In response to the Russian invasion, many countries are issuing a slew of unprecedented responses—a mix of economic incentives and sanctions—to dissuade escalation of violence and minimize humanitarian impact. The toll on citizens, industrial production and economic growth in several European countries is already evident and may become even heavier.
Businesses are on the front lines of the international effort. By last count, more than 400 companies have curtailed or stopped operations in Russia to comply with sanctions or to express their values. Meanwhile, technology firms are being enlisted on the communication and cyber front lines in allied and partner countries for a war that’s being fought not only on the ground but on social media as well.
This is likely just the beginning. The war in Ukraine is not an isolated incident. Other regional conflicts simmer. The Russian invasion of Ukraine may yet usher in a new international order, a multipolar world of economic competition. Russia has challenged the foundational security arrangement in Europe, ending a long-held belief that economic integration prevents war. Global companies must adopt antifragile strategies to survive these shocks and continue to grow and bring prosperity to their customers and communities.
In a period rife with international uncertainty, we offer guidance on how companies can use their risk management programs to maintain continuity of business operations, reallocate resources and make investments in critical areas. Beyond that, we provide guidance on establishing policies and processes that work in a world that anticipates and braces for strategic, social, political, economic and environmental turbulence.
In C-suites and boardrooms across the US, senior executives and corporate directors are talking about the war in Ukraine and determining steps their organizations must take in response.
Risk oversight is a key responsibility at the full-board level. Boards and their committees should work with management to understand and calibrate the risk profile and appetite of their organizations, especially in times of crisis, tumultuous change or significant risk events. Oversight of the response carried out by management is also the board’s responsibility. So, too, is actively participating in the company’s response when a significant risk event occurs. Boards should require timely reporting of early warning signals, confirming that management provides alerts as risk events evolve.
Having that enterprise-wide view can make the difference between being nimble and being disrupted. Coordinated actions and responses, based on a foundation of enterprise risk and control, allow businesses to deploy capital and resources more efficiently and effectively.
To illustrate the importance of the enterprise view, consider the ESG lens of investors and other stakeholders. Social considerations draw attention to the impact of a crisis on employees located in the region and the clamor from customers around the world who want the company to disentangle itself from Russian operations. Governance factors demand responses to the impact of sanctions and counterparty relationships. Environmental factors trigger planning for impacts on energy transition and climate-related transition risks. Reputational risks can stem from failure to address any of these factors.
Strategic, operational, financial and compliance risks are common level-one risk categories that board members and management need to consider. Reputational risk could be amplified if any or all of these risks are not mitigated properly.
The specifics of sectors and operating models matter because they create variance in risk exposure and impacts. The questions in each risk domain are not intended to be a check-the-box exercise. They’re meant to enable robust cross-functional leadership discussions specific to your industry and operating model and anchored on your enterprise risk management framework. Formulated as a bridge between the language of business and the jargon of deep specialties, the questions we offer are a starting point for shared understanding and collaborative action.
The safety and well-being of a company’s people are among its leaders’ most important responsibilities. Whether they’re staying the course, pausing operations or pulling out entirely, all companies operating in Ukraine or Russia or in the surrounding region should be looking for ways to protect their employees.
The war in Ukraine presents an operational and human capital challenge for many multinationals, but shareholders, employees, customers and other stakeholders are watching more than just the impact on your company’s bottom line. They want to see the company acting in line with its corporate purpose. This is a particularly acute priority, given the focus on the “S” in ESG. When actions and values don’t appear to align, it can create reputational risk that can lead to more than bad publicity — it can also hurt the share price or prompt consumer boycotts.
Refugees fleeing Ukraine are increasing the populations of neighboring countries at a speed that is overwhelming the capacity to feed, house, hire and integrate them into communities. Employees around the world have initiated individual responses to the burgeoning humanitarian crisis and may appreciate institutional support.
Other regional conflicts simmer. One can imagine similar situations elsewhere in the world in which western countries could face an even larger crisis. Keeping employees safe, not only within your core operations but also outside of work, is equally important. It’s essential to develop scenarios of what could go wrong, to understand how external issues affect your business and workforce, and to put in place communications tools to provide timely guidance to employees.
The continuing global pandemic should not be overlooked as companies provide a safe work environment. Responses to COVID-19 have been uneven from country to country. Between infrastructure limitations, lack of financial resources and even cultural issues, it’s not safe to assume your employees have access to an adequate safety infrastructure across all the areas in which you operate. Deep contingency plans, achieved through scenario analysis and a robust safety management system, go a long way to providing guidance on doing “the next right thing” when it comes to keeping employees safe.
|Questions to consider around people risks|
|1. What should your organization do with operations in Russia and in Ukraine?|
|2. Have you conducted a scenario analysis to understand the people risks you may face as the geopolitical crisis unfolds in Russia and Ukraine as well as in countries such as Belarus that have been drawn into the conflict, in countries receiving Ukrainian refugees, and in countries that may experience economic recession?|
|3. Do you have a safety management system in place that protects your people and continuity of operations? Have you considered the mental health, in addition to the physical safety, of your employees? How have you planned for ways to support them and allay their anxieties?|
|4. Do you have means to communicate with your employees in times of crisis via multiple channels (email, phone, text, social media, etc.)?|
|5. Do you have safety leaders in each geographical region in which you operate who are fully briefed on your safety management system and the immediate first steps to take in the event of a crisis?|
|6. How do you manage overall employee engagement and concerns across your geographical footprint and their sense of responsibility for what’s occurring in Ukraine? How do you conduct constructive and supportive discussions about geopolitical conflicts and business in your organization?|
|7. How do your decisions on whether to exit or suspend operations in Russia affect your ability to attract and retain talent?|
|8. Taking a broader view, how do you plan to contribute to addressing the humanitarian crisis that is growing in the region?|
In response to the Russian invasion of Ukraine, many countries launched a diplomatic and economic counter-offensive. More than 80% of Russia’s banking sector is subject to sanctions. These sanctions are causing significant challenges for financial institutions and corporations, particularly the increased burden of identifying exposure to sanctioned Russian financial institutions for business-as-usual activity (e.g., making payroll). Expanded controls on the export and re-export of US items prohibit certain listed and unlisted parties from receiving items from US and non-US sources. At the same time, export licensing policy has changed to severely restrict the ability of parties of concern, including military end-users in Russia and Belarus, to access US-origin items or technology. Both measures are having vast financial, operational and regulatory compliance implications across sectors.
|Questions to consider around the impact of sanctions|
|1. How well does your organization conduct internal assessments of connections and potential exposure to sanctioned parties, including suppliers and business partners?|
|2. Is your company equipped to implement enhanced controls to monitor for suspicious activity that may indicate an attempt to bypass sanctions, such as use of cryptocurrency, resubmitted (and stripped) payments as well as the use of IP blocking techniques?|
|3. What will your business do to evaluate and optimize global trade compliance technology to leverage automation when possible? How will your company review and fine-tune screening algorithms to include Cyrillic alphabet, known points of diversion, etc.?|
|4. Is your business anticipating the second-order impact of sanctions such as how they might affect suppliers or customers who maintain close economic relationships with Russian firms, particularly those based in China?|
|To learn more, read Russia-related sanctions continue over aggression in Ukraine. Follow Our Take for new developments.|
Cyber attacks have been a part of the military campaign, as President Biden noted in his March 21 statement. Collateral damage from this activity, similar to the 2017 NotPetya activity, is possible. The region also hosts many of the most prolific cyber criminal groups and patriotic hackers. These make up the bulk of the most significant ransomware groups operating today and could be used as proxies—or they could take advantage of the chaos to conduct operations themselves. Boards should be aware of these cyber attacks even if they’re not targeted at US companies, as future spillovers are possible as the crisis continues to unfold. If cybersecurity has not been a priority of the C-suite and board, this is the time to review and reinforce it.
|Questions to consider around cybersecurity risks|
|1. How exposed are your systems, people and assets in countries that are in or near the region of conflict or associated with countries implementing sanctions? How closely are you monitoring the connections into and out of those countries in your corporate systems?|
|2. What’s the plan if you decide that you need to disconnect your systems? How quickly can you do it without harming your operations and your people?|
|3. Do you have a full inventory of the vendors and subcontractors you’re using across IT? Do any of them have resources in Russia or Ukraine? Are you able to continue using existing systems in Russia, given your reliance on vendors there?|
|4. Do you have a crisis and incident response (IR) playbook? Have you done exercises to test it? When was the last time you tested your IR and crisis plans?|
|5. How sophisticated are your threat detection capabilities? Are you able to detect intrusions in real time? How well do you monitor the crossover from your IT systems to the operational technology that runs your business?|
|6. Do you have strong relationships with national and/or local government agencies focused on cybersecurity?|
|7. Have you contacted any government agencies regarding additional intelligence? How involved are you in industry or private-sector groups that share information with government agencies? How do you distinguish between accurate information and disinformation?|
|8. How well do your employees help protect the organization against theft of account names and passwords via phishing and social engineering? When did you last scan your systems to detect unauthorized (even if dormant) access?|
|To learn more, read Cybersecurity + geopolitical conflict: What boards and CEOs should know and act upon. See Cyber and Privacy Innovation Institute to follow new developments.|
Already reeling from the impact of pandemic-induced shutdowns and restarts, supply chains have experienced another exogenous shock from the war in Ukraine, both directly from a disruption of operations and indirectly from sanctions. Ukraine and Russia are net exporters of agricultural goods such as wheat, corn and sunflower oil, and a prolonged conflict could lead to shortages of these commodities. The US imports significant amounts of metals, fertilizers and petroleum products from Russia, while Ukraine is a major producer of neon gas, a critical component for the semiconductor industry. Russia’s prominence as a supplier of uranium, too, could pose long-term supply issues.
As a result, the increase in the cost of energy and raw materials will likely remain volatile as the conflict persists, further amplifying the bullwhip effect felt throughout numerous value chains across different types of markets. Traditional lean, “just-in-time” inventory approaches face compounding issues, likely resulting in increased inventory to buffer disruptions and inconsistent product flows. Many companies are finding opportunities in the crisis, diversifying their supplier base while improving visibility, and establishing scenario-based inventory planning processes. Strategic sectors—from agriculture to semiconductors—should watch for policy and regulation that will seek to further secure national interests.
|Questions to consider around supply chain risks|
|1. Is your material or manufacturing extended supply chain directly or indirectly exposed to developments in Central and Eastern Europe and Russia?|
|2. Has the crisis driven material shortages or logistics bottlenecks? How will increasing prices on inputs impact your ability to add value, and have you determined whether this could mean passing costs through to customers?|
|3. How are you monitoring events? Do you, for example, have a dedicated geopolitical risk monitoring capability (in-house or outsourced) that includes analysis of future scenarios? How well have you mapped known supply chain nodes to identify, review and assess risk exposure? What is each node’s vulnerability to disruption, and what is your company’s capacity to absorb or mitigate each risk?|
|4. How quickly can your company mobilize and deploy a cross-functional team to assess and address supply chain risks?|
|5. Do your supply chain risk and planning models encompass relevant risks and "what-if" scenarios? Can you execute an alternative plan quickly should a risk event occur?|
|6. Do you have a plan in place to adapt business strategies and operations to changing global or regional conditions with little notice and incomplete information? Do you have contingency plans that secure redundant suppliers for key inputs and balance inventory between efficient just-in-time and shock-resilient, just-in-case strategies?|
|To learn more, read How to manage supply chain risk during geopolitical unrest.|
The increasing complexity of modern business relationships is also being tested by the war in Ukraine. The continuity of customer services could be at stake. Companies that rely on outsourced business and technology services and processes or on raw materials from Russia and other affected regions will need their third parties to have robust recovery and resiliency capabilities. Companies may have to pivot their sourcing of these products and services to avoid concentration risks.
Gaining visibility over the core and extended relationships for both suppliers and customers is a first step to enable your company to take proactive steps to mitigate future financial, operational and reputation risks.
|Questions to consider around dependence on third parties to nth parties:|
|1. Do you have an inventory of your third parties and other downstream suppliers (Nth parties)? How many of your key third (and Nth) parties have business operations in Russia or Ukraine?|
|2. Do your contracts have a “right to audit” clause to assess risks related to third parties you deem as mission-critical?|
|3. Is your company able to determine the source of origin for all of its inputs?|
|4. Have you determined if any service providers are funded by Russian entities or have ownership structures with exposure to sanctions?|
|5. Have you assessed how to terminate contracts, if needed, with minimal legal backlash or financial penalty?|
|6. How will your organization identify any vendors or contracts that have an ownership stake from a Russian entity for potential future action?|
|7. Are you monitoring emerging regulations and sanctions around vendors and contracts (see “Sanctions” section for additional detail)?|
Financial exposures from the war in Ukraine can be far-reaching. We have already seen volatility in global markets, and uncertainty will likely continue. Companies with operations in Russia may have trouble funding operations, collecting customer receipts or making vendor payments as sanctioned governments and banks feel the pinch. Nationalization may impact the valuation of investments in Russian assets or subsidiaries, potentially requiring a write-off of the associated value. Investments in assets or subsidiaries in Ukraine may be impacted by damage from the war, resulting in a rapid decline in value with uncertainty around the time to recover. Companies with non-US denominated exposure in Russia and Ukraine may see a sharp decline in the Russian ruble and Ukrainian hryvnia currencies. Expect supply and price volatility for commodities (e.g., oil, natural gas, metals, wheat, soy beans) sourced from global markets or directly from Eastern Europe. Companies may be affected by the inability to repatriate cash from subsidiaries or joint ventures in the region as well as deteriorating counterparty risk from affected banks.
|Questions to consider around financial risks|
|1. What exposure do you have to the financial markets impacted by the conflict? Have you considered additional volatility through your scenario planning?|
|2. Do you have potential “trapped cash” or liquidity shortfalls?|
|3. What is your exposure to counterparty/liquidity risks arising from sanctions?|
|4. Have you forecasted the currency exposure impact and considered altering hedging strategies to reduce currency volatility in the short term?|
|5. Have you evaluated your commodity purchase agreements and existing commodity hedging programs to determine if there is exposure to rising commodity prices?|
|6. Do you have payment methods that are impacted by sanctions? Could that hinder your ability to meet supply chain or customer/employee obligations?|
One month into the war in Ukraine, we know that the risk environment is evolving rapidly. Companies need to exercise vigilance in understanding emerging risks and in acting to reduce exposure and preserve value. Across all risk segments, companies should consider actions to assess, evaluate and plan for the impacts of emerging risks from the crises.
Evaluate your company’s risk appetite through discussions between executive leadership and the board. Evaluate risk scenarios, risk plans and investments in capabilities required to reduce exposure. Recalibrate your company’s risk capacity and align on the acceptable level of risk that you’re willing to take. Follow through by identifying where investment and resource allocation is required. Establish risk tolerances to identify when exposures exceed your risk capacity and appetite. Develop metrics and key risk indicators that trigger alerts to adjust risk plans. Provide frequent updates to affected stakeholders, including the board.
Perform a risk assessment targeting specific risks triggered by the war in Ukraine. Evaluate and assess the changes to your current risk profile. Prioritize the top risks that create the largest exposures to your company. Update leadership and the board on the emerging business risks and the rationale for prioritization of actions. Develop specific risk reporting for these key emerging risks for continuous monitoring by leadership and the board.
The emerging risks may have far-reaching impacts across your business. In some scenarios, the impacts will be obvious and direct (e.g., rising commodity prices); in others, they may be less direct (e.g., third parties or suppliers with Russia or Ukraine operations). Performing a deep dive on your risks can help your organization identify and assess the areas of your business that are or may be affected. Evaluate current measures and capabilities to mitigate exposures.
Companies should evaluate potential best and worst case scenarios, quantifying exposure and impacts where possible. Assess the need to reallocate resources to strengthen capabilities and respond to the risks. Boards, in particular, should ask management about the financial impact of specific risk and risk events under various scenarios.
A coordinated response is essential to confirm that critical business services can continue to operate. The most likely disruptive threats facing businesses today require an organization to be able to bridge crisis response, incident management, emergency response, business continuity, and disaster and cyber recovery functions. Coordination of these capabilities doesn’t just happen, not even in sophisticated companies. It takes deliberate effort and investment to develop an integrated resilience program. Where collaborative resilience functions used to be the exception, they now need to be the norm. Integration clears away speed bumps along with unnecessary complexities and costs. Finally, don’t overlook opportunities to invest in the resilience and robustness of your digital infrastructure. The current crisis creates urgency; available technology provides an answer.
PwC partners and specialists who have contributed to this content: (Enterprise risk management) Brian Schwartz, Lillian Borsa, Richard Vose; (Employee safety) Bhushan Sethi; (Sanctions) Eric Lorber; (Cybersecurity) Matt Gorham; (Supply chain and third party) Dean Spitzer, Matt Comte; (Resilience) David Stainback, Shawn Lonergan; (Board governance) Paul DeNicola; (Trust solutions) Mark Cornish