How Can Businesses Leverage Geo-Political Risk Intelligence?

While more and more international businesses understand the need to mitigate against geo-political risk, most are still grappling with how to do that. This note indicates how to integrate Geo-Political Risk Intelligence (GRI) into traditional business functions.

It is generally acknowledged that “geopolitics” affects international markets and business. Over a thousand major Western businesses exited Russia, with declared total losses of over $100bn, in response to Russia’s full-scale invasion of Ukraine. That conflict also led to a costly re-organization of European energy markets and to higher international food prices. More recently, attacks by the Houthi rebels in Yemen have disrupted shipping via the Red Sea. Finally, businesses are being caught in the crossfire of the China-US rivalry.

The “geopolitical risk” lens emphasizes the role of Great Power conflict and of geography and other material constraints in international politics. But international businesses also face “political risks” rooted in the internal workings of each country: a weak rule of law, business-political cronyism, red tape, adverse regulatory changes, social unrest, organized crime, conflict and terrorism, etc. To reflect both perspectives, this note adopts the spelling “geo-political” risk. (On how the term "geopolitics" is used in practice and on related conceptual shortcomings, see my article "Geopolitics": What Is It Good For?)

Geo-Political Risk Intelligence

In the broadest terms, Geo-Political Risk Intelligence (GRI) takes two forms - proactive and reactive:

Proactive

Proactive work starts by mapping out the specific vulnerabilities and goals of the individual business. This map needs to be constantly updated as the business and its external circumstances evolve. How do geo-political risks map onto the firm’s existing and planned geographical footprint, regulatory jurisdictions, sectors, processes, supply chains and sales channels? An “impact assessment” helps the business allocate finite risk mitigation resources efficiently, focusing where the main vulnerabilities are. Specifically, it allows a geo-political risk function to…

• Establish baseline risk ratings for each conjunction of: 1) country, 2) business function, and 3) risk dimension or issue - a 3-way nexus. Such ratings should reflect the overall propensity of each country-function-issue to produce a range of adverse outcomes for the business. These ratings are then actionable by different business functions in relations to different types of risks. For example, the firm’s compliance team may need to have a baseline sense of FCPA risks across jurisdictions and sectors of interest. Generic, off-the-shelf risk ratings won’t cut it.

• Conduct day-to-day monitoring of developments on the ground to provide tactical early warning of impending crises, such as the onset of social unrest, military conflict, etc. Monitoring can also track short-term shifts in each country/function/risk nexus.

• Conduct strategic “horizon scanning” to stay “ahead of the curve” and detect a wide range of emerging opportunities and threats that are relevant for the individual business.

These GRI tasks should be implemented in a continuous, iterative way: monitoring and horizon scanning provide findings that feed back into the mapping of baseline risks ratings, which then sets priorities for new collection and monitoring, and so on. Without a systematic and proactive approach, organizations risk preparing to “fight the last war” - i.e. mitigating against their most recent crisis, as opposed to preparing for the most likely and most impactful challenges.

Reactive

Even the best proactive intelligence work cannot completely eliminate occasional surprises. Once a crisis has broken out, reactive GRI helps estimate what is likely to come next, to the extent that the crisis has geo-political drivers or dimensions. In turn, this helps the business respond to the crisis. Supported by GRI, the firm would have devised principles and procedures for crisis response well in advance of a crisis, including via regular scenario exercises.

Integrating GRI into the business

A geo-political risk management framework would describe how proactive and reactive GRI is integrated with all business functions and teams across the organization:

Security and safety

Proactive GRI provides security managers with the threat assessments they need in order to prioritize the deployment of finite risk mitigation resources. Namely, they need to prioritize those threats that are relatively more likely and/or more impactful for the business. GRI can also help assess the intent and capability of a range of state and non-state actors for conducting cyber-attacks.

After a crisis occurs, reactive GRI provides quick interpretations of fast-moving developments that help security managers decide on escalating the issue, alerting senior management and recommending response actions, such as, in extreme cases, the evacuation of personnel.

Legal and compliance

Proactive GRI helps compliance managers assess the likelihood that new regulatory requirements, such as trade restrictions or sanctions, will target sectors, countries and entities that are important for the business. Geo-Politics is key because national security considerations often drive new regulatory restrictions. This helps the firm plan for the eventuality that it will lose access to markets or suppliers, for example. Such tailored “risk map” is revised regularly as the business’ footprint and goals evolve.

GRI can also help scrutinize the firm’s relationships with key third parties, including potential joint-venture partners, acquisition targets, suppliers and distributors, etc. While this due diligence is typically performed by specialized teams and external vendors, the level of scrutiny required in different situations also reflects geo-political nuances.

Strategy

Geo-political trends can also affect businesses indirectly, via second- or third-order ramifications over a longer time horizon. GRI can inform the C-Suite about the risks attached to various options, when the business is considering a new strategic initiative. It is important that this advice is sought early on in the formulation of new strategy, when GRI can still add value. For example, a strategy of diversification of manufacturing capacity, suppliers and shipping routes needs to be informed by a geo-political risk assessment of the alternatives.

Separately, GRI can offer continuous “horizon scanning” to pick up on slow-burning trends that have strategic import for the business, but are likely neglected by standardized risk-assessments and geo-political punditry. What could throw company goals and plans off course? Which kind of geo-political developments could disrupt or endanger the company’s relationship with key stakeholders across business lines and geographies, including customers, employees, suppliers, regulators, investors, media, and the wider public? How are seemingly unrelated vulnerabilities likely to interact and compound across the organization?

Operations

GRI can provide ongoing monitoring of critical vulnerabilities across the firm’s operations. It offers a nuanced and in-depth understanding of formal and informal business practices across places and cultures. It can alert the business to informal practices that ought to be avoided as corrupt, fraudulent or unethical, even if they are widely tolerated locally.

GRI can also help draft business-continuity or crisis-response plans that take into consideration the operational and cultural nuances of different locations. For example, this may entail tailoring crisis messaging to different societal stakeholders in various localities.

Finally, GRI can help direct due diligence into third parties, such as suppliers, vendors and distributors. Even where the “leg work” of such due diligence is usually performed by external providers, the business needs to ask the right questions and to ensure that investigations are conducted ethically and legally on its behalf.

PR and communications

In addition to the points above on business continuity and crisis communication planning, GRI can also support effective marketing and pre-empt brand damage. For example, GRI is well-positioned to assess salient and often divisive issues in different jurisdictions, including on political, social, gender, cultural, race and environmental issues. The goal is to adjust marketing and other messaging to local sensitivities, to make it more effective and to avoid local backlash, while still adhering to the firm’s global branding and communications principles.

How to conduct effective geo-political risk analysis?

In order to perform effectively across the wide spectrum of tasks highlighted above, GRI needs to leverage a diverse set of skills and backgrounds, including ex-military, ex-government, academic, and area-studies specialisms. Having a diverse internal GRI team would help, but relying on a network of trusted external sources and collaborators can provide a massive boost in capabilities.

Horizontal, cross-functional integration

As with other risk functions, it is important that GRI is not bottled-up in a silo within the firm. Instead, GRI needs to keep a continuous dialogue with all internal stakeholders. It needs to remain current on evolving business challenges, goals and priorities. A GRI function should consider those stakeholders as its “customers”, tailoring its services to different teams or functions within the business. For example, analytical products should be sent to the specific stakeholders for whom they are relevant. They should state clearly why the recipient should pay attention to them.

Questions and feedback should constantly flow to the GRI team (internal and/or external). This is very different from the all-too-common approach of sending the same general weekly report to all managers, who probably will not read it. Scenario exercises with senior management can showcase the value offered by the GRI function, in addition to helping business leaders think more systematically and effectively about geo-political risks.

Commercial awareness

Like other enterprise risk functions, GRI needs to act as a facilitator of commercial decision-making, as opposed to as a doomsayer or impediment to business growth. Ultimately, the firm’s survival depends on achieving its commercial goals. To be sure, occasionally, risk professionals have to recommend against a given plan or initiative. They need to be independent enough to be able to do so. However, most of the times, GRI is about enabling business initiatives to proceed on a more solid footing, with awareness of the risks and with risk mitigation measures in place.

In this sense, GRI allows business leaders to perform a more credible estimation of the risk-adjusted return attached to a given investment or project. This is why GRI is a source of competitive advantage for the business, not just a cost. Of course, risk mitigation strategies can never completely eliminate risk, so business leaders need to evaluate residual risks in light of their firm’s risk tolerance or risk appetite principles.

GRI is no crystal ball …and one is not needed

GRI is not about predicting precise events, but rather about identifying and tracking the processes and circumstances that are likely to bring about relevant outcomes, including challenges, crises or opportunities. Such forewarning enables sensible and proportional risk mitigation strategies, without the need for elusive pinpoint predictions. GRI is about risk prioritization, given that it is impossible to mitigate against all plausible threats. Buying into the “snake oil” of overconfident predictions will only reduce an organization’s preparedness for the future. Recognizing irreducible uncertainty has its own forewarning value. Regular scenario exercises can help organizations build the kind of “mental muscles” and risk culture required to distinguish between helpful forewarning and dangerous overconfidence.

[Originally released on March 1, 2024. Reposting as article]

Is your organization integrating geo-political risk intelligence into its key functions? Are company stakeholders making the most of this kind of expertise? Do they recognize its full potential?