In a year already unprecedented in its geopolitical tectonic shifts, twists, and turns, company boards everywhere need not only to up their focus on risk governance generally but also to do so specifically with respect to geopolitical and cyber risk. Whether or not a business is physically located in a geopolitical hot spot such as China, Taiwan, Russia, or Ukraine—directly or indirectly, through people, assets, or the supply chain—what happens in those hot spots doesn’t stay in those hot spots.
The year started with Russia’s invasion of Ukraine and continued with US-China tensions over Taiwan. Both dramatic geopolitical developments have had a series of reverberations globally including for the business community. For example, shifts in relationships between the United States, European Union (EU), and Russia, including ceasing to do business in Russia, protecting people and assets in Russia and Ukraine, and abiding by unprecedented sanctions, are only a few of the consequences.
It’s Time to Get Ready for Escalated China-Taiwan Tensions
The second half of 2022 has already witnessed another critical geopolitical moment. Perhaps prompted by the visit of US House speaker Nancy Pelosi to Taiwan, China’s hair-trigger response of using its military for an unprecedented show of force with live-fire exercises over and around the island of Taiwan is simply an escalation of tensions that were otherwise long under development. Whether these tensions result in an actual invasion by China of Taiwan or something short of that in the near, medium, or long term, good business judgment requires both management and the board to start planning now.
Smart businesses, such as some of the leading technology companies, are already deeply involved in searching for and securing alternative and diversified manufacturing sites both near China and Taiwan (for example in Vietnam), as well as in onshoring or reshoring their supply chains by building new manufacturing sites “at home.” Although such new facilities will not come online soon enough, leaders must stop planning only for short-term profits and start planning for medium- and long-term resilience which, ostensibly, should yield long-term profits.
Expect the Unexpected
Before 2022, few expected Putin’s Russia to invade Ukraine but it happened with alarming, serious, and immediately disruptive consequences. No one wants the same thing to happen from a deterioration of China-Taiwan relations.
Taiwan is a model democracy and market economy, and an incredibly important source of highly advanced, specialized chips used the world over in technology of all kinds including laptops, smartphones, security networks, and telecommunications networks.
US and global companies with Taiwan-based operations should be most concerned as their exposure isn’t only to the financial implications of supply chain and product or service failure, but also to the impacts on the health and safety of employees. It is also likely that cyberattacks will increase in volume and ultimately result in financial loss either due to denial-of-service attacks, lost productivity, or the need to spend more money and resources on cybersecurity.
With the rising tensions between the United States and China, global companies with a footprint in China could fall into the cyber war between the states. Many US- and EU-based companies are already deciding to close or relocate operations outside of China. If things deteriorate, China may even attempt to seize control of foreign company assets (as Russia has recently done with the remnants of foreign companies that have left that country).
Geopolitical and Cyber-risk Governance “To Dos”
Among the top “to dos” that company boards and management should consider from a geopolitical and cyber-risk governance standpoint are the following:
- Ensure that the leadership team has access to real-time geopolitical, national, and local political data and advice relating to the company’s strategic footprint, geography, supply chain, and planning.
- Designate a member of management who will oversee geopolitical and political developments with the assistance of solid intelligence and advisors, reporting to the C-suite and board periodically and coordinating in real time with risk management efforts.
- Ask if there is a crisis management plan and team, including a board liaison or member. Is relevant crisis scenario planning integrated into such plans and periodically conducted with the board?
- Ask whether the risk and information security teams have the resources and tools necessary for foresight and future-proofing.
- Ensure that the enterprise risk management framework includes geopolitical and cyber-risk identification, analysis, and mitigation considerations.
- Ensure cyber hygiene. What is the state of cyber-risk management at the organization? Is it effective?
- Ensure that the organization is vigilant about information and data integrity in its products and services.
- Integrate digital chatter vigilance into internal and external communications strategy as well as enterprise risk management.
- Have directors that are risk-savvy, knowledgeable, and experienced.
- Have directors with specific risk expertise, depending on the company’s risk profile.
- Consider having a specialized risk and strategy committee.
- Receive quarterly risk reports from management and conduct executive sessions with the chief risk officer and chief information security officer to ensure organizational resilience and business continuity.
If boards follow the important path of upping or reupping their risk governance to include continuous learning related to geopolitical and cyber risk focused on a company’s specific business footprint, we think that their long-term resilience and sustainability will be seriously improved. Those who do not heed this advice will be at a distinct competitive disadvantage both tactically and strategically, and maybe even existentially, in this era of continuous and overlapping risks and crises.
Andrea Bonime-Blanc is founder and CEO of GEC Risk Advisory; a global ESG, risk, and cyber strategist; a board director; an NACD 2022 Directorship 100 honoree; and a life member of the Council on Foreign Relations.
Tomer Saban is the CEO and cofounder of WireX Systems, a network security company that is changing the way businesses respond to cyberattacks, and before that he worked in the homeland security space, developing defense systems for intelligence agencies.