Managing 21st-Century Political Risk

by Condoleezza Rice and Amy Zegart

IN 2010, Gabriela Cowperthwaite read a news article that changed her life. It described how an orca whale had killed a trainer during a show at SeaWorld in Orlando. Cowperthwaite, a Los Angeles filmmaker who liked taking her twins to see orcas at the San Diego SeaWorld, spent the next two years making an investigative documentary, Blackfish, which depicted how the theme parks’ treatment of orcas harmed both the animals and their human trainers. The film cost just $76,000 to produce. Yet it quickly went viral, capturing the attention of celebrities and animal rights groups. Public pressure on SeaWorld mounted. Corporations cut sponsorship ties, regulators opened investigations into the parks’ safety practices, and lawmakers proposed a ban on breeding orcas in captivity. Eighteen months after the release of Blackfish, SeaWorld’s stock price had plunged 60%, and CEO Jim Atchison announced that he was resigning. By 2018, SeaWorld’s stock still had not recovered—all because one woman had read a story about orcas and made a low-budget film.

Until recently, political risk was relatively easy to understand. More often than not, it involved dictators who suddenly seized foreign assets for their own domestic agendas, like Venezuela’s Hugo Chávez. Today expropriating leaders are far less common than they used to be. And although national governments are still the main arbiters of the business environment, a great deal of the political risk within and across countries now comes from other players: individuals wielding cell phones, local officials issuing city ordinances, terrorists detonating truck bombs, UN officials administering sanctions, and many more. Events in far-flung places affect businesses around the world at dizzying speed. Anti-Chinese protests in Vietnam create clothing stock-outs in America. Civil war in Syria fuels a refugee crisis and terrorist attacks in Europe, leaving the tourism industry shaken. A North Korean dictator launches a cyberattack on a Hollywood movie studio. We live in a new world of political risk.

For companies, 21st-century political risk is essentially the probability that a political action will significantly affect their business—whether positively or negatively. This definition is more radical than it sounds. We chose the phrase “political action,” not “government action,” to highlight the growing role of risk generators outside the usual places like capitals, army barracks, and party headquarters. These days, political activities that affect business are happening almost everywhere—inside homes, on the streets, and in the cloud; in chat rooms, dorm rooms, and boardrooms; in neighborhood bars and summit sidebars. Companies that want a competitive edge need to manage the potential impact of this widening array of global political actors.

Considered in isolation, many 21st-century political risks seem like low-probability events. If you’re American, the chance that you’ll be killed by a foreign-born terrorist is about one in 45,000—far more remote than your odds of dying from a heat wave or by choking on food. Unlike Blackfish, most social-activism documentaries don’t become viral sensations. Cumulative risk is a different matter, however, and is easy to underestimate. While the probability that a single political risk will affect a company’s business in a particular city tomorrow may be low, the probability that over time some political risk somewhere in the world will significantly affect its business is surprisingly high. Add up a string of rare events, and you’ll find that the overall incidence is not so rare after all.

The good news is that while political risk has grown complex, effectively managing it remains fairly straightforward. Organizations can get ahead by getting the basics right. Building on existing best practices and drawing on our own leadership experiences and research, we have identified four core competencies of organizations that excel at risk management—and a series of questions that can help executives identify gaps in their organizations’ ability to operate in an era of increasing global insecurity.

The New Forces behind Political Risk

Three megatrends are transforming the landscape for political risk: dramatic changes in politics since the end of the Cold War, supply chain innovations, and the tech revolution.

Politics

Companies today operate in the most complicated international political environment in modern history. During the Cold War, superpower rivalry between the United States and the Soviet Union set relatively clear dividing lines between adversaries and allies. Trade politics and security politics were sharply delineated, too. The world was largely split between Western capitalist markets and the command economies of the Soviet bloc. Arms control treaties involved the Soviets, but global trade negotiations did not. Today’s landscape is much more crowded and uncertain—filled with rising states, declining states, failed states, rogue states, and nonstate actors like terrorist groups and cybercriminals. And security isn’t just about security anymore; international economic issues are often tightly connected to security policy and politics.

When Condi was secretary of state, she watched in dismay as Dubai Ports World, an award-winning port management company owned by the government of the United Arab Emirates, was forced to transfer its ownership of U.S.-based shipping terminal operations to an American entity following a public backlash. Although the UAE was a staunch U.S. ally and a thorough U.S. government review had found no security concerns with the deal, Americans heard the words “Arabs” and “ports,” and in the aftermath of 9/11, that was enough to make Dubai Ports World’s operations in the U.S. untenable—even in one of the staunchest pro-market economies in the world.

Supply chains

The growing efficiency of supply chains is unlocking enormous value for companies. Even very small businesses can now take advantage of lower offshore wages, low shipping costs, and better inventory management. But there is a dark side to the supply chain revolution: Longer, leaner global supply chains leave companies more vulnerable to disruptions in faraway places.

As companies extend their overseas supplier relationships in search of improved margins, customization, and speed, the chances rise that a political action will disrupt the distribution of goods and services to their customers. When China moved an offshore oil rig into Vietnam’s exclusive economic zone in 2014, anti-Chinese protests erupted in Vietnam. Suppliers of Li & Fung, one of the world’s largest wholesale providers of clothing and toys, were forced to close their Vietnamese factories for a week, slowing delivery of goods to the United States. What had begun as a conflict over disputed territorial waters in Southeast Asia quickly emptied store shelves in U.S. cities.

Technology

Social media, cell phones, and the internet are also transforming the 21st-century political environment. Forty-eight percent of the world is online. By 2020 more people in the world are expected to have mobile phones than to have running water or electricity. Technology is dramatically lowering the cost of collective action, making it easier for like-minded people to find one another and join a common cause, even across vast distances. What’s more, social activism is not just for social activists anymore. In a hyperconnected world, bystanders can post cell phone videos that go viral. On April 9, 2017, after United Airlines oversold a flight to Louisville, Kentucky, the airline decided to remove four passengers. One of them, David Dao, refused to deplane. Passengers video-recorded Dao as he was violently dragged from his seat and posted the footage on Twitter and Facebook. Two days later, United’s stock had lost $255 million in shareholder value, and analysts began worrying about the ramifications for the airline in the Chinese market, where commenters on social media shared the view that Dao was discriminated against because he was Asian.

The Political Risk Framework

How can companies best manage political risk in this environment? Some hire consultants to provide analysis and advice when they need it. Others rely largely on in-house units. Many employ a hybrid approach. While no one model fits all, we have developed a framework that is broad enough for most companies to apply but suggests specific actions. The framework focuses on four competencies: understanding risks, analyzing risks, mitigating risks that cannot be eliminated, and putting in place a response capability that enables effective crisis management and continuous learning.

At each step in the framework, there are three guiding questions that everyone in any organization can ask to address the most important issues.

Step 1: Understand

What is my organization’s political risk appetite? Companies, like individuals, approach risk differently. Factors that influence their appetite for it include the time horizon of major investments, the availability of alternative investments, the ease of exiting investments, and visibility to consumers. Companies in extractive industries like oil and gas, for example, undertake long-term investments in distant countries, many of which are governed by autocratic regimes and are prone to social unrest. In addition, these firms’ key assets cannot be moved easily. For all those reasons, oil and gas companies must be willing to tolerate substantial political uncertainty. In contrast, consumer-facing industries, such as hotel chains and theme parks, are particularly susceptible to reputational damage and typically have a lower risk appetite as a result.

Is there a shared understanding of our risk appetite? The best companies ensure that political risk is a concern for everyone, from the boardroom to the sales floor. Of course, not everyone in an organization will have a similar take on it: The way lawyers and accountants approach risk differs from the way marketers and product developers do, and those differences need to be sorted through and resolved. At Disney the shared understanding is that “nothing hurts the mouse.” Disney essentially sets the political risk appetite close to zero.

In 2006 the Lego Group created a strategic risk management capability, which helped align views on risk across the company. The effort was led by Hans Læssøe, an engineer and a 25-year company veteran who called himself Lego’s “professional paranoid.” He set up systematic processes for training all new managers about risk; engaging every important business leader, including the board members, in setting the risk appetite; identifying risks; and integrating risk assessment and mitigation into business planning. Læssøe’s team even developed a “net earnings at risk” metric that management and the board used to estimate the company’s risk exposure annually.

How can we reduce blind spots? Reducing blind spots requires imagination. As one major investor told us, “The biggest mistake is believing the future will look like the present. It almost never does.” His firm trains all its associates to ask a simple question, over and over: What if we are wrong? Scenario planning, war-gaming exercises, and other methods can also help firms identify hidden risks. While the tools vary, the goal is the same: fostering creative thinking and guarding against groupthink.

Step 2: Analyze

How can we get good information about the political risks we face? It may sound obvious, but you have to look for good information to find it. Companies sometimes neglect to do this. When General Electric’s legendary CEO Jack Welch tried to acquire Honeywell International in 2001, the merger sailed through the U.S. Justice Department review, and Welch assumed that EU approval would soon follow. It didn’t. European regulators didn’t have the same philosophy about antitrust issues that their American counterparts did; the Europeans focused on the potential impact on competitors, not on consumers. And although European regulators had never rejected a major American merger before, they had come close, nearly scuttling the merger of Boeing and McDonnell Douglas just four years earlier. But Welch and Honeywell’s CEO, Michael Bonsignore, were so eager to close the deal that they reportedly never consulted their European antitrust attorneys in Brussels. When it became clear the merger was dead, Welch declared, “You are never too old to get surprised.”

How can we ensure rigorous analysis? Richard Feynman, one of the world’s great physicists, once said that analysis is how we try not to fool ourselves. Nobody can predict the future, but good risk analysis challenges assumptions and mental models about how it might unfold so that organizations are better prepared.

One useful way to begin is by understanding which assets are most valuable and which are most vulnerable. The more those lists converge, the higher a company’s political risk. The backlash against SeaWorld was particularly damaging because trained orcas were so important to the company’s brand.

Precisely quantifying vulnerability is impossible. But that doesn’t mean managers can’t reduce uncertainty. Various tools—from red teams (which assume opposing roles or points of view) to Monte Carlo computer simulations (which project the range and likelihood of outcomes)—can help. The goal is to develop ways of understanding key drivers and possibilities so that surprises aren’t so surprising.

FedEx is a model of effective risk management. As the company once said, “[We] may not be able to foresee what will cause the next European truck drivers’ strike, but [we] know that ground delays will happen at some point, and when it happens, the backup plans are ready to go.” Marriott International has a five-tier color-coded security alert system for all its hotels and continuously assesses whether to move each hotel up or down. The Marriott risk team doesn’t know exactly when or where terrorists may strike next. Its system is designed to increase preparedness and safety—by notifying hotel managers about changing conditions that might pose a threat, designating specific tasks for every threat level, and auditing compliance to ensure that everyone knows what to do.

How can we integrate political risk analysis into business decisions? In 2016 a global survey by McKinsey found that only a quarter of executives integrate risk analysis into a formal process. The most popular method for addressing geostrategic risk is to simply do ad hoc analyses as events arise. Lego has a better approach, called “boat spotting”—keeping an eye out for potential risks and opportunities so that you don’t “miss the boat.” The company has used many risk assessment tools, including analyses of Google Trends search data and scenario planning. But it also understands that more important than the approach is the intention: Simply getting managers to use rigorous political risk analysis—of any variety—to defend investments can significantly improve decision making.

Step 3: Mitigate

How can we reduce exposure to the political risks we have identified? Three strategies are almost always useful: dispersing critical assets (colloquially, don’t put all your eggs in one basket), creating surge capacity and slack in the supply chain, and working with others in the industry to share political risk assessments and mitigation strategies. The last approach, which is perhaps the most often overlooked, has been undertaken in the hospitality industry. In 2005 suicide bombers simultaneously hit Hyatt, Radisson, and Days Inn properties in Amman, Jordan. In the aftermath of the bombings, Marriott’s vice president for global safety and security, Alan Orlob, formed a hotel security working group with competitors to share information and best practices—receiving sponsorship from the State Department’s Overseas Security Advisory Council.

Do we have a good system and team in place for timely warning and action? Companies that manage political risk well do not sit back waiting for government advisories or quarterly industry reports. To develop better situational awareness, they set up effective warning systems that constantly scan a wide range of sources for information. They also establish protocols so that responses to specific conditions are triggered automatically. These protocols make clear what steps should be taken and by whom. The idea is to reduce decision making on the fly.

Companies on the front lines of managing global political risk often create in-house threat-assessment units staffed with former intelligence and law enforcement professionals who track political developments in real time. Royal Caribbean International’s team is led by a 25-year veteran of the FBI. Orlob worked in the U.S. Army Special Forces for 24 years. Chevron’s eight-person team of global risk experts has a combined 92 years of experience in government security services. These and other best-practice firms know that dedicating a team to spotting risks and developing a warning system can make all the difference.

How can we limit the damage when something bad happens? Managers can take steps to minimize potential damage long before a crisis unfolds. Relationships with external stakeholders are critical during a crisis, for instance—but building them takes time. Former secretary of state George Shultz often likens good diplomacy to gardening—you have to cultivate relationships with counterparts before you ask them to do something hard on your behalf. The same is true in business.

Step 4: Respond

Are we capitalizing on near misses? All organizations want to learn from failures. Not enough try to learn from events that could have ended poorly but didn’t because luck saved the day. Leaders must recognize and correct for the human tendency to ascribe close calls to a system’s resiliency when it’s just as likely the near miss occurred because of a system’s vulnerability. The Challenger shuttle tragedy is a classic example: Dangerous erosion of special “O-ring” seals had occurred in shuttle flights before the disaster, but the seals had never completely failed, which led NASA managers to mistakenly believe that failure was not likely.

Are we reacting effectively to crises? Good crisis management can be distilled into five steps: assess the situation, activate a response team, lead with values, tell your story (and be honest!), and do not fan the flames. Crises often involve multiple audiences—consumers, investors, journalists, activists, elected officials, federal regulators, and law enforcement officials, to name a few. Each audience can affect the others, generating new risks and making the situation worse. Managing the dynamics among the interested parties is essential.

Soon after Condi began serving as President George W. Bush’s national security adviser, a Chinese fighter jet collided with an American surveillance plane in international airspace. The Chinese pilot was killed, and the U.S. plane had to make an emergency landing in China. Its crew members were detained while the two governments negotiated the terms of their release. For President Bush, the goals were clear: The crew had to be released; America would not apologize for legally conducting surveillance in international airspace; and the relationship with China needed to be maintained. Neither country wanted to escalate the situation, but the negotiations were complicated by multiple audiences. The U.S. government could not just say, “China, you listen only to this part. Congress, you listen only to that part.” Condi was on the crisis team that met twice a day to carefully manage the response. That effort included crafting a strategy for communications that would show that the governments were working on the problem but wouldn’t increase tensions with each new statement. In the end the crew was released, and the Chinese received a letter from the U.S. ambassador to China, Joseph Prueher, expressing regret for the pilot’s death without apologizing for the incident.

Are we developing mechanisms for continuous learning? The best crisis response systems institute feedback loops for learning before disaster strikes, to lower the odds that a crisis will occur and improve the response when one does. Few companies get this right. Indeed, it may surprise you that the best continuous learning organizations that we know of are top-notch football teams. In football errors are everywhere, and success and failure are obvious. Elite coaches study wins as well as losses, analyzing each and every play. They review game tapes, make midgame adjustments, and reshuffle lineups for better matches.

Jim Harbaugh—who coached Stanford’s team and the San Francisco 49ers and is now at the University of Michigan—has a track record of turning losing teams into winning ones in just a few seasons. He likes to say, “You are getting better, or you are getting worse. You never stay the same.” In the corporate world, mechanisms for continuous learning must involve both the head and the heart: assessments of what to keep doing, what to stop doing, and what to start doing, and an inspirational approach to motivate everyone to join the journey.

Risk Management in Action: Royal Caribbean’s Haitian Crisis

Best-practice companies can attest to the value of understanding potential political risks and getting out ahead of them. Royal Caribbean is a good case in point.

On January 12, 2010, a 7.0-magnitude earthquake struck Haiti, killing an estimated 200,000 people. Three days later a Royal Caribbean cruise ship named Independence of the Seas landed in the Haitian port of Labadee, sending 3,000 passengers to swim and bask on a private beach just 85 miles from the hard-hit capital of Port-au-Prince. Public reaction was blistering. The New York Post’s headline screamed “Ship of Ghouls,” and the paper noted that passengers were jet-skiing and sipping rum while Haitians were living nearby in makeshift tents amid squalid conditions.

Royal Caribbean faced a political crisis just as dramatic as the backlash against SeaWorld after the release of Blackfish. But for the cruise line, the tide soon turned. Within days prominent news organizations ran stories highlighting how Royal Caribbean was in fact docking at the request of the Haitian government and providing desperately needed economic aid. Shortly thereafter, a survey of 4,700 people conducted by the website Cruise Critic found that two-thirds agreed with the company’s decision to proceed with scheduled cruises to Labadee.

Royal Caribbean’s success in handling the situation went far beyond its well-crafted talking points and midcrisis public relations effort—although those surely helped. The company had begun taking political risk management seriously years before the earthquake. And because it had developed strong competencies for handling man-made political risks in Haiti, it was well positioned to deal with a natural disaster there, too.

The cruise line had begun doing business in Haiti in the 1980s, when the country was wracked by political violence, instability, corruption, and poverty. The first step was finding a location in Labadee that—because of its inaccessibility by road—could provide a secluded and gated haven. Next, Royal Caribbean built ties with residents in the area by, for instance, creating a place for local merchants to sell their goods to disembarked passengers, which generated employment for local villagers. The cruise line also paid per-guest taxes to the government and worked to develop relationships at the national and international levels with Haitian officials, NGOs, think tanks, and UN organizations.

As a result, when the 2010 earthquake struck, the company had a deep reservoir of local understanding, trust, and relationships to draw upon. Its executives consulted with government officials and got their buy-in about continuing previously planned stops at Labadee. The cruise line agreed to contribute $1 million in aid, brought disaster relief supplies in on its ships, donated all Haitian shore-excursion proceeds to earthquake relief, and announced partnerships with high-profile charities to provide additional assistance. When Royal Caribbean was attacked in the press, independent advocates and experts, including NGOs and academics, came to its defense. The Haitian special envoy to the UN offered a quote for a company press release in support of continued dockings on the island.

Just as Royal Caribbean did not suddenly begin managing political risk when the earthquake hit, it did not stop once the immediate press furor died down. Six months after the earthquake, the company announced it was building a new school in Haiti, establishing a strategic partnership with three other companies to provide construction materials for housing and critical infrastructure, and launching a “voluntourism” excursion option for passengers to engage in community service onshore.

The cruise line still faces political risk in Haiti: In 2016 it had to temporarily turn away its ships when the country’s presidential election was postponed and antitourism unrest grew. But thanks to effective risk management, Haiti has proved a valuable destination for the cruise line for more than 30 years.

Without good practices in place, Royal Caribbean’s reputational crisis could have taken a very different turn. The company understood the political risks it faced in Haiti early on, analyzed them, and instituted a number of mitigation efforts before its first ship ever docked on the country’s shores. Finally, Royal Caribbean’s response plan was well executed, with clear leadership from the top. Adam Goldstein, the president and chief operating officer of the cruise line, put a human face on the crisis, using his personal blog to post frequent updates about everything from how the company made its decisions to daily meeting notes, responses to media reports, and photos of relief supplies. Company spokespeople stayed on message, expressing their empathy and their commitment to contributing to Haiti’s recovery. In the aftermath of the earthquake, all the hard work Royal Caribbean had put into political risk management paid off.

When we started teaching a political risk course several years ago at Stanford, some future trends seemed clear. But in the intervening years, we have both been surprised by political events. We might have predicted that a revanchist Russia would challenge the territorial status quo in Eastern Europe but not that it would annex Crimea. We expected the European Union to face stresses, but we did not expect Brexit. Who would have thought that Donald Trump would be elected president of the United States? Or that in the Philippines, a strongman like Rodrigo Duterte would come to power, turning his country away from the West and toward China?

No one can foresee precisely how history will unfold. But managing political risk doesn’t need to be pure guesswork. You do not have to know exactly where the risk will come from to be prepared for it. Just as world-class athletes use training and conditioning to increase their strength, executives, we hope, can use our framework to build up their political-risk-management muscles.

In the end the most effective organizations have three big things in common: They take political risk seriously, they approach it systematically and with humility, and they lead from the top.

Originally published May–June 2018. Reprint R1803L

Note

This article is adapted from Political Risk: How Businesses and Organizations Can Anticipate Global Insecurity (Twelve, 2018).