We operate in a fog of friction. Decision-making is often taught as a clean exercise in logic, based on a decision tree of probabilities and outcomes. The reality is uncertainty.
In the trenches, we wonder whether our jobs will be replaced by AI. In the upper echelons of our organization, the environment is even more opaque, driven by heightened internal idiosyncratic risks and external systemic risks. We operate in a persistent fog.
In the past, that fog was primarily economic or competitive. Today it is thick with the friction of domestic chaos and a fragmenting global order.
As risk professionals, we have long distinguished between systemic risks, or market-wide shocks, and idiosyncratic risks, or firm-specific potential failures. However, that distinction is dissolving. We are entering an era where the primary root cause of an organization’s internal idiosyncratic failures – be they operational, financial, or strategic – is the external tectonic shifting of national security and geopolitical rivalry.
To manage the firm today is to acknowledge that the borderless world was a temporary anomaly. Adaptation is no longer optional; it is the price of entry for the next decade of enterprise survival.
The Risk Taxonomy of a New Era
A consistent risk taxonomy is the DNA of risk management. It provides the vocabulary for the enterprise to speak to itself. But if your taxonomy still treats geopolitical risk as a distant category, separate from operational or IT security risks, you are failing to see the common root causes.
Brenda Boultwood
External national security risks have become the primary drivers of firm-specific risks. A state actor targeting a specific semiconductor node or weaponizing a financial messaging system is not just a macro event. It manifests as an idiosyncratic supply-chain failure in your Tier 3 supplier hardware, or a liquidity crisis in your European subsidiary.
The ERM Framework must now be updated. A risk object, the specific asset or process at risk and subject to risk assessment, can no longer be viewed in isolation. A server farm in Southeast Asia or a talent hub in Eastern Europe is no longer just a technical or HR asset. It is a geopolitical pawn. If your risk objects do not reflect the reality of state-sponsored disruption, your enterprise risk framework is a house built on sand.
The Breakdown of Commercial Peace
For 30 years, corporate strategy was anchored in the commercial peace theory, the idea that economic interdependence makes conflict too costly to pursue. We believed that a world tethered by fiber-optic cables and container ships was one in which rational actors would always choose profit over pride through a reliance on mutualized defense that largely deterred non-kinetic economic disruption.
We were wrong.
The peace dividend has been spent. From the autocratic aspirations of leaders seeking to redraw maps to the chaotic, populist policies that have fractured long-standing alliances, the global commons is being fenced off. Identifying these shifts requires looking beyond the quarterly earnings call. It requires understanding that China’s pursuit of independent supply chains is not a mere trade move. It is a wholesale erosion of Western industrial dominance in our most strategic sectors of telecom, chips, and pharma.
This shift fundamentally changes how we view the knowns and unknowns. Risk is what we can quantify, while uncertainty is what we must navigate. Geopolitics has moved from the realm of calculable risk, based on known probabilities and likely outcomes, into radical uncertainty. You cannot put a precise Value at Risk on the end of an almost 80-year treaty commitment, but you can certainly build an organization that is resilient to its collapse.
The CRO as the Strategic Link
If the enterprise is to survive this transition, the role of the CRO must evolve. In the aggregation and reporting of critical risks, the CRO’s job is to be the connective tissue. They must link external geopolitical national-security risks directly to internal operational and strategic risks.
This means moving away from short-term profit maximization. For decades, efficiency was the siren call. We outsourced to the lowest bidder, regardless of the flag flying over the factory. But in today’s environment, globally sourced often means politically compromised.
We must shift our assumptions. The best global talent may no longer be able to live and work in domestic production sites due to visa wars or security clearances. This is an idiosyncratic risk to your innovation pipeline, triggered by a geopolitical root cause.
Paradoxes of the Geopolitically Adaptable Firm
As we navigate this landscape, firms face three fundamental paradoxes that challenge traditional ERM logic:
1. The Efficiency-Resilience Paradox. The more efficient and lean internal processes are, the more susceptible they become to external geopolitical shocks. Our ERM risk treatments force decision-making on the trade-offs between avoidance and mitigation. In a geopolitical world, the mitigation treatment for supply-chain risk is often redundancy, which is, by definition, inefficient. The paradox is that in order to save the firm, you must intentionally make it less efficient by traditional short-term metrics.
2. The Talent-Security Paradox. Innovation requires the best minds on the planet, yet national security requires the exclusion of certain minds based on geography. As the U.S. and China decouple, the firm’s internal idiosyncratic risk of brain drain or inability to innovate is a direct result of external border policies. You need the talent to stay competitive, but the state may forbid hiring it.
3. The Sovereignty Paradox. The global corporation was supposed to be stateless, loyal only to shareholders. Today, the state is reasserting its dominance. Firms are being pressured to act as instruments of national policy – whether through sanctions compliance or reshoring. The paradox is that the more global you try to remain, the more homeless and vulnerable you become to both sides of many bilateral conflicts.
Mobilizing the Connected Enterprise
To address these paradoxes, the CEO cannot act alone. Risk intelligence must be democratized across the organization. The CRO, General Counsel, head of logistics, and Chief Technology Officer must form a unified sensor array.
Risk appetite is not just about what you are willing to lose, but what you must protect. In the current climate, your risk appetite for geopolitical exposure must be recalibrated. Are you willing to bet your entire pharmaceutical line on a single source in a contested region? If not, then your strategic objectives must shift toward domestic production and friend-shoring, even if it hurts the bottom line in the short term.
Adaptation or Extinction
The transition from a world governed by commercial peace to one governed by geopolitical friction is the defining challenge of our era. It requires a fundamental update of our risk taxonomies and a courageous re-evaluation of the scope of enterprise risk management and the tools of risk analysis and, more often, uncertainty analysis.
Decision-making in this environment is not about finding a safe harbor; there are no safe harbors. It is about choosing a course that allows for maximum maneuverability. Adaptation means acknowledging that your internal idiosyncratic risks (talent shortages, IT vulnerabilities and capital constraints) are ripples caused by the underwater turbulence of global statecraft.
We must stop treating geopolitics as an extraordinary event. It is now the ordinary environment. The organizations that will thrive are those that stop mourning the death of the old global order and start building the fortress enterprise, resilient, strategically aligned, and clear-eyed about the flags that fly over their supply chains. The fog isn't lifting; it's time we learn to navigate through it.
Brenda Boultwood is the Distinguished Visiting Professor, Admiral Crowe Chair, in the Economics Department at the United States Naval Academy. The views expressed in this article are her own and should not be attributed to the United States Naval Academy or the U.S. Department of Defense.
She is the former Director of the Office of Risk Management at the International Monetary Fund. She has previously served as a board member at both the Committee of Chief Risk Officers (CCRO) and GARP, and is also the former senior vice president and chief risk officer at Constellation Energy. She held a variety of business, risk management, and compliance roles at JPMorgan Chase and Bank One.