By Anita Barker, Partner, Control Risks and Sorana Parvulescu, Partner, Control Risks
INTRODUCTION
In-house counsel have not traditionally played an active role in business development efforts or market-entry plans. On the rare occasions that they have, they have likely focused on legal due diligence: understanding local legal requirements to set up an entity and operate compliantly. Their next involvement in the Middle East will often be to tackle a crisis or some other critical issue. In-house counsel often save the day post-factum, as they are brought in to deal with a multitude of issues, such as sanctions breaches, corruption allegations and investigations, reputational crises, injuries or loss of life and insurance claims for business disruptions due to conflict or political risk. But it needn't be like that – in-house counsel are ideally placed within their organizations to lead and coordinate a proactive risk management approach for business development and market entry. Local and multi-national companies operating in the Middle East can build this approach.
BUILDING AN IN-HOUSE, MARKET-ENTRY RISK ASSESSMENT FRAMEWORK
Organizations that design and implement a market-entry risk assessment framework to apply to all new business ventures will improve decision-making, save money, avoid duplicated efforts, demonstrate adequate corporate governance to regulators, and ultimately be more successful. This approach is most effective when led by top management (executive level) and in-house counsel, as they understand all aspects of the risks that their organization faces. We recommend a simple, four-step process to design and implement this framework:
- Enlist all relevant stakeholders: Create an internal group of senior, multi-disciplinary stakeholders from sales/business development, security/health and safety, human resources, technology/information security, compliance, and insurance/risk. Each of these functions likely has some responsibility in managing risk in the market-entry process and, later on, operations in those new markets. Having them involved and invested from the outset is crucial.
- Establish and communicate the organization's risk appetite: Organize a workshop with your stakeholders to agree on the company's appetite for different categories of risk. Ask everyone: "What would be a showstopper for market entry?" The answers will be specific to your organization and will depend on sector, ownership structure, corporate governance, and past experiences, among other factors. For example, an extractives company may be comfortable operating in countries with high-risk security environments, whereas a pension fund may consider certain developed economies in Western Europe a high-risk market. Whatever your risk appetite, you need to make sure that everyone in your company's management and across key functions shares the same understanding of those red lines, that they apply this understanding in their work, and communicate it clearly internally and in interactions with external stakeholders. Having an established, clear risk appetite will inculcate a risk-aware culture in the organization and project a positive reputation in the market.
- Agree on a market-entry risk assessment process: Work with the same stakeholders to draft a process for assessing risks as you consider business opportunities. This will help you decide as a group whether you want to proceed with a business opportunity in a new market, and if so, what mitigation measures you can put in place across different functions as you plan your market entry. These could be contractual clauses, specialist insurance, different levels of due diligence and staff security provisions, or the frequency of audits. Create a template for risk assessments that can be conducted either in-house in cooperation with the relevant functions or commissioned from a specialized risk management consultant with strong knowledge of the market environment. Documenting these risk assessments will help you track progress and monitor key risks and will give you defensible proof of due diligence, should that particular part of the business face scrutiny.
- Monitor and refine: In markets where you have decided to establish operations, continue to monitor the key risks that could impact operations to identify early warning signs of a situation that could change and require additional action.
MARKET-ENTRY RISKS IN THE MIDDLE EAST
What are some of the key risks that your organization should consider when thinking about expanding into a new market, particularly within the Middle East? The four main categories of risk listed below are interconnected. Looking at them in isolation may prevent you from flagging key exposures.
- Regulatory Risk
This is a broad category of any potential restrictions or rules that could significantly alter your return on investment in that market or threaten the parent organization elsewhere. When considering regulatory risk, consider which aspects of local or international, current or future, legislation are likely to apply to your business in the new market. Sanctions are a highly relevant example in the Middle East. Companies entering these markets must check international sanctions by the United States (US), United Nations (UN), and European Union (EU) that may apply to certain designated entities, but must also understand local sanctions and the overall trajectory of sanctions regimes. For example, the United Arab Emirates (UAE), Qatar, and Saudi Arabia maintain their own sanctions lists (which are not publicly available) targeting entities and individuals in neighboring countries, which adds another layer of compliance (and monitoring) for new market entrants – especially as local verification and enforcement mechanisms may be unclear.
- Integrity Risk
Integrity risk is another broad category of risk covering all types of issues that could affect your company's public reputation if not mitigated. Three integrity risks are of particular importance in the Middle East.
First, corruption risk may show up when conducting due diligence of potential business partners around the region. Investigations under the UK Bribery Act (UKBA) and the US Foreign Corrupt Practices Act (FCPA) have dealt with corrupt behavior in countries across the Middle East. Companies sometimes face low-level administrative corruption and high-level corruption in government procurement. Many governments in the region do not define the notion of conflict of interest, and public officials may be prominent business players in the relevant markets. Some governments have launched their own anti-corruption initiatives, one of the most prominent of which is Saudi Arabia's recent crackdown on hundreds of business leaders and public officials in November 2017.
Concerns over labor risks have also become more prevalent among clients in the region over the past few years. Despite developments in local regulation on this issue, the region still witnesses cases of child labor or mistreatment of laborers, particularly those working in the Gulf's construction sector. Global businesses operating here are under scrutiny from labor rights monitors from their home countries. These businesses must also account for any potential exposure to the UK Modern Slavery Act, another extra-jurisdictional legislation.
Finally, human rights concerns may also need to be considered when entering some of these markets, particularly in post-conflict countries such as Iraq.
- Security Risk
There is no shortage of security risks in the Middle East. It is your duty to ensure that your people are safe in any new markets. Although this aspect of risk management is often led by your organization's security function, in-house counsel may want to support a broader discussion about risk exposure and mitigation options, to ensure, for example, that whatever solution you choose to keep personnel safe doesn't expose the organization to other key risks such as corruption or human rights abuses.
Organizations must also address information security in a cross-disciplinary fashion. Control Risks' recent analysis of cyber threats suggests that companies across the world – and in the Middle East in particular – will only face higher cyber threats in the years to come. This includes extortion by cyber criminals, campaigns by so-called "hacktivists" and state-sponsored cyber espionage. Mitigating such risks will not be limited to putting IT firewalls in place and should take into consideration your specific risk exposure, your critical assets, and your information security processes.
- Political Risk
Broadly speaking, political risks are any actions of state or non-state political actors (governments, militants, neighboring countries) that might impact businesses, such as nationalization, non-payment, and direct action. Any market-entry risk assessment should take into account the geopolitical context of the applicable market and the political risks specific to that market – for example, is the international and local sanction regime in flux because of ongoing geopolitical rivalries, as in the case of Iran or Qatar? Or is the country going through significant transformation that may trigger substantial regulatory change (positive or negative) for businesses in the next few years, such as Saudi Arabia or Egypt? Is the government leaning towards restricting and limiting foreign investment in favor of local industries, such as in Algeria? Answering questions such as these will help you decide whether to invest in a market, and can help you identify ways to manage such risks, such as taking specialist risk insurance, introducing relevant contract clauses into local contracts, or defining a government engagement strategy, to name a few.
CONCLUSION
Your organization is under more scrutiny than ever from shareholders, employees, regulators and the general public, all of whom will seek assurance that you can manage a multitude of risks in the markets in which you operate. Disconnected risk management processes embedded in specific organizational functions are no longer sufficient. As in-house counsel, you have the opportunity to reset the clock and bring risk management forward to the beginning of an investment or growth decision by building a market-entry risk assessment framework. This will save your organization time and money, help you as in-house counsel to be more alert and allow your organization to be better prepared to respond to the next midnight call.