
Geopolitical risk: Not if, but when
Whether it is news headlines about the ongoing war in Ukraine, spy balloons, the banning of TikTok on UK government devices, or turmoil in the banking sector following the collapse of Silicon Valley Bank, not a week goes by without some new geopolitical or geoeconomic incident. This underlines the fact that geopolitical and geoeconomic disruption is here to stay – and so are the increasing risks and the uncertain, volatile business operating environment it creates.
As we have repeatedly seen in the past few years, a geopolitical risk incident can have major impacts on the price we pay for our energy, inflation rates, the cost of borrowing, and stocks and investments. All these can significantly impact an organisation’s long-term sustainability and bottom lines.
No wonder then that geopolitical and macroeconomic uncertainty is consistently recognised as one of the top organisational risks listed by chief audit executives in the Chartered IIA’s annual Risk in Focus survey. Last year it leapt from seventh most significant risk to third in the rankings. Yet we also know from this research that it is currently the risk area that internal audit spends the least time and effort auditing. With geopolitical tensions continuing to increase around the globe, there is a clear need for businesses to prepare for continual disruption from geopolitical incidents – so surely internal audit functions must start paying more attention to this risk? This is why in February the Chartered IIA published a new report in partnership with Airmic and AuditBoard entitled “Navigating geopolitical risk”.
How should internal audit approach geopolitical risk?
Often when I speak about geopolitical risk at internal audit events and conferences, I am challenged by delegates who argue that geopolitical risk is an intangible risk and therefore complex to audit. This is a fair point. However, geopolitical risk is a strategic risk that does not sit in a silo and it should not be viewed as a standalone risk. In our increasingly interconnected world, geopolitical risk interlinks with, and exacerbates, a wide range of other business-critical risks.
For example, sanctions placed on regimes and wealthy individuals exacerbate legal, regulatory and compliance risk. Cyber attacks originating from hostile states mean that organisations of all kinds operate in an increasingly weaponised cyber landscape. Supply chains may be disrupted (or severed) with little notice and organisations that do not act swiftly to cut links with hostile states may suffer reputational damage. Meanwhile, a dramatic and unpredicted spike in energy prices threatens organisations’ financial stability and even their survival – 30 UK energy suppliers have recently gone bankrupt, causing knock-on expenses and disruption for their former customers. At the very least, internal auditors should be integrating geopolitical and geoeconomic considerations into their audits of these key risk areas.
Scenario planning is also critical to ensure that organisations are adequately prepared for geopolitical risk events and incidents. This is not about attempting to predict future events, but about focusing on half a dozen or so plausible scenarios. These should then be used to challenge, stress test and update baseline assumptions about the likelihood and impact of the risks. Internal auditors should be providing assurance that scenario planning processes, including simulation and stress-testing exercises, are robust and fit for purpose. For example, they should review the efficacy of the processes and controls around stress tests, including aspects such as data quality, assumptions, modelling approaches and results aggregation. Global pandemics, wars and financial crises have happened before – there is no excuse for not preparing for these scenarios in future.
Managing in "permacrisis"
The extent of current geopolitical uncertainty and the speed with which events can develop (plus the global implications when they do) mean that many commentators now talk about businesses operating in a permacrisis. This demands increased organisational agility to respond swiftly to the challenges and disruption brought about by “once in a generation” events happening in quick succession. It is no longer a case of “if” the next event will occur, but “when”.
Internal audit should work with risk management and seek assurance that the organisation is in a permanent state of readiness. This should include ensuring robust business continuity and crisis-management plans and processes are in place, and that these are reviewed and updated regularly so they remain relevant and fit for purpose. What’s more, audit functions must themselves embrace and embed agile audit approaches so they can respond with assurance, insights and advice as soon as a crisis occurs.
However, it is no longer enough to be agile in response to an event. It is also essential to be truly “future-focused”. Organisations must look beyond the ends of their noses and take a long-term view of geopolitics. For example, Russia’s invasion of Ukraine is the most significant geopolitical event since the end of the Cold War. Its ramifications and impacts on organisations may continue for decades. Organisations and their internal audit functions must therefore look beyond the next three to five years.
Meanwhile, collaboration and a shift away from working in silos are the key to building greater resilience in a more challenging world. Internal audit should not attempt to grapple with geopolitical uncertainty alone. Internal audit teams should work more closely with risk management functions to help their organisations navigate geopolitical risk. Of course, the two functions have distinct responsibilities – and internal audit must protect its independence – but there is scope for the two functions to work more closely and to align and coordinate their work on geopolitical risk to support organisational resilience. Internal auditors should have regular conversations with risk management colleagues about geopolitical risk and how they can coordinate their efforts.
Lastly, every crisis will also present opportunities, so geopolitics is not all about downside risk. We must learn to seize these opportunities when they arise. As Barack Obama’s chief of staff once said: “Never allow a good crisis to go to waste. It’s an opportunity to do the things you once thought were impossible.” A good example of this is to use the current energy crisis as an opportunity to accelerate a transition to renewable energy and end our reliance on fossil fuel imports. Internal audit must highlight to management the opportunities that accompany geopolitical events, not just the risks.
As geopolitical crises occur faster and more frequently and have greater impacts on businesses, they are gaining a higher profile on organisations’ risk registers. Now is the time for internal audit to step up to the challenge and focus on this area as never before.
Gavin Hayes is head of policy and external affairs at the Chartered IIA.
This article appeared in May 2023.