In an age of proliferating business risks, multinationals should adopt a comprehensive, joined-up approach to risk mitigation. That means interrogating corporate threats in the round – instead of in isolation – because of their tendency to impact each other, creating unforeseen operational problems and challenges.

Mitigating the possibility of such a domino effect requires companies to not only have a wider understanding of their actual and potential exposure but also a willingness and ability to act quickly to prevent one risk setting off another. 

Where once firms concerned themselves primarily with the security of their staff and physical assets and financial vulnerabilities, they now must address a multiplicity of risks. These range from compliance, brand, reputation, ESG and geopolitical to those associated with less tangible assets, such as data, research, and intellectual property, especially amid the growth of commercial and state-sponsored espionage. 

The widening of risk exposure has in large part been driven by the growing acknowledgement in business circles that international companies are not just vehicles for delivering profit and value for shareholders, but also global citizens with responsibilities beyond the bottom line. 

Influenced increasingly by ethical considerations, investors and consumers want companies to be both conscious of their impact on the environment and society and take steps to avoid negative consequences. This is especially true of the largest among them; many now geopolitical actors, wielding significant economic, social, and political influence in their regions of operation and beyond.

Growing recognition of the expanded number of risks stems from their potential bearing on a company’s share price and competitive position in the market. In the past, these was largely dictated by quarterly results.  Now business analysts will factor in a company’s performance on addressing multiple corporate risks when putting a value on the organisation.

As risks have expanded, so has their connectedness. They cannot be tackled in isolation, as one risk very often sets off others. But with a more strategic approach to risk management, the possibility of such a chain reaction can be anticipated at the outset and dealt with. Below, I set out a few examples of why such an approach is necessary.

A multinational company’s public relations might align with American backing for Israel in the Gaza war in order to enhance its standing in US markets. But as a result of its stance, it might find its brands boycotted in predominantly Muslim Asian countries, deeply concerned over Palestinian civilians caught up in the fighting between the Israeli army and Hamas.  

Prior to the Ukraine war, an international bank may have onboarded prominent, politically-exposed Russian businessmen, calculating that the revenue they generate outweighed the compliance risks. However, there would be a risk of reputational damage if, once the war broke out, the businessmen’s connections with the Kremlin were exposed in media reporting. Moreover, the bank could be subject to financial penalties in the event of its clients being sanctioned. 

And a tech major in India might reluctantly agree to comply with controversial data sovereignty laws to protect its trading position in what is an important emerging market. But in doing so, it may expose itself to political risk. The government could go on to demand access customer data, possibly prompting customers in India to move elsewhere out of privacy concerns.

There is a general recognition of the need to move on from the old ways of assessing risk through risk registers, essentially a spreadsheet-approach to the task. In the past, the risk assessment function’s conclusions were rarely, if at all, something that boards or executive committees were expected to address.  Now the post is accorded more importance and, in most cases, reports directly to senior leadership. Yet its determination of risk often remains rather siloed, and therefore, flawed.

So, while serious risk to data or staff, for example, may now be quickly escalated, not enough thought goes into how one might affect the other and, if it does, what new risks might then arise. If you don’t understand how risks can cascade or snowball, then you can’t put together an effective mitigation strategy. What we are talking about here is the need for a change in mindset. Rather than viewing a threat as a discrete event impacting a specific area of operations, there should be an assessment of its potential to raise red flags elsewhere.

In addition to understanding corporate vulnerabilities and how they interact, the owner of the risk function in a company must also have an acute sense of its risk appetite. Indeed, for some companies, risk tolerance might be the starting point for determining vulnerabilities. What this means in practice is a company, for instance, possibly preferring to let its global reputation slip to protect earnings in a specific market. That’s seemingly what many have opted to do by retaining a presence in Russia, despite international criticism of Russia’s war in Ukraine and growing sanctions risks.  

The process of corporate risk analysis may seem like multivariable calculus, but in fact it is more of an art than a science. It’s about establishing a company-wide risk culture, so staff understand both the risks their respective departments face and how these can affect other parts of the business. 

Their insights and observations provide the baseline information and data on which an organisation’s risk owner draws conclusions about risk exposure and mitigation. The board then weighs them up and decides on a course of action. It should be a seamless process. Some companies have put it in place, but more should consider doing so to best navigate the increasingly complex, interconnected global risk landscape. 

Cvete Koneska is Head of FiscalNote Global Intelligence Advisory services, which helps executives mitigate risk and optimize growth by providing clarity needed to make strategic decisions.