Geopolitical chaos is causing significant cyber and supply chain exposures for organisations. To effectively manage the threats, risk managers must focus on breaking down siloes.

We are in a state of polycrisis, and risk managers must break down internal siloes to survive.

This was the main message at the keynote panel on day two of the Airmic conference in Manchester.

War risks on the rise


The speakers explored some of the key geopolitical risks facing global businesses, including the Russia-Ukraine war, concerns around China and growing supply chain issues.

One particular concern is cybercrime and escalating ransomware threats, which have been exacerbated by global geopolitics.

Nick Allen, CEO at Control Risks, said: “As a company that responds to cyber incidents and digital risk, we see that clear connection between what’s going on geopolitically and what companies are experiencing.

“We’ve seen a very clear flow from the Russia-Ukraine tensions into cyber attacks, and 2023 is set to be worse than 2022.”

Another significant peril that stems from geopolitical risk is compromised supply chains.

Nick Allen pointed to the troubles faced by Jaguar Land Rover, when a lack of access to microchips meant production was halted, as a good example of the threat.

He said that while organisations are scrambling to deal with the aftershocks from the Ukraine-Russia war, forward-looking firms are seeing tensions in the Taiwan Straits and wondering if China will pose similar issues in the near future.

He added: “It’s all happened. From pandemics to war in Europe, to closed borders. So what you’re seeing now is companies really digging into their supply chains to understand their risk exposure.

“Companies look at what happened with Russia where they’ve had to sell up or sell to friends of the state. And they’ve had to exit Russia. And I think they look at tensions in the Taiwan Straits and they think, wow, this could happen with China.”

What risk managers can do

When it comes to dealing with the threats, Tangy Morgan, advisor at Strategia, said that organisations must look long and hard at their technology suppliers and usage.

She said: “Technology is a serious concentration risk across all industry sectors and I believe that boards are not necessarily having real discussions and understanding around outsourcing and use of the cloud.

“What information are you putting in the cloud? What providers and outsourcers are you using? Because you’re only as safe from a cyber attack or ransomware attack as your weakest link… It’s really about being realistic because reputational damage can wipe out your market share quite quickly.”

Wetekamp argues that culture is critical, and risk managers must move beyond traditional tools to survive the new landscape of geopolitical threats.

He said: “If you’re trying to translate it with heat maps and risk matrices and calculated or quantified risk scores, it’s not going to work. It’s not going to translate… to how you work with your supply chains, how you communicate to your customers, how you report to your litigators or regulators.

“That only comes from believing that it’s not about if a bad event is going to happen, but when it happens, what are we going to do? Because it will to nearly every organisation.”

The panel agreed that the interconnected nature of threats is what makes them so hard for organisations to tackle. Therefore, to have an effective response to geopolitical risks, risk managers must break down inter-organisational siloes.

Wetekamp concluded: “There’s not many things that can at one time be an IT risk, stop manufacturing, stop pipeline flow and at another time create misinformation and even put humans at risk or personal safety like a ransomware event can.

“As an organisation, if your health and safety organisation isn’t talking to your IT organisation isn’t talking to your logistics and supply chain organisation, then your preparation for that, your treatment for that and your response to that event will be suboptimal.”