Managing Business Risks and Disruptions Stemming from the Ukraine Crisis
17 February 2022, Version 1.0
Executive Insights: Your Risk and How to Manage It
In last week’s note, we updated you on the Ukraine crisis and recommended measures that organizations could consider to manage risk created by the changing conditions. Among the areas we highlighted was managing supply-chain and third-party dependencies. In this installment, we take a deeper look at steps companies can take to understand their critical dependencies and provide further recommendations to help mitigate any related risks.
Despite reports of the Kremlin’s interest in continuing diplomatic talks and certain Russian military forces returning to bases, western intelligence services indicate a continued buildup of Russian troops and equipment around Ukraine’s borders. Meanwhile, earlier reports of a Russian invasion sometime during the week of February 14th have not materialized, perhaps in part due to aggressive declassification of apparent Russian invasion strategies by U.S. and other intelligence services. While it is still possible that Russia will back down, given the substantial Russian forces still amassed around Ukraine, no credible evidence of troops returning to bases, the continued rhetoric from Putin and other senior Russian leaders, and recent artillery activity potential in the far east of Ukraine possibly contributing to a pretext for a state-action to protect separatists, we still believe there is a substantial risk of a Russian invasion of Ukraine.
First and foremost, organizations must recognize the significant potential of massive loss of life and a humanitarian crisis in Ukraine and should focus on the safety of any employees in potentially affected areas. Follow guidance and alerts issued by the relevant national authorities and consult with diplomatic missions as appropriate to ensure you have the most recent guidance and understand any safety and security risks. Help your team members find shelter in Ukraine or immediate transportation out of likely zones of conflict.
Should the Russians further invade Ukraine, western businesses should anticipate a range of immediate as well as more protracted impacts on business operations due to military actions, cyber-attacks, western economic sanctions, and Russian export restrictions in response. Critical supplies and services that were once readily available and markets that were open for business may spike in price or dry up entirely. Supply chain disruptions will likely manifest not only in businesses that operate in the region, but also in disruptions of previously available critical components or services from businesses that source from the region. Sustained supply chain shortages to critical components and products may prompt the U.S. government to use Defense Production Act authorities to mitigate the impacts to the national security mission—reflecting the lack of a more comprehensive U.S. plan for a long-term, large-scale disruption.
Understanding critical suppliers and third parties with exposure to such risks in the region is therefore crucial to business continuity planning. Here is where a framework can be useful to examine your organization’s various dependencies, as well as the types of risk those dependencies create.
How to Consider Dependencies in the Current Crisis
Supply chain risk management is among the most complex practical risk management endeavors. Decision-makers must integrate an understanding of multiple internal and external factors—combining knowledge of internal enterprise operations with insights about the behavior of a broader ecosystem of suppliers, markets, regulators, and governments.
For organizations with a global footprint, the complexity of risk management efforts is often exacerbated in times of geopolitical conflict or crisis. Operating environments can unexpectedly change, new regulations or sanctions can lessen the availability of key resources, technology systems may be under unanticipated stress, and the broader consequences of the crisis (both intended and unintended) can manifest in unexpected ways.
Enterprise risk managers can use the following concepts to organize and understand their organization’s unique needs and challenges as they navigate the evolving Ukraine crisis.
Leaders should adopt a broad view of their enterprise’s dependencies. A dependency is a linkage or connection that, if disrupted, can have a material impact on an enterprise’s ability to operate. Critical dependencies are those where an enterprise’s operational state can either be disrupted or assured based on the availability and quality of that linkage. It can include a traditional view of process inputs and outputs but can also be expanded to consider situational realities driven by geography, regulation, or broader market dynamics.
Enterprise risk managers should consider three types of dependencies to ensure that their risk management approaches are comprehensive:
Critical dependencies can be affected by changes in the availability of materials, physical assets, technology systems, and workforces. The availability of risk management alternatives can be heavily influenced by changing market dynamics rooted in the effects of armed conflict, regional segmentation, sanctions, and trade policies.
In assessing risks stemming from the Ukraine crisis, companies should broadly examine their dependencies on the materials, services, workforces, and market sectors most likely to encounter disruptions—which are likely to manifest themselves as diminished availability, service outages, delivery delays, and price volatility. The figure below illustrates the risks surrounding dependencies in the context of the current Ukraine crisis.
Executive-Level Actions
Business leaders should ensure they understand their organization’s exposure to this crisis across the domains of upstream, internal, and downstream dependencies.
Impact analysis should consider materials, services, workforces, and markets.
Consider secondary supply-chain impacts or the impacts to the supply chain of your own goods and service providers. The following questions should be asked of your critical goods and service providers:
Has your organization considered the potential impacts to your business posed by the Ukraine crisis?
Have you enacted the appropriate contingency plans to reduce the risk of disruption to the goods or services you provide?
Do you expect any disruption to the provision of goods or services to your organization?
Incident response and business continuity plans for workforce operations, as well as for service and supply-chain disruptions in the impacted region, should be reviewed and considered for immediate action.
Alternative suppliers for materials sourced within the impacted region should be identified and engaged.
Service providers operating within the impacted region should be avoided, and alternative providers or in-sourcing should be considered for these services.
Contingency plans should be operationalized for business operations and functions within the region and moved to an area not impacted by the crisis.
Ensure commercial and financial planning cycles consider potential immediate and long-term impacts to markets and sectors with exposure to this crisis.
Financial impacts from this crisis may include variations in pricing of raw materials, goods, and services, as well as revenue reduction from lower regional sales.