An Interview with Juan Muñoz: Analysing the risk environment for Spanish companies

18/12/2018

The following interview was published in the September 2018 edition of the AIG Spain Newsletter.

Since 2011, NYA has been retained by AIG to respond on a number of special risk and crisis management policies. The combined crisis management model and methodology adopted by AIG and NYA are very different from other companies existing in the market.

Juan Muñoz (CPP CSMP CSyP MBA) has been a part of NYA as a senior consultant since 2013 and is responsible for cases in Spain or involving Spanish clients globally. Juan has over 35 years’ experience in corporate security and more than 20 years’ in crisis management in Europe, Latin America, the Middle East and North Africa. We discussed with him the current risks facing Spanish companies.

What is the current risk environment that Spanish companies face when operating abroad?

In general, it is complicated and can become extremely complex in regions where a large number of Spanish companies focus on, including Latin America, the Middle East and North Africa. In recent years, international operations have become critically important to the performance of these companies and, by extension, for Spain. We are talking about an average of 60-80% of total income. The importance of international operations is likely to continue growing over the coming years.

According to recently published information, Spain aims to win EUR650 billion in infrastructure contracts (roads, transport, concessions, lines, power plants, etc.) by 2027, emphasising the experience of Spanish companies and their access to technology. Since 2013, the number of bids has increased by 43%. However, the environment of globalisation is very different from the local or even regional level and entails many more threats and security risks.

According to Robert S. Kaplan from the Harvard Business School, risks – including those related to security – can be classified into three groups. First, preventable risks, which are generated within the organisation and should be controlled, minimised and eliminated. Second, strategic risks – those that companies accept in order to generate higher returns. For example, operating in certain regions of the world where security conditions are challenging. These risks are very different from preventable ones, because they are not inherently unwanted and therefore cannot be handled in the same way. Finally, there are external risks that arise outside of the company’s jurisdiction and influence. This includes natural disasters and political risks, for example, but also terrorism or organised crime. These also require a different approach, and it is necessary for management teams to quickly identify those to minimise their impact. However, some traditional risks, such as terrorism, organised crime and violent crime, which evolve and can change quickly, are actually included in all three groups. Additionally, some of these are now combined with new risks such as cybercrime, corruption, political risk, etc. All these risks form a complex, changing, volatile, uncertain environment: the so-called VUCA (Volatility, Uncertainty, Complexity and Ambiguity) environment.

How does this scenario affect risk management in companies?

It directly affects them because of the locations the companies operate in – Mexico, Brazil and Colombia, but also in Saudi Arabia (where two of the largest infrastructure projects in the world are led by Spanish companies), Algeria, South Africa or Nigeria, and even in Pakistan, India, Bangladesh or other countries, where existing security and logistical problems coincide.

The scenario is also linked to corporate responsibility and good governance as well as good practices, including those derived from the duty of care. In this regard, the regulatory pressure is not limited. We are talking about a potential scenario with thousands of expatriates, many with families, tens of thousands of frequent travellers and hundreds of large projects in complex or isolated environments that require effective and reasonable protection. This represents an important responsibility for organisations.

According to a recent report, the number of expatriates worldwide has grown by 25% in the last decade, and it is predicted that it will have grown by 50% by 2020. In addition, we must take into account that, according to a recent survey, travel risk management falls under the responsibility of the corresponding security departments in nearly 70% of organisations, and only 20% depend on the corporate travel department. In 62% of cases, the importance of this function within the organisation had increased when compared to previously.

Obviously, this procedure carries higher costs and entails a different and formal management structure. Let’s not forget that companies operating in global markets are permanently exposed to incidents or crises of a different nature that require preparation and an adequate and immediate response. Security has evolved from providing protection to physical assets to also include intangible assets. Now it could become an element of added value in operations of companies, which is not always easy to explain and visualise, and also represents a radical change from the current model. Corporate security at a professional level has not only gone through an impressive evolution, but an almost complete transformation in comparison to models used just a decade ago.

Is the Duty of Care a valid management reference? 

Absolutely. The Duty of Care – closely linked to Corporate Social Responsibility and now as outstanding regulatory compliance – represents the financial, legal and moral obligation of a company to protect its workers, regardless of where they are, while working for the company both inside and outside of the usual geographical work environment.

The Duty of Protection, which is the strategic and operational objective that must be attained, is achieved through the development and application of travel risk management programs and crisis management. A comprehensive travel risk management program is usually made up of five elements (of which only one is reactive, the others are preventive), seven phases and ten critical indicators. These include policies and procedures, resources, training and tools, as well as intelligence and a robust risk assessment. It also includes the capability to respond immediately to any incident that affects an employee. We are talking about permanent processes, policies, and business culture, not just responses limited to specific actions.

What is the importance of crisis management insurance in these new models?

In my opinion, it is very important for different reasons. The first is the obvious reason of liability and good corporate governance. The second is the operational need, given the complexity and difficulty of managing this type of incident experienced in the coverage of the policy, if any of them should materialise. I would like to take this opportunity to emphasise the value of the response consultants and dismantle prejudices and presumptions that exist about them and about the different phases managing these types of incidents and also about their roles and responsibilities. The third reason is that these types of risks are, by definition, the most appropriate to insure: as they have a low probability of occurring (although this varies substantially depending on the region) but can have significant consequences in human, economic, operational and reputational terms. Finally, crisis management insurance is an essential element in several of the critical phases and indicators mentioned earlier, for example, in policies and planning, training and response, and even risk identification. It is possible that stakeholders might be forgiving of an organisation which fails to identify a risk (there is no doubt that the demonstration of this fact is in itself complex), but they would never be with one that has failed to respond effectively and as quickly as possible to an incident or crisis to minimise and limit its impact.

What is the role of the response consultants in crisis management insurance?

This type of crisis management policy is very much an integrated insurance service, therefore, as consultants are the ones responsible for responding, their role is critical. It can be said that these insurances have three essential components. First are the conditions, which can vary between different insurers and even change in relatively short periods of time. The second is the solvency of the insurance company that underwrites the risk. This factor is decisive, not only in terms of finance, but also in terms of experience in the transfer of this type of risk, the management of this type of claims and in the collaboration and work experience with response consultants. In this sense, AIG is an indisputable alternative.

The third component, and by no means the least important, is the accumulated and aggregated experience, knowledge and direct geographic coverage of the consultancy associated with the insurer in this type of insurance. For many clients, this is the key appeal of the consultancy, due to the nature of this insurance and the type of incidents it covers: kidnap for ransom, extortion, etc. The consultants are critical. We are talking about two main organisations that have accumulated several thousand cases’ worth of experience, and they are also very important in prevention through the provision of pre-incident training.

What is NYA’s experience in this type of consulting activity?

NYA is a global risk management and crisis response consultancy that has almost 30 years of experience and is one of the market leaders in this domain. It is a highly reputable consultancy with a large international footprint.

In the last five years, NYA has managed almost 500 insured cases of different nature, and we hope that our partnership with AIG continues for a long time to come. This accumulated experience represents an invaluable asset available to clients when managing crises.

Apart from the management structure and support (24/7/365 control and operations centre), located in London, NYA has offices in New York for the Americas and in Singapore for Asia, and has one of the largest response team of consultants in the industry, with an unparalleled individual and collective accumulated experience.

NYA is a diverse, multicultural and multinational organisation, with consultants permanently deployed to 14 strategic locations around the world giving them a sound degree of cultural and local knowledge. The two teams of consultants – prevention and response – operate jointly and sometimes integrally. NYA also has a Spanish consultant on its team, which we believe is unique in the industry. Namely these two factors taken together – multinational team with 14 nationalities and local deployment – represent an operative element that customers value as key to the selection of crisis management insurance.

Further, NYA exercises a wide and consolidated practice in SRM consultancy and crisis management, developed and practiced on a global level using NYA’s own methodology, grounded in industry best practice. In addition, we specialize in travel risk management and support for sensitive operations, such as cyber security. We have consolidated operations in these areas and they continue to progress quickly.

Both AIG and NYA maintain a common strategy. On the one hand, centralisation of management and decision; and, on the other, deployment and local action, and it cannot be otherwise in a global world like the present one.

NYA provides practical advice and training to help you build your crisis management capability

Find out more