A decade ago, most companies could treat geopolitical risk as episodic and distant. It affected just a few specific sectors like financial services firms tracking currency fluctuations or energy companies modeling conflict-driven oil price shocks. Today, geopolitical risk is everywhere, touching every industry—and it’s not going away.
Shifting geopolitical alliances, cyber threats, tariffs, and other pressures on top of our interconnected global business landscape are increasing the onset and severity of disruptions. Companies need a new approach to proactively identify and handle these potential events. Yet elevating geopolitical risk on the leadership agenda means overcoming several institutional and individual barriers.
More comprehensive geopolitical risks require a more holistic approach—one that looks further ahead, considers a wider range of issues, gets the entire C-suite and board involved, and proactively plots responses. Here’s where you and your executive team should focus your efforts.
To understand the geopolitical environment, some organizations buy commoditized intelligence from third-party providers. That can be a helpful starting point, but it often doesn’t include enough depth or context and doesn’t factor in specific industries, a company’s footprint, vendor and customer base, or its organizational culture and strengths.
Some large global companies create in-house intelligence teams—researchers, analysts, economists, former intelligence officials—to generate more accurate, timely, and contextualized insights. That model won’t fit every company, but most need to apply more resources to the problem. Critically, this unit should have direct access to the CEO, with a two-way flow of information so the team can raise issues and the CEO can make targeted inquiries.
Boards should also play an important role. Many public company directors are seasoned practitioners with long track records of industry-specific insights. This is helpful, but leading companies widen the lens by adding directors with backgrounds and expertise in defense, national security, or a specific geographic market. These directors don’t just flag risks, they help uncover opportunities amid volatility.
Segment risks by their potential impact, using a tailored, company-specific lens that accounts for current exposure and existing safeguards. Some risks, known as “gray rhinos,” are high-probability, obvious threats that are often overlooked or not prioritized. These differ from “black swans,” rare events you don’t see coming. Both can bring major consequences, but your teams should be able to identify gray rhinos, understand the value at stake, and have a clear sense of the strategic options to reduce exposure (e.g., insurance, diversification, continuity/contingency plans).
At the other end of the spectrum are smaller risks that should be acknowledged but may not warrant immediate action. In some cases, the cost of addressing them outweighs their potential impact and could slow your company’s ability to move fast and grow. Their risk indicators should, however, still be monitored and periodically assessed.
Look at the big trends unfolding and how they might affect the critical areas of your business. Identify large-scale business disruptors and the relevant risk indicators to monitor for early warning signs. Develop a set of response options for each, and don’t just consider the downside. You don’t need a full playbook for each disruptor, but your first moves should be clear across the key areas of your business that could be affected. This exercise aligns senior people on key strategic assumptions that might otherwise diverge without structured scenario planning. More importantly, it builds decision confidence and may even allow leaders to seize opportunities early, before the disruption occurs. Then, when a triggering event occurs, you’ll have a roadmap of prioritized actions ready to go.
One big potential disruptor, cyber risk, is now an inherent part of overall geopolitical risk, and the threat is growing. Sixty percent of business and tech leaders are making cyber risk investment a top priority in response to ongoing geopolitical uncertainty. Unlike the relative stability that followed the Cold War, the world is shifting to a paradigm of strategic competition, with nation-states wielding far more technology than before. And because so much of the data they want sits in the private sector, companies end up exposed to espionage threats they never thought they'd have to deal with.
AI is compounding the threat. Bad actors can adopt and adapt AI faster than companies can secure it. Agentic AI adds another layer of risk—an automated user that can be manipulated and used to widen the attack surface. And cloud creates concentration risk, making hundreds or thousands of companies vulnerable if a key hyperscaler is compromised.
Even so, address growing cyber threats the same way as geopolitical risks. Scan the horizon, identify likely attack types—from ransomware and IP theft to hack-and-dump or collateral damage in an attack on critical physical infrastructure—build response playbooks, and refine them over time.
Notably, the vast majority of cyber attacks succeed not because of highly advanced tactics but because companies fail to consistently get the basics right. This is where investment can pay off. Revalidate baseline defenses such as multi-factor authentication and patches. Maintain deep visibility across critical assets. Segment high-value systems, retire unsupported legacy systems, and enforce strong endpoint controls.
Above all, make cyber defense everyone’s priority. A cybersecurity breach is not a cyber or IT issue—it's a business issue that demands shared accountability across the C-suite and the board.
Many executives believe they need contingency plans for every risk, but the odds of predicting a specific threat or disruption are low. A smarter approach is to focus on recovery and resiliency by looking internally—identifying the critical elements of the business, essential assets and resources, and the dependencies that keep operations running. Given that many of the mitigation and response measures are similar, this is a more manageable and effective way to attack the problem. It also prepares your company for disruptions beyond geopolitics, including climate-related events.
Resilience planning at this level entails asking some key questions well before a crisis hits.
Mapping a full operational network for a large organization, including critical services and upstream and downstream dependencies, can be a time-intensive and costly process that can take years to accomplish, so it’s essential to maintain momentum and focus throughout the process. And once your resilience plan is in place, it should be continually maintained and updated as the business evolves.
The pace of policy change—tariffs, tax incentives, drug pricing—requires companies to get a better handle on how to model continual shifts. Some companies are working to get better visibility across their supply chains, making them better equipped to assess geopolitical risks, but don’t understand how operational changes can cascade across the chain. Technologies like digital twins can help you close that gap.
Digital twins model an entire supply chain and operations, enabling leaders to look ahead and simulate conditions, crises, and potential responses. This gives your team a clearer sense of the implications before decisions are made, when there’s still time to adjust. Crucially, digital twins not only mitigate risks, they can also help you identify opportunities in disruption and strengthen resilience.
Once your risk management or scenario plans are in place, they shouldn’t sit on a shelf. Leadership teams should conduct regular exercises so plans are coordinated and decision-making remains strong under pressure.
A typical cyber tabletop exercise, for example, can be completed in two to three hours with a cross-functional group of senior leaders—CEO, CFO, COO, CIO, CHRO, chief risk officer, and chief legal counsel. These exercises should use realistic scenarios based on your company’s specific exposures and risks. You and other leaders should work through escalation protocols, response plans, and decision-making processes at key junctures and then document lessons learned and identify opportunities to strengthen resilience.
Board-level exercises are normally shorter and more high-level. Management generally briefs directors for 30 to 45 minutes, setting expectations about how information will flow and decisions will be made in the event of an actual crisis. And while cyber is often the focus of these exercises, the same approach can be applied to other critical risks like operational disruptions and supply chain crises.
Tax is always a factor in geopolitics, but many companies don’t use their tax teams for risk management in a strategic way. They’re often siloed—treated as a tactical afterthought once top executives have already chosen a course of action. That should change.
As companies take measures to reduce risk or seize opportunity—such as shifting operations into or out of specific markets—tax leaders should be part of discussions from the start. The tax implications of a specific move can materially change the economics of any option. When leaders are scenario-planning across different response measures, tax teams should help model out the tax consequences of each choice.
Tax leaders should also look beyond their traditional compliance mandate to speak the language of the business and to identify opportunities as well as risks. That kind of strategic, collaborative thinking often requires a mindset shift, one that will help your leadership team understand the full set of considerations as you work to proactively reduce risk.
Geopolitical risk can’t be managed piecemeal. It demands a united approach that connects intelligence, risk segmentation, scenario planning, technology investment, rigorous exercises, and strategic tax insight into one cohesive capability. When your executive team looks across these areas collectively, you build the foresight and agility needed to respond decisively, protect and capture value, and move ahead in a world where disruption is the norm.