One business strategy: three different responses to risk

This example represents the actions a company that “thinks differently” about risk would apply. The responses, impacts and events are based on actual experiences with our clients.

A large consumer products company plans to make significant investments in social, mobile and digital platforms to improve its marketing and sales channels as well as its ability to bring products to market faster. Recognizing the importance of digital technology to its growth and brand, management is willing to accept a moderate level of risk. As part of developing its business plans, management identified several risks that could impact its investment in digital technology and developed three different responses (Advance, Optimize, Embed) to each of them.

Strategic risk
ROI is heavily dependent on bringing the platforms to market quickly to increase market share and brand awareness.

Advance
• Management needs to act quickly, but does not intend to compromise quality or cost; it develops a plan to continuously review the project to make sure the expected benefits and ROI are realized.

Optimize
• Management tasks the second and third lines of defense with reviewing the project at its initiation.
• Management identifies and embeds experts within the lines of defense to help predict potential risks prior to the start of the project.
• The second and third lines of defense will work with the first line to understand the project structure, governance and execution plan. In addition, once the project starts, the second line will work with the third line to perform periodic assessments and benefits monitoring.

Embed
• The second line of defense conducts interviews with the project team and leverages predictive analytics to identify potential risks. Several risks are identified in the project’s execution and governance structure that would negatively impact the achievement of critical milestones.
• The second line works with the first line to take remediation steps.
• Going forward, the second and third lines work together to proactively identify risks before they arise, helping the company achieve its expected benefits within the desired timeline.

Preventable risk
Legal and regulatory requirements governing digital marketing and sales channels (e.g., Federal Communications Commission (FCC) rules) need to be addressed to avoid incurring fines or undergoing regulatory scrutiny, especially given the company’s desire to improve its brand recognition.

Advance
• Management should implement controls to incorporate the new requirements into its existing risk and controls framework.

Optimize
• Management tasks the second and third lines of defense with consulting on and assessing the first line’s changes to the company’s internal controls.
• Lacking risk and compliance talent in this space, the company hires digital subject-matter resources within both lines to provide expertise and guidance.

Embed
• The second line of defense works directly with the first to enhance the company’s internal controls to address the new risks. However, rather than simply increasing the complexity of the control environment, they optimize the controls framework by leveraging automated, preventive controls or controls that already exist.
• The third line helps assess the design and operating effectiveness of the controls before they are fully implemented. The internal control environment is updated to address the new requirements and optimized to prevent the related risks.

External risk
Competitors are exploring similar digital platforms and avenues that could severely hinder the company’s efforts to enter the space.

Advance
• Management needs to understand the potential impact of competitor actions and determine how best to limit it; it develops a strategy to conduct a series of “wargames” to assess and respond to potential moves by competitors.

Optimize
• Management tasks its second line of defense with facilitating the exercises, with participation from the first line.
• The third line is responsible for providing independent feedback and challenging the scenarios developed, based on emerging trends.
• The resources selected to participate understand the business and have backgrounds in marketing and technology. They divide into smaller teams on a quarterly basis, develop viable competitor scenarios and report their findings to management.

Embed
• The combined team convenes quarterly and conducts wargames, identifying potential competitor actions. Each action is vetted, and the most realistic are compiled by the second line of defense and shared with executive management.
• Management reviews the team’s findings, adapting its strategy and level of investment as appropriate, helping to maximize ROI.

Global Governance, Risk and Compliance Survey 2015 - Page 12