Author: Carl-Petter Stav, Senior Advisor Security and Preparedness, Agenda Risk
The Russian invasion of Ukraine, the pandemic, China’s global ambitions, and the subsequent shift towards a new security and commercial world characterised by clear deglobalisation trends should serve as a wake-up call to the significance of robust geopolitical risk management. The world has changed, and today, business and trade policies are significant tools in the realm of security. “Business is security policy.” Civil society and domestic businesses are the prime targets for Russian hybrid activities during a period when Norway has gained increased importance as a guarantor of gas supply to Europe.
The need for a well-established framework for geopolitical risk management is greater than ever. Yet, it seems that many find it easy to discuss but harder to implement in practice.
The complexity of the task is understandable. Fortunately, methods and processes for gathering data and information to provide timely and relevant insights about the future are well-documented. This is the core of intelligence work, and geopolitical risk management should be one of the intelligence tasks tackled within the broader context of “Business Intelligence.” In this article, I will highlight some simple lessons we can learn from the people and organisations that collect, analyse, and produce intelligence on a daily basis, and I will discuss how this can be beneficial in the private sector.
Effective and comprehensive risk management for most will entail placing geopolitical risk on the agenda, making it a governance and leadership responsibility on par with all other forms of risk management. Sound risk management requires insight (intelligence). Therefore, boards and leaders should start by defining the organisation’s intelligence needs, forming the basis for the company’s business intelligence or intelligence strategy. Defining how to utilise intelligence capacity, outlining the tasks to be addressed, potentially making necessary organisational adjustments, and, crucially, identifying the right individuals to carry out the mission.
When considering organisational experiences, it is useful to remember that while a good team can answer your questions, an exceptional team can do much more. An exceptional team can point out the questions you should be asking, what you should be the most concerned about, and even identify competitive advantages you were not aware of. For the latter to succeed, the team must know the organisation intimately and be well-versed in the strategic goals and underlying processes. If you want a team that delivers products with strategic impact, ensure they are organised accordingly. Enable them to tap into as much knowledge and expertise from across the organisation as possible, allowing them to engage in cross-functional dialogue without being hindered by organisational barriers or production demands.
Next on the list is finding the right people. In a comprehensive team, you need leadership in collection and analytical prowess with an understanding of methodology, predictive analysis, intelligence production, and presentation. Technology is pervasive, and they must know which data and information need to be gathered, which sources to use, how to organise the data and information, and, importantly, how to process the information to create effective intelligence that can yield impact.
Which individuals are best suited to provide reliable information, and where can we find them? How can publicly available images yield relevant information? What documents can we access, and are they available online or offline? How do we efficiently organise OSINT efforts? What are the legal implications of all this, and how do we ensure we operate within applicable laws? How do we minimise cultural bias in our assessments and root it out in the sources we use? When should we gather supplementary information from alternative sources?
These are just a few examples of questions the team should be capable of answering, and the collection leadership process should be paramount when the work begins.
With the team in place and work processes defined, the board and leadership should prioritise the organisation’s information needs. Prioritisation ensures that what matters most is never overlooked, and a systematic and long-term commitment is necessary to make sensible predictions about the future. It will always be the prerogative of leadership to re-prioritise, but remember that all reactive efforts come at the expense of the ability to look forward. The prioritisation should ideally have a clear link to the company’s strategy and reflect what is of utmost importance in the upcoming period. Whether offensive or defensive. Many may find that prioritising information is more challenging than it sounds, but again, a team with a sufficient understanding of the organisation (and its strategy) should be able to provide a solid starting point. Furthermore, remember to review priorities regularly to ensure that the right questions are being asked.
Now, as the team gathers, processes, and produces to gain clarity about the threats, risks, and opportunities lying in the future, it is beneficial to rely on two methodical tools: scenarios and indicators. Scenarios can be both strategic and operational, and you can assess a broad set of indicators related to each scenario. Strategic indicators can typically involve factors like political stability, economic trends, social unrest, and climate changes. These are things that could impact activity in the long run, and indicators can be used to evaluate whether you are moving towards a scenario that requires a reassessment of strategic alignment. Operational indicators can be tied to critical factors for a given activity or operation, and these should encompass all conceivable dependencies to the greatest extent possible and in a prioritised order.
How long can we sustain production if our access to gas, steel, rubber, ships, logistics routes, airspace, land areas, personnel, or electricity is restricted? What happens to our assets abroad if a crisis emerges? Can we say that we have control over our data if the server is located in a country with a dependence on a third state with principles vastly different from our own? Why are dysprosium, neodymium, and Mongolia of interest to us? And how can our strategic indicators and assessments contribute to telling us what this will look like in five years?
Identify what you depend on to keep the wheels turning and create indicators that allow threats to be detected as quickly as possible. An additional effect of working with scenarios and indicators is that it fosters strategic awareness, which can be used to create plans that can be implemented at a stage where competitors have not yet perceived what is about to happen. It is then up to the team to piece together the puzzle and answer the most crucial question: What does this actually mean for us?
Be prepared that, occasionally, the answer will be that something must be done. Sometimes it is merely a good opportunity to be seized, but it can also mean that you should alter your strategic alignment. The extent to which intelligence is translated into action is the privilege of leadership, but it will be futile, and perhaps even harmful, if the team ends up telling you only what you want to hear for some reason. The latter has multiple good examples, more famously known as intelligence failures. Intelligence is not always good news, and that is something one must learn to appreciate.
In conclusion, it is worth remembering that implementing an intelligence capacity is an investment. One must learn to use this capacity before the returns truly materialise. And it’s not just about reducing risk but also about creating opportunities, ensuring activity continuity, and developing strategy based on insight, knowledge, and sound assessments.
We believe that in the future, more significant enterprises in Norway will require this capacity. For some, it will be natural to build capacity and expertise in-house, while for others, it will be more practical to purchase “Intelligence as a Service.”
About the author: Carl-Petter Stav has nearly 20 years of experience in intelligence and security-related work, with extensive expertise in the field at both national and international levels, encompassing operational and strategic aspects, both in civilian and military settings. He has been involved in handling geopolitical risks, including threats from state and non-state actors across all domains (cyber/technology/human). Throughout his career, Carl-Petter has led analytical efforts and operational units, both in Norway and abroad, during military operations and crises. He has been responsible for operational risk management and security. Additionally, he has been engaged in emergency preparedness planning and conducting exercises and training. Recently, Carl-Petter completed further education in information security management at Harvard.