Network Intelligence Report: Navigating the Risks of a Multipolar World

(Shutterstock)

Editor's Note: This is a complimentary piece of content we share from our Core Intel platform. RANE’s community-based solutions help address a range of enterprise risks covering Safety + Security, Cyber + Information, Geopolitical, and Legal, Regulatory + Compliance. Contact us to learn more.

RANE's Network Intelligence Report incorporates our analysts' diverse expertise to assess risks and opportunities pertinent to our clients across our taxonomy's four areas of focus: geopolitics; legal, regulatory and compliance; cyber and information; and physical safety and security.

Although we only began conceptualizing this special Navigating Multipolarity issue of the Network Intelligence Report towards the end of 2022, it has been clear for several years that the era of unchallenged U.S. hegemony – and of the broader Western-led global order – is over. The Russian invasion of Ukraine is only the most recent and acute demonstration of this, but more broadly the rise of China and the emergence of multiple small and middle powers have introduced a great deal of uncertainty into the global environment. Even a more integrated Europe, though still close to the United States, has created new challenges as Washington and Brussels pursue divergent policies in many areas, such as tech and environmental regulation.

Our Network Intelligence Report begins with an overview of what this emerging multipolar world looks like and the implications for organizations trying to navigate it. As we are keenly aware, business leaders across industries and company sizes have identified geopolitical risk as a key concern in 2023. Our analysts examine five key areas of this new world order that are highly relevant to our clients.

One of the defining characteristics of the emerging global environment is a decline in the relevance and effectiveness of the Western-led multilateral political, economic and security institutions that emerged in the wake of World War II. In particular, the rise of alternative lending institutions and business norms, many of which are championed by China, creates new legal, reputational, financial and operational risks to organizations.

Just as new multilateral institutions are increasingly dividing the physical world, so too are countries increasingly resorting to nationalism in cyberspace. What was once a global commons is increasingly split along national or regional lines. This is creating a much more complex and protectionist digital landscape for organizations to maneuver and protect their data.

Countries are also growing more protectionist in their environmental policies as they seek to pair action on climate change with state-led economic intervention. While China has long done this, it is the United States that has more recently and unexpectedly led this charge, forcing Europe to respond. This is already creating compliance challenges, which are set to only grow in the coming years, for multinational businesses.

If these challenges are not enough, legal and compliance teams are also facing a growing array of sanctions requirements. Though most immediately focused on Russia, Western nations are expanding and in some cases wholly redesigning their sanctions architecture in ways that will make it crucial for all organizations to improve their due diligence practices to avoid legal or reputational blowback, especially as regulators turn their focus toward China.

Finally, a shifting and more uncertain world will make it more important than ever that organizations have a model and tools to evaluate and mitigate the various risks future crises may bring, especially for physical security. Applying a framework from the U.S. Intelligence Community that leverages the proliferation of open-source intelligence for a corporate context offers one well-developed way forward.

We strongly believe that you will find this special Navigating Multipolarity issue of the Network Intelligence Report a useful guide to this emerging multipolar world order. As always, we are indebted to the work of our talented analysts and expert contributors, whose observations and guidance frame each advisory.

Sincerely,
Sam Lichtenstein, Director of Analysis, RANE

Geopolitical Disruptions: The Return of Multipolarity

The reemergence of a multipolar world and rising peer competition is changing the global security and business landscape. Defense budgets are climbing. National security considerations are driving geo-economic competition. Global norms and expectations that have held for decades are in flux. Complex supply chains woven since the end of the Cold War are fraying. Adapting to this shifting global landscape will require rethinking longstanding assumptions, but also understanding the geopolitical forces driving change.

Multipolarity is not new – in fact, it may be the norm of the modern globalized world. With the exception of the Cold War and a brief period of re-adjustment following the collapse of the Soviet Union, modern global history has been characterized by a multipolar world system. No power was able to hold sway over the rest singularly. Even at the height of British imperialism, the UK was not the clear global hegemon, as seen in its continued struggles to manage competing powers on the European continent as well as Russian advances in Central Asia toward South and Southeast Asia – the so-called "Great Game." No truly global bloc formation emerged until after World War II. Instead, the global balance of power was fluid.

From Globalization to Liberal Economics

From a geopolitical perspective, which seeks to take the long, structural view, the "modern" world began sometime in the early 16th century, when Europe "discovered" the rest of the globe. Before this time, there were empires rising and falling, cultures emerging and developing, and science and technology advancing, all over the globe. And there were connections moving people, goods and ideas across Europe, Asia and Africa. But distance remained a major constraint on global connectivity, and it took the combined advances in shipbuilding, navigation technologies and economic resources to bring the globe into clear focus and integration.

By the 19th century, global trade, strategic competition and shifting technology meant that the world was a closed political system. As British geographer Sir Halford Mackinder assessed in 1904, "every explosion of social forces, instead of being dissipated in a surrounding circuit of unknown space and barbaric chaos, will be sharply re-echoed from the far side of the globe, and weak elements in the political and economic organism of the world will be shattered in consequence." In other words, what happened on one continent had repercussions for those on other distant continents and vice versa. Thus the American Revolution had significant implications for Britain's security in India (and affected London's dispersion of force and decision-making), and the expansion of European sea trade to the Far East degraded the economic viability of Central Asian trading routes (and the fortunes of the Italian city-states).

With the integration of the world into a single system, fully cognizant of itself, we can trace the origins of today's globalization to the early 1500s, with sporadic maturation over the succeeding centuries. But it is only after World War II that the modern framework for globalization emerged. At the end of the war, the United States stood as one of the few strong economic powers, and Washington used this heft to rebuild Europe and establish a new global economic and philosophical framework. Modern liberal economic policies may have their origins in older eras and theorists, but it was the widespread destruction of World War II that allowed the construction of a new liberal economic framework, which took on more importance as the world quickly moved into the Cold War architecture.

The Cold War was both a strategic and ideological competition. The United States and Western Europe promoted a liberal ideology that linked personal freedoms, private industry and democracy as the fundamental (and universal) conditions for economic growth and success. This challenged Soviet collectivism and statism, but it also challenged other traditional forms of economic and social collectivism that characterized much of the developing world. When the collapse of the Soviet Union "proved" the superiority of Western liberal economics, the West could demand adherence to its norms amid the rapid expansion of global trade, trade agreements and economic interactions. Thus, one abnormal period (the bipolar Cold War) gave way to another oddity, the "hegemonic" moment of U.S. power that lasted until the early 2000s. This was a transitory period where the rest of the world sought balance, particularly the rapidly growing China.

Challenging the Status Quo

China stands in stark contrast to the universal assertions of Western liberal economic norms. While China made some economic progress through the 1980s, it was the 1990s and early 2000s that saw the real surge in Chinese economic growth and global importance. China was well positioned to take advantage of its massive low-cost labor pool to draw industrial investment and link into the rapidly expanding containerized shipping. Global norms and trade agreements facilitated the growth and complexity of global supply chains, allowing corporations to move goods at various stages of completion to different countries, with products at times crossing oceans several times before reaching their final destinations. China played within this system when it was beneficial, but Beijing never gave up state involvement in the economy or Communist Party control over the government and people.

As China's economic power rose, and its importance to global trade flows increased, Beijing grew more confident in beginning to challenge aspects of the global (i.e. Western) norms, highlighting its own successes in economic growth without the same political or personal freedoms the West asserted were necessary co-requisites. Beijing's message resonates with much of the world. The Western liberal economic and political ideas are not inherently universal, but rather come from a particular strand of philosophy and were codified at a unique moment in history. But the North Atlantic no longer comprises the bulk of global economic activity and heft. Thus, China argues, the West's mores should not necessarily dictate the political, economic and social choices of other countries.

China is not alone in challenging the status quo. As U.S. power seemed to grow unchecked following the collapse of the Soviet Union, the rest of the world sought balance. Freed of the Soviet threat, Europe accelerated its own integration, creating a massive single market that gave Brussels power in asserting global norms on issues ranging from the environment to human rights. Russia perceived unchecked U.S. power, and the expansion of NATO, as a direct threat to its own strategic position, and by the early 2000s began its own push against the global order. As these four poles of power became clearer, small and middle powers like Turkey, India and Japan saw the opportunity to begin exploiting the differences between the big powers, finding their own advantages where they may, but also introducing uncertainty into political and economic policies as they bucked against U.S., European, Chinese and Russian interests, or saw local politics swing between different big power influence.

Challenges and Opportunities of a Multipolar System

The United States and China sit at the core of the new multipolar system, with Europe and Russia as similar but not fully aligned poles – and an array of small and middle powers shifting throughout this new ecosystem. But despite growing U.S.-China strategic competition, it is unlikely the world returns to another Cold War-like architecture. Unlike at the end of World War II, there is no massive dislocation of global trade and peoples that can allow the formation of a new competing set of economic and political blocs. Rather, no single power has the ability to either dominate the international system alone or force other countries to fully choose a side. This has strategic and economic implications not only for government policies and international relations but for internationally engaged and exposed businesses and organizations.

Uncertainty in international relations: Multipolarity provides space for many small and middle-tier countries to decline "choosing a side" between big powers, leading to more flexible alignments rather than expanding strong alliances. In the Indo-Pacific, for example, many countries are finding themselves largely aligned economically with China while militarily with the United States. This may make them more susceptible to economic coercion from big powers, and economic impacts are often based less on the economic fundamentals in a specific smaller country than on the political actions of the larger powers. Thus, unexpected economic disruptions may become more common, requiring not only adept political risk awareness that draws on the expanding amount of open-source intelligence but an understanding of the broader geopolitical balance as well.
Emergence of miniblocs: While traditional large-scale complex alliances may be waning, the multipolar system encourages the frequent formation of smaller mini-blocs, attempts by like-minded countries to pool their relative power to better maneuver between the big powers. These may be driven by the big powers, as seen in groupings like the QUAD or AUKUS, or be regionally focused, as with the closer cooperation emerging among the Baltic countries and Poland, or the renewed collaboration within the core of ASEAN. This will force businesses to navigate increasingly diverse – and at times opposed – political and economic blocs, posing new compliance, supply chain, data security and other risks.
Rising nationalism: The challenges to assertions of universal norms (such as Western liberal economics) and the impact of re-emerging great power competition drive renewed nationalism and protectionist tendencies, even on topics like climate change that are truly global challenges. As the global trade system undergoes structural realignment, big powers employ geo-economic tools against one another and ideas of economic security as a key component of national security are revived, protectionist actions and greater state involvement in economics and industry become both more normal and more acceptable. And this moves well beyond the issue of trade, or ideas of near-shoring and friend-shoring. It is also rapidly expanding into new territories, such as information and cyber-sovereignty, and expansion of traditional ideas of air sovereignty to now include space.
Fraying of global financial architecture: While there is little likelihood of a near-term replacement of the U.S. dollar as the global reserve currency, its dominance and the global financial architecture give Washington disproportionate power to use economic tools to shape global political and security environments. China, Russia and many other countries are actively seeking alternatives to the dollar and existing financial infrastructure to soften Washington’s ability to punish and coerce. But this is not limited to just direct competitors to the United States. Even nominal partners, such as Middle Eastern oil suppliers, are making arrangements for alternative currency exchanges, and both China and the European Union have developed regulations that can counteract U.S. sanctions, leaving businesses in the difficult position of choosing which set of regulations to adhere to.
More localized conflict: As nationalism rises, so does sub-nationalism, and many ethnic or regional groups within countries are asserting their own right to self-determination. At the same time, as the big powers step up strategic competition, more localized competition within and among smaller powers may devolve into military conflict. With the focus on China and Russia, the United States and Europe may be less likely to intervene in moderate localized conflict, suggesting that the threshold for intervention is shifting.
Uncoordinated responses to broader global issues: Multipolarity makes collaborative global action more difficult. Nationalism and economic security will often take precedence over global issues, and while this doesn’t end the momentum for addressing things like climate change or illegal fishing, it may lead to more regional and local responses or actions by big powers more focused on their particular location than on the overall globe. This may be particularly notable in places like South America and the Pacific Islands – the former where we are seeing a New Left harness environmentalism as part of its challenge to outside economic exploitation, the latter where their very survival is already being challenged by climate change.
Restructured supply chains: Organizations and corporations that have very complex multi-company supply chains, and those that have very narrow, single-source supply lines, are highly vulnerable to disruptions in the multipolar world. Resilience may require redundancy, which is costly, or more flexibility in identifying and being able to rapidly shift to alternatives in times of localized stress. This impacts not only physical goods but services and information-based products as well. Increasingly, companies will also need to develop their own foreign policy, particularly if they have heavy exposure to more than one of the big powers, or wide-ranging supply chains. Understanding multiple layers of supply, at times down to the initial minerals, will also become an important component in managing geopolitical risk and trade. This will only increase the need for organizations to have robust frameworks to proactively collect, analyze and mitigate various risks.

China's Challenges to Bretton Woods: Implications for Businesses

The rise of non-Bretton Woods institutions (BWIs) in an increasingly multipolar world has significant implications for global business opportunities and demonstrates the need for firms to modify their operational strategies to mitigate potential geopolitical, legal and financial risks. Since the founding of institutions such as the New Development Bank (NDB) in 2015 and the Asian Infrastructure Investment Bank (AIIB) in 2016, both of which are headquartered in China and guided and resourced to a significant extent by Beijing, concerns have grown that infrastructure development investment projects that these new institutions underwrite, are accompanied by a different set of rules and norms for business and investment that may diverge from the values affirmed during the Bretton Woods era. As part of Chinese President Xi Jinping's vision of the "Chinese Dream," China seeks to challenge the Western-centric global order through such projects as the Belt and Road Initiative (BRI), the new Maritime Silk Road and new multilateral development institutions that offer loan packages that appeal to developing countries and deprioritize transparency, anti-corruption and safeguards for workers, among other things. Close observers of the Chinese influence on multilateral lending by the AIIB and NDB point also to the potential linkages between lending decisions and China's geopolitical objectives. In order to better understand the legal, reputational, financial and operational risks to businesses likely to emerge as competition from non-Western multilateral lending institutions challenges the norms and practices enshrined in the values of BWIs, RANE spoke with Nathan Picarsic and Emily de la Bruyère, Co-Founders of Horizon Advisory.

The Rise of Bretton Woods and China's Recent Challenge

In December 1944, 44 delegates representing the Allied Powers met in Bretton Woods, New Hampshire, to discuss the formation of an international organization to finance the reconstruction of Europe following the conclusion of World War II. The primary lending institution that emerged from the conference is the World Bank Group (WBG). Composed of the International Bank for Reconstruction and Development, the International Development Association, the International Finance Corporation, the Multilateral Investment Guarantee Agency and the International Centre for Settlement of Investment Disputes, the WBG's primary mandate is to provide financing to low- and middle-income countries for development projects. The International Monetary Fund (IMF) was founded alongside the WBG with a mandate to resolve international financial crises and to correct balance of payment issues.

The BWI ecosystem has given rise to a number of multilateral development banks (MDB) focused on regional lending, such as the African Development Bank (1964) and the Asian Development Bank (1966). These MDBs have largely been organized and capitalized in a manner similar to the WBG and have adopted the same terms, practices and norms, and have participated in coordination with other WBG entities in lending activities. To supplement the activities of these MDBs at the regional level in Europe, the Organization for Economic Cooperation and Development (OECD) was established in 1961. Headquartered in Paris, the OECD's stated purpose is to stimulate economic progress and world trade. It is a forum whose member countries describe themselves as committed to democracy and the market economy, providing a platform to compare policy experiences, seek answers to common problems, identify good practices, and coordinate the domestic and international policies of its members. A brief synopsis of relevant multilateral institutions and their mandates that comprise the BWI ecosystem can be found below:

A List of Major Multilateral Development Banks Founded Since World War II

In general, the norms and behaviors of these multilateral lenders reflect those of the international liberal order established by the United States and its allies at the Bretton Woods Conference. Since the 1990s, this "international liberal order" has come to be defined by the Washington Consensus. The Washington Consensus features policy prescriptions such as fiscal discipline, pro-growth spending, market-based interest rates, free trade, privatization of state-owned enterprises, deregulation of business and basic property rights. Furthermore, integrating the Washington Consensus into its loan packages, the WBG began to require that aid recipients implement structural adjustment programs if they wished to receive new loans or adjust the interest rates on existing loans. Conceived in the aftermath of economic crises in Latin America throughout the 1980s, structural adjustment programs often require recipients to curtail social spending and implement fiscal austerity plans, leading to allegations of neocolonialism and the undermining of national sovereignty. As a result of such policies, the WBG, IMF and their affiliated institutions have been criticized by various groups and opposition leaders in recipient states as examples of Western hegemony.

As global development accelerated, the drumbeat of criticism by emerging and developing economies, most particularly China, became louder. China insisted that the governance structure of the BWIs is too tightly controlled by the United States and its Western allies, and that the investment decisions and economic support provided by the BWIs are inextricably linked to the Washington Consensus. In line with recurring geopolitical tensions between Washington and Beijing, China came to believe that it did not have appropriate voting power and influence in the BWIs to reflect its own growing economic size and geopolitical influence. The leadership of the World Bank is traditionally reserved for a U.S. representative. The IMF is run by a representative chosen from Western Europe. Even the most relevant regional MDB, the Asian Development Bank (ADB), works in concert with BWI norms and practices and is always headed by a Japanese representative.

In 2016, to correct this perceived imbalance, China established the AIIB, headquartered in Beijing, and coordinated with other emerging and developing economies countries — Brazil, Russia, India, China and South Africa (BRICS) — to establish the BRICS Development Bank, which was subsequently rebranded as the NDB, and headquartered in Shanghai. As of 2021, the five BRICS countries represented 41% of the world's population and 24% of global GDP. Furthermore, as of 2022, China alone represented nearly 18.5% of the global population and the equivalent percentage of global GDP.

The governance of the new institutions is illustrative: China controls a 26.5% voting share in AIIB decision-making, whereas the next largest vote holder is India, with 7.6% voting rights. China can control the governance of AIIB given that its voting power is greater than the 25% required to block decisions made even by a supermajority of AIIB voting members (which would require 75% of the vote by two-thirds of the Bank's members). China holds a 20% share of voting rights in the NDB, along with 20% held by each of the other four original BRICS founding members. China is the largest capital provider to the Contingent Reserve Arrangement (CRA), instituted in the same year as the NDB, which provides balance of payments assistance to BRICS countries. China has committed $41 billion to CRA, the largest contribution from the five BRICS countries, giving it 39.5% of the voting power. Although the United States is not a member of the AIIB, NDB or the BRICS-controlled CRA, Western nations such as Australia, France, Germany, Italy and the UK have joined AIIB (with a combined voting power of 13.2%), demonstrating the rise of the AIIB and NDB as viable, multilateral alternatives to the BWIs.

Unpacking the Challenges

The challenge of these China-centric institutions comes at a time of staggering investment opportunity and need throughout the world's emerging and developing economies. In its 2017 report, Meeting Asia's Infrastructure Needs, the ADB estimated that in the Asia-Pacific region alone, the investment need is approximately $1.7 trillion per year through 2030, "if the region is to maintain its growth momentum, eradicate poverty, and respond to climate change." However, the rise of China-centric multilateral institutions such as the AIIB and the NDB challenge the BWIs and their affiliates and create myriad geopolitical, reputational and economic risks, particularly with respect to the rise of a "Beijing Consensus," divergent positions on human rights, corruption and business transparency, and increasing friction in the Western alliance on shared values and competing commercial interests between the United States and Europe.

A List Showing Challenges to Global Trade and Finance in a Multipolar World: Asia-Pacific

The Beijing Consensus

Picarsic and de la Bruyère both note that China appears to view the AIIB, NDB and related infrastructure initiatives as opportunities to rewrite global norms surrounding lending and economic growth in the developing world. Emblematic of this perspective is the "Beijing Consensus." Defined as a development framework that prioritizes infrastructure, active state intervention in markets and gradual market reform vs. "shock therapy," the Beijing Consensus is an extension of the policy prescriptions that have enabled the Chinese economy to lift over 300 million citizens from poverty since the beginning of the "Reform and Opening Up" period in 1978. Indeed, since 2012, China has leveraged international partnerships and the Belt and Road Initiative, a cornerstone of President Xi's development policy that seeks to provide infrastructure funding in the developing world, to provide training to over 10,000 bureaucrats in the developing world, using the sessions to extol the virtues of state capitalism and infrastructure-led development. Commenting on China's export of new norms, de la Bruyère states that "Beijing is increasing its footprint and that of its institutions and organizations internationally," suggesting that China is likely to continue this practice as it seeks to supplant the U.S.-led unipolar order. For de la Bruyère, this ideological conflict between China and the West is likely to intensify, particularly to the extent that China strengthens its "no-limits friendship" with Russia amid Russia's war in Ukraine.

According to Picarsic, this trend demonstrates how China has learned from the mistakes of the "Washington Consensus" and now seeks to use its lending power in a more appealing formula when engaging the developing world. A primary criticism of the BWIs and structural adjustment programs is that they undermine national sovereignty and breed popular resentment as people chafe at austerity measures required in exchange for financial support. Picarsic theorizes that China has "watched what the United States did since World War Two and throughout the Cold War. And I think they have updated and learned from it." By avoiding overt conflict with aid recipients in favor of an approach that champions active state intervention in markets, he believes that Beijing Consensus policies will likely continue to serve as an attractive alternative to the BWI-led order.

Picarsic also notes that Beijing may be more likely, given its close reading of the history of BWI-led investment and pushback from recipient countries, to position its own geopolitical interests more carefully as commercial and civilian engagements. This approach "won't spur the same kind of wake up call" in the West, Picarsic notes. It may give China the opportunity to present itself in a manner that does not show signs of overt military or undue geopolitical influence while behind the scenes engaging in renegotiations of lending and other financial interactions to increase China's control and influence. For example, in 2022 under the BRI, China's Export-Import Bank extended a $4.7 billion loan to Kenya to finance the country's railway system. Notably, the loan does not feature any expectations for structural adjustment programs and has drawn significant media attention for its questionable terms, portrayed as secretive and exploitative by transparency activists in Kenya. Picarsic adds that using some of the leverage China has in the global financial system through its lending will be part of Beijing's geopolitical playbook, stating that "It won't be the same sort of blunt, in your face mode." Picarsic and de la Bruyère also see China managing its economic policy to further a geopolitical goal of dividing the US relationship with Western Europe. Both comment that there is an "underrecognition of this problem" in which China appears to use economic levers in a manner that creates friction between the United States and its European allies by selectively favoring European companies over U.S. companies. In a more fractured trans-Atlantic alliance, U.S. firms may face stiffer competition in a less fair geopolitical environment and have the added responsibility of managing differing sets of compliance requirements between Europe and the United States.

Human Rights, Corruption and Norms

Within the BWI lending framework, loans are often conditioned on the adoption of policy prescriptions that protect basic human rights such as the freedoms of religion, assembly and expression. In addition, recipients of loans from the IMF and WBG must also commit to anti-corruption measures, particularly on how aid money is spent and allocated, as well as sign on to other good governance initiatives like protecting workers' rights. However, many recipient countries chafe at these restrictions and view them as neocolonial attempts to interfere in domestic governance. Recognizing this opportunity to provide condition-free financing that forges linkages with leaders in developing states, loan agreements from the AIIB and NDB omit language around human rights, anti-corruption and other good governance standards in favor of "resource for infrastructure" loan programs that are often seen as corrupt. As just one of many examples, as of 2020, Angola had received $42 billion in loans from China in exchange for access to Angolan oil.

Indeed, commenting on the deprioritization of anti-corruption in non-BWI institutions, de la Bruyère states that U.S. and Western firms that seek to bid on contracts for major development projects can become "immensely frustrated" because they cannot compete given what she calls the "corruption of the Chinese approach" and the "high degree of bribery." Therefore, as Western firms continue to seek business in the developing world, particularly in primary and raw goods markets, or as participants in the infrastructure development activities financed by these new MDBs, firms will have to be mindful of the constraints on their ability to do business given the anti-corruption and business practice norms and behaviors to which they are held accountable by their home governments.

Reputational Risk and Potential Sanctions

De la Bruyère believes that firms bidding for contracts as part of projects funded by the Bretton Woods institutions, AIIB or NDB investments will have to be mindful of "major reputational and regulatory risk." Because Chinese firms may not be held to the same regulatory and ethical standards as Western firms, consortia led by China could make decisions that run afoul of Western sanctions or other regulations. De la Bruyère suggests that firms should adopt a holistic view of reputational risks throughout the lifecycle of a deal and pursue rigorous due diligence before making agreements and continue to monitor the transaction closely. Picarsic notes that if a Chinese firm becomes aware that a competitor is doing anything that can somehow be construed as cutting corners or seeking ex parte, non-competitive support or assistance on a transaction, "the Chinese side has shown that they're able to weaponize that type of information and use it against the international competitor." The Chinese competitor may have access to Chinese government resources — including classified intelligence or surveillance technology — to potentially compromise and manipulate the international competitor via intellectual property (IP) theft, hack-and-leak cyberattacks and/or reputational attacks.

Picarsic notes the significant reputational risk faced by Western companies that have an on-the-ground local market presence and compete with Chinese firms in the kinds of project development investments that the AIIB finances. He notes "I think those risks are probably going to flow to parent entities in ways that existing compliance and oversight mechanisms probably aren't prepared to handle at the corporate level." He also points out that business activities involving Chinese entities are attracting greater scrutiny from Western politicians and regulators. For example, Disney's continued engagement with China has led to public boycotts by human rights activists such as Hong Kong democracy activist Joshua Wong. Picarsic also notes that capital markets regulators and other watchdogs will be increasingly focused on business that involves China in order to assess and mitigate sectoral exposure to human rights abuses, sanctions violations and other unethical business practices.

Related to environmental, social, and governance (ESG) standards, de la Bruyère notes that human rights issues are the first line of investigation when assessing ESG and reputational risks. For example, in July 2022, the U.S. Treasury Department's Office of Foreign Assets Control sanctioned five Chinese government officials for involvement in human rights violations against ethnic minorities in the Xinjiang Uyghur Autonomous Region. The move by the Treasury followed the publication of an advisory earlier the same month by the Treasury and the U.S. Departments of State, Commerce and Homeland Security warning companies of the reputational and legal risks of doing business with entities involved in human rights violations in Xinjiang. This followed the Department of Commerce in 2019-2020 added 37 entities to its Entity List, which flags entities with which U.S. companies are prohibited from engaging in commercial activity, or must do so under specific licenses and approvals from Commerce. De la Bruyère adds that as the incentives and abilities for official governmental watchdogs and non-state monitoring groups to uncover human rights abuses grow, this ESG risk will surface and be a bigger concern that companies will need to monitor and manage.

Picarsic adds that Western firms need to monitor closely for poor environmental performance by the Chinese firms with which they participate in development investment activities. For example, project finance agreements may have content requirements or other stipulations by Chinese finance providers that Chinese solar panels or batteries be used. The production of these materials is often done in an environmentally harmful manner. Picarsic suggests that with more global scrutiny of China-related business, and better watchdog tracking of supply chain realities, the issue of ESG compliance may become "a battleground where you see a reckoning and increasing tension between the reality of Chinese projects and the normative ambitions of ESG friendly capital and corporates."

Geopolitical Risk: Companies on the Frontline and Frayed Alliances

The relationship between China and the West has grown increasingly strained at the same time that China has assumed a more aggressive role in global finance and commerce. The COVID pandemic and the perception by some that China covered up or moved too slowly to combat the possible origin of the virus, as well as increasing concerns over Chinese intentions over Taiwan and China's crackdown on domestic dissent, have complicated China's relationship with Western countries. Even more recently, China's unwillingness to take a hard line opposing Russia's invasion of Ukraine has also been a major concern for the Western alliance. As a result of increasing tension, and the political significance that the U.S. relationship with China plays in U.S. economic and geopolitical decision-making and policy, on Jan. 10, 2023, the new Republican-led House of Representatives established, with broad consensus, a House Select Committee on China. The new committee will likely focus on Chinese threats to U.S. cybersecurity and the IP of U.S. entities, the perceived overdependence of U.S. firms on supply chains originating in China and the risk that some investments by U.S. firms in China may contribute to Chinese human rights violations or the modernization of the Chinese military. In addition, the Committee may investigate activities by Beijing to support and influence the academic study of China in the United States — namely, the use of Confucius Institutes — which it believes shape student perceptions in a manner that favors China over U.S. values and interests. Opposition to China appears to be one of the few bipartisan areas of agreement; there is every indication that U.S. relations with China will assume more politicized attention as the country moves toward the presidential election in November 2024.

De la Bruyère makes the point that China's industrial policy focuses on prioritizing Chinese companies in key strategic value chains. A continuing market risk for non-Chinese firms is the assumption that, if they are operating at a more sophisticated point on the value chain and if significant competition from China is not yet evident, they are immune to competition from Chinese firms. She says it is a mistake to ignore the preferential treatment China provides its companies or how it works to make them more competitive. De la Bruyère comments that "China's approach to international competition and power projection and as geopolitical tension escalates, is to use the private sector as a tool. China puts pressure on U.S. companies so they in turn put pressure on the U.S. government. China inflicts costs on the U.S. for the sake of geopolitical competition."

China is not only targeting the developing world but also states that have been supporters of the international liberal order and the norms captured by the BWIs. "China reaches out to other Western countries about American 'unilateralism,' and presents Beijing's approach as one that actually gives everybody a voice," de la Bruyère comments. She adds that Beijing emphasizes the economic costs of siding with Washington and suggests giving sweetheart-type deals to Western countries with the objective of isolating the United States and driving a wedge over China issues between Washington and its traditional allies. Picarsic agrees, emphasizing that one of China's objectives is to divide the United States from its allies. "In terms of Alliance maintenance and cooperation," he notes, "whether it's international trade or social and cultural trends, the Chinese are farther ahead than we give them credit for, and some of that is that we've just been looking at the wrong things." Picarsic continues to say that while the West may not see clear examples of Chinese military encroachment in areas with immediate geopolitical implications to current conflicts — such as a Chinese presence in the Black Sea, for example — there are examples in recent years of Chinese commercial and financial activities giving Beijing possible dual-use commercial and military influence over other geostrategic locations. High degrees of indebtedness to Chinese commercial lending, such as the Chinese acquisition of a 99-year lease to operate the Hambantota Port in Sri Lanka — could lead to an influx of other Yuan-denominated debt transactions that tip a sovereign nation into conceding port access, valuable raw materials or some other geostrategic asset to Chinese control.

In evaluating the trajectory of U.S.-European unity regarding China, Picarsic references the United Kingdom as a key country to track. He recalls that during the Trump administration, London aligned closely with Washington on the geopolitical threat posed by China, specifically the national security risks of allowing Chinese telecommunications company Huawei access to commercial procurement transactions that could put the privacy of communications at risk of penetration by Beijing. Picarsic points to the UK National Security and Investment Act, which came into law in January 2022. London has used the law to unwind the 2021 purchase of Newport Wafer Fab, the United Kingdom's largest microchip assembly facility, by Nexperia Holding, the Dutch subsidiary of Chinese company Wingtech Technology Co. Picarsic suggests the Newport example is illustrative and worth tracking. He believes that, if the UK continues to scrutinize Chinese investment and use the National Security and Investment Act to roll back transactions as necessary, that would bode well for the trans-Atlantic alliance with respect to working together to blunt the geopolitical threats from China coming via commercial transactions. But if the unwinding of the Newport transaction is appealed and if the United Kingdom is not able to show the resolve to use the Act to prevent Chinese commercially directed interests from accessing strategic and emerging industries, there will be cause for greater concern.

Furthermore, Picarsic raises a current test case of how China may seek to exploit the fault lines of Western alliances: the manner in which the United States and its Western allies address the discovery and recent media coverage of overseas police stations linked to the Chinese intelligence services. Various media reports have shown that China uses overseas police stations to monitor the activities of Chinese nationals abroad, harass dissidents and in some cases even forcibly repatriate them. While Picarcic acknowledges that governments' public condemnation has been fairly consistent throughout the Western world, he notes that an "interesting early indicator in the months ahead" will be the degree to which countries are willing to confront this Chinese encroachment. He poses a hypothetical question: if the response by some countries is tepid, to avoid the opprobrium of China, will that suggest that they are more concerned about losing access to Chinese markets and deals arranged through Chinese financing, such as AIIB project loan activities than such an affront to national sovereignty?

How to Respond: Practical Guidance

To limit their risk profile to these threats, there are numerous best practices organizations can implement. The primary obstacle to mitigating the legal and reputational risks of participation in potentially corrupt development projects is to obtain clarity regarding potential business partners and develop a thorough understanding of all firms involved in the life cycle of a deal. To that end, Picarsic stresses the importance of conducting robust due diligence when bidding on contracts, noting that strong due diligence can help firms "execute their compliance mandates." He further states that effective due diligence can "help with governance issues if a firm is publicly listed on an exchange." By conducting appropriate due diligence when evaluating whether to participate in a deal funded by a non-BWI institution or a Chinese-influenced firm, companies will be able to reduce their legal exposure and preempt potential sanctions if the project engages entities on a sanctions list. In particular, effective due diligence should include a thorough investigation of corporate ownership (as Chinese authorities at all levels of government have significant financial holdings in many nominally private firms) and state influence on corporate decision-making. Given that firms in China are required to host Communist Party cells if the firm employs three or more Party members, the Party-state could influence business strategy and potentially implicate partner firms in rights violations.

Moreover, in the context of reputational risk associated with non-BWI-funded development projects, firms can mitigate the fallout of frayed alliances among Western states by maintaining a low profile and avoiding direct engagement with politically-charged discussions. In practice, this means that firms must give more thought to a carefully balanced PR strategy that avoids statements or actions that could be perceived as overtly partisan or political. This approach will enable the firm to focus on business and avoid entanglement with great power competition. To complement this approach, firms can also develop a proactive media policy that assures investors and government regulators that they seek business free from bribery or impropriety. As de la Bruyère notes, because the Western world "is reluctant to engage in what rings of a return to a bipolar world," firms will have to be careful in their messaging on China-centric issues.

Both Picarsic and de la Bruyère note that ESG watchdog specialists, particularly in the human rights, corruption and environmental categories, are increasing their scrutiny of Chinese business activities, looking at the long tail of supply chains and the ecosystem of business participants in a large business transaction like complex, multiyear project finance activities. Companies may need to devote additional resources and develop more comprehensive reviews and documentation of their own ESG targets across their business as a whole, calibrating the differing expectations for ESG between the United States and Europe as necessary, and with due consideration for the ESG performance of the Chinese and other companies with which they partner or who provide business services for them.

Corporate security officers at companies with significant global business activity, particularly involving Greater China, may also need to enhance their understanding of the ongoing risk that managers and employees in their firms face with Chinese competitors that have the advantage of using government resources to monitor and manipulate those individuals. Chinese companies can use information collected about the personal lives and activities of managers and employees, as well as information about their pre-transaction activities and preliminary marketing discussions, to manipulate and create a distorted narrative that may make it difficult for these firms to continue to compete against Chinese firms for participation in transactions. Legal and compliance teams may need to create additional company processes to require structured documentation of the manner in which transactions originate and to record that compliance steps are being undertaken. This documentation also makes sense given the increasing level of scrutiny Western firms may face from home government regulators and public interest organizations.

In addition, maintaining the integrity of proprietary company plans and data is crucial, as is protecting company employees from the risks of being targeted and involved in efforts to suborn their cooperation — both of which point to a need for corporate security teams to prepare for both increased cyber and physical security threats to their data and personnel. On this point, Picarsic points out the ability of Chinese firms to "weaponize" information and use it against their competitors. The overseas police stations previously cited by Picarsic are likely designed to monitor overseas Chinese students and dissidents, but the blatant disregard for national sovereignty they represent suggests that China is capable of taking steps to secure interests that go far beyond the Western liberal order's respect for individual rights, rule of law and territorial integrity of other countries. The drumbeat of attention on all things China is likely to increase; while not engaging in fear-mongering or ignoring the very real and rewarding opportunities to participate in selective transactions with Chinese counterparts, corporate security officers may need to increase the messaging about general best practices and encourage strong internal reporting of threats and concerns regarding the company's China business given the heightened risk environment.

Navigating Growing Nationalization of Cyberspace in a Multipolar World

As the international system has become increasingly multipolar, geopolitical and national security concerns have begun to shape the boundaries of the internet, heightening compliance risks for companies seeking to navigate these competing regulatory frameworks. Some regions, such as Europe, have created a comprehensive and detailed legal framework for its citizens' data rights, in the form of the General Data Protection Regulation (GDPR), while other countries such as the United States have still not adopted a federal legal framework to address data privacy regulations. Outside of the West, other major powers like China have pursued radically different approaches to cyber regulations, reflecting a much higher level of security, evidenced by China's so-called "Great Firewall." In between, emerging powers such as India are only just beginning to bolster and revise cybersecurity policies within their respective cyberspaces amid growing foreign commercial investment in India's markets. As a result of the broad variation between different regions' approaches to regulating cyberspace and as geopolitical tensions rise, businesses will have to grapple with a number of compliance requirements, heightening their reputational and financial risks as a result of the shifting regulatory landscape. To better understand how the internet is changing and which forces are driving this fragmentation, RANE spoke with Ronald Marks, President at ZPN National Security and Cyber Strategies; John Wunderlich, Senior Advisor at Privacy Pro; Michael Morrissey, Chief Information Security Officer at PrivacyEngine; and Andrea Little Limbago, Senior Vice President of Research and Analysis at Interos.

The Move Toward Securitizing Cyberspace

As the digital revolution over the past few decades has grown to encompass most aspects of daily life, many governments have realized the vulnerabilities posed by the open nature of the internet. While digital communication has vastly improved the convenience of sharing information, the internet has also had major implications for national security, individual user privacy, and commercial and economic interests. These realizations have resulted in many governments pursuing different strategies to better protect digital information within their respective cyberspace.

Marks first points to the infrastructure of the internet, as it was originally designed, highlighting the fact that the way it was built did not prioritize security. He notes that "It wasn't built to regulate … in fact it was deliberately built the other way — so you could just put whatever out there you wanted to. And that of course has run into the kinds of problems of any mature industry where it was nice when everyone was playing nice but now we have unexpected challenges with it."
Wunderlich further elaborates on how this natural insecurity has heightened nations' awareness of the dangers posed by an unregulated internet, stating that "A lot of countries — irrespective of left, right, center, up, down, sideways in terms of the orientation of the government — are reexamining, for a number of reasons, why free flows of data turned out to be a bad idea." To many experts, the internet has already begun to fracture. In fact, from Marks' point of view, "There's already a Balkanization of the internet … The question is how far it goes."
In addition to the internet's lack of natural privacy protections, Wunderlich further highlights that data has increased rapidly in commercial value. As he explains, "The more significant data becomes economically, the more it intrudes on the stage of geopolitics and therefore national interests are engaged." Geopolitical tensions, especially between the United States and China, have increasingly included an economic component as both countries seek to advance ahead of the other in a number of strategically important sectors. The heightened value of digitized information, including proprietary data, personally identifiable information (PII) and other sensitive data has added another rationale for governments to try to take greater control of cyberspace.

A Chart List of Three Approaches to Data Privacy

The European Union, the GDPR and the United Kingdom

The European Union paved the way for a rights-based, comprehensive legal framework under the GDPR. The GDPR, which took effect in 2018, includes extensive and stringent requirements for how PII is defined and used, as well as how data is collected, stored and processed by domestic and foreign companies. Among the GDPR's provisions, the legislation upholds EU citizens' data rights, including that data is collected and processed for only its articulated use, limitations on how long clients' data can be stored and various requirements for reporting data breaches. Additionally, the GDPR requires companies to uphold EU citizens' data rights, including their right to be informed on how their data is being used, the right to access their data, the right of data portability, and the right to data rectification and erasure. The extensive compliance requirements that the GDPR enforces pose a number of legal and regulatory challenges for both Europe-based companies and foreign companies operating in European markets. Following Brexit, companies must now also navigate the added challenges of complying with emerging data privacy legislation in the United Kingdom that will likely differ from the GDPR in many ways.

Morrissey first explains the primary differences in how Europe approaches data security compared to other locations like the United States. He notes that "In Europe, personal data is owned by the living individual. It's legally their data, so a company doesn't own it. The latter are called a data controller. They control it on behalf of the individual, and the GDPR defines specific legal obligations on how controllers process such data. So that's an important legal difference between the United States and EU." This foundational difference in how the European Union shapes data privacy and security protections and puts extensive responsibility on companies to uphold this framework, heightening their legal, financial and reputational risks for not complying with the GDPR's high standards.
Failure to comply with the GDPR has resulted in many companies being fined or otherwise penalized, including many U.S. companies operating in Europe. For example, in 2022 alone, a number of companies were fined for noncompliance with various GDPR provisions. These included Meta, which was fined $405 million in September 2022 over how the company handled minors' data and Google, which was fined $57 million in December 2022 for failing to obtain users' consent before using their data for ad personalization purposes.

In addition to the GDPR's rigorous compliance requirements, the British decision to withdraw from the European Union has also complicated the overall European cyber landscape. Since the Brexit process first began, the United Kingdom has sought to enact new domestic legislation in a number of policy areas, including cyber and data regulations. Morrissey explains that Brexit has had a direct impact on any business operating between the United Kingdom and the Continent. He further explains that the United Kingdom is looking to replace the U.K. Data Protection Act of 2018, based on the GDPR, with new legislation in the coming year, which will likely create a number of digital divisions between London and Brussels.

Morrissey highlights the special attention that Europe will likely be paying to the United Kingdom as it pursues new data protections in the coming year. He says, "I think there's a bigger concern about European data going into the U.K. into the future and making sure that there's some degree of alignment between these two pieces of legislation that allows data to continue to flow. He elaborates that "The EU is the U.K.'s biggest trading market, and vice versa. Something has to be figured out that allows business and commerce to continue to operate normally regarding digital data, which is more and more important every day in terms of its intrinsic value."
Morrissey also outlines the challenges that companies will have to face in operating in both the European Union and the United Kingdom under different legislation. He states that "In reality for businesses, if you're an organization in the U.K. and you're trading into the European Union, you're going to have to comply with two pieces of legislation ... So it's going to create an operational headache for companies in the U.K. because they're going to have a double set of legislative standards that they will have to comply with." He explains further, "It's a very concerning problem for them because it's magnifying the complexity at a technical level where they have to segregate data potentially into silos based upon these geo-national restrictions which are coming down the line and that's a headache because it's both an additional operational and capital expenditure cost, as you are potentially duplicating technology across multiple geographical locations, in order to offset compliance risk."

The Fragmented U.S. Approach to Cyberspace

The United States contrasts with the broad and comprehensive EU legal framework with a more disjointed approach to its cyberspace. With no single federal data privacy regulation framework, the United States operates in a decentralized system with multiple overlapping federal agencies and organizations that oversee U.S. cyber practices, leaving states largely to decide data privacy regulations. While this fragmentation may be more attractive for some companies wishing to bypass strict regulation found in other jurisdictions like the European Union, it also poses risks because the lack of a federal data breach reporting requirement, for example, leaves businesses more vulnerable to losses if impacted by a cyberattack or if data is otherwise compromised. Though many states still do not have a comprehensive regulatory framework in place, this is changing, as several states are beginning to adopt data regulation practices modeled after the European Union.

Although federal lawmakers have made some efforts to create a more explicit data privacy framework, each has subsequently fallen through. Without a single federal framework, U.S.-based companies have freer rein and an expanded scope for data collection practices. Limbago notes that, as a result of the growing nationalization of cyberspace, many companies are reshoring to the United States. Though partially due to the extended leeway many are granted in terms of regulation, she claims that it is mostly because of a greater stability and rule of law that provides a better business environment. Nonetheless, Limbago argues that much of the reason for a lack of a federal data framework is due to lobbying by U.S. companies, saying "that's probably why we don't have a data privacy law in the U.S. yet. Instead, we've got a very big patchwork. We have 54 different data breach notification laws because, you know, some core industries have helped limit our ability to have a data privacy law."
Following in the footsteps of the EU GDPR, a handful of states have started enacting more stringent data protection laws using the EU "rights-based" model. In 2023, five states California, Colorado, Connecticut, Utah and Virginia — will begin enforcing these EU-like data privacy laws. Other states — including Michigan, New Jersey, Ohio and Pennsylvania — are also considering data privacy revisions, demonstrating a state-based trend to bolster cybersecurity protocol even in the absence of a federal mandate. While these changes will enhance cybersecurity regulations within these states, they will also pose more compliance risks to companies that will have to navigate data regulations from state to state.

U.S. cyberspace regulations are not only still being formed through various means, both at a federal and a state level, but also through international cooperation. Despite the absence of a single federal framework to govern data, the United States has participated in a great deal of international collaboration in this field. In fact, Limbago notes that although cross-data border flows are becoming more closed as a result of this growing trend toward the nationalization of cyberspace, in some ways they are also becoming more open — at least between certain jurisdictions. Indeed, agreements that allow for cross-border data flows may make it easier for companies based in the United States to straddle multiple cyberspheres, either to collaborate or work with others outside of this digital sphere or to expand their business scope beyond U.S. borders.

In March 2022, U.S. President Joe Biden and European Commission President Ursula von der Leyen announced an EU-U.S. Data Privacy Framework to facilitate trans-Atlantic data flows. Since the European Union is a major trading partner for the United States, the framework, which is still under review in the European Union, is designed to provide a legal mechanism to transfer EU personal data to the United States that addresses privacy concerns and is compatible with EU law. Washington and Brussels frame the deal as benefiting companies in both geographic regions, allowing for a continued flow of data that enables trans-Atlantic trade amounting to more than $1 trillion annually.
Additionally, Limbago highlights the "NAFTA 2.0" agreement that addresses not only cross-border physical trade, but also data flows across Canada, the United States and Mexico. In July 2020, the new U.S.-Mexico-Canada Agreement, colloquially known as NAFTA 2.0, entered force; it essentially serves as an updated version of the 1994 NAFTA. Among other provisions, the new agreement addresses technological advancements that have occurred since the original document was enacted, including clauses on digital trade rules and the promotion of cross-border data flows.

China and Digital Authoritarianism

While current U.S. data practices are relatively loose and decentralized, and the European Union is characterized by rigorous protections for its citizens, China represents a different type of stringency that moves away from individual data and privacy protections and more toward strict data reporting to the government, which has extensive reach into citizens' and companies' private data. This poses challenges for companies operating in China, as they balance the risks of keeping their data locally in a country known for its corporate espionage and intellectual property theft. Limbago explains that the motivations behind China's laws governing its cyberspace are to create a system that helps the government stay in power — one that gives it access to information and the ability to manipulate data and access as it sees fit.

The cyber regime in China is characterized by strict reporting requirements to the ruling party and heavy government involvement in many industries. Within the country, Limbago notes that "digital authoritarianism also includes an aspect of domestic company favoritism. And so you also see companies starting to get pushed out of some markets because of that and so it kind of all goes hand in hand as far as a broader strategy … because many of the domestic companies in these countries are very much used to those kind of data policies and aren't necessarily as concerned because there's such a tight link between the estate and enterprise than government anyway." This highlights risks for companies moving into China, not only because of the stringency of the existing data privacy framework, but also because it is more difficult for foreign companies to succeed in a Chinese market that shows favoritism to domestic companies.
Morrissey points out that Beijing's nationalization of cyberspace is not a new phenomenon that companies are dealing with when considering moving into China. He describes China as "the progenitor of this nationalization of data" and that "for the longest time now every U.S. corporation could write the book about what the experience is like going into China where you are segregated straight away. So everything you do in China stays in China. And that's the reality, the Great Firewall of China, as they call it ... Any businesses that are looking to move into the Chinese market inevitably are going to have to align with those national laws, both privacy and others."
Limbago elaborates on this by explaining that historically, "for many countries ... that was almost a Faustian bargain. In exchange for having access to that market they understood there would be some sort of risk as far as access to data and so forth." Nonetheless, as cyberspaces continue to fragment and follow this trend of nationalization, "in many cases, [companies are] starting to realize that the balance of risk reward is starting to tilt away from the reward being as big as it was. And that's where we see so many companies either thinking about reshoring away from specifically China or already have started that process." For companies that are thinking about reshoring back to the United States, or just starting to think about operating in China, it is important to weigh priorities and implement the diversification suggested by Limbago.

When companies outside China that may not be accustomed to the culture of digital authoritarianism are thinking about operating within China's cyberspace, Limbago highlights that it is important to remember that any data that resides on China's sovereign territories must be stored there and adhere to its data laws, potentially allowing the government to access and manipulate data. She says that, in contrast with the EU's "rights-based" protections, in China, "instead of having data protected … the government can access that data under the claim of national security or really in many cases, just because they want to. But that's legal." As Limbago highlights, under digital authoritarianism, the government, under the auspices of national security, can formulate reasons for accessing data that would not be legal elsewhere, thereby creating higher data risks for companies operating in this cyberspace. This is important for companies to keep in mind when operating in China's cyberspace. If there is sensitive data being handled, it is crucial that companies weigh their options in terms of segmenting where certain data is located.

Limbago elaborates on this point, calling for data segmentation and diversification, the process of separating and storing various data in different locations depending on the perceived risks of keeping data in different regions. When talking about concerns with China, she says, "Some aspect is just having the access to their data. Other aspects are really thinking about where your data centers are and making sure those are diversified and having to also focus on data segmentation for companies ... really making sure you do have the data segmentation becomes huge. So because you have to store the data in China and in various countries, making sure that as little is stored there as possible."

India and Emerging Powers

Outside of Europe, the United States and China, other countries have pursued a mix of data regulation frameworks in line with varying degrees of liberalization or authoritarianism. Some countries, such as India, have become increasingly attractive for foreign companies looking to expand into emerging markets with high commercial potential. Emerging powers like India are also becoming more attractive alternatives to other countries like China, which has historically attracted many Western companies looking for cheaper manufacturing and labor options. As geopolitical tensions have risen between China and the West, companies are seeking to minimize their political risk by investing in other countries, including India. While India is one of the fastest growing major economies in the world, it has also experienced significant political gridlock in its efforts to create a national cybersecurity framework. Partisanship and concerns from domestic and foreign companies have repeatedly prevented the Indian government from passing updated data privacy directives, creating an uncertain legal and regulatory environment for companies operating in India.

Morrissey underscores the importance of India for Western businesses, stating "I don't know any company here in Europe or in the United States that does not have some commercial relationship and outsourcing arrangement with India. They're critically important in a lot of this because in many contexts Indian companies have significant access to data in the EU and North America."
To mitigate compliance risks posed by operating in emerging powers' markets like India, Morrissey recommends that, "if you're using Indian companies to process your data, such as in technical support and other service-driven type roles, then it's going to come down, like it always is, to good practice in terms of cybersecurity. You need to really make sure you're extending your scope of cybersecurity best practice out to those partners in India so that they are aligned with your own standards which you have implemented, and that you have the necessary visibility on how they are using your data as well." By maintaining strong internal cybersecurity standards and by staying aware of India's regulatory developments, companies can still benefit from the economic opportunities that India offers while limiting their exposure to inadvertent compliance risks.

Best Practices for Companies

The current international cyber landscape and trends toward further nationalization in 2023 will pose significant challenges for companies. Aside from the specific actions companies can take in each of the aforementioned jurisdictions, there are a number of general best practices.

Of paramount importance, Wunderlich emphasizes the need for companies to have a holistic and critical risk management plan when operating across different cyberspaces. According to him, companies first "need a clear-eyed enterprise risk management view of your data … Start from a risk management approach, understand what your data is and make sure you have an up-to-date and reasonably commercially viable security program." Specifically, Wunderlich emphasizes that companies need to think critically about how their data is protected in higher risk economic environments and developing markets, for example, by sharding or partitioning data into different secure databases. He suggests that companies ask themselves, "'Can I share my data in such a way that I have reasonable resilience and redundancy and still address the possibility that various jurisdictions that I operate in will require data localization that I have to demonstrate?'"
Outside of internal cyber infrastructure, Wunderlich also emphasizes the importance of data minimization. He advises that companies make sure they "collect the minimum amount of data because data is opportunity and risk … You make money off of data but the more revenue you can generate off of data, the higher the risk that it's breached or misused." By minimizing data collection, companies can proactively mitigate any potential reputational or financial fallout in the case of a data breach, especially as such cyber breach incidents continue to evolve as a primary cyber threat. In the same vein, companies can also maintain clear data retention and destruction policies to ensure data is being properly handled internally and is at the least risk of being directly or indirectly compromised in a data breach.
Limbago puts particular emphasis on data diversification and segmentation, specifically, separating aspects of your data and minimizing which locations you keep your proprietary data locally stored. As Limbago highlights, "having all of your eggs and basket turns out to be quite risky." When talking about China, she notes that "it doesn't have to be all or nothing. You can still keep some footprint in China, but it's more than diversification." Though China is a clear example of why companies may need to segment and diversify their data, this recommendation can be applied more generally for companies operating in multiple cyber realms — not just in China.
Additionally, as Morrissey previously mentioned specifically in the context of India, it is broadly in companies' best interests to expand their scope of cybersecurity best practices, not only for their own cyber protections, but also to ensure their foreign partners are aligned with their company's internal standards. Maintaining a common framework across international partnerships, in addition to staying abreast of the local regulatory environment, can also help companies mitigate the risks of operating in a multipolar landscape. For example, for companies operating within the United States, it will be useful for compliance teams to ensure they are aware of changing U.S. state and federal privacy and security legislation, in order to anticipate any changes that may impact their operations. Increasingly, compliance plays an important role in informing capital and operational investment, in particular for technology. Morrissey notes that digital advertising is an excellent example of this, where changes in global privacy law have created a major need for institutional change at the technical level for that sector.

In spite of the myriad and growing risks within the cyber realm, Wunderlich also encourages companies to nevertheless investigate ways to capitalize upon the increasingly multipolar international system. He urges corporate leaders to ask themselves, "If we're coming out of a period of globalization and we're getting into a multipolar commercial world, not just a multipolar geopolitical world, how do you position yourself to take advantage of that? What's the business model that allows you to take advantage of that? How can you pivot and take advantage of where you think things are going?" To do so, Wunderlich references the importance of having a clear-eyed enterprise risk management view to enable a company to make an informed, analytical decision about the costs and benefits of operating in foreign markets.

From Tax Credits to Subsidies and Green Technology, The New Protectionism

The United States and Europe are embracing climate-focused protectionism for political, economic and climate-related reasons, and consequently upending aspects of their free trade environment that have existed for decades as they increase trans-Atlantic trade barriers. The U.S. Inflation Reduction Act of 2022 included some of Washington's most significant protectionist measures for its industrial sector in recent years, triggering tension with its European allies due to stringent requirements for electric vehicles qualifying for tax credits. The EU is now preparing to introduce its own subsidies in response. To discuss what is driving their respective policies and the implications for multinational corporations, RANE spoke to Jason Cherish, Founder of Atlas|Bear; Marc A. Ross, Chief Communications Strategist of Caracal; and Robert Ludke, Founder of Ludke Consulting.

The Inflation Reduction Act Aims to Boost U.S. Jobs

A Bar Graph Showing Green Tax Credits in the Inflation Reduction Act

The Inflation Reduction Act (IRA), signed into law on Aug. 15, 2022, includes a raft of support measures for the U.S. green sector and electric vehicles (EVs), with total financial assistance reaching an estimated $396 billion. Although the IRA includes a number of corporate and consumer tax credits beyond the automotive sector, the clean vehicle tax credit has proven the most controversial due to the fact that some of its provisions, critics argue, discriminate against foreign companies and inhibit competition in favor of supporting the U.S. industrial base. In order to be eligible for a newly purchased EV to qualify for a full $7,500 tax credit, the vehicle must have its final assembly occur in North America, with a certain percentage, from less than 50% in 2023 to 100% in 2029 and beyond, of its battery components being manufactured in North America and a certain percentage, increasing from 40% in 2024 to 80% in 2026, of its critical minerals processed in North America or a country with which the United States enjoys a free trade agreement (FTA). Critics argue that the first two conditions – the location of final assembly and the percentage of battery components being manufactured in North America, provisions designed to support U.S. jobs – discriminate against EU, Japanese and South Korean automakers that have not shifted their final assembly to the United States or rely on battery and battery component manufacturers based outside of North America.

A Chart Showing How Vehicles Qualify for the IRA's EV Text Credit

Although the IRA represents a sincere and aggressive attempt by the United States to invest in the green energy transition, the protectionist measures also reflect a shift in U.S. mentality towards free trade and its industrial policy. Ross says, "clearly, politicians in the U.S. government decided to go all in on energy nationalism [and] technology nationalism," adding that the Inflation Reduction Act and the broader shift towards energy and technology nationalism "has been the [strongest] industrial policy formulation I've ever seen [in] 20 years." Cherish points out that right now in the United States, there is a consensus between left- and right-leaning politicians around protectionism, a novelty in the current political climate, and this is being driven by the confluence of social and political forces, including calls for more action to address climate change and local political drivers (i.e., job creation). Cherish adds that he thinks there is a recognition in the United States of a "realignment in the 'Global World Order'" and this is driving the United States to consider "economic security and resource security [and] that's just manifesting in the green industry."

Ludke agrees and says that there is a mix of three things driving the U.S. green protectionist policy. First, he thinks that the U.S. is demonstrating pragmatism by creating "greater energy security" that lessens dependence on foreign resources. Second, Ludke argues that there is a degree of idealism related to the need to address climate change. Finally, Ludke says U.S. policy has the potential to foster also reflects "long term-ism," with the government, adding that the government seems to be trying to foster new long-term industries able to compete well into the future and spur innovation – although he believes the outcome of that goal is uncertain.

The European Union Will Have No Choice But to Respond With Its Own Protectionism

The social and political drivers that Cherish, Ludke and Ross point to as prompting the U.S. to take more protectionist strategies all predate the Biden administration and previously led the Trump administration to adopt a hard-line stance on trade issues, including Trump's own attempt to protect the U.S. automotive industry, first through renegotiating the North American Free Trade Agreement (NAFTA) in a way to increase regional content requirements for vehicles and as well as threats to place 25% tariffs on vehicles produced by foreign manufacturers. Thus, for many U.S. allies, the IRA's passage represents a point of continuity for U.S. protectionism, even though the landmark legislation is packaged as being focused on green technology.

The EU, Japan and South Korea have lobbied hard to try to get the United States to modify the IRA's EV tax credit requirements so that their vehicles would qualify for inclusion, but the Biden administration's unwillingness (and the need for Congressional changes to the IRA) to do so, is a demonstration, that, especially when coupled with the Trump administration's protectionist tariffs, many of which remain in force, free trade is falling out of vogue in Washington. This, in addition to the erosion of the World Trade Organization's (WTO) tools to adjudicate disputes, will likely lead to more protectionism in the future.

Over the last decade, the WTO's institutional strength has eroded significantly. Since 2016, the United States has blocked new appointments to the WTO's Appellate Body, which functions as a review body for appeals of panel rulings. WTO panel rulings on disputes are not finalized until the appeals process is concluded and since December 2020 the entire body, which normally includes seven members, is vacant due to the U.S. blockage. This has made it impossible for governments to go through the normal trade dispute process and easier for governments to implement protectionist measures without concern about a potential WTO ruling against them in the near future.

The U.S. stance is driving the EU, where many member states have long had a more pro-interventionist industrial policy, in contrast with the United States, to increase support for their domestic green industries to compensate for the new U.S. policy. On Jan. 17, 2023, European Commission President Ursula von der Leyen announced the EU would prepare the Net-Zero Industry Act, a law to boost the green energy sector and introduce more state aid for the sector, as well as establish a new European Sovereignty Fund to keep companies from moving operations to the United States. Interestingly, the proposed policy must be carefully calibrated in order to avoid fragmenting the European market and causing competition between and among members, illustrating how Europe is not immune to its own form of protectionism. Von der Leyen's plan does not have universal backing in Europe, but the UK's exit from the bloc in 2020 weakened pro-free market voices within the EU compared to members which call for more protectionism and state-led development. Thus, even though the act is likely to undergo many changes (for instance, it is unclear if key measures, like the European Sovereignty Fund, financed by €807 billion of common debt, will be approved by some key member states, like Germany), some form of increased protectionism, subsidies and other overall EU and individual member state aid is coming down the pike.

Greater Protectionism Brings Opportunities For Small Companies, But Risks to Innovation and Global Supply Chains

Cherish, Ludke and Ross all agree that the shift towards Western protectionism in the green sector will have profound impacts, both positive and negative, for corporations and the environment. Each expert highlights that protectionism will have a significant impact on supply chains and regionalization and that government pressure will create new risks for multinationals trying to maintain global sales and supply chains.

Ross says there is a lot of U.S. government pressure to bring manufacturing back to the United States, or at the very least perhaps to Mexico or Canada. He points out that regional manufacturing was a key part of the North American Leaders Summit held in January 2023 and that onshoring to a trusted trade partner is a viable option.
Cherish similarly points to the regionalization of trade areas as seen with the emphasis on North America in the IRA in an era where the emphasis on climate-friendly investments has countries scrambling to secure sufficient resourcing. When contextualized in the broader global picture of increased competition, regional trade blocs are a potential source of collaboration for investment and innovation.

Ross also questions whether or not business leaders will respond entirely to governmental pressure, pointing out that some American multinational companies like Ford also view China as a strategically and commercially important market, regardless of the risks involved. Ford, for example, sold over 600,000 cars in China in 2021, compared to 1.9 million vehicles in the United States. Ross says the only real viable strategy for companies exposed to China who intend to remain engaged there is the China Plus One business strategy that has been becoming more popular over the last decade. In the China Plus One model, companies avoid investing only in China and seek to also invest in supply chains beyond China, often in Southeast Asia, to build up alternative supply chains. For companies operating in industries affected by the IRA, like the battery industry, investing in countries with which the United States has an FTA may be crucial in order to fulfill new conditions for the EV tax credits, such as future new percentage requirements for the number of critical minerals needing to be produced in the United States or a country with which it has an FTA.

There is also reputational vulnerability for companies that do not follow through with an onshoring program. Ross imagines a situation in which executives are questioned by congressional legislators about why they are not sufficiently investing in their U.S. operations. Furthermore, he foresees the potential for a "name and shame" situation with questions about why investments have been allocated in a specific part of the world.
At the same time, executives must continue to be cognizant of the response of Wall Street and their responsibility to shareholders and customers, which in some cases may be in opposition to politicians' desires for onshoring. The combination could lead to what Ross calls a "dynamic environment" for CEOs and Western companies as they navigate the complex situation.

Cherish and Ludke warn that rising green nationalism and the push to control supply chains potentially create risks in other countries as the United States, EU and China compete over some of the raw materials that are needed for the industry. The lithium and cobalt markets alone are expected to reach $15.4 billion and $19.4 billion, respectively, by 2028. Cherish notes that there could be "proxy conflicts over resources that end up just destabilizing entire places." Ludke adds that "if both [the West and China] start playing games with how materials are sourced, then the competition becomes destructive rather than productive." Many of the raw materials needed for the green industry, including nickel, cobalt and copper, are produced in developing countries. The Democratic Republic of the Congo, for example, is home to the world's largest cobalt reserves, approximately 70% of the global supply according to the IMF, which are used in lithium-ion batteries. If U.S. and European companies are being pushed to invest more into mining operations in some of these areas, like Congo, Cherish says companies might "get caught up in the storm that [they're] not anticipating." This would create added ESG risks – for instance, children are often employed in artisanal cobalt mining – for not only Western companies directly involved in these countries but also for firms that source raw materials for processing domestically.

While the impact of regionalization will be disruptive for multinational companies that are now forced to modify their supply chains, Ross also points out that it "could actually be a real opportunity now for smaller, midsize businesses," if they present themselves as an ally in onshoring or nearshoring because the IRA provides a more competitive environment. He uses the battery and semiconductor industries as prime examples of supply chain modification.

Ross notes that investments into these industries, while often announced by large automakers, create an ecosystem that small and mid-sized companies can take advantage of. This ecosystem is only likely to grow as the conditions that the IRA attaches to EV tax credits become more stringent and require that a higher percentage of EVs' battery and critical minerals technology be produced in North America (or a country the United States has an FTA with, which the EU does not qualify for).
According to the Center for Automotive Research, the automotive industry in the first eleven months of 2022 collectively announced $22 billion in planned investments into battery plants in the United States. According to Atlas Public Policy, in 2022 automakers announced $73.6 billion in EV manufacturing investment, $20 billion more than automakers announced over the previous seven years combined.

Ludke and Cherish warn, however, that while subsidies for the green industry are politically en vogue right now, sentiment in the United States could shift in the future. Ludke believes that the unpredictable nature of the policy process is a much greater driver of uncertainty for corporations than macroeconomic factors. He noted that, historically, dismissed macroeconomic factors as a main driver of uncertainty for companies, but homed in on the consistency of policy, which can change quickly as control of Congress shifts. He recalls pieces of regulation and legislation, particularly those based on wind tax credits that required regular congressional review and renewal, were often subject to the partisan, political whims of policymakers. As such, the policy outcomes were always in doubt as examples of policy that could rapidly change, thus forcing businesses to abruptly alter strategy and/or serving to deter them from making major financial commitments in the first place given the potential for downside risk.

Cherish offered similar caution about how shifting political sentiments could have a material impact on investment decisions when policy changes unexpectedly. With the Republicans now in control of the U.S. House of Representatives and House Speaker Kevin McCarthy being forced in January to give significant political concessions to fiscal conservatives during his bid for the Speaker position, policy whiplash is a risk.
This is especially the case as more Republicans are setting their sights on ESG-related issues and promising to open investigations into companies – principally financial institutions – that are incorporating more stringent climate goals into their investment strategies. In a notable example of ESG backlash, the State of Florida announced in December 2022, that it would divest $2 billion in assets from BlackRock in protest of the asset manager's stance on ESG investing.
Ludke warns that many European leaders question the U.S. commitment to Biden’s IRA climate measures, pointing to the Trump administration's decision to exit the Paris Agreement as something particularly scarring for Europe. With U.S. presidential elections looming in 2024, it is possible that U.S. policy priorities could shift again, particularly as Republicans have criticized a number of agreements Biden signed at recent UN Climate Change conferences.

Cherish and Ludke both warn that protectionism, as well as the U.S. shift towards more interventionist economic policies in the green industry, may have an impact on innovation. Cherish says that there is going to be a "tradeoff for innovation for the U.S." and that government intervention can limit innovation. Ludke says, "the big question is, 'is [the IRA] structured in a way that's going to foster the frameworks needed to scale innovation in a way that transforms markets?' I think that is a very, very open question and I'm somewhat skeptical that the bill was designed with that in mind." He believes that the United States has historically had more success in developing the EV and green industry than Europe, pointing to Tesla's emergence and the growth of the solar and wind industries in the United States. Industry sources note that the U.S. solar industry alone generated $33 billion in private investment in 2021 and, together, solar and wind accounted for a record 13% of U.S. power generation in 2021. Ludke also points out that historically the EU has had more of a policy-centric approach to its industrial policy when it comes to the sustainable economy, while the United States has had more of a market-centric approach. This raises the question of whether the United States adopting a more policy-centric approach through the IRA and other forms of protection could stifle U.S. success.

Heightened competition between the EU and the United States over green technologies also risks creating competing technology standards and regulations that also stifle innovation. In addition, more stringent qualification criteria for tax credits, subsidies and other financial incentives can create challenges for multinational companies to navigate because a one-size fits all approach will not necessarily lead to qualifying for all Western tax credits given that there may be no way to use a greatest common factor solution; for example, if the United States and EU both require final assembly in North America and Europe, respectively, it is possible that the United States and EU thresholds cannot both be met.
Amid these challenges, Ludke points out that protectionism could offer at least one positive development in helping foster startups that innovate, but his question remains whether the new policy can foment scalable innovation able to effectively address systemic challenges, from energy security to climate change and inequality.

Finally, Cherish warns that through their protectionist measures and government policies, the United States and EU may be overly focusing on emissions reductions at the expense of other aspects of climate change – and points out that doing so is also a key risk for companies. He notes that companies have become especially sensitive to the emissions issue because they view it as being in the interest of most people and a green initiative that is easy for non-experts to understand. However, Cherish raises questions about whether most companies are genuinely committed to emissions reduction given the technical knowledge needed to make the adjustments to operations and evaluate progress, versus the desire to ensure compliance with standards. He divides the business community into two groups when it comes to emissions: those with genuine concern and interest, and those with purely compliance and reputational interest. Cherish adds that there could be legal exposure for companies whose public narrative is one of emissions reduction but whose actions do not align with public statements. When the actions and public statements are not aligned it also creates reputational risks for companies.

Some of what Cherish notes has already come to fruition in Europe. In recent months, the EU and several member states have launched new investigations and proposed new anti-greenwashing laws, designed to make sure companies are transparent about hitting their climate targets and clear about what they are promising. The European Securities and Markets Authority in November 2022, for example, warned it may create quantitative thresholds for investment funds to use sustainability-related terms in their names.
In the United States, the SEC proposed a new rule in 2022 around climate risk disclosure requirements and is expected to issue a final rule by May 2023. If adopted, the rule will require companies to report their emissions and net zero transition plans.

Proactive Guidance

RANE analysts' extensive research, including leveraging the experience of our network of trusted experts, has led to the compilation of these recommendations for businesses. These recommendations reflect a range of concerns that could impact global operations, especially in an era of increasing green protectionism.

North American and Europe-based multinationals should evaluate options for strategic changes in their supply chains to include, over the long run, increasing the proportion of regional suppliers (via the U.S.-Mexico-Canada Agreement and European Economic Area). Increased awareness in this area facilitates quicker reactions to new developments.
Companies should invest in scenario planning surrounding protectionism-related climate policies, including new requirements for local suppliers, emissions-based tariffs and subsidies, and evaluate how each scenario affects their supply chains and profitability. Such planning will help companies identify exposures to certain scenarios and, if necessary, develop contingency strategies.
Companies operating in green technology areas should consider, expand and/or accelerate plans to adopt a China Plus One model – which invests in at least one country outside of China as a hedge against complete dependency –- if they still want to be able to sell into the China market and consider establishing supplier and producer relationships with companies in several other countries where cheap labor is plentiful. If nearshoring is not feasible, then companies should explore alternatives elsewhere in Southeast and South Asia.
Companies operating in green technologies that are highly exposed to sales in the Chinese market should review their long-term strategy for market prioritization, as operating in China's market will become more difficult for Western companies as China is expected to continue to push for self-sufficiency in most green technologies.
Companies can help try to insulate themselves from policy volatility at the national level by establishing closer relationships with local political leaders (at local, state and federal government levels), though this will be a careful balancing act. While establishing such ties will give those politicians incentives to try to limit the impact of any changes in subsidy and spending plans, corporate lobbying can also generate negative media scrutiny which means it is all the more important to ensure compliance with campaign finance and other regulations.
Increased competition over natural resources has the potential to spark conflicts and exacerbate existing ones in parts of Africa, making it prudent for companies to carry out contingency planning surrounding possible escalations in violence in countries where there are few alternative suppliers for a resource, like in the case of Congo's control of cobalt.
Companies directly involved in the development of natural resources for the green industry should ensure that their local partners, including local governments, and employees are properly vetted for concerns about child and forced labor, involvement in violence and similar risks. Companies consuming such materials should carry out similar due diligence for their suppliers to avoid reputational and potential legal repercussions.
Slower innovation in the green sector could make it more costly, or even impossible, for companies to achieve explicit emissions reduction and other energy transition-related targets; coupled with the higher regulatory requirements regarding climate disclosure by the SEC and other regulatory agencies, these trends will require companies to frequently monitor technological progress, innovation and adoption of new technologies and modify and potentially scale back pledges, particularly commitments made for 2030, accordingly. This will open up companies to other risks (such as grassroots campaigning by environmental activists), which require companies' security personnel to consider new threats to companies.

Closing Ranks: How Russia's Invasion of Ukraine Strengthened Sanctions Regimes

Following Russia's invasion of Ukraine in February 2022, Western allies unleashed proliferating sanctions with unprecedented speed and coordination. Nearly a year on, empowered investigative and enforcement authorities are undertaking a collaborative effort to identify and prosecute sanctions evasion, and the net is widening. While Russia is the direct target of these efforts at the moment, governments are learning lessons and are carefully positioning themselves to be prepared and ready to act should other countries, such as China, take any action that would provoke international condemnation. Compliance teams must not only ensure that their sanctions compliance efforts, practices and policies are fit for purpose, but any company with a global supply chain must also conduct deeper due diligence into its product’s end-use and end-user to avoid any potential legal or reputational damage. RANE spoke with DJ Peterson, President at Longview Global Advisors; Rod Tuvaev, CEO and Founder of Sanctions Adviser; and Matt Zweig, Senior Director of Policy at FDD Action, to better understand what to expect and how compliance teams can prepare.

Russia's Invasion Accelerated Existing Sanctions Trends

Russia's invasion of Ukraine prompted an unprecedented and highly coordinated range of sanctions and export controls introduced by the United States, the United Kingdom, the European Union, Canada, Australia and Japan, among others, representing the most severe sanctions ever imposed on a major economy. But while the scope, speed and level of coordination of these sanctions is unprecedented, they represent merely an acceleration of existing trends — such as sanctions hyperinflation and autonomous sanctions regimes — rather than a complete paradigm shift.

A November 2022 whitepaper from financial markets data provider Refinitiv revealed that sanctions hyperinflation, defined as "an established trend in which the total number of explicit sanctions across the globe has increased significantly over time," has been occurring for at least five years and "the recent increases driven by the Russia-Ukraine war have not necessarily resulted in sanctions that were historically unprecedented at a global level." Peterson agrees, noting that building 'sanctions muscle memory' has been happening for years in Iran, Libya, North Korea and Venezuela. He says that the sanctions apparatus has built up an institutional knowledge of what to do, how to do it, what works, and what the impacts are. One of the lessons he thinks regulators have learned over recent years is that sanctioning individuals, while a common strategy in the past, is largely symbolic and has limited effects, so in this case, they've been more aggressive in sanctioning companies as well as financial institutions and financial flows more broadly. The sanctions that the U.S. imposed on Russia in 2014 were more sophisticated and targeted than previous sanctions, he says, and it is clear U.S. authorities learned from those and were able to take things to the next level in 2022. Peterson anticipates that they will do so again in any future sanctions regime.

The Refinitiv paper also found that consensus-based sanctions mechanisms created under the guidance of the United Nations have become an increasingly minor part of the global sanctions landscape (driven by a polarized Security Council), and 98% of all sanctions are now issued autonomously by national governments or regional bodies. Prior to the Ukraine war, collaboration among the main autonomous sanctions players – the United States, European Union, United Kingdom, Canada and Australia – was typically on an ad hoc basis. In 2021, the U.S. Treasury conducted a comprehensive review of how U.S. sanctions authorities, strategies and implementation have evolved since Sept. 11, 2001. The results of the study found that sanctions are more effective when coordinated with allies and partners, helping to account for why the Biden administration made multilateralism the foundation of its response to Russia. The United States began building its coalition in advance of the war and, in November 2021, the U.S. intelligence community shared with its allies and partners in Europe the intelligence pointing to Russia's potential invasion of Ukraine and began laying the groundwork for the response. Although not every decision was finalized by February 2022, the United States, its allies, and partners had developed a concrete set of initial actions and plans for how to execute them.

The ability of the West to respond quickly and decisively to Russian aggression allowed autonomous action to gain credibility, causing some hitherto-resistant countries, including Japan, New Zealand, Switzerland, Monaco and Singapore, to positively reassess the option of autonomous sanctions.

A Shift in Regulatory Capabilities, Remit and Appetite

Russia's invasion of Ukraine catalyzed many governments to speed up the approval of previously introduced sanctions reforms or push through new legislation that would enable them to move swiftly and flexibly within the sanctions landscape. Given that the number of sanctions, the seniority and profile of the individuals sanctioned, the size of entities targeted, and the aggressive scope of the economic measures imposed have been an escalation from historical norms, the enforcement powers of U.K. and EU regulatory authorities, in particular, have expanded in kind.

In the United Kingdom, the Economic Crime (Transparency and Enforcement) Act 2022 (the Act) came into force on March 15, 2022, introducing a range of measures intended to tackle economic crime. The Act, first proposed in 2016, was fast-tracked through parliament following Russia's invasion of Ukraine. The Act makes changes to the Sanctions and Anti-Money Laundering Act 2018 (SAMLA) intended to facilitate speedier alignment of U.K. sanctions with those imposed by international partners. Other changes to the Act aim to provide greater flexibility when enacting autonomous sanctions and seek to increase the enforcement of breaches of financial sanctions. The U.K. sanctions authority, the Office of Financial Sanctions Implementation (OSFI), has been increasing its resources to deal with the workload arising from the recent sanctions, reporting in November 2022 that it would be scaling up to over 100 full-time employees – from about 45 employees before the Russian invasion of Ukraine – by the end of 2022.

Aside from its recruitment drive, OFSI is "seeking to move from a reactive to a proactive compliance and enforcement model" and to accelerate its ongoing transformation program as a means to adapt to the challenges ahead.
OFSI's 2022 Annual Report noted that it is "significantly enhancing its ability to ensure effective enforcement." In 2023, OFSI will take on more, and more complex, enforcement cases to match its increased resourcing and capabilities. New powers provided by the Economic Crime (Transparency and Enforcement) Act 2022 will likely make it easier for OFSI to investigate suspected breaches and impose fines where contraventions are identified.

In the European Union, on Nov. 28, 2022, violation of EU sanctions was added to the "List of EU Crimes," and on Dec. 2, 2022, the EU Commission (EC), the bloc's executive body, put forward a proposal to harmonize criminal offenses and penalties for violations of EU sanctions. The European Commission hopes that recognizing EU sanctions violations as a criminal offense will guarantee a greater degree of harmonization of enforcement and make it easier to investigate, prosecute, and punish sanctions violations in all member states.

If this proposal is formally adopted unanimously by the Council – made up of member states' heads of state or government – it will allow the adoption of a Directive that sets out minimum rules concerning the interpretation of, and penalties for, violations of EU sanctions. While the actual enforcement of EU sanctions will remain the responsibility of individual member states, this will establish a baseline level for the member states' law in this area.
If the Proposed Directive is adopted, potentially later this year, many national legislators will have to revise their current enforcement frameworks and may take the opportunity to adopt a more comprehensive approach as the intensity and importance of sanctions continues to increase. With enhanced cooperation at an EU level and the European Commission's proposal of a fine minimum of 5% of worldwide annual turnover, fine exposure for companies would increase substantially.

Additionally, the European Union's Russian sanctions package adopted in October 2022 grants the bloc broad new powers that would allow it to target "natural or legal persons, entities, or bodies" inside and outside of the European Union who facilitate circumvention of EU sanctions. The introduction of secondary sanctions – which put pressure on third parties to stop their activities with sanctioned countries, entities, or persons by threatening to cut off the third party's access to the sanctioning country – indicates a major policy shift and brings the European Union closer to enforcing EU sanctions on foreign companies directly.

While enforcement in the European Union remains complicated and uneven due to execution falling to member states, EU officials are reportedly considering the establishment of a central authority, similar to the U.S. Treasury's Office of Foreign Assets Control (OFAC), to enable tougher and more consistent enforcement of sanctions penalties across the bloc and improve information flows between the national enforcement authorities. However, the creation of an EU sanctions enforcement agency is unlikely due to the aversion of national governments to relinquish power.

The European Union could also give its planned Anti-Money Laundering Authority (AMLA) the power to oversee sanctions by amending legislation currently under review by the European Parliament and member states, according to a statement made by Financial Services Commissioner Mairead McGuinness in a July 2022 interview.
McGuinness said Brussels is considering a number of other changes to strengthen the EU sanctions regime, including considering forcing sanctioned entities to disclose their assets, with criminal penalties if they attempted to hide any. It is also looking at harmonizing definitions, including what constituted control of a sanctioned entity and widening registers of beneficial ownership of assets.

Beyond the United Kingdom and European Union, countries with less developed or utilized sanctions regimes are responding to Russia's war in Ukraine in ways that will make them larger players in the sanctions environment.

While Australia has an autonomous sanctions regime, it has significantly expanded its remit since February, including by imposing new "thematic sanctions" on a number of Russian citizens under recent amendments to its Autonomous Sanctions Act. On March 29, 2022, for the first time, Australia implemented sanctions under its Magnitsky-style (thematic sanctions) laws, which were introduced in December 2021. Australia designated 39 individuals, including a number of Russian individuals allegedly engaged in serious corruption and human rights abuses.
New Zealand's Parliament unanimously passed the Russia Sanctions Act on March 9, 2022. Although the law was motivated by a desire to punish Russia for its invasion of Ukraine, it will have long-term implications for New Zealand's policy toward China as well. A spokesperson for the Act remarked, "We need to make sure that, if another country does this in the future, like China to Taiwan, they know that we will have their back too, that this will not just be the end, it won't just be Russia."

All Eyes On China

New Zealand is not alone in watching China with caution in light of Russia's invasion of Ukraine. Viewing Beijing as an increasingly disruptive power, U.S., Taiwanese and Japanese officials in particular are more anxious about the possibility of China trying to attack or impose a blockade on Taiwan. In line with the trend of governments increasingly using financial levers to forward national security goals, as of September 2022, the United States was reportedly considering options for a pre-emptive sanctions package against China to deter it from invading Taiwan, according to several sources who spoke to Reuters under the condition of anonymity. U.S. conversations about Chinese sanctions reportedly began after Russia invaded Ukraine in February, but took on greater urgency after China launched a major military exercise in August 2022 in response to a visit to Taiwan by then-U.S. House Speaker Nancy Pelosi.

The war in Ukraine has shown the value of broad alliances. Although thus far, the United States is the only country reportedly working on a sanctions package against China, the White House is now reportedly focused on getting its allies in Europe and Asia on the same side. In the fall of 2022, Washington pressed NATO members to harden their language on China and start working on concrete action to restrain China.

NATO held its first dedicated discussion on Taiwan in September, to share intelligence on China's actions and debate ways in which a potential military conflict over the island would affect Euro-Atlantic security.
At the end of November, NATO ministers conducted a comprehensive discussion on China, part of which involved the United States urging the transatlantic security alliance to pay more attention to the ramifications of possible Chinese military action against Taiwan. NATO ministers discussed potential action, including export controls and ways to protect strategic infrastructure from Chinese investment, in talks that the United States said showed "growing convergence" among NATO countries on the issue.

Common wisdom, Peterson says, is that the United States cannot impose the same types of sanctions on China as it did on Russia given China's overall much greater importance to both the U.S. and the global economy. While he agrees in principle, he does not think the United States would shy away from imposing sanctions should China make an equally aggressive move, like launching a full-scale invasion of Taiwan. Rather, the sanctions might not be as broad and blanketing, at least initially. But sanctions will be laid down, particularly, Peterson says, because Congress is inclined towards punitive action against China, already evident in the context of trade and human rights issues. Any potential sanctions would be selective and targeted, but he thinks they would probably be imposed quickly with high levels of coordination with U.S. allies and alignment in terms of their structure and design.

Peterson believes that what happened with Russia is not a unique case and its lessons are likely applicable to future conflicts. He has seen the velocity of sanctions imposition increase over the years, to the point that the U.S. Congress is fairly comfortable with the process. So while the speed and the layering of sanctions against Russia appeared dramatic, the underlying process leading up to action was not, and would likely be replicated in the future should the situation call for it. Peterson adds that the targeting of financial institutions and financial flows was unprecedented, but its successful execution means it will likely be added to the sanctions toolkit.
Peterson sees another broad takeaway from the proliferating sanctions in the unity of the rollout. He thinks that the effect created a template and established muscle memory. He also notes that politicians have gotten more comfortable with a broader approach to technology sanctions, export controls and licensing controls, restrictions, and bans, which we continue to see in the context of China.
The sanctions regime towards Russia has stabilized at this point, but Peterson expects that regulators are going to continue to tweak and modify things as they see what works and what doesn't. Peterson says we see the mirror image of that playing out in China with technology sanctions and restrictions.
Zweig adds to this argument by pointing out that in last year's National Defense Authorization Act (NDAA), Congress included a significant fix in the export control format which broadened the ability of Commerce to place restrictions on end-users. He thinks with this update there will be a lot more the U.S. Department of Commerce Bureau of Industry and Security (BIS) can do now on the issue.
With regard to China, Zweig says the United States and its allies are currently in a shaping phase because China has not invaded Taiwan. But the conversations about multilateral mitigation efforts are occurring, despite a reluctance to target structurally significant institutions and individuals in China.

While EU officials have so far been less inclined than U.S. authorities to impose aggressive sanctions on China over human rights issues, given that China plays a far more complex and entrenched role in the bloc's economy than Russia (even when acknowledging the Kremlin's historic role as an energy supplier), pressure to maintain a united front with its allies is a strong consideration for ministers and political leaders, who are aware that China is closely watching the planning as it assesses Western powers' ability to coordinate in the face of a shared security threat. Zweig believes that China is paying close attention to the evolution of the sanctions rollout on Russia and learning lessons from Russia's example. China is also watching for cracks in the Western coalition's cohesion as the Ukraine war drags on, which could signal exploitable pain points in the future.

A Cohesive Coalition Built from Greater Alignment and Coordination

Sanctioning major economies like Russia, and potentially China, in a world so interconnected, requires alignment and coordination by sanctioning countries to not only ensure effectiveness but also mitigate economic destabilization. The Ukraine war has reenergized the NATO alliance and created the impetus for regulators to more aggressively develop information-sharing channels for both the current challenges and future ones. Within three weeks of Russia's invasion, more than 30 allies and partners joined the United States in sanctioning Russia, including Australia, Singapore, South Korea, Taiwan and the members of the European Union and the Group of Seven (G7). Among the main participants, the degree and sophistication of practical cooperation have increased significantly. As a matter of routine, sanctioning countries now confer more deeply than before, resulting in regularly coordinated announcements and approaches.

The coordination extends beyond the development of sanctions, into investigation and enforcement capabilities. Not only are existing national regulators regularly sharing information and approaches, but also new transnational task forces have been created with the goal of collaborative enforcement efforts.

On March 2, 2022, the U.S. Department of Justice (DOJ) announced the creation of Task Force KleptoCapture, an inter-agency task force designed to enforce sanctions and export restrictions imposed against Russian officials and oligarchs. Where appropriate, information gathered through KleptoCapture investigations will be shared with interagency and foreign partners.
On March 17, 2022, the U.S. Treasury Department announced the formation of the Russian Elites, Proxies and Oligarchs (REPO) multilateral task force in an effort to increase cooperation to target Russian assets. The task force will allow sanctions and law enforcement authorities from Australia, Canada, the European Commission, Germany, Italy, France, Japan, the United Kingdom and the United States to share information regarding sanctions targets, sanctions evasion attempts, and asset seizures. The work of Task Force KleptoCapture is expected to complement that of the REPO transatlantic task force.

In addition to the launch of the REPO task force, the U.S. Treasury took steps to boost cooperation and intelligence sharing with counterparts in task force member countries. On Oct. 17, 2022, the U.S. Treasury Department announced OFAC's commitment to an increased partnership with the United Kingdom's OFSI, illustrating a coordinated effort by the United States and its allies to enforce sanctions moving forward.

Since Russia's invasion of Ukraine, the European Union's EPPO has expanded its investigative reach substantially beyond the EU by concluding working arrangements with the United States and Ukraine.

The Widening Net of Enforcement

Although only a handful of high-profile enforcement actions for violation of Russia sanctions have been handed down to date, this is likely to change soon due to increased collaboration and resources dedicated to identifying and prosecuting sanctions violations. While the focus on seizing conspicuous assets like yachts and jets was a short-term goal for Task Force KleptoCapture, Andrew Adams, KleptoCapture's director, said at a November 2022 New York City Bar Association Symposium that as the task force's activities have picked up momentum, it has turned its attention to the service providers that support Russian oligarchs. Export controls are also the focus of increased scrutiny, as exemplified by the DOJ's Dec. 13, 2022 charge against five Russian nationals and two U.S. nationals for attempting to evade U.S. export laws through a global procurement and money laundering network on behalf of the Russian government.

The DOJ credited Task Force KleptoCapture in the indictments, which revealed several implications for future enforcement from the task force: a shift in focus toward procurement networks rather than assets, a willingness to use other legal enforcement authorities, an inclination to pursue a wide range of changes that capture all parties to a transaction and close partnership with foreign law enforcement authorities.

Working with foreign law enforcement authorities and having international buy-in also has allowed the task force to accelerate the traditionally slow burn of financial crime investigation and produce at least some results in a relatively timely manner. Adams, in a December 2022 interview with VOA, said "the existence of sanctions regimes in those foreign partners that look like ours gives [Task Force KleptoCapture] the ability to bring a request for a search…an arrest…a seizure to a foreign partner and have it recognized instantly as valid and something that can be enacted under their own laws. That greatly speeds up our process both for investigation and for taking action, and it's the reason that in the short time period that the task force has existed, we've seen some real successes across the globe."

At the November 2022 New York City Bar Association conference, Adams pointed to the DOJ's October 2022 actions against Russian oligarch Oleg Deripaska and prominent U.K. businessman Graham Bonham-Carter – who a grand jury indicted with helping facilitate illicit financial transactions on behalf of Deripaska – to illustrate the shift in how the United States and other countries are enforcing the Russia sanctions. The indictment of Bonham-Carter demonstrates how the focus has moved toward the service providers who facilitate sanctions evasion, as well as how enforcement has become an increasingly multilateral effort involving the close coordination of the United States and its allies in Europe."
Mr. Bonham-Carter is a U.K. citizen, living in the U.K., arrested in the U.K.," Adams said. "That is something that would have been extremely unlikely eight or nine months ago. And it was accomplished with relatively high speed, now that the tide has turned."

Sanctions, the New FCPA?

While the momentum of multilateral enforcers would alone bring the significant potential for increased enforcement measures taken against sanctions violators, a statement from U.S. Deputy Attorney General Lisa Monaco during an NYC Bar Association event in June 2022 describing sanctions as "the new FCPA" (U.S. Foreign Corrupt Practices Act), signals an anticipated "sea change" in the intensity with which sanctions violations will be prosecuted.

Using the growth of the FCPA as a blueprint, Monaco outlined four areas where sanctions enforcement will build upon the FCPA enforcement history:

Sanctions enforcement will grow dramatically
Sanctions enforcement will be a global effort
Corporate sanction compliance programs will be a focus of the DOJ
Self-disclosure and cooperation remain key.

As such, companies can expect to see the DOJ initiating more sanction enforcement actions given its expanded resources and partner agencies' expanded scope, growth in global sanctions recoveries as sanctions enforcement becomes more of a "multinational team sport" with international support, a more critical examination of a company's sanction compliance controls, and a prioritization of self-disclosure.

During her June 16, 2022, keynote address at an event hosted by the Global Investigations Review, Monaco emphasized that sanctions enforcement is no longer just a concern for banks and financial institutions. Rather, "any business with an international supply chain" should place sanctions at the "forefront" of its compliance efforts, including pressure-testing its sanctions compliance program. The DOJ "expect[s] to see a new level of sophistication and resource commitment to sanctions compliance at companies across the globe." Given the explicit warning, companies should be prepared for a DOJ that will be paying even closer attention to enforcing sanctions and export control measures in the coming years.

Compliance Teams Must Pay Attention to Sanctions and Enforcement Headwinds

Reverberations from the Russian sanctions efforts will likely force both governments and organizations to expand resources for sanctions matters and compliance, Zweig says. There will be an increased financial and operational burden on the private sector given its need to dedicate resources for this purpose.

Notably, Zweig does not see the sanctions enforcement appetite shifting dramatically should the White House change hands in 2024. Zweig says enforcement appetite is more tied to the geopolitical atmosphere, and with the international landscape getting more complex and dangerous, paired with enhanced unity between allies, we'll likely see enforcement efforts continue relatively untouched by political winds for a while.

In this environment, companies need to have appropriate controls, policies, and procedures in place, including rigorous due diligence and screening mechanisms and where appropriate, IP or geolocation blocking procedures, to ensure compliance with the sanctions.

Tuvaev recommends that organizations in industries dealing with sensitive technology or engineering products go deeper than a provided end-use statement in due diligence. He advises organizations to check for foreign partners and try to understand what happens to their products in the second and third layers of the market. Tuvaev recommends using screening tools not only for the formal check of the name and address of the entity, but to go deeper into diligence on the ownership level, trying to identify the trade activity of distributors, dealers, customers, or customers' distributors. He says that in his experience, when compliance professionals spend at least two days for sanctions due diligence on one entity, they always find at least one request for information (RFI) that they should ask of their organization's foreign partner.

Companies should revisit their internal compliance programs, considering potential areas of sanctions-related risk and exposure. While due diligence processes should include a standard cross-check of parties involved in relation to the proposed transaction, activity, or operation against the sanctions lists of any potentially relevant jurisdictions, they should not rely solely on the sanctions lists. As the DOJ files forfeiture actions to seize Russian assets, companies should pay close attention to the companies and individuals named in them. In some cases, prosecutors may file actions that are unlikely to be successful in seizing a particular asset in an effort to lay out tracing analyses, which reveal what particular companies or vehicles are being used by oligarchs in order to evade sanctions. Keeping abreast of cases that come out will clue companies into associated counterparties and give them additional information to update their screening mechanisms as needed.

Tuvaev advises compliance teams to spend time identifying who stands behind the deal, to dig into what happens with the company's products in the second and third layer of the market and to thoughtfully explore how to control official distributors of American exports in countries that are regarded as transshipment points. Much like Peterson, Tuvaev recognizes the serious challenge this poses, but it is important, he says, to conduct the appropriate amount of due diligence that finds the balance between exerting maximum attempts for control and devolving into paranoia and over-compliance.
Zweig recommends paying particular attention to countries where Russian sanctions evasion may be taking place — such as Turkey, United Arab Emirates, Malaysia, Chile and increasingly certain African jurisdictions — in order to get an idea of where to focus additional compliance efforts, especially countries whose fintech infrastructure has grown significantly while the regulatory infrastructure has lagged.

Task Force KleptoCapture is intentionally being transparent in an effort to arm organizations with greater compliance tools. The KleptoCapture task force has disclosed that it speaks as publicly as possible and as quickly as possible about its investigations, unsealing affidavits in situations that are more aggressive than the typical DOJ policy for unsealing affidavits, in order to "give a clear picture and a clear roadmap for our investigations so the people in the private sector…can see our work, see how we have built this case, see the names of entities and shell companies' structures, straw men and cutouts, and take their own action to cut those people and those entities out of the legitimate financial sector, even if we can't find cooperation in a particular jurisdiction." In light of this, organizations should utilize open-source intelligence – including corporate registration, general background, litigation, regulatory, court, and NGO information, public and proprietary databases, and media, social media, and blog sites – to ensure they are not missing any information that could either tighten their sanctions screening efforts or bolster their defense should they fall foul of the law.

Companies that outsource sanctions compliance efforts, which can be a valuable practice, especially for smaller organizations that do not have sufficient internal resources, must understand the scope and limitation of the services being provided and whether they actually mitigate risk.

In July 2022, the OFAC issued a Finding of Violation to a U.S. financial institution for apparent sanctions violations. The vendor for the financial institution conducted daily screenings of new customers and of existing customers with certain account changes but only screened the entire existing customer base once a month.
In a separate enforcement action in October 2022, OFAC determined that a U.S. company that offered virtual currency exchange services retained a third-party vendor for sanctions screening purposes, but the vendor only screened for hits against OFAC's Specially Designated Nationals And Blocked Persons List (SDN) List and did not scrutinize customers or transactions for a nexus to sanctioned jurisdictions.

Even though in the case of the former, the OFAC ultimately issued only a Finding of Violation without assessing any monetary penalties, the potential reputational damage could be just as harmful as a fine or potential legal penalty. Media coverage of possible violations and enforcement actions increases reputational risks to companies and individuals. Disclosure of violations, or even of an investigation of potential violations, is often followed by securities class action litigation and derivative lawsuits claiming that directors failed in their duties to appropriately oversee risks.

At the end of the day, Peterson says, a compliance officer can only do so much. After that, the organization has to have a good narrative to explain how their market is working and how their goods are flowing. While the explanation doesn't have to be perfect, because downstream flows are much harder to follow than upstream, organizations have to be able to defend themselves in a plausible manner, and they have to be ready to take the political heat. Compliance officers need to be working with communications professionals along with executives and board members to craft the message about how things are being managed and to be able to defend their position.
Zweig agrees with Peterson, recommending that organizations "beef up their communications departments now." With the changing landscape, organizations cannot just look to compliance to be both the back-of-house and front-of-house staff for sanctions issues. Having a professional communications team helps to mitigate reputational risk, just as having competent compliance employees helps to mitigate legal risk. Zweig also makes a point to highlight that external and internal communications teams need to be in regular conversations with compliance teams in the event of a sanctions investigation or enforcement matter, as clarifying matters for both workers and external stakeholders like shareholders is vital for operational resilience.

A Corporate Intelligence Cycle for the 21st Century

A shifting and steadily more uncertain world order is increasingly bringing geopolitics into the boardroom as global stability appears to be eroding. The return of the specter of great power conflict, the ascendance of unpredictable regional powers, the paralysis of key global institutions and a host of other challenges necessitate that organizations of all types and sizes have a model to mitigate the risk of future crises, particularly those that affect the safety and security of their personnel and infrastructure. The U.S. Intelligence Community (IC) does so by using a specific framework to help intelligence agencies deliver the best forecasts possible to policymakers. To better understand how to apply the intelligence cycle in a corporate setting, RANE spoke with Jim Sisco, Founder and President of ENODO Global; Christopher Garvin, Founder and CEO of Three Sixty Corp.; and Jack Devine, Founding Partner and President of The Arkin Group.

Putting the Intelligence Cycle in Context

Depending on what model is used, the intelligence cycle has somewhere between five and seven steps (the model presented here includes six), but all include the same fundamental principles. At its core, the cycle is a rigorous process to address key questions about various risks in a way that is useful for decision makers. It is widely used throughout the civilian and military agencies that comprise IC, as well as in law enforcement, but also fully applicable in a corporate environment. Indeed, as organizations navigate a changing global environment in which threats seem to move more quickly than ever and there is a lot of proverbial noise that can make the signal hard to decipher, having a framework to help inform decisions is more important than ever. While applied here to safety and security concerns, it has myriad other uses, including to make investment decisions, mitigate reputational risks and address other business considerations.

Step 1: Planning - Setting Priorities

Getting answers first requires asking questions – known in the IC as intelligence requirements. To this end, organizations should begin the intelligence cycle by considering what their key concerns are, starting with known risks that need to be addressed. According to Garvin, the most important first task is to ask fundamental questions along the lines of, "What is your mission? What questions are you trying to answer? What do you need to know?" He notes that "rarely do people actually sit down and ask, 'Given my mission set, what questions need answers?'" Sisco agrees, maintaining that organizations are often unclear in identifying their crucial concerns and saying, "Number one, you clearly have to understand what your requirements are. You need to say, 'Here's what our objective is. And these are the five things we need to do to get to our objective.'"

Only after defining your fundamental mission can you start asking more specific questions about your particular risk profile. How are supply chains vulnerable to theft in a particular country? What level of threat does a terrorist group pose to personnel in a far-off location? Does an activist group pose any sort of a threat to corporate infrastructure? Of course, each organization's risk profile will look different, but these are the types of questions that can help guide a corporate intelligence strategy that starts with existing risks.

However, to go beyond the immediate and obvious, organizations also need to consider threats that have not yet manifested. A starting point is to consider generally plausible, foreseeable threats. How might an outbreak of war between two long-feuding countries affect operations? Will a future election trigger disruptive street demonstrations near corporate facilities? How might extreme weather events impact employees' safety? Garvin highlights that considering these future-oriented questions is much easier when you have already clearly defined your mission. According to him, "Once you define what your mission is, then you define what your threats are. And it doesn't matter if those are for today or tomorrow – that threat is still going to be there."

There is also value in going beyond these more tactical considerations to consider additional strategic developments that may be more challenging to detect because they emerge gradually over longer time horizons, but which would have an outsized impact on an organization's operations should they occur. What is the trajectory of political stability in a country over the coming decade? What countries will become more important later in the century? How will future technological advancements impact corporate security? Asking these sorts of questions hedges against uncertainty by forcing organizations to think through how their risk profile could change over time.

This can be challenging because, as Sisco notes, "Corporate America runs on quarterly cycles and earnings calls." He laments that true long-term strategic planning, especially in terms of safety and security, is often not a priority at many companies. However, Devine highlights that it is precisely because strategic planning is difficult that there are so many business opportunities to be gained from future forecasting. He particularly laments this deficit of strategic planning at most companies, which he argues are typically reactive and do not engage in enough unorthodox and strategic thinking. Drawing on his time in government, Devine asserts that, "Conventional wisdom is often when you see intelligence failures." Now in the private sector, he says he "rarely gets an over-the-horizon request" and that "it is hard to sell strategic planning and thinking in the private sector" as client requests are "very tactical. It is current intelligence. Tell me about this guy, this place, this time."

A key consideration when setting these requirements is to balance concision with precision; ideally, an intelligence requirement is phrased to be broad enough to capture as much relevant information as possible, but specific enough to be answered in a meaningful way that is tailored to the organization. Inevitably, however, there is tension between the two, meaning it may take some adjustments to find a good balance. For example, asking a question like "What organized crime groups threaten personnel?" is probably too broad to be useful in that it will generate a long list without actually scoping the threat that groups pose, whereas a question like "What is the kidnapping risk from x group over the next month?" is probably too narrow in that it only considers only one criminal tactic in a very short timeframe that ignores broader risks. A better question could be, "In what ways could x group threaten personnel in y location over the next year?" – which is broad enough to capture a range of tactics over time, but also specific enough to focus on one group in one place.

Sisco uses an example about developing intelligence requirements to support new market entry to underscore how it can be difficult to formulate well-developed questions. He notes that this challenge particularly hampers "businesses which have been doing business for decades, and they have a certain way of doing it. If you try to introduce new ideas or new techniques or new strategies, it is very difficult for them to do that." He explains that companies may ask traditional questions about tax implications, legal constraints and other typical concerns, but fail to ask more tailored questions to understand the specifics of the local society and culture that, without considering them, eventually undermine their market entry strategy. Sisco highlights that the need to appropriately scope questions is all the more important in a safety and security context, providing multiple examples from both his time in the military and the private sector in which failing to ask well-formed questions about the situation on the ground could present violent risks.

Once organizations have mapped known, plausible and strategic risks, the final step is to prioritize. No organization has unlimited resources, so classifying threats in some sort of rank order is key. There are many methods to do so, but a starting point is to think in terms of a basic matrix with four quadrants and two axes showing likelihood and impact on the organization. Prioritize risks that are both highly likely and highly impactful, while minimizing those that are neither. Those that are either highly likely but of low impact or unlikely but highly impactful should fall somewhere in between, with each organization's specific risk tolerance and the tradeoff in near- versus long-term thinking determining how to order. For instance, some organizations may be willing to accept the risk of highly likely events that are not very impactful and therefore prioritize those that are unlikely but highly impactful; by contrast, others may have less tolerance for risk and thus focus on events that are highly likely even if not very impactful, rather than spend resources on events that are more hypothetical even if more of greater impact.

A Chart of the Likelihood and Impact Matrix

Sisco and Garvin both emphasize the importance of prioritizing intelligence requirements. As Sisco notes, this can be challenging for organizations of all sizes, but at least larger ones have superior resources; by contrast, he highlights that "if you're a mid-level company or a small company, you don't have the internal capacity, the finances or the budget" to address every question "so you have to be judicious in how you do this." Garvin agrees, suggesting that companies "define the sort of red flags" that are the key priorities and then focus on answering those. He says, "Don't just sort through everything…You're going to spend way too much time and expend too many resources."

Of course, making these determinations does not occur in a vacuum. After all, there may be C-suite requests to focus on expanding the organization's footprint in a particular location that therefore makes one risk more relevant than it otherwise would be. After all, as Devine highlights, in a well-run company, the CEO should set a clear strategic plan that provides direction for key questions like, "What are the critical issues? Are we going to invest in Russia? Are we going to invest in China? What are the challenges over the horizon?"' Similar pressures can come from shareholders, employees or members of the public. Moreover, prioritization cannot be seen as immutable, but instead as responsive to shifting internal and external conditions. Corporate strategies often change and global events can clearly shift the order of priorities over time – sometimes in a span of years but in others literally overnight. As a result, organizations need to establish a process to periodically assess whether their priorities need to change – either in terms of rank order or by adjusting the questions themselves.

Step 2: Collection - Gathering Information

Once priorities have been set, the next step is to acquire the information to help answer the questions identified as intelligence requirements. While private organizations may not have access to classified information, in the past two decades the massive expansion of open-source intelligence (OSINT), which is by definition publicly available, has vastly broadened access to valuable insights. Thus, in designing a collection strategy, it is helpful to think in the broadest terms of different avenues to gather information.

In some cases, doing so may replicate exactly what intelligence agencies do, but instead merely using unclassified means. For instance, just as spy services gather intelligence from clandestine sources, so too can organizations collect information from human sources – be they business contacts, government officials or anyone else that can help answer the necessary questions. Devine is a particular proponent of human intelligence (HUMINT), drawing on his days in the IC to argue that when designing a collection strategy, "The main piece that is often missing is the human." For him, "the value of HUMINT is priceless" because you can glean certain types of information from personal relationships that simply cannot be found via other means. In particular, Devine highlights that, despite major technological advancements, such as artificial intelligence programs that can answer questions in great detail, most of what these technologies present back to the user is secondary source material that can be redundant, reflect conventional wisdom and/or struggle to separate fact from opinion – all of which lessen its value. By contrast, and acknowledging that HUMINT presents its own challenges in dealing with sources who can have ulterior motives, humans can still provide crucial context and unfiltered reporting about what is really going on.

Beyond HUMINT, which relies on close relationships that may be deliberately hidden or at least not easily available to all, the greatest opportunities to gather information to address intelligence requirements lie in information that is, at least in theory, universally accessible. Corporate leaders already do this implicitly every day when they make decisions based on information they see in the news, but they can be much more intentional in using open sources to help answer questions about their risk profile. Consider the many potential sources of OSINT, including all forms of media (print, television, web, social, etc.); government data and reports; industry, civil society and think tank publications; academic research; commercial imagery; and competitors' public statements and regulatory findings, just to name a few. Add to this list the massive range of digital tools that collect information from the Internet, as well as a growing list of organizations, both non- and for-profit, which specialize in gathering OSINT.

Of course, the proliferation of OSINT also poses challenges for organizations, the most obvious being that public information streams are literally never-ending. Organizations, especially those with fewer resources, can quickly become overwhelmed by the amount of information that may be relevant to their risk profile. This is particularly the case because many organizations rely on analysts to cover multiple geographies and/or risk domains (terrorism, civil unrest, etc.), meaning it can be hard for them to ever become experts on one region or topic. This points to the need to be judicious in how many sources to regularly consult and prioritize a set amount of those seen as both critical and trustworthy. Beyond that, it may be helpful to use a third-party OSINT provider or a specific software tool to filter through publicly-available information to highlight only what is most relevant for the organization's specific risk profile.

To this end, and building on their previous advice about being careful in prioritizing intelligence requirements, Garvin and Sisco again emphasize the need to be discriminating in the amount of information to collect. For Garvin, you should not aim to collect information on everything at once, but instead – and again emphasizing the importance of having a clearly defined mission – collect on the key "red flags" that ultimately narrow down the number of places you search for information. Sisco concurs, saying, "There's a lot of information out there…but 99% of the information never gets used…It's not the data [companies] really need. So you have to understand how your collection is going to be useful to making really sound decisions."

An additional challenge is the fact that some OSINT sources are relevant only intermittently, whereas others require continual monitoring. For instance, an organization may find a specific think tank's reports on the security environment in a particular country very useful, but those reports are only published sporadically throughout the year. By contrast, there may be a very reputable social media account that posts daily updates about the on-the-ground situation in that country, necessitating constant observation. This distinction points to a need for analysts to establish a clear daily routine of reviewing certain sources while also setting aside time to survey the OSINT environment for new ones that may be useful to add to daily sweeps of information, or at least to monitor for future consideration. After all, as Devine emphasizes, it is crucial to not become overly reliant on a static set of information sources, which risk becoming either "orthodox in their views" (and thus "a much greater victim to conventional wisdom," which he cautions undermines effective risk planning) or "politicized" to the point that they "have a story to tell and everything fits the story."

Finally, organizations need to bear in mind that, by definition, OSINT is available to everyone – including competitors and the threat actors themselves. In the first case, rival organizations likely have many of the same concerns and therefore look at many of the same sources to address their risk profile. This speaks to a need for analysts to always be thinking of unique, new ways to collect information that may give their organization a decisive advantage. Devine's emphasis on the importance of HUMINT is all the more important in this respect. Second, cybercriminals, organized criminal syndicates, protest groups and others all can at least in theory find the same publicly-available information and leverage it to do harm. This means that organizations also need to be very conscious of publicly-available information about their own operations to avoid unintentionally creating risks by divulging sensitive information.

Step 3: Processing - Converting Raw Data

A key intermediate step before making analytic judgments based on information that has been collected is to ensure it is in a comprehensible, useful format. While some information may have already been collected in this manner (for instance, a publicly available social media post from an activist group announcing a protest outside an organization's headquarters), in other cases analysts will need to convert raw information into a workable format. An obvious example of this relates to foreign language information. A good OSINT collection strategy should always incorporate local media reporting, especially, as Devine highlights, to avoid falling into the trap of "conventional wisdom" that can often come from solely using Western, English-language news sources that often present a similar narrative. By definition, this will require at least some level of translation; while online tools can do basic translations quite well, they still struggle to convey nuance, technical terminology and other niche aspects of language which may be incredibly important to a particular organization's concerns, suggesting another argument in favor of Devine's human-first approach.

Aside from foreign-language content, another way to appreciate the importance of processing information is to consider the use of commercial satellite imagery. This gained widespread media attention before the Russian invasion of Ukraine as private geospatial companies publicly released images of locations along the Russo-Ukrainian border. While potentially highly relevant to address corporate intelligence requirements, photos can simply consist of lots of unclear lines and dots on a map without greater context. After all, though trained experts were able to point out specific things like tank columns, troop formations and logistical staging areas, the vast majority of people would have been unable to comprehend what was being depicted in the photos – hence the importance of bringing this type of context to raw data.

Another frequent example is large datasets showing statistical information. Sisco jokes that "We have a phrase within the company: 'Data only gets you to the wrong answer fast.' And what we mean by that is that you have so much data out there, but what is useful? How do you filter?" Drawing a similar parallel about how large amounts of data can obscure the key indicators, Garvin explains that while "big data" is great for finding patterns, he asks, "If you just need a question answered, why go through all that mess?.. Define the one question [you have] and go get the information that solves the answer to that one question." For both experts, data in itself is not an unalloyed positive but instead requires careful processing to separate out the majority of information that may not be relevant and instead focus on just addressing the key question.

These examples speak to the need for organizations to have relevant specialists (or third-party providers) who can help, when necessary, process information into a more intelligible format. This is easier said than done, especially for smaller organizations with fewer resources, so it helps to think creatively about how to leverage different corporate teams when necessary. For instance, there may not be an analyst who speaks a particular language, but an employee in another part of the organization may be able to help translate when needed. Similarly, an untrained analyst may have a hard time deciphering a large dataset, but a member of the organization's creative team may be able to put the dataset into a graphic form that is much more useful. These and other workarounds can help make up for what otherwise may be challenging hurdles in making sense of some key pieces of intelligence.

Step 4: Analysis - Assessing the Intelligence

Likely the most challenging part of the intelligence cycle is the step at which an analyst takes all the information that has been gathered and turns it into an assessment to answer the relevant question. After all, it is one thing to collect and process information, but a very different challenge to make judgments about what that information means. For instance, an organization may have a priority intelligence requirement to forecast whether an insurgent group in a particular country will grow to become a security threat to its operations there in the next year. There may be a lot of OSINT covering the group's attacks (locations, tactics, etc.), propaganda (public statements, videos, etc.), responses by the country's government (military offensives, arrests, etc.), and other useful information. But on its own, all that does not answer the question of whether the group will threaten the organization's activities on the ground. Instead, an analyst must sift through the information that has been collected and generate an assessment based on sound argumentation and be tailored to address the specific question to evaluate the trajectory of the insurgent group over the next year and security implications for the organization.

Sisco echoes this guidance by emphasizing the need to make sure "analysis answers your objective or requirement and adds values in a way that is operational." He notes, "That's a skill that many people don't have. A lot of people can write great reports and pontificate with great words, but 'how does this help me make a decision?' At the end of the day, you should always be answering your question." Using the example of evaluating whether to make an investment in a particular country, he cautions that merely providing information about the country, even if well-researched, is unhelpful. Ultimately, Sisco says, proper analysis needs to answer the question of, "'Should I make an investment or not?' If so, why? If not, why? Very simple."

Garvin offers a similar take, using multiple examples from his business advising clients. He notes he discovered that his team was spending excessive amounts of time compiling analytic reports for clients that ultimately were not the most useful because his employees went down proverbial "rabbit holes" and did not ultimately answer the fundamental questions his clients had; this led him to revise his process to ensure that, during his initial conversations with clients, they develop tightly scoped questions to be addressed so that his team can much more quickly and directly answer them in an analytic report. Using the specific example of a clothing manufacturer evaluating whether to introduce a new product, Garvin highlights that good analysis must also consider the broader environment in which a question (even if well crafted) is posed. In this case, the clothing concept may have made sense, but the specific materials needed to produce it were essentially monopolized; this meant that answering the question of if there is a market for the product also required evaluating whether the supply chain to produce it was available – underscoring how good analysis has to make connections across domains.

There is an entire industry dedicated to providing clients with analysis – and organizations often find it valuable to use a third-party provider to address at least some of their intelligence requirements – but there are also a variety of internal actions organizations can take to help analysts produce effective assessments. A starting point, especially for small teams without deep subject matter expertise, is to use structured analytic techniques (SATs), which are a large set of tools to organize thinking and bring rigor to intelligence analysis. SATs range in complexity from the very simple, such as structured brainstorming techniques, to the very complex, such as an analysis of competing hypotheses, but all can help turn the information gathered in the collection and processing stages of the intelligence cycle into useful analysis.

SATs are particularly helpful because they are designed to reduce various cognitive biases that often unknowingly creep into the analytic process. Many of these are well-known and include challenges like "groupthink" (when people converge around a single assessment out of a desire to avoid disagreement), "confirmation bias" (when people seek out or interpret information in a way that conforms to their own beliefs) and "status quo bias" (when people fit information into their current assessment rather than acknowledge a change). Using SATs involving techniques like "red teaming," building alternative scenarios or even simply coming up with key indicators of change can all help reduce the potential for bias and therefore improve analytic quality. As Devine cautions, "Objectivity is the key." He notes that good analysis most fundamentally needs to be free of bias and that requires "challenging the conventional wisdom," something SATs can help do.

To be sure, sometimes there is not enough time to leverage SATs deeply – especially in the corporate world where a high-priority C-suite directive can mean that an assessment is needed in a matter of hours. In these situations, a strategy to develop a basic assessment is to think in terms of key forces (the crucial influences that affect the question at hand), fundamental assumptions about those forces (the basic things that are presumed to be true about the given influences at play) and critical uncertainties (the most important unknowns). Especially when there is little to no time to do serious information gathering beyond what has already been collected, thinking through these three categories provides a simple framework to make a basic assessment and highlight information gaps.

To put this method into practice, consider the same question above regarding the potential threat from an insurgent group. In this scenario, the key forces may include tactical sophistication, internal cohesion and capability of the opposing military; the fundamental assumptions may include that the group will grow more advanced in its tactics, that it will not splinter and that the opposing military will continue to suffer major morale problems; and the critical uncertainties may be whether the group seeks to expand territory versus solidify existing control, whether the group sees the organization as a priority target and whether the U.S. military sends troops to fight the group. In bucketing information into these three categories, analysts have the building blocks to make a basic assessment.

No matter how analysis is done, however, Devine emphasizes the importance of the human element in the intelligence cycle. As he notes, despite advances, no technology has come close to replicating human-generated analysis because "it's a cliche, but it's an art, not a science."

Step 5: Dissemination - Delivering Insights

The way in which analysis is provided can be just as crucial as the assessment itself. The first key consideration involves format. Is the analytic outcome meant to take the form of a written deliverable, an oral presentation, a slideshow briefing or something entirely different? In this respect, the audience and environment matter greatly. First, recipients of the analysis may have different preferences for how it is conveyed; some, for example, may prefer to review a short slide deck whereas others may want a sit-down briefing. Second, different settings call for different formats; after all, the requirements for a presentation at a Board of Directors meeting will look very different than what is necessary for a briefing for a mid-level manager. Garvin recommends that, "The number one thing to understand is who owns the risk. You can't produce a good intelligence product without understanding the individual who is going to make the decision." For him, "It's knowing the customer and the person that will ultimately make the decision. Make it so they can digest [the analysis]...You have to know who you're giving this thing to; you have to know your audience."

No matter the precise format, though, one near-certainty is that disseminating analysis cannot take a long time. Key decision makers do not have the time to read a multi-page report or sit through an hours-long briefing. This means it is all the more important to make very clear and concise judgments that directly address the organization's key interests. At a minimum – and especially if the analytic deliverable is longer than otherwise ideal – leading with key takeaways at the start is a must. Devine, Garvin and Sisco all agree on this point, saying that written analysis must at a minimum have an executive summary with key judgements at the top, which Devine, drawing from his years in the IC, says is exactly the format used in the government. To this end, Sisco specifically points out that, "Decisionmakers don't have time to be reading a 40-page report; they're going to just read the first page…So if it's not concise, it's not succinct, it doesn't capture your attention, it's not going to work."

Another consideration is whether disseminating the analysis would benefit from visuals. Even when judgments are clear, concise and directly address the organization's key interests, visual aids can often amplify the value of analysis by making key takeaways more tangible. For instance, whenever providing an assessment that is location-based, including a map is often beneficial. To return to the insurgent group example, showing the location of the group's attacks compared to the organization's physical presence would understandably be helpful in evaluating violent risks. Similarly, if the analysis involves a lot of numeric data, providing accompanying tables, charts and/or graphs is often much more effective. Indeed, Sisco emphasizes that analysis "has to be visually appealing. If it doesn't look good or aesthetically pleasing, it doesn't matter if you give somebody the best Word document in the world; nobody wants to just read."

Finally, underlying all of these best practices, it can be valuable to establish a formal process for disseminating analysis so that it is not ad hoc but instead an established routine, especially when the recipients are top leaders. To be sure, there will inevitably be time-sensitive and/or one-off requests that do not lend themselves to a formal process. However, disseminating analysis is generally most effective when there is a protocol. This is why the IC uses briefers who are assigned to particular national security decision makers, visit them at a set time each morning and tailor briefings to their preferences. However, this is not necessarily possible in the corporate world, where corporate leaders are often focused much more on business questions, rather than safety and security. Moreover, they may only receive the key judgments of an assessment second- and third-hand after they have been disseminated up the management chain – and even when they do receive key judgments directly, these may be conveyed in a short walk from a boardroom to a car. As Sisco suggests, this is a particular problem in large organizations that lack a routinized process, where it can take weeks if not months to brief top leaders. As he illustrates via an example, his team may produce a report for a client in January but then need to set up meetings with multiple different corporate stakeholders, some of whom may not be available until March, at which time the report could be irrelevant.

Unsurprisingly, disseminating important analysis in such an environment is not ideal, which makes it all the more important to create a protocol for effective analytic delivery. While the demand on top executives' time may be a complicating factor, dedicating even a small amount of time on a regular basis to present analysis in whatever format leaders prefer can pay large dividends; after all, the recipients will be far better placed to act on the analysis when they are undistracted and able to follow-up immediately with any questions. This is of course easier, but no less important, for those lower down the management chain, who presumably have more free time and in some cases actually may be more important recipients of analysis than top executives. After all, frequent questions on topics like travel safety, personnel protection and location security rarely filter to the very top of an organization but instead are addressed at a lower level.

Step 6: Evaluation - Judging and Adjusting

The final step in the intelligence cycle amounts to a holistic review. What key information gaps came to light during OSINT collection? Did any bias creep into the analysis? Did the recipients of the assessment have feedback on the format? These and similar questions are important to ask at the end of addressing an intelligence requirement to improve the process going forward because, after all, this is a continual cycle.

Frustratingly, feedback can often be hard to solicit. Indeed, both Garvin and Sisco lament that getting a client to offer a response can be exceedingly challenging. Sisco says, "You know, everybody wants that but nobody gets it. When we go out to existing clients and say 'How can we better serve you?' or we go out to clients that we've lost and say 'What did we do wrong?' but nobody has the time. Nobody cares. It just goes back to you." In fact, Garvin jokes that, "It's like pulling teeth…It's pretty hard to get somebody to pay attention after [delivering a report]."

This points to two key takeaways. First, analysts need to solicit feedback from as many sources as they can, under the assumption that top executives may never provide a direct reaction. This means seeking out the input of colleagues, direct managers and others who may be able to offer input; it also means, when applicable, comparing assessments to those of others, including peers, who may be examining similar questions and offer a useful baseline for evaluation. Second, it means creating a culture where positive feedback is just as encouraged as developmental feedback. After all, analysts need to know what they did well so they can continue to do it, just as much as they need to know what to improve going forward. In fact, Garvin says he all but forces an after-action review on clients to get a better understanding of what went well and what needs improvement next time. As he says he tells clients, "We're going to do another one and another one so I need to know what was missing or not missing, has your mission changed…"

Notably, the answer to the most obvious question to consider – "Was our assessment correct?" – may not be knowable for a long time. This speaks all the more to the importance of making self-evaluation not a one-time event but a continual process, with check-ins at regular intervals to monitor developments. Returning to the example of the insurgent group, that question asked about its potential threat over the course of a year. Thus, by definition, analysts will need to monitor events over time and reconvene to judge whether their original assessment holds true or needs to be adjusted. This is complicated by the reality that, as Sisco notes, "nobody has time to talk about what was right or wrong" because "corporate America runs on quarterly cycles and leaders move on the next problem, focus on the next earrings, what's the next this, what's the next that." However, at least at the analyst level, a process of continual self-evaluation is a key part of ensuring analytic integrity and can go some way to breaking from the quarterly cycle and the more fundamental problem of what Devine calls "People who sell current intelligence as strategy," alluding to those who falsely portray near-term tactical information as more valuable long-term strategic guidance.

Moving Forward with a Corporate Intelligence Cycle

Taken together, these six steps should provide a valuable roadmap for organizations of any type and size to implement as they face a changing and increasingly unstable global environment. Applying the intelligence cycle is all the more important amid the erosion of many of the previous certainties – or, at least, strong expectations – about how the world order operates. To this end, the intelligence cycle gives organizations a way to plan for disruptions, mitigate the risks of uncertainty and, when necessary, respond to crises.

While presented here in discrete steps, it is important to remember that analysts answering an intelligence requirement will not only be doing some of them in tandem, but also addressing multiple requirements at the same time. For example, especially when under time pressure, it is easy to imagine how analysts may simultaneously be collecting information and writing an assessment – and in fact sometimes may begin writing before fully collecting. Similarly, analysts rarely have the luxury of addressing one intelligence requirement at a time, which means they may be disseminating an assessment on one question while they are processing the data for another. Thus, it is helpful to see the intelligence cycle not as immutable, but instead fluid – more of a guiding framework than a collection of firm rules. No matter how it is implemented, however, having a process like the intelligence cycle to hedge against risk – particularly in the form of safety and security – is invaluable.