Geopolitical risk management in financial services: Component parts of a comprehensive approach

At a glance:
 

• Geopolitical risk is growing in prominence, and features regularly in financial services (FS) supervisors’ statements.
• However, at present there is little by way of concrete guidance on what actions supervisors expect firms to take, or on what “good” looks like.
• In our experience, approaches to managing geopolitical risk vary considerably across FS, and FS firms’ capabilities are comparatively less mature than some other sectors (such as oil and gas). Firms often assess geopolitical risks on an “ad-hoc” basis, rather than as part of the continuous risk management cycle.
• Developing or enhancing a number of key capabilities will help make FS firms more resilient. This includes identifying and addressing data needs, clearly defining responsibilities and integrating geopolitical risks into established financial and non-financial risk management processes.
• Even if converting robust geopolitical analysis into effective action will remain a challenge, FS firms should look to embed a structured and comprehensive approach.
   

Relevant to:

Board members, Senior Executives (CEOs, CFOs, CROs, CCOs, COOs), Risk, Strategy and Public Affairs functions at Financial Services firms

Geopolitical risks have risen up the Board and policymaker agenda, spurred by recent world events, including ongoing conflicts between Russia and Ukraine and in the Middle East, pressure on shipping routes and supply chains, and significant uncertainty over how the geopolitical landscape will evolve given numerous upcoming elections across major economies.

The Bank of England’s biannual Systemic Risk Survey (March 2024) of risk and treasury executives pointed to widespread and increasing concern about geopolitical risk, which was deemed by industry respondents to be the risk with the highest potential impact (85% of respondents, +19pp. vs 2023), the most challenging risk to manage (70% of respondents, +25pp. vs 2023) and the most likely risk to materialise (67% of respondents, +26pp. vs 2023). The recently published Deloitte CFO survey also found that CFOs still see geopolitics as the greatest risk to their business over the next 12 months.
 

Why does geopolitical risk matter to FS firms?

FS firms could feel the impact of geopolitical risks through multiple direct and indirect channels.

Geopolitical risks could act as drivers of traditional prudential risks both for cross-border and purely domestic firms in numerous ways: market risk could be affected through increased market volatility; operational risk and resilience through increased risk of direct or indirect cyber-attacks, supply chain disruption, sanctions compliance or reputational risk; strategic risks where firms have to exit a market quickly; or credit risks to the extent that any of those risks affect clients’ ability to service debt or afford insurance premia. Insurers offering political risk, cyber or business interruption insurance face the risk of increasing claims on those policies.

Risks could also crystallise through less direct macroeconomic channels such as reduced economic activity and trade flows, prompted by increased short-, medium- and long-term uncertainty.

FS firms are particularly susceptible to geopolitical risks. They are exposed to both direct and indirect channels, they have a central role in governments’ national security policies (through implementation of sanctions) and often operate across geopolitical fault lines. For FS firms, being able to anticipate and mitigate geopolitical risks effectively is therefore crucial, and in some cases may even be existential.
 

The growing supervisory imperative
 

Against this background, it is hardly surprising that geopolitical risk management features prominently in FS policymakers’ and supervisors’ statements. Supervisory stress tests and scenario analyses are increasingly incorporating narratives of escalating geopolitical tensions (such as the EBA’s 2023 EU-wide stress test and EIOPA’s 2024 insurance stress test) or acute geopolitical shocks (as in the Bank of England’s System-wide exploratory scenario (SWES)). It has rapidly become one of the ECB and PRA’s top supervisory priorities, and is increasingly coming up in firms’ supervisory conversations.

The PRA has set out its expectation that domestic and international banks are able to demonstrate that their overall risk management frameworks are evolving in line with the changing macro environment, and this should be enabled by a sound risk culture. The ECB recently highlighted, in its May 2024 financial stability report, the need for banks to take a “proactive approach” to managing geopolitical risks using a range of risk management and diversification techniques.

On the insurance side, the PRA has highlighted the need for UK insurers to be able to understand and mitigate novel risks (including geopolitical risks), and highlighted concerns around limited allowance for geopolitical uncertainties in insurers’ internal models. In a similar vein, the EU’s proposal for a revised Solvency II would require insurers to consider macroeconomic and financial market developments in their ORSA.

However, there remains little by way of detailed supervisory guidance on what actions regulators and supervisors expect firms to take, let alone what “good” looks like. While banking supervisors in particular have set out a number of requirements that cover geopolitical risks (the PRA has, for example, included geopolitical risks in the ICAAP section its rulebook under business risk), and have conducted thematic reviews of certain elements of geopolitical risk management (as with the ECB’s recent review of how firms capture novel risks in modelling), there are not yet comprehensive guidelines or expectations on geopolitical risk management for FS firms to align with and benchmark themselves against.

Current FS firm capabilities
 

As demonstrated by the BoE survey, FS firms find it difficult to manage geopolitical risks. In general, it is clear that these risks are less well embedded in FS firms’ risk management frameworks than they are in sectors (such as oil and gas) with more experience of grappling with the relevant issues.

In the absence of supervisory guidance around managing geopolitical risks, and given the speed with which complex geopolitical risks have emerged after a long period of relative calm, many FS firms have understandably had to develop their own, idiosyncratic approaches in short order. This has inevitably resulted in variability in approaches across FS, and in some cases the following shortcomings: 

• Many firms, at least until recently, will not have had teams formally dedicated to geopolitical risk. Government affairs functions have historically had a significant (and in some cases monopoly) role in geopolitical risk, which has often been conceived in terms of political intelligence, relationships and reputational issues. While the first and second lines of defence have become increasingly involved as the risk has grown in prominence, there is still often a need for more permanent management structures.
• Political issues have often been considered by firms at the individual country level as political risk or sovereign risk, or as drivers of other narrow risk types such as terrorism or cyber risk, with geopolitical risks which manifest outside the bounds of national politics or these specific risk categories falling through the cracks. 
• Firms have started to incorporate geopolitical risk into at least some aspects of financial and non-financial risk management, including through techniques such as scenario analysis and stress testing. Yet practices vary. Outside of leading firms, geopolitical risk management is commonly treated as an “ad-hoc” exercise undertaken in the context of specific material investment decisions rather than an ongoing risk discipline, and in some cases appears more as a form of “box ticking” without any lasting impact.
  
  

Putting the right capabilities in place
 

What good looks like for an individual firm will inevitably depend on the nature of its business, and its exposure to geopolitical risks.

For those firms whose practices are currently more rudimentary or “ad-hoc”, progressing to a more sophisticated and routine integration of geopolitical risk into day-to-day risk management and strategic decision-making requires comprehensive integration of geopolitical risks into all stages of the risk management cycle, from risk identification, through to risk measurement, mitigation and monitoring. 

Comprehensive integration requires several substantive but broad capabilities:

Monitoring and data collection capabilities

Firms should be able to demonstrate that they have identified the relevant channels through which geopolitical risks could affect their business – starting at least with an expert-led “heatmapping” approach (categorising relevant risks according to their likelihood and severity). The most relevant channels will vary depending on the firm and its portfolio composition, geographical footprint and the availability of risk mitigants such as hedging, insurance or reinsurance. Relevant channels will likely include, among others, energy and commodity prices, consumer and business confidence, financial market volatility, trade and supply chain disruptions and disruption to critical infrastructure.

Firms need to be able to monitor risks on a continuous basis – prioritising metrics relevant to the risks deemed most material by the firm. Some metrics will be ones that FS firms track as a matter of course – such as energy and commodity prices, measures of financial market volatility, or the sensitivity of counterparties or portfolios to changes in energy prices. Other indicators – such as demographic shifts, or measures of social or regional inequality, changes in military spending or active personnel – may be less commonly tracked.

Firms should also consider supplementing quantitative data with more qualitative inputs – such as news monitoring, consideration of publicly available news-based aggregate measures of geopolitical risk such as the Geopolitical Risk Index, or specialist political intelligence. 

Incorporation into financial/non-financial risk management processes

Comprehensively managing geopolitical risk will, as with any risk, entail incorporating the risk holistically into the firm’s risk management and internal controls, with management of geopolitical risk embedded in policies, processes and controls across all relevant functions and business units, and clear definition and assignment of responsibilities across the three lines of defence.

Scenario analysis and stress testing will be key risk management tools, including for setting the risk appetite, and should be used systematically and continuously. Supervisors will expect firms to develop capabilities that are proportionate to the size of their exposure. Supervisory feedback on firms’ climate scenario analysis can provide useful guiding principles for firms as they develop their capabilities: scenarios should be tailored to the firm’s business and appropriately test the firm’s specific vulnerabilities. They should generate decision-useful outputs – for example, projecting the impact on KPIs and KRIs – with appropriate documentation of adjustments and assumptions, use of proxies and limitations in data.

In addition to running standalone scenario exercises, firms should consider whether material geopolitical risks are appropriately captured in existing regulatory stress testing and reverse stress testing processes (through firms’ ICAAPs and ORSAs) and, for banks, IFRS9 modelling. Supervisors will be prepared to accept that firms will use expert judgement and model overlays – yet, as set out by the ECB in its 2022 thematic review of best practices for capturing novel risks in models, supervisors will expect those overlays and in-model adjustments to be evidence-based, avoiding “umbrella overlays” that do not capture the differentiated impact between different borrower groups or portfolios.

Recent supervisory exercises to assess the impact of geopolitical risks (such as the Bank of England’s SWES, the recently launched EIOPA stress test or the EBA’s 2023 EU-wide stress test) can provide a useful framework for firms to follow in their scenario design, and be used as a “sense check”, including for firms that were not in scope of the exercises.

Evaluation of the output of those processes and inclusion in firm decision-making

The ultimate goal of conducting geopolitical risk analysis should be to empower firms’ leadership to make decisions that mitigate risks and take advantage of opportunities. This is arguably the most difficult step for FS firms – even if firms can satisfy themselves that they have conducted robust analysis, converting that analysis into effective action is easier said than done. In many cases firms may need to rely on “blunt instruments” (such as exposure limits) where a lack of historical data makes geopolitical risk more difficult to quantify and price accurately.

Supervisors expect firms’ risk appetites to cover all material risks, and geopolitical risks are no exception. The outputs of the scenario analysis, stress testing and reverse stress testing that firms do should be used to define trigger points for management actions, as well as related early warning indicators and thresholds. Where firms include geopolitical risk metrics in their risk appetite, supervisors will expect to see that those metrics (as well as the associated trigger points and escalation procedures) have been subject to the appropriate internal governance processes – including challenge and approval by the Board.

Governance and operating models

Who “owns” geopolitical risk is ultimately a question for each firm, as is the question of whether to set up a dedicated geopolitical risk function. In practice, in many firms there will be a variety of plausible options, and effective geopolitical risk management will cut across the responsibilities of multiple SMFs and across the three lines of defence.

Yet while there is no “one-size fits all” governance model for geopolitical risks, our view is that, at a minimum, effective geopolitical risk management requires development of more permanent management structures and processes for cross-functional input, involving at least the risk, strategy, government affairs and corporate affairs functions. As the materiality of the risk grows, the risk function needs to be able to challenge first line teams effectively on whether geopolitical risks have been appropriately considered.

Firms will also need to identify how their systems and technology needs will change over time as they seek to upscale their capabilities. This could include development or procurement of horizon scanning tools, news aggregators, external political expertise, as well as new models and upgrades to existing models.

Having sufficient capabilities to operationalise management actions and contingency plans.

In addition to being able to anticipate geopolitical risks, FS firms will need to ensure that they are prepared to manage geopolitical risks when they crystalise or escalate. Having a pre-defined crisis response process will help FS firms to get on the front foot and act quickly to safeguard their resilience and reputation, and to ensure that relevant response capabilities such as cyber defences, external relations, political relations or public communications are adequately prepared and resourced.

FS supervisors are already asking firms to run crisis simulation exercises that focus on the crystallisation of material geopolitical risks, and we expect to become expected practice for cross-border firms. The objective of crisis simulation exercises should be to develop contingency plans and mitigation strategies, and to designate concrete management actions and responsibilities. Firms may be able to leverage existing expertise developed in response to regulatory expectations around recovery planning, liquidity contingency planning or cyber and operational resilience testing.
 

Conclusion
 

Managing geopolitical risks is undoubtedly a daunting task for FS firms, and managing the risks effectively is easier said than done. But as the risk grows in prominence, the need for FS firms to take a structured and comprehensive approach to managing the risk grows in tandem.

FS firms can leverage recent experience in mobilising to manage other emerging or growing risks (such as cyber or climate-related risks). Much like for those risks, developing or enhancing certain key capabilities will help make FS firms more resilient. Firms that begin to gather the right data, clearly define responsibilities and integrate geopolitical risks into established financial and non-financial risk management processes will be best placed to navigate an increasingly uncertain geopolitical climate.