December 01, 2022

On this episode of The Bracewell Sidebar, hosts Matthew Nielsen and Seth DuCharme are joined by Brian Mich from Control Risk, a specialist risk consulting firm. Brian leads the regulatory risk and investigations practice for the Americas region, which includes North America, as well as Central and South America.

Tell us a little bit about yourself and what you do.

I’m a partner at Control Risk. I lead our regulatory risk and investigations practice for the Americas region, which includes both North America, as well as Central America and South America.

Control Risk, for those who don’t know, is a 47-year-old specialist risk consulting firm. We have an interesting history: We’re UK-based; we grew out of the insurance industry initially; and we started as — and are still — the premier kidnaping and ransom response firm in the world. We’ve grown into doing work in the crisis and security consulting world, where we do everything from complex cyber readiness and cyber response, all the way down to doing executive protection for our clients who are operating in difficult areas. My end of the business is more focused on integrity risk.

How do you see digital due diligence and data versus kind of boots on the ground?

Digital due diligence and using data helps certainly, whether it’s due diligence or investigations, or compliance monitoring and risk assessments. It certainly helps you to identify the areas of risk to some degree.

In our due diligence, we do a lot of work relying upon information that’s relatively accessible online and through publicly available sources. A lot of the places our clients operate, though, don’t always have the greatest amount of information or the most accurate information that’s available online, either because they don’t have the same sophistication in terms of the robustness or in terms of public records. Some work on the ground is often necessary just to get some basic information about who owns a company, who the shareholders are and things like that.

What kind of concerns and risks are associated with doing business with people in certain areas of the country?

A lot of due diligence we do is focused on a variety of different regulatory risks that might be in place. The Foreign Corrupt Practices Act of 1977, the bribery focus that has been so much part of it, that could be a focus. It could be money laundering related to a variety of different risks that you’re looking at. Part of the reason why you’re looking at those, depending upon the context of the relationship you’re looking at, is when you, for example, enter into a joint venture or you are acquiring a company or you’re engaging a party to act as your representative, as your agent, you assume that risk to a large degree of their conduct.

It’s important to try to understand who you’re dealing with so that you don’t have that risk of them maybe behaving poorly, or violating the law on your behalf. Of course, you also want to be able to indicate you’ve done that due diligence, because when it does happen, part of your defense to your potential corporate liability will be that we had a program in place, risk-based, determined based upon the risk of that party, which can be a lot of different factors.

Are you seeing more companies doing due diligence from an environmental, social and governance (ESG) standpoint?

Obviously, ESG is gaining greater regulatory attention. The FCC and other regulatory agencies are developing their approaches. The challenge with ESG to date has been a little bit of how do you quantify it, particularly the “G” part. Governance has always been something that we do, but the environmental and the social aspects of it are very difficult to figure out.


The opinions expressed in this podcast are those of the speakers and do not necessarily reflect the viewpoint of their institutions or clients.