Paddy McGuinness

Senior Advisor, London Brunswick Group

  • London

Paddy McGuinness advises on crisis and resilience issues, providing senior counsel to clients on ever-evolving business and political risk.

Spotlight

4 min

Governing for Resilience

COVID-19 has raised the stakes for boards, argues Brunswick’s Paddy McGuinness, former UK Deputy National Security Adviser.

We now live with COVID-19. Fewer business leaders are making the mistake of talking about “post-COVID” or “when this is over.” The better of them have factored in COVID-19 related constraints to their medium-term plans and are even thinking about how the world may change in the long-term. They are building capacity to take advantage of an early recovery within months, yet they are modeling and encouraging grit for current and indeed harder conditions to last much longer.

In the past, when health emergencies—say the Spanish Flu pandemic of a century ago—subsided, there was a greater return to economic normality than had been expected during the crisis. Extreme events often heighten or even distort our perception of wider risks. That old journalistic cliché “one thing is certain, nothing will be the same again” is rarely true.

But the pandemic has created the expectation that businesses will be resilient—that they will be able to respond to an event and recover to the state prior to the event, incorporating the lessons learned into business practice.

Many business leaders feel they have not done too badly responding to a once-in-a-hundred-years event. Business Continuity Plans (BCPs), which were understandably sketchy for pandemics, were pulled out of second-line risk management and owned and improved in real-time by executive committees. The transition to remote working and, at least in Asia and some of Europe, the gradual return to offices again, has been managed. Services and even vital production have been maintained. Leaders have absorbed the personal and collective strain of this. Good reason then for some satisfaction as they delegate certain COVID-19 responses and focus on the economic tsunami that follows the pandemic.

The public seems to largely agree with business leaders’ assessments. While many national and scientific leaders find themselves beset by “blamestorming,” corporate executives have been given more slack. They weren’t expected to have foreseen a pandemic. Their sometimes scrabbling responses are understood.

However, behind this lucky pass lurks an expectation that businesses will now be more prepared for crises and foreseeable risks. Resilience cannot be relegated to BCPs and traditional risk-management structures. It is categorically a board issue—regulators, lawyers, politicians and the public say so. The reputations of individual board members and the collective are at stake. Think how fast leaders have been expected to respond to the issues raised by the Black Lives Matter movement. Alacrity will be required.

The speed and scale of decisions in response to the pandemic leaves board committees playing catch up to assure themselves that risks have been managed. The move to working from home has been rapid, so too the digitization of the business. Some see these as new, streamlined ways of working, yet the negative consequences are not yet fully apparent. Working from home, for instance, is attractive to some employees as well as chief financial officers, who may relish the chance to reduce fixed costs. Concerns about the impact on the coherence of the business’s culture, its productivity and innovation, the security of data held at home, hardships for those in difficult home conditions, and, indeed, the needs of the younger demographic who seem to favor a return to the office, need to be given due consideration. It may be a case of “decide in haste, repent at leisure.”

Boards also need assurance that the business has regained its balance and can manage parallel or interrelated crises. In recent weeks we have been helping several clients respond to major cyber events unrelated to the COVID-19 outbreak. They have probably needed more external support than otherwise because their leadership capacity was inevitably denuded by pandemic response. And they have benefitted from us already knowing each other and having experience of how to work together in crisis.

After the Great Financial Crash there was a heavy focus on balance-sheet resilience and having the requisite finance skills on boards. Business leaders are now beset by advice on the heightened obligation to be resilient in a much broader sense of the word. Regulators, lawyers and risk consultants are sharing checklists of factors for executive committees to take into account when managing risks and for boards to oversee. The challenge here is defining what changes your specific business needs and how to actually bring those about.

Shareholders will be expecting a judicious move away from “just in time” systems to ones that can endure foreseeable risks. This isn’t just about potential legal liability or reputational risk. This is about setting your business culture for success. Undermanage risks and the business is wide open to damage from foreseeable shocks with all the loss of confidence and capability that follows. Overmanage and the business loses its competitive edge just when there is opportunity in the recovery.

In order to track broader resilience, boards and their committees will need access to a wider set of skills and insight. Board membership emerges as an obvious area of focus. Yet each board will take more time and belonging to too many—“over boarding”—may well be unacceptable. Risk methodology and information flows will also have to be reviewed, alongside how to strengthen board members’ awareness and skills.

Before the pandemic, chairs and CEOs were already wrestling with this for their difficult-to-price risks, such as data, technology risks and cyber. Individual experts on boards created siloed responsibility for what should have been a shared risk. A focus on process and method often led to a focus on the management, rather than genuine oversight of, risks. External advice didn’t always help (as we have learned from the plethora of competing advice around COVID-19).

No single intervention will meet the new standard for resilience. Nor will simple prescription. A broader and more articulated approach is required if governance is to maintain stakeholder confidence and corporate reputation.

Paddy McGuinness

4 min

Resilience in the Face of COVID-19

Brunswick Senior Advisor Paddy McGuinness, former UK Deputy National Security Adviser, on how businesses can chart a course amid the fear and uncertainty.

We are all becoming more familiar with this disease than we care to be—and may become yet more so. Still uncertainty remains. It began even with the terminology. Coronavirus is a descriptor, a general term. Under the microscope, the virus has crown-like spikes, hence corona. The common cold and variances of it are coronaviruses. COVID-19 (as in Corona Virus Disease 2019) is the effect that this particular coronavirus has on the human being—that’s the disease the world’s grappling with. That’s the distinction between the two terms.

We’ve now spoken to more than 150 clients about their situation. That has given us a broad view of the corporate response across affected geographies from Asia, through the Middle East and Europe to the Americas, a window into how those responses have played out and the challenges continually unfolding. Here’s what we’ve been advising our clients:

First, develop a single view that’s grounded in professional, well-sourced information. In government we called this “a commonly recognized information picture.” That view has to be based on the responsible medical experts: the World Health Organization, the Center for Disease Control, Public Health England and similar bodies. You do not get it from the newspapers, from social media, from friends, or even your local medic. You operate on the basis of informed medical and public health advice. The current vocal challenge to that advice in Europe and the US is not reason to depart from it as your foundation for the actions you take.

A leadership team needs to develop the discipline to clarify that generic narrative into a specific frame for their business context and then operate within it. It’s dangerous for leaders to start pretending they’re epidemiologists. Have a single view and stick to it. I’ve been on calls with leadership teams where there’s agreement on that view and then someone says, “But I read that the disease ...” Don’t go there. Don’t work on that basis. The uncertainty is difficult enough to deal with. Don’t add to it.

You will be focused first on the safety—the human consequences—of your course of action and then on the resilience of your business. That may cause you to anticipate some of the “Non Pharmaceutical Interventions” that government makes. Brunswick has.

Having established your position, think through how you’re going to communicate it to employees, customers, and investors. What about your suppliers and regulators? How might you engage with local public health officials and local authorities? Exaggeration and understatement are equally unhelpful. These engagements need to be tailored, yet aligned within your broader narrative.

Leaders also need to plan for reasonable worst-case scenarios. Covid-19 has already spread in a way that we hoped wouldn’t happen, and in a way that standard business continuity planning doesn’t cover. Now, many in the workforce have to work from home. Among other considerations, that produces additional cyber and data vulnerability. What if schools close and your employees have children at home they have to look after? What will your IT capabilities be if 20 to 40 percent of your team is incapacitated at any one time during the peak period? Are your HR teams prepared to deal with the most unfortunate case, where employees or their close relatives pass away?

In extreme times, it can be tempting to take extreme positions. A lesson of crises is never to enter into something without knowing how you’re going to get out of it, how to reverse it. If companies are going to start shutting down their operations, how are they going to open again? On what justification? Taking fixed positions amid great uncertainty can prove restrictive—or counterproductive—when circumstances change.

Resilience is the ability to respond and recover to the state prior to the event, having learned the lessons of the event. Respond and recover—that’s the long-term goal here. Covid-19 will pass. We know from other pandemics that recovery does come. How can you position yourself to take advantage of that recovery, to get back with speed and strength? Because some companies will.

Now more than ever senior leaders need to talk about how things will be the other side of the crisis and to describe signs of recovery. This is easiest for enterprises with transnational reach. They recount what is happening in Asia as the disease passes so that European and US stakeholders can see beyond the immediate demands of emergency response.

On a personal level, stick close to the medical experts and the people who know what they’re talking about. I may well get Covid-19 here in the United Kingdom. I assume that, like the vast majority of healthy people who get it, I will experience mild to moderate symptoms and recover just fine. If I don’t, I want health services to be available. I want the spread to be managed at sustainable levels, so I am doing what Government asks of me and avoiding all but essential contact with others and unnecessary travel. I expect that more will be asked of me, my family and colleagues before we are through this.

I wouldn’t let Covid-19 overwhelm you in your daily life, given what we know. That’s certainly my intention: carry on with as much normality as possible, support others and use the unexpected circumstances to prepare for the recovery phase which will come.

Paddy McGuinness

Answers

How could a cyber attack affect my organization?
Paddy McGuinness

Regulatory repercussions. The General Data Protection Regulation took effect in May of 2018. We don’t know yet what fines for the worst offenders will be, but they could amount to 4 percent of global turnover. The regulator could also force companies to suspend business if they aren’t satisfied the proper steps to protect data have been taken.

Loss of business. The June 2017 NotPetya attack aimed at the Ukraine caused material sales impacts for a number of global companies. They were simply collateral damage, the result of perhaps even just one user clicking on malicious links. Maersk has used the experience to warn others. They reported $265 million lost sales in a quarter following a 10-day period where the company was reduced to pen and paper while it reinstalled all of its IT systems.

Share price impact. Breached companies see immediate share price impact and underperform the market in the long term. An analysis by Comparitech of 28 breaches showed that these companies underperformed the Nasdaq by 4.6 percent over the first 14 days and by 11.35 percent over two years.

Lost productivity. Responding to cyber attacks weighs on your company’s performance. Production loss accounts for one-third of a company’s annualized costs due to cyber crime, the 2017 Accenture and Ponemon study found.

Executives are collateral damage. Companies that have suffered major breaches, like Yahoo!, Equifax, Target and Uber, often see the resignations of either their CEO, CISO and/or General Counsel.

Class action lawsuits. These are not limited to the US. We saw a firm threaten a group action suit against British Airways within days of the September 2018 data breach.

4 ways to prepare against cyber attacks
Paddy McGuinness

1. Align your response team. Swift coordination in a pressured situation requires a defined decision maker. The CEO needs to know when that decision-making power should sit with her and how the critical details to inform decisions will be shared. When facing a business unit incident that affects a global customer base and requires international regulatory alerts, that responsibility can get muddled.

The smoother the public response, the shorter the public follow-up cycle and scrutiny. That only comes with practice.

2. Consider the tough decisions. You want to be able to offer your customers something in response to a potentially protracted disruption. The first debate about exactly what that offer will be should not happen under the pressure of a tight deadline. As with any critical decision that could affect your long-term reputation with customers and employees, understand the likelihood of risks and weigh how you could respond.

When would you advise customers of a potential risk? When should you inform the market, given that it may be some time before you have a complete picture? How often should you communicate during the disruption? How will disclosure affect different parts of the business? You have to be prepared to communicate clearly but cautiously and your first communication has to be accurate.

How would issues in different regions drive decisions? Global companies must reconcile the different cultural and geopolitical pressures around the level of information expected in each market when hit with a cyber incident. Which of your markets will guide your response strategy?

How would you respond to extortion? Does your executive team agree how you would respond to threats of extortion? Would you take a public stance around refusing to pay ransom, and is that more effective in your key markets?

3. Get to grips with the potential consequences. With the right questions, you can understand where you are most at risk of a cyber incident. That should inform both how much you put toward mitigation of key risks and how you prepare to respond. If a phishing attack could grant access to sensitive IP critical to your business, extra defenses and training are required.

Are those most sensitive systems the first ones your information security team would check at the notice of potential unauthorized access? Do you appreciate the level of complexity involved in understanding what could have been accessed? Where will you need to be prepared to offer compensation and how much?

4. Increase your IT security literacy. There is a call to action for boards to increase their understanding of the cyber risks their companies face, and to do that they need to understand their current defenses. This extends to the preparedness of the members of your supply chain. In the case of a cyber incident, the brunt of the blame falls on the victim of the attack – not the perpetrator.

Can you earn a return from managing cyber risk?
Paddy McGuinness

Cyber resilience is not just a matter of risk management. Robust preparation across your business should be value enhancing.

An informed executive team will demand higher standards from everyone in the business. If it is a theme heard from the top, information security will be echoed across the business making it a message your customers and partners hear too. Employees want to be part of a solution and understand the role they play.

Good management appeals to investors. Our survey shows a very positive response to senior executives detailing how they’ve dealt with ongoing cyber threats and strengthened defenses and preparation.

Cyber attacks can disrupt business and carry long-term consequences. Hackers work full time to get into your system. Advance planning and company-wide cyber awareness can make their job considerably harder.

Biography

Paddy joined Brunswick in November 2018 with extensive experience of crisis management, contingency planning for major risks and public communications around major national security issues, nationally and internationally. Drawing on his expert knowledge of security in its national, regulatory and geo-political context and his own networks, Paddy advises on crisis and resilience issues, providing senior counsel to clients on ever-evolving business and political risk.

Prior to joining Brunswick, Paddy was most recently the UK’s Deputy National Security Adviser, for Intelligence, Security and Resilience where he advised the Prime Minister and National Security Council on policy and decision-making on homeland security issues, including national resilience and crisis response, cyber security, counter-terrorism, and the UK’s response to action by hostile states. In this role Paddy worked with senior UK officials from across government, senior business figures and foreign partners, to build a coalition of common interests that broadened the UK’s national security capabilities and reach. He chaired COBR, on Homeland Security Issues, and led the development of the 2016 National Cyber Security Strategy. He was responsible for the interface between government and business on resilience and national security issues especially as it affects Critical National Infrastructure. He convened the cross-government body on the National Security aspects of Inward Investment. Latterly, he acted as the UK’s Envoy to the US tech sector, the US Administration and Congress on lawful access to data. He was also responsible for the funding, oversight and laws for the UK’s intelligence and security agencies.

Prior to this, Paddy was in the Diplomatic Service with leadership roles in the Middle East and Africa, Counter-Terrorism, Counter-Proliferation, and aspects of Cyber. He served in British Embassies in Rome, Cairo, Abu Dhabi and Sana’a.

Paddy was awarded an Officer of the Order of the British Empire (OBE) in 1997, and a Companion of the Order of St Michael and St George (CMG) in 2014.

Areas of Expertise

Crisis Management
Cyber Security
National Security
UK Politics
UK Business Trends
International Relations
Counter Terrorism

Accomplishments

Companion of the Order of St Michael and St George (CMG)

2014

Officer of the Order of the British Empire (OBE)

1997

Media Appearances

The COVID-19 Crisis is an ESG Issue: Here's What That Means for U.S. Businesses

Triple Pundit  

2020-03-25

"Our understanding of what is critical national infrastructure and where we need to invest in our society is changed by these events," said Paddy McGuinness, a London-based senior advisor with Brunswick Group, who previously worked in resilience and security under two successive British Prime Ministers.

PRWeek Brunswick hires former UK government security adviser

PRWeek  

2018-11-01

McGuinness said: "I am thrilled to join Brunswick and to have the opportunity to bring my experience to bear on clients’ issues in order to make their businesses more resilient in these uncertain times."

Event Appearances

Presentation 'Unconsidered Cyber Realities for Business'

Secure Computing Forum  The RDS Events Centre, Dublin

2019-09-12

Cyber realities for Critical National Infrastructure

Australian Security Summit (AuSec 2019)  Hotel Realm Canberra

2019-07-09

Articles

Governing for Resilience

Brunswick Group Perspectives (2020)

We now live with COVID-19. Fewer business leaders are making the mistake of talking about “post-COVID” or “when this is over.” The better of them have factored in COVID-19 related constraints to their medium-term plans and are even thinking about how the world may change in the long-term.

Resilience in the Face of COVID-19

Brunswick Group Perspectives (2020)

We are all becoming more familiar with this disease than we care to be—and may become yet more so. Still uncertainty remains. It began even with the terminology. Coronavirus is a descriptor, a general term. Under the microscope, the virus has crown-like spikes, hence corona.

The View From Davos

Brunswick Group Perspectives (2020)

Another year, another Davos. Every year there are meta-themes and subsidiary themes that occupy the global elite in the Congress Centre and the many meetings around town.
