Thu, May 29, 2025

Known vs. Unknown Risks: The Role of the Enterprise Risk Retainer in Preparing for the Future

Preparing for risk is critical to ensuring organizational resilience, but what about the risks that can’t be planned for? Businesses frequently fall into the trap of strategizing only for known risks—those that are easily anticipated—while failing to recognize their blind spots in relation to unknown risk events. To counter this, an effective enterprise risk retainer allows businesses to maximize their response to both types of risks, and to do so at pace, by ensuring that the right expertise, support and breadth of resources are in place.

This article sets out types of known risks vs. those that are more challenging to anticipate, and outlines how an effective enterprise risk retainer enables greater resilience, even in response to acute unforeseen risk events.

Known Risk vs. Unknown Risk

“You don’t know what you don’t know” is an adage that applies as much to organizations as it does to people. In today’s volatile sociopolitical and cybersecurity landscape, not knowing what you don’t know can be a critical weakness. Yet businesses often underestimate the scope for the unexpected, staying within a risk planning and strategy “comfort zone” and leaving themselves vulnerable to the impact of an unforeseen risk event. Not knowing what they don’t know leads to a failure to plan beyond their inevitable risk blind spots, significantly undermining organizational resilience.

While known risks are those that organizations can prepare for to a certain extent, unknown risks are those they cannot. The impact of unanticipated threats has the potential to undermine even the most careful planning and forecasting. The ability to not just keep pace but to stay ahead of current and emerging threats means businesses must adjust how they view, plan for and respond to known and unknown risk events.

Known Risks

While easier to anticipate, known risks still present a complex array of threats that companies need to measure, manage and mitigate. Types of known risk events include:

  • Annual internal audits of compliance with security and data protection laws
  • The introduction of new regulations, often with years to prepare
  • Media announcements about cyber attacks
  • Lists of common vulnerabilities and exposures (CVEs) published online
  • Updates made to enterprise applications over the weekend or out of hours

Unknown Risks

The biggest risks are usually those that can’t be predicted in terms of scale and impact. This lack of insight then feeds into the ongoing consequences of an unexpected event because an effective response strategy plan is not in place. Types of unknown risks include:

  • Disputes and legal battles, such as executives committing fraud, acquiring a company with falsified intellectual property, and insider data leakage
  • Physical/operational disruption, such as power outages, workplace violence and unauthorized access
  • Sophisticated cyberattacks, such as living-off-the-land attacks that go unnoticed, or attacks on artificial intelligence (AI) vulnerabilities, cryptocurrency or operational technology
  • Regulatory changes, such as the announcement of new SEC examination priorities; the Network and Information Systems Directive 2 (NIS2) being introduced as an evolution of the original NIS Directive; the European Union AI Act; and the announcement of federal AI standards in the U.S.
  • Online chatter and brand misuse (e.g., fake news campaigns and social media impersonation)
  • Threats to executives, such as assassination attempts and cyber threats (e.g., ransomware, business email compromise and social engineering)
  • Whistleblower complaints, especially those alleging misconduct by executives or senior leaders
  • Insider threats (i.e., an internal bad actor compromising confidential information or committing economic espionage)
  • Proxy contests or short attacks that impact publicly traded companies
  • Sudden changes in business partner/supply chain risk profiles
  • Intellectual property and trademark infringement, counterfeit products or brand impersonation

Navigating Known and Unknown Risks with a Retainer

Given the nature of the unknown and the many types of enterprise risks that cannot be anticipated, is it possible for organizations to preempt these and reduce potential impact on their business? It is, with an enterprise risk retainer that is flexible, responsive and expert-led. However, achieving a level of preparedness to address both the known and unknown depends on the nature of the retainer. To enable this, an enterprise risk retainer must offer increased and assured:

Flexibility

The very nature of unknown risk means that fixed parameters for a retainer become a limitation rather than an advantage in a critical situation. Conversely, being able to flex in an unexpected scenario actively supports the ability to adapt, enhancing organizational resilience. Organizations can plan for and respond to acute enterprise risks more quickly and effectively when they can use retainer credits for different types of risk management services across cybersecurity, financial crime, regulatory compliance, physical security, AI governance, due diligence services and more. A retainer that is truly flexible in terms of what organizations can access exactly when needed ensures that a business can move faster and with more assurance—even in the face of the most unexpected type of risk event.

Another advantage is that organizations can reach out when they require additional cover in unexpected circumstances—for example, when they have an intensive workstream or unexpected gaps in their resources due to illness or resignations. Because the organization delivering the retainer already knows the company, it can quickly pick up the strands of work the company needs help with, in accordance with the client’s risk appetite, until the intensity subsides.

Case Study: Kroll Corporate Compliance Advisory was retained to provide corporate compliance advice on sanctions and compliance risks raised by a Swiss client following their purchase of the Kroll Compliance Portal due diligence tool. The client required advice on opportunities across new distribution jurisdictions, and on controls and options when high-risk relationships were uncovered by the tool. The Corporate Compliance Advisory service allowed the client to ask ad hoc questions whenever an issue arose and helped define practical next steps for their strategy, legal and compliance teams to consider.

Speed of Response

With information free-flowing around the world, bad news travels faster than ever. In this context, time is not only money but reputation. A fast response time ensures enhanced management of even the most unexpected risk event, containing the issue itself and more effectively managing the public response to it.

Having an effective retainer in place enables an organization to move swiftly and decisively instead of scrambling to get the right support in place when internal resources are already overextended by an incident. It also removes the challenge of having to undertake lengthy and expensive recruitment of in-house specialists to deal with the risk event. A retainer that encompasses all facets of organizational risk and is supported with robust service level agreements can remove the delays caused by navigating multiple contracts or negotiating ad hoc specialist support during a rapidly unfolding event.


Company Insight: “As a Cyber Risk Retainer client, we have appreciated Kroll’s expedited response for potentially critical issues. Their subject matter expertise allowed us to contain a situation prior to it developing into a significant issue.”

– Option Care Health


Risk Mitigation Expertise

Responding effectively to unexpected risk events is key to organizational resilience. However, being unable to anticipate the nature of this type of event means that an organization cannot gather all the resources and expertise required ahead of time. Because it’s not always easy to access the high standard of expertise needed on short notice, another risk is having to rely on inadequate support in a critical situation. An effective retainer can address these issues by making sure an organization has access to the highest standard of expertise before any type of risk event takes place, ensuring the best level of response when it is needed most.

Case Study: Kroll provided compliance assurance for a U.S.-listed media tech company as part of their retainer through a significant (more than $700 million) M&A. The client was divesting tens of business units worldwide across four transactions. Through our deep knowledge of the seller and divesting entities, Kroll provided compliance advisory oversight to the transaction, including helping populate the data rooms, providing reps and warranties oversight, assisting in answering buyer and regulator questions, negotiating compliance software and services transition, and advising on regulatory requirements impacted by the sales.

Scale of Response

The nature of risk events means they don’t have set parameters, with their impact often extending far beyond cybersecurity. As a result, response not only has to be large scale but also capable of spanning many business disciplines. Having separate agreements and contracts with different service providers is challenging to budget for, meaning that delivery may be slowed—or even stalled—at a critical time.

Rather than being limited to an agreement that covers cyber incident response alone, an effective enterprise risk retainer should already have agreements in place to enable access to other areas of enterprise risk, such as legal, fraud and physical security, ensuring fast response to all aspects of a risk event.


Company Insight: “Kroll’s Cyber Risk Retainer program gave us the flexibility to utilize our retainer credits to help us accomplish some of our IT security goals during the year while having the peace of mind that we had a Tier 1 partner to quickly respond if we had some type of cyber incident.”

– NetScout Systems, Inc.


Prepare for the Known and the Unknown with Kroll’s Enterprise Risk Retainer

Kroll’s Enterprise Risk Retainer enables organizations to better prepare for and respond to known and unknown risk events. By consolidating risk management needs into a single, flexible retainer agreement, organizations can move faster, budget smarter, and respond effectively.

An Enterprise Risk Retainer with Kroll provides the following benefits:

  • A pre-negotiated agreement to rapidly access a wide range of risk advisory expertise as needed
  • The ability to apply 100% of service credits towards any enterprise risk management services across cybersecurity, physical security, regulatory compliance, financial crime, AI governance, data privacy, M&A due diligence, background investigations, and more
  • Rapid incident response service levels by default
  • Exclusive cyber threat intelligence briefings and reporting drawn from the thousands of incident response cases Kroll handles each year
