Chess, Not Checkers: Managing Systemic Financial Risk on a Global Stage Siobhan MacDermott | Consello Partner
and Former Vice Chair, Global Corporate & Investment Banking, Bank of America
and Co-President, Financial Systemic Analysis and Resiliency Center

If a company can identify systemic financial risks and get ahead of them, then it can make informed decisions and take swift action to address them, without being perpetually caught off guard and forced into crisis risk management scenarios. But today, companies need to re-think their traditional definition of risk from being all about control, mitigation, and avoidance to using risk for competitive advantage. By thinking of systemic risk in this context, companies can be more agile and responsive to changes in the market.

Enter a new brand of systemic financial risk management. Today’s risk management services market is growing globally. The global risk management market size was valued at $7.39 billion in 2019, and is projected to reach $28.87 billion by 2027, growing at a CAGR of 18.7% from 2020 to 2027.¹ Where the rubber hits the road, however, is the nation-state threat to businesses. In many cases, individual companies and their management are targets of geopolitical tensions.² Sound like being caught in the middle of a James Bond movie? Absolutely.

Trade wars, political instability, pandemics and natural disasters are just a few examples of the disruptions that global organizations face, but cybersecurity threats remain present and ever-changing. As these cybersecurity threats have become more sophisticated and pervasive, it has become difficult even for the most advanced organizations to distinguish if threats are coming from individual cyber criminals, foreign government actors or cyber criminals supported by foreign government actors.³ These myriad threats are emerging on arguably the most complex geopolitical backdrop that has ever existed.

So, how do business leaders deal with this new level of threat while trying to run their businesses and optimize shareholder value? Geostrategic considerations must be at the center of market entry/rationalization decisions as opposed to an afterthought – and a risk register that includes geostrategic and cyber risk in addition to systemic risk, intelligence, and cyber resilience is mandatory to gain disproportionate competitive advantage and leverage. As a result, there must be a single point of accountability within the organization that works hand-in-glove with the CEO on every business decision that is made. They must also work closely with functional experts (particularly finance, cybersecurity, government relations, public affairs and technology) across the strategy of the business. Whereas in the past having these functions operating in silos was sufficient, today’s complex geopolitical environment demands that companies have an “all bets are off” business plan scenario.

A Word About Financial Systemic Risk

Financial systemic risk refers to the risk of widespread and significant business impact in sectors or upheaval in regions caused by events that are difficult both to predict and control. Market globalization and the increasing interconnectedness of economies means that financial systemic risk can arise anywhere in the world and have far-reaching implications and consequences.

To effectively model systemic risk, a firm needs to get a handle on its current level of activity and its exposure to geopolitical developments. For example, most companies would be gravely affected by a global outage of transportation or communications networks, neither of which are far-fetched scenarios in today’s world of cyberattacks. Stress testing and wargaming are ways to help businesses evaluate the impacts of such scenarios and allow for contingency and resiliency planning ahead of time.

Financial systemic risk modeling can identify potential risks and vulnerabilities before they occur and help companies think through very complex situations. Using and analyzing data and patterns across multiple sectors, regions and levels of risk can help companies identify potential triggers for risk, such as political instability or financial market volatility. This allows the boards, CEOs, chief risk officers and chief strategy officers to take preventative measures to mitigate the impacts of those risks. Some of those mitigations might include supply chain adjustments or strengthening financial regulations.

We can also use this kind of risk modeling to improve our understanding of the interconnectedness of different sectors and regions. For example, as COVID-19 demonstrated, a global pandemic will disrupt supply chains and affect industries around the world.

Building Cross-Industry Expertise and Public-Private Partnerships

In some industries, groups have come together and used their scale to share and analyze cyber threats. In the finance community, for example, the Financial Systemic Analysis and Resiliency Center, or FSARC, was founded in 2016 by the eight U.S.-based global systemically important banks (G-SIBs) and several branches of government.⁴ FSARC (now ARC) is not just another information sharing center, but rather one where systemic players have skin in the game to ensure its success. Employees from banks were seconded to the center for a minimum of a year, where they work alongside their competition to share information to protect the entire financial system from failing. Having the large banks bear the financial and staffing burdens of the center was essential to be able to share the resulting reports and intelligence across the broader financial sector – about 7,500 institutions.

A few months after the FSARC was founded, the Tri-Sector Executive Working Group emerged with the idea of building an FSARC-type structure across multiple industries.⁵ This group included leaders from finance, telecommunications, and energy companies. The sheer magnitude of this is mind-boggling. In the United States alone, that meant getting 25+ CEOs into a room and getting them to agree to share information with not only their competitors but also with industries outside their own.

This model, born in the finance ecosystem in the United States, has been replicated in other countries. For those of us who co-ran this center during its inception, our ultimate end-state was to connect similar centers around the world for truly global information and intelligence sharing. After all, how can we protect the system when we can’t share information – but the bad guys do? Many criminal enterprises have extremely sophisticated, global networks that share information in real time.

Stress Testing in the Financial Markets

Imagine a wargame for the global payments system. The scenario: A major U.S. bank is taken out of the system (for whatever reason). If a large U.S. bank is compromised, what is the impact on the global financial system? The U.S. economy? The U.S. financial system’s ability to address liquidity in the market? What happens to the large customers of those banks? How do all the companies that are dependent on that one bank continue to operate and not create systemic failures themselves?

When I was at Bank of America, we ran a wargame across other players in the global financial system, regulators and several branches of the U.S. Government in order to address those scenarios and to determine exactly what the impact on each financial institution would be, as well as what the knock-on effects would be. This exercise allowed the banks to build great resiliency models and to explore new ways that technology could play a role – both in determining indicators of compromise for such an event, as well as in the recovery speed of getting that institution back online. We determined specific criteria for taking a bank out of the system and for assessing whether it was “clean” for re-entry in the case of a cyberattack, for example.

All this experience was a direct result of the fact that geopolitical instability had directly contributed to fear that the financial sector could be impacted, and the system could be taken offline. If we analyze the impact of the Colonial Pipeline hack, for example, we see that the impact was far-reaching – well beyond a company headquartered in Alpharetta, Georgia – as a large part of the East Coast’s fuel supply was cut off.⁶

The world is getting more complex. Companies that track geopolitical impact are used to dealing simultaneously with several major events globally. In today’s world, we are well beyond that capacity. The conflict in Ukraine and China/Taiwan tensions are just two of the big ones today. Couple that with retrenchment, political movements that are rife with dis- and misinformation, deep fakes, artificial intelligence like ChatGPT, quantum computing and Y2Q (years to quantum), and it’s overwhelming to imagine how a CEO manages all these disruptions in addition to their business.

Analyzing Systemic Financial Risk

It is only by analyzing these complex interconnections that systemic risk models can inform decision-making and resource allocation. The goal of these models is to provide stakeholders with quantitative data on the business impact of different scenarios that can drive efficiency, preparedness, and risk management strategies. All these exercises improve collaboration and coordination across the executive suite and with governments.

An example of how to think through a three-year risk modeling exercise is to look at the business plan and then model scenarios (individually or collectively) to get an idea of exposure, response, and resilience.

There are several financial examples that many businesses look at today. They include the traditional financial risk metrics of tax rates and tariffs. But do they model out potential political and regulatory shifts? For example, would a 2x increase in operating expenditures for transactions across borders due to a political event allow a company to remain in business? Some examples of impacted areas here include professional fees, hedging and regulatory advisory assistance that were likely not included in the company’s original business plan.

Also important is assessing how shifting global monetary measures from geopolitical tensions impact stock markets, currencies, and commodities. This assessment should be taken alongside the traditional exercise of assessing the attractiveness and feasibility of the business model while paying attention to geographic footprint, product attractiveness and availability, supply chain, and customer profiles.

Emerging technologies like AI and quantum computing bring significant advantages, but also new risks. These technologies can be weaponized by nefarious actors to hack companies and disrupt them.

All these identified risks (and some, like climate change, that we haven’t even mentioned) are a result of what is happening in the world. They force us to look internally, within our businesses to scenario plan and risk mitigate.

Turning Financial Systemic Risks into Advantage

But what if we could use these risks as a competitive advantage? Everything mentioned above is table stakes when it comes to operating a global business. Traditionally, firms have only viewed the negative impact of geopolitical shifts. However, geopolitical shifts can create opportunities alongside risks for a business. For example, shifts in global trade policy, economic sanctions or political leadership changes can increase tariffs, limit market access, and disrupt global supply chains but they can also create opportunities for new partnerships, new markets and access to new talent pools.

Some of the industries most affected by these shifts today are those that rely heavily on global trade, investments, and access to natural resources. We already discussed financial services above. They are heavily dependent on global investments, trade, and regulation. Geopolitical shifts sometimes create economic sanctions, restrict investment, and create regulatory barriers. These have a significant impact on a global bank.

In the global technology sector, the industry relies heavily on the global supply chain, global talent – and its ability to relocate that talent – and markets. As we have already seen in the Ukraine conflict and China escalations, market access can be limited, trade barriers can be increased or created, and talent mobility can be significantly restricted.

In the automotive space – an industry heavily reliant on global supply chains, as well as trade and market access, – we have seen recent supply chain disruptions in chips, causing significant delays in delivering existing orders, as well as delivering new model vehicles.

In the energy sector, there is high reliance and dependence on natural resources. Any shift that affects the price of oil, creates trade barriers, or disrupts the supply chain significantly impacts that industry.

And in healthcare, an industry highly dependent on global talent, supply chains and market access, those disruptions can have a massive impact.

Bringing together these different perspectives and expertise will give companies a common framework and understanding of risk, as well as offer potential solutions and better outcomes for all stakeholders. Former U.S. Treasury Secretary Tim Geithner and Bridgewater founder Ray Dalio may have said it best. During a speech at the London School of Economics in 2011, Geithner said, “Systemic risk is the risk that the failure of one participant in a market will have a domino effect on others.” Given global interconnectedness, this is certainly true. And Dalio said, “Geopolitical risk is the biggest risk facing the world today.”  Either one of these quotes is worrisome in isolation, but if we combine the two concepts, it’s certainly time to rethink and restructure how we evaluate global risk.