Legal and compliance leaders at US companies are facing increasing pressure as strong political, social and economic headwinds persist and companies become more vulnerable to an array of threats and risks.
In 2022, 34 percent of American companies received or investigated between two and five threats per week, compared with 14 percent of firms in 2021. Four percent of companies recorded more than six threats per week, while the number of companies dealing with fewer than one weekly threat fell to 19 percent from 24 percent last year.
This is according to the 2022 Mid-Year Outlook State of Protective Intelligence Report from Ontic, which surveyed 400 executives responsible for protecting businesses from physical and non-physical threats across four different departments at US firms.
The report points out that US companies are on track to miss up to half of the threats in the next six months predominantly due to a lack of data sharing and poor communication.
‘One of the biggest reasons companies miss threats is because of data silos and companies operating off multiple disparate point solutions instead of a holistic platform,’ says Chuck Randolph, vice president of security and intelligence at Ontic, in an interview with Corporate Secretary.
‘When data lives in silos, it forces departments to work in silos and sets an unconscious tone for work culture. Unsynchronized risk mitigation is ineffective and will lead to vulnerabilities and gaps within an organization. In addition to data collection, organizations are dealing with siloed tools and disconnected systems that prohibit all parties from having a unified view of the threat landscape.’
Who does what?
Companies face internal fundamental problems such as the confusion around who within the business is responsible for threat assessment and management. When it comes to legal and compliance departments, nearly 50 percent of those surveyed say their department is responsible for it, compared with 43 percent who think they should be responsible.
The picture gets more fragmented when looking at the 16 percent of legal and compliance executives who say that at their company, threat assessment lies with the physical and corporate security team.
Randolph points out that cross-departmental teamwork is paramount to avoid overlooking threats. ‘Another reason for missed threats has to do with communications and accountability,’ he says. ‘Confusion about what policies and practices are in place at a company is common. When everyone is not working from the same playbook, viewing the same data and receiving the same information, potential risks and threats will be overlooked.’
Furthermore, the report shows that 65 percent of respondents agree their firm downplays risk to emulate a safe environment. And when it comes to communicating risk factors to the investor community, the data shows that nearly 60 percent of legal and compliance leaders at public companies agree that risk factors in their company’s public SEC filings – such as the 10K form – ‘barely skim the surface’ of the scope and volume of security threats they face.
Interestingly, 73 percent say only recently their company started to include security threats in its public filings, while 62 percent reveal their company does not include them at all.
Missed threats have repercussions. The Ontic report shows that 47 percent of legal and compliance executives who missed threats in 2022 were warned by management of potential ‘severe ramifications to their role’ if threats continued to be missed.
What to do?
Randolph highlights six principles for legal and compliance teams to consider to mitigate risks of exposure and maximize their chances to address the threat in time:
● Conduct background checks as part of the hiring process to mitigate risk, including the potential for property theft and workplace violence
● Have clear policies and plans for keeping employees safe when they are performing work at home, in the office or while on company-related travel
● Conduct a behavioral threat assessment – or use an external expert to do so – before terminating a potentially violent employee
● Have a process for notifying physical security: IT/cyber-security, human resources, legal and compliance teams when a potentially violent employee has been dismissed
● Conduct workplace violence/threat assessments and implement security measures at work sites to mitigate liability for workplace violence
● Keep employees safe by having workplace violence insurance to cover expenses incurred from incidents. This includes the cost of hiring protective and public relations consultants, survivors’ death benefits and business interruption costs.
‘A substantial percentage of threats that disrupted business continuity or resulted in harm or death at companies in 2022 could have been avoided if all functions surveyed shared common operating information, language, and picture,’ Randolph adds.
‘Clarity around roles and responsibilities, communications, collaboration, processes and reporting and special training to address volatile situations is essential.’
