By Dr Milo Jones

Companies should not try to identify and quantify every geopolitical threat they might face.

Leon Trotsky is believed to have said: ‘You may not be interested in war, but war is interested in you.’ Companies that want to reduce their geopolitical risk might heed his warning and scour the world for potential disasters; but they should let disaster find them.

Companies adopting the former approach analyse the myriad of geopolitical risks they read about in the newspapers or research reports, and then try to apply each of these to their own business operations. An airport bombing in Brussels? What’s our vulnerability to terrorism, they ask. A failed Turkish coup? Commission a report into the impact of regime change. An Ebola outbreak? Prepare for a pandemic.

The wrong puzzle

This geopolitical-centric approach, however, falls foul of what CIA analysts call ‘the problem of the wrong puzzle’. There are too many potential events, and too many potential outcomes, to consider. Any given event might have minimal impact to your business or be truly devastating—and in unexpected ways. As finance professor Elroy Dimson observed, ‘risk means more things can happen than will.’

Consider one of the biggest scare stories of recent times. In 1999, disaster scenario planners in New York banks were looking at how they would cope with an event that could knock out power, keep staff home, shut down markets and paralyze aircraft for days. It wasn’t a terrorist attack they had in mind. Instead, they were preparing for the so-called Y2K bug (the programming anomaly that assumed software wouldn’t be able to read the new two-digit date ‘00’ at the turn of the century). The feared Y2K catastrophe didn’t happen. But 20 months and 11 days later, a devastating terrorist attack did, and with similar consequences for business operations. The banks that had prepared for the first event, found themselves well placed to survive the second.

The lessons learnt was that companies should start by examining their own value chain for what engineers call ‘single points of failure’ (SPOF). A SPOF is a part of a system that, if it fails, can bring down the entire operation. Executives should then ask what might happen if any of these points are disrupted, whether by geopolitical or any other event, and then plan accordingly.

The US Marine Corps, in which I served, has a pithy maxim about equipment: ‘Two is one, and one is none’; you don’t know why a piece of gear might fail, you just assume it will. The same applies to a company’s geopolitical exposure—examine the SPOF not its potential cause.

The quantification illusion

In a similar vein, executives should avoid the ‘quantification temptation,’ the belief that geopolitical risks can be quantified numerically. Impressive-looking monitors, indices and scores can give executives an illusory sense of control. But a report that rates geopolitical risk in, say, Nigeria the same as Argentina obscures countless qualitative judgments and suggests dubious similarities. Moreover, the same geopolitical event will affect an oil company, a car-maker or a law firm quite differently. Remember: not everything that counts can be counted, and not everything that can be counted counts.

Instead, express the company’s vulnerabilities qualitatively. Document key assumptions, and don’t be afraid to leave some questions open. Provide a detailed examination of your value chain, country-specific inputs and customer profiles, and prioritize areas of fragility for mitigation or correction.

Geopolitical risk analysis, done right, is a laborious task. But it forms the basis of sound risk management. Your goal is not to analyse the state of the world, but to help the board determine what business trade-offs they may need to make to keep their value chain both profitable and robust.

Milo Jones is a Visiting Professor at IE Business School. This article was commissioned specifically for FT | IE Corporate Learning Alliance.

© 2017 Corporate Learning Alliance