Why Firms Need Geopolitical Risk Simulations, Not Just Reports

/

You walk into your office at 7:45 in the morning. It’s a typical Tuesday, and you’re getting ready to call the strategy, policy, legal, and public relations teams together to deal with an ongoing situation in a country that’s blocking access to your service. Unbeknownst to you, President Donald Trump has just tweeted about your company. Your phone starts vibrating. You check the notifications and realize what’s happening. All hell is about to break loose- supporters are praising you, while critics are urging a boycott. You know that a response of some sort is necessary, but this is only your third week on the job. You sit down at your desk and pull out the employee handbook. Unfortunately, there is no section called “When a World Leader Tweets About You.” Now what?

This is an extremely exciting time to be involved in global affairs and international business. But one’s excitement about potential opportunities is another’s paralyzing uncertainty about the potential pitfalls. Political risk, defined as any change in a company’s business and security operating environment, abounds. This is true both in traditionally risky frontier markets and increasingly in developed countries, especially following events like the election of Donald Trump, and the continuing fallout from Brexit. Geopolitical risk is not just a concern for investors, nor does it only manifest in vacillations in the financial markets, as I’ve written about previously. For startups especially, who often fail to realize how political risk can deal a deathblow to operations, it is not always obvious how an engineering team’s action could affect or be affected by geopolitical risk. Most engineers have never taken a course on political risk, or witnessed how a tweak in code or app capability can hamstring another team’s work or be seen as a threat by a government. But rather than exploring the ways that political risk can affect their operations in depth, most companies continue to rely on the vague, quickly outdated, and largely useless reports that traditional risk consultancies provide.

Has a report ever truly changed your mind after you had made it up? Unlikely. There are several reasons for this, some of which I’ve discussed in earlier posts. First, many reports are commissioned after a decision has already been made, to serve as confirmation or to tick a checkbox on a compliance form, and as a result, only the most basic questions are asked. The desire is to be proven right, not ask tough questions that could jeopardize an investment or rollout. Second, reports are usually written by fresh out of grad school analysts who only have a cursory understanding of how the business they are informing actually functions. Consequently they are unlikely to appreciate the complexities of the decision being made or the need to consider and account for the likely second and third order effects. Third, the report is likely to be based largely on only what the analyst can Google from his or her desk under a tight deadline. Not surprisingly, this means the analyst’s — and most importantly — the client’s biases go unchallenged. Finally, the reports are rarely read; executive summaries are skimmed, but rarely with an open mind. It’s the business equivalent of TL;DR. Is it any surprise then that many decisions appear to have been inadequately contemplated?

After seeing this cycle repeat itself for years and across industries, including mining, logistics, higher education, and tech, I’ve come to the conclusion that although the written word is powerful, it is neither adequate for helping clients understand their exposure to political risk, nor useful for empowering them to make decisions, address their vulnerabilities, or seize opportunities, on its own. Once views are deeply entrenched, and confirmation bias and group think take hold, the written word has limited effectiveness in challenging opinions, changing minds, or improving actions. To change a mind requires changing perspective, a task most effectively accomplished by exposing a person to an experience that tests their views and forces them to make decisions under less than ideal conditions. Immersive experiences allow a subject to see what happens when theory, or bias, meets practice. That meeting is often messy, but it’s also frequently the chaos from which the best ideas can emerge. As I like to say, expectations rarely survive first contact with an experience. The level of intricacy that a robust simulation conveys is far higher than would ever be possible in a written report.

You wouldn’t want to be taken to a trauma surgeon who has only read medical texts. And you wouldn’t send a soldier into a critical battle after he has only read a field manual. We require that these professionals practice their craft against the unpredictable — through residencies and war games, respectively — because many emergency surgeries and firefights do not go exactly, or even remotely, as planned. Immersive learning is not just for high intensity professions. Studies have repeatedly shown that people learn just about anything better by doing- practicing procedures, experiencing simulated ethical dilemmas, and acting out decisions. Think about how you learned in school- the teachers did not just hand out a pamphlet on evacuating during a fire or active shooter situation; we all practiced these drills regularly, with different circumstances. It’s the same with businesses and political risk. You can’t just give a handbook to employees and trust that they’ll automatically know how to respond to a stressful situation or make a difficult decision without having ever practiced it.

This is all precisely why I’ve turned my focus towards helping my clients via customized, interactive, immersive simulations. These simulations help the client to diagnose their vulnerabilities (information stove-piping, lack of clear chains of command, unusual circumstances, etc.), anticipate and analyze major decisions, identify shortcomings in processes, and train their staff members in more effective protocols. In these simulations, participants play their own roles, and communicate via their normal channels (whether chat programs, email, texts, or in-person conversations), meaning there are no complicated instructions to learn. These exercises take place at their headquarters, in familiar surroundings, meaning clients get the truest possible view of their own operations under stress. Injects, or pieces of information that drive the plot of the simulation, are customized to look like the real information that employees handle everyday, whether tweets or news articles for the public relations team, or technical readouts for the cyber security teams, designed by subject matter experts who are intimately familiar with the realities such teams face. The situations that clients confront are constructed based on rigorous analysis of crises that the firm has faced in the past, decisions that they’re actually struggling to make, or situations that they repeatedly encounter and want to train their staffs to address more effectively.

I’ve seen participants go from being upset at having to attend such a simulation to actively engaging in the process, and suggesting new practices to help address problems or anticipate challenges, all in the span of 3 hours. I’ve never seen that happen as a result of a report. And that’s why clients are increasingly requesting this service- they see the change in their employees, and they see the tremendous benefits of taking a day to engage in a simulation vs. the expense and lack of utility associated with vague and quickly outdated reports.

While no simulation can predict the future, well-crafted ones can simulate the chaos of a crisis or the pressure of a major decision, allowing you to troubleshoot and develop more effective processes. If you were the executive in the story above, my simulation would’ve addressed the potential for a vocal political figure to bring sudden social media attention to your company. Your team would have been forced to weigh multiple response strategies that address the immediate crisis, while still dealing with more systemic issues, like the government that is blocking your users. Instead of just having pondered it yourself and giving in to your biases, you’d have the opportunity to harness the thoughts and ideas of members of teams across your organization, to understand the situation from the multiple perspectives, and to anticipate the various consequences of the options. You would have had to challenge your biases, and experience how unconfirmed assumptions can exacerbate a crisis. You would have learned how to find or analyze information, verify its authenticity, share it with people who need to be aware, prioritize actions and decisions, and work with other executives to form a cohesive and complementary response. By facing the simulated experience in its full dimension and complexity, you’d be ready to bypass the disorientation of an actual chaotic situation and instead find yourself empowered to make the most of an opportunity.

Milena Rodban is a geopolitical risk consultant and simulation designer based in DC. She can be reached via Twitter (@MilenaRodban) or email (milena@milenarodban.com).

Why Tech Firms Need Geopolitical Risk Consultants

/

A few months ago, I wrote a post that made a splash: Why Rockstars Need Geopolitical Risk Consultants. Since then, a few notable musicians have failed to heed that advice, including Nicki Minaj, who performed in Angola to fierce backlash, and Enrique Iglesias, whose concert in Colombo provoked the Sri Lankan president to suggest that promoters be whipped. While they get their act together, there’s another sector that should consider seeking out the best geopolitical risk consultants who are still on the market: the tech sector.

Unlike traditional consumers of political risk insight such oil & gas or mining firms, technology firms rarely operate out of restive provinces in rural areas, nor do most of them have long supply chains to protect. Many of them, such as Twitter, for example, which doesn’t produce any hardware, and Facebook, are safely based in California, which might be part of the Old Wild West, but is hardly dangerous now. Others, including IBM and Apple, which produce a variety of hardware, are exposed to a variety of political risks, including volatile currency fluctuations, vulnerable supply chains, dependence on the availability of natural resources, the etc. Yet Apple too is based out of California, and therefore feels far removed from the places we think of when we mention “political risk.” Apple and Google, like all public firms, must file a 10-K form with the SEC, specifying potential risks to its business and investors. I’ve read hundreds of these forms and I can tell you that they reveal a lack of understanding of the intricacies of political risk, including both macro and micro political risks within their home countries, as well as geopolitical (transnational/cross-border) risks.

The tech sector’s belief that it is insulated from most types of political risk is an illusion, and a dangerous one at that. The origin story of the tech industry is a beautiful fairy tale and it’s hard to blame the sector- it’s full of optimistic idealists who are eager to use technology to solve complex problems, transcend national boundaries, and empower individuals. These all sound like great goals, but there are many deeply entrenched power structures that like their problems complicated, their borders well ringed with barbed wire and their populations well-controlled.

By perpetuating its own illusion, the industry makes itself more vulnerable. And we’ve seen the results. The tech industry continues to be repeatedly burned by a variety of political and geopolitical risks. Of course there’s the obvious example- Edward Snowden’s revelations regarding the extent to which US tech firms’ user data was compromised by National Security Agency surveillance. But there are others, such as operating in countries where cyber attacks to steal intellectual property are unrelenting. Then there are issues like the locations where companies decide to build their data centers; those choices have massive ramifications in terms of legal and regulatory compliance issues. Or situations where tech firms are having trouble balancing the desire to protect users’ freedom while contending with censorship demands in countries like Turkey (where Twitter is going to court) or China (which Google chose to leave over censorship concerns). Or how protectionist policies designed to ensure the sustainability of fledgling but primitive domestic firms is keeping tech firms like Uber from capitalizing on underserved markets. And how tech firms seeking to “disrupt” dysfunctional or outdated practices with tech innovations risk disrupting existing balances of power in countries where such actions can result in swift backlash. When I first heard news of Netflix’s major global expansion, my first thought was to wonder how they’ll deal with undependable connectivity in some areas, or censorship demands, and how long it’ll be before there’s a scandal of some sort. Finally, of course, there’s the issue of due diligence, which done poorly can topple a firm. The political risks involved in the movie business are quite well known, yet just like with the rockstars, the same issues pop up regularly due to poor planning.

Following the disclosure of various NSA spying programs, as well as data regarding tech firms’ frequent acquiescence to demands that user data be provided to the NSA, many foreign clients decided to stop using services from firms based in the US. Snowden’s disclosures caused the trifecta of losses: monetary, legal, and reputational damage. IBM lost a considerable amount of business in China, Google is the target of European ministers seeking to punish the firm via new laws and legal challenges, and Microsoftis contending with the ramifications of a PR scandal regarding its particularly close relationship with the NSA, which caused many consumers to seek alternatives to Microsoft services such as Skype. The exposure of NSA surveillance alone is estimated to cost just the cloud computing industry alone between $22 billion and $35 billion in overseas business in the 3 years between 2013 and 2016.

In that case, the tech sector willingly collaborated with the government, providing access to services and sensitive user data, in exchange for what it believed was the government’s ironclad guarantee that the collaboration would remain a secret. The government seemed like a helping hand reaching down into the Valley. As we all know, valleys aren’t a good place to be in battle, and the government doesn’t have the best reputation for protecting secrets. (Yes, I’m talking about you, NSA, CIA and OPM.) But the bottom line here is that there was no perceived cost for the tech sector to cooperate with the government, and therefore no perceived risk. A sure thing is rare in Silicon Valley, and this was the closest you could get to a sure thing. Now, the costs are not only clear, but prevailing. The tech industry lost the trust of its users, its foreign clients, and even some of its own employees with each consecutive expose, and it’s still trying to regain it, through legal challenges to requests for data, enhanced encryption (which makes it impossible for companies like Apple to read or share the contents of Messages sent between Apple devices with the government), and a myriad of PR efforts designed to convince the public that they will protect privacy and resist surveillance efforts. But the damage has been done, and dozens of new competitors, promising to protect user info and encrypt communications are capitalizing on the fall out, creating new competition, and more hurdles for tech firms fighting to retain and increase their market shares.

Given the rocky relationship between tech and the government, it’s surprising that the White House continues to call for Silicon Valley and tech leaders in general to do more to help the government fight transnational threats such as the Islamic State terror group. Sure, it seems logical that the tech sector could help the US prosecute its war against the brutal organization, given heavy IS use of Twitter, YouTube, and other platforms to spread its graphic and horrific propaganda. But while both the White House and tech firms share a desire to defeat the group in theory, the means by which the White House wants tech firms to fight the group are no longer cost or risk-free. In fact, they’re priceless. And while the White House is looking to score political victories, tech firms are looking to score legal victories that in many cases will make it harder for authorities to do their jobs. Tech firms aren’t trying to subvert the war against IS just to be difficult; they realize that winning one battle could mean losing their war to stay alive.

Not a single tech leader is willing to enthusiastically and unequivocally help the government install backdoors, or supports some government officials’ absolutely ludicrous calls to outlaw encryption. Not only is outlawing encryption completely impossible, any efforts to try reveal the governments’ embarrassing inability to understand how technology works. This was on full display recently, when Silicon Valley showed up to fight with the government over a plan to implement 2013 revisions to the Wassenaar Agreement, which would in effect keep tech firms from creating secure software. And the battle will only get harder for the government now that the tech sector is more self-aware. (There’s an artificial intelligence joke somewhere here, but I’ll leave it to you all.)

Tech firms have learned their lesson in the case of Silicon Valley vs. government surveillance, and they won’t risk being burned so easily again. But on other issues, where the tech sector hasn’t been burned nearly as badly, they’re still floundering as political risks build up around them. While it’s great to include the worst-case scenarios on their 10-K disclosures or in all hands meetings, while dismissing them as unlikely, it’s frequently the not-even-close-to-worst case situations that will cause the biggest problems for these firms. We often plan for the really big problems we can think of, and overlook the minor ones that be the one domino that start the chain reaction that could lead to a company’s bankruptcy or collapse. To avoid getting burned again, and from multiple risks, increased investment in political and geopolitical risk insight will be vital. A good political risk consultant isn’t going to predict the future. Their job is to anticipate the turbulent waters ahead, and to ensure that companies safely navigate any obstacles ahead, while also making sure they don’t sabotage themselves by failing to think through the consequences of their actions- especially the ones that seem like sure things. Every system needs an occasional patch to keep functioning, and when it comes to political risk, Silicon Valley needs a critical update.