The aftermath of the terrible murder of UnitedHealth CEO Brian Thompson raises clear questions for board members to consider.
The Risks:
One of the first questions we may want to ask ourselves is how likely it is that our CEO may be targeted.
I think that companies which “face the consumer” and where there’s potential consumer harm are at a higher risk.
If your company’s product could possibly harm a consumer or impact them negatively, you’re subject to a bigger group of people who could be violent.
Health insurance, airlines, automotive, pharma, and food are examples. There are large pools of people whose lives could be impacted very significantly by a real or perceived safety / health failure.
Controversial / gritty industries:
If your company is in the so-called “sin industry” group, often described as alcohol, tobacco, firearms, gaming, etc., it is conceivable that the nature of these industries may result in a riskier environment.
The business-to-business industries like chemical, energy, agriculture, industrial, etc. logically should be less of a concern. If your company makes valves that go into other industrial products and you compare it to health insurance, it is easy to see the potential difference in vulnerability to being targeted.
Preparedness:
Boards are all familiar with “key man” insurance and the annual safety preparedness that many companies do to brief their CEO and exec leadership team. Often a third-party expert comes in to go through a security briefing. This includes topics like how to respond if you’re caught in a fire in your hotel, how to get to the exit, how to be situationally aware to avoid kidnap, how to behave if you are kidnapped, etc.
Additionally, companies have policies on where / when they have bodyguards. For example, if your CEO and/or ELT is traveling to a dangerous country, there are often special airport greeting protocols, bodyguards / escorts, bulletproof cars, etc.
The question of key man insurance is an interesting topic. Do you have a policy with Medevac? Do you have kidnap extraction in your policy? Who controls the extraction team selection?
If the worst-case scenario happens, have you got a crisis management protocol in place? This is analogous to having a dedicated part of your crisis management. We are all now increasingly knowledgeable on the NIST protocols for cyber ransomware prevention and the escalation process for responding to a cybersecurity breach.
We may want to ask management to refresh and update the overall Enterprise Risk Management scope to include a review of the CEO vulnerability risk.
Empathy and humanization:
We appreciate the importance of our company’s brand both externally and internally. We want our customers, investors, and employees to feel and believe in our company’s values and sense of mission. Whether our brand truly resonates as authentic and “real” depends on our CEO’s persona. Does our CEO feel transparent, honest, caring, sincere? Or does our CEO feel distant, stiff, robotic, indifferent?
Remember the cringeworthy response of the United Airlines CEO who lawyered up after the negative media attention of a puppy being suffocated in the overhead luggage compartment on a United Airlines flight, and the rough removal of a passenger from a plane. The CEO’s perceived lack of empathy was harmful to the brand. Contrast this with the charisma of visible CEOs like JPM’s Jamie Dimon, or the incredibly iconic and uniquely authentic Elon Musk.
My suggestion is that boards may want to encourage their CEOs to be mindful of the significance of showing their human side, warmth, vulnerability, humility, and concern.
I’m not suggesting that the tragic murder of UnitedHealthcare CEO Brian Thompson would have been avoided by publicly and empathetically addressing consumer complaints…but I do believe there is a “learnable” insight surrounding this tragedy, that the public’s perception of your CEO’s approachability may correlate to effectiveness.
Potential Prevention Forensic:
One possible hindsight lesson to consider is the analysis of the warning signs. Have your company’s complaint volume, intensity, and threats gone up? Have the increased issues correlated to a new specific policy change? If the threats have increased in severity, have you upped your research to include boutique specialty firms that monitor the dark web? Have you considered boutique protection firms such as Black Cube? Who on your security team owns this threat assessment? Is it clearly in one organization’s ownership or shared among the physical security, cyber security, and customer service complaint teams? How does this information come together?
In closing, here is a quick listicle for a future board discussion – whether at your audit, ERM or full board:
1. How vulnerable are we? How have we checked and assessed our threats?
2. How are we updating / refreshing our CEO and ELT preparedness?
3. Is the company perceived as “caring” about issues?
4. Are we properly insuring and protecting our CEO and ELT? (I suggest directly asking our CEO if they have received threats).
Sadly, it seems timely to consider the subject of our CEO’s safety and our leadership continuity.