Recent weeks have seen a significant escalation in hostilities in the Middle East, involving cross-border strikes and drone and missile attacks. Geopolitical instability is once again reshaping the global risk landscape, with the likelihood of wide-reaching and complex implications for financial firms.
While the main dispute centres on Israel, the US and Iran, escalations have spread throughout the region and include several neighbouring countries. The conflict is already creating short- and long-term operational risks and concerns, many of which have the potential to impact the financial services industry.
This blog explores some of the impacts we are beginning to see or expect to emerge over the coming weeks. It draws on publicly-reported news stories, conversations with our community of operational risk experts and some of the resources we created to support our members at the outset of the Russia-Ukraine war. It also examines the results of our risk landscape studies, which have had an increased focus on geopolitics in recent years.
How impacts are materialising in the short term
Business disruption and physical security concerns
Business disruption and physical security concerns are particularly focused around:
- The exposure of staff (including staff travelling for leisure), premises or critical infrastructure to physical threats or disruptions
- The risk that overseas firms with operations or staff in the region become direct or indirect targets of geopolitical activity
As a result, firms are considering whether or not to withdraw staff from the region. This decision is complex and involves significant reputational considerations. Some firms are responding by offering their staff the temporary option to work outside the region.
Additionally, third parties and critical infrastructure are being impacted. Drone attacks on data centres have already caused outages in the region, impacting financial services institutions.
Supply chain disruptions
Disruption to the critical maritime route of the Strait of Hormuz is leading to delays across supply chains, including crude oil, pharmaceuticals and electronic parts. This will likely have downstream effects, such as inflationary pressures as a result of rising energy and commodity costs or unavailability of technology hardware.
Information security and cyber threats
Information security and cyber threats are also a key concern, as state-affiliated and hacktivist groups increase their activities, targeting critical infrastructure and corporate systems, for example, through DDoS attacks. Early responses to our current Top Risk Review survey suggest that many are already in a state of heightened alert.
Geopolitical shocks: What we learnt from the Russia-Ukraine war
In early 2022, as the Russia-Ukraine conflict escalated, we brought together risk leaders from across our network to discuss the immediate and long-term concerns.
Key considerations identified in our discussions
- Operations: Firms with operations and entities in the region experienced a range of adverse effects from the conflict, including those related to risks such as Physical Safety and Security, Business Continuity, and Technology.
- People: Firms worked hard to ensure employees and their families in the region were safe and felt supported during the crisis.
- Sanctions: A key focus for members globally, especially when facing the challenge of how to correctly apply sanctions rules in different jurisdictions.
- Information Security (including cyber): As the information security landscape evolved, members devoted significant resources to improving cyber defences and monitoring developments.
- Social expectation and reputational risk: Stakeholders had high expectations of firms in their response to the crisis and firms were conscious of the need to handle the situation sensitively.
- Longer-term impacts: The conflict was and is still developing but firms were already considering what could happen as the situation evolved, e.g. macroeconomic impact on businesses and their client bases, supply chain and third party dependencies and critical infrastructure challenges.
What this means for the operational and non-financial risk (ONFR) function
Previous discussions with our leadership community on geopolitics have highlighted that the operational and non-financial risk function is increasingly being asked two key things.
1. React fast to the changing external environment by being agile and resilient
Being resilient is the clear overall priority and objective for financial services institutions in the face of an increasingly volatile and uncertain landscape. To achieve this, firms recognise the need for the risk function to understand the business, its exposure to the external environment and its potential vulnerabilities, for example single points of failure or concentration risk.
2. Contribute to strategic business decisions
Many issues are strategic in nature and should involve influence from risk teams, such as relocating certain activities/business functions or exiting material supplier relationships.
Example actions being taken to address ongoing geopolitical instability
Increasing focus on business continuity planning, testing and general awareness:
- Planning and testing of/with suppliers
- Rapid response communications to employees
- Revision of business impact assessments
Introducing more agile and severe scenario development and testing:
- Additional geopolitical storylines
- Increasing severity levels
- Simplified number of data fields recorded to increase the speed of development
Greater strategic involvement of the risk function around:
- Third and nth party risk and exit planning
- Setting risk appetite
- Entering/exiting markets
- Nearshoring, offshoring
- Systemic supplier risk exposure, such as ‘de-clouding’ vs. risk acceptance
- Risk function attendance at regular discussions on geopolitical developments (e.g. at senior management meetings)
More industry collaboration on cyber threat intelligence
A broader perspective
How geopolitical uncertainty and shocks impact the risk profile
Geopolitics remains one of the most prominent themes in our Risk Landscape studies, including our recent Operational Risk Horizon study. Firms typically view geopolitics as a cross-cutting risk driver with the potential to increase exposure across the risk profile.
Percentage of Top Risk Review respondents who saw the risk as one of the top five risks most impacted by geopolitical uncertainty. Taken from the Top Risk Review H1 2025.
| Risk | % respondents | Key threats |
|---|---|---|
| Information Security (incl. Cyber) | 81% | Hybrid warfare against governments, large enterprises or critical infrastructure |
| Business Continuity | 53% | Direct exposure to conflict at headquarters or local business entities |
| Third Party | 57% | Outages (deliberate or unintentional) at third parties, Concentration risk |
| Financial Crime | 41% | Rapidly changing sanction regimes |
| Regulatory Compliance | 36% | Increasing global regulatory divergences |
| External Fraud | 31% | Criminal organisations operating from countries promoting instability |
| Physical Security & Safety | 26% | Social unrest, e.g. protests, Exposure of staff to conflict and physical risk |
| Technology | 19% | Technology outages |
| Transaction Processing and Execution | 15% | Large volumes of sanctions leading to processing delays or bottlenecks |
| Data Management | 13% | Theft of data as part of hybrid warfare |
| People | 14% | Talent mobility, employee safety, mental health concerns |
| Legal | 10% | Rapid changes to the legal landscape |
| Conduct | 5% | Deregulation leading to long-term/future conduct risk exposure |
| Statutory Reporting and Tax | 4% | Changing reporting and taxation formats |
| Internal Fraud | 2% | Malicious insider activity |
| Model | 2% | Overreliance on inaccurate models |
Next steps and key resources
We'll continue to monitor ongoing geopolitical developments and work with our community to identify how we may be able to support them. In the meantime, here are some of our existing resources focused on geopolitics: