Crisis & Security Consulting — Control Risks

Autumn 2023 on the Crisis and Security Consulting team at Control Risks in Shanghai. Client work ran the gamut — from physical-security reviews to regulatory monitoring to crisis-management workshops — across a shifting geopolitical surface.

What the work was

Risk consulting looks, from the outside, like geopolitics. From the inside it is closer to translation. A client asks is it safe to keep our second-tier supplier in Xinjiang and what they mean is something like: we need a defensible answer for our audit committee, and we also need to know whether to move.

My job was to give them both.

A few of the engagements

• Itochu Taicang warehouse security review — site assessment, threat taxonomy, mitigation matrix; exec-summary compressed to a single page because executives do not read past page one
• Hong Kong cryptocurrency-firm regulatory research — mapping the post-2022 licensing regime and what it implies for outbound and inbound capital flow
• Foxconn and retail-mall security incident research — desk work across Chinese- and English-language sources, with sourced primary interviews where the desk work hit a wall
• CIFF Crisis Management Workshop and Exercise — supported design and delivery of a scenario-based tabletop with a corporate client
• Short memos on new-client prospects: background, strategic alignment, outreach opportunity

What I took away

There is a difference between risks and uncertainties, and a good memo refuses to blur it. If you can quantify the probability, you're writing a risk assessment. If you can't, you're writing a judgment. Both are useful. Neither is the other.

I left Shanghai with a better ear for the word exposure.