Since the pandemic, there has been a big demand for private equity firms to have risk assessed across their entire portfolio. To ensure proper security programs are in place across portfolio companies, private equity firms bring in Kroll to provide services such as vulnerability assessments and advise on best practices and master plans.
Firms have varied portfolios, and they want to better understand what their risk profiles are and ensure they don't have any liabilities because of disparate systems across their different portfolio holdings.
Today's guest is John Friedlander, who works out of Kroll’s Austin, Texas office, and is specialized in assessments done for our private equity firm clients.
Passages from the Episode
Portfolio Risk Assessments
“How do you perform portfolio assessments, and what are some of the issues that Kroll has to tackle to make sure that we were able to do this in an efficient and successful manner?” – Jeff Kernohan
“The great news is private equity clients are innately aware and informed of risk management principles. They get it, they get it as a strategy and as a practice, and they understand what it means to offset risk. The new component here, to my eye, is bringing in a security consultant to help manage risk exposures in independent or individual verticals. We have a private equity client that has exceptionally diverse holdings, as is common in this sector. They have retail, they have healthcare, construction and other holdings. Each of these have unique risk exposures, and certainly, if we look at healthcare alone, the nature of the duty of care there is considerably different than other holdings in this client's portfolio. Our job is to create a standardized level of attention for them to be able to assess, manage and mitigate individual risk exposures in their various verticals.” – John Friedlander
“That’s what makes it interesting when you're trying to do a, we'll call it, an apples-to-apples comparison of risk and what they've actually implemented as countermeasures between a medical clinic, with HIPAA requirements and everything that comes along with that, to essentially someone that makes tires. It's a very large difference when we're looking at what we're going to implement and what we want to actually assess.
What private equity firms really want to know is, “Where are our biggest risks and where do we need to actually perform some level of countermeasure work to make sure that we have a program across all of our portfolio that is commensurate with the risks that we face?”. That's where it gets very interesting in some of these cases, is that we have not seen a lot of the private equity firms bring us entire portfolios. We largely look at a representative sampling of some of their portfolio companies; we go look at a few other facilities of each of the companies and extrapolate from there on what their real issues are and what they need to do to protect themselves. Typically, historically, a private equity firm might bring us one of their companies that have particular risk they want us to look at. Today, they really want to have a better understanding of their overall holdings-wide risk level. It makes a lot of sense and it makes firms much better prepared to spend the money they need to, to protect all of these entities. It also limits some of their liabilities if they have great discrepancies from one to the next. What it really comes down to is they open themselves up to some issues there.” – Jeff Kernohan
Common Themes in Portfolio Security Risk Management
“What are you seeing as the big-ticket items that really the private equity firms are looking for today in their security risk management work?” – Jeff Kernohan
“It comes down to what the risk exposure is in the various holdings. Our practice is to apply the comprehensive nature of corporate security, corporate security standards and guidelines. We can adapt those to the various verticals that we see. For instance, are there prevailing policies, procedures and guidelines that inform the staff how to operate, whether that's from opening and closing to incident management, to other prevailing concerns that might be based on legacy incidents or foreseeable concerns.” – John Friedlander
“We also try to dovetail their individual efforts at various locations, making sure that whatever the individual vertical is that we offer consistency in terms of what risk levels we're evaluating and what mitigating controls we're inserting, so that at a corporate or ownership level, we don't have widely diverse standards and obligations that require different types of implementation, different types of management, different types of accountability. We want consistency, simplicity, if possible, and that's in singular mitigating controls, the nature of incident management, but also, equally importantly for us is that the individual companies that are held under the umbrella of private equity are able to report incidents or exposures so that they can be acted on at an executive level and acknowledged in the event of future concerns relating to claims of negligence or active litigation, that there is a reporting structure and a response mechanism to help mitigate those exposures.” – John Friedlander
“We are able to provide large holding companies with a company standard, wherever that may be, and we're also able to explain best practices we have seen when we were in the field that certainly can be used across other companies. We've seen that range in everything from protection on forklifts, to make sure that they're not using damaged equipment, all the way to how they're conducting their COVID-19 protocols. That’s a benefit that a lot of firms are getting that they did not foresee when they came into the project, was they were able to see that some of their companies have come up with some fantastic ideas that can be extrapolated across all of them.” – Jeff Kernohan
Security Programmatic Elements
“How do private equity firms put together their programmatic elements? How are they tracking their risk levels? How are they doing threat management when threats arise at one of their businesses? Are they sharing it across businesses? And really, how are they making sure that their emergency and incident management, which is a big part of what we're doing with these engagements, are all proper and extrapolated across all of their entities so that everybody's playing on the same game here when they're doing their protection of their properties?” – Jeff Kernohan
“We would categorize this as foreseeability, and that may vary by region or by a specific site or type of business. There's always a set of known risk exposures, and that can range from criminal activity if particularly a company or business unit has certain assets that appeal to potential offenders. It can also include competitive intelligence or other actions by adversaries. The other part of threatened risk exposure is knowing what the setting they're in holds for them. It might not be so much criminal as potential interruptions from severe weather or flooding or incidents that affect neighboring or adjacent companies or structures.” – John Friedlander
“In terms of threat management, emergency management and incident management, training of staff and training of leadership is absolutely critical. This helps individuals become aware of what they might face in a given day, in terms of potential interruptions or adversarial concerns. Training at an executive level and at a staff support level also allows for practice in decision-making under duress and decision-making under less than optimal conditions—whether that be a power outage, a communication interruption, or an emerging incident or active violence at a specific site.” – John Friedlander
“One of the things that I've noted, finishing up a couple of these large private equity portfolio reviews, is that the end result a lot of firms have a prioritized list of their largest vulnerabilities. One of the things that we do right when we walk in and we do our kickoff meeting is we find out what equipment, software, whatever they're using is mission critical to the facility's operation, what backup plans they have, if they don't have that piece of equipment, if they don't have redundancy for that piece of equipment, whatever it may be. We're finding a lot of the private equity firms might understand what their business is and how they're running their business, but they might not understand some of these single point of failures on the security side and on the business continuity side. When firms understand, if we're going to make an investment in all of our continuity of operations here, we need to make sure we have either the ability to back up this equipment that is our single point of failure or we have the ability to bring in some other version or operate out of one of our other facilities to make this happen.” – Jeff Kernohan
“When it comes down to some of the other big takeaways, are there any interesting findings that you've had in your reviews?” – Jeff Kernohan
“I think, a testament to our client base in this sector is that they have an appetite for looking both at a granular level and at a more macro level at these exposures. The primary dividend when we conduct security assessments and evaluations of business units or lines of business is you imbue the staff with a sense of confidence that their facility has been reviewed, that their corporate ownership pays attention and cares about them on a safety and security level, but also security enhancements can often lead to lower insurance costs. They can lead to a minimization of claims of negligence and they provide very, very good justification in the event of litigation or other claims against the company.” – John Friedlander
“That's always the case with doing the risk assessment. I think in this particular case with the private equity firms, they compile so many different companies that they are seeing a dramatic benefit when it really comes down to some of that limitation of liability and some of the minimization of risk across a portfolio that we historically have not seen them taking active steps to make sure that they had that in place. We're glad to see that happening, and I think we'll probably see a lot more of it because it makes sense on many levels, and it really does nothing but benefit the private equity group to make sure that their investments are protected and their investments are not a risk.” – Jeff Kernohan
“Kroll is good at conducting security assessments, and what we often find is that companies that have an appetite for the work product that we deliver will implement our recommendations, but it's prudent to revisit. What was applicable in 2016 or 2017 may no longer be applicable four, five, six years later, especially with the advent of pandemic concerns, other prevailing business concerns, and at times, not every recommendation has been implemented. It may be scheduled, but it may not yet be there. Whenever possible, to revisit a facility or an operation, and some of those can be conducted remotely if there haven't been significant changes in the physical layout or the constitution of a workforce or the occupancy characteristics of the building.” – John Friedlander
“When we obtain the endorsement of senior leadership, when we are endorsed by senior leadership for these initiatives, it carries a lot more weight at the local individual sites that we visit. It's as though there is a significant buy-in and direction to understand the nature of their business, their operations, but also their risk exposures. This can be as simple as after-dark lighting conditions in the parking lot, or the chronic failure of a lock on a door that leads someone to feel insecure, or to a much larger level, a resilience issue or an integration issue that creates the need for exceptions in daily operations that cause vulnerabilities.” – John Friedlander
Once a private equity firm has the ability to monitor and manage information from their holdings at more granular levels, particularly in functions that might not normally have reported up to them from all their diverse holdings, they can track and analyze trends that might lead to business operation interruptions or harm against individuals, things that might never have been able to be tracked or analyzed previously. This can go across all sectors of their holdings, whether it be a movie theater, a construction site, a healthcare facility or a food processing plant.” – John Friedlander
Talk to a Kroll Expert
Kroll is ready to help, 24/7. Use the links on this page to explore our services further or speak to a Kroll security risk management expert today via our contact page.