Shifting sands: how can internal audit tackle geopolitical risk?

The global economic consequences of Russia’s invasion of Ukraine starkly demonstrated how a new era of geopolitical risk affects business. The Chartered IIA’s ground-breaking recent report on geopolitical risk analysed these developments in detail. But at the core of the global geopolitical paradigm shift now under way is the transition away from post-cold-war US unipolarity, a period in which many businesses globalised their market footprint, operational support networks and supply chains, towards growing multipolarity.

Deteriorating US-China relations are at the core of this. Trade wars, sanctions and financial restrictions in key sectors, including technology, financial services and strategic commodities, have come to the fore, driven by growing concerns about developments in Hong Kong, Taiwan and the South and East China Seas.

Meanwhile, in the Middle East, new tensions are building on old volatility, while lack of diplomatic progress on Iran’s nuclear programme is increasing systemic risk in the region. Politics and fiscal arrangements in the Eurozone remain unsettled, and concern has risen about domestic politics in the US. While the war in Ukraine continues, Russia’s military activity will continue to influence global commodity prices and macroeconomic performance.

When I first got involved, political risk work in the private sector was generally viewed as an issue affecting some emerging markets. If a firm didn’t operate in these, exposure was not a concern. That has changed. Geopolitical risk is now:

• pervasive across the global economy, affecting developed/mature economies as much as (if not more than) emerging markets;

• a source of indirect exposure for firms through the transmission of second- and third-order impacts via globalised markets – geography is no longer the sole, or most important, determinant of exposure;

• characterised by the growing use of economic, financial and trade policy tools for national security purposes. As Janet Yellen, US Treasury Secretary, noted in a speech in April 2023, the US would not compromise on its national security objectives, “even when they force trade-offs with our economic interests.”

 

The complex ESG nexus

Organisations should also note that geopolitics increasingly affects the global environmental, social and governance (ESG) landscape. Many are aware that climate change may drive scarcity of key resources such as water across national borders and generate destabilising migration flows. However, fewer people appreciate the causal links in the other direction. Measures such as the EU’s Carbon Border Adjustment Mechanism and the Inflation Reduction Act in the US are regarded as thinly veiled protectionism in other countries.

The long-term stability implications of net zero aspirations for oil-exporting states in the Middle East, Africa and Latin America, and the political risks inherent in their attempts to diversify economic models away from fossil fuel dependency, are also not well understood.

In addition, access to the raw materials needed for green technology, such as rare earths, are already causing geopolitical friction and demand for these will grow. Organisations involved in their acquisition and markets, and those that will increasingly need them to decarbonise their own supply chains, will find geopolitics an increasing challenge.

 

Think holistically

How does this backdrop affect business more broadly? Observers tend to think of impacts on supply chains or enhanced sanction or cyber risks, with the corresponding assumption that managing these risks is primarily a job for procurement, legal or compliance teams.

These are pressure points, but the impacts go much wider. First, geopolitical volatility, and the associated use of geo-economic policy measures such as tariffs and investment restrictions, degrade the macroeconomic conditions on which corporate strategies are based. They also foster instability in commodities, FX and other financial markets that track straight through to a firm’s balance sheet, financial operating model and investor perceptions. The global macroeconomic and market consequences of the Ukraine invasion provided a definitive example.

Geopolitical volatility can also disrupt key consumer or client segments for firms, while longer term political uncertainty undermines investment strategies. The ESG nexus also adds reputational pressure for firms with external stakeholders such as investors, regulators and non-governmental organisations (NGOs).

Geopolitics therefore has consequences for balance sheets and financial performance, as well as for operational and non-financial risk and control functions. Strategy and reputation may also be affected.

 

The risk management challenge

Many business and risk management leaders developed their careers in the post-Cold-War world, essentially untroubled by geopolitical risk. But this can mean they lack the skills to respond to geopolitical instability and develop more sophisticated internal capacity.

Approaches within organisations face common challenges:

• Geopolitics is hard to measure, and what you can’t measure, you can’t manage.

• Organisations can’t control geopolitical risk at source. There is a corresponding tendency to say “we can’t do anything about it, so there’s no point considering it”.

• Few people, either in C-Suite, or risk functions, have a background or expertise in geopolitical issues.

• Informal analytical approaches abound, often driven by a chief executive or board chair’s views. On Ukraine, this often manifested as “Putin would be mad to invade Ukraine because costs outweigh benefits, so we don’t need to worry about this”.

• A variation on this theme is “I read the newspapers, so I know enough about geopolitics”.

• Despite the impacts of geopolitics crossing business lines and control functions, many organisations lack internal coordination and holistic mitigation of these risks (a problem exacerbated by organisational silos).

• Most fail to define internal ownership of the issue, or there is a vague sense that “this is something the board does”.

• National or external political sensitivities prevent objective discussion.

• Geopolitics often sits in a risk function’s risk register or emerging risks framework, but generates little analytical work or active mitigation.

The net result is that geopolitical risk management is often fragmented, reactive and poorly thought through. This can lead to substantial strategic and financial consequences – demonstrated by the multi-billion-dollar losses many international organisations experienced when exiting Russia in 2022.


Internal audit’s role

So how can internal audit teams provide boards with assurance that their organisation remains resilient to adverse external trends and shocks? This is not easy, partly because geopolitical risk management has rarely been prioritised by risk management teams or seen as core to corporate governance.

The Chartered IIA’s report is a welcome first step in developing internal audit skills in this area. Given the nature of the risk and its multifaceted, cross-functional corporate impacts, internal audit teams can start to build awareness by asking the following questions:

• Who in the organisation is responsible for work on geopolitical risk (if anyone)?

• What specialist analytical resources/expertise do they draw on?

• How are these resources deployed in the organisation – and in which areas of decision-making?

• Does the risk function’s remit include geopolitical risk and what activity is generated by any mention of geopolitics in risk registers or emerging risks frameworks?

• Do first-line management teams routinely draw on specialist expertise in strategic decision-making where geopolitical risk may be a factor?

• Does our ESG decision-making take account of geopolitical factors?

Internal audit teams can also seek guidance from the board, and help to shape board approaches and expectations on this topic.

 

Going further

This may be an unfamiliar area for some internal audit teams and business teams, but further resources are available to help develop stronger geopolitical risk approaches. Internal audit teams can consider undertaking training to develop their ability to scrutinise their organisation’s approaches to these risks, particularly when preparing an audit of their risk function.

They can also draw on our new board and risk function guidance in this area, ESG2, and consider whether they should recommend the organisation deploys an internal geopolitical risk management framework.

 

The positives

The geopolitical environment is becoming more “competitive” (to use the diplomats’ and intelligence analysts’ euphemism) and business will increasingly be affected. However, there is a positive aspect to this. Geopolitics will also generate commercial opportunities for agile organisations that have the geopolitical nous to identify and seize them. By recognising the changing political environment and asking new questions, internal auditors can be critical enablers for geopolitical risk adaptation in their organisations. ■

Derek Leatherdale is Founder and Managing Director of GRI Strategies Ltd.

He is the co-author of The Extra G – ESG 2.

This article was published in July 2023.