
Navigating Geopolitical Risk

This document discusses navigating geopolitical risk and building resilience through collaboration. Some key takeaways include: 1. Geopolitical risk is a top concern for business leaders and is increasingly interconnected with other risks like supply chain disruptions, cyber threats, economic instability, and more. 2. Risk and internal audit professionals must work together with businesses to help synchronize responses to geopolitical challenges and uncertainties in the current volatile world. 3. Building resilience is important for businesses to prepare for and deal with significant disruptions from geopolitical incidents. Scenario planning, monitoring risks, and keeping options open are recommended approaches.

Uploaded by Jon Snyman

Navigating geopolitical risk
Building resilience demands collaboration in a challenging world


February 2023
Contents

Forewords

Key takeaways: Building geopolitical resilience

Introduction: Why should geopolitical risk matter?

1. Identifying geopolitical risks

2. What’s different today in geopolitics?

3. Risk and internal audit professionals in collaboration

4. Conclusion

Appendix
Case study: Economic meltdown: A global crisis on the horizon?
Case study: Conflict involving China: Taiwan and the South China Sea
Case study: War in Ukraine: Global implications
Case study: Climate change and geopolitics
Case study: US politics and democracy: Challenges to global stability
Case study: Cyber security and geopolitics

Authors: Hoe-Yeong Loke (Airmic) and Gavin Hayes (Chartered Institute of Internal Auditors)

Foreword
Airmic
Post the pandemic, global expectations and energy levels were high
and the mood for international cooperation was optimistic. There
was an expectation that people and societies would be re-energised
after the years of restrictions, and that a surge in the development
and use of technology would create a better digital ecosystem and
opportunities to thrive. Today, the future feels less secure and settled
than expected, and optimism is more restrained. Taking decisions in
such an uncertain and fragmented world is more difficult.

Most in the current employment pool have only lived in a period of relative peace and global stability.
The risk landscape has now been changed by more risks occurring and new and different risks emerging.
With an escalating velocity in change and an increase in the complexity and connectivity between risks,
we now find that risks considered beyond the horizon have arrived sooner than expected, and we now
discover that elaborate supply chains have significant fragilities that were exposed by the natural world
and the behaviour of some nations.

Business leaders need to look further over the horizon but not be frozen into inaction by what they find,
and they need to take time to assess the velocity and the nature and impact of change heading their
way. While understanding these dynamics will not solve anything, achieving greater clarity about risks
and their potential effects will make it easier to create appropriate interventions and to build a more
resilient business.

Risk and internal audit professionals share an inexperience in dealing with the current risk environment.
They must master new technologies, understand business and technology dynamics, and partner
the business and their other business peers to help synchronise business reactions with external
realities. However, with a tendency to be driven by schedules of work sometimes fixed up to twelve
months ahead, and with a degree of rigidity in many of the risk management and internal control
frameworks used, including the creation and management of risk registers, professional flexibility can
be inhibited at the very time when these professionals should be at their most agile. Risk and internal
audit professionals must be responsive to the pace and nature of change, and continuously consider
adjustments in their activities to reflect the purpose, culture and risk appetite of the business. They must
operate a feedback loop and have the courage to step up with informed and timely recommendations
for adjusting their approach collectively, where there are signals indicating they should do so.

In late 2022, McKinsey & Company reported that geopolitical risk was at the top of the CEO agenda. “In the
face of fragmentation and uncertainty, many business leaders are responding by intensifying their focus
on resilience.”1

Geopolitical risk is becoming far higher in profile on the risk radar of most businesses and is a board agenda
item – and according to our research conducted in support of this report, one which demands a collaborative
response from risk and internal audit professionals.

It is harder for businesses to plan for disruption. Businesses are monitoring and navigating the short-term
risk outlook, scenario planning for the longer view, but keeping an eye on strategic opportunities that
can emerge from volatility. Building resilience is imperative. Businesses need to be prepared to deal with
significant disruption caused by political incidents.

Julia Graham
CEO, Airmic

1. https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/how-to-build-geopolitical-resilience-amid-a-fragmenting-global-order

Foreword
Chartered IIA
Geopolitical uncertainty has for several years been ranked by Chief
Audit Executives as one of the top risks facing organisations, as
evidenced by the Chartered Institute of Internal Auditors annual
Risk in Focus survey. Indeed, last year it was elevated from seventh
biggest risk to third. However, despite its growing prominence and
severity, geopolitical uncertainty is still the risk that, according to
our research, internal audit spends the least time auditing. There is
growing recognition that this needs to change, and we hope that this
report will support those making that change.

There are three key messages that I would highlight to help aid internal audit’s thinking on
navigating geopolitical risk.

First, as we have seen from the War in Ukraine, geopolitical risk does not sit in a silo and should not be
viewed as a standalone risk. In our increasingly interconnected world, geopolitical events exacerbate
and interlink with existing business-critical risks. Sanctions have exacerbated legal, regulatory and
compliance risk. Cyber-attacks originating from hostile states mean organisations are now facing an
increasingly weaponised cybersecurity landscape. Supply chains are being disrupted like never before
and organisations’ reputations are on the line unless they act swiftly to end their links with hostile
states. At the same time, the spike in energy prices is a threat to organisations’ financial stability and
in some cases their very survival. This means internal audit functions need to ensure they integrate
geopolitical considerations into their risk universe.

Second, internal audit cannot work alone in grappling with geopolitical uncertainty. In particular,
internal audit and colleagues in risk management need to work closely together to support their
organisations in navigating the perfect storm of interconnected risks in this new geopolitical era.
This is why we are delighted to collaborate with our colleagues at Airmic on this report.

Third, none of us has a crystal ball and can predict future events, and even ‘expert’ commentators
regularly get things wrong. For example, in 2016 few called the Brexit referendum correctly or that
Donald Trump would be elected as President of the United States. A year ago experts on Russia never
believed Putin would go ahead and invade Ukraine, and nobody could have predicted that the United
Kingdom would have three Prime Ministers in less than a year! That these things did happen goes to
underline the increasingly uncertain and volatile world we now find ourselves in. But what internal
audit functions can do is work with their colleagues in risk to make sure their organisations have
robust scenario planning processes in place, for when the unexpected does happen. Effective scenario
planning will help to support greater resilience.

Geopolitical tensions continue to rise around the globe and there can be no doubt that geopolitical
uncertainty is here to stay. I therefore hope this report provides you with ideas, approaches, and
practical tips to help you support your organisations in navigating geopolitical uncertainty.

Anne Kiem OBE
Chief Executive, Chartered Institute of Internal Auditors

Key takeaways: Building geopolitical resilience
Geopolitics is used broadly to refer to international politics – and sometimes even to aspects
of domestic politics, especially when policy impacts relations between countries.

We are at an inflection point in geopolitics. The spectre of war has returned to Europe.
Decoupling between the economies of the US and China, the world’s two largest economic
blocs, is reversing globalisation as we have known it. The International Monetary Fund’s (IMF)
World Uncertainty Index readings have hit elevated levels in recent times.

This report demonstrates why risk and internal audit professionals need to relook at the way
they collaborate, as their organisations build resilience amid the maelstrom of geopolitical
risks. Elevated uncertainty created by an increase in volatility, complexity and pace of change
in a new geopolitical era calls for the following approaches to be adopted:

1. Be agile in responding to the challenges of ‘once-in-a-generation events’ occurring with regular frequency. With Russia’s invasion of Ukraine happening on the back of the pandemic, there is the danger of organisations making long lists of all the things that could possibly go wrong in geopolitics. But geopolitics is not a game of predicting the future. Some political observers have been chided for advising organisations that Russia had no rationale to invade Ukraine, but geopolitics is predicated on human behaviour – of leaders and citizens – which does not always go to script. All of this calls for organisations to be agile in responding to geopolitical crises and to be in a permanent state of readiness that recognises the nature of the crises we find ourselves in today.

2. Scenario planning and horizon scanning are the keys to preparing for geopolitical risk. Organisations must resist the temptation to be events-led and retain agility for when crises may strike. But agility is not a licence for them to improvise their response on the fly. They have to constantly challenge, stress test and update all of their baseline assumptions about the likelihood and impact of the risks they face. Meanwhile, horizon scanning should focus on assessing the velocity, impacts and likelihood of major trends. A key output from this process would be a shortlist of risk scenarios captured in an emerging risk register, which is used to stress test the business planning cycle and development of future strategy.

3. Stereotypical profiles of risk and internal audit professionals need to be reviewed to ensure they meet future needs. Risk management and internal audit have distinct responsibilities, but they must work together and at the same pace. Synchronicity is critical to the successful use of the Three Lines Model as adopted by the Institute of Internal Auditors (IIA), to achieve effective alignment, communication, coordination and collaboration. Professional education needs to balance soft and technical skills. The talent pool for the professions needs to be adequate for the needs of the future.

4. Take a long-term view of geopolitics. ‘Long-term’ may be five years in certain Financial Reporting Council (FRC) guidance, or it may be 30 years in energy and infrastructure sectors. Nevertheless, organisations need to bear in mind the geopolitically-related risks relevant to them and their supply chains, and not only in the short to medium term – reliable countries may no longer be friendly ones further down the road.

5. Stay true to the organisation’s purpose. After Russia’s invasion of Ukraine, Western organisations were forced to make decisions as to whether to withdraw their operations from Russia, often after decades of investment there. It is imperative for organisations to be clear about their purpose, risk appetite and strategy, while also being agile in their responses to crises.

6. Geopolitics is not just all about downside risk. Organisations must have the agility to seize upside opportunity, to cushion the impact of geopolitical crises, and enhance upside growth potential where possible.

7. Risk and internal audit need to operate as strategic enablers by providing executive decision-makers in their organisations with information that is appropriate and timely as they make difficult decisions in a challenging environment.

Introduction

Why should geopolitical risk matter?

As the word suggests, geopolitics is about how political power is linked to geographical space. But often today, ‘geopolitics’ is used broadly to refer to international politics – and sometimes even to aspects of domestic politics, especially when policy impacts relations between countries.

Geopolitical risks are rapidly becoming more prominent, and more severe. They are increasingly having a major impact on the long-term sustainability of a range of organisations and sectors.

The immediate geopolitical risks that many organisations are currently grappling with relate to soaring energy prices, rising inflation and the consequential increase in interest rates, to name just a few.

Some of these risks were already prominent and growing in severity as the global economy began to spring back to life following the Covid-19 pandemic. However, Russia’s invasion of Ukraine, the biggest geopolitical event in decades, has now magnified and broadened the range of geopolitically related risks that organisations are wrestling with. Indeed, the war in Ukraine is arguably an event of historical significance which has transformed the post-Cold War consensus, with ramifications for years to come. In turn, it will reshape the risk landscape and global trading environment in which organisations operate.

With 2022 officially declared the hottest year ever in the UK, following the record-breaking temperatures last summer, accelerating climate change could increase and exacerbate geopolitical tensions further still. As well as resulting in countries competing over resources, increasing levels of mass migration from uninhabitable regions could lead to humanitarian crises and become a catalyst for military conflict.

All of this means geopolitical uncertainty is here to stay for the foreseeable future and will contribute to a more risky and volatile business environment for the years ahead. Therefore, geopolitical and geoeconomic risks should matter to both risk and internal audit professionals alike, as the respective third and second lines in the Three Lines Model. Both have a vital role to play in collaborating to address geopolitical risk.

1. Identifying geopolitical risks

Despite not having featured in the top 10 risks in 2020 or 2021, according to Airmic’s annual survey of leading risk professionals, 2022 saw geopolitics rise to second place overall, in the wake of Russia’s invasion of Ukraine.2 Internal audit professionals also recognise geopolitical and geoeconomic risk as being key, as it was identified as the third biggest risk in the Chartered IIA’s Risk in Focus 2023 report3 – yet we also know from this research report that it is currently the risk that internal audit professionals are spending the least time and effort auditing.

This suggests that while both risk and internal audit professionals have clearly registered geopolitical risk on the radar, they could be doing more to deliver value through thought leadership and guidance on how to effectively tackle it.

“Every time there is a geopolitical event, there is an almost immediate impact on pension funds and the value of people’s retirement incomes and savings. Even the rumour of a geopolitical risk could have a significant and immediate effect. Nothing has to actually happen for it to have a massive impact on our everyday decision making as a corporate organisation. The velocity of geopolitical risk is very, very high.”
Group Chief Internal Auditor, Asset Management Company

Geopolitics as a risk, a theme, or events

The question therefore is whether geopolitics ought to be treated as a risk, or a theme, or whether it should be regarded in terms of events.

In surveys, geopolitical risk may indeed be regularly ranked alongside other risks such as supply chain failure or the loss of reputation. But it is soon apparent that geopolitical risk in fact encompasses a range of interconnected risks, in a way that cannot be said for supply chain risk, for instance. Russia’s invasion of Ukraine may have been the realisation of a geopolitical risk, but it has also directly brought about supply chain failures, a spike in energy prices that has fuelled inflation and cyber incidents, among other risks.

Indeed, geopolitical risk is different from other risks in that it is a strategic risk, whereas some of the other risks it is connected to tend to be operational.

One can think instead of geopolitics as a theme – or specific occurrences such as the invasion of Ukraine as events – under which a range of risks can be mapped.

Some organisations take their principal risks – for instance, supply chain risk – and overlay themes such as geopolitics, geoeconomics, pandemic and climate across all of them. During the 2008 global financial crisis, these organisations were finding that the crisis touched on approximately a third of their top 10 or top 20 risks. When the Covid-19 pandemic occurred, organisations which did this exercise again found that the pandemic touched as much as 90% of their top risks.

Regardless of how we resolve this debate, we will continue to refer to geopolitical risk in this report for ease of reference.

2. https://www.airmic.com/technical/library/airmic-annual-survey-2022-risk-and-resilience-perfect-storm
3. https://www.iia.org.uk/policy-and-research/research-reports/risk-in-focus/

The impact of geopolitics on all other risks


We don’t really treat geopolitical risk as a primary risk. We see it as having an
impact on all the other risks that we manage. As a major global investor, credit
risk is our biggest risk by a considerable margin. But obviously, geopolitical risk
and the uncertainty it creates have a significant impact on credit risk, and on
credit markets and equity markets. We consider events as being geopolitical,
and they bring consequences to our existing, underlying risks.
Group Chief Internal Auditor, Asset Management Company

Geopolitics is not about predicting events – scenario planning is essential

Many of the best political observers read the situation wrong and did not expect Russia to invade Ukraine. Russian troops were indeed amassing on the Ukrainian border in the lead-up to 24 February 2022, but these observers did not believe it was in Vladimir Putin’s rational self-interest to carry out his threat of invading his neighbour. Nor was Putin preparing the Russian population for war, judging by what was on state-controlled media in the lead-up to the invasion.

Years earlier, the reputation of election pollsters took a battering when most of them wrongly called the result of the 2016 Brexit referendum in the UK. They also largely did not expect Donald Trump to be elected as US President that same year.

But monitoring geopolitics is not about predicting events before they happen. It may not always be an exact science – which is more an indication of how the assumptions underlying our world today are rapidly shifting, rather than an indictment of political observers and pollsters. But it is certainly not a crystal ball gazing exercise. It would be unwise to hedge your bets on just one possible outcome, no matter the degree of confidence one holds in that reading. Rather, the focus should turn to scenario analysis and planning, which the next chapter of this report will look at in depth. In other words, we should be forecasting several scenarios, rather than just betting on one outcome.

Nobody can predict events

“It’s a mistake to try to predict events. I don’t think anybody can predict events. The value
in forward thinking is to thoroughly understand what you might do if certain things did
happen, rather than to try to predict what exactly would happen.”
Head of Risk Management and Business Assurance, Mining Company

The ‘low-likelihood environment’ today

We can easily agree that geopolitics should be more about scenario analyses than about predicting the future. But even that requires difficult calls to be made. In prioritising the scenarios to prepare for, how much weight are we to give to low-likelihood events?

We find ourselves today in what has been called a ‘low-likelihood environment’, where once-in-a-generation events such as the pandemic and the invasion of Ukraine have followed each other in rapid succession.

Things are indeed in a state of flux now, with increased instability and complexity in geopolitics, and there is no clear answer as to the importance we ought to assign to low-likelihood events. After all, an organisation’s preparations could not be effective if it were to prepare for an overly long list of scenarios.

What this means is that risk and internal audit professionals must constantly challenge, stress test and update all of their baseline assumptions about the likelihood and impact of the risks their organisations face.

Preparing for low-likelihood versus high-likelihood risks

At times, we tell senior executives that they are spending too much time
thinking about low-likelihood events. They were not thinking enough about
high-likelihood events that may be less interesting. Instead, most senior
executives are now worried about China invading Taiwan. We say to them:
‘Look, you’re worrying about the wrong thing.’ But they come back to us and
say: ‘But you told us that Russia was unlikely to invade Ukraine!’
Political Analyst A

Don’t make long lists of what can go wrong

Through the Ukraine crisis, we have seen two approaches. Some companies try
to make the longest list possible of things that can go wrong, and make sure
that they are prepared for all of them. That’s probably not a very good use of
time. Others try to assign values to the likelihood of different types of events
occurring, and prioritising what goes to the top of the list through this exercise.
Political Analyst A

Problems faced in addressing geopolitical risk

Despite a deluge of information, organisations are often none the wiser as to what to make of geopolitics. The key lies in how risk and internal audit professionals can tie geopolitical risks back to their organisations to make these risks relevant.

Other problems faced in addressing geopolitical risk, as shared by risk and internal audit professionals, include the following:

It is difficult to measure geopolitical risk unlike, say, how one can assign clear credit limits to an organisation’s exposures across the globe. The best way to tackle geopolitical risk is to have conversations, and to get different views, voices and opinions – but depending on such qualitative methods of monitoring risks means that those lacking expertise or knowledge in geopolitics may feel inadequate for the task of prioritising and preparing their organisations for them.

Geopolitical risks sit very high up on risk registers in years like 2022, but the effort and time spent in managing and assessing those risks is very low.4 This is partly as a result of the challenge mentioned above, which creates a vicious circle.

Outside of highly regulated industries such as the financial services sector, expertise in geopolitics tends to be less well developed. There is a sense in some quarters that aside from those in financial services, senior management tends to be led by instinct, which could often be wrong. This may well be an unfair judgement, but the bottom line is that in-house expertise in geopolitics tends to be more prevalent in the financial services sector than others.

It takes a certain maturity for the organisation to think about things that could go wrong and spend time discussing it. Many organisations have literally been in a perpetual state of crisis management since the pandemic. During such a polycrisis, most organisations would be fixated on immediate operational challenges. They may not have the luxury of time or resources to devote to such discussions.

The upside risks to geopolitics

Geopolitics is not just all about downside risk and avoiding those related risks. Rather than bemoan the state of geopolitics today, much of which is beyond the control of most organisations, they should tap into the opportunities from upside risk where they exist. There can be gains to be had even during periods of volatility if organisations are nimble and aware of their geopolitical environment.

When a company became aware of a possible change in the Brazilian government’s stance on welcoming foreign direct investment in specific sectors, it modified its engagement with Brazil and prepared plans to invest. That seemed counterintuitive at first. But because of the company’s first mover advantage, it became the global leader in its product within five years following the change in Brazil’s policy on foreign direct investment.

The company had looked to the upside of political risk and benefited from having highly skilled talent in Brazil and a large market in South America. In contrast, its key competitor lost 30% of its market share during this period and blamed this on the Brazilian government’s attitude to it. This presents a clear case where political risk to one company was an opportunity to another.

4. Risk in Focus 2023: https://www.iia.org.uk/media/1692518/risk-in-focus-2023.pdf



2. What’s different today in geopolitics

Globalisation, and now deglobalisation?

Geopolitics has changed dramatically since the end of the Cold War in 1991, when the Soviet Union collapsed, leaving the US as the world’s sole superpower. While the situation is still in a state of flux, we are now seeing the possible signs of deglobalisation, after years of trade liberalisation which was made possible by the myriad of free trade agreements.

Decoupling between the economies of the US and China, the world’s two largest economic blocs, is creating a host of risks. Could the world be fragmenting into blocs, each with different payment systems, reserve currencies and regulatory regimes?

With the rise of populist politics, and now with Russia’s invasion of Ukraine, ominous warnings have been sounded that we could be on the cusp of another major global conflict similar to that of the 1930s. Could organisations once again find themselves unprepared, just as many were unprepared for the Covid-19 pandemic, despite pandemics being a regular occurrence throughout history? Even if another war does not come to pass, given the current geopolitical context, there will undoubtedly be other major events on the horizon that will have the potential to cause significant business disruption. If ever there was a time for risk management and internal audit to think the unthinkable, it is now.

“A whole generation had grown up since the 1990s, when international
interaction was basically a free ride. There was no great power
competition. The US Navy ruled the waves. People thought China was
going to go capitalist. The last five years have shown the fallacy of all
that thinking.”
Political Analyst B

“It has been riveting over the past year to watch how two completely
unrelated risks – the pandemic and Russia’s invasion of Ukraine –
combined to exacerbate all other risks. Before the Ukraine crisis, we were
already dealing with supply chain issues coming out of the pandemic. All
that has happened since has been exacerbated with inflation.”
Senior Internal Audit Advisor

Is geopolitics today just more of the same?

Despite claims that we are living in a ‘new’ era, geopolitical risk is something we have been living with for a long time. Governments often change, whether because of elections or revolutions. That in turn has determined the direction of foreign or economic policy. Industries also regularly evolve – as the outcome of government policies or boom-and-bust economic cycles.

The tools, techniques and skills for risk and internal audit professionals to tackle geopolitical risk have therefore all been around for some time. They may need to adapt these for their contexts and to the present age – but they need not reinvent the wheel. They also need to be more agile. For internal audit professionals, it also means moving away from fixed audit plans that are set a year in advance. Risk and internal audit professionals need to ensure the agility of risk assessments and assurance, and ensure they have spare capacity, so they can react to events more nimbly and flexibly to meet the needs of the business and the volatile risk universe of the 2020s.

Three questions
The three questions I focus on amid geopolitical risk are: How do I keep
relevant? How do I keep resilient? And how do I be responsible?
Non-Executive Director, Investment Company

Geopolitics and purpose

In the wake of Russia’s invasion of Ukraine, many Western companies were forced to make a stand and withdraw their operations and investments from Russia. Consequently, public relations departments have found themselves under unexpected pressure to make statements on political issues.

Businesses are more visible and more actively scrutinised than ever before. This has come as the result of social and economic shifts in the wider society, and changes in attitudes, thanks to rolling news and social media. Public concern over climate change and the disruption caused by it will increase over the coming decade.

Avoiding political controversy is becoming more difficult as consumers and campaigners demand that organisations take a position on the key issues of the day. Typically, most businesses try to avoid becoming involved in anything political, but that stance is becoming increasingly difficult to sustain.

A clear definition of an organisation’s purpose and stakeholders can provide a reference point for managing and mitigating risks in these areas. In a rapidly changing world, it is easy to lose focus when running a complex business. In this new environment, corporate purpose is taking on a new salience. High-profile investment firms are increasingly asking questions about an organisation’s purpose, who it serves and who its stakeholders are.

Purpose, though, is more than just nice-sounding statements. It is essential that purpose is embedded within the organisation. Its purpose statement should therefore inform its strategy, its operating model, its performance measurement, its culture and its reward systems.

Risk and internal audit professionals in collaboration

Geopolitical risks often lie outside the bounds of what businesses, and even the largest corporations, can control. Geopolitics could cause a global shortage of microchips and, suddenly, an entire sector could be in trouble. Businesses are not able to go ferreting out single points of failure in their supply chains. This transforms an operational challenge into a strategic one.

This brings us to the rationale that led Airmic and the Chartered Institute of Internal Auditors to collaborate on this report. Risk and internal audit professionals need to work closer together in order to navigate their organisations through the perfect storm. During the pandemic, risk and internal audit professionals stepped to the forefront of their organisations. As the debates and case studies in this report will show, greater collaboration is needed to tackle the heightened uncertainty and volatility of the new geopolitical era.

“There are big strategic questions as the world becomes increasingly divided. For instance, does a globalisation strategy still make sense? And these are very difficult questions to deal with using traditional frameworks. This calls for risk, internal audit, and strategy to work a lot closer together.”
Political Analyst C

Potential geopolitical risk scenarios on the horizon

In the course of the research, we explored six thematic case studies based on geopolitical scenarios that are either happening right now or could potentially be on the horizon. These are all scenarios that both risk and internal audit must take into consideration as they carry out their audit, assurance, and risk assessment work.

Economic meltdown: A global crisis on the horizon?
Conflict involving China: Taiwan and the South China Sea
War in Ukraine: Global implications
Climate change and geopolitics
US politics and democracy: Challenges to global stability
Cyber security and geopolitics

Each of the thematic case studies, included in the appendix of this report, is based on insights that were garnered from a series of roundtable discussions that we had with chief audit executives, chief risk officers and geopolitical experts from September to November 2022.

3. Risk and internal audit in collaboration

How risk and internal audit professionals approach geopolitical risk

When it comes to how best to assess geopolitical risk, there is no one-size-fits-all approach, even among the largest and most sophisticated organisations. The principle is to tie geopolitical risk back to the organisation’s business. Geopolitical considerations need to be integrated into existing risk management and audit frameworks, and in the risk areas where geopolitical events can have the most impact.

Geopolitical risk as strategic risk

In our risk taxonomy, geopolitical risk sits under our strategic risk. We always think of it like that because we are a global organisation with globally dispersed teams. We have risk professionals sitting in different regions around the globe, and they are constantly feeding information back to us about what’s happening where they are. There are elections going on in some countries at any given point of time, or some kind of political instability in each region.

Then we keep indicators – red, amber, green – on the direction of travel of the trends they pick up. If there are particular issues of concern, they go into another framework we manage which looks at key emerging risks.

From an operational point of view, this is our daily business. It is also from a reputational point of view that we are watching these things all the time, to see if it all makes sense for us and for our strategy.
Global Director of Internal Audit, Consultancy Firm

Along with other external risks


We assess geopolitical risk along with the other external risks we face. We assess the impacts that
external risks could have on our business objectives – financial impacts in terms of revenue or cost,
or in terms of the impact they may have on our assets or liabilities, or our people. On the whole, the
approach we take is qualitative rather than quantitative.
Internal Audit Director, Multinational Electric Utility Company

Using the whole toolbox


I would say that there isn’t any risk out there that we’re not looking at. We have a team looking at
geopolitics, monitoring what’s happening in all territories of the world. From their research, we can
see what might become a geopolitical incident or a major risk. I don’t think there’s any tool out there
that we haven’t looked at, or that we haven’t used. Dealing with geopolitical risk is part of our
core business.
Head of Insurance, Technology Company

Tools are only as good as the time invested in them


Our risk team does PESTLE analyses, and a lot of horizon scanning. We also rely on our board
members, as well as other public bodies, for intelligence and to contribute towards those analyses.
I haven’t seen any particular tool that cracks geopolitical risk. What I have seen in organisations,
though, is where it isn’t done very well – because they don’t invest sufficient time in a particular tool
to make it work well.
Head of Internal Audit, Public Body

Probing the assumptions

Audit should test the efficacy of processes, rather than tick boxes to say processes have been followed. When it comes to risk mapping, it’s really important to capture how the people contemplating the risks actually came to those conclusions, rather than to just focus on what’s on the page.
Business Unit Head, Insurance Group

Asking the right questions

We don’t have any specific tool for identifying geopolitical risk. Once the risks are out there, the important thing is to ask: What does it mean for your business? To me, that is the most critical and most difficult question to answer.
Group Audit Director, Telco

Remember to audit for alternative scenarios too


We already had geopolitical risk and the macroeconomic environment as among our principal
risks. To address these, one of our key mitigation actions has been to have very robust incident
management and crisis resolution procedures in place when a major geopolitical event occurs.

So as part of our plans this year, we did an audit of how well this process is actually carried out.
We had already been performing simulations of what could happen, so we went back to those
simulations and audited the whole process.

No matter the type of crisis that occurs – whether it was an invasion of one country by another, or
something else – we needed to provide assurance the process was in place and that it was working.
So while a Russian invasion of Ukraine was one of the key potential scenarios for the year, we also
had to be flexible and adjust our audit plan to test for other potential key events in geopolitics.

In providing assurance, it is critical that you are able to see what you can change in your audit
approach, in order to find alternative scenarios to test for.
Corporate Audit Director, Fast-Moving Consumer Goods (FMCG) Company

Demonstrating the value of risk management frameworks


How do we use the component parts of our risk management system to actively manage risk? We
have built great frameworks for managing risk. But when the conversation happens somewhere
else, we then have to update those frameworks retrospectively, rather than using them as an active
tool.

So, take for instance a tool such as risk sensing – how do we use it? How does it inform our risk
appetite? Do we change our risk appetite off the back of what risk sensing is telling us? How does
that tie into our strategy and our capital plan, so that there is a clear cause and effect for each
component part? Do we have to update our early warning indicators?

So as internal auditors, we need to ask these questions in demonstrating that the risk management
frameworks we built have a place and a value.
Chief Audit Officer, Pension Fund

Geopolitics and hedging to the US dollar


Every month, my team look at our net asset position, and we hedge all of our assets and liabilities
back into US dollars. Obviously there are some currencies in the world where we can’t do that. But
even if there are tax costs to doing so, we think it protects us in ensuring we have enough US dollars
in the organisation to meet all our liabilities. This is very closely aligned to geopolitical risk, but it’s
also just managing the overall balance sheet of the organisation.
Global Director of Internal Audit, Consultancy Firm

Tools, frameworks and approaches

Stress testing

Financial services organisations are used to doing stress testing – and now even reverse stress testing, because of the regulatory framework. In determining the organisation’s capital levels and the risks to that, which is what stress testing sets out to assess, a thorough understanding of geopolitical risk and other external risks is required. Risk culture and appetite shape the decision-making processes of banks and fund managers, which would have their own research departments. In contrast, smaller organisations, and smaller risk and internal audit functions, would be less likely to have the skillsets to monitor geopolitical risk in-house.

That said, some financial services organisations are facing challenges auditing some of their functions because they have to adapt much more quickly to the changes around them. A stress test model from even just three years ago would already be irrelevant today, so it would be pointless to audit it. For all their sophistication and maturity in using stress testing models, even financial services organisations know they need to be much more agile in adapting to the environment.

Models are a major component of what financial services organisations use to perform some of their analysis. Given the fast-changing environment, the models need to be updated more quickly, regarding the underlying assumptions they use as well as their sources of information.

Nevertheless, models still provide a useful indicator of things and a guide as to how organisations should look at different scenarios.

“We can all be hit with new risks and issues. You just have to continue to figure out the most effective ways to grow your resilience and your capabilities, while continuing to think about the latest challenges coming your way that your research is telling you about. Are you trying to build resilience around that?”
Head of Internal Audit, Large Financial Institution

“It’s all about recognising the context in which your organisation sits, and how you measure and manage the changes in that context.”
Non-Executive Director, Investment Company

Sources of information and intelligence

We cannot expect all risk and internal audit professionals – or indeed people in any other roles within their organisations – to be trained in geopolitics. Despite how prevalent geopolitics may have been in the media headlines in recent years, it does still take a certain specialism to follow developments in the space and to get to grips with these.

In this age of free-flowing information online, there is no shortage of reports on geopolitics and economics to keep up with. Subject matter experts can be engaged to weigh in. There then arises the challenge of weighing the different findings of each expert or report, especially when they are contradictory.

This is where roundtables can bring value, particularly when they can coalesce different skills, roles and insights both from within and from outside an organisation. They bring experts and managers together to debate their various findings, which may sometimes be at odds with each other, and crucially to link these back to the organisation so that the outcome of the roundtable discussion is always relevant.

You need a view


There is so much information out there, more than you can ask for. So, what you need is a process. To
navigate a shape-shifting world which constantly transforms itself, you need to have a view. It’s less
about your information sources, because you can always find them.
Non-Executive Director, Investment Company

Dangers of silos
Large organisations inevitably have different teams with deep specialism focusing on specific risks, or
even components of a risk. That is where collaboration becomes even more important, because of the
dangers of silos and blind spots in a large organisation.
Regional Insurance Manager, Food and Agricultural Company

Roundtables, diversity of thought


Our approach is much more about roundtable multidisciplinarity. The value that we have gained from
that is the diversity of thought. No one now thinks they have a monopoly on the good ideas, because it
has now been shown that black swan events are no longer once in 100 years or 200 years.
Chief Audit Officer, Pension Fund

The importance of aggregating information

As an insurer, one of the things that is clearly important is to look at our aggregations. What we have learned from this exercise is that there were impacts which, on their own, would have been relatively benign. But when they aggregate with other impacts across multiple lines and industries, and also considering time phasing – where the order of magnitude of the impact on day one might be very different from that on day six – that’s where real risk management capabilities need to come in.
Business Unit Head, Insurance Group

Links with intelligence and diplomatic services

We have a safety and security team which has close links with the Foreign, Commonwealth and Development Office, which gives them privileged intelligence information. Globally, we also have very close links with embassies and high commissions in many countries.
Enterprise Risk Manager, Public Body

Disguising your sources in sensitive contexts


In each country that we operate, we have a corporate affairs presence whose role is to keep track of
what’s going on, and send feedback to the centre. In some countries, that’s a bit difficult.

So China being one example. What we have are people in China whose job it is to kind of look at
what’s happening in China. But as I was saying to some colleagues in our strategy team in the centre
today is that we have to be very careful, because there are certain things our Chinese colleagues
based in China can’t really say. They can’t say to us that the regime is in imminent danger of
collapse, if that were the case. They just can’t.

Interestingly, we segregate the information that our folks in China have, and the information held
in our centre. And when we run scenarios on China, we deliberately exclude our sources based in
China, almost to protect them so that they won’t be challenged by the authorities there. This would
allow our Chinese colleagues in China to say: ‘It was those guys in London [in the centre] who
dreamed it up’.
Head of Risk Management and Business Assurance, Mining Company

Intelligence sharing as a standing item on the board agenda


Intelligence sharing is key. One of the really good examples of best practice we have seen in the
past six months is where boards devote a slot of 15 minutes or so for updates on geopolitical threats
– primarily focusing on the Ukraine-Russia conflict, but also discussing wider issues including on
Taiwan. Having that standing item on the board agenda to share intelligence for people who need
to know, and to ensure that leads to actionable items, is really quite helpful.
Cyber Threat Analyst

The applicability of the Three Lines Model to geopolitical risk

The Three Lines Model provides a basis for building and implementing robust assurance across an organisation, including providing transparency over the effectiveness of governance, risk management, internal audit and control processes. It can apply to all organisations, whether they are SMEs, corporates or regulated entities.

The purpose of the Three Lines Model is to protect and create long-term value, while setting out the expectations of different groups within the organisation:

o Accountability by a governing body to stakeholders for organisational oversight through integrity, leadership, and transparency.

o Actions (including managing risk) by management to achieve the objectives of the organisation through risk-based decision-making and application of resources.

o Assurance and advice by an independent internal audit function to provide clarity and confidence and to promote and facilitate continuous improvement through rigorous inquiry and insightful communication.

Risk management and internal audit are complementary but distinct. But in no way does this mean
that they should not collaborate. The successful use of the Three Lines Model requires effective
alignment, communication, coordination and collaboration, with all roles operating concurrently.

The Three Lines Model as adopted by the IIA (2020)

[Figure: The Three Lines Model]
Governing Body: Accountability to stakeholders for organisational oversight
Governing body roles: integrity, leadership and transparency
Management: Action (including managing risk) to achieve organisational objectives
First line roles: Provision of products/services to clients; managing risk
Second line roles: Expertise, support, monitoring and challenge on risk-related matters
Internal Audit: Independent assurance
Third line roles: Independent and objective assurance and advice on all matters related to the achievement of objectives
External assurance providers
Key: Accountability, reporting; Delegation, direction, resources, oversight; Alignment, communication, coordination, collaboration

Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.

Strategic, tactical and operational risks must be synchronised to avoid the creation of lags. Risk
management and internal audit must synchronise the different speeds at which geopolitical (or
external) risk, tactical risk and internal (or operational) risk run. The job of risk and internal audit
professionals is to challenge the organisation to make sure that lags do not emerge.

“As the second line, my role as risk management is to challenge the business, whether it’s about strategic or operational risk. And if I see something which is not properly done, it’s my role to say so and challenge it, and to work with the business to tackle it.”
Head of Corporate Sustainability Risk Management and Risk Transfer, Stock Exchange

“The internal audit function should be willing to step up to the mark and say to the senior management, to whom they are providing reports: ‘Are you coming up with Plan B or Plan C, in case something happens?’ The answer might be ‘no’ or ‘not yet’. The internal audit team should be happy to say that’s not good enough. You may sometimes incur the wrath of senior management in doing so. But I think you need to be quite brave and be willing to sort of stick your neck out, and say what you think.”
Vice-President, Corporate Audit, Auto Parts Company

“Traditionally, auditors used to do things such as testing operational controls and making sure that no one’s committing fraud in accounts payable. I’m seeing the world of internal audit evolving. It’s not just about assurance – it’s also advisory. If I think of topics that are not being talked about, or I think that management is doing too much navel-gazing, looking at the things that are happening on the day-to-day basis and not horizon scanning, that’s where I think internal audit can play quite an important role.”
Chief Internal Auditor, Financial Services Firm

“We have a risk council for EMEA [Europe, the Middle East and Africa] which helps to identify geopolitical and other risks. We also have a risk council for middle management, and that’s really quite important because sometimes, people don’t tell the C-Suite or the VP [Vice-President] level what’s going on. By gathering the heads of all the pillars in your organisation in this two-layer format, it’s amazing what you will start to see emerging that you wouldn’t have otherwise seen.”
Head of Insurance, Technology Company

“We collaborate closely with our risk colleagues, and then we try to give our input in terms of the internal aspects of the organisation. And of course, they talk with many other people at the senior level. When we prepare our audit plan, this is one of the most important inputs that we have.”
Group Audit Director, Telco

“For us, internal audit and risk are very much a part of the same team. We identify the risks. We also work very closely with the business as well. So yes, anything that we find out in risk goes through into internal audit and we get information back from internal audit and the business.”
Vice-President, Risk and Assurance, Chemicals Company

Engaging with the board

Risk management and internal audit must make sure that there is regular and open communication with the board on geopolitical risk. Geopolitical events can have a significant impact on the business’s ability to execute its corporate strategy and mission effectively, which is why the board must take geopolitical risk seriously. Risk and internal audit professionals should feel empowered to speak up and raise concerns they have about the impact of geopolitical risk events with the board.

When communicating with the board on geopolitical risk, it is vital that risk and internal audit professionals eschew technical language in favour of clear, business-like speech – especially on technical subjects such as cyber risk.

“I think the biggest turn-off for a board is to talk in a technical language which they don’t understand. It’s really important that we spend time and effort to communicate in business language.”
CEO, Trade Association

Cyber and geopolitics: Two views


To protect the customer, data is at the core of our strategy. The board is fully focused on how we
protect data that comes from our customers. In at least every other risk committee meeting, we
focus on managing cyber risk in the business, talking about plans or potential incidents which may
have been raised in the internal audit reports we produce.
Group Audit Director, Telco

Some board committees are terrified by cyber security. Everybody’s saying it’s the biggest risk,
but they don’t fully understand cyber, so they could get very confused. The debate is usually about
whether we have done enough on cyber security. The result is sometimes a scattergun approach, as
opposed to a proper cyber risk management approach which would tell you whether or not we have
proactive assurance in these areas.
Head of Internal Audit, Public Body

Bespoke board sessions on cyber risk


There is a trend for board committees to have
bespoke sessions on cyber risk, splitting that out
from their broader conversation on risk. That way,
you can afford to spend a bit more time on building
knowledge to assess things such as your own risk
appetite as a company – and for board members to
upskill themselves on the cyber threat landscape.

That doesn’t necessarily mean you need to
articulate the deep technical aspects of cyber
threats to the board. Being able to talk through
how a breach works, being able to understand
which of your servers are encrypted and what data
has been stolen – all this will eventually help them
make a decision as to whether to pay a ransom or
not, after a ransomware attack.
Cyber Threat Analyst

Scenario analysis and planning: The key to geopolitical risk

Rather than focusing on predicting what would happen next in geopolitics, organisations should devote their energies to scenario analysis and planning. When risk and internal audit professionals ask questions along the lines of ‘what if?’, ‘so what?’ and then ‘now what?’, it helps their organisations adopt a mindset of being agile and adaptable, and thereby build resilience to tackle a range of risks in a volatile and unpredictable world.

Risk and internal audit professionals can work together by identifying geopolitical risks on the horizon, mapping their potential impact on their organisation and then running crisis simulation programmes to test the organisation’s responses.

Collaboration should not stop there. When it comes to issues relating to security and energy supply, risk and internal audit professionals should also work with governments and regulators where possible. They need to recognise that government policy will dictate or influence quite significantly some of the potential outcomes from these issues.

Scenario planning: Making preparations in advance


It can be hard to get boards to look at something that isn’t imminent. They tend to look at the
immediate crisis in front of them, and then deal with the other crises when they happen. And of
course when they happen, it’s too late. You could have made all sorts of interventions in advance.
You could have made your life a lot easier by doing scenarios.
CEO, Trade Association

The how-to of scenario planning


To devise scenarios, we have a global network of experts, not just in politics or economics, but also
in a much broader range of areas. I think going broad is terribly important. You also need the right
set-up. You would definitely need good information sources, and we also need to be quite
all-embracing in that regard. We will then find the right people within the organisation who can
process all that information, disseminate it and contextualise it for the organisation. Beyond that,
it’s also important that you have the right structure and culture to use that information.
Political Analyst B

We build scenarios based on multiple inputs. We also do specific simulation exercises for particular
risk events, which we find quite helpful because it helps the executive team understand how well
equipped it is to deal with them. Usually there are deficiencies that show, and so one can then fix
them. We have a central capability looking at geopolitical risk – typically people with diplomatic
backgrounds. Some other companies would use people with an intelligence background.
Head of Risk Management and Business Assurance, Mining Company

Actions, not just analyses


It was of course predicted that there may be a pandemic and it was a very prominent risk. In the
UK, the government had that as a scenario, but people didn’t want to make the investments to be
sufficiently prepared for it. And I think that’s a critical point on risk analysis and risk assessment
– your risk analysis is only as good as the actions that you are prepared to take when that risk
materialises. It’s the actions that come out of your analyses that matter.
Head of Risk Management and Business Assurance, Mining Company

Simulation and practice are important

It’s surprising how many organisations don’t have a well-defined crisis simulation programme, or they only do that once a year. Every organisation should regularly pretend something has gone terribly wrong, and practise ‘flexing the muscles’ you need in response. Because if you flex those muscles, you build them up and when it actually happens, you will be better at responding.

When we were seeing the build-up of Russian troops at the border with Ukraine, one of our colleagues in the cyber team asked: ‘What can we do today to pre-empt, just in case something goes wrong from a cyber perspective?’ So, one thing we considered and put into practice was to seal Ukraine from the rest of the cyber environment in which we operate. This would ensure that if something bad were to happen in one territory, it wouldn’t affect another territory. It’s the small things which come out of simulating unthinkable, complex scenarios that will matter when push comes to shove.
Vice-President, Corporate Audit, Auto Parts Company

Doing scenario modelling with governments

What has become apparent from the Ukraine crisis is that scenario modelling really needs to be done with governments – and with corporates, as in our case as an insurer – particularly when you are looking at those kinds of security and energy supply issues. They cannot really be done in isolation by individual risk managers in individual companies, without recognising that government policy will dictate or influence quite significantly some of the potential outcomes.
Business Unit Head, Insurance Group

Don’t write too many scenarios

You can write a limited number of scenarios, and you might get lucky when one of those comes true. You can write a huge number of scenarios, and it’s a library, but they are basically unusable. There’s a point somewhere in the middle where you should try to land.
Political Analyst B

Be agile, don’t follow the book

But the most important thing is having an awareness around you, and to be agile in adapting your responses. When crisis strikes, you should not be saying: ‘Oh my God, what does the book say we should do next?’ Because the playbook is almost certainly not going to be right about the situation you are actually facing.
Political Analyst B

Unpredictable geopolitics and human beings


With scenarios in geopolitics, we are dealing with human beings, and they can be highly
unpredictable. What we are finding is that the data hasn’t caught up with the behaviours. So, in the
short term, we are moving away from a lot of detailed analysis and scenario planning to much more
qualitative overlays. So, we are using the data, but we are caveating its use.
Chief Audit Officer, Pension Fund

Connecting geopolitics with other risks

Having conducted a scenario analysis, it is important to connect geopolitical risk with the organisation’s other principal risks. In some of the more technical types of scenario analyses such as those relating to climate, it is also crucial to take into account tipping points, step changes, and macroeconomic impacts and trends, rather than just making linear projections of the future.

Climate scenario analysis 2.0

A climate scenario analysis 1.0 can be converted into a climate scenario analysis 2.0 to include risks related to geopolitics, cyber security, financial credit markets, and so on. The climate scenario analysis that companies generally apply now has limited ownership – it is undertaken either by sustainability teams or risk divisions to address reporting requirements basically. And it’s very technical, academic, and it comes up with outcomes that are very linear.

What’s possible going forward is to embed scenario analysis with stress testing, engaging the C-suite and engendering more ownership, in order to achieve some practical and tangible solutions to implement. Only when different business units come to the table to talk about decisions related to geopolitics, as well as climate, would the scenario analysis be representative of the real world. We can then consider tipping points, step changes, macroeconomic impacts, and trends. This means the company is actually taking a strategic outlook rather than just ticking boxes because of regulatory requirements, or to satisfy a reporting standard.
Sustainability and Climate Advisor

What is it?

Climate Scenario Analysis 1.0
Engages with a core group, focusing on long-term climate trends and impacts at a high-level where the outcomes are plotted on a linear basis.

Climate Scenario Analysis 2.0
Engages with the C-suite and senior management through an interactive exercise tied to the organisation’s strategy, assessing the implications of climate trends across all timeframes that are relevant to the organisation. Crucially, it takes into consideration tipping points, step-changes, macro trends, and outcomes – which may not always be linear – to be more representative of the real world.5

“We have a team that does nothing but just come up with different scenarios. We work out which ones we believe are most likely to happen, and then different teams will address them. With the Ukraine-Russia risk, for example, an American multinational corporation put together a cross-functional group which included our organisation. We met on a weekly basis and looked at how literally all of the impacts you would know about could happen. We also looked at longer-term things, things that haven’t happened yet. For example, what happens if China invades Taiwan?
So we do have many different scenarios that we plan in advance for, and we have active planning committees to deal with day-to-day events when they happen.”
Head of Insurance, Technology Company

5. https://www.sustainability.com/globalassets/sustainability.com/thinking/pdfs/2022/climate-scenario-analysis-blueprint-nov2022.pdf

What are the skills and competencies needed?

The sense among risk and internal audit professionals is that specialist skills such as geopolitics expertise can be met through partnerships with third parties – through an expert or consultant in geopolitics, for instance. Rather, it is interpersonal management skills that are key for drawing the intelligence on geopolitical risk back to the organisation, to understand how it will be impacted and what steps need to be taken.

Interpersonal skills matter more

It’s not really about the skills or the qualifications [when it comes to geopolitics]. It should be more about the ability to think outside of silos, and to network with people, to listen and to collaborate. If anyone thinks they have got all the skillsets they need and can solve things on their own, they are the problem, not the solution.
Head of Insurance, Technology Company

Future of the internal audit profession

Many young auditors have lived through a world of low inflation, low interest rates – and generally, a world of low volatility. And we’re bringing a young cohort into the world of internal audit where we’re throwing at them non-procedural, uncertain topics. How do we deal with macroeconomic risk? How do we deal with a pandemic? How do we deal with war? We must look after our young auditors, so that they would want to stay in this important profession.
Vice-President, Corporate Audit, Auto Parts Company

Upskilling in the fast-moving climate space

There is not enough talent around the world who demonstrate these skills and understanding, or who have the necessary educational background. So, we harness the transferable skills that exist in our company, and upskill those of our people who demonstrate intellectual curiosity, and who are willing to be agile in an ever-changing topic. Because one day, it could be about environmental standards and, the next day, it could be about tackling the energy crisis, because topics move so fast. So, I think those who demonstrate agility, adaptability, and who are not afraid of uncertainty and change, are those who will be successful in this space.
Sustainability and Climate Advisor

4. Conclusion

Geopolitical uncertainty is here to stay and will contribute to a more risky and volatile business environment for the years ahead. Therefore, geopolitical risk should matter to both risk and internal audit professionals alike. They need to relook at the way they collaborate, as their organisations build resilience amid the maelstrom of geopolitical risks. The conclusions from this report include the following:

1 Geopolitical risk is not a standalone risk that sits in a silo.
It connects and exacerbates a wide range of business-critical risks including reputation, legal and regulatory, cyber security and even financial stability and liquidity, to name just a few.

2 Geopolitical risk should be viewed as a strategic risk.
One that exacerbates and heightens a wide range of risks, as we have witnessed with disruption to supply chains, inflation, interest rates and cyber-attacks, among other issues.

3 None of us has the power to predict future geopolitical events – but we have the means to do scenario planning.
By making plans based on plausible potential events, organisations can be prepared for geopolitical disruption. Simulation exercises and practice are therefore vital in managing and mitigating geopolitical risk. Financial stress testing, as is common across financial services and publicly listed firms, can also play a key role.

4 Risk and internal audit professionals must speak up and say the unthinkable on geopolitical risk and scenarios.
Even where this risks them being unpopular with senior management or the board. The bigger risk is of senior management or the board turning around and saying ‘Why didn’t anyone see this coming?’ or ‘Where was risk management and internal audit – why didn’t they see this coming?’

5 Risk management, internal audit and the board must work closely together as partners in good geopolitical risk governance.
The key to this is sharing intelligence and rendering it relevant to the organisation.

Appendix

Case study

Economic meltdown: A global crisis on the horizon?

Background

Much as geopolitics refers to international politics, geoeconomics is about how countries use their economic power to achieve political ends. For instance, Russia has cut off energy supplies to Europe in the midst of its invasion of Ukraine, as a means to pressure Western countries over their support for Kyiv.

Macroeconomic risk derives from the behaviour of industries and governments, and the relationships between them. It concerns fiscal and monetary policies, trade and investment flows, and political developments on a national and international scale, and the effects of these factors on financial portfolios and company valuations. Intermediate variables of particular importance to macroeconomic risk include equities and commodities markets, business cycle, unemployment, inflation, interest rates, prices and exports/imports.6

• While economies recovered in 2021, following the deepest global recession since World War II, the sharp return of demand caused prices to soar, in some cases at rates not seen in decades. One-third of interviewees, including chief audit executives, audit committee chairs and CEOs, who participated in the Chartered Institute of Internal Auditors Risk in Focus 2022 research expressed concerns over macroeconomic uncertainty, with some singling out rising prices as an area to watch.

• The war in Ukraine has further exacerbated the economic challenges many countries now face, putting even more pressure on the cost of energy, wheat, cooking oil and other goods, all of which are likely to fuel inflation further still, along with consequent interest rate rises.

• As a result, businesses will need to keep a close eye on their cost of production and revenue management to determine whether recent developments are merely a blip or spell a more fundamental and lasting macroeconomic pressure. In this context, internal audit is well placed to ask the right questions such as:

o Is the business in an industry that is especially exposed to inflation?

6. Global Risk Institute https://globalriskinstitute.org/research/macroeconomic-risk/



o Is senior management having discussions about the potential for long-term inflation and what it means for the business?

o Is the revenue management function assessing any price increases that need to be made in order to maintain and grow profitability without putting turnover at risk?

Meanwhile, the metrics clearly bear out the shift of economic gravity from the West to the East. In 1970, the largest bank in the world was Bank of America, with $25 billion in assets. As of 2021, the largest bank in the world is the Industrial and Commercial Bank Of China (ICBC), with $5.5 trillion in assets.

Macroeconomic and geopolitical uncertainty is having a strong impact on many other risk areas such as financial stability, reputation, supply chain, business continuity, cyber security or even human capital, diversity and talent management. As businesses battle against soaring energy prices, rising inflation, supply chain issues, disrupted workplaces and so on, it seems that internal audit should look at macroeconomic and geopolitical uncertainty more closely than it is at present.

The risk and internal audit professionals in our roundtables shared the following observations:

• There may be a financial crisis looming, but the banking sector is in a stronger position than it was on the eve of the 2008 global financial crisis – largely due to the measures imposed on the sector since then, which have built resilience and reserves. So, while there is clearly a geopolitical crisis ongoing, there is unlikely to be a global financial crisis, which is a distinctly different situation.

• It will be more of a social crisis that is looming, as the rise in the cost of living starts to bite.

• Nevertheless, given that the sterling has weakened, it does leave UK businesses vulnerable to takeovers, as the price point of the UK businesses becomes attractive. Mergers and acquisitions risk is therefore likely to rise in prominence.

• The board and executive level need to understand the environment they are operating in. Organisations need to understand their risk-reward model and how that is changing – because that is what drives decision-making.

• The role of governments has changed and, with that, the expectation that people have of governments. During the pandemic – and now the energy crisis – it was governments rather than banks who were the lender of last resort. This also signifies a new relationship between the state and businesses.

Case study

Conflict involving China: Taiwan and the South China Sea

Background

• While underlying tensions between China, the US and other Western countries have been ongoing for a long time, not least with their fundamentally different political systems and their divergent views on international relations, the relationship took a definitive turn for the worse with the ‘trade wars’ when Donald Trump was US President.

• Chinese President Xi Jinping has been increasingly bellicose about ‘taking back’ Taiwan, which he regards as a Chinese province, raising fears of an imminent invasion of the island. The 2022 visit to Taiwan of Nancy Pelosi, the then Speaker of the US House of Representatives, which resulted in China conducting military exercises in the area, underlines the volatility and unpredictability of the situation.

• China has also become more assertive in the South China Sea, much of which it continues to claim as its own territory, rejecting the 2016 ruling of an international tribunal. The US and China are also in disagreement over the freedom of navigation in the South China Sea, and there is a real risk of clashes between the two sides.

• Tensions between China and the West have heightened since Russia’s invasion of Ukraine. Partly because of the ‘partnership without limits’ declared between Russia and China in the lead-up to the Ukraine invasion, fears have been stoked that China is getting serious about invading Taiwan.

• Taiwan manufactures around two-thirds of the world’s microchips, which are needed to make phones, drones, and set up supercomputers and cellular networks, and even weapons.7 A conflict that engulfs Taiwan will therefore cause major disruption to the semiconductor supply chain and all the industries around the world that rely on it.

7. https://asia.nikkei.com/Business/Tech/Semiconductors/Taiwan-s-share-of-contract-chipmaking-to-hit-66-this-year-report

The concerns of organisations regarding China:

• Losing the licence to operate. “One of our principal risks is losing our licence to operate in China, because of the reliance of our business on China.”

• Sanctions on China will be even more impactful than sanctions on Russia. “The UK’s sanctions regime on Russia during the Ukraine crisis has gone beyond what we have ever seen, in terms of how deeply the professional services sector has been drawn into that. We worry about how much more far-reaching the impact would be of such a sanctions regime potentially applied to China.”

• An overnight supply chain break with China following any acts of military aggression. Besides the impact on the global semiconductor supply chain that conflict involving Taiwan would bring, there would be widespread disruption in global supply chains affecting many industries, by virtue of how much more China is integrated with the global economy than Russia has been.

• Diminished trade would disrupt our markets. “We have no major operations in China. But if a serious split between China and the West occurred, leading to heavily diminished trade between China and the rest of the world, that would have a dramatic effect on the market for what we produce.”

• A rise in anti-West sentiments within China. “I have been interacting with colleagues at a state university in China for more than 20 years. But over the past year, I have sensed a real hardening of their views regarding the West … I picked up a lot of resentment and hostility coming from colleagues there as they watched how Western countries responded to the Ukraine crisis.”

• “Damned if you do, damned if you don’t”. A mining company exited China because it wanted to ‘do the right thing’ in view of reports about China’s human rights violations, among other issues. However, its credit rating was subsequently downgraded by the international rating agencies, because of how its financial outlook worsened as a result of exiting the lucrative China market.

Trends to watch out for

Friend-shoring

With an eye on China, US officials are leading a trend for organisations to shift their manufacturing operations to countries with shared political values. This has meant moving production and jobs away from China to ‘friendly’ countries in the Asia-Pacific region such as Indonesia, Malaysia and Vietnam, as a means of safeguarding their supply chains and reducing their reliance on authoritarian regimes such as China.

‘Gray zone aggression’

Even when a state uses means short of military action, they could still weaken other states and cause losses for businesses. Elisabeth Braw, a senior fellow at the American Enterprise Institute in Washington DC, has termed this ‘gray-zone aggression’, which could involve cyber-attacks, intellectual property theft or coercive economic actions such as the cancelling of critical sponsorship deals, all of which could inflict economic harm. Gray-zone aggression can be hard to respond to because of the ambiguity behind who exactly is involved and what their intent is – but such tactics could nevertheless have the effect of exerting political pressure on the targeted country.8

The risk of ‘fighting the last war’

“I think the scenario involving China and Taiwan is probably going to be quite different than what happened between Russia and Ukraine. Everyone is focused on learning the Russia lesson, which is important. But at the same time, there is a risk that we would be ‘fighting the last war’ and be caught out when the next war turns out differently. I think miscalculations between the US and China are more likely in the South China Sea, rather than around Taiwan.”
Political Analyst C

8. https://www.wtwco.com/en-GB/Insights/2022/09/geopolitical-risk-gray-zone-aggression

Case study

War in Ukraine: Global implications

Background

• While Russian troops had occupied the Crimea in 2014 and had more recently been massing near the Ukrainian border since late 2021, Russia’s invasion on 24 February 2022 took many by surprise. There were no signs that Putin was preparing the wider Russian population for the war – which he continues to call a ‘special military operation’ – and indeed he kept plans for the invasion secret within a tight group of close advisors.

• There is uncertainty over how long the war will last. While Ukraine has retaken some of its territory lost to Russian forces in the early days of the war, one year on, the conflict continues and has drawn other countries in to a certain extent. Therefore, a long-term view on the conflict is required.

How organisations responded to the invasion of Ukraine:

• Prioritising different levels of impacts. “When the invasion happened, it was imperative for us to identify the first order of magnitude impacts. As an insurance company, we looked at people and the assets and operations that we insured on the ground. In terms of the second order of magnitude impacts, we looked at how the events actually impacted our risks in a broader sense. For instance, we looked at how Russia’s threat to reduce the piping of natural gas and oil products to the West would impact our customers. And then in terms of the third order of magnitude impacts, we were trying to conceptualise what the proliferation of the war would bring about. Then we developed a number of scenarios.”

• Be prepared to respond with agility and speed, for business continuity. “Within two weeks of the invasion, we withdrew our brands from Russia. It was very, very fast moving indeed for a company as large as we are, which was deeply established in Russia. It was also very important how ready we were to react to the changes that are happening there. What really helped was that we had already established a team looking at incident management and crisis resolution, which we mobilise when major unexpected events happen.”

• Mapping long-term scenarios. “A long war was one of the four scenarios we modelled back in February 2022 when the invasion occurred. We looked at revenue, military, supply chain, energy crisis, economic, nuclear, cyber and other factors. In fact, the invasion itself could be said to be the outcome of a decade-long war going back to Russia’s annexation of Crimea in 2014. We had already been asking what the impact of such a decade-long war could result in during the year 2022.”

• Disposing of assets in Russia. “Many organisations have sold off their units or operations in Russia, and do not plan on returning anytime soon – although there are cases of some having written into their sale contract a right for them to buy back the asset some years further down the line.”

• Learning the lessons as we go. “We are living through a ‘live’ stress test now and learning the lessons. We spent so much time doing scenario analysis and building our recovery and resolution plans – we are living through a test of those documents now. One of the things my organisation has really appreciated from this is that theory and practice are often quite different. And approaching this as a siloed team would not work. We have broken down some of those internal barriers and approached the issue in a more multidisciplinary way.”

Reflections and lessons learnt:

• The importance of scenario planning in an unpredictable world. “We have had a Ukraine invasion scenario in our analytics tool since 2018. What eventually happened wasn’t exactly what our scenario said, but it was close. What we didn’t anticipate was how others would react – how our competitors would react or how our employees would react. On the eve of the invasion, we were still receiving advice that there was a 90% chance that Russia would not invade Ukraine. So, I’m a big believer in scenario planning.”

• Risk and internal audit professionals are primed to think long term for their organisations. It is often observed how the corporate world tends to think short term, because of the pressures of quarterly reporting. Risk and audit professionals, by the very nature of their work, have to take a broader approach.

Taking sides in Ukraine conflict

Companies and investors are having to take sides. We have seen many Western companies leaving Russia, and vice versa too – Russian businesses leaving the West. If you think about supply chain implications and talent issues, and all the other things they might touch on, there is major real impact on markets, businesses and national economies.
Head of Internal Audit, Online Food Delivery Company

Case study

Climate change and geopolitics

Background

• Most people may think of climate change action as primarily involving scientists and governments – but there is a clear geopolitical angle to it which keeps businesses and other organisations up at night.

• Resistance from citizens. There was much progress made at the COP26 UN climate summit in Glasgow in 2021, notably with the pledges on methane reduction and deforestation – but these pledges have been a difficult sell to citizens, as countries emerge from pandemic public debt. There seems to be a disjuncture between governments and their citizens.

o For instance, in a June 2021 referendum in Switzerland before the COP26 summit, voters narrowly rejected a new law that would have helped the country meet its goal of cutting carbon emissions under the Paris Agreement on Climate Change. The draft law included measures such as increasing a surcharge on car fuel and imposing a levy on flight tickets.9

• Ukraine and the energy crisis. The war in Ukraine and the resultant impact on energy and commodity prices, and inflation, have heightened the challenges in coming to a global consensus at the subsequent COP27 summit held in Egypt. Governments have asked for coal-fired power plants to be kept open.

• Developing countries and the issue of equitability. More climate finance needs to be unlocked to help developing countries cut their emissions without negatively impacting their economic development and to transition away from fossil fuel dependence. Developing countries have argued that it is not equitable for developed countries to demand that they cut their emissions, as developed countries had polluted the planet during their economic development in earlier eras. Yet governments of developed countries struggle to convince their electorates that they need to unlock such climate finance for the benefit of developing countries.

9. https://www.reuters.com/world/china/swiss-voters-decide-pesticides-ban-terrorism-law-covid-19-aid-2021-06-12/

• A zero-sum game between energy prices and green investments? There are fears that the rise in wholesale energy prices is having the effect of reducing the amount of money available for green investment.

COP27: The expectations of risk and internal audit professionals, and their organisations

In the lead-up to the COP27 UN Climate Change Summit, which took place in Sharm El-Sheikh, Egypt in November 2022, risk and internal audit professionals shared with us the expectations they and their organisations had in terms of the summit’s outcomes, as well as their take on global climate action more generally:

• Businesses recognise the importance of achieving the target of preventing average temperatures from rising by more than 1.5 degrees Celsius above pre-industrial levels. But they sensed that the willingness, politically, for governments to cooperate had been dissipating since the COP26 summit in Glasgow, due to increased geopolitical tensions. They feared it would be harder to get that consensus or nearer that consensus at COP27, and therefore harder for governments and businesses alike to achieve their targets.

• Businesses also recognise that if the developing countries do not have enough funds for climate-related solutions, it would become a global problem which would sit on the balance sheets of companies through the value chain, and through the investment platforms.

• It is important to take an industry sector approach when mooting energy efficiency solutions. Consider for instance the construction sector, which has been responsible for about 40% of the energy demand in Europe. If the construction sector were to embark on a journey to utilise energy efficiency mechanisms and new ways of sourcing the energy it needs, it would release some of the energy supply for the other parts of the economy and for the world.

• Businesses appreciate the need for climate-related regulation, but they want advance notice of such regulation. Ideally, they would like governments to give early warning of two to four years of when such regulation would be imposed. Some businesses have been caught out in the past, where the introduction of new climate-related regulation resulted in the disappearance of some of their end-use markets. Having a handle on regulation in advance would make a big difference to them, especially smaller businesses for which it would help level the playing field.

COP27 was billed as the ‘Implementation COP’10 – the moment to implement the pledges made at the COP26 in Glasgow – but observers were disappointed on that front. The emissions cuts pledged did not add up sufficiently to limit the temperature rise to 1.5 degrees Celsius above pre-industrial levels.11 Nevertheless, there were some bright spots, such as the fund established to help countries facing severe damage from climate change.

Challenges today will seem like a picnic in 50 years

If you’ve got positions as a company, or if you’ve got risk, the related things like achieving 1.5 degrees, that doesn’t go away just because there’s a conflict and there’s terrible economic and societal consequences. It is indeed not easy, but the reality is that if we don’t sort out 1.5 degrees, what’s going on right now with the climate will seem like a picnic in 50 years’ time. So, the challenge is how to act when we have some tough short-term issues, while we still have our 1.5 degrees commitment. We are still working with customers and with investing companies to work on their transition plans and help them manage the risk associated with the transition.
Head of Sustainability Risk, Insurance Company

10. https://www.un.org/africarenewal/news/cop27-outcome-reflections-progress-made-opportunities-missed
11. https://www.wri.org/insights/cop27-key-outcomes-un-climate-talks-sharm-el-sheikh

The case for renewable energy in times of crisis


We shouldn’t forget that technically, like every climate-related risk, the current
challenges with inflation and the rise in commodity prices also present
opportunity to the world to turn to renewable forms of energy, instead of going
back to the old ways of providing energy through coal power plants.
Sustainability and Climate Advisor

If the government invests in insulating properties, and promoting new wind and
solar farms, which can be built in one or two years, that would be far quicker than
launching a new gas field or to start fracking – that will actually increase our
energy security much more quickly than some of the higher carbon intensity forms
of generation. And we would reduce people’s utility bills much more quickly. So,
I think as long as the message is delivered in the right way, progress in climate
action is still possible at this time.
Internal Audit Director, Multinational Electric Utility Company

What businesses want governments and regulators to do

• A roundtable participant from a utility company wanted governments to be more proactive rather than reactive. Businesses understand that it would cost more to deal with the effects of climate change when they strike, and it therefore makes sense for governments to be more proactive and reduce emissions in the first place.

• Governments need to include energy conservation within their climate change approach, as it is one of the lowest-hanging fruit. It also represents the lowest marginal cost improvement that can be taken, with no investment required for it. Energy subsidies are all still going towards fossil fuels. In the words of one roundtable participant, “Governments paying people to pay for more expensive fossil fuel energy doesn’t make sense.”

• A roundtable participant from the financial services sector found it key for regulators to unlock some of the capital their sector is required to hold for regulatory purposes, and to allow them to invest more in research and development into solutions to the climate crisis. Regulators in the financial services space are indeed closely engaged in dialogue and consultations with industry – which is crucial – but the increased ability for the sector to invest in climate solutions would help ensure they do their part in climate action.

• Where businesses look to regulators to lead: The cost implications of having solar panels installed, for instance, are not widely accepted by customers. Without regulation to force the construction industry to build to different standards and to enable them to pass on those costs, it becomes very difficult for businesses to deliver the green proposition.

Case study

US politics and democracy: Challenges to global stability

Background

• As a major centre in the global security and economic architecture, the strength of America’s public institutions and popular commitment to globalisation are key pillars of the system of international norms and protections that underwrite international trade.

• The US political landscape has been reshaped since Donald Trump’s election in 2016. This year, the US midterm elections in November 2022 were keenly watched for indications as to how the even more critical 2024 presidential election would shape up. US voters have tended to punish the party of the president at midterm elections – in this case, Democrats – so there were fears it would put Donald Trump in a good position to run again in 2024 on the Republican ticket.

• While Democrats lost the House of Representatives, they performed better than expected, not least in retaining control of the Senate. Republican candidates who were personally endorsed by Donald Trump performed badly, which will dent the former president’s chances in the Republican primaries for the 2024 presidential election in favour of Ron DeSantis, the Republican governor of Florida and rising star of the party.

• US politics remains highly polarised, with the continued propensity for political violence as unleashed in the attack on the US Capitol on 6 January 2021, as well as dysfunction in policy-making due to more fragmentation and antagonism inside the major political parties.

• That said, Democrats and Republicans are in agreement on one major foreign policy issue: the US’s relationship with China. Protectionist trade policies are becoming increasingly entrenched within both parties.

The views and concerns of political observers

• While the latest midterm elections did bring potential risks for businesses, they were mostly indirect ones. For instance, Democrats had been accusing their Republican rivals of being a threat to US democracy, but that had been a line intended more for a domestic audience, rather than to cause panic around the world – although it did to some degree achieve the latter.

Rather, political observers were more concerned about the implications of the midterm election results for the 2024 presidential election and about issues of democratic legitimacy in the US more generally.

• Protectionist policies are now fairly entrenched in both major political parties. Questions are being asked as to what that is doing to America’s brand around the world – for businesses looking to invest in the US, and for US allies who are increasingly jittery about rising geopolitical tensions and unsure of the US’s commitment to providing a stabilising presence in key regions.

• There was concern about any one party winning a landslide at the midterm elections and unleashing another round of ‘impeachment theatre’. The last two years of Donald Trump’s presidency saw a lot of political theatre with attempts to impeach the president, whose position was relatively safe because of a lack of power to remove him from office. The impeachment of a president requires a high bar of a supermajority of two-thirds of the US Senate.

Mid-term scenarios for the US

Domestically:

• Political violence. While unlikely to be on a large scale, there could yet be incidents of political violence like the 6 January 2021 attack on the US Capitol, as US politics continues to take a more populist slant.

• Businesses may be increasingly forced to take sides. Companies increasingly are taking sides on political positions such as abortion or ESG regulations – and by doing so, they will increasingly become targets of lawmakers and activist consumers.

• Divergences on strategic issues and policies that matter to corporate strategy. As US politics becomes more polarised, the divergence on important policy areas between the states in the US will grow. For instance, states such as Texas and Florida have passed anti-ESG legislation which penalises businesses for adopting ESG principles in their investment decision-making. There are more states with similar legislation in the works. These developments will matter to business strategy, rather than just business operations.

On the international front:

• There is bipartisan agreement in the US on what to do about China and on related aspects of industrial policy such as the decoupling of supply chains. There is a sense that despite all the polarisation in US politics, the country has generally always pulled together on foreign policy and where its interests abroad matter. This is most clearly seen in how China is the one significant issue on which Democrats and Republicans can agree, amid their regular acrimony. The US’s current policy on China means we are likely to see the US working more closely with its other international partners at China’s expense. For instance, the Trade and Technology Council (TTC) was set up between the US and the EU in 2021 to deepen cooperation, facilitate trade and develop global standards on technology and security. The US would also be keen to engage more deeply with key Asian allies such as Japan and South Korea.

• The US’s relations with the UK. The Biden administration has been reluctant to start negotiations on a free trade agreement with the UK post-Brexit, as was made clear in former UK Prime Minister Liz Truss’s first meeting with the president in September 2022. While there are actors in Washington who are keen on a free trade agreement, not least with the impetus for reshoring critical industries to friendly countries, the Biden administration and the US Congress see the issues around Northern Ireland’s status as a problem. The US was a broker to the Good Friday Agreement of 1998, which was designed to end decades of violent conflict in Northern Ireland, and the US’s large Irish-American community means it continues to take an active interest. It is also becoming clear that the US is more interested in striking a trade agreement with the EU, which presents a larger market to them than the UK.

US foreign policy: The long-term view

The US has torn itself apart at moments throughout history over domestic issues, such as during the Civil War on the issue of slavery. But when push comes to shove on major international issues or global crises, the parties in the US somehow rally together. So, I think it’s important to keep a long arc on some of these issues.
Political Analyst D

Where the UK and US have worked well together

The UK still has a stronger partner in the US, in political and security terms. With initiatives such as AUKUS, the security pact between Australia, the UK and the US, the UK has worked hard to bind a lot of the other Pacific alliances over even in the chaotic post-Brexit era. On the economic front – on issues such as the decoupling of semiconductor supply chains from China, these are areas where the US’s and the UK’s economic interests align, and hence are more likely to gain traction than in trying to do a trade agreement.
Political Analyst D

Views of businesses
Even where they may not be directly impacted in their roles by political polarisation in the US, risk and
internal audit professionals have conveyed their concerns over how global instability will not be well
served by a US that is domestically unstable. When posed with challenges from alternative political and
economic models, and in view of a US that is perceived to be withdrawing from its role since the end of
the Cold War as the ‘world’s policeman’, organisations are most concerned about the resultant volatility
and uncertainty for economies around the world.

The challenge from alternative political and economic models


Western societies have been underpinned by the principles of democracy for a long time. But if that
faith in democracy starts to erode, alternative political and economic models might come along.
The resultant volatility and uncertainty wouldn’t be the best thing for economies.
Chief Internal Auditor, Financial Services Firm

Case study

Cyber security and geopolitics

Background

• After Russia’s invasion of Ukraine in February 2022, cyber risk for most organisations increased, especially for those related to critical national infrastructure. This may well be a short-term assessment, but as the conflict in Ukraine continues and as Russia looks to realign its cyber focus – which has been operational since the start of its war – the threat could stay at the current heightened level for some time.

• In the physical domain, Russia has potentially leveraged its capabilities to hit critical national infrastructure in Eastern Europe and the Baltic states. Russia certainly demonstrated its potency and capability in targeting critical national infrastructure at the start of the Ukraine war, when it hacked the US satellite company Viasat, causing significant loss of communication in the earliest days of the war for Ukraine’s military.[12]

• For most organisations, there is a slightly increased indirect cyber risk through the targeting of Western states such as the US, the UK, France and Germany, including cyber-attacks against key suppliers, third parties, and energy and communications providers. The targeting of organisations supporting Ukraine is sometimes intended as a signalling impact.

• There has generally been an increase in cyber-crime threats as well in Europe and the US, as cyber-criminal groups – which may or may not have linkages to Russia – change their modus operandi to increasingly target energy infrastructure, be that oil and gas terminals or infrastructure for renewable energy.

• The cyber threat in Asia-Pacific is not as acute despite US-China tensions over issues such as Taiwan. Nevertheless, there is a growing cyber threat to organisations which have a presence in Taiwan, even if it is not as disruptive as that relating to the Ukraine crisis.

12. https://www.technologyreview.com/2022/05/10/1051973/russia-hack-viasat-satellite-ukraine-invasion/

Who are these hacking groups?


While driven by financial gain through collecting ransoms, these hacking
groups do tend to be aligned to a state which ensures that their infrastructure
and operations are maintained. In some cases, it has been a more systematic
kind of collaboration with a state.

What risk and internal audit professionals did in the early days of the invasion of Ukraine

• For risk and internal audit professionals around the world, there was a critical need first to map out where the organisation’s key cyber assets lay, and what its operations in Ukraine and Russia were like – and then consider what the drivers and external factors were that would impact those assets. Of course, those risk and internal audit professionals in Ukraine, out of necessity, responded in different ways. The closer you are and the more you are impacted by the risk, the more dynamic the role of internal audit and risk becomes.

• The next step was to undertake strategic scenario planning while tapping on intelligence techniques to better understand different scenarios – the best-case or worst-case baseline scenarios – with a view to identifying the more operational side of cyber risk as related to geopolitics. For instance, questions that were being asked included: What threat indicators and warnings should we be looking for in a given region or country? How do we know if we are getting closer to that worst-case scenario?

• Plausibility-based scenario planning: They would also monitor online discourse – for example, publications such as news articles or intelligence reports – for any indications that they were approaching a worst-case scenario.

Other cyber risks

• Systemic internet failure. The sabotage of the Nord Stream gas pipelines under the Baltic sea in September 2022, blamed on Russia, sparked off discussion as to whether countries and organisations were prepared for a potential targeting of undersea internet cables, which would lead to a systemic internet outage. Already in 2017, the former GCHQ director Robert Hannigan warned: “In hybrid warfare you could tweak the UK economy, even without bringing it to its knees, by just cutting a few [fibre-optic undersea cables].”[13] That threat has been on the UK’s National Risk Register for a number of years as a potential risk for UK infrastructure, but the security of these undersea cables continues to be an underinvested area.

• The vulnerability of the smart aspects of industrial systems in the maritime sector. As ships are increasingly equipped with complex automated systems that are connected to the internet, they also face new threats to their cyber security which have made them vulnerable to cyber-attacks.[14] There are cases, for instance, where the navigation systems of ships have been tampered with, placing the vessel in territorial waters where they are not meant to be.

13. https://www.thetimes.co.uk/article/economy-vulnerable-to-russian-attack-on-undersea-cable-links-rqqf0fxj8
14. https://www.mdpi.com/2673-8732/2/1/9

Cyber: Preparing for a perpetually high risk


We have seen some increase in terms of cyber-attacks, but in a company as large as ours, we look
at millions of potential attacks [all the time]. So, it’s very difficult to say that we have seen a very
significant increase as a result of the Ukraine crisis. In most of these attacks, we don’t know the
origins of the hackers, so it’s very difficult to say which states they are linked to. So in that respect,
cyber continues to be a very high risk before and after the Ukraine crisis.
Group Audit Director, Telco

Cyber is what we’re all about, and protecting the cyber infrastructure is what we’re all about. So it’s
not an emerging risk, nor an increased risk. We get millions of attacks that we stop every single day.
In terms of what escalates into something that actually causes damage – no, we haven’t seen much
of an uptick in actual impact since the Ukraine crisis. Look, if you don’t put locks on your doors,
what do you expect?
Head of insurance, Technology company

About Chartered IIA

The Chartered Institute of Internal Auditors is the only professional body dedicated exclusively to training, supporting and representing internal auditors in the UK and Ireland.

We have 10,000 members in all sectors of the economy.

First established in 1948, we obtained our Royal Charter in 2010. Over 2,000 members are Chartered Internal Auditors and have earned the designation CMIIA. About 1,000 of our members hold the position of head of internal audit and the majority of FTSE 100 companies are represented among our membership.

Members are part of a global network of over 200,000 members in 170 countries, all working to the same International Standards and Code of Ethics.

To learn more, visit: www.iia.org.uk

About Airmic

The leading UK association for everyone who has a responsibility for risk management and insurance in their organisation, Airmic has over 450 corporate members and more than 1,750 individual members.

Individual members are from all sectors and include finance, sustainability, information and technology, internal audit, and legal professionals, as well as risk and insurance professionals. With our partners, and in collaboration with affiliate associations and institutes, Airmic supports members through learning and research; a diverse programme of events; developing and encouraging good practice; and lobbying on subjects that directly affect our members and their professions. Above all, we provide a platform for professionals to stay in touch, to communicate with each other, and to share ideas and information.

To learn more, visit: www.airmic.com

About AuditBoard

AuditBoard is the leading cloud-based platform transforming audit, risk, and compliance management.

More than 35% of the Fortune 500 leverage AuditBoard to move their businesses forward with greater clarity and agility. AuditBoard is top-rated by customers on G2, Capterra, and Gartner Peer Insights, and was recently ranked for the fourth year in a row as one of the fastest-growing technology companies in North America by Deloitte.

To learn more, visit: www.auditboard.com

Stay connected

Chartered Institute of Internal Auditors
14 Abbeville Mews
88 Clapham Road
London
SW4 7BX
tel 020 7498 0101
email info@iia.org.uk

Airmic
Marlow House
1a Lloyd’s Avenue
London
EC3N 3AA
tel 020 7680 3088
email enquiries@airmic.com
