In June 2009, Venezuelan health minister Jesús Mantilla announced that Coca-Cola’s diet soft drink Coke Zero would be banned and production halted immediately “to preserve the health of Venezuelans.”1 Coke Zero, which was aimed at young men and marketed heavily with the James Bond movie Quantum of Solace, was a major move by Coca-Cola to capture the diet soft drink market. In Venezuela, that move did not last long: Coke Zero was on the shelves just weeks before it was yanked.
The decision to ban Coke Zero in Venezuela was not about health. It was about politics—namely, President Hugo Chávez’s bid to pursue a radical socialist agenda. Chávez, who governed from 1999 until his death in 2013, embarked on an anticapitalist campaign that included attacking symbols of Western power and nationalizing large segments of Venezuela’s economy. Coke Zero was just one of his many targets.
In the oil industry, Chávez imposed enormous windfall taxes as oil prices spiked, took a majority stake in four oil projects that caused ExxonMobil and ConocoPhillips to leave the country and file arbitration claims, and seized eleven oil rigs from Oklahoma-based Helmerich & Payne. In agriculture, Chávez nationalized a rice mill operated by U.S. food giant Cargill and took control of ranches and lands owned by Vestey Foods, a British meat company. Chávez also seized the local operations of Mexico’s Cemex cement company, Switzerland’s Holcim, and France’s Lafarge. He took over large swaths of the banking, manufacturing, and telecommunications sectors. The Venezuelan strongman even nationalized the gold industry.2
When most people think about political risk, they picture someone like Hugo Chávez, a dictator who suddenly captures foreign assets for his own domestic political agenda. But the truth is that Chávez is a throwback. Expropriating leaders still exist, but they are far less common than they used to be. Wharton Business School professor Witold Henisz and Maryland’s Robert H. Smith School professor Bennet Zelner find that expropriation risk was prevalent in the 1950s, 1960s, and 1970s, but “has largely disappeared,” thanks to more robust international law and more integration between developing and developed economies.3
When you think of twenty-first-century political risk, imagine instead a crowded landscape of different actors, not just dictators banning soft drinks and commandeering oil rigs. This landscape includes individuals wielding cell phones, local officials issuing city ordinances, terrorists detonating truck bombs, UN officials enforcing sanctions, and many more. It is complicated and messy, with overlapping and intersecting players generating risks within countries and across them, often simultaneously. We simplify the picture to five major “levels of action”: individuals, local groups, national governments, transnational actors, and supranational/international institutions.
Activists and consumer advocates have been creating political risks for businesses for a long time. Ralph Nader took on the American automobile industry and succeeded in getting mandatory design standards, including the use of seat belts, implemented back in 1965.4 Today, activists have new, increasingly powerful technological tools that can dramatically increase the speed and scale of their efforts and the odds that they will succeed. Changing a company policy no longer requires face-to-face organizing, around-the-clock picketing, or testimony before Congress. Connective technologies enable people to organize and their messages to “go viral.”
Individuals do not have to be part of activist groups to generate risks these days. They don’t even need to consider themselves activists. They can be bystanders with 280 characters and a cellular network.
On Sunday, April 9, 2017, United Airlines oversold its afternoon flight from Chicago to Louisville, Kentucky. When no passengers volunteered to rebook so that four United staff members could make the flight, the airline decided to remove four passengers at random. One of them, Dr. David Dao, refused, explaining that he needed to see patients the next day. Police officers then forcibly removed him, pulling Dao out of his seat, causing him to hit his head, break his nose, gash his lip, and lose two teeth. Dao was dragged off the plane, dazed and bleeding, in front of shocked passengers. Some videotaped the incident on their cell phones and posted the footage on Twitter and Facebook. By Monday night, the videos had attracted more than nine million views, made international headlines, triggered a Transportation Department investigation, and prompted Congresswoman Eleanor Holmes Norton, a senior member of the House Transportation and Infrastructure Committee, to call for hearings.5 The Internet exploded with memes.
United CEO Oscar Munoz issued an apology that did not improve the situation. By Tuesday, United stock had lost $255 million in shareholder value6 and some analysts began worrying about ramifications for the airline’s Chinese market, after the incident attracted more than one hundred million views on Weibo, China’s social media platform. Many commented that they believed Dr. Dao was discriminated against because he is Asian.7
What could have been resolved with a rebooking incentive ended up costing United Airlines far more, all because new technology platforms have amplified the voices of individuals, making it more likely that other customers, investors, and political actors will hear them and respond.
As the old saying goes, all politics are local—and local politics can generate risks for businesses. In 2015, after intensive negotiations, the United Nations Security Council’s five permanent members and Germany reached an agreement with Iran to lift UN sanctions in exchange for Iran’s suspension of nuclear activities. On January 17, the day after sanctions were removed, Iranian president Hassan Rouhani tweeted euphorically, “The shackles of sanctions have been removed and it’s time to thrive.”8 Foreign direct investment (FDI) did start to flow, with twenty-two new projects in the first quarter of 2016, boosting Iran’s FDI ranking from twelfth in the region to third.9
Yet by April, Iranian leaders were complaining that they were not reaping the economic benefits of the deal, largely because many American unilateral sanctions remained. Which sanctions exactly? Not just federal government ones that had been on the books to condemn Iran’s sponsorship of terrorism and development of advanced missile technology. It turned out that thirty-two American state governments had imposed sanctions of their own worth billions. California law, for example, prohibited state pension funds from investing in any company that conducted energy or defense business in Iran. California’s public employee pension systems are among the largest in the United States, and if it were a country, its economy would be the sixth largest in the world.10 Some estimated that the state’s investment ban totaled close to $10 billion. Florida’s state law similarly prohibited retirement fund investment in companies conducting oil business in Iran, resulting in $1 billion of divestment. Although the nuclear deal required that the U.S. government “actively encourage officials at the state or local level to take into account the changes in the U.S. policy… and to refrain from actions inconsistent with this change in policy,” several governors made clear that they had no intention of lifting sanctions. Texas governor Greg Abbott was one of them. “I am committed to doing everything in my power to oppose this misguided deal with Iran,” Abbott wrote to the Obama administration. “Accordingly, not only will we not withdraw our sanctions, but we will strengthen them to ensure Texas taxpayer dollars are not used to aid and abet Iran.”11 Analysts expected protracted litigation.
Labor union disputes are a more common example of how political risks generated locally can have reverberating effects globally. About half of all cargo entering or leaving the United States transits through ports on the West Coast, notably Long Beach and Los Angeles. In June 2014, the labor contract between the International Longshore and Warehouse Union, which represents about twenty thousand port workers, and the Pacific Maritime Association, which represents shippers and negotiates contracts with port employees, expired. For the next several months an impasse in negotiations led to work slowdowns, suspended night and weekend operations, and congestion in key western U.S. ports, leading many multinational companies to reroute shipments to Canada, Mexico, and the eastern United States. The situation became so serious that Labor Secretary Tom Perez joined the negotiations and threatened to force both parties to Washington if they could not reach a resolution. They eventually did, but not until February 2015, nine months later.
Big shippers like Walmart, Home Depot, and Target were able to capitalize on a diversified shipping strategy that enabled them to reroute cargo and avoid stock-outs. However, longer shipping routes increased shipping time and costs, doubling the typical two weeks it took to transport goods from Asia to Los Angeles. Smaller companies and agricultural businesses were particularly hard hit. Because farmers have to use ports close to where products are grown, many agricultural containers were stranded outside Los Angeles, where warm weather accelerated spoilage.12 The Agriculture Transportation Coalition estimated that losses in agricultural sales reached $1.75 billion per month.13
Outside of local officials and labor negotiations, the most common examples of local-level political risk generators are “not in my backyard,” or NIMBY, movements. In 2008, for example, Monterrico Metals, a London company acquired by China’s Zijin Mining Group, was set to develop a copper-molybdenum project in northern Peru worth nearly $1.5 billion. Local opposition groups filed a referendum to block the project. As a result, the company found itself scrambling to bolster local support by adding local social programs. “We’re trying to make friends,” said company chairman Richard Ralph.14
Closer to home, a NIMBY movement led by rural landowners in Nebraska put a halt to TransCanada’s Keystone XL pipeline, a twelve-hundred-mile-long project spanning an area from Canada to Texas. In 2012, ranchers whose land would have been impacted by the pipeline filed a lawsuit against the state challenging a new law that allowed the Nebraska governor to unilaterally approve the project. Local opposition sparked a national debate that led President Obama to nix it. In 2017, President Trump signed an executive order clearing a major hurdle for the pipeline to be completed.
As we will see, companies that manage risks well recognize the importance of building relationships with local stakeholders before opposition mounts. Being a good neighbor is good business. Alcoa, for example, initiated a major public outreach and communications campaign in Brazil two years before the company opened a bauxite mine there. In addition, it created a multi-stakeholder council to enable continuous communication with civil society organizations and local residents and established a $35 million development fund for initiatives proposed by the community. Alcoa executives had watched competitors face fierce local opposition in Brazil (including physical breaches that had temporarily shut down railroads and mines) and were determined to avoid the same fate. As one international mining investor put it, “You’re in their backyard and they need to be on your side. Violent opposition on your doorstep is extremely disruptive.”15
National governments pose evident risks through their power to tax, regulate, confiscate, expropriate, make or break commitments, and shape capital markets. Sometimes divisions within governments pose risks for businesses. Whether a regime is authoritarian, totalitarian, or democratic, all governments organize activities into offices with specialized portfolios and competencies to get the work done, each with its own incentives, interests, traditions, and ways of doing things that can conflict with others. Jurisdictional lines of authority between agencies at the federal level can at times be blurry or contested, generating uncertainty and facilitating corruption in specific industries and situations.
One of the more dramatic jurisdictional disputes arose due to the collapse of the Soviet Union. Practically overnight, assets and territory that had been under Moscow’s control became the property of newly independent states.
Chevron was one company that felt this impact. The company acquired an oil and gas concession near the city of Atyrau in the Soviet republic of Kazakhstan in 1989. Before any production could take place, Kazakhstan became an independent state. Chevron faced thorny questions. Was the company’s contract still valid in this newly formed nation? Would the Kazakhs have different regulations or requirements than the Soviets did? Clearly, negotiations would now go through Almaty, then the Kazakh capital, and its president, Nursultan Nazarbayev. Nazarbayev had been a member of the Soviet Politburo. Would Russia, the legal successor state to the Soviet Union, make claims to Chevron oil revenues as well?
More often, national governments as a whole pose risks. Most countries consider particular industries to be intimately tied to the national interest. These are called “strategic industries.” Russia, for example, considers oil and gas to be a strategic industry, leveraging the full power of the state both to protect its state-owned gas giant, Gazprom, and to use the company for political advantage against European countries that rely on Russia for a substantial portion of their energy supplies. Long considered the Kremlin’s hammer, Gazprom cut off energy supplies to Europe in 2006 and again in 2009 during times that coincided with rising political tension. Russia’s “pipeline politics” were serious business.
Many European countries used to consider telecommunications strategic industries until technological advances led to the demise of landlines and the disintermediation of the business model. China’s state capitalism model considers nearly every industry to be strategic, even the Internet. Lu Wei, who came from the propaganda department to serve as China’s Internet czar until he was sacked in 2016, told foreign dignitaries in 2015 that “online space is made up of the Internets of various countries, and each country has its own independent and autonomous interest in Internet sovereignty, Internet security and Internet development.”16
If China sits at one end of the strategic industry spectrum, the United States sits at the other. Where the state in China has a large hand in every important industry, the U.S. government has always been allergic to state ownership of industry. As Condi puts it, “We just didn’t grow up as a country that way.” Economic debates at the nation’s founding were about charging government tariffs to private industry, not replacing private industry with state-owned “strategic” businesses. Vital industries to American growth, including most notably the railroads, remained in private hands. For the U.S. government, the “national interest” has always meant breaking up private monopolies, not asserting government ownership. Moments where the federal government has taken an ownership stake in private firms have been rare, temporary, and crisis-driven.
This American orientation nearly put Stanford University out of business in its earliest days. When Leland Stanford died in 1893, the U.S. government sued his estate to cover long-term government loans he had used to build the Central Pacific Railroad. While the case was being settled, Stanford’s assets were frozen. As a result, his widow, Jane Stanford, scrambled to keep the family’s fledgling university operating. She tried to sell her jewelry collection to purchase books for the campus library but found no buyers. She ended up funding the university for six years from her personal household allowance and put the faculty on her household payroll.17
The American experience is exceptional. Most countries consider some key industries to be within the national interest and will use the full power of the state to protect them. Companies seeking to move into a foreign market would be wise to understand whether their industry is one of them and plan accordingly.
Technology has enabled transnational groups of all types—nongovernmental organizations, activists, international labor unions, cyber vigilantes, criminal syndicates, terrorists, militias, and religious and ethnic organizations—to become more significant sources of risk for businesses. Cyber groups are newest on the scene. In February 2015, a cyber security firm discovered that an international group of cyber criminals, dubbed Carbanak, had stolen as much as $1 billion from a hundred banks in thirty countries over two years, the worst known cyber heist in history.18 In addition to cyber criminal networks, the last decade has seen the dramatic rise of “hacktivist” organizations like Anonymous and LulzSec. Described by many as Internet vigilantes, these leaderless groups are loosely organized, global online communities that are driven by a shared sense of outrage against any action or entity that restricts the free flow of information on the Internet. They have vandalized, pranked, stolen data from, and waged distributed denial-of-service (DDoS) cyber attacks on a large and varied set of targets, including entertainment companies and industry associations, financial services companies, American military contractors, the Vatican, Arab dictatorships, pornography sites, the San Francisco Bay Area public transit authority, the CIA, and the FBI.
In cyberspace, membership in various communities and groups can be both fluid and anonymous. The relationship between individual hackers, groups, and governments is often unclear. And even when a particular breach can be traced to a computer, determining just whose fingers are on the keyboard and whether that person is part of an organization that is tolerated, encouraged, directed, or even employed directly by a nation-state is a significant intelligence challenge.
In June 2017, for example, a cyber attack called “NotPetya” disabled computer systems worldwide. The ransomware attack disrupted everything from radiation monitoring at the Chernobyl nuclear site to shipping operations in India, and its victims ranged from Russian oil company Rosneft to American pharmaceutical giant Merck. The worm permanently encrypted the hard drives of tens of thousands of computers and demanded that owners pay a Bitcoin ransom to regain access. Except that the virus never allowed users to recover their data even if they paid the ransom. Instead, it permanently damaged the machines it infected. Exactly who was responsible for the NotPetya attack? Security researchers and law enforcement officials initially were not sure. The malicious code was for sale “in the wild,” for anyone to buy and launch from the comfort of their personal computer. A group calling itself Janus Cybercrime Solutions authored the malware and got a cut of any ransom paid. Attackers also utilized a cyber tool called EternalBlue—a highly classified cyber vulnerability that the National Security Agency (NSA) was stockpiling until it was somehow stolen from Fort Meade and then leaked online by a shadowy group calling itself the Shadow Brokers. And just who are the Shadow Brokers? A corrupted insider at NSA? A nonstate actor group? A foreign government? Some combination of these actors or something in between? Were the Shadow Brokers responsible for stealing EternalBlue or just for releasing the secret code on the Internet for bad guys everywhere? These are just some of the vexing questions. Notably, even after investigators successfully traced the method of the global cyber attacks, clues about the intent of the attackers were harder to decipher. Since NotPetya initially targeted businesses and government offices in Ukraine before spreading globally, some quickly pointed to Russia.
However, a major Russian bank and mining company were also struck and international companies were affected, costing billions in cleanup costs and lost revenue. It took eight months before the British and American governments publicly attributed this cyber attack to Russia as “part of the Kremlin’s ongoing effort to destabilize Ukraine.”19
As these examples suggest, politics, technology, and business can be a combustible mix. Technology is enabling groups to find, recruit, and galvanize like-minded members across geographic boundaries at little effort or cost. The ability of these groups to take politically motivated action—in virtual space, physical space, or both—poses new and rising challenges for governments and businesses alike.
Supranational institutions, like the European Union, are made up of several countries who agree to participate in decision-making for the group as a whole. International institutions are bodies like the United Nations that function on behalf of essentially all nations in the world.
If individuals lie at one end of the “level of action” spectrum, supranational and international institutions lie at the other. Individuals start with the power of one. Supranational and international institutions start with the power of many. Individuals operate in informal ways, bringing others to the cause. Supranational and international institutions are formalized organizations that bind countries and hundreds of millions of people together. They have bureaucracies and offices, specific rules and procedures, and collective capabilities and punishments that can be directed at member states. With so many members, action is often difficult. But at times, these institutions can impose their will deep inside the economies and societies of member states, which is why they are so rare. Ever since the Treaty of Westphalia of 1648 established the principle of national sovereignty, countries have, for good reason, always been wary of relinquishing sovereignty to a collective.
The purpose of European integration was initially quite grand—nothing less than an effort to prevent war for all time on a continent that had experienced more than two hundred years of destructive conflicts. The EU and its forerunners were designed with the idea that if Germany and France were bound together, if their political and economic fates were tightly intertwined within broader European institutions, they would never go to war again.20 From the point of view of its neighbors, Germany could be powerful but not dangerous. The idea was something akin to what political scientists call the democratic peace—the finding that democracies do not fight one another.21 Not only did Germans accept this idea, they embraced it.
Condi saw this firsthand during negotiations for the unification of Germany. It was very clear that German chancellor Helmut Kohl was anxious to unify the country. The Soviet Union was in retreat and he knew that he would be the chancellor who delivered on the forty-year dream of Germans to live again as one people. It was equally clear that he was uncomfortable with any suggestion that Germany would again be powerful in its own right. Thus, whenever an American official said that we welcomed a unified Germany, Kohl would interrupt. “Within a unified Europe,” he would say.
This explains in part the psychological attachment of Europeans, and particularly Germans, to the European Union. Yes, they have hoped that the common market will lead to greater economic growth. Yes, they have aspired to make the European Union a political force, equal to the United States and China in world affairs. But they credit the EU with something far more important: peace on the continent.
For those outside of it, whether countries or businesses, the European Union is more likely to be seen as a complicated entity that is difficult to navigate. Henry Kissinger is said to have asked, “When I have a problem, do I call Brussels or London, Paris, or Bonn [then the capital of West Germany]? As secretary of state, I found it better to call all of the above.”
In many ways, Kissinger is still right. The EU actually has three key institutions: the European Parliament, the European Council, and the European Commission. The European Parliament consists of legislators who are elected on a Europe-wide basis. In truth, though, it has relatively little power to make consequential laws—that function is largely reserved for national legislatures. The European Council includes the heads of state and government, as well as other lower-ranking ministers. It is a powerful institution, but it meets only periodically, tends to reinforce sovereignty, and on the most important issues must achieve unanimity among states as varied as Germany and Spain, Slovakia and Sweden.
The European Commission (EC) is a permanent bureaucracy in Brussels with twenty-eight commissioners, nearly thirty-three thousand staff, and a budget of €155 million. The commission is arguably the most powerful and coherent of the EU’s institutions. It is also the least democratic since its commissioners are appointed, not elected. Moreover, although the EC has a carefully delineated set of “competencies” or areas of jurisdiction, actual policy issues can overlap in confusing ways. For instance, energy policy is largely the purview of the individual states. Germany bans nuclear power, while France gets 80 percent of its generating power from this source. But environmental policy is largely within the jurisdiction of the commission. So, is the use of fracking technologies an environmental issue or a matter of energy policy?
The United Nations was founded in 1945 to promote international cooperation on issues such as peace and security, terrorism, humanitarian crises, and sustainable development. Today it includes 193 member states, nearly every country in the world. The five permanent members of the UN Security Council—the United States, the United Kingdom, Russia, China, and France—wield veto rights. The UN’s large membership and its veto structure mean that Security Council resolutions are difficult to enact and enforce. But hard does not mean impossible. The UN has imposed multilateral sanctions twenty-six times on twenty-two countries since its founding.22 UN sanctions can have an effect, and they at least inject greater market predictability by leveling the playing field. International binding sanctions are usually preferable—even with their drawbacks—to ad hoc arrangements by one nation or a few.
For example, following the Iranian revolution and the seizure of more than fifty American hostages in 1979, the United States imposed unilateral sanctions on Iran. The UN Security Council, however, did not impose sanctions until a 2006 resolution passed unanimously amid rising international concern about Iran’s nuclear activities. One result of the lag between American and UN sanctions was that American companies were kept out of Iran while some of America’s closest allies continued to do business there. When the Security Council’s sanctions were finally instituted, Iran’s two biggest trading partners were Japan and Germany.
Ironically, elaborate sanctions that are in place for a long time tend to get weaker. Those levied against Saddam Hussein after the 1991 Gulf War are a case in point. Everyone knew that the Iraqis were selling oil on the black market well in excess of what was allowed. But the UN and the international community turned a blind eye to the practice because it benefited so many countries. Moreover, sanctions on Saddam’s ability to buy equipment with potential military applications eroded as the UN committee that was supposed to oversee these prohibitions became a place of constant bickering. By 2001, the sanctions regime against Iraq was in tatters.
Iraq is of course an extreme case, but sanctions regimes generally suffer from lax enforcement. This is due in part to the fact that countries are responsible for policing themselves. Not every state lives up to the letter (or even the spirit) of the law. And because the negotiations often result in least common denominator approaches with vague language, loopholes abound and states take advantage of them.
What about the political actions that all of these risk generators take? What do businesses need to worry about most? Here, too, the list is long and growing. We summarize the ten major types of political risk in the table here and discuss each one.
You will notice that two major risks are not on the list: climate change and economic risks. We excluded them for analytical reasons, not because we think they are unimportant.
Climate change is a global challenge that directly threatens agricultural production, vital ecosystems such as coral reefs, and the welfare of millions of people living in low-lying coastal areas. Rising temperatures are already spurring interstate rivalry over rights in the Arctic, where rapidly melting ice sheets have created a new ocean, and severe droughts and other major weather events are inflaming conflicts in weak states. But climate change is more of a risk multiplier than a separate risk category. It creates the environmental circumstances that trigger political actions, from social activism by environmental groups, to new environmental laws and regulations, to civil wars and interstate conflicts. Our top ten list covers these risks already.
The omission of economic risks to companies is also deliberate. Most businesses think about economic risks routinely, examining indicators like inflation, labor markets, growth rates, unemployment, and per capita income across markets. MBA programs teach about these risks, and Amazon.com is filled with business books about them. Our focus is different. We are interested in how political actions affect businesses, a topic that receives surprisingly little attention in MBA courses or business books but that causes a great deal of concern in boardrooms and C-suites. Corporate boards and executives often think about political risks but have few resources to develop a more systematic understanding or management of them.
Ten Types of Political Risk
Geopolitics: Interstate wars, great power shifts, multilateral economic sanctions and interventions
Internal conflict: Social unrest, ethnic violence, migration, nationalism, separatism, federalism, civil wars, coups, revolutions
Laws, regulations, policies: Changes in foreign ownership rules, taxation, environmental regulations, national laws
Breaches of contract: Government reneging on contracts, including expropriations and politically motivated credit defaults
Corruption: Discriminatory taxation, systemic bribery
Extraterritorial reach: Unilateral sanctions, criminal investigations and prosecutions
Natural resource manipulation: Politically motivated changes in supply of energy, rare earth minerals
Social activism: Events or opinions that “go viral,” facilitating collective action
Terrorism: Politically motivated threats or use of violence against persons, property
Cyber threats: Theft or destruction of intellectual property, espionage, extortion, massive disruption of companies, industries, governments, societies
First and most broadly, political risks arise from geopolitical events like major wars, great power shifts, and the imposition of multilateral sanctions or military interventions. These events can redistribute power among countries and generate reverberating effects across markets. Many market effects are direct and immediate—think back to what happened to Chevron with the collapse of the Soviet Union. But as we will keep underscoring, the indirect effects of geopolitical events are often hidden and yet just as important for businesses.
Dow Corning, an American silicone products manufacturer, provides a good example of the indirect effects from major geopolitical events and how to handle them. In the spring of 2003, it looked like the United States and Iraq were heading for war. Dow Corning executives were paying attention. They figured that war in Iraq would probably produce shipping capacity shortages across the Atlantic, since the United States would need to mobilize large numbers of troops and large amounts of equipment and materiel. This was exactly what happened. But before then, Dow decided to stockpile inventory and accelerate its own shipping schedule, actions that later enabled the company to mitigate the impact of wartime shipping capacity reductions on its operations.23
Conflicts within countries are often just as serious for businesses as conflicts between them. Internal conflicts include social unrest, ethnic violence, and federalist discord about the appropriate allocation of power between central and regional governments. In more extreme cases, federalist disputes evolve into separatist movements, such as Scotland’s referendum to secede from the United Kingdom in the fall of 2014, or Catalonia’s referendum to secede from Spain in 2017, or the Kurds’ efforts to secure independence from the central Iraqi government, a struggle that has simmered and boiled over repeatedly since the end of British rule there in 1932.
Ultimately, internal conflict may lead to civil wars, coups, and revolutions, producing mass migrations into neighboring countries. The past several years have witnessed a dramatic rise in the number of displaced persons fleeing conflict zones resulting from enduring conflicts such as Chechnya, Darfur, Somalia, and Afghanistan, as well as newer conflicts such as the Syrian, Yemeni, and Burundi civil wars. In 2015, the United Nations high commissioner for refugees found that political conflict and persecution had displaced more than sixty-five million people, the highest number ever recorded in the agency’s fifty-year history. That number amounted to one person in every 113 people on earth, or a population greater than that of Canada, Australia, and New Zealand combined.24
Mass migrations disproportionately affect neighboring states. In 2015, for example, six hundred thousand Ukrainians left Ukraine seeking political asylum or other forms of legal stay in neighboring countries.25 In 2016, Syrian refugees were estimated to constitute 10 percent of Jordan’s total population.26 In 2017, more than five hundred thousand Rohingya fled violence and persecution in Burma by traveling to Bangladesh.27
It should come as no surprise that internal conflict can severely impact economic welfare. Coups are associated with a cumulative 7 percent reduction in national income.28 Political scientist Jay Ulfelder finds that economic growth slows on average by 2.1 percentage points in the year of a coup.29 Disruptions in business operations, displaced labor forces, sudden policy changes, corruption—these are just a few of the economic aftershocks that often add to human suffering in conflict-ridden areas. Even businesses with the best of intentions, robust corporate social responsibility programs, and strong relationships with diverse country stakeholders can find themselves facing significant challenges, including reputational risks.
Laws, regulations, policies, and the structure of business ownership vary considerably around the world. Global business investors and executives, of course, know this. For Marc Andreessen of the Silicon Valley venture capital firm Andreessen Horowitz, regulatory risk is top of mind. “Regulatory capture is probably the single biggest government risk that our start-ups think about,” he told us.
Yet businesses can miss and get burned by legal, regulatory, or policy changes if they assume that political stability and policy stability are the same thing. They aren’t. Even if a country’s regime is stable, its ownership rules, taxation, environmental regulations, and other laws and policies may not be. Political risks for businesses exist even in seemingly “safe” countries with relatively well-established legal regimes, well-functioning bureaucracies, well-respected currency controls, and low levels of corruption.
In our course, we first wrote a case in 2011 about a shale gas play in Poland by an Irish company called San Leon Energy. By all accounts, Poland looked like a good bet. Geologists estimated that the country had some of Europe’s largest recoverable shale gas reserves. Poland also had a fervent desire for energy independence from Russia (which provided about two-thirds of its energy needs), a relatively professional bureaucracy with moderate levels of corruption, and more than twenty years of democratic rule. In fact, Poland had agitated against Soviet rule throughout the Cold War, and in 1989 became one of the first countries in the former Soviet bloc to democratize. In 2011, fracking was strongly supported by all of Poland’s major political parties.
What San Leon did not expect was that strong domestic political support for fracking would lead the Polish government to overreach. Seeking greater revenues from shale gas exploration, the government in 2013 proposed dramatically increasing taxes to nearly 80 percent of profits and establishing a state-owned company that would take a compulsory minority stake in shale investments.30 “What’s been done here is what Poles call dividing up the bear hide before you’ve shot the bear,” said Tom Maj, the head of Polish operations for Canada’s Talisman Energy. “This has been hugely damaging to the shale gas project.”31 Essentially, the government was planning to increase the regulatory burden on an industry that had yet to develop.
Prime Minister Donald Tusk’s government eventually reversed course, but not before Talisman and Marathon Oil pulled out in the spring of 2013.32 Regulation, taxation, and state involvement in oil drilling added tremendous political uncertainty to the geological and economic uncertainty of shale gas exploration already at play.
In the summer of 2015, we were talking through the San Leon case and its broader implications for this book when Condi commented, “Taxes aren’t usually a sudden market-distorting risk. Governments are always adjusting some policies like taxes, and most companies watch that carefully. It’s really about the suddenness and the gravity of change.” The more we talked and thought about it, the more it struck us that businesses needed to think of policies, laws, and regulations along a continuum. At one end of that continuum are those that are almost always changing in some way, like taxes, and that typically result in incremental, manageable effects for global businesses. After the 2008 global financial crisis, for example, more than forty countries cut their corporate income tax rates, many of them temporarily, to stimulate business activity.33 Another sixteen economies introduced new taxes such as environmental taxes, road taxes, and labor taxes.34 In the middle of the continuum are policies like foreign ownership rules that change less frequently but when they do change are typically more consequential. At the extreme end of the continuum are major departures from the status quo like new “champion rules” that essentially close markets to foreign competitors. These types of policy changes occur more rarely, are harder to see coming, and are more difficult for a business to absorb. In these cases, policies create large market-distorting effects.
This is exactly what happened in 2002, when China proposed new policies stating that a Chinese government agency could buy only Chinese software. The government’s goal was to stimulate the development of indigenous software companies. The effect, however, was to ban foreign software firms from selling to state-owned enterprises, which constituted 80 percent of the Chinese market.
Sometimes governments need not go through the effort of changing national policy to create political risks for businesses. Instead, they can simply renegotiate, renege on, or violate existing contracts, or, in extreme cases like Hugo Chávez’s, expropriate foreign assets entirely. As we noted at the start of this chapter, outright expropriations have become rare. But renegotiating or reneging on contracts, including politically motivated credit defaults, is more common. A 2004 World Bank study found that 15 to 30 percent of contracts in the 1990s involving $371 billion of private infrastructure investment were either renegotiated or disputed by governments.35 And as Harvard economist Ken Rogoff notes, “Most countries have gone bankrupt at least a couple of times.”36 Countries defaulting on their national debt since 1995 include Russia, Pakistan, Indonesia, Argentina, Paraguay, Grenada, Cameroon, Ecuador, and Greece.37 Argentina has defaulted twice in thirteen years. Ecuador and Venezuela have defaulted ten times in their history, and four other countries have failed to pay their debts nine times.38
In some cases, countries are simply unable to pay their debts. In others, countries are unwilling to repay foreign creditors for domestic political reasons. As our Stanford colleague Mike Tomz and his coauthor Mark L. J. Wright note, “When governments appropriate funds to service the foreign debt, they are making a political decision to prioritize foreign obligations over alternative goals that might be more popular with domestic constituents.”39 Sometimes, governments prefer to lose access to credit markets abroad rather than the support of constituents at home.
Russia, for example, defied economists’ predictions in 1998 by essentially defaulting on its debt and allowing the ruble to float, which devalued the currency considerably and sent inflation surging to 80 percent. Many economic analysts were caught by surprise by this move because they examined only whether Russian leaders could pay off their debt, not whether they would. As it turned out, the Yeltsin government faced strong domestic pressures from striking workers, unions, and industry groups to devalue the ruble and stimulate exports.40
Ecuador in late 2008 failed to repay part of its national debt—for the second time in a decade—because the country’s populist president, Rafael Correa, knew the move would be seen favorably by left-wing voters in the run-up to his bid for reelection in April 2009.41 As Claudio Loser, the former director of the International Monetary Fund’s Western Hemisphere department, noted, “The financial need wasn’t so great that it was forced to declare a default.”42 In Ecuador, as in Russia, domestic political considerations trumped economic ones.
Domestic political factors also figured heavily into Greece’s 2015 default woes. Although that nation had been confronting a looming economic crisis for years, the election in January 2015 of leftist prime minister Alexis Tsipras sent the country spiraling toward default. Tsipras’s Syriza party ran on a single issue: rolling back Greece’s austerity measures, which were a condition of the country’s international bailout. And roll back he did, raising the minimum wage and cutting taxes, and in June 2015 making Greece the first developed country in history to default on its debt obligations to the International Monetary Fund.43
Russia, Ecuador, and Greece suggest why political risk analysis is so important, even with issues that are so intimately tied to a nation’s economy. National decisions about economics are never just about economics.
For the international community as a whole, corruption is a serious problem, hindering economic development, spurring transnational crime, and even fueling extremism and terrorism.44 For individual businesses, it is a recurring and ubiquitous challenge. The United Nations estimates that corruption adds a 10 percent surcharge to the cost of doing business in many parts of the world, and the African Union found that in the 1990s a quarter of Africa’s gross domestic product was lost to graft.45
The World Bank broadly defines corruption as “the abuse of public office for private gain.”46 As Sarah Chayes of the Carnegie Endowment for International Peace puts it, “That means when you have to be paid money on the side to do your job, or you can be paid not to do your job. It means the monetization systematically of public service.”47 Corruption includes, among other things, the payment of bribes or special favors by private interests to secure or breach government contracts; gain special access to schools, medical care, or other favorable business opportunities; reduce taxes; secure licenses or exclusive rights; or influence legal outcomes.48
Corruption cannot be avoided. In Transparency International’s 2014 corruption perceptions index, no country earned a perfect score of 100 (on a scale where 0 is highly corrupt and 100 is very clean). Only two countries (Denmark and New Zealand) scored above 90. Two-thirds of all the countries in the world scored below 50. These included half of all G-20 countries and all of the large emerging-market BRIC countries (Brazil, Russia, India, and China), of which Russia scored so low, it was tied with Nigeria and Kyrgyzstan.49
Emerging markets are particularly prone to corruption for two reasons. First, their economic and political spheres are highly interdependent, which provides incentives for bribery. When public officials have discretionary power over the distribution of private-sector benefits or costs, the opportunities for corruption are high. Second, emerging markets typically have weak institutions. As a result, many laws are on the books, but the rule of law is not practiced systemically or predictably. A customs officer, for example, can appeal to the law to threaten punishment of a foreign company for not filling out a form correctly at the same time that he demands an under-the-table payment to overlook the transgression.
In addition to increasing the costs of doing business in foreign markets, corruption leaves companies at risk for criminal and civil prosecution as well as heavy penalties under the American Foreign Corrupt Practices Act (FCPA) and the United Kingdom’s Bribery Act 2010. For decades, the United States was the only nation in the world that banned bribery. In fact, bribes used to be tax deductible in Germany.50 Those days are over. In 2005 the passage of the United Nations Convention Against Bribery signified changing international norms and a growing global anticorruption movement. The United Kingdom’s antibribery law came into force in 2011. Enforcement of the U.S. law has increased substantially in recent years as well. Lockheed Martin’s 1994 corruption fine of $25 million held the record for many years. In 2008, Siemens settled the largest FCPA case in history, paying voluntary fines, penalties, and profit disgorgements of $1.7 billion to U.S. and German authorities. In 2009, Halliburton settled a bribery case by paying a $559 million fine.51 Corporate penalties in 2016 under the FCPA totaled $2.5 billion, the highest in history,52 and included four landmark settlements that are among the ten highest in FCPA history. The largest, of $519 million, was paid by Teva Pharmaceuticals, an Israeli generic drug manufacturer charged with bribing government officials in Russia, Ukraine, and Mexico.53
Both U.S. and U.K. anticorruption laws are extremely broad,54 banning gifts to any foreign government official even if the gift is given by a company contractor or third-party vendor and even if it is given in places where the practice is common. “Gifts” can be almost anything—a discount on a product, a donation to a charity, a used laptop, even payment for funeral expenses, which is a common form of tribute in many countries. The title “government official,” moreover, may be held by just about anyone. In China, for example, doctors and university professors are considered state employees. The extraterritorial reach of both laws is wide, applying to the business dealings anywhere in the world of any company with a presence in either the United Kingdom or the United States.
Corruption laws are one example of a more general political risk: the extraterritorial reach of powerful states into the affairs of others. American laws extend most broadly, as the 2015 arrests and indictments against fourteen international soccer officials showed. The arrests included a made-for-TV early morning international raid in which Swiss police descended on a luxury hotel in Zurich, nabbing seven high-ranking Fédération Internationale de Football Association (FIFA) officers. Hotel officials erected a shield wall of luxury bed linens in a futile attempt to protect the FIFA officials’ identities as police carted them away—a moment captured on video and replayed around the world. The raid was a vivid display of the long arm of the law: Swiss police arresting soccer officials from Brazil, the Cayman Islands, Costa Rica, Nicaragua, Uruguay, Venezuela, and the United Kingdom so that they could be charged and tried in American courts for violating U.S. anticorruption laws.55
U.S. “311 sanctions” also have extraordinary reach. Developed as an antiterrorism tool shortly after 9/11, section 311 of the USA Patriot Act grants the Treasury Department’s Financial Crimes Enforcement Network the authority to sanction countries and financial institutions anywhere in the world if they are linked to money laundering. No presidential action or new action by Congress is required. Perhaps most important, these sanctions bar any targeted institution from banking with any American financial institution, essentially cutting off the targeted country or bank from worldwide trade in U.S. dollars. What’s more, any third party doing business with a targeted institution of a 311 sanction can also be barred from conducting business with any American financial institution. Targets of 311 sanctions include Iran, Burma, Ukraine, Nauru, and banks in Syria, Macau, and Latvia. The consequences of these sanctions can be severe. The Lebanese Canadian Bank, which was accused of transferring money for Hezbollah, was forced to close. Another targeted bank lost 80 percent of its business.56
The signaling effects of 311 sanctions can be powerful as well. In 2005 the United States put Macau-based Banco Delta Asia on the 311 sanctions list for its involvement in North Korea’s illegal activities. Global banks took notice: North Korea was off-limits. However, when the United States later sought to lift the freeze on $25 million in North Korean assets at Banco Delta Asia as part of ongoing nuclear negotiations with the Hermit Kingdom, no bank in the world wanted to process the transaction.57 Condi remembers how Chris Hill, U.S. envoy to North Korea, spent weeks trying to recruit a bank to execute the transaction, offering assurances that the United States would not punish any institution for its involvement in the deal. “Still, nobody wanted to touch it,” Condi recalled. “Even the Central Bank of Russia wouldn’t do it alone. So the Central Bank of Russia and the Federal Reserve Bank of New York worked together to process the transfer of North Korea’s $25 million. Talk about an unusual partnership.”
In 1960, the Organization of the Petroleum Exporting Countries (OPEC) formed to take oil pricing out of the hands of the “seven sisters” multinational oil companies, which at the time controlled most of the world’s petroleum extraction and shipping outside the communist bloc. OPEC’s own website notes that in the 1970s, member countries “took control of their domestic petroleum industries and acquired a major say in the pricing of crude oil on world markets.”58 During the 1973 Arab-Israeli War, Arab members of OPEC launched an oil embargo against the United States, Portugal, South Africa, the Netherlands, and other countries that supported Israel. The effects were extreme and global: Oil prices quadrupled, triggering high inflation and economic slowdowns in the United States, Europe, and Japan, giving rise to the term “stagflation.” For energy companies, the crisis eventually triggered investment in new exploration outside of OPEC countries—in Alaska, the North Sea, the Gulf of Mexico, and Canadian oil sands—as well as investment in alternative power sources. Today, world oil production is 50 percent higher than it was in 1973.59 For automakers, the oil shocks of the 1970s led to new American fuel efficiency standards that transformed the industry.60
While OPEC’s influence has waned with the rise of shale gas exploration in non-OPEC countries, state manipulation of other natural resources poses increasing risks to a large number of industries. China currently produces more than 90 percent of the seventeen rare earth minerals, elements like europium and tungsten, which are vital components in most high-technology devices, including electric car batteries, mobile phones, computers, and military equipment such as missiles and night-vision goggles.61 As former Chinese leader Deng Xiaoping once declared, “The Middle East has its oil, China has rare earths.”62 China has been accused of manipulating both the pricing and the production of minerals, charging foreign firms far more than Chinese state-owned enterprises for the same products and thus giving Chinese companies a competitive edge.63 In 2002, the Molycorp mine in California was forced to close for nearly a decade when China flooded the market with cheaper minerals.64 In 2014, the United States, Japan, and the European Union won a World Trade Organization case against China for Beijing’s tight export controls on rare earth minerals.65 China has also used its market dominance more directly as a foreign policy tool. During a territorial dispute in 2010, Beijing canceled all rare earth mineral shipments to Japan while Tokyo held a Chinese fishing ship captain in custody.66 Today, many experts worry that China’s concentrated control over rare earth minerals poses strategic vulnerabilities to specific industries as well as countries.
As SeaWorld’s troubles made clear, social activism has become supercharged, generating sudden and sometimes large risks, particularly for consumer-facing businesses. The spread of social media, cell phones, and the Internet has empowered individuals and small groups in big ways. From the Arab uprisings to antifracking protests in Europe, technology has made it possible for civil societies to organize more suddenly, widely, and effectively. Technology-empowered social activism offers enormous potential benefits, enabling citizens to mobilize against repressive regimes, fostering greater democratic transparency and responsiveness, and bringing companies and stakeholders closer together. But it also poses new challenges. Governments and businesses alike must now contend with events that can go viral with little warning.
Greenpeace exemplifies the growing power of online social activism. In 2010, the environmental group used a creative social media campaign that took on food giant Nestlé and won. At issue was the sourcing of palm oil, a key ingredient of many of the company’s products, whose production involved the destruction of the Indonesian rainforest habitat of orangutans. While Nestlé had committed to responsible sourcing, Greenpeace believed the company had not done enough to cut all ties to Sinar Mas, one of its suppliers. For two years, Greenpeace had been pressing Nestlé to take greater action. Then Greenpeace took its protest digital. “This is the place where major corporations are very vulnerable,” said Daniel Kessler, press officer at Greenpeace.67 On March 17, Greenpeace released a report about Nestlé’s palm oil use featuring a cover picture of one of the company’s signature products, KitKat chocolate bars, with the KitKat logo changed to the word “Killer.”
The same day, Greenpeace protesters dressed as orangutans demonstrated outside the company’s U.K. headquarters. And the organization posted a sixty-second video on YouTube mocking Nestlé’s KitKat ad campaign and its tagline, “Have a break, have a KitKat.” The video features an office worker opening the chocolate bar wrapper to eat a bloody orangutan finger, and ends with, “Have a break? Give the orangutan a break. Stop Nestlé buying palm oil from companies that destroy the rain forests.”68 Nestlé requested that the video be removed from YouTube, but Greenpeace then posted it on the video-sharing website Vimeo.com and spread the word on Twitter. The clip went viral, attracting hundreds of thousands of views. Meanwhile, protesters “brandjacked” Nestlé’s Facebook fan page, many of them encouraging a boycott of Nestlé products. When Nestlé told Facebook users that it would delete any negative comments that included the doctored KitKat “Killer” logo, the number of protesting posts exploded. John Sauven, executive director of Greenpeace U.K. and the Greenpeace global forest team, reflected, “The moment that will forever stick in my mind was when Nestlé decided to ban our campaign on the fan site of their Facebook page. Fans of Nestlé products are only allowed to say nice things about chocolate bars. It backfired on them and helped us win our campaign.”69
Social activism is not just for committed activists anymore. As we noted earlier, cell phones and social media are empowering ordinary citizens, too. “Companies are now being swept up into this political consumer activism in a way that they have not been in the past,” said Maurice Schweitzer, a professor at the University of Pennsylvania’s Wharton School.70 The Twitterstorm over United Airlines’ passenger dragging incident was so fast and powerful that the airline quickly conducted a policy review. Just three weeks after fellow passengers posted their cell phone videos of Dr. Dao online, United announced that it would no longer force paying passengers off its airplanes unless safety or security was at risk and that it was increasing passenger compensation for overbooked flights to as much as $10,000.
It is worth noting that social activism is not always a threat. Sometimes it is a golden opportunity, galvanizing support for a company, a cause, or both. In 2014, Procter & Gamble launched an award-winning online campaign for its Always product line called “Like a Girl.” Feminine hygiene products don’t exactly spring to mind as winning social media topics. Nobody likes to talk about them. But the company created an Always-branded three-minute video on YouTube that transformed the insult “like a girl” into a message of female empowerment. The video depicts a casting call for boys and girls who are asked to do athletic activities such as running and throwing “like a girl.” Ten-year-old girls give it their all, brimming with self-confidence, while teenage boys and girls follow the stereotype, interpreting “like a girl” to mean “weakly,” or “not as good as a boy.” They run flapping their arms and legs, throw poorly, giggle, and flip their hair. The video caught fire, reaching ninety million viewers in more than 150 countries. P&G launched a #LikeAGirl Twitter campaign and aired a Super Bowl ad. Always’s product brand equity rose by double digits, its Twitter following tripled, and surveys found purchase intent grew more than 50 percent among the target demographic. In surveys, two out of three men who watched the video said they would now think twice before using “like a girl” as an insult. Procter & Gamble harnessed the power of social media activism to change minds, not just sell products.71
Terrorism comes in many forms—hijackings, kidnappings, bombings, beheadings, and shootings, to name a few. Terrorist attacks are also conducted by a variety of actors, from transnational organizations like al-Qaeda, which operates in over sixty countries, to nationalist movements like the Tamil Tigers, to “lone wolves.” But all terrorists use violence or the threat of violence for political purposes. All terrorists deliberately target innocents. And all terrorists seek to instill fear, terrorizing societies and their leaders. There is a strong psychological component to terrorism, which is why terrorists often strike victims and targets that have symbolic significance—like the Houses of Parliament in London, the 1972 Munich Olympics, the Taj Mahal Palace hotel in Mumbai, and the Charlie Hebdo magazine offices in Paris. Terrorists also frequently select “soft” targets. The more that governments harden the defenses of government buildings and installations, the more terrorists turn their sights on relatively vulnerable locations like hotels, restaurants, markets, and even marathon races.72
Terrorism has become a growing economic and security concern for governments, particularly in Europe. In 2015–16 the Eurozone saw a record number of successful and foiled terrorist plots, including attacks in Turkey, Belgium, and Germany, and a wave of mass-casualty attacks in France that slowed French growth to a halt in the second quarter of 2016 and played a major role in cutting Eurozone economic growth in half.73 In their July meeting, finance ministers from the world’s twenty largest economies emphasized that geopolitical conflicts and terrorism had become growing threats to the global economy. The French finance minister, Michel Sapin, singled out terrorism as an economic risk, telling reporters, “Today the frequency of attacks creates a new situation of uncertainty, which is at least as damaging as regional destabilizations or a regional conflict.”74
Terrorist attacks often trigger cascade effects for specific companies that can be widespread, long-term, and surprising. Consider the tragic attacks of September 11, 2001. For Wall Street trading firm Cantor Fitzgerald, which lost 658 of its 960 New York employees that day—almost two-thirds of its workforce—the damage could not have been more direct or searing.75 (As we discuss in chapter 8, Cantor survived, and its incredible turnaround after tragedy reveals important lessons about communicating in crises, aligning incentives, and creating organizational resilience.) For Ford and Chrysler, the effects of 9/11 were immediate but indirect: These two American auto manufacturers suddenly found themselves confronting the first total grounding of American air traffic in history, disrupting shipping in their supply chains. For Boeing, the full effects of 9/11 took six years to surface. It wasn’t until 2007, when orders for a new airplane took off, that the company discovered its principal supplier of specialized nuts and bolts had laid off nearly half its workforce after 9/11 and could not keep up. Four American companies in three different industries were all affected by the 9/11 terrorist attacks in very different ways and along very different time frames.
John Chambers, executive chairman and former CEO of Cisco, famously said, “There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.”76
He’s right. Experts estimate that at least 97 percent of Fortune 500 corporations have been hacked already.77 In 2016, a Google director revealed that Google notifies customers of four thousand state-sponsored cyber attacks on its systems each month. That’s about one attack every eleven minutes just from state actors, and just from attacks Google is telling its customers about.78 Brad Smith, president and chief legal officer of Microsoft, noted in February 2017 that 74 percent of global businesses expected to be hacked in the coming year.79 Most cyber victims will not know for months that they have been breached: The typical time between a cyber penetration and its detection is 205 days.80 Costs are hard to measure, but by all accounts are large and growing. The Center for Strategic and International Studies, a well-regarded think tank, in 2014 estimated that the annual global cost of cyber crime was as high as $575 billion81—the equivalent of the entire GDP of Sweden.82 A Juniper Networks study found that cyber crime is now worth more than the global illicit drug trade.83 For individual companies, the cost of a single incident can be large, including everything from customer notification, forensic investigations, legal fees, and fines to lost business and long-term reputational damage. The Target breach of 2013 has cost the retailer $292 million so far, with only $90 million covered by insurance.84 The 2017 breach of credit reporting company Equifax compromised the personal information of 143 million customers and could become the most expensive in history, with estimated costs in the billions.85
And that’s just crime. Countries, criminals, hacktivists, and others wage cyber attacks in many ways for many reasons. Official government systems are major targets. The United States fends off millions of attempted cyber intrusions into military and other government networks each month.86 In 2015, hackers most likely acting at the behest of the Chinese government stole the highly classified security clearance information of twenty-two million Americans from the Office of Personnel Management. Many believe it was a massive intelligence operation to find foreign contacts and compromising information about government officials that could be used to coerce them later. In 2016, the mysterious Shadow Brokers started releasing a treasure trove of secret computer vulnerabilities that had been stolen from the NSA.87 That same year, the Russian government waged an unprecedented influence operation to disrupt the American presidential election and undermine American democracy. Russia’s efforts included hacking into campaign-related websites and servers, releasing data from those breaches online, penetrating multiple state and local electoral boards, disseminating propaganda overtly through Russian state-backed media outlets RT and Sputnik, and inflaming social cleavages by covertly spreading deceptive information with botnets, fake accounts, and unwitting users on American social media platforms.88 According to Facebook’s general counsel Colin Stretch, Kremlin-instigated content may have reached 126 million Americans—more than a third of the U.S. population. “We’re obviously deeply disturbed,” said Joel Kaplan, Facebook vice president for United States public policy. “The ads and accounts we found appeared to amplify divisive political issues across the political spectrum.”89 Experts expect that attacks on elections and government systems worldwide are likely to grow.90
For companies, attackers and motives vary widely. Some steal, some spy, some disrupt, others destroy. Some attack a company to protest a particular product or action, some to steal intellectual property, some to turn a quick profit by stealing customer credit card information, some to help a foreign government, some to gain information that will advantage another business in an upcoming negotiation, and some simply because they can. The threat landscape is evolving rapidly and dramatically, raising business and reputational risks for companies. As U.S. director of national intelligence James Clapper noted in February 2015, despite improvements in cyber defenses, the frequency, severity, sophistication, destructiveness, and scale of cyber breaches all are increasing.91 The cyber dark arts are growing darker.
Although headlines focus on major breaches in large corporations like Target, J.P. Morgan Chase, Anthem Insurance, Home Depot, Sony Pictures, and Equifax, nobody is immune. As Enrique Alanis, chief risk officer at the Mexican building materials giant Cemex, put it, “You don’t have to be a sexy company anymore to be hacked. Cyberthreats are real for everybody and for every company. It could impact any brand.”92 Any company that relies on information and communications technology—and nearly all companies do—is inherently vulnerable. Exposure is global: Any device that is “smart,” any phone or computer or printer or machine that is connected to the Internet (and even some that aren’t),93 can be used as an attack vector into your company’s networks. From anywhere. Hackers pulled off the Target attack of 2013, stealing credit card and personal information from forty million customers during the peak holiday shopping season, by getting into the computer system of a Target third-party vendor—a small family-owned refrigeration, heating, and air-conditioning company called Fazio Mechanical Services in Sharpsburg, Pennsylvania.94
Many cyber threats are intimately connected to political actors and actions. By far the most sophisticated cyber attack capabilities reside in the hands of governments—namely, Russia, China, Iran, North Korea, and the United States. As a matter of policy, the United States does not conduct espionage to aid specific companies. But other countries do. And lest anyone think that cyber attacks on companies are only about profit, talk to Amy Pascal. She was the studio chief of Sony Pictures Entertainment during one of the worst cyber attacks in American history. The 2014 hack, which was eventually attributed to the government of North Korea, stole terabytes of Sony trade secrets, including upcoming movie scripts and celebrity contract information; revealed internal emails so embarrassing that Pascal had to resign; forced the company off the grid for days; publicly released personal information of thousands of Sony Pictures employees; destroyed data on thousands of hard drives and servers; and threatened violence in movie theaters if the studio released The Interview, a comedy depicting the assassination of North Korean leader Kim Jong-un.
By the end, the Sony hack was not just about Sony. It became a national security incident involving the highest levels of the U.S. government. It erupted into an international crisis. And it provided a sneak preview of cyber threats facing all companies today. As Fortune magazine reported, “What happened at Sony… struck terror in boardrooms throughout corporate America, and for all the unique elements in Sony’s situation, the lessons apply to every company.”95
A final word about the risk landscape. Our list above focuses on external challenges—on political risks “out there.” But it’s important to underscore that sometimes the biggest political risks come from within. Organizations can hurt themselves by paying too little attention to their own corporate cultures and practices. In 2017, Uber and Fox News faced firestorms of criticism and business crises over their treatment of female employees. At Fox News, sexual harassment scandals led to the firing of cofounder and chairman Roger Ailes as well as twenty-year veteran host Bill O’Reilly. Over a fifteen-year period, O’Reilly (and Fox executives) had settled six complaints of harassment against him. When a New York Times investigation made some of these settlements public, more women came forward with allegations, and an advertiser boycott soon followed.96 In Uber’s case, twenty people were fired, and Uber founder and CEO Travis Kalanick was forced out, after a blog posting by a former employee triggered a string of reports describing sexual harassment, discrimination, and “Silicon Valley start-up culture gone awry.”97 For both companies, these “sudden” crises were self-inflicted and years in the making.