Risk Implications of The Russo-Ukrainian Conflict: Interruption, Compliance & Disruption

The Russo-Ukraine conflict has shone the spotlight on exactly how interconnected our world has become today. Such geopolitical events highlight the fact that a specific risk does not exist in isolation. Instead, it impacts a host of other challenges.

The Ukraine crisis has resulted in a complex set of risks including business interruption, regulatory and legal compliance, supply chain disruptions, cyber threats, human capital concerns and ESG considerations.

What are the implications of such risk on corporate and risk management decision making?

Business Interruption

The Russo-Ukraine conflict has exacerbated the impetus for organizations to ensure their business continuity and enterprise resiliency programs are in place and working well to sustain critical business activities while adapting to emerging threats.

Threats such as malicious actors, continued digitization, reliance on existing infrastructure, and supply chain disruption can cause severe business interruption if programs are not up-to-date and nimble enough to be responsive.

To combat these threats, organizations should take a holistic approach to integrating their enterprise resiliency and business continuity activities. Considerations include:

• Governance. Ensure that there is clear accountability for management if a risk occurs and that there is an appropriate understanding of the potential threat and its implications on the business, operations, and all stakeholders. Review and amend risk appetite and tolerance levels to align to the changing risk profile. Develop and implement appropriate metrics to evaluate risk and the need for, or ongoing, action. Ensure that business continuity plans are current and reflect the potential likelihood and severity of a risk. Plans should be tested with greater frequency.
• Organizational Implications. Understand the value chain and where risk events may impact any part of the end-to-end creation and delivery of products and services. Know what parts of the organization are involved, what their role needs to be and how to plan for contingencies. Codify the organizational impact of a risk event, not just its potential effects on one area.
• Integrate. Know the touch points of critical business and product assets including dependencies and relationships (such as systems, data, third parties, processes, people, and key inputs). Bring the strategy and philosophy of resilience into strategic planning, budgeting, product development, and M&As/divestitures.
• Measure. Develop metrics and measures to understand critical service delivery inputs and outputs. Create quantitative and qualitative measures to comprehend how your risk profile may be changing, the triggers necessary to act, and the reporting process necessary to inform key stakeholders. Develop tolerances for specifically created scenarios.

Regulatory and legal compliance

The Ukraine crisis has prompted organizations to engage in the largest regulatory and compliance exercise – the identification, interpretation, and adherence to the sanctions imposed against the Russian government, individuals, groups, and entities. The task becomes more complicated when, for example, in the U.S., compliance also includes foreign entities doing business in or with U.S. parties or goods and U.S. individuals.

“In just a few months since the inception of the conflict, there have been over 5,000 sanctions,” says Tony Adame, Aon’s Business Continuity leader. “This number keeps growing, nearly every day, as countries look to punish Russia for its actions on Ukraine.”

Sanctions imposed (22 Feb 22 – 7 Sep 22) since the inception of the Russo-Ukraine conflict

Source: Statistica

An organization’s legal and compliance teams can, and typically do, take a leading role in supporting an organization’s sanctions compliance program. “Depending on the size of the organization and its risk complexity, compliance departments may also be leveraged to execute a sanctions compliance program,” says Adame.

The compliance program should be in alignment with other risk management activities, which includes outside stakeholders such as suppliers, the regulatory agencies themselves, audit, the board, and senior leadership. “As such, many of the traditional risk management framework elements can be useful to understand, verify, and report on sanctions compliance,” Adame adds.

The elements include::

• Governance and management commitment. Assess the efficacy of the current governance structure to identify and action sanction requirements. Policies and procedures may need to be created and/or amended to reflect sanctions and how they impact key business activities. Identified issues or concerns should be highlighted quickly to the right personnel without fear of reprisal.
• Risk and Control Assessments. Rapid changes in sanctions mean that the cadence for risk identification and assessment must be modified to ensure quicker response to potential, direct or indirect, sanction violation. Additionally, understanding the impact(s) of a risk event extends beyond pure compliance violation for add-on effects such as fines or ceasing of business activities.
• Control, control, control. As controls are identified, they should be raised across the organization and include stakeholders and any business function where a sanction may have implications. Controls should also be evaluated on their ability to be incorporated into technology and software to assist in automation. Thorough record-keeping is crucial to reflect the current state of sanctions.
• Test. Testing if controls are in place and performing as intended becomes more pervasive as part of the sanctions-compliance process. Ownership should continue to be with the business or function where the actual or potential compliance violation root cause exists. Functions that act in a risk management capacity must engage in random, risk-based testing.
• Communication. Besides annual compliance trainings, it is prudent to have one-off trainings to reinforce the importance of sanctions and the process employees need to be follow should there be a concern of a possible violation. Findings from control tests should be fed back into the business to avoid similar or like events in future.

Supply chain disruptions

As sanctions and tariffs increase, resources become scarcer and the ability to source products or services becomes increasingly challenging across the value chain. Russia cutting off gas supplies to Europe indefinitely has already impacted key manufacturing efforts in the region. The spiraling cost of fossil fuels and sanctioning of oil or gas could further put countries into, or worsening of, a recession.

Russia and Ukraine are integral to the world’s food supply, accounting for 30 percent of global wheat exports. Pre-conflict, Ukraine supplied some 45 million tons of grain to the world market, while Russia was the world’s leading fertilizer exporter. Ukraine is also the largest exporter of sunflower oil, which is a key input for consumer goods such as potato chips and baby formula. Blockages of critical freight routes have meant food shortfalls worldwide.

The conflict is also bringing into question economic powerhouse, China. If it continues to align with Russia, it will put additional pressure on the stressed raw materials and finished goods already impacted by issues such as the pandemic, climate concerns, and port closures.

“Organizations therefore need to take a critical look at whether to onshore or nearshore in an effort to avoid these risks and respond more quickly to demand,” Ladd Muzzy, Director, Enterprise Risk Management, Aon advises. “Although these strategies alleviate supply chain choke points and costs, the alternatives may take time to build. For example, organizations’ investment in brick-and-mortar buildings won’t be fully functional for a few years.”

To combat these challenges, organizations must understand their current supply chain to identify key supplier concentration, and how inventory and safety stock strategies are meeting customer needs

Documentation and understanding of existing and potential tier 2, 3, and 4 suppliers, including where they operate, where they source from, distribution channels (e.g., the blockade in the Black Sea, ongoing covid concerns affecting Chinese ports, etc.) and the way they do business is also crucial to manage supply chain exposures

Organizations can turn to these practical and pragmatic steps to manage their exposure to supply chain disruption:

• Find supplier alternatives. These may be the actual supplier itself and/or the product or service it provides.
• Codify the dynamics of the supply chain (e.g., time critical aspects, seasonality, batch sizes, safety stock) and link to the cost of risk.
• Consider insurance as a back stop. Feed data back to the business including the Total Cost of Risk (TCOR) as a means of exploring different solutions for risk transfer.
• Consider developing or joining a consortium to share data between governmental agencies and other industry players.
• Develop scenarios and games to understand critical supplier risk areas to support broader supply chain risk management activities.
• Coordinate with legal and compliance to guarantee that the organization is within global, federal, state, and local laws. Certainty that the organization is abiding by established contracts should also be part of the ongoing management of supplier risk given the dynamic nature in which its changing.
• Embed within the constructs of existing risk management activities. Detail the causes that may contribute or cause a risk to occur and understand the likelihood in the loss of the functionality or actions of a supplier/vendor.

Decision-making in world in flux

“As the conflict lingers on, it is important for organizations to mobilize their resources to constantly evaluate the implications of the conflict,” Muzzy advises. “This extends beyond the conflict zone to countries and businesses that provide goods and services to fill the gaps left by Ukraine or Russia, other countries competing for the same goods, and those countries that are potentially likely to back Russian interests.”

A dedicated cross-functional team within organizations can identify potential and existing risks, assess their potential impact across the organization’s risk profile, explore scenarios through a framework, and recommend the best course of response.

“With risk profiles in constant flux today, having such an approach will help organizations to make better decisions and engage in proactive responses,” Muzzy concludes.

For more information about how we work with C-suite and risk managers on managing organizations’ risk profiles that are in constant flux, please contact the authors or write to [email protected] or [email protected].