Co-authored by John Lindsay*
Businesses today face a broader range of risks than ever before. Ongoing geopolitical crises, such as the Russia-Ukraine conflict, along with the adoption of advanced technologies like AI, have created numerous new challenges for companies seeking to operate securely and effectively.
In response to these challenges, there has been an increasing discussion about the necessity of a senior risk management role that can assist firms in understanding the full range of threats they encounter and how to navigate them. Such a role is referred to by various names, typically variations of Chief Geopolitical Officer or Geopolitical Risk Officer (GRO). Although a focus on geopolitics is important, current definitions of the GRO role lack an emphasis on the need for technical fluency and the ability to unite both technical and non-technical stakeholders.
In this article, we explore why business leaders need to change how they think about risk and we propose a more nuanced definition of the GRO. Crucially, we expand our focus beyond the risk management aspects of the role to highlight how it can also create business opportunities.
How has the Global Risk Landscape Evolved?
Companies still face well-known risks associated with operating internationally. Geopolitical tensions and kinetic conflicts can impact both physical security and supply chain stability, as well as overall economic stability. Evolving and often contradictory regulatory environments can create compliance challenges across different jurisdictions. Operating on the home turf of potentially hostile nation-states can increase insider risk, as employees may choose or be compelled to misuse their privileged access to appropriate and exfiltrate sensitive information from the organization. There are also risks that remain agnostic of jurisdiction, such as cyber threats, whether perpetrated by criminals, state-backed actors, or even hacktivists.
However, the variety and intricacy of digital risks have increased dramatically. Greater reliance on cloud storage and software as a service (SaaS) has complicated the management of digital supply chains. It is harder than ever to determine the actual location of your data and, as a result, whether you comply with the data localization laws in the regions where you operate. Additionally, you no longer have full control over digital security. You rely on your partners to ensure the confidentiality, integrity, and availability of the information you share with them. This issue is well illustrated by the widespread impact on customers of Amazon Web Services during its major outage in October.
The normalization of indiscriminately deployed cyber-attacks as part of hybrid warfare has left businesses at heightened risk of suffering collateral damage, even if they don’t have a presence near a conflict zone. Furthermore, global economic uncertainty has led to an increase in the extent of cyber espionage conducted by governments to understand the motivations and intentions of major corporations.
The threat posed by sophisticated online disinformation campaigns has also continued to grow. Governments are not the only entities waging such campaigns; criminals and activists are increasingly involved as well.
Alongside the many potential benefits it brings, AI is also changing the risk landscape. The eagerness to integrate AI into the workplace increases the likelihood that sensitive corporate data will be deliberately or accidentally ingested by public AI models. It is also possible for a cyber attacker to poison the training data of an AI model, thereby manipulating or degrading its behavior. Additionally, advances in generative AI have enabled the creation of increasingly convincing deepfakes—digitally manipulated images, audio, or video—that allow cyber attackers to deceive victims by posing as members of their organizations or as hacktivists issuing inflammatory statements that seem to come from a business leader.
Against the backdrop of these challenges, the complexity of the current geopolitical climate makes it easier than ever to find oneself on the wrong side of a social, environmental, or political issue, thus becoming a target for hostile governments or activists. Knowing what the most pressing issues are and how your stance—if any—is likely to be perceived is essential.
The Need for a Technically Fluent Geopolitical Risk Officer
IIn light of the various risks, businesses must adopt a coordinated approach to manage them effectively. However, implementing this coordinated approach is more challenging than it seems. Responsibility for managing risks often lies with multiple departments, including IT, corporate security, and legal and compliance. Currently, beyond the risk register and infrequent meetings of risk committees, there is no structured method for these groups to regularly convene and discuss risk. Enter the Geopolitical Risk Officer.
In summary, the GRO acts as a visionary. They ensure that the business is tracking the appropriate risks and has the necessary information to manage them effectively. The GRO discerns and follows risk trends. The GRO immerses themselves in a company’s strategy to understand where future risks are likely to originate and what forms they might take. The GRO reports their findings to the C-Suite, making sure to factor risk into all strategic decisions.
The GRO is also a convener. They bring together risk owners to ensure that risks spanning multiple business functions, such as insider threats, are managed appropriately and that those responsible are aware of relevant developments in the threat landscape. They also examine how challenges encountered by one part of the business may affect other areas.
The GRO ensures that effective intelligence collection occurs, enabling the business to detect and mitigate risks. This process involves not only collecting threat intelligence but also providing advance notice of impending social, political, or economic developments that could impact a company.
The GRO tracks best practices and failings among peers and competitors to learn from mistakes made by others. They should be intimately involved in the business’s scenario planning exercises to ensure that it is testing itself against the latest and most relevant risk scenarios.
The GRO is a role that requires someone well versed in liaison and diplomacy. The incumbent must build and maintain effective relationships with a variety of stakeholders, both internal and external, including risk owners, supply chain managers, members of the C-suite, strategic partners, and government regulators.
Most importantly, the GRO must possess a high level of technical fluency. They cannot operate effectively with only a superficial understanding of topics like cyber security, internet-accelerated disinformation campaigns, deepfakes, AI, and quantum computing. They have to be able to engage with both technical and non-technical stakeholders. This applies to the GRO role in all businesses but is especially relevant for those in tech sectors such as AI, cloud computing, and the data center industry.
A Worthwhile Investment
Considering the job description above, it is clear why finding suitable candidates for the GRO role is challenging. The required combination of skills is most commonly found in former national security professionals and career strategic advisers, especially those who have experience working in the tech sector. Unsurprisingly, there is a high demand for these specialists.
It might be tempting to outsource certain aspects of the GRO role, but this outsourcing is rarely effective. GROs need to know everything about a business, both good and bad, and sharing your innermost secrets with an external party is rarely a good idea. Furthermore, only an individual who is fully immersed in the business and understands its history, culture, and strategy can truly grasp the range of risks that the business is likely to encounter.
If you can find the right candidate, the benefits of having a GRO extend well beyond just risk management. The role is also about identifying upside. MMany of the issues tracked by the GRO present opportunities; for example, they include the ability to operate safely in regions where other businesses cannot, as well as the potential to become a thought leader by demonstrating risk management best practices and enhancing your organization’s reputation among peers, competitors, and external stakeholders.
* John Lindsay is a senior adviser with an extensive track record of working inside major global corporates and investors, helping C-suites and boards to navigate digital and geopolitical risks and opportunities.
John previously worked in various public affairs and diplomatic roles in the UK government, including as a cyber security adviser to the UK Ministry of Defence and for the UK Foreign, Commonwealth & Development Office, where he focused on Afghan politics.
John specializes in facilitating dialogue between technical and non-technical audiences. He has undergraduate and postgraduate degrees from the University of Cambridge, where he studied Politics and International Relations. He also holds several advanced cybersecurity qualifications.
