Families are different than corporations, so it’s no wonder that high net worth families – and the family offices that represent their interests – approach protective security differently than corporate organizations.
As you’ll see below, however, we believe there are many good reasons for family offices to take a page from the best corporate threat assessment and risk management practices.
Families view security differently than corporations
The dynamics of family life – whether high net worth or not – are obviously different than those of major corporations. Some of these differences are also clear when it comes to security and family offices.
For one thing, compared to corporations, single-family offices are smaller, have fewer staff, and often lack the deep bench of specialist expertise that corporations muster. Their focus is initially on wealth management and other financial services, but often extend to other areas such as estate management, concierge services, charitable giving, etc. Multi-family offices (MFOs), which do the same things for multiple families, provide economies of scale that can enable greater scope of services and greater ranges of expertise. Family offices sometimes have inhouse expertise regarding cybersecurity; they rarely have any such resources for protective security.
For another, as we have pointed out in a previous blog, high net worth families – like all of us – are subject to a range of biases that cloud our perception of security needs. It’s not just that you don’t know what you don’t know. We’re practically hardwired to avoid thinking about risk in ways that are analytical and objective.
Whereas duty of care, professional risk management, and corporate governance often put the protective security of corporate officers on the radar – despite any personal biases the principals may or not have – this is not the case for family offices. Unlike the key persons of publicly listed corporations, if high net worth individuals or families decide they are not at risk and do not need protective security, then that is usually the end of the story. Until it isn’t, that is. Then, protective security is added as a reaction to events rather than as proactive measures to mitigate predictable risks.
his indicates that for high net worth individuals and families, and their family offices, the probability and impact of non-investment risks are often first comprehended when something happens, and potential threats become real ones. In other words, family offices approach threat assessment and risk management very differently than major corporations.
While we imagine that all family offices engage in risk management practices to some extent or another, we would wager that most of this has to do with financial risk and investment portfolio management. In our experience, attention to non-investment risk is much lower in family offices than it is in corporations.
As protection specialists who have worked with a broad range of single-family offices, multi-family offices, and corporations for many years, it’s sometimes surprising to see just how different the approaches to threat assessment and risk management can be. Non-investment threats – and family members’ exposure to them – are rarely adequately understood.
Security risk management for high net worth families requires a different approach
As we pointed out in our blog on Enterprise Security Risk Management (ESRM), security risk management is essentially a process of
- Identifying and prioritizing assets
- Identifying and prioritizing risks
- Mitigating prioritized risks
While the frameworks for security risk management are similar for both major enterprises and individual families, the details are different.
Family assets are unlike corporate assets. This starts with people, of course, which includes not only the nominal principal, but his or her significant others, too. Depending on the circumstances, this could range from a group of one to a spouse, children, and extended families of all shapes and kinds.
The physical assets that matter to high net worth families are also as different as the families themselves. Some might have significant art collections, others nothing but their children’s drawings on the refrigerator. Some care only about the old mongrel of a family pet, others raise thoroughbred horses on private ranches. Some have only one residence, others several.
Risks within the family context should be understood in broad terms in order to better understand the range of potential threats (physical, psychological, reputational, financial, etc.) as well as the vulnerabilities to them (prominence, lifestyle, travel, time and place predictability, social media activities, etc.).
Here, again, families are different than businesses. It is hard enough for professionally run multinational corporations to comprehend and factor in everything that matters to risk management. For families that also need to consider intangibles such as teenagers and hormones, intimate relationships and their imperfections, feelings as well as facts, identifying and prioritizing risks take on whole new dimensions.
Last but not least, there are differences between families and corporations in how risks should be mitigated. What works in a corporate setting might not be appropriate or effective in a family setting. Beefy men in black might be appropriate for some security settings, but no parent wants their child to grow up in the shadow of a bodyguard. When it comes to family members and close protection, for example, this might mean including surveillance detection and covert protection in addition to traditional executive protection methods.
How high net worth families can proactively improve their personal security
In our experience, improved security starts with better awareness. And in our business, improved awareness starts with some kind of evaluation of the current security situation. Call this an RTVA (risk, threat, and vulnerability assessment), a security review or audit, a situation analysis, or whatever you want. But we suggest families, or their family offices, get this done.
hen performed properly, a good RTVA covers two of the three cornerstones of the security risk management process, namely identifying and prioritizing assets and identifying and prioritizing risks. Families and family offices will need the help of specialist partners to do this, but the effort is worth it. With this awareness, the family is better able to separate feelings from fact and lay down the foundations of the third component, mitigating prioritized risks.
But the initial RTVA is only a baseline, a “snapshot” of the current situation. Families and their protective partners must also ensure a process for ongoing risk evaluation. Given the everchanging nature of the family environment, threats and vulnerabilities, such a proactive approach is the only way to adjust and customize mitigation strategies and tactics over time – and sometimes very quickly.