Regulators...mount up: geopolitical risk via the lens of global markets regulators
Geopolitical risk teams go mainstream, but at a cost to risk management and corporate strategy
Hi folks!
In this edition, I want to take another zoom out from the wars in Iran and Ukraine, and the slow burn over Cuba. But only to 10,000 feet. With all this volatility, what does it mean for conducting geopolitical risk analysis? And for those whose responsibility is to ensure market stability, what are the opportunities and risks of regulating this space?
We’re talking regulators, specifically the prudential ones.
Why are regulators worried about geopolitical risk?
Regulators are concerned about mainly three things: 1) impacts on financial markets; 2) impacts on the real economy - how it affects trade, supply chains, and downwind impacts on corporate and retail consumer behaviour and credit portfolios; and 3) impacts on the security and safety of regulated entities and the financial system. Their role is thus inherently linked to national and bloc (in the case of the EU) security. Events like the Iran war have multiple risk transmission channels into the financial system, ranging from the safety of key personnel and data centres, to disruption to trade flows and cyberattacks on critical infrastructure.
But in spite of the awareness of the second and third order effects of geopolitical volatility, regulators vary widely in the maturity of their response. Many have simply cited the risk as a concern, with no further call to action. Geopolitics may not always be explicitly mentioned; more often it is embedded.
Even before the current crisis, global regulators have been gradually signalling their interest, and acting in a few cases, to get assurance that regulated entities - banks, asset managers, pension funds, insurers, etc - are a) seriously thinking about geopolitical risk and its impacts, b) taking meaningful steps to manage the risk and c) able to convincingly demonstrate that mitigation to the regulators.
Tracking the Regulators
So we know that this is going to be a rapidly evolving space, which is both a risk and an opportunity for security, intelligence, and enterprise risk professionals alike. And it can be tough keeping track of developments and assessing where new requirements may be on the horizon.
I have created a tracker of how the regulators are evolving their thinking and actions. It includes:
A description of how 22 major financial regulators are approaching geopolitical risk (or not)
Their stages of developing guidance, policy and enforcement mechanisms
A score for how critical it is to address each regulator’s requirements
A monthly recap of any noteworthy changes to their positions
A deeper case study into the EU’s DORA and how it is hardwired to address geopolitical risks
You can view a sample of the tracker here.
For the full contents in an interactive format + downloadable PDF, updated monthly, subscribe today to get access to the link in the next post.
In summary, here’s what I found:
Almost all the big boys are ostensibly worried. Even if a work programme isn’t happening today, chances are we’ll see more in the coming 18-24 months as geopolitical risk becomes embedded as a global risk premium across capital markets.
While they may not be geopolitical experts themselves - and it’s clear the “politics and security” bench within most regulators is shallow - they are already connecting it with already-regulated areas they know and love such as market risk, credit risk, cyber, operational resilience, anti-bribery and corruption and sanctions. Not just at the risk level, but also over governance and reporting.
Only an intrepid few are taking the step from information gathering and advising to setting rules with timelines for enforcement, with Australia being the global leader along with the likes of the ECB (geopolitical risk stress testing) and the UK’s PRA. Europe and perhaps some of the Asian regulators could follow, especially if the second and third order impacts of market volatility and energy insecurity seriously damage economic growth in their regions.
Building out capabilities for more sophisticated horizon scanning, stress testing and scenario modelling, governance and AI explainability is going to be key to the journey to both effective compliance AND good risk outcomes.
There are lessons to be learned from how regulators have treated cyber, privacy and sustainability issues to date.
In the following sections, I cover in greater detail how the EU and Australia are leading the pack, what their regulatory priorities mean for which aspects of geopolitical risk management will be most scrutinised, and a look ahead to where the form of regulation may evolve:
The ties that bind
While binding rules explicitly covering geopolitical risk are not yet present in most jurisdictions, links are emerging between it and existing regimes which do have binding rules and enforcement, such as the EU’s Digital Operational Resilience Act, or DORA, which came into full effect in January 2025. Financial entities and key third party suppliers are compelled to strengthen their information security and resilience against cyber attacks. It’s the most comprehensive info / digital security and resilience regulation out there, and calls for strict frameworks for ICT risk management, incident reporting, testing and simulations, as well as oversight frameworks for key suppliers of the financial services industry like cloud providers. For banks, being able to build and demonstrate DORA compliance is now foundational to business operational resilience and broader enterprise risk management.
Closely related is the NIS2 Directive, another key piece of EU regulation which came into force in 2023 and focuses on strengthening cybersecurity across organisations in 18 essential sectors. The directive sets essential requirements covering risk-based approaches to network security, third party risk management, incident reporting, key testing, managing vulnerabilities, encryption and access management. Each country is responsible for pushing through related legislation, with fairly severe fines for noncompliance.
These regulatory mechanisms are among the most fertile grounds for compliance-related geopolitical risk work. Some of the kinds of questions that are already being asked or demanded:
How do geopolitical risk events create or impact known or new vulnerabilities to enterprise information security, and what types of critical assets are especially exposed?
Are there bottlenecks or key dependency risks (e.g. geographical) on critical third parties (e.g. payments, cloud services, telecommunications, payroll, trading)? Are they vulnerable to sanctions or export control regimes?
Is the monitoring and analysis of state-sponsored threat actors overlaid and integrated with geopolitical risk analysis? Is this reflected in required penetration testing, in line with the TIBER-EU framework?
Are critical functions carried out in geographies with an elevated risk of disruption from geopolitical risk events (e.g. running key settlements out of Dubai)?
Where does threat intelligence collection sit? Does threat research and hunting account for geopolitical risk actors? How do capability, process and governance link up cyber, physical and other risk intelligence teams?
Are the organisation’s key risk teams connected with their counterparts at key suppliers? For instance, does your intel team know the intel team at AWS?
How do geopolitical risk events a) create or affect known or new vulnerabilities to enterprise infosec resilience, b) which types of critical assets are particularly exposed, and c) what mitigations are taken, both technical and non-technical (e.g. people and process)?
More enforcement and scrutiny of scenario planning, stress testing and assumptions: portfolio exposures, impact on clients, liquidity and capital reserve positions.
How are testing scenarios and parameters informed?
Do key contractual provisions with third party providers allow for geographical resilience? Is there n+1 / n+x resilience in providers, and how is that diversification determined?
Aussies in the lead
Australia has a mature financial services ecosystem but the broader economy is vulnerable to volatility in commodities, trade flows and energy markets. It is also geographically isolated, with poorer digital infrastructure connectivity to other global financial hubs. It is perhaps not overly surprising that its prudential regulator, APRA, has come out of the stables with the clearest guidance last November, requesting explicit geopolitical risk management frameworks, governance and reporting which “connect the dots” with other existing risk functions. They’re particularly focused on:
Horizon scanning
Payments systems resilience
Greater focus on people risk
Sanctions risk exposure and preparedness
Maturity in crisis planning, management and response processes
Connectivity with its new standard for operational risks (CPS230), which has parallels with DORA, but is more prescriptive around identifying and managing key business functions
This is new-ish territory for regulators at a time when regulators globally are paring back requirements, so it’s more than possible that other regulators are watching APRA’s progress and the responses from regulated entities, and will adapt elements of its approach to their own jurisdictions. APRA’s priorities point to a few areas of compliance and future enforcement which regulated entities need to address upfront:
The why: the key objective(s) of geopolitical risk management for the organisation and how the work is done. A clear definition and description of the kinds of trends or events which are in scope (action domains), and how it fits into the organisation’s broader risk taxonomy and risk register. This may sound simple but would actually involve significant work for many organisations.
Intelligence capabilities to the fore: mapping out risk transmission channels requires the right data and in-house subject matter expertise. Have in place, and be able to demonstrate, effective workflows (e.g. the intelligence analysis cycle, scenario planning, crisis simulation exercises) that are clear and easily explainable. This should also include where and how AI is used and where humans are in the loop. Critically, the intelligence part of the framework should clearly explain how collected data is turned into actionable reporting and informs risk and commercial decisions.
Tweaks to data management and information classification: a clear data strategy for information gathering, vetting, analysis, and distribution. Because of the sensitive nature of some of this work - be it sources, methods or intended use / what question it is trying to answer - the data strategy should be aligned with how the organisation manages data privacy and classification.
Security risk management frameworks and policies: these need to be much more connected to broader enterprise risk management frameworks, as well as to reputational risk management (e.g. specialist teams or corporate affairs). Standards and best practices for travel security, staff accounting, evacuation and other emergency procedures now come under greater scrutiny.
Real, proactive enterprise risk management: because of the unpredictability of some events, there may be a tendency to focus on reactivity, which is a criticism of enterprise risk management philosophies to date. There’ll be a greater demand to demonstrate how organisations are on the front foot - from active engagement across disparate risk (security, cyber, credit, ops, ESG, ERM) and “front office” teams, to integrated horizon scanning and a higher tempo of stress testing exercises.
Looking over the horizon
Geopolitical risk governance requirements, I believe, will start to mirror those of other already-regulated risks covering market conduct, AI, cyber and sustainability. And it’s likely that there will be parallels between how governance and regulatory and board reporting evolved in those areas and how geopolitical risk reporting develops. Key areas:
Managing geopolitical challenges across jurisdictions: when a crisis emerges, multiple regulators are eyeing an organisation’s behaviour. It’s key that decisions are made rapidly but also in a defensible manner. In the past, not every institution has done this well. For instance, if a company pulls its staff and key functions out of Dubai, has that choice considered reputational risks and regulatory issues with the local regulator? Or the views of the regulator where those staff and functions are relocated to? And how does market-entry work after things calm down and how would that be received locally? You can see how what may be a physical security decision is really far more complex, and costly (financially, operationally, reputationally) if planning, execution and messaging are not well managed. An integrated framework underpinned by solid relationships across security, corporate affairs, legal, compliance and sanctions teams would be essential to make good decisions that can withstand regulator and board scrutiny.
Intelligence, data and AI: Most robust geopolitical risk intelligence tools have some form of LLM embedded into their product offerings. A growing number of organisations have built agentic AI workflows that determine which intelligence is shown on analyst / operator / leadership dashboards, or to build reporting. This creates an AI governance pillar in geopolitical risk management. If geopolitical risk data is also used for commercial applications e.g. commodities trading, then I can see the risk management evolution showing parallels to how sustainability and climate data is handled in the regulatory space: Guy Gresham, a financial services sustainability governance expert, points out that such data needs to demonstrate ROI while also having robust governance to meet regulatory requirements - articulating how data is turned into actionable intelligence, and vendor management become essential as the data is steadily embedded in frontline teams.
Risk ownership: who should be involved in informing, making decisions and being responsible and accountable for managing the risk? There’s no consensus beyond “senior management and the Board,” and the answer to this will be unique to the organisation, driven as much by the motivations of those with social capital at the top as by the technical needs or available resources. A RACI is a good start, but as AI becomes embedded in most tech and enterprise risk controls, clear articulation of who owns what in the geopolitical realm is absolutely essential when so much of the mitigation revolves around data management and AI-powered workflows. My former colleague and digital transformation leader Nilesh Khatri sees clear control, defined boundaries and the ability to intervene when things don’t go right as essential to demonstrating effective governance.
Governance gaps: few organisations would overhaul how they work to adapt to geopolitical risk needs, but rather seek to either a) shoehorn it into existing functions, processes and roles, or b) make modest changes to team makeup, remits and workflows. Different models will emerge, largely driven by existing corporate culture (open door v siloed, flat v hierarchical, all voices welcome v deference to seniority). This creates gaps where risk transmission channels don’t align well with how risk teams are set up and work together. As governance expert Mimi Ajibadé points out, information is shaped at the point where roles converge, but it’s often unclear who has what type of responsibility. Similarly, supply chain issues are often treated as operational, but risk governance lags - these types of disconnects between what the banking sector calls the first and second lines of defence also create gaps where rapid changes in risk can create problems in escalation and breaches.
Is it compliance or managing risk? The more prescriptive the regulatory requirements, the more organisations will get pushed towards one or two models. I’m not convinced there is one winning model to manage geopolitical risk inside a company, but there is a concern that regulatory oversight creates path dependencies and incentives, such as reporting requirements that lead to new work to demonstrate compliance, to the extent that it dilutes proactive risk management. One key criticism of the sustainability field is how much resourcing has now gone into reporting versus “actual” sustainability work to deploy technologies, build talent, etc. So in managing geopolitical risk, we’ll probably see a mix of new roles created to support regulatory reporting, while existing compliance, financial crime, credit, and cyber professionals have elements of geopolitical risk added to their board / committee reporting asks. They must be thrilled!
Professionalisation: regulation brings standardisation, and standardisation brings greater professionalisation. Geopolitics and security largely lack this. Practitioners come from a wide range of backgrounds and there is no recognised accreditation as such. Most have a mix of academic and practical backgrounds (corporate risk, government / military / intelligence, politics, government affairs and policy). We may see industry associations like ASIS start to promote or elevate their standards so that these would be recognised as “passing muster” by regulators and the broader financial services industry. This is probably a long way off but becomes a real prospect if more regulators pick up the geopolitical football.
Getting ahead
Learn from what’s come before: geopolitical risk is yet another risk, so it pays to learn from the good, bad and ugly of how regulatory requirements (and responses) evolved with cybersecurity, privacy, AI etc as a roadmap of what (not) to do. Each company has its own institutional memory around these already-regulated spaces, so it would be very surprising not to tap into that expertise as part of its uplift.
An empowered intel capability: this combines all of the above with where data resides, who and which capabilities turn it into intelligence, and how it gets to decision-makers (or not). It’s not necessarily about having the “best” AI tools, but about how you get the right people in the room, connected with best practice and the tools needed to do the job, and empower them to have a voice at the decision-making tables. Moreover, the different centres of intel production should be integrated, or at least joined up in capability, so they are not operating, and reporting, in silos.
Do it for the culture: this is, I believe, the biggest determinant of success and doing better than the company across the street. Culture eats strategy for breakfast (no, Peter Drucker didn’t actually say this). Companies with the culture, talent and technology to proactively anticipate risk, plan ahead, respond rapidly at the operational level, and quickly deliver actionable intelligence to the senior-most decision-makers will be best placed to navigate risks successfully.
Ultimately, this requires a shift from the organisational and management theory popular since the late 1990s to models more common in (former) small and medium tech firms like Netflix, which are agile, prize horizon scanning and getting the most out of market insights, and are willing to disrupt themselves.