Riskology by Infortal Episode 21: Due Diligence & Geopolitical Risk

Chris Mason:

So welcome, everyone, to the latest episode of Riskology by Infortal. And I'm joined here today with my colleague, as always, Dr. Ian Oxnevad. And today we're planning to cover the world of geopolitics. But really, we thought it would be good to pause and reflect because we've been through about 20 episodes, and so we thought it would be good to talk through some of the issues we've hit before. 

The headlines, of course, are never ending, so there's plenty of new material to cover. But really we want to hone in on something that Ian and I are both passionate about. And that's really looking at how companies can use geopolitical risk intelligence to: 

One, manage their risk and make sure that they don't encounter any issues that are really going to tank the business. But two, how can you use geopolitical risk intelligence to seek out investment opportunities to expand your firm? That's really what it's all about. 

If you set up a program and you've got it really moving forward the way it should, once you're able to start discovering opportunities and expanding your business through the analysis, that's really where you've hit the sweet spot. 

So we thought we'd hit on that today. Ian, welcome aboard. Let's get after it. 

Ian Oxnevad:

Of course. So one of the big questions that we come across frequently is when we come across potential clients and others that read our material, there's this question of what is geopolitical risk intelligence? Because it's kind of the buzzword right now. You look at Bloomberg, you look at Forbes, you look at quotes by big CEOs. Right now, it's kind of all the rage. 

And it's not a rage. That's necessarily a good thing. You have the Houthis blocking off trade in the Red Sea, and you have a drought in the Panama Canal and you have attacks from China, and of course, you have supply chain issues and war in Ukraine and election uncertainty and all these different things. So it can kind of seem overwhelming. And then companies are like, well, that's all really cool, but what does this mean? 

What does this mean for me? Well, it really comes down to saving money and discovering opportunities and cutting liability. 

And how that happens is really, in a nutshell, all that geopolitical risk intelligence is. And all that due diligence is, is screening who you're hiring and what you're investing in before you invest. 

It's that simple. 

Chris Mason:

It's so critical. If you look at the different types of geopolitical risk analysis that are available on the market. And you mentioned it's hitting the headlines in terms of companies, especially banks, seeking out help in this space. It really starts with understanding who's in your proximity because a lot of the risks in this space, if you start thinking about money laundering, foreign corrupt practices act violations. 

To avoid those types of issues, it really comes down to knowing who's in your proximity. And that means both individuals, key individuals, but also companies that you're partnering with or investing into, because the practices that are happening with those companies and the behaviors of those individuals will come back to your company. 

So as you mentioned, it really comes down to conducting the proper level of due diligence of those individuals and companies. 

Once you do that, then you can start looking at longer term operations and assessing things like the security of your assets overseas. But before you get anywhere near any of that stuff, it's really all about vetting who's in your proximity.  

We mentioned that it's hitting the headlines. People are basically saying there's a need to look at this type of stuff. But in your opinion, Ian, do you think that the focus is correct in terms of how companies seem to be approaching the issue? 

Ian Oxnevad:

I think it varies by company, to be honest. I think what you're seeing is a lot of people, when they read OSINT or open source intelligence, they just look at: Well, that means I look at the headlines. No, that's not what it is. It's not reading the news, although reading the news helps, obviously it's necessary, but it's not sufficient to overcome these challenges. 

Good intelligence really comes down to unpacking everybody that you do business with, everybody you invest in, everything you invest in before you do it, and knowing its exposure to all sorts of different risks. So if you're about to invest in, let's say you're getting a new supplier or you're investing in a new facility, or even if it's portfolio investment purely on paper. Are you investing in an industry that's under regulatory attack? A lot of companies, they don't really have good practices. They may have very competent people, but they don't have good practices in terms of assessing all these different risks and integrating them into their investment decisions. 

Chris Mason:

So in thinking of what we've read recently in the headlines, and I think it's a good moment to plug the fact that we were recently featured in Bloomberg Law, which they've put on a great series of articles that cover a lot of different angles in terms of how General Counsel and their teams and companies are really having to unpack these issues. But one of the challenges really at the outset is understanding who should own these issues and who should own this analysis. And it really can look a few different ways. 

There's certain companies that have established a resilience officer or a team that focuses on this stuff. And again, because it's sort of an emerging industry, there's a lot of different ways to tackle this. 

And there's no sort of one size fits all that's available for companies. But there are a few key fundamentals that I think are important to highlight. And these are areas that we focus on in terms of advising our clients how to perform this type of work, but also in conducting some of the analysis ourselves. And really what you need is, as we mentioned before, you need some of that upfront due diligence for key decisions. And when we say key decisions, we mean key hiring events, key investments, or something like moving your supply chain from Southeast Asia into South America. Those are all key events that require a specific level of deep dive due diligence, extremely important. So that needs to be part of your program. 

Once you have your operations up and going, honestly, even before you make some of those decisions, you want to have an ongoing flow of analysis that's going on to really understand how geopolitical risk events may impact your company. Maybe that's on a five year horizon, maybe it's immediate impacts. But what you want is an ability to pull in and synthesize information that can then be provided to the right parties. 

And so I started by mentioning that this can look a lot of different ways. The key is making sure that the right information gets in front of the right people. And so what you need to do is basically have an escalation point. So if you've got a resilience officer, geopolitical risk officer, they need an outlet to provide this information to senior level leadership who can then incorporate this into the decision making. Ian, I think maybe it would be helpful if we walk through a scenario. 

 Something that you've looked at heavily the past couple of years, really is with what's going on and the breakdown in relations in China. But let's talk through maybe a scenario where someone is looking to nearshore or reshore, maybe to the IMEC or into, you know, how do you approach that from a geopolitical risk standpoint? 

Ian Oxnevad:

Right. So if your supply chains were exposed to China in any major way and you're looking to derisk from China, what does that look like? Well, in terms of your organization, the first thing you should look at is. You talked about this before. Who is that? Is it your geopolitical risk officer? Is it your general counsel? Is it someone in your executive team? Who is that? They spot this risk. 

They see that maybe China is starting to sanction companies in your industry, or maybe they're raiding offices of western companies. Or maybe it's just the reabsorption of Hong Kong into mainland China. You see these as warning indicators even though your company is not affected. So you want to minimize your risk. Then you decide to look overseas. 

Maybe it's manufacturing, maybe it's some sort of technological development you're concerned about IP, that's going to guide your needs, are going to guide where you reshore and you're shore. So if most of your customers are in Europe, for example, and you want to pull out of China, you're probably going to be looking at someplace in India or the Middle east, depending on what you're looking at. India's done a lot to try to open up its manufacturing sector, to try to suck off some of these companies that are fleeing China. And there have been investment incentives there. 

So that looks great on paper. Well, let's get a little closer. You have to look at the specific laws and regulations pertaining to your industry. You have to look at legal requirements, upfront investment costs, tax incentives, et cetera, and then also just kind of basic rule of law issues. If you're looking at manufacturing, what's the labor relations like?  Are you talking about a country where maybe it's heavy labor centric and maybe it's kind of left leaning? What are the power of labor unions? Is corruption an issue? Is corruption going to add significantly to your upfront manufacturing costs? 

Chris Mason:

What about the fact that that can all change quickly? How do you factor that in? 

Because let's say there's a major election or even a regional election that can completely change the dynamics. How do you account for that? 

Ian Oxnevad:

So that's where that geopolitical risk officer or General Counsel who's doubling as a geopolitical risk officer is going to have to do ongoing monitoring. There's really no way around it. 

And there's all sorts of different warning indicators that you can spot. So you have to pick constantly be able to pick up indicators of how your operating environment is treating your industry and your company. Your competitors, are they getting shaken down by law enforcement in a specific locale?  Is there a political party that wants to overtly tax, increase the tax burden on foreign direct investment? You're not from this country. Let's say this was happening in India or Mexico? Is the ruling party doing this or is the opposition party doing this? And if it's the opposition party, what is the likelihood of that opposition party taking power? 

That's where you start to look at sort of political indicators and there's polling data that comes in. There's focus groups you can do to get more granular data. What about the specific politicians involved? What about liability from war or supply chains? If you derisk from China and you put your manufacturing plant in India, but you're still running off of raw materials that are owned by China, you're not really derisking. 

So those are all things that your point person in your organization, whether it's your legal counsel or Japanese companies, are doing this increasingly where they're actually hiring geopolitical risk officers to assess these things. It's an active job. It's not a passive one. It's not just before you invest, you have to do it before you invest, you have to do due diligence and intelligence and screening, but it's also just ongoing monitoring to make sure you protect what you already have, not just screening before you invest. 

Chris Mason:

Yeah. That's really interesting in terms of the wide ranging scope that really can come into play when you start looking at geopolitical risk, particularly surrounding big decisions. And I mentioned it before, but I think it's really important to make sure that whatever group or whatever person you have that's focused on this, you don't want them to be stuck on geopolitical risk island. You need to make sure, and I'll say it again and again, that there's an off ramp for key information. Otherwise it's not going to help the organization. 

And I've heard from colleagues that that's happened in different places where they really put some funding, put some assets behind this type of work, but it didn't really work out because there was no way to utilize the information. 

So the key is, as you set up these programs in house, you need to make sure that you set up the policies and procedures that creates that off-ramp for the information, but also gives it the backing of senior leadership. 

In an ideal world, these are the types of issues that should be considered at the board level. And I think for the larger companies, particularly banks, you're starting to see that. But really there should be a line item on the at least quarterly meetings for the board level to look at these types of issues and make sure that the business plan that's in place, the compliance programs, cybersecurity programs, you name it, all of the above. 

You need to be testing those against the geopolitical risk environment that's out there.  

Ian, one of the things that I think is really telling by what we've seen lately in terms of the government's approach is the fact that we keep seeing geopolitical risk mentioned in agendas, mentioned in strategic plans for the federal government. Do you think it's starting to have an impact in terms of getting people's focus? 

Ian Oxnevad:

I still think there's a learning curve that a lot of companies, especially in the US, that they're trying to climb that learning curve in terms of how do you address this? I think companies in Europe and Asia do a much better job of this because it's more familiar. But I do see it starting to percolate into American boardrooms. And I mean, it's a process, right? 

So you have to know your risk profile. 

How do you build that? You look at your competitors in your operating environment. You look at any pertinent activist groups or enemies or allies in your specific environment. Are you in an industry that has a lot of antagonism between management and labor? Depending on your company, that may or may not be the case. 

If you're a German company, that's probably not your problem. Your problem is probably more regulatory than in terms of being a labor relations issue. 

Is it inflation? Is it an inflationary issue? Is it a supply chain issue? So you have to identify your most likely threats that are facing your business and most likely challenges. And then you just sort of monitor those. You look at regulations, you watch your competitors because your competitors are proxies for things that can be going on. You can monitor, if you're an oil company, you can monitor environmental groups, and what are they saying? Is your company specifically being mentioned? 

For example, if you're an EV maker or in high tech, what are the certain cyber attacks that are coming out against your industry? Are these coming from China? So you kind of get advanced warnings and then you can start to beef up or derisk, you can beef up your defenses or learn to derisk from these different things as they start to emerge. So you can hopefully get out of the way or minimize your exposure before they happen. 

Chris Mason:

Yeah, I think it's so important that you have that ongoing monitoring, as you mentioned. But as we've noted recently, and we recently published an article with Corporate Compliance Insights on disinformation as that grows this year, both through the election cycles that are happening all throughout the world. 

But now that bad actors are able to essentially, from their own homes, target companies. How can you actually deal with all of that noise, or discern the misinformation and disinformation from what's actually relevant? That's a big part of really understanding where you stand. 

What do you think about approaching that in the current environment? 

Ian Oxnevad:

I think disinformation and misinformation is a newer challenge because the knee jerk reaction of many companies is to go to your cybersecurity people. But misinformation is not really a cyber attack. It's an attack designed to elicit human behavioral responses. It's not just trying to access your data, necessarily. It's more about trying to get your company to respond a certain way. 

For example, hypothetical scenario, you have a publicly traded company. You have a concerted cyber attack that crashes the stock value. The attacker could then buy up your stock at a discount. 

Chris Mason:

Yeah, right. And we saw that happen even this last year. Yeah. 

Ian Oxnevad:

There was a company in Hong Kong that they were talking to their CFO and CEO, or at least they thought they were, and they moved, like, $25 million to all these different accounts around the world. That CEO and that COO were not real. Right. Deep fake. So you need to put in new procedures because this is not a cyber attack. 

Chris Mason:

No, I think that's really important here. Of course, the cyber elements are there for the investigation process that will ensue once there is an attack. The cyber side of things is really important. 

But something that stood out as we were conducting research for that article is the fact that there's a huge  PR element and a huge reputational risk element here, because it's really about the information, not necessarily stealing assets directly from your company, but impacting your company's reputation in the market from a public relations standpoint, so that they can either  extort that company or find a way to target a section of the market to basically exploit. And so a big part of how you solve that is coming up with a game plan at the ready for your team to respond. 

And again, it can look a lot of different ways. It depends on the size and the scale of your organization.  Similar to how we described the geopolitical risk analysis earlier, you should have a designated group or individual that's there if there is an attack or a situation. 

Ian Oxnevad:

I mean, depending on the type of attack you're looking at from disinformation, it could just be having best practices, where if you're looking at executive meetings and you don't want to be deep faked out of sending money or information, maybe you have those meetings in person. Maybe you have checks where you do actual phone calls beforehand to make sure that your CEO on the screen actually picks up when you call that kind of thing. It could just be best practices. If it's a piece of information that's static, maybe you just have to verify alibis of certain types, or verify that that's happened. Or maybe you're concerned proactively. 

Have your competitors been attacked this way? If your competitors have been attacked this way, the odds are you're probably going to be, too. So then you need to start to beef up your monitoring of potential disinformation before it actually hits the mass media or mass market or social media so that you can get ahead of it, because then it's about who tells the story best and first. 

Chris Mason:

Yeah, and definitely an issue that I think will be front of mind this year. As we've mentioned in the past, the World Economic Forum engagements in Davos really placed this as number one on the list of concerns across all of the different stakeholders. And that still seems to be the case. 

Something else that we've hit on, and again, I mentioned it earlier over at Bloomberg Law. We put together an article that really looked at the fact that there's so much going on in the financial crime space, both in terms of innovation on the criminal side, but also regulation by countries around the world. 

And that's another one that I think will be really complicated for companies, particularly financial institutions, to tackle this year because the game has changed. 

Once you have world conflict, we've got the Ukraine conflict, of course, we've got Hamas and everything that's going on in Gaza and emerging conflicts in Asia, of course, all of these things have a massive impact on the flow of trade and how trade is funded around the world. So I think that is going to fall right behind disinformation, misinformation for me. Interested to hear your thoughts there, Ian. 

Ian Oxnevad:

I think a lot of the crime and the threats that you're looking at, they're all driven by this, whether it's regulation to try to beef up industrial capacity or maybe it's cyberattacks and data, critical infrastructure, the conflict is the cutting edge of all the risks, whether it's violence, open violence, or not. Think about all the different groups that are involved. Think about the narrative wars that are going on. Think about the incentives to steal data or economic espionage. Think about the criminal organizations that are working to try to circumvent sanctions for Russian oligarchs or for Iran, et cetera. 

All these different things are at play. And unfortunately, it's a geopolitical world. We're just doing business in it. 

Chris Mason:

Yeah. And it creates more of a burden for both. We mentioned financial institutions, but all companies now need to really examine their client base, examine their customers to make sure that there's no risk exposure. 

Just a couple of days ago, the US issued a ton of sanctions aimed at Russia in response to the recent killing of Navalny. And so again, that increases the burden for companies and it also increases the pressure on financial criminal networks to innovate new ways to try and get around those sanctions. 

I don't think it'll stop anytime soon. I think the sanctions of Asia will continue to grow in different ways and the West, in terms of major powers, have sort of coalesced behind the sanctions regimes. But a lot of it is untested at this scale in terms of can it truly contain some of the underlying risks that are there? We'll see. 

I think we've definitely elevated that focus or that approach to financial warfare even more. 

Ian Oxnevad:

Oh, yeah. No, I mean, all economics is warfare, especially at this level. And the private sector doesn't really figure out that it's in the middle of it until it's too late, unfortunately. But if you're forewarned that you're in the middle of this, you can implement best practices to safeguard your investments, cut liability risks, cut legal risks, and ultimately protect your executive board and your shareholders. 

Chris Mason:

Yeah, totally agree. And so we've covered a lot of the problems of the world, or a lot of the problems around the world, a lot of the compliance headaches. But let's try and think of what are some of the positives that we're seeing on the horizon. 

I think for me, if you really think about the economic conditions here in the US, we've done relatively well considering how bad it could have gotten last year, and there's a ton of dry powder on the sidelines. So for me, it's really hoping that that stability can continue to allow some more investment to flow. 

What are your thoughts on overall economic conditions? 

Ian Oxnevad:

I think it's too early to tell.  I think there's a growing optimism that things will stabilize. I think inflation is a big issue. I think it's even bigger than people realize because all these pressures add inflationary cost. I'm not sure, I'm not necessarily doom and gloom. 

I'm just not overtly rosy about it. 

Chris Mason:

Yeah, well, there is no crystal ball, as the markets have shown. 

Ian Oxnevad:

No, but I mean, the thing to keep in mind is I think when we're looking at geopolitical risk. Ukraine will have to be rebuilt. Russia is going to have to be rebuilt. 

Chris Mason:

Long term economic. Yeah, I see what you mean there. 

Ian Oxnevad:

Long term opportunities. You think about the Middle east as nasty as the Middle east looks right now. You can kind of look at the war in Gaza as the last gasp of the old mean. The Middle east as a region is looking to move on from these conflicts. You can't divorce Hamas from Iran. 

Iran, the Iranian regime is not in a healthy situation and it could democratize any time. And if that happens, you're looking at a massive economic boom. You're looking at more energy production, you're looking at a massive new market. And really that's sort of the big piece of that region falling into a peace and prosperity sort of phase. And that can happen very quickly. 

Chris Mason:

You're right. That's what I was about to say. It can happen very quickly. 

And thinking of the Middle East, a development that really happened just a couple of days ago. And something we discussed in our article is the fact that overnight a lot of the sanctions evasion activity and the financing started to show up in the United Arab Emirates, in Dubai particularly, and FATF put them on the gray list. 

They made a huge push to really improve controls, to really elevate the market to where it needs to be in terms of the amount of economic activity. I was excited to see that the FATF members actually pulled them off of the gray list just the other day. So that's great to see that they recognized the problem, they stepped in, put the right measures in place, and undoubtedly there will be a lot of monitoring going on. But again, it shows you how quickly both a problem can arise, but also how quickly solutions can be implemented. And that's the same for companies. 

If you think about some of these heavy duty issues that we've talked about, once you break it down into simple steps, and if you think about the compliance model of setting up a team to monitor risks and have an outlet through your procedures to discuss the information at the right levels, get it in front of the right stakeholders, you can tackle these big picture issues in a very quick and methodical. I think, you know, that for me was probably the biggest highlight this past week. 

Ian Oxnevad:

Yeah, absolutely. I mean, there's a lot of stuff on the horizon. You can look at the macro stuff like the IMEC kind of keeping the Middle East as a theme. If Iran democratizes tomorrow, which could happen, how are you positioned to enter into that? Because this is a whole new world that's sort of unfolding. 

The world of the 90’s is gone. The world of the post 911 era is gone. But I think we're even beyond that. I think we're in kind of a fluctuating period. But that doesn't mean there's not opportunity. 

Chris Mason:

Yeah. Particularly when you see what's going on with developing technology, AI spaces blowing up. And I think right now there's a bigger world competition in that space than a lot of people realize. To become the hub of where that's going on the horizon is the quantum computing, which will take everything to another level. Six G networks. There's another one. 

All of that, though, creates opportunities in ways that we haven't seen before. So there's a lot of positive sort of developments just underneath the surface. It's a case of, can we keep the world moving forward in an even keeled manner? And so I think 2024 is going to be a big year to really see if that's the case. 

Ian Oxnevad:

Absolutely. 

Chris Mason:

I think that's a good place to pause here. We covered a lot of ground. Thanks, everyone, for joining us for another episode of Riskology by Infortal.