by site, improves Act, or the many national laws that the risk, but we have significantly our risk posture and makes the are relevant. enhanced our ability to identify, company a better place to work. We believe we are managing respond to and remediate these well, but we must remain these issues. We’ve made Q. HOW DO YOU ENSURE AN vigilant. Competition and antitrust permanent additions to the global ENTERPRISE-WIDE CULTURE issues are perceived as a global risk infrastructure of our company that OF RISK MANAGEMENT? for multinational companies like us. aren’t about individual people, but The ultimate battleground is We spend a lot of effort making sure our whole corporate culture. people’s hearts and minds, not we are fully compliant. rules or organizational changes, And for the pharmaceutical Q. WHAT METRICS DO YOU USE so that’s where you have to go. industry, you would also have TO MEASURE RISK? But you do have to have a corporate to be blind not to understand Data analysis can be hugely useful as infrastructure that continually that we’ve got significant pricing another tool, but there isn’t a magic reinforces that this is the desired concerns being raised, especially, bullet to the process and no one behavior – that surrounds the but not only, in the US; this is thing is going to be the answer. But individual with the message beginning to manifest itself in quantitative analysis, for example, that there’s a proper way and an legal actions and investigations can help identify issues - anomalies, improper way of doing business, and political issues. say, in financial cash flows. and that only the proper way will One thing we do is town halls be tolerated and rewarded. And it with employees and management does still depend on leadership. RISK MITIGATION IS A GROUP EFFORT risk for organizations,” he warns. warns. he organizations,” for risk compliance greater even an creates a heightened enforcement regime, value-based healthcare, together with measures. performance-based methodologies for measuring certain understand and implement new to harder even work to having are organizations Beauvais, & Gray’s Ropes says industry, 16). that In (Figure three-quarters of respondents almost attracted have protocols some sciences, life in while protocols, sector’s their to subscribe example, higher. even are rates –subscription protocols certain for –and sectors some In responsibility. social corporate and management risk governance, corporate to relate that protocols industry to subscribe they say survey this in respondents the half than more price.” stock your in a drop causes that road the down issue an is there if areas in these robustness your up talking for trouble into run litigious jurisdiction, you may even a in –and risk and to compliance organization’s approach with respect credit for publicly talking about your much get don’t you States, United in certain markets, notably the “And Beauvais. &Gray’s Ropes says notice,” take and up sit them makes that news bad the be to tends it and satisfy, to audience a tough be can “Investors issue. this with grips to get to how with struggling standard. required the of is investors with communication ensure to done be to work of deal agreat is there communication, on lowest scores again which sector, minorities, in particularly the banking sizeable for –and improvement for room some least at is there communicator (Figure 15). agood as it describe just 4% while management, risk topic of the on communicator is a poor sector their believe respondents of investors. Twenty-nine percent their with effectively communicate to more do must they that 26 Many organizations recognize recognize organizations Many For example, “the convergence of of convergence “the example, For for managers, Two-thirds asset of peers, industry with work for As Many organizations are still organizations most for Clearly,

MANAGEMENT WITH INVESTORS/SHAREHOLDERS? RISK ABOUT COMMUNICATES INDUSTRY 15:FIGURE TO? ACCESS HAVE THEY RISK ON INFORMATION OF AMOUNT THE WITH SATISFIED ARE SECTOR YOUR IN SHAREHOLDERS 14:FIGURE 20% 40% 60% 80% 100% 20% 40% 60% 80% 100% Low communication satisfied Not Completely satisfied High communication High

Total Total HOW WELL DO YOU THINK YOUR YOUR YOU THINK DO WELL HOW DO YOU THINK INVESTORS/ YOU THINK DO Asset Asset Management Management

Banking Banking Moderate communication Moderately satisfied Life Sciences Life Sciences & Healthcare & Healthcare

Technology Technology

Other Other

Private Private Equity Equity MANAGEMENT? RISK ADDRESSING IN HELP PROTOCOLS INDUSTRY THAT THESE YOU THINK DO 16:FIGURE management strategies.” risk our we’re developing when useful really they’re and to adhere to companies for precedents set do protocols “These says: firm equity private aEuropean of counsel general The views. such share firms risk management. with help much offer don’t protocols such suggesting respectively 39% underwhelmed, with 40% and profess themselves particularly firms equity private and Banks low. as protocols these of usefulness the provided moderate help (Figure 16). have they 56% say afurther though extent, agreat to management risk address to help they say respondents of 10% Just management. risk their of effectiveness the helping organizations to improve in use limited only of be may 10% 56% 34% To a moderate extent To amoderate extent To agreat To extent alow Although, this is not to suggest all all suggest to not is this Although, (34%) describe athird over Just That said, these protocols protocols these said, That Total 20% 63% 17% Asset Management 40% 50% 10% TO WHAT EXTENT WHAT TO EXTENT Banking 60% 30% Life Sciences & 10% Healthcare 60% 30% 10%

Technology 49% 46% 5% Other 39% 55% 6% Private Equity FIGURE 17:FIGURE 07. 07. 06. 05. 04. 03. 02. 01. Asset Managers Asset Financial Transparency Reports (Sunshine Act) Physician (AMA) Association’s Medical American  (IFSWF) Santiago Principles Funds Wealth Sovereign of Forum International  FTSE4Good Index Series  The Equator Principles  Dow Jones Sustainability World Index  A Practical Guide Governance: Corporate Exchange’s Stock York New  Healthcare Professionals with Interactions on Code (PhRMA) America of Pharmaceutical Research and Manufacturers  TO WHICH INDUSTRY PROTOCOLS DO YOU SUBSCRIBE? YOU SUBSCRIBE? DO PROTOCOLS INDUSTRY WHICH TO 15 16 Banking 17 18 Life Sciences Life 19 13. 13. 12. 11. 10. 10. 09. 08. 14 13 20 & Venture Capital Association’s Walker Guidelines Walker Association’s Capital & Venture Private Equity Reporting Group / British Private Equity  Responsible Investing Responsible American Investment Council: Guidelines for  designation (AIMA) Chartered Alternative Investment Analyst Association’s Management Investment Alternative  The Private Equity Reporting Group’s Good Practice Practice Good Group’s Reporting Equity Private The  Pharmaceutical Manufacturers OIG Compliance Program Guidance for  Consumer Advertising PhRMA Guiding Principles on Direct to  12 21 Private Equity Private 11 22 60% 80% 40% 50% 30% 20% 70% 10% 10 (SELECT ALL THAT APPLY) ALL (SELECT MITIGATING EXPOSURE THROUGH COMPREHENSIVE RISK MANAGEMENT RISK COMPREHENSIVE THROUGH EXPOSURE MITIGATING Retail, Technology, Media and Telecom and Media Technology, Retail,

01 09 02 22. 22. 21. 20. 19. 18. 17. 16. 15. 14. 08 ILO Code of Practice in Safety and Health and Safety in Practice of Code ILO  Social Accountability International, SA Standard 8000  Labor Standards International (ILO) Organization’s Labor International  Electronic Industry Code of Conduct of Code Industry Electronic  Reporting Guide for Portfolio Companies Assessment Series (OHSAS) 18001 (OHSAS) Series Assessment Safety and Health Occupational Standard British  Invest Europe Code of Conduct of Code Europe Invest  OECD Guidelines for Multinational Enterprises  Ethical Trading Initiative  National Fire Protection Association  03 04 05 RISKY BUSINESS 07 06

27

RISK MITIGATION IS A GROUP EFFORT 28

In conversation with… RISKY BUSINESS MITIGATING EXPOSURE THROUGH COMPREHENSIVE RISK MANAGEMENT 29

Heather Mitchell Managing Director and Global General Counsel for Investments, The Carlyle Group

Q. HOW DOES Q. HOW DO YOU MEASURE RISK? In the run up to the EU CARLYLE APPROACH We conduct an annual risk survey referendum, we prepared for what RISK MANAGEMENT? at all levels within Carlyle to would happen if the Leave vote won On a daily basis, “tone from the top” assess and identify risks and their and the credit and equity markets comes first. Our founders recognize likelihood. We don’t take a checklist froze or dropped substantially. We the value of strong governance. approach. The culture that we’ve were able to close a deal on the Once that tone is set, you have to created is innovative, collaborative day of the referendum, knowing identify the risks, and estimate their and transparent. we had already done our risk likelihood and then their potential We have legal teams working assessment of the exposure, not impact on the business. on all of our deals. Our investment only to currency, but also to UK Risk awareness and committees look at each markets. We put in hedging and responsiveness are fundamental to investment, both on an individual other currency mitigation. We also our corporate culture. We’re doing basis and with a view to the rest had communications prepared for everything to make sure that our of the firm and each of the funds. our investors, as well as internal best practices are communicated Risk isn’t something reviewed in employees, to ensure that we throughout the organization. And isolation, it’s taken into account as immediately had open channels. we use that information not only to each deal moves forward and as anticipate and mitigate risk, but to each decision is made. take advantage of risks if they offer an opportunity. Q. WHAT DOES SUCCESSFUL We have a global risk RISK MANAGEMENT LOOK committee, and its role is to LIKE TO YOU? manage risk across the businesses The EU referendum in the UK and embed good practice. We also is a very good example of how have uniformity in our investment we manage potential global and committees. They identify and economic risks – although this could monitor risks consistently across apply to any catalyst for market Carlyle’s operations, to avoid shock. We have a snapshot of every problems associated with silos. deal, which shows everything from We try to take best practices from financing to the buy and sell side, so one area and apply it across the that we can pivot on a dime should investment organization. conditions warrant. THE FUTURE OF RISK MANAGEMENT 30 in years to come. answer, may the be perspective culture and aglobal now and to of risks? tide rising mitigate the Fostering acollaborative hope anyHow can scale organization aglobal on working The future of risk management 04 Section 43% 82% 69% their future needs needs future their meet to enough be will practices and policies management risk current their confident not are needs present their of all meet practices and policies management risk current their feel training is innovative management and assessment risk their say respondents of (43%) feel their current risk risk current (43%) their feel respondents of half than Fewer do. their training is innovative. say example, (82%), for quarters three- 19). than More (Figure risk of assessment and management their enhance to order in structure training and organizational technology, finance, as such areas say they are exploiting innovation in respondents of majority the survey, this In technologies. and tools organization. the of corner ensure this culture penetrates every to processes and structures build to management professionals will need Risk accident. by develop not supply chain. the of rest the example, for including, a broader range of stakeholders, mitigation and protection, along with in arole have they that conscious beyond; all employees must be throughout the organization and awareness risk of aculture create to need the stress professionals says Dowden. is by building relationships globally,” confront their organizations. that dangers the mitigate to possible everything doing are they confident be can industries, their across from peers their with and organization, the who collaborate with colleagues within those only alone: burden shoulder the increasingly coordinated.” become regulators as problem, aglobal become could problem local –a other each to talking all are bodies Indian regulators. Today, regulatory with speak they so India, in problem a have may amultinational example, For market. local a affecting issues individual on largely focused have companies 10 years, past the “Over Dowden. &Gray’s Ropes says tremendous convergence of risk,” higher. ever rise to likely is function management risk the of profile the evolving, rapidly and increasing is organizations global by faced now factors risk of seriousness and number the where aworld In However, there is more work to to work more is there However, new for arole be also will There does aculture such However, Many risk management risk that mitigate to way only “The Risk managers cannot be to going is there think “I (SELECT ALL THAT APPLY AND THE MOST IMPORTANT) MOST THAT THE APPLY ALL AND (SELECT RISK? MANAGING AND ASSESSING 19:FIGURE and those that will emerge in the future. in the emerge will that those and today – face they dangers the mitigate to effectively identify, quantify and are organizations if imperative all are structures management risk focused more and rigor process greater technologies, and tools new of use improved communication, innovative sharpened lines of responsibility, collaboration, Increased apriority. be now must work this but risk, of nature changing the with deal to improvement require constant monitoring and systems risk their recognize They warning signal for global organizations. on.” early issues identify to them enable to controls accounting internal robust of sets right the have to need Companies job. the of part and training will only accomplish “Policies says. she management,” risk strong of presence a palpable high-risk jurisdictions to generate to visits live with trainings on up following are they that sure making of also but programs, training and of establishing policies, procedures clients about the importance not only with talk “We approach: a holistic risk management culture requires astrong establishing that is Conry, consider their future needs. (31%) athird when respondents than less to drops proportion that 18). And meet all their present needs (Figure management policies and practices (special hardware or or hardware (special All that apply apply that All Technological 67% Those findings represent a a represent findings Those &Gray’s Ropes argues reality, The software) 31% IN WHICH WAYS WOULD YOU SAY THAT YOUR COMPANY IS INNOVATIVE IN IN INNOVATIVE WAYS IS YOU SAY THATCOMPANY WOULD YOUR WHICH IN

Most important (formalized processes processes (formalized 82% and/or workflow) Training MITIGATING EXPOSURE THROUGH COMPREHENSIVE RISK MANAGEMENT RISK COMPREHENSIVE THROUGH EXPOSURE MITIGATING 27%

43% NEEDS” FUTURE OUR OF ALL MEET TO NEEDS/LIKELY PRESENT OUR OF ALL MEET PRACTICES AND POLICIES 18:FIGURE 31% PRESENT NEEDS FUTURE NEEDS FUTURE True Not sure/false “OUR CURRENT RISK MANAGEMENT MANAGEMENT RISK CURRENT “OUR (formalized internal Organizational 67% collaboration or special roles) special 26%

RISKY BUSINESS (quantifying ongoing and potential costs of risk) of costs potential 66% Financial 16% 69% 57%

31

THE FUTURE OF RISK MANAGEMENT 32

In conversation with… RISKY BUSINESS MITIGATING EXPOSURE THROUGH COMPREHENSIVE RISK MANAGEMENT 33

Cynthia M. Patton Senior Vice President and Chief Compliance Officer, Amgen

Q. WHAT ARE THE AREAS OF Q. HOW DOES AMGEN Q. HOW DO YOU ENSURE AN RISK CURRENTLY CAUSING APPROACH RISK? ENTERPRISE-WIDE CULTURE OF YOUR ORGANIZATION We take an organizational approach RISK MANAGEMENT? MOST CONCERN? to risk. A cross-functional body We think in terms of lines of Current significant areas of is utilized to identify enterprise defense. The business is the first industry risk include privacy, risks, as well as how they are being line, monitoring is the second and cybersecurity and global mitigated and reported. auditing is third. We spend a good regulatory enforcement. For global deal of time educating the business companies, privacy is becoming Q. WHAT METRICS DO YOU USE about the regulatory landscape. much more important. Each TO MEASURE RISK? Someone from law, compliance country devises its own privacy We have calculations in the and finance is usually a member laws, some of which interconnect compliance organization to on all the leadership teams of and work together, and some of measure regional, country and our businesses so they can help which don’t. local risk, based upon a series the teams navigate the risks of Cybersecurity worries of questions posed to general particular activities. businesses more and more – and it managers and other relevant impacts privacy. If you are hacked, stakeholders. Once we determine there’s a chance that hackers will our residual risks, cross-functional access sensitive, private accounts teams led by compliance functions and essential intellectual property. define the measures we put in place As for the regulatory to mitigate those risks. environment, that area continues to evolve, in the US and globally. There was a time when you’d have a regulatory issue in one country and it would stay there, but regulatory enforcement agencies now talk to each other. An issue in the UK can morph into the US, China and then around the world. 34

About Ropes & Gray

Ropes & Gray is one of the world’s premier law firms, with more than 1,200 lawyers and legal professionals serving clients in major centers of business, finance, technology and government. The firm has offices in New York, Boston, Washington, D.C., Chicago, San Francisco, Silicon Valley, London, Hong Kong, Shanghai, Tokyo and Seoul, and has consistently been recognized for its leading practices in many areas, including private equity, M&A, finance, investment management, hedge funds, real estate, tax, life sciences, health care, intellectual property, business & securities litigation, government enforcement, privacy & cybersecurity and business restructuring.

About FT Remark

FT Remark produces bespoke research reports, surveying the thoughts and opinions of key audience segments and then using these to form the basis of multi-platform thought leadership campaigns. FT Remark research is carried out by Remark, an Acuris company, and is distributed to the Financial Times audience via FT.com and FT Live events.

For more information, please contact: Simon Elliott, Publisher FT Remark Tel: +44 (0)20 3741 1060 Email: [email protected]

Risk Mitigation and Management Contacts – James Dowden Co-coordinator, Anti-Corruption & International Risk [email protected] Ryan Rohlfsen Partner, Government Enforcement [email protected]

Ropes & Gray’s Risk Mitigation & Management model, a comprehensive suite of risk assessment and advisory services, offers an efficient, harmonized approach for mitigating complex risks. By evaluating risk across the entire enterprise, the model enables organizations to identify, monitor, and mitigate or eliminate risks across an organization, with a focus on anti-corruption and international risk, antitrust, corporate governance, health care, intellectual property, life sciences, privacy and cybersecurity, regulatory compliance, supply chain and corporate social responsibility, and tax. To discover potential risks, Ropes & Gray attorneys from the firm’s global practices interview key stakeholders throughout a company’s operations. The firm analyzes the responses to produce a visualization of risks in key areas, and then makes recommendations that enable management to improve compliance, open communication channels and implement procedures that effectively reduce risk across the organization. This new product expands upon the firm’s critically acclaimed Risk Matrix, recognized as a standout product by Financial Times Innovative Lawyers.