Even the most conscientious CSO could not have scripted a more implausible risk-training exercise than the reality that has faced many U.S.-based global companies since early 2020. However, for more than two years, global business infrastructure has endured a devastating worldwide pandemic, the most brutal war on the European continent since WWII, crippling supply chain disruptions, a rising threat of international right-wing extremism, worldwide economic uncertainty and double-digit inflation in the U.S. – the highest in more than four decades. While these scenarios may seem like a harbinger of Armageddon, for many risk managers and CSOs it is business as usual – to a point.
Global risk and security managers have regularly navigated precarious political environments. But as Michael Posner said in a recent article in Forbes: “Global companies generally have thrived in this environment not only because of their ability to take advantage of advances in transportation, communications, and other technologies, but also because of a law-based international order that facilitates the enforcement of contracts, the movement of goods, and the reduction of cross-border rivalries and bullying which can disrupt trade. Now, as Vladimir Putin’s ruthless invasion of Ukraine threatens to tear down that international system, global companies have a lot to lose.”
A New Era of Disruption
With all the challenges that are going on now; everything from the bloody conflict in Ukraine, raging global inflation, and the continued COVID threat to the incredibly arduous task of mitigating the risk of business interests in the line of fire, what’s the tenor of conversation as an organization’s risk team decides how to chart the roadmap to meet these existing and future disruptions?
“For us, it really starts by explaining that we believe we have entered this new era where disruption is the new business as usual. Companies cannot afford to take a stance where they're going to say, ‘Well, that will never happen.’ In fact, nobody could have projected the pandemic would've impacted us the way that it has. You never know what's going to come next and that's challenging. The good news, however, is that these last couple of years have a lot of companies going back to some basic fundamentals that they have often shied away from,” says Matt Hinton, a partner at global risk consultancy Control Risks, who stresses that any plan begins with truly understanding the risks that are right in front of you, but also having the insights to address what those emerging risks are, what they look like, how likely they are, and when and where they might occur.
“I think underpinning that is where we're increasingly starting to see customers move to when doing scenario planning. Thinking about some of those risks that we've talked about and asking the basic questions like, what are the best-case scenarios for us and what is the worst case? What are the most likely and what's our exposure as it relates to those scenarios? Finally, what are the things we think we need to be doing now to proactively try and get ahead of these (threats)? These are the key drivers,” Hinton says.
“The reality of all that though is it could be incredibly cost prohibitive to attempt to mitigate every possible risk out there. And quite frankly it would be impossible. That's where it's especially important to have robust and integrated response capabilities, whether it be crisis management or business continuity or cyber, or any of the different types of capabilities you need,” he adds. “If you're trying to reduce the risk of these things occurring up front, having those capabilities in place on the backend helps mitigate the impact of them or reduce the impact to the organization overall. A balanced combination of those two things is extremely critical.”
Russia’s Rubik Cube in Ukraine
Hinton admits that the pressures of global political intrigue and mounting confrontations have upped the ante for security and risk managers doing business abroad. Claudine Fry, a colleague with Control Risks stated in a recent blog post that “even before the Ukraine-Russia conflict, political risk had been rising ever higher on company risk registers. Despite this awareness, the impacts of political or geopolitical shocks to business have often been perceived as limited or localized. Some impacts were beyond the control of business leaders to manage. The catastrophic events in Ukraine have shattered such assumptions, and left businesses no option but to respond quickly and decisively.’’
Fry continued that “businesses are also trying to understand the impact of these events beyond the immediate term as it is clear their legacy will be lasting. No sector will go untouched. No part of the world will escape the effects, be they rocketing prices for food and oil; pressures on services and politics caused by migration; changed inflows and asset seizures influenced by sanctions; or a change in access to resources or influence.”
From a risk perspective, Hinton concedes that some global companies doing business in Ukraine and in Russia prior to the Kremlin’s invasion of the Donbas had gamed out the scenarios better than others. Still, the impact transcended the intensity of any business risk models most organizations had developed. The ferocity of Putin’s attack on eastern Ukraine in the opening weeks of the assault resulted in unprecedented financial sanctions on Russia and the exit of more than 140 global companies since the end of March. Such corporate giants as Amazon, McDonald's, Starbucks, Coca-Cola, Apple, Netflix, Shell, BP, Visa and Mastercard, American Express, American and Delta Airlines, AT&T, Boeing, Ford, General Motors, Mercedes Benz, BMW, Volkswagen, IKEA, Twitter, and Walt Disney have all ceased business operations in Russia as it increasingly becomes a global pariah.
“A lot of companies might not have been taking this as seriously as they could have. But we work with a lot of organizations that did take it quite seriously and ahead of these scenarios they were doing some of that situational planning that I mentioned. They were actually putting contingency plans together around that stuff, and in some cases, some organizations were doing simulations or exercises against these scenarios ahead of this happening so that they could be as prepared as possible,” admits Hinton. “A lot of these global organizations were faced with some challenging situations, both on the Russia front and Ukraine front. On the Ukraine front specifically, and uniformly and universally, people and their safety were their number one concern. There's just the challenge of how we move people out of a country to another one given all the standard challenges with visas, transportation and logistics. But companies also had to think about how far their duty of care extends.”
What is the End Game?
Hinton realizes that the current global situation is unique, and many companies caught in the riptide of economic and political upheaval are simply wondering what does the end game look like? These organizations are left to speculate what their collective futures hold once a semblance of risk normalcy returns.
What About Security?
The physical security challenges and their impact on business operations can’t be understated. Hinton says that many of their clients are working to keep lines of communications open between U.S. and European offices and those still anchored in Ukraine; many being aided by NGOs and other aid organizations that have sprung up along the bordering countries like Poland, Romania, Slovakia and Hungary providing access to essential resources, employee safety and even evacuations.
“The other element is that some companies are even thinking as far ahead as the possibilities of moving their eastern European headquarters out of there and shifting it to Warsaw or Budapest or somewhere in the area just so that they can continue to operate as an organization and have a better grasp on their employees. And should this be for the short term and the long term? But truthfully, it's an incredibly challenging situation for them right now to deal with. That's on the personnel side and physical asset side. But the focus has also been focused on safeguarding intellectual property and sensitive data as well,” says Hinton. “In many cases, companies might have left the intellectual property and sensitive data behind. Now there are concerns about who may be able to access it and what they'll do with it. It's a difficult situation because realistically speaking, getting back in there to get that information and retrieving sensitive data is going to be incredibly problematic. So, it actually comes down to how do you manage the fallout from it at this point.”