CEO’s All Sectors: A Few Thoughts on Lowering Risk…

For this week’s Guest Post Friday at Construction Law Musings, I am happy to welcome Greg George.  Greg (@gtiadvisors on Twitter) is managing partner of GTI Advisors Threat Management Practice Group. A senior advisor to executives, business owners, private equity investors, M&A teams and transaction lawyers, Greg provides guidance on matters of enhanced due diligence research, threat analysis, actionable intelligence, fraud avoidance, and espionage realities. Greg can be contacted directly at 734-527-9168 or greg@gti-advisors.com

After a recent two-week road trip presenting a few seminars and speaking engagements, I began receiving inquires from participants asking me to expand on various issues and subject matter content that was presented and discussed – we always get a rockin Q&A session rolling afterward and Always run out of time… so

I thought I’d pull together a collective balance of topic examples presented, illustrations and suggestions to questions asked as a blended theme for this short article –

Qualified Legal Counsel Is Worth Every Penny

Don’t skimp when it comes to the quality and expertise of legal counsel.  Get referrals, check references, and choose your counsel from among those at the top of their game who have a specialized practice in the areas you seek – such as private equity placements, assistance with negotiations, trademark, copyright, IP protection, and so on.  It may be more costly up front; however you will never regret it.

IMPORTANT: Never allow your attorney to make business decisions for you—ever.  We have experienced far too many ill-advised business situations with clients who have said, “Well, the lawyer told me . . . .”  Lawyers are not trained to make business decisions; they are trained to advise you of the law and how to best protect what you are doing.  Use your attorney as an advisor just as you would an accountant, engineer, Wartime Consigliore, or other professional.

Ask the following types of questions:

• If I do X, am I violating any laws?
• Is there a potential for criminal liability from this offshore matter? Will anyone go to jail..?
• What do you estimate it will cost to litigate this?
• If we find any of our sensitive information is compromised and take action, will the courts protect our trade secrets?
• Are our policies adequate to protect the company against a compliance issue or an investigation into employee misconduct?
• What additional language should be included in contracts with this new offshore vendor?  Can these contracts be enforced under Treaty?  What costs will be involved?
• Are there advantages to filing the action in this state or should I consider another?
• I know I’m on the edge here; will case law support my decision?
• Can you argue my case effectively?  (If he or she cannot or you have any doubts, fire ‘em, and find one who can – call me, I’ll help with your search).

It is your responsibility at the senior executive level to assess the risk and make the judgment call on all business matters, no one else.

The CEO’s Prime Directive

As the CEO, your prime directive is to protect the company, your customers and your shareholders.  While competitors and foreign governments continue to seek out and steal intellectual property, these same activities can also bring windfalls to cyber criminals targeting your IP (hackers for hire) banking and other activities.

Additionally, lack of transparency during negotiations can place a company equally at risk if the CEO and their advisors cannot recognize warning signs regarding internal threats or lack a true vetting process for key hires, suppliers, joint ventures or new partners.

It is not difficult to prevent the dark side from easing in to your operation.  Developing the right plan, together with a few simple, cost-effective policies and practices can save much aggravation, time, embarrassment, and financial loss later. 

Use Due Diligence Basics

• Vet all vendors and contractors and mandate the same in your contracts for their employees, subcontractors and/or substitutes.
• Routinely check the Patriot Act listing of disallowed persons and companies and Specially Designated Nationals before doing business.  It could be a felony if you get caught doing business with someone or a company on the list, which is updated daily at www.treas.gov/offices/enforcement/ofac/sdn/.  Also check Interpol, FBI, and other agency wanted person’s lists, alerts, business or financial institution entity sanctions, and lists of those that are barred from doing business in the United States or with U.S. companies or citizens.  For example, GTI provides a database search for our clients that combines all searches in one run under a specific name or entity, including the Bank of England, Bank of Australia, United Nations terrorist organization lists, and many other international and U.S. controlled databases.
• Research international fraud alerts such as the US Department of the Treasury Financial Crimes Enforcement Network (FINCEN), Interpol, the global financial intelligence networks, and other white collar crime resources for interests and ownership of offshore companies, suspected terrorist funding set ups, money laundering, and fraud lookouts/ alerts for individuals and companies before making any business commitment with any individual or company.

Carefully Select Outside Consultants

• Always use competent legal counsel with practice experience and expertise in your areas of special need.
• Use independent Subject Matter Experts, not managers or employees, for security audits, financial reviews, intelligence services, and guidance regarding internal sensitive matters.  The independent experts to report directly to the CEO and/or board committee.

Proactively Manage the Security of Your Company Information

• Do not store any data beyond required operating systems and programs on company laptops; use Virtual Private Networks (VPN’s) to link to internal servers.
• Never leave laptops unattended in vehicles.
• Advise all visitors and all employees to check all jump drives, iPods, and anything digital and portable at the door, unless it is to be used only internally.
• Remove batteries from cell phones in sensitive areas.
• Perform periodic computer forensic audits of key staff internet activities, including new data created and storage accessed [could be vital in an e-discovery matter under the new federal rules – it only takes one sexual harassment complaint causing costs to spin out of control of your not prepared].
• Install a threat intelligence analysis tool behind the firewall.  This can stop and/or identify threats that your anti-virus and spyware programs may be unaware of and instantly notify you of unauthorized data transfers, Internet contacts, emails, and other anomalies within your network.
• Back up all data off-site and at a significant distance from your primary geographic location; we suggest utilizing two off-site backup locations on different power grids.
• Establish a system-wide file and email recall management program so you can immediately access any piece of data or information you, your audit arm, or your counsel may wish to examine.  Setting up such a system in advance of a subpoena or visit from your local compliance regulator can save you a lot of stress and resources.  And just think about it – you should be able to look at what you want to when you want to anyway.

Know the Laws

• Familiarize yourself with the onslaught of new data breach laws and how to best mitigate your liability.  A breach or suspected breach in any form can be very costly.
• Work with counsel closely to establish employment polices appropriate to your industry.
• Become familiar with the FTC publications, the Fair Credit Reporting Act and related state legislation; all have some bearing on your customers and your employees, stay on top of other compliance issues that may affect your industry – congress is attempting to change many things daily.

Prepare Your Employee Policies with Care

• Use the U.S. Intelligence Community model to determine what your employees need to know regarding your company’s internal operations, trade secrets, negotiation strategies and protocols.  If an employee’s work duties have nothing to do with a particular project, then he or she doesn’t need to know about it.
• Craft your policies carefully to destroy any expectation of employee privacy in the workplace.  There is some wide-ranging case law on this issue and all situations may not always allow the employer full reign – so play it safe, review with counsel.

Prepare for Emergencies

• Define the line of authority within your company structure to know who does what in the event of a crisis.  Prepare for the fact that the CEO or other key staff may not be in that day, or for several days.

Carry Out Clear Negotiations

• Seek transparency in all negotiations; illuminate the darkness.  Men and women fear what they cannot see.

We encourage business leaders to pre-plan protection strategies for internal operations and growth, to mandate requirements of suppliers, and to learn more about the value of unique research support and actionable intelligence available on demand.  Many business professionals are unaware of the breadth of information that is available if you know where to look.  This knowledge will help to support the best litigation strategies, mitigate risk, identify threats and potentials for other liabilities, and keep the compliance police happy.

One closing thought: if you cannot demonstrate procedures, policies, and other prudent efforts that your company has undertaken to protect your trade secrets and other sensitive information, the courts won’t protect them either.

For further reading that will help you think things through a bit more; an excellent article from CSO Magazine –

Security Consultants and Lawyers: Don’t Trust Them to Manage Risks

Both Greg and I welcome your comments below.  Also, please subscribe to keep up with this and other Guest Post Friday Musings.