Geopolitical Risk: Best Practices in Enterprise Risk Management

Nasdaq Center for Board Excellence A community dedicated to advancing corporate leadership

By Christopher Hetner, Special Advisor for Cyber Risk, National Association of Corporate Directors; Dominique Shelton Leipzig, Partner, Cybersecurity, Data Privacy & AI and Leader, Global Data Innovation Practice, Mayer Brown; Elizabeth Wilson, Sr. Director, Head of Information Security Governance and Compliance, Nasdaq

Today’s geopolitical risk environment and governance landscape may be more unpredictable and challenging than ever. When layering on emerging technologies like artificial intelligence (AI), geopolitical risk governance quickly becomes an increasingly high-stakes, fast-moving and complex puzzle. For corporations, one misstep can wreak havoc on operations, financial performance, regulatory compliance, stakeholder trust and reputation.

Boards are under tremendous pressure to remain informed and vigilant on a wide range of issues and risks, such as political instability, divergent locality-specific regulations, global economic uncertainty and cybersecurity threats coming from domestic and foreign actors. To effectively oversee and prepare for geopolitical risk across such a diverse spectrum, corporations and boards should include geopolitical risk as part of a comprehensive enterprise risk management (ERM) approach.

The Nasdaq Center for Board Excellence explored this topic and some best practices in a recent webinar, "An ERM Approach to Geopolitical Risks and Uncertainty." Geopolitical risks present formidable challenges (and opportunities) that, as with many risks, do not impact just one facet of the company or organization. With this understanding, corporate board directors, CEOs and executive leadership teams that adopt an ERM approach can take a holistic perspective of risk throughout their company. While a traditional approach to risk management tends to view risks in silos, the ERM approach views risks in relation to the entire business and to each other.

Owning, tracking, and communicating geopolitical risk

Geopolitical risk is unique among risks in its complexity and unpredictability. Even when a geopolitical risk becomes an actual crisis, making qualitative or quantitative predictions about the short-term and long-term outcomes is challenging, and often they are incorrect. Given these challenges, staying up to date and maintaining active and proactive communication between the board, CEO and management teams is essential. What frameworks and tools should be deployed to help internal stakeholders understand the scope of geopolitical risk and build resiliency in the face of it? Who should “own” responsibility for geopolitical risk oversight and for driving communications across internal teams, to the CEO and the board about these risks?

The panel noted that there is no single or prevalent governance framework to point to. One proactive step to consider is establishing a dedicated risk committee responsible for reviewing and reporting to the board on all risk-related matters, including technology advancements, strategic shifts, digital transformation, ethical concerns, cybersecurity and data privacy.

Access to information and well-maintained channels of communication are essential to effective risk oversight and risk management. Not only should boards leverage the expertise available within the company and around the board’s own table, but as the panelists noted several times, boards should also regularly invite external speakers and advisors with specific expertise to provide additional perspective and insight on the complexities of particular risks. Expanding on this idea, because the impact of a risk elevated to a crisis is likely to be significant, establishing channels of communication with local and national law enforcement agencies, whose expertise would be needed in the event of a crisis, should also be considered as part of a company’s proactive strategy.

While boards favor and appreciate the usefulness of models and dashboards for understanding and assessing many complex issues, geopolitical risks are challenging to quantify through conventional metrics, so scenario planning is a more practical and appropriate tool for understanding and evaluating these risks. An effective, comprehensive approach to scenario planning does not require being able to predict every possible scenario; rather, the scenarios chosen, ideally with the help of knowledgeable experts, should be plausible and realistic, and the board should focus on evaluating what impact those would have on the company. Even with exceptional preparation, however, preparing for all possible eventualities remains a formidable task. Therefore, it is important that lines of communication and delegation of responsibility are well-structured to manage unforeseen scenarios.

Monitoring areas of emerging risk and being aware of false positives

Although some risks may currently seem low or inconsequential, at some point they may become substantial. Monitoring emerging risk areas involves considering potential threats that currently appear minor but could eventually have a significant impact.

From a technology and data perspective, especially for multi-national companies, an emerging area of risk is in the divergence and variability of technology standards across global regions, e.g., the European Union as compared to the United States. Maintaining compliance with various regulatory schemes that dictate standards for sharing, protecting and moving data and building compliant systems exacts high operational costs on companies. Developing a long-term strategy around data and technology innovation requires a sound and effective understanding of the associated regulatory, as well as other, risks.

A note of caution when assessing the likelihood of a relatively minor risk becoming something more serious: there is often a tendency to cling to “false positives,” that is, the belief that things are improving or will not be getting any worse. This tendency, coupled with various local conflicts with global impacts, suggests that companies should focus on building resilience, mitigating overdependencies and diversifying trade partners and suppliers to create sustainable practices that advance their long-term competitiveness.

Emphasizing effective decision-making

Predicting geopolitical events is arguably extremely difficult, and assessing geopolitical risk is a challenging and time-intensive process. To drive effective oversight and decision-making, boards should prioritize understanding their corporation’s risk exposure, together with its risk appetite, operational exposure and financial resilience. Ensure that expertise and timely information are continuously available and leveraged effectively. Engage in risk scenario planning. Preparing for or even analyzing every possible scenario is not feasible. Focusing on the threats that are plausible and realistic and most likely to cause material business, operational and financial harm across critical business assets, and having a playbook to help navigate through different crises, are therefore essential to being able to answer the question, “if this or this or this occurred, what would be the impact and how would we have to react?”

The views and opinions expressed herein are the views and opinions of the authors and do not necessarily reflect those of Nasdaq, Inc.