Thank You!

You are attempting to access subscriber-restricted content.

Are You Ready to Experience Everything Internal Auditor (Ia) Has to Offer?

The Rise of Political Risk​

An uncertain and volatile political landscape has created an opportunity for internal audit to help the organization prepare for the worst.

Comments Views

It hasn’t been a good year for Chinese tech giant Huawei. Last winter, the U.S. asked Canada to arrest the company’s chief financial officer, Meng Wanzhou, on spying charges. By mid-May the U.K. government was embroiled in a fight about whether to allow the firm to be involved in developing the next generation of communications networks. Meanwhile, customers were starting to avoid Huawei’s products after hearing that Google would no longer allow them to update some Android products, citing U.S. sanctions. The impacts are clear for Huawei, but many other firms were left asking what repercussions it could have on their contracts, markets, customers, and business decisions. How would China retaliate? What other businesses could be caught in the crossfire?

This is just one example of the questions that arise when even a small part of a business is caught up in a revolution or exposed to economic crises, coup d’états, interstate trade disputes, economic sanctions, or diplomatic clashes. Such risks ebb and flow with the diplomatic tide; however, as businesses become more dependent on international markets and extended supply chains, they are more exposed to political risks. 

Risk management specialist Marsh, for example, highlighted a period of “unprecedented uncertainty” in its Political Risk Map 2019, citing a rise in geopolitical tensions (namely, Russia against the rest of the world) and protectionist sentiments (namely, the U.S. against the rest of the world). 

Although companies with multinational operations or overseas supply chains have always had to review their exposure to political risks, most U.K.-focused businesses have added the topic to their risk registers only in the past few years. “Up until the election of Donald Trump in the U.S. and the vote for Brexit in the U.K., political risk was always something that companies in other countries had to think about,” says Michael Moore, director general at British Private Equity and Venture Capital Association, former Liberal Democrat Member of Parliament, and the Secretary of State for Scotland who helped prepare for the 2014 Scottish independence referendum. “It never even registered that U.K. companies would need to consider their home country as being politically risky.” 

Worse still, he says, companies have been slow to react. Although Brexit has been a major political and corporate issue for the past three years, Moore says that most U.K. companies have not made any significant preparations for the country leaving the European Union. “Most organizations have still done very little to prepare for Brexit, despite knowing that the worst-case scenario of a ‘no deal’ option is very much on the table,” he says. “It appears that businesses want more certainty about what the outcome is going to be, which rather flies in the face of planning for political risk.” The U.K. has called for a general election on Dec. 12, 2019, and the EU has agreed to extend the Brexit deadline to Jan. 31, 2020. 

Brexit is, of course, just one of many political risks on the global map. Whether organizations are exposed to the fallout from a U.S. trade war with China or increased sanctions on Iran or North Korea, or are more worried about political instability in Venezuela, Russia’s intentions in Ukraine, Chinese military strength in the South China Sea, war in Yemen, or the ever-present threat of terrorism worldwide, none of the current global political risks is likely to disappear soon — organizations need to know they can react rapidly to changing circumstances. Internal auditors should be able to provide assurance on this area and feature political risks in their audit plans.

Rapid Response

Ian Stone, CEO and founder of business advisory company Vuealta, says that he expects political uncertainty to remain one of the biggest challenges facing decision-makers for the next five years. He warns against trying to “predict the future.” Instead, he advises them to focus on being fluid.

“Organizations should be prepared for every scenario — worst, best, and everything in between,” he says. “Successful businesses can then choose their course based on the information they have and use the latest technology to test ‘what-if’ scenarios against those plans to cover all bases.”

He adds that it is possible to react quickly to changing circumstances only if all the parts of the business think the same way and are aware of what they need to do in any given situation. “Planning can be vital in responding to an unpredictable political situation,” he says. “No matter how big the organization, if all departments — from sales and finance to marketing and the supply chain — are not connected, they will never keep pace with rapidly changing and volatile international markets. When one area of the business changes, the effects ripple across the whole company.”

Business continuity is an obvious priority for those already accustomed to operating in a volatile political environment, so internal audit should review continuity plans regularly. Tom Tahany, an intelligence analyst at security firm Blackstone Consultancy, says it is vital to ensure all threats and risks that could interrupt the business’ output are identified, and plans are up to date and effective. “You may need to prioritize the resilience of key functions so that these can continue, while business areas that are less immediately crucial are brought back online when possible,” he says.

Conversely, however, companies with subcontractors or suppliers abroad, but with no direct presence overseas, also need to understand how their supply chains and customers could be affected by events outside of their control. It’s generally wise not to rely too heavily on a small group of suppliers and to ensure they are not all in the same political region or subject to the same political forces. It’s also important to keep monitoring changing circumstances and to think broadly about how political developments in one place could potentially have effects elsewhere.

“You cannot prepare for every possible eventuality and plan a response for every minutia in a crisis,” Tahany says. In some ways this is a good thing. It allows companies a degree of flexibility in planning responses. However, you may need evacuation plans of varying magnitudes and secondary and tertiary options to help staff in different countries in the event of a crisis. It is important that companies are prepared for anything, rather than everything.”

Reliable Sources

A key problem with political risk is that it can be difficult to get reliable, timely, and accurate information, especially if events unfold quickly — for example, in a government coup, revolution, riot, civil unrest, or an invasion. Another problem is how to quantify the impacts of these risks and assess what contingencies need to be taken and when.

If asked to provide assurance about operations in another country or region, internal auditors may find it helpful to talk to employees based there and look at risk indicators provided by global nongovernmental organizations, such as Freedom House, the International Monetary Fund, Transparency International, and the World Bank, whose opinions may provide a base layer for measuring risk. However, Pornprom Karnchanachari, a partner at Thailand-based law firm Legal Advisory Council, warns that some “on the ground” views can be skewed by poor reporting, inaccurate commentary, and information sources that cannot easily be challenged or verified. When Thailand experienced a coup in 2014, social media and news coverage helped to spread misconceptions of the political situation, making it seem extremely risky. However, the on-the-ground situation was quite different, he says. Foreign companies were not affected by the political changes, and business continued as usual under the existing legislation while political stability was restored. So, for example, he says, social media “should be taken with a pinch of salt.”

More reliable sources of information include embassies, which “can offer a basic, but generic, overview,” and local and foreign chambers of commerce, Karnchanachari says. But the best source is foreign companies that have been on the ground for some time, as they will have a government affairs team that can share useful insights.

“It is only by arming the business with various viewpoints and understanding the history, culture, and unique situation in each country that a business can build a robust understanding and approach to political risk exposure,” he says. However, sometimes you need to act swiftly. 

Ben Abbouddi, global threat analyst at travel and health-care risk management firm Healix International, says companies should always consider the worst-case scenario. A risk matrix that places the likelihood of a risk against its impact can help highlight the most significant risks and those that would require the most time and resources to manage. It may also help to eliminate political “red herrings” that attract media attention, but do not have a significant impact. 

Internal audit can play a significant part in evaluating the level of risk and can offer an objective view if there are clashes of opinion. For instance, project managers working in some regions may find themselves at odds with risk managers at the headquarters office. Their perception of local risk may be very different, and their incentives could make them anxious to pursue contracts or business that, correctly or incorrectly, are seen to be high risk.

Level-headed Assurance

Jack Darbyshire, manager at De-Risk, a strategic risk management planning firm, says internal audit teams can assess whether risk managers are being too cautious about particular regions. “Uncertain times can make risk managers focus on risks that will probably never happen,” he says. “Risk management is a negative concept, and many traditional risk management teams think so negatively that they end up worrying about extremely unlikely scenarios. This may make project managers reluctant to share communication with the team.”

This is another reason why accurate, timely, and trustworthy information is vital. Organizations could lose far more than they gain by failing to do profitable business, implementing emergency plans unnecessarily, and removing staff or closing operations, only to find that the crisis blows over. Internal auditors should assess the quality and quantity of information available to management while it makes such difficult decisions. Internal auditors also could consider whether there are other sources of assurance available.

Look for Opportunity

A political crisis may also bring opportunities. Paul McIntosh, CEO of Bridgehead Agency, points out that it is equally important that organizations consider potential advantages associated with volatility. “Companies need to look for the advantages that a change in political circumstances might afford, and not just think about the risks,” he says.

Brexit is a case in point. “No matter what kind of deal — if any — the U.K. gets, the E.U. and the U.K. are likely to remain major markets, and companies want to continue to do business in both,” McIntosh says. “If there is more paperwork in the future, it will add to costs, but this is usually not as difficult or as expensive as some think. Whichever way you look at it, Brexit will create opportunities — possibly not as many as staying in a single market — but companies need to explore these and exploit them.” 

A version of this article first appeared in the July/August 2019 issue of Audit & Risk, the magazine of the Chartered Institute of Internal Auditors. Adapted with permission.

Neil Hodge
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Author



Neil HodgeNeil Hodge<p>​Neil Hodge is a freelance journalist based in Nottingham, U.K.</p>


Comment on this article

comments powered by Disqus
  • AuditBoard-February-2021-Premium-1
  • GAM-February-2021-Premium-2
  • ACGI-February-2021-Premium-3



Thanks, We Already Know That, We Already Know That
Six Data Privacy Predictions for 2020 Data Privacy Predictions for 2020
Public Servants Are Vital to Defeating COVID-19 Servants Are Vital to Defeating COVID-19
Are We Ready to Move Beyond COVID-19 Risks? We Ready to Move Beyond COVID-19 Risks?