The elevation of geopolitical risks has historically been a mere checklist item in the IT risk management protocols of organizations. However, with increasing global tensions—from trade wars to the ongoing Russia-Ukraine and Israel-Palestine conflicts—theoretical risk frameworks are now being put to the test in practice.
No existing risk management strategy or business continuity plan could have adequately prepared Nayara Energy, an oil refinery supported by Russia’s Rosneft, for Microsoft’s abrupt suspension of cloud services due to EU sanctions against Russia. While this case might be an outlier, it nonetheless serves as a vital warning.
This incident underscores for CIOs that even the most reliable technology partners can transform into liabilities during surges in global conflict. Vendor partnerships are now defined not just by technology and financial considerations but by the complexities of navigating a shifting global political landscape, prompting CIOs to reevaluate their vendor risk management strategies.
In India, corporations must shift strategically towards incorporating geopolitical risks into their broader enterprise risk management strategies, particularly in vendor risk management.
“Evaluating vendor risk can no longer be limited to a technical or procurement viewpoint. Geopolitical factors need to be central in organizations’ decisions regarding their digital infrastructures,” states Harnath Babu, Partner & CIO at KPMG India.
Luke Ellery, VP Analyst at Gartner, notes that global uncertainty is at unprecedented levels, with sanctions, tariffs, and trade restrictions affecting nearly every region. These risks will increasingly impact how CIOs evaluate vendors, draft contracts, and conduct audits.
Vendor Assessment
By incorporating geopolitical risks into vendor assessments proactively, CIOs can better shield their organizations against unforeseen disruptions and ensure business continuity in an increasingly unstable global context.
The assessment must encompass critical factors concerning the geopolitical exposure of technology partners. Rajesh Uppal, strategic advisor and board member at Maruti Suzuki, suggests that new vendor onboarding processes should involve thorough due diligence regarding sanctions and ownership structures.
Vendor risks related to geographic presence in high-risk areas, political climate, susceptibility to sanctions, and dependencies on other potentially high-risk third parties should be key aspects of the vendor evaluation scorecard. This also covers hidden dangers. For instance, a company might seem to operate solely within a single jurisdiction while having a parent company or significant investors affected by regulations from another country.
Beyond scrutinizing vendors and their parent companies for sanctions, Babu also recommends working alongside legal, policy, risk, and procurement teams to share responsibility for vendor onboarding and risk analysis.
Sethi emphasizes the importance of collaboration with other business functions, as they possess the expertise necessary to comprehensively understand the potential geopolitical risks and their ramifications.
Dynamic and Continuous Monitoring
To successfully embed sanctions and compliance awareness into vendor risk assessments, ongoing monitoring and audits are essential. This necessitates moving away from traditional audits and annual assessments, which often struggle to keep pace with rapidly changing geopolitical circumstances.
“CIOs need to adopt a dynamic, ongoing risk monitoring strategy. Leveraging tools like sanctions lists and political risk indices can yield valuable real-time insights into emerging dangers,” asserts Archit Rajesh, Sr. VP, Head of Technology & Marketing at FirstMeridian Business Services.
CIOs also bear the responsibility of staying updated on changing global regulations. Sethi advises utilizing threat intelligence feeds, news monitoring, and specialized risk assessment platforms to receive real-time alerts about possible disruptions, sanctions, or regulatory changes that may affect their key partners, enabling rapid responses in critical situations.
Vendor Diversification
While ongoing monitoring and risk evaluation can help lower disruptions and enhance responsiveness during escalations, vendor diversification enables a proactive strategy to mitigate risks. Avoiding excessive reliance on a single vendor from sensitive regions is essential for operational resilience. This may involve identifying alternative suppliers for crucial services and establishing rapid business transition plans.
Local and alternative vendors in varied jurisdictions capable of stepping in as substitute providers must also be identified for times when risks materialize.
“For essential services, develop a contingency plan in advance. This could involve a different vendor or fostering internal capabilities. If geopolitical risks escalate and threaten your suppliers, proactively engage with your pre-identified backup vendors,” recommends Ellery.
“CIOs must remain vigilant for emerging threats and maintain an open-source backup system in case of unforeseen events and the inevitable breaches of contract or trust that might occur with their current digital infrastructure provider,” adds Rajeev Batra, CIO at Bennett, Coleman & Co. Ltd.
Revisiting Vendor Contracts
The final and crucial element of vendor risk management involves contracts, which must address an expanding risk landscape and align strategically with the realities of fluctuating geopolitical situations, including sanctions.
Ellery urges CIOs to review all IT vendor contracts integral to ongoing business operations. In specific sectors—for example, financial services, critical infrastructure, and healthcare—this review may be a regulatory necessity. This can act as a negotiation tool. In other organizations, prioritizing this at the board level is essential due to its significant implications for business continuity.
When establishing new vendor agreements or revisiting existing ones upon renewal, CIOs must ensure that scenarios and corresponding actions are provisioned for by getting the fundamentals right. According to Babu, well-crafted contracts not only allow for effective cost management but also sustain continuity amid unexpected global shifts.
Negotiating Robust Vendor Contracts
Leading CIOs and technology executives share their insights for structuring stronger vendor contracts tackling data access, suspension conditions, and emergency continuity to cushion against geopolitical risks.
- Common clauses in technology agreements often feature transition assistance or unwind clauses, ensuring service continuity until a transition to another provider can occur for a fee.
- As precise drafting is vital, CIOs should seek legal counsel or consider external legal advice when necessary.
- Enhance new vendor onboarding processes to explicitly include sanctions, ownership structures, as well as ensure the right to audit in all contracts.
- Guarantee redundancy for mission-critical infrastructure and incorporate strong force majeure clauses to include this aspect.
- The data management clause should ensure access to data in usable formats and stipulate provisions for real-time backups.
- Include options to suspend services or immediately terminate agreements if the vendor is sanctioned or loses operational rights in your region. The examples of technology firms facing abrupt service restrictions due to regulatory actions demonstrate this need.
- Insist on complete transparency from the vendor to avoid surprises from compliance shifts on their end.
- Prioritize clauses beyond conventional commercial and confidentiality ones, amending contracts accordingly. For example, CIOs should demand clear assurances and contractual clauses on regulatory compliance alongside immediate notification of changes in compliance status.
- Incorporate a clearly defined and timely exit strategy, covering the transition phase, vendor responsibilities for data migration, and guarantees of data delivery in an open, non-proprietary format.
- A data escrow provision for crucial data and applications should ensure a reliable third party holds a copy for immediate access if the vendor is sanctioned.
- Require prompt notification from the vendor within a prescribed timeframe about any incidents that could result in service suspension, including regulatory investigations, legal actions, sanctions, etc.
- Specify the limited conditions under which the vendor can suspend services to avoid arbitrary disruptions while also detailing the process for service restoration.
- Review indemnification clauses to encompass financial losses, legal costs, and reputational harm stemming from abrupt service interruptions due to geopolitical events.
- A vendor’s failure to maintain compliance or appearing on a sanctions list should trigger a formal assessment or even potential contract termination.
Embedding sanctions and compliance awareness into vendor risk management can predominantly be achieved through contractual terms and potential penalties. However, as Batra highlights, issues at a national level may fall under force majeure and contractual obligations might not be fulfilled. Thus, a multifaceted strategy coupled with the identification of alternative suppliers is crucial.
