Team meeting around a computer to analyze data

The crisis in Ukraine is having a major impact on companies with suppliers, distributors, customers and employees in Ukraine, Russia and Belarus. Some of the ramifications are obvious, while others are taking place "behind the scenes," so to speak. In either case, business leaders need a proactive strategy to protect their business that includes:

  • Revisiting their enterprise risk assessment plan
  • Refocusing on their supply chains
  • Rehearsing their crisis management, business continuity and disaster recovery plans

Risk assessment plan

Companies need to revisit their enterprise-wide risk assessment plan, with a focus on geopolitical risks and the barriers and hurdles created by the crisis event. For example, if you don’t “know your customer,” it's something that you need to think about because of the sanctions placed by the U.S. Treasury Department on various Russian oligarchs and political and national security leaders. Federal regulators will have zero tolerance for sanction violations, so there's no excuse for not knowing them. Review the sanctions and see how they line up with the risks you have identified, how they may directly or indirectly impact your supply chain, and how they will affect your ability to do business.

Because of the increased threats of cybercrimes, businesses should review their cyber insurance policies, to know exactly what the conditions are and what the policies cover.

Also, be aware of fraud risk, specifically related to money laundering and bribery. In the wake of sanctions, entities in Russia, Ukraine and Belarus will get more creative about financing transactions, including the use of cryptocurrency. When the status quo changes (whether it’s moving to a remote work environment, in the case of COVID-19, or a shift to unique ways of financing transactions, in the case of the crisis in Ukraine) companies may override internal controls or ignore policies and procedures. Business leaders have to monitor internal controls on an ongoing basis to gauge whether they are designed appropriately to deter and prevent fraudulent behavior.

In the event of a future investigation, regulators likely will ask questions such as:

  • Is your compliance program well designed?
  • Is it effectively implemented?
  • Does it actually work in practice?

Supply chain

A geopolitical risk like the war in Ukraine will create barriers, obstacles and hurdles to the movement of goods. Businesses must take a deep look into their ecosystem and determine how well they know the answers to these questions:

  • What do they make?
  • What do they grow?
  • What do they move?
  • What do they consume?

The footprint and the movement of goods is going to change, and businesses need to take a “now, next, later” approach to protect their supply chain. While businesses may want to move faster to make decisions that affect their enterprise, moving faster may not be feasible.

Additionally, supply chain visibility is more essential than ever. A business may know where its main components are sourced, but they need visibility throughout the supply chain, down to the last subcomponent. If a part is manufactured in a plant located in an area affected by war, a business may have to source from another location or risk an interruption to their production lines. In addition, businesses need to be aware of how supplies move through the system. For example, if products or supplies are shipped by boat, how may dockworkers in a port be affected if the port is located in a country affected by sanctions or military activity?

From an export control standpoint, businesses also need to be aware of the importance of end user certificates (EUC), which would limit the transfer or re-export of products that may have an alternative use in a military operation. It is the responsibility of the seller/exporter in the U.S. to obtain the EUC from the buyer/importer in the foreign country.

Increased transparency – not just on the movement of goods but country of origin – is critically important, as well. Understanding the current state of your supply chain allows you to plan for the future state, whether that's moving an enterprise or sourcing goods from a different place or country.

Business continuity and disaster recovery plan

Now is the time to rehearse your crisis management, business continuity and disaster recovery plans. A sound crisis management plan includes:

  • Detailed steps taken to manage a crisis
  • Coordination of your organization’s response to a crisis with the goal of avoiding or minimizing damage to the organization’s profitability, reputation or ability to operate
  • Coordination of communications between management, response teams, emergency teams and media during a crisis.

The business continuity and disaster recovery plans go hand-in-hand and are designed to be resilient and restorative for the organization. These plans include:

  • Detailed steps taken to ensure continuity of mission-critical business operations
  • Defined planning, preparatory and related activities which are intended to ensure that an organization’s critical business functions will continue to operate despite serious incidents or disasters that might otherwise have interrupted them
  • Detailed steps to recover from a disaster and/or crisis

Businesses must ensure that their people, processes and technology are aligned with their overall strategy – both inside and outside the walls of the organization – and especially if they are doing business globally. This alignment, coupled with reviewing your risk assessment plan and rehearsing your crisis management and business continuity plans, will help make your organization more risk-resilient, wherever the risk comes from.

Ryan Holzhueter
Senior Director
Government building pillars with American flag
Next up

SEC 2021 enforcement report – Key highlights