Geopolitical risks often lie outside the bounds of what businesses, and even the largest corporations, can control. Geopolitics could cause a global shortage of microchips and, suddenly, an entire sector could be in trouble. Businesses are not able to go ferreting out single points of failure in their supply chains. This transforms an operational challenge into a strategic one.
Risk and internal audit professionals need to work closer together in order to navigate their organisations through the perfect storm. During the pandemic, risk and internal audit professionals stepped to the forefront of their organisations. As Navigating Geopolitical Risk: Building Resilience Demands Collaboration in a Challenging World by the Chartered Institute of Internal Auditors (CIIA), Association of Insurance and Risk Managers in Industry and Commerce (Airmic), and AuditBoard demonstrates, greater collaboration is needed to tackle the heightened uncertainty and volatility of the new geopolitical era.
Adopting new frameworks and approaches, more varied sources of information and intelligence, applying The IIA’s Three Lines Model to geopolitical risk, and engaging in scenario analysis and planning are all ways risk and audit professionals can help their organizations achieve greater clarity about risks and their potential effects, create appropriate interventions, and build a more resilient business.
How risk and internal audit professionals approach geopolitical risk
When it comes to how best to assess geopolitical risk, there is no one-size-fits-all approach, even among the largest and most sophisticated organisations. The principle is to tie geopolitical risk back to the organisation’s business. Geopolitical considerations need to be integrated into existing risk management and audit frameworks, and in the risk areas where geopolitical events can have the most impact.
Financial services organisations are used to doing stress testing — and now even reverse stress testing, because of the regulatory framework. In determining the organisation’s capital levels and the risks to that, which is what stress testing sets out to assess, a thorough understanding of geopolitical risk and other external risks is required. Risk culture and appetite shape the decision-making processes of banks and fund managers, which would have their own research departments. In contrast, smaller organisations, and smaller risk and internal audit functions, would be less likely to have the skillsets to monitor geopolitical risk in-house.
That said, some financial services organisations are facing challenges auditing some of their functions because they have to adapt much more quickly to the changes around them. A stress test model from even just three years ago would already be irrelevant today, so it would be pointless to audit it. For all their sophistication and maturity in using stress testing models, even financial services organisations know they need to be much more agile in adapting to the environment.
Models are a major component of what financial services organisations use to perform some of their analysis. Given the fast-changing environment, the models need to be updated more quickly, regarding the underlying assumptions they use as well as their sources of information.
Nevertheless, models still provide a useful indicator of things and a guide as to how organisations should look at different scenarios.
Sources of Information and Intelligence
We cannot expect all risk and internal audit professionals — or indeed people in any other roles within their organisations — to be trained in geopolitics. Despite how prevalent geopolitics may have been in the media headlines in recent years, it does still take a certain specialism to follow developments in the space and to get to grips with these.
In this age of free-flowing information online, there is no shortage of reports on geopolitics and economics to keep up with. Subject matter experts can be engaged to weigh in. There then arises the challenge of weighing the different findings of each expert or report, especially when they are contradictory.
This is where roundtables can bring value, particularly when they can coalesce different skills, roles and insights both from within and from outside an organisation. They bring experts and managers together to debate their various findings, which may sometimes be at odds with each other, and crucially to link these back to the organisation so that the outcome of the roundtable discussion is always relevant.
The Applicability of the Three Lines Model to Geopolitical Risk
The Three Lines Model provides a basis for building and implementing robust assurance across an organisation, including providing transparency over the effectiveness of governance, risk management, internal audit and control processes. It can apply to all organisations, whether they are SMEs, corporates or regulated entities.
The purpose of the Three Lines Model is to protect and create long-term value, while setting out the expectations of different groups within the organisation:
- Accountability by a governing body to stakeholders for organisational oversight through integrity, leadership, and transparency.
- Actions (including managing risk) by management to achieve the objectives of the organisation through risk-based decision- making and application of resources.
- Assurance and advice by an independent internal audit function to provide clarity and confidence and to promote and facilitate continuous improvement through rigorous inquiry and insightful communication.
Strategic, tactical and operational risks must be synchronised to avoid the creation of lags. Risk management and internal audit must synchronise the different speeds at which geopolitical (or external) risk, tactical risk and internal (or operational) risk run. The job of risk and internal audit professionals is to challenge the organisation to make sure that lags do not emerge.
Engaging With the Board
Risk management and internal audit must make sure that there is regular and open communication with the board on geopolitical risk. Geopolitical events can have a significant impact on the business’s ability to execute its corporate strategy and mission effectively, which is why the board must take geopolitical risk seriously. Risk and internal audit professionals should feel empowered to speak up and raise concerns they have about the impact of geopolitical risk events with the board.
When communicating with the board on geopolitical risk, it is vital that risk and internal audit professionals eschew technical language in favour of clear, business-like speech — especially on technical subjects such as cyber risk.
Scenario Analysis and Planning: The Key to Geopolitical Risk
Rather than focusing on predicting what would happen next in geopolitics, organisations should devote their energies to scenario analysis and planning. When risk and internal audit professionals ask questions along the lines of ‘what if?’, ‘so what?’ and then ‘now what?’, it helps their organisations adopt a mindset of being agile and adaptable, and thereby build resilience to tackle a range of risks in a volatile and unpredictable world.
Risk and internal audit professionals can work together by identifying geopolitical risks on the horizon, mapping their potential impact on their organisation and then running crisis simulation programmes to test the organisation’s responses.
Collaboration should not stop there. When it comes to issues relating to security and energy supply, risk and internal audit professionals should also work with governments and regulators where possible. They need to recognise that government policy will dictate or influence quite significantly some of the potential outcomes from these issues.
For a deeper dive into the topic, download the full Chartered IIA, Airmic, and AuditBoard report, Navigating Geopolitical Risk: Building Resilience Demands Collaboration in a Challenging World, for ideas, approaches, and practical tips to help you support your organisation in navigating geopolitical uncertainty.