Series 7 Episode 2: Navigating geopolitical risk – a new era for financial services

In this episode, host Tessa Norman is joined by Derek Leatherdale, Senior Geopolitical Risk Adviser at Sibylline, and Sean Withington, Senior Manager in PwC’s Geopolitics team, to explore the rising prominence of geopolitical risk for the financial services sector.

Our expert guests unpack the complex and fast-moving nature of today’s geopolitical landscape, highlighting how this risk is increasingly shaping strategic, operational and regulatory priorities for firms. We delve into the evolving regulatory expectations and implications for firms’ operational resilience, cross-border capital flows, and risk and compliance structures.

Our guests also share practical actions firms can take to enhance their geopolitical risk management – from scenario planning and integrated testing to organisational structures – and reflect on how the sector can draw lessons from more mature industries. As firms look to the future, we discuss the steps leaders can take to build resilience and readiness in an era where geopolitics is a core risk consideration.


Transcript

Tessa Norman: Hi everyone, and welcome to our latest episode of Risk & Regulation Rundown, the podcast where we discuss risk and regulatory hot topics and what they mean for financial services firms. In today's episode, we're going to be talking about geopolitical risk, so talking about how and why this is becoming an increasingly important issue to financial services firms, to the regulators and to the wider stakeholders. We'll be discussing how geopolitical risks are evolving, and talking about the strategic and operational implications of that, and we'll also be focusing on what are the practical steps that firms can take to enhance their approach to managing geopolitical risk, and the benefits that that can bring. To help us navigate all of that, and to share their expert insights, I'm delighted to be joined by Derek Leatherdale, who's the Senior Geopolitical Risk Advisor at Sibylline, and Sean Withington, who's a Senior Manager in PwC's Geopolitics Team. Welcome to the podcast. Derek, geopolitics feels like it's an area of risk management that's risen up the agenda over the past couple of years, clearly driven by various world events. Do you want to kick off our discussion today by first sharing a bit of context, how that geopolitical landscape has changed or is still changing, and perhaps bring to life some of the ways in which these types of risks can really manifest for financial services firms?

Derek Leatherdale: Definitely. Thanks very much indeed for having me on to speak today, Tessa, and just by way of trying to explain that changing context, if you like, by reference to my personal experience, as a way of bringing it to life, I joined HSBC in 2007 and ended up setting up the group's geopolitical risk function. As we discussed before, at the time it was the first in a G-SIB context as far as we were aware, but at that stage I don't think geopolitical risk was, as it were, a thing as people say. There were previous generations I think of bankers at that stage who tended to identify, almost silo geopolitical risk with reference to their own experience, so an older generation of bankers who remembered the 1970s, and therefore viewed geopolitics and geopolitical risk as primarily basically wars in the Middle East, higher oil price, impact on the global economy, tracked through to banking impacts. Then, there's a subsequent generation of bankers, probably from the early '80s onwards who viewed geopolitical risk as primarily manifesting through sovereign default risk, and that was because there was just a period of sovereign defaults or periods of fiscal stress in higher sovereign risk markets over the '80s and into the early '90s. So for them, it became basically if you said, 'Geopolitical risk,' they automatically equated it with sovereign risk, and you kind of see shades of that still reflected in US supervisory handbooks and rule books, where essentially the commentary in those rule books where it touched on political risk is about US financial institutions taking on too much credit risk in their overseas legal entities.

That was the next step in the process and then fast-forward to the 2000s when I got into the financial sector from government, and as I say, geopolitics wasn't really a thing to the extent that there was this thing called political risk, particularly for HSBC but other globalising banks as well. It was mostly a feature of emerging markets, where you would typically say, 'Well, if we've got political risk in our portfolio, it probably tracks into those emerging, those frontier markets where we're starting to expand.' Then bring it forward two more steps, it sounds a bit like the five stages of grief, but bring it forward to the next step, during the 2010 period, I think then the banking community, when they were thinking about geopolitical risk, would think it was either primarily a sanctions implementation issue or a cyber risk issue, that started coming onto the radar, but again very heavily siloed. It was like, 'Okay, it's sanctions, so that's a compliance team responsibility,' or 'It's cyber, right, so we'll leave cyber to deal with it.' Bring it forward to now, just by way of rounding out that context and how things are changing, clearly in the very much more volatile global political context that really has been manifesting for several years now, you can see that geopolitical risk is almost much more hydra-headed as a series of risk impacts on banks and financial institutions more generally. It can affect strategy, business model, market footprint, financial performance, and operational resilience. There's also something in there about reputation and reputational considerations, particularly as external stakeholders, not least governments and increasingly regulators, and maybe we'll touch on this later, but governments are taking a more assertive or interested view in where and how particularly larger financial institutions are doing business around the world. There are reputational issues which I think flow from that. 
If I could have one final point, you know, we set up the geopolitical risk function in, what was it, 2008 or 2009? I think at the time, a lot of people said, 'Why do we need that?' Then, things started to happen, the eurozone debt crisis, the US debt ceiling started becoming a feature, this was all post financial crisis, the Arab Spring. Again, you're looking at a regional series of issues rather than an isolated domestic case of political unrest. Then, Brexit of course. In the background, issues around Crimea in Eastern Europe. We talked about this before, Sean, but for me, geopolitical risk isn't a thing that's suddenly popped up in the last two years, I think you can trace it back a fair bit further.

Tessa: It was really fascinating, thanks so much for setting out that context. Sean, how does that align with what you see among the clients that you work with? How are they developing their approaches to managing geopolitical risk in light of that context that Derek set out?

Sean Withington: Thank you so much for having me, it's a pleasure to be here. In terms of how they're approaching it and how we also advocate for approaching it, Derek can, I'm sure, talk a little bit about the maturity of a lot of institutions already, but basically a lot of it is when it's successful, it is driven from the centre. Fundamentally, you need someone who is an advocate for this right at the top who can drive a lot of this, because, and I think this is especially true of financial institutions, but what you'll find is a lot of the required factors for dealing with geopolitical risk, you're already doing as an organization. It may be that your currency traders are looking at the geopolitical drivers of what is going to drive currency swaps, and what's going to drive interest rates, and the value of different currencies. You look at your cyber team, there are mandates around managing cyber risk, and even look at your reputation management team, who are looking at things like ESG requirements. That is to say that you have these different functions going on already in your organisation. It's about how you leverage that, and the best organisations, not to necessarily plug Derek's former employee, but they deal with that very well.

Then, once you have that kind of capability in place, then you can take it to the next level to operationalise that and ingrain it into the organisation so you can do things like crisis exercising, where it's semi about developing a plan and to a degree about being able to understand and expect the unexpected. It's also about having the muscle memory and flexibility to deal with that and know who has responsibilities where. You can do the same with scenario planning as well, so you can identify, once you know exactly where your risk exposures are across all the different elements of the business, how those geopolitical drivers are going to impact the business. In a nutshell that's, I think the best practice that's employed, and we're seeing that I think more and more.

Tessa: How do financial services compare to some of the other sectors in the economy? Is it a relatively mature approach?

Derek: Happy just to build off what Sean said by way of an answer to that. I think siloisation, particularly in larger financial institutions, is definitely an impediment to enterprise-wide geopolitical risk management of the kind that any regulator would expect, and enterprise-wide approach to any other field of risk management. Geopolitics requires that, and in spades, because it is this, kind of hydra-headed, it manifests with so many different dimensions. I think one capability gap that firms in general, and probably financial institutions still need to plug is around their ability to understand, to interpret and to project forward those geopolitical issues, trends, developments in the external world that may affect them in future. I was just going to say, on the back of your comment, Sean, if you go into a risk function in even a large financial institution and you speak to the CRO, and the CRO will say, 'Well, look, we've got accountants, economists, statisticians, modelers, credit risk, technical experts and market risk experts, stress-testing gurus,' and a bunch of other by and large quantitative disciplines and expertise in those disciplines besides. You then ask, 'Oh, well, that's great, but where's your geopolitical expertise?' I think that perhaps if you were having this conversation five or more years ago, a CRO might legitimately say, 'Well, I don't really need that. You know, that's not really part of the core skill set that we need in a risk function.'

I think that's starting to change, that on the external macro risk picture, to some extent risk functions have tooled themselves up with macroeconomic capability, increasingly recognise that there's a geopolitical analytical deficit in the bench of skills within the function. Just on that point, Tessa, about, how does the financial sector compare? I'd make two broad points. Probably the industry sector that people point most frequently to is the sector that has got the best capability on political risk, is oil and gas, and you can understand why that is. They've for decades been operating in some very difficult markets. They sink huge amounts of CapEx into oil fields or gas fields upfront, and where the payback, the ROI time cycle is very lengthy, measured in decades, and so you can understand why they pay a lot of attention to political risk. I think in the financial sector, that hasn't been the case to the same extent, and they are therefore somewhat behind. It's a different business model. You don't necessarily, if you're going into a new market, you don't need to sink in hundreds of billions, you know, upfront to get a project going, it can be a much lower upfront CapEx requirement. Probably the other advantage the financial sector in general has, is that it's generally got quite mature risk management capabilities and resources, and there's a reason for that, it's because regulators have demanded that for a long time now. I think the challenge for the financial sector is not so much, 'Do we need to spin up swathes of new risk management capability to deal with the impacts of geopolitical risk on our business and our institution?' It's much more, 'We've got the tools,' if you like the risk management tools and capabilities, 'But we need to optimise them against this more complex external environment.' 
I sometimes liken that to saying, 'By and large, certainly in the G-SIB, the systemically important layer of the financial sector, they've got most of the instruments in the orchestra that they need, but what they probably lack is a conductor.' I think that can be quite a helpful way of thinking about where the financial sector is on this agenda.

Sean: I would just build on that as well, if you don't mind. You know, financial services, they're very good at certain elements of this already as we've discussed. But a lot of that is in the sense of either value protection or making money. They're good at making money out of volatility, but it's I think about broadening all of this into thinking in terms of your operational resilience, and as Derek mentioned, strategic positioning as well. Really, I'm not quite sure, and Derek might be able to comment on this, but I'm not quite sure the degree to which the financial services industry in its entirety really thinks of itself as critical national infrastructure, and that's obviously domestically, it makes up about 12% of GDP I think, but it's also internationally. It's at the core, it's at the centre, of a lot of global trading. I think 90% of euro clearing still goes through London, so it is this big central node that needs to be considered as well, so those are I think interesting ways and methods to be thinking about this, so outside of just the pure financials that they're used to thinking about it.

Tessa: Yes. I think those links to other elements such as operational resilience are interesting, and that brings to mind the kind of direction that regulation and regulators are going to. It's clearly been an area that the regulators have looked at, that point around third-party dependencies. I know that the regulators are increasingly referencing and making reference to geopolitical risk. Are those regulatory expectations around geopolitical risk and how firms manage those, are they changing, and do firms have clarity on what the expectations are from regulators, and how they meet?

Derek: Yes and no, if I could summarise the answer that way. Clearly, for any regulator it is a sensitive thing to speak in public about geopolitical risk, because they are apolitical bodies and they regulate firms who operate in many different markets, generally speaking including markets that if I could put it like this, sit across geopolitical fault lines. It's not an easy path for regulators, or indeed firms themselves, to navigate when they've got that kind of global market footprint, or at least international market footprint. It's probably worth saying as well, I think regulators, as Sean was saying, have started to clock individual aspects of the risk picture, so that idea that something like the failure of resilience in one financial institution, because of their third-party outsourcing arrangements, might create a kind of concentration risk that then spreads through the rest of the financial system. That idea has been around for a good number of years now, and you can see that tracking through to recent op-res regulation of the kind the team PwC will be very, very familiar with. There is a kind of geopolitical backdrop to that that's not always been explicit, but to some extent has been implicit. I think that it is starting to change, to go back to your question, in very neutral terms from regulators.

For instance, the chair of the ECB's supervisory committee said in testimony to the European Parliament, I think it was autumn last year, that they were minded to put geopolitical risk as one of their top three supervisory priorities for 2025 and '26. You can start to see, for instance in the PRA rulebook here in the UK, there's already a requirement for firms to account for geopolitical factors in their ICAAP process, and that's explicit there in the rulebook. That does beg the question I think, and this goes to the second layer of your question, do regulators know what to look for, and do firms know what to do? I think we're still in the foothills of this debate on both of those fronts. I don't think regulators have yet a fully-formed view of what good geopolitical risk management looks like. I mean, there are some straws in the wind, if you like. The Dutch central bank put out an interesting paper on this late last year, with I thought some good ideas, probably what I would regard as maybe a 60% or 70% solution. On the firm side, no, I still think there's a bit of a lack of clarity about best practices, what good looks like, and perhaps more importantly, how you get from where they are now to a better state of risk management. So, very much for me, both on the regulatory and on the risk management practice side, the best case would be to say it's a work in progress, and we're probably at the beginning of that sort of cycle.

Tessa: Yes. It would be helpful for our listeners to hear both your reflections on that piece around, I appreciate it's still evolving, but what does good look like, and what are some of the enhancements that firms could make to their approaches? I know you both touched on it, but Sean what would you highlight in that regard?

Sean: The number one thing in my mind is those channels of communication being open. As we mentioned already about how you have these different functions going on around your business, really the question is, how do you bring all of that together? How do you have somebody who is, as the Americans would say, quarterbacking that, to be coordinating it all and making sure the correct information is channelling upwards for the decision-makers to be acting upon. I think there are different easy wins that you can really reach to. The kind of industry bodies that you're part of, any vendors that you use, suppliers, all these different relationships that you already have, that aren't even necessarily in your organisation, you can use those as open-source channels as well. Like, they're a source of information I think for you to be leveraging. Exploiting that I think is probably in everybody's interests, and that then feeds into a level of understanding that isn't necessarily going to be wholly available on the open source. It's not to say that any of it's secret or any of it's proprietary, but it's about using those resources successfully. Derek probably can expand a little bit more there.

Derek: Yes. We touched a few minutes ago on the idea of a risk function, where is the geopolitics capability? Should risk functions have this now? In a way that ten years ago, you would have been not quite laughed out of court but regarded as a faintly eccentric idea. I think part of the skills gap here, to pick up on Sean's point, is that to know where to look, to understand the risk trajectory of key geopolitical issues is almost a skill in itself. Most CROs, I would venture, don't have that, because it's just not been part of their background, their professional training or hinterland. To give you a very concrete example, I remember asking a number of CROs at a panel-type discussion, I asked straw poll, I asked them how many of them maintained ongoing relationships with regulators, and they all put their hand up, as you would expect, because obviously it's a core part of their external relationship network. They had more or less all said that geopolitical risk was something they were very concerned by beforehand anyway. I then asked, you know, 'How many of you are in UK-headquartered institutions?' Most of the hands went up, and I then asked a third question along the lines of, 'Okay, so how many of you maintain, or have someone maintain on your behalf, relationships with say relevant desks in the Foreign Office in a UK context?' Not one of them put their hand up, because again, I think there's a sense of, 'This just isn't the world that we've ever needed to inhabit.' As a CRO, if you want to be influencing the internal discussion around geopolitical risk approaches, then knowing where to turn for that kind of insight, and by the way that's not just official channels, there are plenty of specialist consultancies, independent experts, think tanks and a range of other sources.

What it's probably not though is, 'Ah, I read on the front page of the Wall Street Journal or the Financial Times the following morning, and therefore we now need to do X, Y and Z.' It needs to be a bit more systematic than that. I think that's certainly part of it, and then building on Sean's point as well, particularly in financial institutions, there will be lots of silos where people are absorbing risk information with a political dimension. Credit risk team, country risk teams are the obvious example, and where for instance they're probably nourishing and feeding their country risk models, which are quantitative generally, with quant metrics from ratings agencies by and large. Quite often there will be a political risk dimension to those risk measurements. They'll be cracking on with that, and then maybe the cyber team are drawing on political risk information. There may well be in the compliance team an internal due diligence team that will be looking at things like political exposures as they're onboarding client counterparties that may have PEP exposures or that kind of thing. There's probably a network of teams within an organisation, and bringing that together is definitely part of that art. Just for what it's worth, and for listeners, that doesn't mean that, certainly in my experience, particularly within an organisation like HSBC, that you end up acting as a kind of internal thought police, telling everyone what to think. But it does mean that you try and bring together as best you can a collective view of the risk environment, around which all relevant parts of decision-making and the first line, and risk management at the second line, can coalesce and operate from. Effectively, it's the equivalent of an enterprise-wide risk assessment of the kind that would be standard in any other field of risk management. Those would be a couple of other points I'd build on.

Tessa: Brilliant, thank you both. Yes, that's some helpful reflections there I think for listeners and firms to take away in terms of current state and how they can enhance their approaches. We're coming towards the end of our discussion, and as we wrap up, I wanted to get your reflections on looking a bit further ahead as well. I appreciate that's particularly challenging when we're talking about geopolitical bits, but do you have any reflections on things that organisations need to think about in order to try and future-proof against geopolitical risk? Just thinking back to your phases that you talked us through at the start, Derek, is there another phase that's coming even further ahead that firms should start to be thinking about and preparing for?

Derek: I'd probably make two or three points. One is, it's very easy in a discussion about geopolitical risk to think only of the downside. Also to think of geopolitical risk as this series of every so often very big shocks, like an invasion of a country to name one, or like the invasion of an island off the coast of another, and that really the job of risk management is just to look at those shocks in isolation, and work out what they might mean and deal with that. I think there's a longer-term series of trends at play as the geopolitical environment develops, and that that gives rise I think almost as much to a range of opportunities for financial institutions as it does downside risk. Thinking about the next stage, I would encourage those who are connected with or concerned with geopolitical risk in their organisations to think about a slightly different mindset, of not only just downside risks from individual shocks but longer-term trends and, 'How can we help our organisations navigate towards the opportunities that that may generate?' To give you a concrete example, if you run a trade finance business in your organisation then yes, trade patterns are changing because of geopolitics. It's a complex picture, there are a number of dynamics at play, but that's giving rise to the emergence of new trading patterns, new trading relationships, and a smart trade finance business could position to leverage and support that and make money in the process.

Likewise, if you're running in your organisation a corporate banking book, if you're providing strategic banking services of one kind or another to a range of corporates across industry sectors, they'll be facing individual pockets of risk, because a lot of geopolitical risk is sector-specific, will bear on certain sectors in different ways. Equally, a smart corporate banking business could help them navigate towards opportunity as well, so that's part of it, at least in my view. Then, another part to consider in the external environment is a sense that this is a long-term structural change. Again, it's very easy to think, 'We're going through this abnormal spasm, that somehow we'll revert to the mean, and all will be well again.' I would definitely encourage those connected with this subject in their organisations to think in a longer-term timeframe. The very final point is that it's not just down to CROs and risk teams alone, there's a layer in all of this around the role of the ExCo, a layer in all of this as well about the role of the board, and that's probably a whole other rabbit warren we could go down. Where I see emerging best practice, it involves for instance a risk function, taking on a Head of Geopolitical Risk, with a professional background in the subject, and where they are increasingly interfacing with their board or their board risk committee to help drive if you like, and forge that more interconnected internal approach, and also a more forward-looking and proactive approach.

Tessa: Brilliant, thank you very much, that ties together lots of strands that we've talked about. Sean, what would you add to that?

Sean: I would just pick up very much on the point around this being a long-term trend. We're not going to snap back into the way things were in the year 2000, and there's a lot of evidence to see already how that's beginning to emerge, to give you pointers about things to be concerned about. We're just over a week since we had India and Pakistan at loggerheads with each other. Those are two nuclear-armed states, one of which doesn't have even a formal nuclear use doctrine, and I think that should be a barometer of the kind of concerns now we're thinking about, things that used to be really extreme and a little bit off the reservation to be thinking about. Those now are actual issues to be considering in a sensible, cold, sober way of approaching it. You can apply that to all kinds of different trends as well, that we've sort of started to think are axiomatic about our future. I would look especially to the green transition, and if you're investing in the green transition, particularly if you're SFDR Article 8 compliant, how is this going to impact you if the multilateralism that really underpinned the transition to net zero is no longer there, and what are the consequences going to be for that?

So, if you've got this, like I mentioned, end of multilateralism, but then if the role of the United States is no longer to be holding this system together that we have come to be very accustomed to over the last 60 or 70 years, what does the future of that look like? I think as I said, those clues are starting to emerge already of what those could be, and that could be conflict, it could be across cyber domains, it could be across what's known as the grey zone as well, so issues around hardware that financial services are very reliant on, like your undersea cables that are being cut, and we see that as a recurring theme now. I would be looking at the last two or three years as indicators of what could come in future, but in a more magnified sense.

Derek: Tessa, I'll make just one final, kind of, parallel rather than directly-related point, I think in the, sort of, paradigm ahead, one other thing that financial institutions will increasingly need to be aware of is external stakeholder perspectives and pressure on this, and it links to the, what does the future look like? Because it will be a future of that external environment. We mentioned at the beginning about reputational risk and differing government perceptions of how a financial institution operates across different markets. I think that pressure will become more acute. Sean touched a bit earlier on the concept of critical national infrastructure. Well, what happens if you're part of CNI in the UK, CNI in the US and CNI in China? How do you balance off the competing requirements that they may generate? I'm starting to see as well in annual reports from banks, and 10Ks in the US, statements along the lines of, 'It's becoming increasingly difficult for us to manage what are increasingly divergent government perspectives on our operations, and that's causing greater political risk for us as an organisation.' In parallel with that, I think investors are starting to register this as a risk to value in their portfolios. If they've got a big chunk of equity in a bank, I think they're increasingly talking that geopolitics is potentially a source of risk in the valuation of that element of their portfolio. Again, that's still in the foothills.

Investors are still trying to work out, how do you incorporate geopolitical factors into portfolio measurement, management, and evaluation. You can start to see, sort of, anecdotal evidence of investors saying, 'Hang on a second. You know, bank X or insurer Y, how does your business model square with a world in which there are going to be X number of tariffs on country Y, or extra sanctions on country X or whatever?' I think that's also a feature. I mention both of those external points because yes, a source of reputational risk large financial institutions mostly have these days internal rep risk teams, and they're definitely part of the framework that's needed on this agenda internally, but also because I think it increasingly becomes from a risk management point of view a vector of what CROs need to understand. If they're going to be working on this agenda internally, they need to understand what investors are saying, they need to understand what governments are saying, perhaps more so than they have done before.

Tessa: Brilliant. Thank you both so much for joining us. I think we've covered a lot of ground and there are going to be some helpful takeaways for our clients. It's such a multifaceted and fast-moving agenda, so interesting to have both your thoughts on that. Thank you. To our listeners, I hope you've enjoyed this conversation too and thank you as ever for listening. Please subscribe to future episodes, and please rate and review this series as it helps other listeners to find us. If you'd like to hear more from us on risk and regulation, please look out for our regular publications on our website, which we'll link to in the show notes, and I look forward to speaking with you again in our next episode.
