Map Geopolitical Risk Priorities Using ERM
The geopolitical status quo is changing. As of late October 2025, there are 114 armed conflicts taking place worldwide, with more than 45 conflicts occurring in the Middle East and North Africa alone, according to the Geneva Academy of International Humanitarian Law and Human Rights. These can be non-international clashes involving armed non-state actors, governmental powers, military factions, or foreign interventions, as well as international armed conflicts between different nations.
Meanwhile, previously reliable power structures are shifting and breaking down. Traditional alliances are weakening, major powers like the United States are stepping back from intervening on the world stage, and sanctions and tariffs are changing what it means to do business with different nations or regions.
Although all risks should be on security leaders’ radar, geopolitics has crept closer to center stage for stakeholders in the last 10 years, being cited more frequently on corporations’ financial reports as a notable risk, says Kelly Johnstone, senior security advisor at International SOS. Previously, Johnstone spent 20 years in federal law enforcement, later joining Coca-Cola, where she eventually rose to the position of CSO and vice president.
One of the main challenges in geopolitical intelligence and resilience, Johnstone says, is narrowing the scope by determining which factors would have the most impact on the organization and focusing resources on those elements without jettisoning all other risks that may arise.
“Most companies that were international in nature always had geopolitics as an issue because there are so many things you need to be aware of as you’re working in other countries,” Johnstone says. “But I think now U.S.-based companies are more aware of it as a risk than they were, say, five years ago. It is playing a bigger part in how we do our business.”
Geopolitics involves far more than direct armed conflict, too. Environmental factors, changing technology and associated regulations, trade wars, and shifting power dynamics can all affect private corporations and organizations, even if they do not operate internationally.
Johnstone recommends leveraging an enterprise risk management (ERM) model to map out the organization’s key priorities and potential pain points, which can then define the topics that get regularly tracked and reported to the board of directors or other decision-makers.
ERM is an integrated risk management lens that encourages the organization to view risk proactively and holistically, rather than siloed in different departments, functions, or regions. The security or risk management leader can evaluate each function’s core business channels and risks, ranking them across the board to get a top-down, enterprise view of the most significant risks that could affect the whole organization, for better or worse. ERM can help inform management about risks on the horizon and guide next steps that accept, avoid, mitigate, or transfer that risk or take advantage of that situation to seize new opportunities.
“Once you identify the risks and you identify what your acceptance level is, then you can put a plan in place to figure out how you’re going to manage that,” Johnstone says. “The problem with ERM is sometimes people just go through the checklist—‘Okay, here are the top 10 risks in the world.’ No, no, no. As a company, you really need to personalize it. Think about your business and what you’re trying to do: Are you expanding? Are you going through M&As? Are you trying to move into different markets? Are you launching a new product? All those things, you need to put into your ERM.”
Note that ERM is different from enterprise security risk management (ESRM). ERM accounts for the broader pool of risk, including security risk but also encompassing strategic, technology, credit, and market risks. ESRM focuses on security risk and its various domains, presenting security professionals as internal risk advisors to individual asset owners, wrote David Feeney, CPP, for Security Management in “A Brief Guide to ESRM Implementation.” The two approaches share common concepts, including stakeholder partnerships and holistic risk management, and they can be applied in a complementary fashion.
Those top-ranked organization-specific ERM priorities will help business leaders determine when and how to brief the board. Those conversations could be about an acute issue, such as determining whether to pull operations out of Russia following its invasion of Ukraine in 2022 and subsequent sanction action. Here, the security leader can help weigh business objectives against current and likely future conditions to recommend either staying or leaving the country.
The conversations could also be broad, especially around business expansion. The risk equation depends heavily on what actions are being considered; opening a new office in a different country will carry different risks than mining for natural resources, especially if resources are scarce and mining could negatively impact the local population.
Johnstone recommends looking at pie-in-the-sky scenarios, too. For instance, what would happen if a global manufacturer of consumer goods was no longer able to do business in China, including manufacturing and distribution? It’s worth thinking about, she says.
“ERM is the way you start positioning the company and the risks, and then letting the company decide: Are we accepting, mitigating, or preventing it from ever happening,” she adds.
The geopolitical triggers could be time-sensitive, but effective security and risk management teams will have mapped out those threats in advance and made plans around them. Consider current tariffs and sanctions, Johnstone says. Conversations with stakeholders will need to drill down into what tariff rates would be acceptable in the short-term versus long-term. What is the backup plan if the tariff for a key product component reaches an untenable level, like 80 percent? Are any sole-source providers at risk of being subject to tariffs or other penalties? Can the organization diversify its supply chain options, and if so, are there risks of political or economic backlash to changing partners, especially across countries?
“You don’t sit down in an hour and do this,” Johnstone says. “It takes a while, because you have to go through each one of them and figure out what can I accept, what can I mitigate, and what can I absolutely not tolerate, and what are the plans behind that? I look at this risk either increasing, decreasing, leveling off, so it’s constant. It really is a full-time kind of job. And that’s why you look at the top 10, because you can’t look at 150 every day.”
Having this lens, though, enables security and risk intelligence teams to focus their efforts, rather than running around and worrying about everything with the same level of intensity. Although it’s important to have intelligence-gathering about all types of risks and incidents, analysts need to review that content and determine when it aligns with or affects an ERM-level risk, and then bubble that up to management and other decision-makers.
During an incident, “You can listen to CNN and it can be telling you about this terrible crisis, but why it matters to my company needs to come from the company’s lens through the company’s analysts and our intelligence network,” Johnstone adds. “We need to look at it from our perspective, so that we can really get as much information as we can quickly.”
“It comes down to looking at what your business is trying to accomplish, and where it’s trying to accomplish that,” she says. “So, you’ve got to focus on all these risks, but with the lens of your business. Stick to the lens of your business: what’s important to your company, how you move forward, your company culture, company philosophy…. If you’re a big environmental company and that’s one of your passions, then you would look at environmental issues differently than if you were a company that sells potatoes.”
From there, it’s essential to work through those different scenarios with the necessary stakeholders and decision-makers and build tangible, practical plans to help the organization navigate geopolitical disruptions. Although real-world incidents rarely perfectly match response plans, the act of planning and workshopping solutions builds resilience and preparedness in a way that supports the organization’s unique needs and goals.
“It’s a very directly focused, intentional process,” Johnstone continues.
Claire Meyer is editor-in-chief at Security Management. Connect with her on LinkedIn or via email at [email protected].