The casualties are many, and a good member as well / Outside the scenes of ravage and wreck; / … / All casualties of the war. – The Casualties, John Pepper Clark
I struggled for days with choosing the right title to articulate my thoughts on the impacts of Russia’s war on Ukraine. After deleting several titles, I settled on this one. While I confess that it does not fully capture the storm raging in my thoughts, I hope it points in a direction where businesses can rethink their growth strategy and survivability.
The loss of lives cannot be fully accounted for yet in the ongoing war. Whether a civilian or military life, the value of life outweighs any reason or logic for pursuing the path of destruction, such as the Kremlin’s determination to force Ukraine into a position of demilitarization and neutrality. Although this article addresses the survivability of business operations in the face of political uncertainty, it does not undermine the gravity of the war’s humanitarian toll. More than 1.9 million Ukrainians have been internally displaced in addition to more than 10 million who have fled the country. Organizations are in business to provide support, services or products to improve the quality of life. Hence, a disruption to businesses has a direct consequence on human life.
Business continuity and disaster recovery (BCDR) planning is an important process organizations have in place to ensure they can remain in business when a significant disruption occurs to their operations. Traditionally, a business continuity & disaster recovery plan is associated with major disruptions affecting information technology infrastructure. More mature organizations have realized that a BCDR plan should go beyond IT-related events or even cybersecurity incidents. As a result, they prepare for any potential significant business disruption. For instance, we have learnt in the last two years that a pandemic, such as COVID-19, could cause far more devastation than a ransomware attack. However, in the face of political instability, how do organizations prepare for threats that can cause irreparable damage to their operations?
I am focusing on three scenarios to highlight the debilitating impacts of political instability on business operations.
The Ukrainian Context: Normal life in Ukraine ceased on February 24, 2022, when Russia began a full-scale invasion. For Ukrainians, the focus shifted from making money or delivering services to existing. The sound of bullets and rockets targeting buildings and infrastructure is deterrent enough for any organization working on its marketing strategy or competitive advantage. In the twinkling of an eye, the goal is to resist foreign oppression and survive as a nation. This reality renders an organization’s preparedness for a major business disruption inadequate. Military actions were not the only things organizations had to contend with: Microsoft Threat Intelligence Center identified evidence of a destructive malware operation targeting multiple organizations in Ukraine. A day before the military invasion, Optiv’s Global Threat Intelligence Center accurately warned of Russian cyber offensive strategies as supplementary to kinetic military operations against Ukraine. A report on the first week of the war by Vectra showed an increase in the deployment of sophisticated and destructive malware targeting Ukrainian organizations and the use of spear phishing attacks leveraging Ukrainian language lures. This is a war executed to maximize damage and destruction of anything of value to Ukrainians.
The Russian (not the Kremlin’s) Context: Economic sanctions against Russia are designed to put pressure on the Kremlin to cease its sustained assault on Ukraine. While the Russian economy has been adversely affected, Putin’s war continues to intensify, with the destruction of Ukraine. The list of organizations that have withdrawn from the Russian market continues to grow. These organizations span fossil fuels, finance, tech, transportation, consumer goods, etc. There is a direct impact on the Russian people and businesses. For instance, Russia’s central bank doubled its interest rate, while the value of the ruble dwindled. Some banks were also banned from the SWIFT interbank exchange platform, directly limiting or, in some cases, disconnecting businesses and individuals from the international payment system. This is a demonstration of how a country’s political decision could lead to a catastrophic disruption, one which an existing BCDR playbook would not prevent or correct.
The Global Context: Cyber attacks emanating from Russia are not news. Between January 2020 and February 2022, key US security agencies such as the Federal Bureau of Investigation (FBI), National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) observed regular targeting of US cleared defense contractors by Russian state-sponsored cyber actors. Successful sophisticated attacks have been attributed to Russian state actors or cybergangs. The 2020 SolarWinds hack, which affected 18,000 public and private sector organizations, and the compromise of Microsoft cloud customers were attributed to Russian state actors. The Russia-linked REvil ransomware gang was responsible for the successful 2021 compromise of the Kaseya IT management platform. In the wake of Russia’s invasion of Ukraine, the Conti ransomware group publicly pledged support for Putin and threatened to retaliate against any country or organization that opposed the Kremlin’s interest. A threat from Conti is quite credible and should be taken seriously. The US security agencies doubled down on their warning of the threat the Conti cybergang poses to private and public sectors. The threat of a cyberwar is not limited to the US. There are concerns that Russia may target members of the North Atlantic Treaty Organization (NATO).
Though cyber insurers are worried about how the Russian war on Ukraine could lead to significant losses, cyber threats are not the only concerns of the US and the West. There have been consequential impacts on the economies of these countries as a result of sanctions imposed on Russia and its businesses. Supply chain disruption is another serious problem these countries are facing. The increase in the price of gasoline is not the only economic fallout of the war. There are concerns that the US economy would be slow in its recovery, while Europe risks recession. The US is already experiencing major impacts on different industries such as automobile, agriculture, finance and energy.
The general consensus is that Europe’s reliance on Russian energy and economic ties places the continent in a precarious situation. Europe also relies on Ukraine for more than half of its corn supply; as a result, the war has made access to corn and produce very difficult. To combat inflation, Europe’s central bank is making an early exit from its economic stimulus efforts. However, Goldman Sachs forecast an 8% inflation rate for the continent.
A Proposal for an Enterprise Sustainability & Resilience Approach
I am yet to read of any Russian company that was consulted prior to Russia’s February 24 invasion of Ukraine. Similarly, I have not come across any report of a company in the US or Europe which was consulted prior to the imposition of sanctions. While most multinational organizations took a moral stand to do what was right, a fact remains that businesses are exposed to catastrophic disruptions as a result of a preventable war. There is no doubt that these organizations are fully aware of the loss of business in Russia or Ukraine, supply chain disruption, and potential targeted cyber attacks. Other businesses that do not maintain a presence in Russia are not exempt from the disruption the war continues to cause.
The question is, “Can organizations adapt quickly to political uncertainties and create a robust business continuity & disaster recovery plan just as they have coped with a global disruption such as the COVID-19 pandemic?” Both the pandemic and Russia’s war on Ukraine share some similarities, including supply chain disruption, social chaos, misinformation, cyber attacks, economic recession, high mortality rate, dependence on foreign companies, and unpredictability. Of course, there are huge differences between the war and the pandemic, the chief differentiator being an act of premeditation and calculated carnage in the case of the war. Still, revisiting the lessons learnt from managing the disruption caused by COVID-19 might point us in a new direction.
As companies have learnt from the pandemic, a traditional BCDR plan is insufficient to address the need for sustainability and resilience in the face of a catastrophic disruption. Therefore, it is crucial for organizations to rethink why they are in business and what they need to do to remain in business. This new thinking begins with some vital questions, such as: “Why are we in business?”, “What do we need to remain in business?”, “What threats should we be concerned about?”, “What dependencies are crucial to our survival?”, “What do we need to put in place to remain operational after a major disruption?”, etc. While these questions are not exhaustive, they are fundamental to getting organizations ready for the reality of doing business in a volatile climate, thus paving the way for an enterprise sustainability and resilience consideration.
The United Nations Educational, Scientific and Cultural Organization (UNESCO) defines sustainability as a “paradigm shift for thinking about the future in which environmental, societal and economic considerations are balanced in the pursuit of an improved quality of life”. Leaning on this concept, I define enterprise sustainability as an ideology that drives organizations to critically assess risks to continued operations, identify mitigating controls to reduce those risks to an acceptable level, maximize returns and invest in growth opportunities. On the other hand, resilience requires a considerable investment in disruption-reduction resources, recovery capabilities, contingency alternatives, processes and technologies to enable an organization to remain sustainable and operational when affected by a catastrophic event. An enterprise sustainability and resilience approach is a leadership blueprint on how an organization is prepared to remain competitively operational, resilient and sustainable even when threatened by a major disruption.
Considerations for an Enterprise Sustainability & Resilience Approach
Foreign Politics and Globalization: The benefits of embracing globalization are many and obvious. In a borderless marketplace, customers want to connect with companies and products without being hampered by time constraints. Multinationals expand to new markets for growth and opportunities. However, advantageous labor and natural resources should not be the only considerations when choosing a new foreign market; it is important to reassess globalization in view of how foreign politics could adversely impact companies’ globalization strategies. Apart from researching if the prospective new market has a nationalist-protectionist agenda, organizations should also assess whether the political ideologies of the prospective country are antithetical to or critical of their countries’ political views. Critically considering how foreign politics could impact a company’s capacity to remain operational in the future is very important to its enterprise sustainability and resilience program.
Cold Site has a New Meaning: A cold site, whether virtual or physical, is an important element in disaster recovery. It functions as a backup for a business to operate in the event of disruption to the primary business location. It is not enough for organizations to have a cold site for their operations; they must also have backups for critical vendors and supply chain channels. Just as COVID-19 disrupted the supply chain because of concentrated dependence on a few countries for resources or finished products, the Russia-Ukraine war is disrupting the supply chain across multiple verticals. To remain sustainable, businesses must avoid a single source of failure by investing in alternatives for their critical operations. While cost will be an essential factor to consider, the focus should be on putting measures in place to keep the business operational at the most reasonable expense.
A Matter of National Security: In 2020, during the scramble for personal protective equipment, the US and many countries in the West struggled to procure masks and hand sanitizers because they depended on a foreign country for the manufacture of these items. While most of the brands might have been owned by American or European organizations, the very fact that those products were made in a foreign country and were subject to freight disruption was a major economic concern for organizations. This is not just an economic risk; it is a national security issue. A private-public program should be in place to incentivize organizations to invest locally in critical infrastructure, including building a resilient supply chain network. The government should create the environment that promotes competitive manufacturing and advancement without losing the requirement for accountability. For big corporations, the goal should not be focused only on making massive profits; a major part of their corporate social responsibility is to continually invest locally in sustainability and resilience programs. Corporate and individual prosperity is intricately intertwined with a country’s security and prosperity.
Economics of Local Politics: Local politics could shape the economic environment in which companies operate. Recently, some American tech giants moved their operations from states that were considered unfriendly to business. The discussion of local politics should not be limited to laws or regulations; organizations should also pay attention to social activism, cancel culture proclivity, and inclusion, diversity and equity conformance. But more notably, organizations should actively participate in shaping the direction of local politics. This, of course, is not donating money to some political ideologues to protect selfish corporate interests; this participation is more about guarding against policies and regulations that threaten economic prosperity and competitive advantage in a global market. For instance, if Russia had a strong corporate culture that influenced its political direction, perhaps Putin might have done things differently. Since no one is immune from the consequences of local politics, it will be in the interest of organizations to be actively involved in how politics affects their chances of sustainable operation.
Protecting the Secret Recipe: Insider threat is a serious business risk which can threaten the sustainability of an organization. I listened to the CEO of a superconductor company narrate how an employee stole the company’s secret source code and sold it to a foreign business partner. The partner was responsible for 80% of the superconductor company’s revenue. As a result of an insider threat activity, the company moved from being a $1.6 billion organization to a $200 million company within months and laid off two-thirds of its workforce within a year. An insider threat activity is not limited to trade secrets or data exfiltration; it extends to any activity by an employee that could jeopardize a business’ ability to remain profitable, competitively operational and resilient. For instance, intentionally underfunding a company’s resilience program because the Chief Financial Officer is not convinced of the need to have such a program in place, since there has not been an imminent threat to the business, is not only a lack of foresight but may also indicate a negligence that could as well be an insider threat activity. Having a robust insider threat program is an essential part of a company’s sustainability and resilience program.
Yes, it is Still Cyber: Investment in cybersecurity controls is as vital as the service or product a company is providing. Modern businesses depend on technology to survive. Protecting technology directly translates to ensuring businesses can continue to function as expected. A leading medical collector filed for bankruptcy after suffering a data breach in 2019. That singular adverse event interrupted the company’s ability to remain operational and sustainable. On March 9, 2022, the US Securities and Exchange Commission proposed amendments to its rules, which include requiring a company’s board of directors’ oversight of cybersecurity risk. Now, cybersecurity is not just the responsibility of the security team; it is an organizational risk and must be addressed by an organization’s top leadership. Any serious organization interested in remaining in business for the long haul should prioritize investment in cybersecurity controls to proactively mitigate technology-based threats to its existence.
Getting Back to the Drawing Board
An organization is a living organism. Its ability to adapt to changing times will guarantee its chances of survival. There will always be events that threaten an organization’s ability to remain operational and profitable for the foreseeable future. Organizations will be better prepared for such disruptions if they make considerable efforts to invest in enterprise sustainability and resilience programs.