Geopolitical risk has largely been a check box item in organizations’ IT risk management documents, until now. As geopolitical tensions hit an all-time high with the tariff wars as well as the ongoing Russia – Ukraine and Israel – Palestine conflicts, the theoretical frameworks are now being widely tested in the real world.

No risk management framework or business continuity plan would have prepared Nayara Energy (an oil refinery company backed by Russia’s Rosneft) for the sudden suspension of Microsoft’s cloud services following the EU sanctions on Russia. This one incident may be an exception at one extreme, but it is nevertheless a warning signal.

The incident is a sobering reminder for CIOs that even long-trusted vendors can become liabilities in the wake of rising global tensions. Vendor relationships are no longer about technology and cost alone; they also involve navigating a complex and unpredictable global political landscape, which requires CIOs to revisit their vendor risk management strategy.

For Indian corporates, this demands a strategic shift towards embedding geopolitical risk within the broader enterprise risk management framework, specifically vendor risk management.

“Vendor risk can no longer be assessed solely from a technical or procurement perspective. Geopolitics must be a central consideration in organizations’ digital infrastructure decisions,” says Harnath Babu, Partner & CIO, KPMG India.

According to Luke Ellery, VP Analyst, Gartner, global uncertainty is at historically high levels with sanctions, tariffs and trade restrictions impacting nearly all geographies. These risks will increasingly wield stronger influence on CIOs’ decisions around how they assess their vendors, draw up contracts and conduct audits.

Vendor Assessment

By proactively integrating geopolitical risks into vendor assessments, CIOs can better safeguard their organizations against unexpected disruptions and maintain business continuity in an increasingly volatile global environment.

The assessment should cover critical considerations around the geopolitical exposure of technology partners. Rajesh Uppal, strategic advisor & board member, principal consultant, Maruti Suzuki, suggests that new vendor onboarding processes should include due diligence around sanctions and ownership structures.

Vendor exposure based on geographic location or presence in high-risk regions, political climate, potential vulnerability to sanctions and dependencies on other potentially high-risk third parties should be evaluated as key parameters in the vendor evaluation scorecard. This also includes hidden risks. For instance, a company may appear to operate solely within one jurisdiction but have a parent company or key investors subject to regulations from a different country.
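As an added illustration of the hidden-risk point above (example code, not from the article or any of the firms named), here is a small Python screen that walks a vendor's ownership and dependency links so that a parent company, or a supplier's supplier, located in a high-risk jurisdiction surfaces on the scorecard; the entity names, jurisdictions and the high-risk set are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed placeholder: the jurisdictions a risk team treats as sanctions-exposed.
HIGH_RISK_JURISDICTIONS = {"Jurisdiction-X"}

@dataclass
class Entity:
    name: str
    jurisdiction: str
    parents: list = field(default_factory=list)       # parent companies and key investors
    dependencies: list = field(default_factory=list)  # critical third parties it relies on

def exposure_paths(vendor, registry, max_depth=4):
    """Every ownership/dependency chain from the vendor to a high-risk-jurisdiction entity."""
    paths = []

    def walk(name, path, seen):
        ent = registry.get(name)
        if ent is None or name in seen or len(path) > max_depth:
            return
        seen = seen | {name}  # per-branch copy so sibling chains are still explored
        if ent.jurisdiction in HIGH_RISK_JURISDICTIONS:
            paths.append(path)
        for owner in ent.parents:
            walk(owner, path + [("owner", owner)], seen)
        for dep in ent.dependencies:
            walk(dep, path + [("dependency", dep)], seen)

    walk(vendor, [("vendor", vendor)], frozenset())
    return paths

def rate_vendor(vendor, registry):
    """Scorecard fields: direct, hidden (ownership) and fourth-party (dependency) exposure."""
    paths = exposure_paths(vendor, registry)
    links = [{kind for kind, _ in p} for p in paths]
    direct = any(len(p) == 1 for p in paths)
    hidden = any("owner" in kinds for kinds in links)
    fourth_party = any("dependency" in kinds for kinds in links)
    rating = "high" if direct or hidden else "medium" if fourth_party else "low"
    return {"vendor": vendor, "direct": direct, "hidden": hidden,
            "fourth_party": fourth_party, "rating": rating, "paths": paths}

# Constructed registry: the vendor looks local, but its parent and a supplier's supplier do not.
SAMPLE_REGISTRY = {e.name: e for e in [
    Entity("Acme Cloud", "Jurisdiction-Y", parents=["Holdco"], dependencies=["DC Ops"]),
    Entity("Holdco", "Jurisdiction-X"),
    Entity("DC Ops", "Jurisdiction-Y", dependencies=["Net Provider"]),
    Entity("Net Provider", "Jurisdiction-X"),
    Entity("Local Vendor", "Jurisdiction-Y"),
]}
```

The returned paths are the audit trail: each one names the link (owner or dependency) through which the exposure was inherited, which is what a review committee needs to challenge or accept the rating.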

Besides screening vendors and their parent companies for sanctions and evaluating connections with sensitive regions, Babu also suggests collaborating with legal, policy, risk and procurement teams to co-own vendor onboarding and risk mapping.

Sethi adds that collaboration with other business functions adds value, as their expertise in international law, sanctions and local regulations lets them understand the full scope of potential geopolitical risks and their impact on vendor relationships.

Dynamic and Continuous Monitoring

To effectively integrate sanctions and compliance awareness into vendor risk assessments, continuous monitoring and audits are critical. This requires moving beyond traditional audits and annual assessment exercises, which often fail to keep pace with the rapidly evolving geopolitical events.

“CIOs must adopt a dynamic, continuous risk monitoring approach. Leveraging tools such as sanctions lists and political risk indices can provide valuable real-time insights into emerging threats,” states Archit Rajesh, Sr. VP, Head of Technology & Marketing, FirstMeridian Business Services.

The onus is also on CIOs to stay informed of evolving global regulations. Sethi advises using threat intelligence feeds, news monitoring and specialized risk assessment platforms to get real-time alerts on potential disruptions, sanctions or regulatory changes affecting key partners, and to act fast when issues arise.

Vendor Diversification

While continuous monitoring and risk assessment help minimize disruption and speed up the response to escalations, measures such as vendor diversification de-risk the organization more proactively. Avoiding over-reliance on a single vendor from a sensitive region helps ensure operational resilience. This includes enlisting alternative vendors for critical services and planning for rapid business transitions.

Local and alternate vendors in different jurisdictions, capable of stepping in as a replacement provider, must also be identified so that they can take over in the event that the risk materializes.

“For critical services, identify a plan B upfront. This could be a different vendor or an internal capability. If geopolitical risks are elevated and have the potential to impact your suppliers, proactively engage with your identified plan B vendors,” advises Ellery.

“CIOs need to keep their ears and eyes open for any emerging threats and always have a parallel open-source system trial in place for any unforeseen eventuality and unavoidable breach of contract or trust, which may occur with the existing digital infrastructure provider,” adds Rajeev Batra, CIO, Bennett, Coleman & Co. Ltd.

Re-visiting Vendor Contracts

The final and critical piece of vendor risk management is the contract, which must address the broadening risk canvas and strategically align its terms to the reality of evolving geopolitical developments such as sanctions.

Ellery advises CIOs to review all IT vendor contracts where the services are critical to the continual operation of the business. In some industries, such as financial services, critical infrastructure and healthcare, this is a regulatory obligation. So, this can be used as a negotiation lever. In other organizations, this should be a board-level priority as it potentially impacts business continuity in a material way.

When entering new vendor contracts, or revisiting older ones as they come up for renewal, CIOs must start by getting the basics right in order to provide for possible scenarios and the appropriate controls and actions. According to Babu, well-drafted contracts not only facilitate effective cost management but also ensure continuity when unexpected changes occur in the world.

Negotiating Stronger Vendor Contracts

Leading CIOs and technology leaders share their suggestions for negotiating stronger vendor contracts covering data access, suspension triggers and emergency continuity, to cushion the impact of geopolitical risks.

Luke Ellery, VP Analyst, Gartner

Common clauses used in technology agreements include transition assistance or unwind clauses, which ensure the continual operation of the services until they are transitioned to another provider for a fee.
As the drafting matters, CIOs should consult their legal counsel or seek external legal advice as appropriate.

Rajesh Uppal, Strategic Advisor & Board Member, Principal Consultant, Maruti Suzuki

Strengthen onboarding processes for new vendors to include sanctions and ownership structures, and ensure a strong right to audit in all contracts.
Ensure mirroring for business-critical infrastructure and a very strong force majeure clause in contracts that covers this aspect.

Harnath Babu, Partner & CIO, KPMG India

The data management clause should guarantee access to your data in usable formats and include provisions for real-time backups.
Include options to pause services or promptly terminate the agreement if the vendor is sanctioned or loses operational rights in your region. The bans on technology companies serve as clear examples of services being abruptly restricted due to regulatory actions.
Insist on complete transparency from the vendor to avoid being caught off guard by compliance changes on their part.

Vijay Sethi, Chairman – Mentorkart & Crafsol Technologies, Former CIO, Hero Motocorp

Emphasize clauses beyond the traditional commercial and confidentiality ones and rework the contracts accordingly. For instance, CIOs should mandate that the vendor provide clear assurances and contractual clauses on regulatory compliance, along with immediate notification of changes in compliance status.
Include a clear and time-bound exit strategy, covering the transition period, vendor requirements for data migration and guarantees of data delivery in an open, non-proprietary format.
Include a data escrow clause for critical data and applications to ensure a trusted third party holds a copy of the data for immediate access if the vendor is suspended.
Require the vendor to notify the CIO within a specified timeframe of any event that could lead to service suspension, including regulatory investigations, legal actions and sanctions.
Define the specific and restricted conditions under which the vendor can suspend services, to avoid arbitrary suspension, while also specifying the process for service restoration.
Review indemnification clauses to cover financial losses, legal fees and reputational damage from sudden service suspensions due to geopolitical events.
A vendor’s failure to maintain compliance, or its appearance on a sanctions list, should trigger a formal review or even potential contract termination.

Sanctions and compliance awareness can be embedded into vendor risk management mostly through contractual terms and punitive penalty routes. However, as Batra points out, when an issue happens at the national level, the problem may be categorized under force majeure and contractual obligations may not be honoured. Hence, a multi-pronged strategy and the identification of alternative providers become key.

Published On Sep 9, 2025 at 06:01 AM IST
