Risk Implications of The Russo-Ukrainian Conflict: Digitization, Talent & ESG

The Russo-Ukraine conflict has given rise to a complex set of interconnected risks. For instance, regulatory and compliance issues have led to supply chain disruptions, which in turn have led to business interruptions.

Businesses worldwide are faced with more challenges in the near future, including cyber threats, human capital concerns and ESG considerations. How can organizations manage these risks and make better decisions amidst constant volatility?

Cyber Threats

There has been, and will continue to be, an increase in cyber attacks from the outset of the Ukrainian and Russian conflict. There are indications that the number of attacks may continue to rise. Russia is likely expected to continue to mobilize its cyber arsenal as the rest of the world braces by planning its own defenses, which are currently inadequate.

Nearly 80 percent of senior IT and IT security leaders believe their organizations lack sufficient protection against cyberattacks – despite the increased IT security investments made in 2020 to deal with distributed IT and work-from-home challenges. Moreover, it can take a half a year to detect a data breach Although all industries have exposure, the top five reported industries facing a successful cyber threat include:

1. Education
2. Telecommunications and Technology
3. Financial Services
4. Manufacturing
5. Retail

Other industries targeted – education and government entities as well as COVID-19 research, election organizations, healthcare and pharmaceutical, defense, energy, gaming, nuclear commercial facilities, water, aviation, and critical manufacturing.

The average number of daily attacks globally, is about 65 million, with spikes in late January, February, and early April.

Source: Check Point Live Threat Map

Several options are available for businesses to holistically understand their cyber risk profile,” says Ladd Muzzy, Director, Enterprise Risk Management, Aon. “The approach includes understanding the triggers to a cyber event, the technology and asset impacted, and the outcomes (e.g., financial, reputation, compliance, etc.).”

By quantifying first- and third-party financial impacts and understanding the extent to which current risks are insurable and retained on the balance sheet, organizations can better manage their cyber risk profile, thereby improving the Total Cost of Risk (TCoR).

Businesses will also be able to develop effective risk financing and insurance solutions and provide clarity to management on the optimal investment in cyber risk mitigation and transfer, thereby protecting stakeholder value.

“The prevailing mindset is that it’s not just a case of if you are susceptible to a cyber-attack, but rather when the attack will occur,” Muzzy advises. “Ensure that there is an understanding of the causes to a cyber threat and its implications to ensure that your organization, and those critical to its success, are protected.”

Human Capital

The Russo-Ukraine conflict is taking a toll on employees. On top of unexpected challenges such as the two-year pandemic and economic uncertainty, the Ukraine crisis has added to the woes of employees. Many are directly impacted by the humanitarian crisis, experiencing migrations and lack of basic necessities in Ukraine. Others have become unemployed as companies including Starbucks and McDonald’s have halted operations in Russia.

Organizations are responding by providing:

• Salary advances to employees
• Paid temporary accommodation for employees and immediate families (housing allowance)
• Assistance to relocate, transportation, and visa/tax
• Security assistance
• Relocation assistance to employees who have family in Ukraine, even though the employee may not physically reside there
• Hardship allowance
• Financial loan(s)

In addition to managing employee wellbeing in the face of geopolitical turmoil, businesses are grappling with the Great Resignation, Quiet Quitting, and other such phenomena. “Organizations are already facing difficulties in not only finding employees with the right skill sets but also to find individuals who are willing and able to work in positions that are in greatest demand,” explains Tony Adame, Business Continuity and Enterprise Risk Management, Aon. “There is also the risk that employees are being asked to perform in an unfamiliar capacity.”

Rising inflation is also affecting overarching costs to attract, retain, and develop capable employees worldwide. Pay rates have increased dramatically, in some instances by 50 percent for hourly workers. “In rare cases, some individuals are even getting offers from competing firms without an interview because their skill set is in high demand,” says Adame. Moreover, attrition remains high at many levels, albeit at less senior levels.

For Environmental aspect of ESG, the most obvious concern relates to the potential delay in net zero commitments given the choke points in gas distribution and supply.

“Time will tell whether the climate commitments will halt the ongoing reduction in fossil fuels usage,” says Adame. “Organizations will need to evaluate whether and how their carbon footprint may be impacted. There may be opportunities to accelerate the adoption of other renewable sources of energy especially in light of strained gas and fossil fuels.”

WTI Crude

Source: CNBC WTI Crude

The conflict is also highlighting the Social aspect of ESG. In particular, the humanitarian crisis as millions of Ukrainians are being forced from their homes. While many organizations with operations or businesses in Ukraine have already taken steps to try and lessen the impact of this disruption (see Human Capital section above), employees, customers, and other stakeholders are closely watching organizations to see how they align with societal expectations and “doing the right thing”.

In fact, according to a 2020 report by LendingTree, 38 percent of Americans said they believe it is their responsibility to withhold their dollars from companies whose values or actions are not in alignment with their own. “This is putting heightened interest in organizational actions, not only in the conflict zone, but the public philosophies and actions across the value chain,” says Muzzy.

“These organizational decisions and actions are part of the maturing governance practices of ESG,” says Adame. “Topics such as ethics, sanction compliance, instability in manufacturing and distribution, and transparency of decision making are front and center — both in the broader media but also in other social media mediums.”

Organizations that have yet to establish ESG risk management processes can consider:

• ESG risk identification through internal and external sources. Internal opinion can be captured through tested activities such as surveys, interviews, or workshops. Additionally, mining “data” from call centers, letters, and social media posts can prove to be insightful of future exposures. External inputs include outside counsel, consultants, performing sentiment analysis, vendors and suppliers, customers, and advocacy groups offer insights that may be good complements to internal data to remove inherent biases typically fraught with risk identification.
• Assessment and prioritization. Develop measures and variables that can be used to evaluate ESG-related exposures. This would include the potential for assessing risk against each of the ESG categories. In particular, the process used for risk assessment should become a part of Governance activities. Once the measures for risk assessment have been created, a discussion should take place to understand the assessment criterion and the conclusions from this exercise (see the diagram below as one (uncomplicated) way to perform this evaluation). The outcomes of these activities help determine which risks to address in the near, medium, and long term.

• Actions and responses. Extrapolate the event and its implications on the business, operations, and the organization as a whole. Depending on the criticality of the risk and its effects on organizational strategies, objectives and its mission, a determination of the capital, resources, and time available to effectively address the risk should be considered. This would include the creation of additional or more robust controls, management activities and risk financing solutions. For example, Aon is pioneering the concept of a green captive to specifically address ESG risks.
• Monitoring and reporting. Develop the metrics and measures to monitor identified risks and how they may change over time. Identify stakeholders who should receive risk management training and risk-taking activities to understand how the ESG and risk profile is changing.
• Sustain. Ensure that the governance of ESG risks has the same internal oversight from appropriate committees, audit, leadership, and the board. Align ESG risk taking in tandem with other business and operational goals to ensure that the topic receives the appropriate attention in strategy setting and the budgeting process.

Navigate volatility with better-informed decisions

With no end-date yet in sight for the Russo-Ukraine conflict, organizations must buckle down, mobilizing resources to constantly evaluate the implications of the long-standing conflict. “Cross-functional teams should be put in place to proactively assess risks, swiftly identify potential business impact, and recommend the most ideal action based on sound analysis such as that of scenarios through a framework,” Adame advises.

The team should report its analysis, findings, and recommendations to a risk, audit and/or executive committee to ensure that capital, resources, and requisite time is properly allocated to the most salient concerns.

For more information about how we work with C-suite and risk managers on managing organizations’ risk profiles that are in constant flux, please contact the authors or write to Tony.Adame@aon.com or Ladd.Muzzy@aon.com.