Risk managers face up to Russia-Ukraine crisis bolstered by Covid experience
Russia’s invasion of Ukraine has thrown up a second once-in-a-generation crisis immediately after the pandemic, sending risk managers and their organisations into crisis mode once again. In front of them is a whole new set of risks to deal with, as well as those that have been exacerbated by the conflict. Sanctions, reputation, people, cyber and supply chain risks have all come to the fore, and must all be dealt with at the same time.
Experts agree that risk managers are well placed to help their companies respond to these risks and drive the crisis response, armed with lessons learned from Covid-19 and a new-found corporate respect. But achieving this will not be easy and will require risk managers to use their tried-and-tested tools, while also adapting plans to a set of challenges that are far from black and white.
François Malan, chief risk and compliance officer at Eiffage, board member of French risk management association AMRAE and 2020 European Risk Manager of the Year, said people risk should be the top priority for any organisation following Russia’s invasion of Ukraine.
Carl Leeman, chief risk officer at international logistics firm and port operator Katoen Natie, and vice-president of Belgian risk management association Belrim, agreed that protecting employees should be the priority as companies look to manage their risks and exposures to the war.
“It is an unpredictable situation so we have already moved some of our employees and we have a detailed evacuation plan for the rest,” said Leeman. “This includes advising employees to have a bag ready with all the necessary provisions so that they can leave at a moment’s notice.”
His company has also developed a communications plan in the event that mobile and telecoms networks go down.
Amid all this uncertainty, the main thing you can do is maintain clear instructions for your employees, continued Leeman. “There may be little you can do to protect your assets, so the focus should be on your employees and ensuring that you can continue to pay their salaries and they have access to food and shelter. This means keeping in daily communication and assembling a team that can make decisions quickly if the situation escalates,” he said.
Cyber is another big risk facing companies, with attacks increasing dramatically since the conflict broke out. “Risk managers should really be careful when it comes to this risk and work more closely than ever with their IT departments,” said Malan.
He added that other risks already prominent on risk registers following Covid-19, such as supply chain issues and cost of materials, will be exacerbated by the Russia-Ukraine crisis.
Malan said the cost of materials such as steel, aluminium and wood is changing by the hour, so it is almost impossible to get a fixed price. In addition, European risk managers are concerned about the availability and cost of energy following price shocks since the conflict broke out, he said.
They can turn to their contracts to try and alleviate some of this price uncertainty, but it is not always easy to achieve.
“We need to include in our contracts price revision clauses, which are really difficult to negotiate today. It is easier to have it in public contracts but in private business clients want a fixed price, which is impossible to do. So today a major concern for the risk committee is to come up with a solution to protect our business from this risk,” said Malan.
The French risk manager also stressed that the risks from Covid-19 haven’t gone away just yet, as highlighted by China’s recent lockdown affecting areas producing electric and other goods. “So all in all, we are in a period of real uncertainty,” said Malan.
And then there are huge risks from failing to comply with sanctions imposed since the war, agreed risk managers and their advisers.
GRAPPLING WITH SANCTIONS RISK
Alessandro de Felice, chief risk officer at Prysmian Group and past president of Italian risk management association Anra, said there were already sanctions in place against Russian companies before the war broke out but there are now many more, with sanctions also in place on Russian individuals.
“Sanctions was a big risk already but the risk landscape has worsened with sanctions on individuals,” said the Italian.
So the blacklist of companies has expanded and now there is a blacklist for individuals, continued De Felice. It is therefore vital to check whether shareholders are on that blacklist, he said.
Stephen Sidebottom, chair of the IRM, agreed that sanctions risk was already a complex issue for risk managers but is more of a problem now.
“Sanctions lists are rapidly evolving and the current dynamic and divergent nature of lists across different governments and sanctioning bodies is a significant challenge,” he told CRE.
“As well as directly sanctioned entities, businesses need to look at organisations owned or controlled by these sanctioned entities. Customers who aren’t sanctioned themselves but have a relationship with sanctioned individuals may also be a risk,” said Sidebottom.
While financial services have historically been a major focus for sanctions, new sanctions put in place since the Russia-Ukraine conflict are impacting a much broader range of sectors, noted the IRM chair.
It is vital therefore that companies have appropriate screening in place to work out whether they are affected and are responding appropriately.
“Businesses need to have adequate sanctions controls covering direct customers and their extended supply chain, particularly in geographies and sectors with strong links to sanctioned countries, organisations, or individuals,” said Sidebottom. “Businesses need to ensure they understand their customer data, have a robust screening methodology and tools, and are able to access and work with up-to-date sanctions data,” he added.
Risk managers have a critical role to play in assessing and understanding sanctions risk before ensuring companies have the right mitigation systems and processes in place, continued the IRM chair.
But he said a lack of reliable data significantly increases the difficulty of compliance efforts. “Businesses need to be actively looking at the data they hold on customers and how to access the data they need to assess exposure throughout their supply chains,” said Sidebottom.
Malan said the biggest difficulty facing risk managers in this area is simply keeping up to date with the many different sanctions and working out who actually owns companies they deal with. “The difficulty of working out who is the end user and owner can be difficult,” he said.
But after carrying out such analysis as best they can, companies need to work out how sanctions will affect their contracts. Malan’s firm did this via an in-depth contract review.
“We, as risk managers, need to adapt and improve our sanctions management process and tools. We need to work closely with compliance and legal departments. We did this with Covid when we had to adapt contracts and now, today, we have to do it again,” said Malan.
The risk from sanctions is far from certain or clear, stressed Leeman. “The situation is sometimes changing on a daily basis, with both new sanctions by the west or new local laws in Russia. This is not always easy to follow, nor is it simple to find eventual links between sanctioned persons and their eventual involvement in certain companies. Also, on the sanctioned dual-use product list, there seem to be different views in some cases,” he said.
Fortunately, there is an unprecedented international consensus on the most important sanctions measures, noted Leeman. This makes it a little easier for multinationals but many questions will remain for risk managers, finance teams and compliance managers.
“Therefore, risk managers must do their utmost to stay as informed as possible but also ensure that any actions regarding counterparties that could potentially be subject to sanctions are recorded, should they need to be reported to regulators or government authorities,” said Leeman.
Cvete Koneska, head of advisory at security intelligence firm Dragonfly, noted that sanction risk isn’t just about compliance – it brings reputational risk that touches on company values.
“Risk managers need to be part of this conversation about how companies comply with sanctions. Risk is integral to the compliance conversation. Risk managers will be able to see the effect that risks that impact the different levels of compliance will have on the different parts of the business, whether it’s profit, people, market share or competition. So they have a big part to play in making organisations more resilient to sanctions risk,” she said.
“There is very little precedent here and you need to think and feel your way through this,” she advised risk managers.
De Felice agreed that reputational damage is one of the big risks to emerge from the crisis.
While many big brands, mainly on the retail side, have started to close businesses in Russia, such decisions can be very hard, he said.
“You can’t just send people home and leave families without jobs,” so there are big corporate social responsibility issues to consider as part of the bigger picture, he pointed out.
RISK PROFESSIONALS WELL PLACED TO DRIVE RESPONSE AFTER PANDEMIC
The experts believe that risk managers are critical to the Russia-Ukraine crisis response, and well positioned to make their contribution count after Covid-19 sharpened their toolkit and showed the value they can bring.
Koneska, head of advisory at security intelligence firm Dragonfly, said that from what she sees, organisations are prepared to deal with the current crisis and have learnt lessons from Covid-19. But as ever, the best companies and risk managers will be able to adapt their plans to new scenarios, she said.
“Organisations with a mature risk management framework ideally should have arrived at this point well prepared, with the right tools and organisational setup to enable risk managers to play that critical role by pulling critical resources from across the organisation, rolling out the right risk management measures and so on,” said Koneska.
“It is still early days but from what I see, I think a lot of organisations came to this well prepared. I think Covid was a good crisis exercise. Those organisations that really invested in their risk management and crisis management should be in a good position to respond to this latest crisis, with the internal resources and tools to do their job properly now,” she said.
“However, while you can learn from other crises, the best organisations and risk managers will be flexible and adapt plans to account for the individual situation,” she added.
Malan said that as with Covid-19, risk managers have the ability and skillset to manage these types of multifaceted crises. And they are now armed with lessons learnt from the pandemic, he pointed out.
“We can play a central role. We did it for Covid-19 so we have to do it again. It is important to use what we have learnt from the Covid-19 crisis. My CEO asked me to coordinate our actions in the Ukraine crisis, so I think he trusted what I did for Covid-19. So I think we have the legitimacy now,” he said.
But Malan also said there is room for improvement and the need for risk managers to seek new ways to conduct risk assessments, so companies are better forewarned of potential threats.
“Risk assessment is a terrific tool but we underestimated the frequency and severity of Covid and it is the same thing with geopolitical risk in Ukraine. So we need to be humble and review how we are conducting our risk assessments… we need to improve our way of assessing the risk,” he said.
De Felice agreed that Covid-19 highlighted the added value risk management can provide through clear analysis of various scenarios and their impact, which helps companies take strategic decisions.
“Our community is living through a unique situation and opportunity to show added value,” he said.
Faced with people and security risk, rising economic risk, cyber threats, reputational damage and many other issues, risk managers have “more than enough” on their plates to “justify their role” and show value, he added.
RISK MANAGERS ADVISED TO THINK AND FEEL THEIR WAY THROUGH CRISIS
Risk managers must think big and take a more holistic approach to risk management to best deal with the many risks thrown up by the Russia-Ukraine war that simply aren’t black and white, advised security intelligence expert Koneska. She believes companies need to both think and feel their way through the crisis, keeping ethical behaviour front of mind.
Koneska stressed that the risks facing companies due to Russia’s invasion of Ukraine will vary by company and sector. But the bottom line is companies face a range of risks in a complex situation such as this, she said.
The big challenge for risk managers, said Koneska, is getting the risk mix right and understanding how risks interact. And, crucially, she advised taking a high-level, holistic approach to risk rather than focussing on individual threats that could result in other issues being missed.
“That really should be the highest priority now for risk managers. Rather than approaching things piecemeal risk by risk, they need to take a more comprehensive approach and find the right balance of measures that can reduce those risks,” she said.
“I am not saying ignore the individual risks, but that piecemeal approach may cause you to miss some dependencies and some of the mitigation for one risk can also reduce another. If you evacuate a lot of your people from Ukraine, you are obviously reducing your security risk, but you might also reduce risk to data and equipment. It’s about getting into that mindset to think comprehensively about the risks. This is the exact sort of scenario when you really need to think big,” she added.
As well as thinking big picture, Koneska urged companies and their risk managers to think fluidly and beyond pure financial numbers in order to deal with many of the political risks thrown up by the crisis. This requires a change in mindset and there is room for improvement, she added.
“The legal risks from sanctions or security risks if you have people in Ukraine are not black and white. So many of the decisions facing companies are a bit less clear cut than in some other risk areas,” she said.
“There is a little bit more grey here. I think to be able to navigate that grey space, businesses and risk managers require a bit more fluency in the language of politics and geopolitics and what that means for businesses. Businesses are very good at numbers and profits but not many so far have been aware as actors in the political space. I think this crisis is really bringing that to the fore, especially for the large multinationals,” added the political risk adviser.