Control Risk’s Lessons on Keeping Your Executives Safe

Welcome to C-Suite Perspectives, a signature series by The Conference Board. I'm Steve Odland from The Conference Board and the host of this podcast series, and in today's conversation, we're going to talk about corporate risk. Lots of things have happened over the past year or two to fundamentally change how organizations view risk, in general, and executive risk, in particular. We're going to talk about all these evolving trends and outline what companies can do to strengthen resilience, protect their executives, and safeguard their organizations. Joining me today is Bill Udell, the CEO of Control Risks Americas. Bill, welcome to the show. Bill Udell: Thanks, Steve. Thanks for having me on. Steve Odland: Yeah. So Bill, let's start with a little bit about what Control Risks does and, in particular, what you do for all of your corporate clients. Bill Udell: Sure, yeah. Control Risks is a 50-year-old operational risk consultancy. So we got our start in [00:01:00] 1975 out of the kidnap-for-ransom response business. And we still do that, but we've spread out into a wide variety of crisis management, security, investigative, business intelligence, geopolitical risk issues, as well. And we operate around the world, helping companies become more secure, more compliant, more resilient, helping them respond to crises and seize opportunities. And for the purposes of this conversation around executive security, we bring physical security, cybersecurity, threat monitoring, and crisis response together to help advise organizations on how to deal with these challenges and then build programs around them. Steve Odland: Yeah, and you've been doing this for a long time. You're an expert at it. You have experience with the CIA and other entities, so you're really an expert broadly, not only in the corporate world, but really geopolitically and globally, as well. Bill Udell: Yeah, and we have a wide variety of experts working for us. So, for [00:02:00] example, behavioral analysis experts from the behavioral analysis unit at the FBI. Geopolitical experts from intelligence agencies around the world and from governments. And then academics and a wide variety of other experts, as well. So trying to bring those together to create solutions for clients that address their real needs. Steve Odland: So, over the past couple of years, you can't pick up a newspaper or tap in online without seeing examples of corporate security issues. Maybe talk through what are some of the hottest issues for companies today? Bill Udell: Yeah, certainly the hottest issue and one of the most present issues for companies in the security space—I mean, we can talk separately about geopolitics, and I listened to your podcast on top risks for 2026 and focused on trade and tariffs. And we're obviously talking to clients a lot about those issues and the geopolitical implications of moving away from our old rules and to new rules and [00:03:00] crossing red lines that we thought might not have been crossed, and what that means for companies caught in the middle. But if I drill down into security, specifically, the biggest topic over the last year, particularly in the United States, has been around executive security. And very much, for a lot of executives, it's really the first time that they're thinking about this because of, the big reason for that being the shooting of the United Healthcare CEO, Brian Thompson, on the streets of New York just over a year ago, back in December of 2024. And the reason that this is such a big watershed moment in the security space for our clients is, the shooting was obviously a tragedy and a jolt in and of itself. But for a lot of CEOs and executives, they realized, hey, this is someone that is outside of the public eye, would've previously been low risk. And then the other thing is what happened afterwards, the resulting lionization of the shooter, the vitriol that followed, [00:04:00] the threats that centered first on insurance and healthcare and financial services, but then spreading out from there into what we've sort of been referring to as a series of threat waves. It's obviously not the latest incident. There have been many more since then. There's been a string of obviously targeted violence over the last year. So the NFL building shooting, the Charlie Kirk assassination, Minnesota lawmakers, and those are just the ones that make the news. What's really been consuming our clients and executive teams—and we'll talk about the sort of convergence of physical and digital in a little bit—but it's the enormous number of threats, both physical and online, that the Fortune 500 executives have been receiving, and the huge spike in those over the last year that really haven't been reported. Steve Odland: That's really an important point, Bill, because when these things happen, you don't want to advertise them. So companies are very quiet behind the scenes, and so the stuff that you see in the paper is just the tip of the [00:05:00] iceberg, isn't it? Bill Udell: Yeah. That's exactly right. And we've seen, and we can talk a little bit about what we would recommend our clients do, but we have seen a shift in the way that security teams and executive teams have been handling this because not just of the volume of the threats, but also the wider reputational impacts, the vitriol that goes along with it. And really driven by this mix of political polarization, personal grievance, online radicalization, mental health issues, leads to the sort of targeted violence and threats. And those didn't just start in December of last year. That was a trend that we saw coming, really, since the pandemic. You could see it in a number of metrics, whether it's the increasing numbers of open FBI investigations or similar indicators. And they can start with very benign things. A regulatory dispute. In the case of the BlackRock executive being killed in the NFL shooting, there was a huge amount of online [00:06:00] threats that were then aimed at Blackstone because of the naming confusion between Blackstone and BlackRock, and people getting their conspiracy theories mixed up. So it's really difficult for companies to predict when these swells of threats are going to occur and how they might impact, both physically and reputationally. Steve Odland: Yeah. And it used to be that when you traveled to Third World countries, that you were trying to protect against a kidnap for hire or kidnap for ransom kinds of situations. But that was always in quote-unquote dangerous areas. Now, as you said, we're talking about the streets of New York, which, that's home. It's not because this is a really bad individual or this person has done something, it's a little bit more about society and making demonstrations against people. So it's not necessarily entirely random, although some of it is, but it's feeling a little more random. And then the huge outpouring of support for blatant [00:07:00] murder is really frightening in our society. Bill Udell: Yeah. And that, if I sort of rewind back to December of 2024, that was something that caught executives really off-guard, was that kind of linkage between the actual violence on the street and the upwelling of anger at certain sectors. And how that can create this, what we call a threat wave, where you have an individual incident or something in the news that then causes a cascade of threats against maybe that company or that sector, but then spills over into a lot of other sectors and a lot of other people that had nothing to do with that. And we are seeing that time and time again. So it's critical that companies do the deep and dark web monitoring, do the open-source monitoring, reputational monitoring, and understand the profile of their executives to be able to predict when they might get caught in these threat waves, as difficult as that is to predict. Steve Odland: So this has become less [00:08:00] about this sort of niche security issue, which is a small business, but to really a corporate governance issue because if you're thinking about this from a board of directors perspective, or from certainly senior management, if there's damage to you key operators in the company, it can significantly damage the operations of a company, shareholder value creation. All of that is tied to individuals. So it goes beyond that to your ERM processes, enterprise risk management processes, and core governance issues. Bill Udell: Yeah, that's right. I mean, if you just rewind just a couple of years ago, for most companies outside of those that were founder-led, where the enterprise value was really tightly associated with one individual, I think executive risk and executive security was seen as a, as you say, that sort of niche security issue. And again, and back to the UHG incident, that was a watershed moment when you're really realizing the potential strategic impact that a [00:09:00] single issue can have. So after that incident, UHG lost a hundred billion in market value. And like you said, the loss of a key executive, it's been on the ERM register for years. We've talked to clients about it. We've helped them build ERM programs that included that. But it's always gotten honestly, a little bit of lip service until a year ago. We are very much in the last year in a new area where it becomes really strategic risks that executive teams and that boards are paying much more attention to. And it isn't just about the violence or the threat or the tragedy itself or the loss of the executive itself. It's about that wave of reputational damage and public hostility that often follows. And we've seen that several times in the last year. Steve Odland: Well, it then suggests that there needs to be a reframing of these protective services. Right Because right now, corporate security or a driver [00:10:00] for key executives or private air travel, that's all viewed as a perk for an executive, and is imputed in the compensation, reported in the proxy. And it's become a flashpoint of, gosh, we got to cut this cause this guy's, this person's overpaid. But in fact, we have to reframe this because private air travel, it's not a perk. It can be, and it can be abused. There are bad situations that have happened historically. But for the most part, it's about security and safety. And so, it requires that boards and proxy advisors and all the constituents think about this and frame it differently. Bill Udell: I mean, very much. And as you say, traditionally, executive security, in air quotes, meant executive protection, meant physical executive protection. It meant just security while traveling abroad or private travel or certain aspects of crisis response. And just the threat has become so much more, and the impact has become so much more multidimensional. So spanning [00:11:00] physical, digital, reputational, legal domains. I mean, a simple thing of a leaked address or a deepfake video can just dominate headlines overnight and erode shareholder trust. So both on the preparedness side and what you're actually doing and what you're defining as executive security, and then, but on the impact side, in terms of what the implications are of getting it wrong, it's radically changed. And those security measures that you mentioned, like private air travel or executive protection, they have to be tailored, they have to be fit to the actual risks that the executive faces, and it can be done very efficiently. But ultimately, the money that companies are spending on that is a drop in the bucket next to the implications for getting it wrong, when you look at shareholder value and reputation. Steve Odland: I suspect if, and you talk to boards all the time, boards of directors and management teams, I suspect that most people feel like they've done a good job and that they're covered. But there's always some new crisis, right? I mean, just [00:12:00] walking down the street is this latest example. Where do you most often see the gaps in risk preparedness? Bill Udell: After December 2024, we had companies coming to us in all sorts of states of preparedness and thinking that they were prepared or knowing that they weren't prepared or, in some cases, having done the right things as they saw this risk coming, and they truly were prepared. But I think generally, I mean, if I could make a broad statement about preparedness, I think generally there's an overestimation of existing preparedness and an underestimation of the complexity of the problem and the multidimensionality of the problem. I think companies often will kind of fall into the trap of trying to take a kind of a one-size-fits-all approach to security risk management, generally, and security for executives, in particular. But given that complexity and the drivers, the complexity of the drivers of the threat, too, that's really difficult. So the most basic level, and I [00:13:00] mentioned this earlier, but I think we still see a lot of companies that do not understand, basically, the risks that truly impact them. They understand threats generally in the world, but they don't understand the risks that truly impact them. So they may be over-egging or overpreparing in some areas and underpreparing in others. So those risks should be really categorized by likelihood and impact of them actually occurring. And that has to be dynamic, it has to be consistently assessed, and has to inform then everything that comes after. Then once those risks have been identified, we see too many companies that don't monitor for changes. So the world is moving really fast, and monitoring for changes and spikes and getting a real-time sense of how those risks have changed is critical. And then last thing I think is if we assume that those risks have been identified and are being monitored. Identifying a threat and risk is obviously not the same as being ready to respond. So the real difference lies in [00:14:00] how prepared the organization is, and that's about holistic governance. It's about agreed risk registers and audits and specific plans. We see, too often, risk management in the security space being really siloed, and it's just about the security team. And increasingly for executives, that now, like I said, needs to span cyber, it needs to span physical, it needs to bring in legal and ops and HR. It needs to be a very much a whole-organization effort. So I would say just in terms of where we see gaps, just at the very basic level, it's about understanding the real risks that impact you as a business, and then making sure that the response and the preparedness isn't siloed in one kind of niche part of the company. Steve Odland: We're talking about corporate and physical security. We're going to take a short break and be right back. Welcome back to C-Suite Perspectives. I'm your host, Steve Odland, from The Conference Board. And I'm joined today by Bill Udell, CEO of Control Risks for the Americas. [00:15:00] So, Bill, before the break, we talked a lot about all the emerging physical security risks and some of the corporate risks. The Conference Board just completed its 27th annual C-Suite outlook survey, and interestingly, with over 1,700 executives polled in the survey and over 770 CEOs polled, the number one geopolitical risk was cybersecurity. And you don't think of cybersecurity as being a geopolitical risk, but you're seeing that, as well. Bill Udell: Yeah, we absolutely are. And we've seen this, honestly, for many years. If we rewind 10 years, we saw state-sponsored cyberattacks that used highly advanced tools that then allowed for the escape of other highly advanced tools, and were very much driven by geopolitics. And the geopolitical great-power rivalry between Russia and the United States, or China and the United [00:16:00] States, ending up in the spilling over of previously very well-protected attack tools in the domain of cybercriminals. So I think for a long time, there's been an intersection of geopolitics, great-power rivalry, and cybersecurity and criminality. I mean, that has been a swirl for a while, but certainly what we're seeing now is this combination of, as I mentioned before, this political polarization in the United States, the issues of grievance of mental health. Then combining, and being accelerated by, increasingly over the last year in particular, the return of real great-power rivalry and companies being stuck in the middle of both of those forces—so both international geopolitics and then stressors at home in the United States, and that then having a direct impact on cybersecurity posture, on physical security posture. And what the definition of digital security and physical security [00:17:00] are, if we look at what we used to call cyber, those lines are very much being blurred. So something that starts as a cyberattack and is an information exfiltration or ability to access proprietary and privilege information internally, if you're targeting an executive, can very easily spill over into the physical world, and vice versa. Physical penetrations can help facilitate cyberattacks. So that convergence is as strong as it's ever been. And that line between those two things is quite blurred. Steve Odland: Yeah. And the FBI and the CIA have issued a lot of reports on this. Privately, they're sharing some of that information and the data with companies, as well. But the stuff that happens online on social media and so forth is increasingly being driven by state actors. You've got China trying to challenge the United States economically, primarily, but not solely, also militarily, but Russia more from a [00:18:00] military standpoint, and Iran and others. But most of the negative and provocative kinds of social media posts that are stirring this up are coming from bots that are foreign-sourced. And their intent is to undermine civil society, stir up the masses. A lot of the protests that are seen around the country are funded by these groups and outside sources. What you're saying, all of this stirs the pot, and it creates a tinder box for these kinds of issues. And then you have, as you say, you overlay the mental health issues, which also came up in our survey as one of the key things, and boom, you come up with some really wild stuff. So it's not just a one-off, it needs to be thought of more systematically. Bill Udell: And it really needs to be thought of in the, I mean, you're exactly right, the wider context. So there's the geopolitical angle, the great-power rivalry, the interference and covert action campaigns that might be done by state actors to influence our [00:19:00] information environment. That then combines with decades of decreasing trust in institutions in the United States that had pre-existed. And business in some ways, this was something that we saw coming out of the pandemic, business was one of the most trusted institutions in the US. And business leaders being increasingly asked to take stands on social issues, and then, as a result, being caught in the middle of these various forces when they did. And then you sort of fast forward to the present day, and you combine all the forces that you have talked about with the powerful emergence of AI and the difficulty to trust your eyes when it comes to deepfaked videos and information. So that then puts an additional pressure on business that is, again, caught in the middle of trying to ensure that the information that they are putting out into the world, and that is tied to their executives is even the real information. So, if you combine all of that into this executive security challenge: the [00:20:00] fidelity of information, the reputational management, the trying to navigate the geopolitical forces aligned with it, that makes cyber and physical security a big, big, big tent issue. And that's why we see it going from that security niche into what needs to be addressed at the executive and board level, because it all fits within that overall rubric. Steve Odland: Yeah. And in our survey, as I mentioned, the mental health issues came to fore, and that really was the first time. We've always talked about well-being, and CEOs have been focused on the well-being of their employees and their work environment, but it's really the mental health piece of that. And again, historically, it's been about, well, gee, the CEOs and then and senior management need to do something to reduce the stress in the organization. In other words, mental health or stress issues created by that environment. That's not the [00:21:00] case as much any longer. I mean, there's still a little bit of that, but mostly, it's mental health issues coming into the work environment. And so when you've got that situation, any little grievance at all, stoked by social media and all this other stuff, becomes a potential threat to corporate and physical security. So how should organizations monitor that and prepare for that. Bill Udell: Yeah, I would say one thing is that it is still, I mean, we are still looking at a lot of insider threats. So to where you started off the question looking at, working with HR to identify mental health and grievance issues from the inside, that is still very much a thing. And these two, the external and the internal, very much need to be married up into one risk management program. But you're right, the much higher volume of potential threats are coming from the outside. And the ability of those to become viral and spin out of control is very much accelerated by our media environment, by [00:22:00] social media, by the sort of echo chambers, by the availability of information online. So speaking really practically about what a company should do, we need to start with a baseline. So I mentioned that any program or any mitigation needs to be really addressing the real risks that face you as an executive. So we almost always recommend organizations conduct what we call a digital risks profile review for their key executives and family members, cause family is quite important in this. The threat actors as we call them, often use family information as a way in, so including the executive's entire ecosystem. And these reviews map an executive's digital footprint and give a baseline. So social media exposure, deep and dark web searches, any leaked information, and other kind of vulnerabilities that might appear. And then we would couple that with a residential security review. So looking at the physical [00:23:00] risk profile and a digital risk profile. But to your point, it changes really quickly. So setting that baseline, setting a program around that overall risk assessment, including both the physical and digital worlds. And then setting up monitoring that is geared towards identifying any indicators of a spike in activity or negative sentiment or increased threats or the potential for increased swirl and vitriol in an adjacent area to spill over to that executive. So the threat monitoring around this and the trying to predict changes in that threat and risk environment has become quite sophisticated. Steve Odland: Yeah, it really is a new world. So, final thoughts on what you would recommend in this period of time, for the next year or two. What should boards and executives focus on? Bill Udell: Yeah, I wish I could say that things are going to get better from a threat perspective, but I don't think it's a great news story. Political polarization [00:24:00] is, I think the indications are certainly it's not getting better anytime soon. Businesses generally, and executives in particular, will still be caught in the middle, along with other public figures. And then from a threat actor perspective, we're going to see more capability for threat actors to manipulate, to spread disinformation, to access executives and their families, to divulge personal or proprietary information via cyberattack, et cetera, et cetera. Their capabilities will continue to be enhanced. And then last, I think we're seeing a continued acceleration of geopolitics and geopolitical rivalries and flashpoints accelerating those risks. So the challenge on leadership is going to be for them to really stay ahead of the risks and, not just be forced to react and that creates what is going to be a mindset shift. And so that's a mindset shift from executive security as a kind of a niche [00:25:00] thing and stovepiped, into a strategic risk and governance issue that needs accountability to the executive team and the board. And to look at it as part of that bigger picture. Steve Odland: Yeah, well-stated. It's not about just the CEO when he or she travels to a remote location. It's about every day, and it's about the company, it's about employees, it's about the entire team. Bill Udell, thanks for being with us today and sharing these great insights. Bill Udell: Thank you, Steve. Steve Odland: And thanks to all of you for listening to C-Suite Perspectives. I'm Steve Odland, and this series has been brought to you by The Conference Board.