Crisis & Security Consulting — Control Risks

Autumn 2023 on the Crisis and Security Consulting team at Control Risks in Shanghai. Twelve weeks, four formal engagements, a half-dozen client memos, and one tabletop exercise. Reporting line to a senior consultant who had run security advisory work in the region for over a decade.

What the work actually is

Risk consulting looks, from the outside, like geopolitics. From the inside it is closer to translation. A client asks is it safe to keep our second-tier supplier in Xinjiang? and what they mean is something like: we need a defensible answer for our audit committee, and we also need to know whether to move.

My job was to give them both. The defensible answer goes in the deliverable; the move-or-don't-move judgment goes in the call.

The other thing risk work teaches you, on day three, is that a memo is a different object from a piece of journalism. A reporter is paid to find what is true. A risk consultant is paid to surface what is decision-relevant — which is a smaller and stranger universe. Most of what is true about a country is not actionable. The craft is figuring out the subset that is and saying so without overreach.

A few of the engagements

Itochu Taicang warehouse security review. A site assessment for a Japanese trading-house client whose primary concern was insider threat and continuity of operations, not perimeter. We did a full physical walk-through, built a threat taxonomy specific to logistics-warehouse environments, mapped a mitigation matrix to the taxonomy, and compressed the whole report's executive summary to a single page — because executives do not, in fact, read past page one. The most useful conversation of the engagement was the half-hour with the night-shift supervisor, who knew what the static security firm assessment hadn't captured.

Hong Kong cryptocurrency-firm regulatory research. Mapping the post-2022 licensing regime — the Type 1 and Type 7 SFC licenses, the AMLO requirements, the cross-border implications under the Securities and Futures Ordinance — and what all of it meant for a client trying to figure out whether to onshore, offshore, or wait. The research was 70% archaeology — going back through SFC consultation papers, FSTB position notes, and HKMA circulars to understand what the rules were actually meant to do versus what they say.

Foxconn and retail-mall security incident research. Desk research across Chinese- and English-language sources on a series of incidents the client wanted contextualized. Where the desk work hit a wall — and it always did — we triggered the firm's local network for primary interviews. I wrote up four of those interviews. Two were dead ends; one was very useful; one was too useful, and we worked with the senior team to figure out what could responsibly land in the deliverable.

CIFF Crisis Management Workshop and Exercise. Supported the design and delivery of a scenario-based tabletop with a corporate client. The scenario was a simulated supply-chain shock with cascading PR, regulatory, and operational consequences. My role was junior — note-taker and timekeeper — but the entire experience was the most useful three days of the internship: watching how a senior consultant facilitates without leading, how the client's own team's seams emerge under stress, and how the post-mortem conversation extracts the lesson without finger-pointing.

Short memos on prospect clients — background, strategic alignment with our service lines, outreach hooks. The genre of the memo was tight: half a page each. I wrote about a dozen.

The risk-vs-uncertainty thing

The single most useful distinction I took out of the internship is this: there is a difference between risks and uncertainties, and a good memo refuses to blur it.

If you can quantify the probability — even sloppily, even with a wide band — you're writing a risk assessment. There is a 5–15% probability of a regulatory action of this type within the next 18 months.

If you can't — because the situation is genuinely novel, or the underlying drivers are non-stationary — you're writing a judgment. We do not have confident probabilities here. The decision-relevant question is X. Our reading is Y, with these as the upside and downside cases. Here is what would change our mind.

Both are useful. Neither is the other. Most bad memos blur the two — usually by attaching false precision to a judgment, which is a way of laundering an opinion as an analysis. I left Shanghai with a sharper ear for that move and a real distaste for it.

What I took home

A better ear for the word exposure. A working knowledge of the difference between SFC Type 1 and Type 7 licenses. A short list of senior consultants whose memo style I still steal. And the conviction that the writing is the deliverable — the analysis is what gets the writing right, not the other way around.