Bridging International Risk Management for Entities in the Family Enterprise

FFI Practitioner: September 17, 2025 cover

View this edition in our enhanced digital edition format with supporting visual insight and information.

Thank you to William J. Kambas, Linda B. Meade, Amber Melville-Brown, Doron Goldstein, and Jacopo Liguori for this edition, the third of a periodic series of issues dedicated to topics related to private trust companies. Today’s article discusses risk management, introducing the 3P Framework as a method for private trust companies and other family enterprises to develop risk management infrastructure.

Cross-border wealth is on the rise.1 Global markets may be open and accessible, but thorough risk management remains elusive, reflecting a persistent challenge for family enterprises: the gap between the ease of executing on opportunities and the difficulties of comprehensive risk mitigation.

While the general concept is well recognized and widely discussed, implementation remains uneven and often unresolved, frequently because insurable risk and data privacy laws vary across jurisdictions. The core issue is not merely technical but relational: who bears the responsibility for ensuring that risk is appropriately identified, calibrated, and managed?

Our perspectives as lawyers in the family enterprise space focus our attention on the roles and responsibilities within the architecture of legal entities. This article introduces a framework for understanding these roles and responsibilities, inviting readers to apply it across the diverse ecosystem of international family enterprise structures.

By grounding our analysis in legal doctrine and practical governance, we aim to illuminate both the dynamics of cross-border risk management and the people and positions best placed to address those dynamics.

A Unified Framework

Leaders in a family enterprise are well-advised to apply a multi-faceted strategy that incorporates comprehensive risk assessments, diversified asset management, and robust crisis management plans. Insurance coverage, where available, is often the first step, but only when it addresses identifiable and insurable events.

We recommend a framework that triangulates three P’s: the people (managers, officers, directors, trustees/fiduciaries, and advisors), their preparedness (isolating assets, recognizing events, and defining roles, responsibilities, training, and expectations), and a predictable process (identifying who gets the first call, who sends information to whom and when, etc.) that can be activated at a moment’s notice to safeguard family wealth, protect privacy, and maintain operational consistency.

People are essential because they are the foundation of risk management. Preparedness involves anticipating threats and being ready to respond efficiently. Processes reduce (but rarely eliminate) questions and doubts.

Risk can be borne within the enterprise, or it can be shifted to others through insurance or third-party engagements. In any event, aligning the three P’s allows for appropriate calibration.

Regulatory Requirements

Some key regulatory guardrails are the US Bank Secrecy Act (BSA), which is the cornerstone of US anti-money laundering (AML) efforts; privacy laws such as the EU’s General Data Protection Regulation (GDPR) and US state laws like the California Consumer Privacy Act (CCPA), which govern the use and protection of personal data; and the EU Artificial Intelligence Act (AI Act), which governs the development and use of AI systems.

Private trust companies (regulated or unregulated) having a substantial nexus in the US must comply with the BSA by implementing an AML program that establishes internal controls, provides for independent testing, implements risk-based customer due diligence procedures, and ensures compliance with suspicious activity reporting filing obligations.

Family offices may be subject to the BSA if they provide investment advisory services. Even if not legally required, many family offices adopt AML policies to manage risk, with some opting to undertake annual external BSA/AML examinations.

Under the GDPR, any processing of personal data—whether of employees, clients, or beneficiaries—must ensure lawful, fair, and transparent data handling. This includes the following measures:

  • Data Minimization: Only collecting data strictly necessary for the intended purpose
  • Storage Limitation: Defining retention periods and secure deletion protocols
  • Accountability and Governance: Appointing a data protection officer (DPO) or equivalent role to oversee compliance and risk mitigation

The EU AI Act introduces a tiered risk classification for AI systems, with high-risk applications subject to strict requirements such as transparency, human oversight, and robustness.

Evaluating which regulations apply, and to whom, depends on which jurisdictions’ laws apply to which data, and many leaders are surprised at the broad extraterritorial reach of laws like the GDPR. These laws require that a program be in place that addresses core obligations, including processes for data minimization, storage limits, data integrity, and confidentiality, and the adoption of appropriate technical, physical, and organizational safeguards. These measures are essential to prevent unauthorized access, identity theft, financial fraud, and reputational damage.

Risk Management Assessment

A cornerstone of a comprehensive global risk management plan is the implementation of integrated risk assessments. Regular audits addressing source and use country activities can uncover and help evaluate financial, operational, and reputational risks based on geography, services provided, and types of data involved, among other factors.

Development of a detailed global risk assessment strategy is beyond the scope of this article but is highly recommended. A starting point would include the following elements:

  1. Regulatory Considerations: Effective risk management is both a regulatory expectation and a best practice for private family trust companies. In some states, annual AML/KYC risk assessments are required. Even when not mandated, prudent fiduciaries conduct regular reviews to identify and mitigate emerging risks.
  2. Appropriate Leadership: A strong risk framework begins with visionary leadership. Aligning risk assessments with the family’s long-term mission ensures that risk management is not just reactive, but strategic.
  3. Asset Identification: Diversified asset management is another cornerstone. Trustees and treasurers work together to reduce exposure to market volatility through portfolio diversification. Academic research has established that diversification is both a defensive tactic and a growth strategy.
  4. Action Plan: Crisis management planning is essential for resilience. Clear response protocols and communication plans can be put in place to act decisively within the first 24–72 hours of a crisis, the timeframe recommended by the FBI.
  5. Digital Data: Cybersecurity, privacy, and vendor management are increasingly critical. Creating a data map—understanding what data is held, where, and by whom—enables appropriate safeguards. This includes vendor due diligence, strong contractual protections, cybersecurity controls, cyber insurance, and regular system reviews.
  6. Digital Tools: AI-powered tools are useful, but may also create risks including data leakage, bias, and IP concerns. Conducting impact assessments early and often helps ensure responsible and secure AI adoption.

Roles, Responsibilities, and Governance

Effective governance—whether focused on risk management or other objectives—depends on a clear, thoughtful, and appropriate distribution of responsibilities among the individuals involved in leadership, in the right place, at the right time, and in a form of legal entity that is characterized consistently across geographies. One must also recognize that some EU and other civil law countries apply “mind and management” nexus tests that could inadvertently create a tax situs for operations in unintended (or intended) places.

From an operational point of view, leadership might consider the following options:

  • A founder and/or president to serve as the visionary, ensuring that risk management, privacy, and cybersecurity strategies align with the family’s mission and are embedded in strategic decision-making.
  • A vice president or chief operational officer (COO) who might translate the strategic vision into operational effectiveness. Tasked with implementing plans and crisis-response mechanisms, a designated VP of risk might be the appropriate first responder and hold all key data for crisis response and management.
  • A chief compliance officer (CCO) to manage legal, regulatory, and reputational matters. A CCO would coordinate compliance with all regulatory requirements, develop and implement the enterprise’s AML policies, and oversee its ongoing risk assessments, thus promoting accountability, education, and training on AML and risk management.
  • A chief learning officer (CLO) who would engage the human, intellectual, and social capitals in the family enterprise by designing programs, curating strategic initiatives, and fostering mentorship and collaboration.

Given the growing significance of digital data, we would also recommend considering a dedicated AI, privacy, and security role—whether titled a chief privacy officer (CPO), chief information security officer (CISO), chief data officer (CDO), or data protection officer (DPO)—to ensure appropriate insurance coverage, if available, and careful processing of the data held.

Combining Assessment with Responsibilities: The 3P Framework in Action

The three interlocking pillars of people, preparedness, and process are the essential elements to effective crisis risk management. The assessment provides the landscape of risk for which to prepare. Recognizing responsibilities through appointments in a legal structure ensures that the right people are prepared for the role at the right time. Risks are not only identified but also proactively managed, ensuring the organization’s operational effectiveness.

For example, a family office managing philanthropic activities across Europe will regularly collect donor and beneficiary data. The 3P framework could be applied like this:

  • People: The DPO ensures GDPR compliance.
  • Preparedness: Staff are trained on data handling and breach protocols.
  • Process: A clear incident response plan is in place for data breaches, including notification to the supervisory authority within seventy-two hours of becoming aware of the breach, as the GDPR requires.

Take as another example a family enterprise using an AI-powered tool to screen investment opportunities or make HR decisions. The family enterprise may manage its risk by applying the 3P framework:

  • People: The CDO or an external advisor assesses AI system compliance under the EU AI Act.
  • Preparedness: An AI impact assessment is conducted to evaluate risks of bias, discrimination, or opacity.
  • Process: Governance protocols ensure human review of AI outputs and documentation of decision-making.

These examples illustrate how combining assessment with responsibility enables organizations to remain resilient, agile, and well equipped to navigate crisis risk management situations across jurisdictions.

Reference

1 Illustrated in reports such as the AlTi Tiedemann Global and Campden Wealth “2025 Family Office Operational Excellence Report” and evidenced also by the authors’ own legal practices.

DISCLAIMER: The views expressed in this article are those of the authors only. The information contained in this article is provided solely for informational purposes. This article does not constitute legal or tax advice or create an attorney-client relationship.

About the Contributors

William J. Kambas is a partner on the private client and tax team at Withers Bergman. He focuses on tax planning for multi-national and multi-state personal, active business, and investment activities. Bill’s practice assists families and family offices with the formation, management, and evaluation of centralized control and management structures. https://www.withersworldwide.com/en-gb/people/william-kambas
Linda B. Meade is a senior associate in the private client and tax team of Withers Bergman. She advises US and non-US families, business owners, and investors on structuring, tax, and compliance matters, with an emphasis on the formation and administration of single-family offices and private trust companies. https://www.withersworldwide.com/en-gb/people/linda-meade
Amber Melville-Brown is a partner in the media and reputation team at Withers Bergman. She is a media law specialist, advising clients in respect of reputation, brand, communication and information issues. She is experienced in defamation, privacy, breach of confidence, data protection, harassment, and blackmail law. https://www.withersworldwide.com/en-gb/people/amber-melville-brown
Doron Goldstein is a corporate partner and US head of the Data Innovation, Privacy and Cybersecurity Practice at Withers Bergman. A former software developer and network administrator, Doron assists clients to address and overcome complex situations involving privacy, data security, and information technology. https://www.withersworldwide.com/en-gb/people/doron-goldstein
Jacopo Liguori is a partner at Withers Bergman, leading the Italian intellectual property, technology & privacy team in the Milan and Padua offices. He has over twenty years’ experience in intellectual property, tech, privacy, and data protection. He assists leading Italian and international companies and private clients across different sectors. https://www.withersworldwide.com/en-gb/people/jacopo-liguori