"I was recently tasked with writing a business continuity plan for a manufacturing organisation with critical production facilities close to a conflict zone. This prompted me to write a paper about geopolitical resilience. The organisation’s executive was positioning it for investment and wanted to be seen to be managing that aspect of risk. They recognised the situation, the way investors might regard it and the potential need to resume in a planned, acceptable way if disruption occurred. The focus was strongly on geopolitical risks whilst still planning for conventional natural perils. "
The full paper is as a blog below. If you would like to discuss Geopolitical Continuity Planning with us, please do get in touch.
In the face of growing global instability, manufacturing organisations need to know how to formulate their response options in a robust and workable way, ensuring business continuity.
1. Risk is on the rise
Geopolitical Risk (GPR) fuels business risk through the effects it has on supply chains, trade agreements, availability of labour, currency, competition, acquisitions, market development, infrastructure, investment and more. GPR is characterised by hot-spots, meaning that some regions may be more affected than others; they may be more volatile making the outlook harder to predict. Returns on investment are realised over years and any GPR event can interrupt the payback cycle, incurring significant costs. It makes good sense to develop contingency plans that minimise disruptive effect and resulting impact.
GPR is chaotic and unpredictable. By this we mean that if a metaphoric butterfly flaps its wings in China, the effect may be transmitted, transformed and amplified many times before it reaches us. In most cases, it will lose impetus and peter out. However, occasionally, a seemingly insignificant event will result in conflict, recession or other socio-economic effect whose proportions bear little relation to apparent cause. The key words here are transmitted, transformed and amplified, since on each leg of the journey, conversion is brought about by exposure to the unpredictable global condition.
This means the chances are slim of accurately predicting whether a risk prime mover, such as an inflammatory election rally remark, will ferment unrest, cause socio-political tinder to ignite and spread, resulting in popular backlash, civil disorder and instability, requiring multiple conditions to be satisfied. For example, few - except his supporters - predicted a Trump win. GPR is characterised by uncertainty - and surprise for those who failed to envisage all outcomes.
Having a finger on the GPR pulse is increasingly important, since the rate of transmission and response, and the opportunities for sophisticated technological influence, intervention and manipulation will continue to grow. This means you have less time to detect, understand and respond to events than you had a year ago.
2. Understanding the situation
It’s tempting to generalise expected effects of a geopolitical event on apparently same-situation organisations as ‘minor’ or ‘severe’, and this works in a macro-sense, for example allowing us to judge the effect on a sector or economy. However, take two near-identical organisations each faced with an event such as the UK’s recent Brexit vote. One might thrive and the other fail, simply due to their differing customer sensitivity and supply chain profiles. This implies that continuity planning demands a clear organisation-centric risk model.
However, we still benefit from big picture analysis, using it to focus risk management. For example at the time of writing, we face:
- Increasing cyber-threats against organisations, infrastructure and governments
- Growing regional no-go zones, live conflicts Syria, Ukraine, Yemen, Iraq, North Korea
- discontinuity, Trump election and policy uncertainty
- Political fragmentation, populism, xenophobia, protectionism, NATO at risk
- Rise of political technology (GAFA) opaque, non-democratic, unpredictable, invisible
- Russian austerity and opportunism, Turkey, Syria and Ukraine, with eyes on EU
- China economic expansion and globalisation, Africa
- Middle East Sunni Shia conflict, KSA and Iran, failed states and power vacuums
- ISIS and associated extremist groups and insurgencies, ISIS targets
- Oil price winners and losers
We see a proliferation of inter-linked GPR-contributory conditions, raising the likelihood of one or other being realised. Predicting which will unfold and how, whether, where or when is demonstrably an educated guess. Faced with this, businesses close to an area of growing unrest might envisage needing responses to deal with each variant of each risk. Fortunately, this is not the case. Despite many threat and influence combinations, there are limited outcomes or scenarios and (simplifying) we can reduce the solution to planning for effect and defending against cause.
Geopolitical risks expose organisations to commercial, socio-economic and political side-effects. These reflect the ways we feel resulting pain of disruption, for example:
- Termination of operating license
- Safety and welfare of staff
- Physical loss of access
- Availability and cost of labour, border controls
- Restrictions on trade and movement of goods
- Commodity price volatility
- Supply chain disruption
- Loss of access to markets, loss of demand, influence or funding
These impacts are felt cumulatively via the balance sheet, eroding revenues, curbing growth, damaging brand and reputation. In the wider sense, they also serve to reduce employment, wealth and well-being. They fill the gap between the geopolitical risk profile and organisational KPI.
With plants and suppliers in potentially many countries, the implication for manufacturers is that some factories may be affected by at least some of the risks, to a greater or lesser extent, within a near time-frame. In the worst case, multiple plants in a country or affected region may be forced to close. Such setbacks must be managed collectively against an organisation tolerance-related timeline if production targets are to be met and continuity assured; we can also envisage a handful of lesser scenarios. All drive strategies, forming a foundation for continuity plans.
This is not to say that we should discard the GPR profile. It is inherently valuable and focuses our horizon-scan. Scanning helps us detect, analyse and track new risk situations as they arise, informing senior management and raising alert levels if any appears to converge on our position. This early-warning mechanism promotes risk-awareness and increases the time available to prepare and mobilise appropriate defences, shaping our response.
Given the nature of risk, and that non-GPR risks such as fire, flood and seismic activity can still unexpectedly close or destroy a factory, it makes sense for all plants to have plans that address conventional, technology and geopolitical risks. In the latter, multiple plants may be concurrently affected. In the former, it may be enough to create a suite of standard high-level responses to plant loss, driving more detailed local plans.
4. Creating Plans
Continuity planning is a discipline and a process, constantly reflecting changes in the organisation and environment. When invoked, plans trigger a major change in behaviour, switching in a matter of hours or minutes from business-as-usual to survival mode. They must protect lives and contain damage, and then replace or reconstruct levels of service that may have taken years to evolve. They must do this within days, weeks or months with little room for error.
Planning involves a trade-off between the residual risk associated with unprotected assets and the cost of resilient provision, such as relocation or replication. The balance point is a function of tolerance – the organisation’s willingness and/or capacity to absorb a major impact, irrespective of its low probability of occurrence. The rule is, over-plan and time and money is wasted; under-plan and create uncertainty, exposing the business and potentially breaching governance. It means you need to be clear on what downtime is tolerable and what your recovery capability is.
Recovery requirements can be scoped by envisioning each major scenario the business faces, informed by the GPR and local risk profile. Scenarios provide a basis for review and a testbed for resumption strategies, setting out the big picture response to fundamentally different conditions. Larger organisations may need to maintain collections of strategies covering single and multi-site scenarios, coupled with crisis management plans that support top-level decision-making and communications. Strategies then provide the foundation for all local site plans.
Site continuity plans should be detailed practical documents, ideally embedded within a wider control framework and flexible enough to deal with any locally disruptive incident. The need for practicality stems from the fact that staff on the ground need to act predictably and in concert with senior management, frequently dealing with operational issues. Plans also form the basis for rehearsal, which generates certainty and confidence as lessons are learned in times of relative safety. Constructed, practised and applied appropriately, they can significantly reduce losses due to GPR and other major risks.
5. Points to Consider
Business continuity best practice is enshrined in International Standard ISO 22301 : 2012, however you may wish to reflect the following 10 checkpoints when planning for geopolitical risk:
- Analyse the business, map dependencies and set tolerances
- Scan the horizon and understand the risks you face, where they can bite
- Define detailed realistic scenarios as your basis for validation
- Devise strategies that restore production acceptably from all foreseeable risks
- Defend your technology, define and rehearse cyber-scenarios
- Diversify assets across countries and risk regions, suppliers and supply routes
- Decide what redundant capacity you can afford and maintain it. Replicate key skills
- Involve senior management and get them bought-in. Link your continuity and crisis plans.
- Train your people and rehearse your scenarios regularly
- Buy insurances that complement and reward your continuity capability
Undoubtedly, manufacturers face special challenges associated with geopolitical risks, with the possibility of plants and supply chains becoming non-operational without warning as disruptions spill across borders. Operational agility offers part of the solution, achieved by creating production processes with designed-in resilience and redundancy, allowing capacity to be easily transferred, but often at considerable cost and retaining some inflexibility. Continuity plans and insurance policies provide a flexible layer of compromise, potentially slower to enact but at much reduced cost and more capable of adaptation as the geopolitical risk profile changes. Together, they offer a powerful component of risk management capability.
INONI is a leading provider of business continuity, resilience and risk management solutions. We help our clients manage risk and systematically defend them against major disruption. Since 2004 we have delivered a comprehensive and innovative range of flexible services and expertise for organisations of all sizes and sectors.