
September 2022 / 15 Min Read

Risk Implications of The Russo-Ukrainian Conflict: Interruption, Compliance & Disruption

 

The Ukraine crisis has resulted in a complex set of risks. What are the implications on business and risk management decision making?

 

Key Takeaways

  1. Business continuity and enterprise resiliency programs need to be working well to sustain critical business activities while adapting to emerging threats.
  2. Organizations have had to engage in the largest regulatory and compliance exercise around sanctions imposed against the Russian government, individuals, groups, and entities.
  3. As sanctions and tariffs increase, resources become scarcer and the ability to source products or services becomes increasingly challenging across the value chain.

The Russo-Ukraine conflict has shone the spotlight on exactly how interconnected our world has become today. Such geopolitical events highlight the fact that a specific risk does not exist in isolation. Instead, it impacts a host of other challenges.

The Ukraine crisis has resulted in a complex set of risks including business interruption, regulatory and legal compliance, supply chain disruptions, cyber threats, human capital concerns and ESG considerations.

What are the implications of such risk on corporate and risk management decision making?

Business Interruption

The Russo-Ukraine conflict has exacerbated the impetus for organizations to ensure their business continuity and enterprise resiliency programs are in place and working well to sustain critical business activities while adapting to emerging threats.

Threats such as malicious actors, continued digitization, reliance on existing infrastructure, and supply chain disruption can cause severe business interruption if programs are not up-to-date and nimble enough to be responsive.

| Threat | Contributing Factor(s) | Impact/Implication |
| --- | --- | --- |
| Malicious actors | Ongoing volume and sophistication of Russian state-sponsored or other criminal threats to global organizations, industries, and infrastructure | Damage to companies and industries such as manufacturing, supply chain, and infrastructure. Challenging for organizations to stay current and recover from threats/events |
| Continued digitization | Technological advances and uses (including adoption of automation and big data) leave organizations exposed to recovering from physical or digital attacks | Disruption to technological inputs, critical and sensitive data such as personally identifiable information (PII), and its use in producing, delivering, or maintaining products |
| Reliance on existing infrastructure | Lack of strategy, product, or delivery channels due to current and potential expansion of the conflict zone | Inability for organizations to produce, transport, or receive critical material inputs |
| Supply chain disruption | Cyber, physical, availability of materials, and organizations affected through the war zone and/or its ancillary effects | Ability to scale; and the availability of critical inputs (e.g., commodities, materials) to produce products in an efficient and cost-effective manner |

To combat these threats, organizations should take a holistic approach to integrating their enterprise resiliency and business continuity activities. Considerations include:

  • Governance. Ensure that there is clear accountability for management if a risk occurs and that there is an appropriate understanding of the potential threat and its implications on the business, operations, and all stakeholders. Review and amend risk appetite and tolerance levels to align to the changing risk profile. Develop and implement appropriate metrics to evaluate risk and the need for, or ongoing, action. Ensure that business continuity plans are current and reflect the potential likelihood and severity of a risk. Plans should be tested with greater frequency.
  • Organizational Implications. Understand the value chain and where risk events may impact any part of the end-to-end creation and delivery of products and services. Know what parts of the organization are involved, what their role needs to be and how to plan for contingencies. Codify the organizational impact of a risk event, not just its potential effects on one area.
  • Integrate. Know the touch points of critical business and product assets including dependencies and relationships (such as systems, data, third parties, processes, people, and key inputs). Bring the strategy and philosophy of resilience into strategic planning, budgeting, product development, and M&As/divestitures.
  • Measure. Develop metrics and measures to understand critical service delivery inputs and outputs. Create quantitative and qualitative measures to comprehend how your risk profile may be changing, the triggers necessary to act, and the reporting process necessary to inform key stakeholders. Develop tolerances for specifically created scenarios.

Regulatory and legal compliance

The Ukraine crisis has prompted organizations to engage in the largest regulatory and compliance exercise – the identification, interpretation, and adherence to the sanctions imposed against the Russian government, individuals, groups, and entities. The task becomes more complicated when, for example, in the U.S., compliance also includes foreign entities doing business in or with U.S. parties or goods and U.S. individuals.

“In just a few months since the inception of the conflict, there have been over 5,000 sanctions,” says Tony Adame, Aon’s Business Continuity leader. “This number keeps growing, nearly every day, as countries look to punish Russia for its actions on Ukraine.”

Sanctions imposed (22 Feb 22 – 7 Sep 22) since the inception of the Russo-Ukraine conflict


Source: Statistica

An organization’s legal and compliance teams can, and typically do, take a leading role in supporting an organization’s sanctions compliance program. “Depending on the size of the organization and its risk complexity, compliance departments may also be leveraged to execute a sanctions compliance program,” says Adame.

The compliance program should be in alignment with other risk management activities, which includes outside stakeholders such as suppliers, the regulatory agencies themselves, audit, the board, and senior leadership. “As such, many of the traditional risk management framework elements can be useful to understand, verify, and report on sanctions compliance,” Adame adds.

The elements include:

  • Governance and management commitment. Assess the efficacy of the current governance structure to identify and action sanction requirements. Policies and procedures may need to be created and/or amended to reflect sanctions and how they impact key business activities. Identified issues or concerns should be highlighted quickly to the right personnel without fear of reprisal.
  • Risk and Control Assessments. Rapid changes in sanctions mean that the cadence for risk identification and assessment must be modified to ensure quicker response to potential, direct or indirect, sanction violation. Additionally, understanding the impact(s) of a risk event extends beyond pure compliance violation for add-on effects such as fines or ceasing of business activities.
  • Control, control, control. As controls are identified, they should be raised across the organization and include stakeholders and any business function where a sanction may have implications. Controls should also be evaluated on their ability to be incorporated into technology and software to assist in automation. Thorough record-keeping is crucial to reflect the current state of sanctions.
  • Test. Testing if controls are in place and performing as intended becomes more pervasive as part of the sanctions-compliance process. Ownership should continue to be with the business or function where the actual or potential compliance violation root cause exists. Functions that act in a risk management capacity must engage in random, risk-based testing.
  • Communication. Besides annual compliance trainings, it is prudent to have one-off trainings to reinforce the importance of sanctions and the process employees need to follow should there be a concern of a possible violation. Findings from control tests should be fed back into the business to avoid similar or like events in future.



Supply chain disruptions

As sanctions and tariffs increase, resources become scarcer and the ability to source products or services becomes increasingly challenging across the value chain. Russia cutting off gas supplies to Europe indefinitely has already impacted key manufacturing efforts in the region. The spiraling cost of fossil fuels and the sanctioning of oil or gas could push more countries into recession, or worsen an existing one.

Russia and Ukraine are integral to the world’s food supply, accounting for 30 percent of global wheat exports. Pre-conflict, Ukraine supplied some 45 million tons of grain to the world market, while Russia was the world’s leading fertilizer exporter. Ukraine is also the largest exporter of sunflower oil, which is a key input for consumer goods such as potato chips and baby formula. Blockages of critical freight routes have meant food shortfalls worldwide.

The conflict is also bringing the economic powerhouse China into question. If it continues to align with Russia, it will put additional pressure on the stressed raw materials and finished goods already impacted by issues such as the pandemic, climate concerns, and port closures.

“Organizations therefore need to take a critical look at whether to onshore or nearshore in an effort to avoid these risks and respond more quickly to demand,” Ladd Muzzy, Director, Enterprise Risk Management, Aon advises. “Although these strategies alleviate supply chain choke points and costs, the alternatives may take time to build. For example, organizations’ investment in brick-and-mortar buildings won’t be fully functional for a few years.”

To combat these challenges, organizations must understand their current supply chain to identify key supplier concentration, and how inventory and safety stock strategies are meeting customer needs.

Documentation and understanding of existing and potential tier 2, 3, and 4 suppliers, including where they operate, where they source from, distribution channels (e.g., the blockade in the Black Sea, ongoing covid concerns affecting Chinese ports, etc.) and the way they do business is also crucial to manage supply chain exposures.

Organizations can turn to these practical and pragmatic steps to manage their exposure to supply chain disruption:

  • Find supplier alternatives. These may be the actual supplier itself and/or the product or service it provides.
  • Codify the dynamics of the supply chain (e.g., time critical aspects, seasonality, batch sizes, safety stock) and link to the cost of risk.
  • Consider insurance as a back stop. Feed data back to the business including the Total Cost of Risk (TCOR) as a means of exploring different solutions for risk transfer.
  • Consider developing or joining a consortium to share data between governmental agencies and other industry players.
  • Develop scenarios and games to understand critical supplier risk areas to support broader supply chain risk management activities.
  • Coordinate with legal and compliance to guarantee that the organization is within global, federal, state, and local laws. Certainty that the organization is abiding by established contracts should also be part of the ongoing management of supplier risk, given how dynamically it is changing.
  • Embed within the constructs of existing risk management activities. Detail the causes that may contribute to or cause a risk to occur and understand the likelihood of losing the functionality or actions of a supplier/vendor.



Decision-making in a world in flux

“As the conflict lingers on, it is important for organizations to mobilize their resources to constantly evaluate the implications of the conflict,” Muzzy advises. “This extends beyond the conflict zone to countries and businesses that provide goods and services to fill the gaps left by Ukraine or Russia, other countries competing for the same goods, and those countries that are potentially likely to back Russian interests.”

A dedicated cross-functional team within organizations can identify potential and existing risks, assess their potential impact across the organization’s risk profile, explore scenarios through a framework, and recommend the best course of response.

“With risk profiles in constant flux today, having such an approach will help organizations to make better decisions and engage in proactive responses,” Muzzy concludes.

For more information about how we work with C-suite and risk managers on managing organizations’ risk profiles that are in constant flux, please contact the authors or write to Tony.Adame@aon.com or Ladd.Muzzy@aon.com.
