During the peak “the world is flat” days of the 1990s and early 2000s, globalization promised new efficiency and opportunity. Over that period, CIOs rebuilt their technology functions to benefit from distributed infrastructure, global networks, and talent hubs to improve efficiency and lower costs. This globalization drive led companies to customize their IT capabilities for local markets, creating highly fragmented and complex IT organizations with people and assets spread around the world.
In the past decade, however, geopolitical developments have put that global IT operating model under enormous pressure. More than 70 percent of countries have their own data protection and privacy laws, for example, creating considerable fragmentation.[1] Data theft and cyberattacks, some directed by states, have escalated. The projected annual damage from cyberattacks is about $10.5 trillion during 2025—a 300 percent increase from 2015 levels.[2] Industrial and trade policies favoring local providers have created greater reliance on local operations, increasing the complexity and cost of IT procurement and operations.
Current IT policies and models generally aren’t up to the task of addressing the range (and pace) of geopolitical risk. CIOs hoping to successfully navigate these challenges will need to revise their existing risk practices, develop new ones, and rebalance their global footprint and operating model. That includes being at the table with business leadership to help shape decisions around geopolitical risk, not just in terms of the implications for the tech estate but also the implications of tech risk for the business itself.
The time is ripe to make these shifts. Geopolitical risk is a top issue for executives, creating broad momentum and support for tech leaders to address these issues (Exhibit 1). Thoughtful action can also provide companies with first-mover advantage by securing data, location, or talent options when pricing is likely to be better than it will be at the time of a risk event when companies are scrambling to compete for scarce resources. In many cases, companies are already thinking through how to rebalance their tech estates to address the realities of today’s environment. Incorporating geopolitical risk into those decisions can help CIOs take more effective action.
Where are the most business-critical assets and people, and how exposed are they to geopolitical forces?
The traditional, functional view of tech risk goals—such as availability, delivery, and uptime—isn’t sufficient to address geopolitical risk. A company might pass a cyberattack test but not an asset concentration one, for example. CIOs need to augment their views on risk by developing a much broader view of the possible failure modes beyond availability and continuity (for example, data theft, insertion of malicious code or data, and manipulation), of where their assets (and their vendors’ assets) are, and of where the people who manage them are working.
On its own, this issue would lead to a pretty basic (though not simple) tech-asset mapping exercise. But to be meaningful and practical, CIOs and CTOs need to focus on which assets and teams support critical business functions and have a sufficiently granular view of their assets and people to understand what their companies’ true vulnerabilities are. This can be a deceptively difficult effort. Many tech leaders can have a false sense of security because they might know where they have people and infrastructure assets in a given region but not necessarily which business capabilities those assets support or whether those capabilities are critical to the business.
Working closely with business leaders, CIOs need to triage their tech estate to develop an 80/20 view of what matters to the business. If a system that manages menus for a company’s cafeterias goes down, or one that tracks employee sick days is disrupted, the business can manage. But if the system that manages payments or e-commerce sales goes down, it would be catastrophic to the business. Those are the systems and capabilities that CIOs need to focus on.
Understanding the true nature of the vulnerabilities to those high-priority systems, however, requires companies to have a sufficiently detailed understanding of the value streams (the end-to-end set of processes needed to deliver an outcome). This is especially true in a world where tech estates are highly complex and rely on vendors (and their vendors’ vendors) for portions of them.
For the development life cycle of a new consumer-banking product, for example, tech is a component of each phase: design, testing, production, scaling, and distribution. A consumer bank will need to identify each tech asset, or node, along that life cycle and understand where it is and what the local requirements are. In this instance, that might mean knowing that a database that’s needed to test a product is in China and is subject to the nation’s regulations.
The outcome from this effort is a map of the geographic concentrations of talent and tech specific to each of a business’s most important value streams.
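The mapping exercise described above, from the asset inventory to a per-value-stream view of geographic concentration, can be made concrete as a small analysis. The following is an added example written for this page, not code from the article or from any company it describes. It assumes a hypothetical asset inventory in which each asset records the value stream it supports, whether that stream is business-critical (the 80/20 triage), the country it runs in, and the countries of the vendor chain behind it, so that the nth-party vendor locations discussed later under governance are counted as well. All asset names, streams, and countries are constructed sample data.

```python
"""
Geographic-concentration map for critical value streams (added example).

Counts, for each business-critical value stream, how many of its
location dependencies (the asset's own country plus every vendor and
vendor's-vendor country behind it) fall in each country, and flags
streams where one country carries more than a chosen share.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value_stream: str          # hypothetical stream the asset supports
    critical: bool             # result of the 80/20 triage with the business
    country: str               # where the asset itself runs
    vendor_chain: tuple = ()   # (vendor country, vendor's vendor country, ...)


def effective_locations(asset: Asset, include_vendors: bool = True) -> tuple:
    """Countries the asset depends on: its own plus the vendor chain (nth-party)."""
    if include_vendors:
        return (asset.country,) + tuple(asset.vendor_chain)
    return (asset.country,)


def concentration_by_stream(assets, include_vendors: bool = True) -> dict:
    """Return {stream: {country: share}} for critical streams only.

    share = location dependencies in that country / all dependencies of the stream.
    Non-critical streams (cafeteria menus, sick-day tracking) are skipped.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for asset in assets:
        if not asset.critical:
            continue
        for country in effective_locations(asset, include_vendors):
            counts[asset.value_stream][country] += 1
    result = {}
    for stream, by_country in counts.items():
        total = sum(by_country.values())
        result[stream] = {c: n / total for c, n in by_country.items()}
    return result


def flag_concentrated(concentration: dict, threshold: float = 0.5) -> dict:
    """Streams where a single country carries more than `threshold` of dependencies.

    Returns {stream: (country, share rounded to 2 decimals)}.
    """
    flags = {}
    for stream, shares in concentration.items():
        country, share = max(shares.items(), key=lambda kv: kv[1])
        if share > threshold:
            flags[stream] = (country, round(share, 2))
    return flags


# Constructed sample inventory: the payments stream looks spread across three
# countries until the vendor chains are counted; product testing sits in one.
SAMPLE_ASSETS = [
    Asset("payment-gateway", "payments", True, "IE", ("CN",)),
    Asset("ledger-db", "payments", True, "DE", ("CN",)),
    Asset("fraud-scoring", "payments", True, "US", ("CN", "CN")),
    Asset("test-db", "product-testing", True, "CN"),
    Asset("test-runner", "product-testing", True, "CN"),
    Asset("cafeteria-menus", "facilities", False, "CN"),
    Asset("sick-day-tracker", "hr-admin", False, "CN"),
]


if __name__ == "__main__":
    for include_vendors in (False, True):
        conc = concentration_by_stream(SAMPLE_ASSETS, include_vendors)
        label = "with vendor chains" if include_vendors else "assets only"
        print(f"{label}: {flag_concentrated(conc)}")
```

Running the block shows the point of counting vendor locations: with assets alone, only product testing is flagged, while the payments stream appears evenly spread; once the vendor chains are included, payments is also concentrated in a single country. The threshold and the equal weighting of every dependency are deliberate simplifications; a real program would weight by criticality and treat the vendor chain as a separate scenario input.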
What could go—or is already going—wrong?
The surge in headlines about global conflict, trade instability, and escalating regulations related to AI and data means that many CIOs and CTOs are already thinking through various failure modes. The main issue, however, is that these considerations tend to be reactive and limited in scope, creating blind spots for geopolitical-risk mitigation. To be specific, tech leaders should be assessing nine types of failure modes that stem from geopolitical risk, including architecture vulnerable to node and linkage disruption, assets overly concentrated in one or a few geographies, and inhibited insight from and use of data because of privacy regulations (Exhibit 2).
These failure modes become the baseline for systematically developing scenarios for priority value streams. These scenarios account for the geographic footprint and are informed by specific operational concerns or escalating geopolitical tensions (such as emerging trade barriers) that a CIO may want to further probe. In some cases, companies commission highly tailored scenarios from geopolitical-risk specialists to help flesh out options.
It’s important to realize that some of these failure modes aren’t simply tied to future potential scenarios but are already happening and need to be addressed. Some companies are already at risk of data or IP theft, for example, by virtue of where their operations are sitting.
What’s the plan to follow when a geopolitical event happens?
Typically, companies don’t model the impact of a specific geopolitical risk until it’s happening. By then, it’s often too late to mitigate the damage effectively because the slow-moving nature of tech makes it difficult to intervene quickly. For this reason, forward-thinking CIOs proactively plan interventions based on the scenarios that they have developed.
These interventions are rarely a simple set of binary actions because although some geopolitical risks can happen quickly, many have warning signs. The best intervention plans identify the range of escalating warning signs and lay out a set of corresponding actions that companies can take to react thoughtfully while preserving the fullest set of options possible. When well done, this intervention planning yields a cascading set of triggers and actions that follow a specific escalation pathway (Exhibit 3).
With interventions identified, CIOs can move more quickly than competitors can when a risk is triggered and secure agreements that are more cost-effective than they would be when scrambling in the face of a risk event. They can also invest in the necessary tech development in a thoughtful and cost-effective way rather than purely reacting to one-off events.
What mitigation steps should CIOs take?
To maintain an effective risk posture, companies need to rebalance their operations globally to address both current and potential issues. CIOs have lots of risk mitigation options, such as allocating emergency funds for short-term contingencies, reshoring operations to lower-risk regions, duplicating operations to create redundancy, and localizing global operations into region-specific units. What that rebalancing looks like, however, will depend on being thoughtful about which options best address the risk and whether they’re worth the investment and loss in productivity.
Take a global approach
It can be tempting to create a country- or region-level strategy to ensure compliance with local regulations (for example, General Data Protection Regulation, Schrems II decision–based standards, and China’s Personal Information Protection Law). This approach, however, may have the effect of unknowingly pushing risks into other geographies (also known as “squeezing the balloon”).
A multinational company might choose to avoid risks in one country by transitioning an existing data center to another region that has its own set of geopolitical risks, for example. Or the mitigation actions might create substantial complexities and costs that outweigh their benefits. For instance, one consumer company ended up building out more than 80 data centers to reduce local geopolitical-risk issues, a highly fragmented landscape that created huge operational complexity and was simply untenable.
Ground rebalancing on clear cost–benefit analysis
In the same way that CFOs account for risk by incorporating its cost into financial planning, CIOs need to cost out potential risks and mitigation strategies to allow for thoughtful cost–benefit analysis. Using financial modeling and data analysis, the CIO can work with the CFO, the chief information security officer, the chief HR officer, and infrastructure leaders to develop an aligned view of which mitigation strategies make the most sense given the costs and benefits. These practices will likely require companies to give back some of the IT efficiency gains from globalization in return for not just greater resiliency but also more strategic flexibility.
While it’s unrealistic to expect this analysis to yield perfect calculations, the value is in having a clear and aligned view of what actions make the most sense for a set of risks. Through experience, companies can expect to refine and improve these analyses.
Build flexibility into the IT estate
Upgrading the IT estate can be expensive, so CIOs should be surgical with the actions that they take as part of a broader rebalancing program and not overreact. CIOs should invest the time to determine which components can be customized or standardized based on risk needs and available tech (such as APIs and microservices). In general, the focus should be on standardizing core infrastructure systems and deployment models while providing for variability in how to create platforms and data products based on regional regulations.
A core element of this capability is a platform architecture made up of components that local teams can configure or connect to through centrally developed standard interfaces (such as APIs). The success of this model depends on alignment around the right balance of global and local capabilities and clear governance structures to clarify decision rights.
For example, a multinational consumer company found that China’s rapidly changing regulatory landscape made it increasingly difficult for it to deliver a top-tier local customer experience efficiently because of its global technical architecture. By establishing a support team and localized tech stack that adhered to local regulations but used capabilities like APIs to take advantage of the global platform, the company could better meet Chinese consumer needs while staying in compliance.
While a laborious effort, designing a compliant local architecture was in some ways the easy part for the company. The real work came from thoughtful separation of its business and user data to ensure a more secure global data privacy environment, with clear rules for data aggregation and residency across its global footprint.
Are the right people and governance processes in place to take action?
It might sound trite to say that traditional IT-risk-correlation models are no longer sufficient to account for geopolitical risk. The implications, however, are more complex than simply adding this risk as a line item to existing risk programs. Developing this capability starts with building up a new IT risk discipline, with clarity about roles and responsibilities and any potential geopolitical-risk events (Exhibit 4).
Geopolitical risks are inherently interconnected, with multiple parts of a business potentially triggered by a single geopolitical event, so the capability needs to be integrated across functions and practices. One element of this integration lies within IT itself, where traditional IT risk functions (such as availability and resiliency, cybersecurity, data and intellectual property protection, regulatory exposure, and tech talent concentration) have been managed independently. The geographic risk issue is exacerbated if companies don’t understand the locations of their vendor concentrations (and location concentrations of the vendors that those vendors use, sometimes called “nth-party risk”).
A unified asset-and-service-management capability should have oversight over these functions. This capability is then responsible for measuring and reporting on risk across each individual component, aggregating this risk profile, and translating outstanding issues into business terms.
This integration needs to happen at the organization level too. To the degree that companies do have a geopolitical-risk program, our experience is that it tends to focus on supply chain issues rather than on IT ones. CIOs aren’t fully connected to the broader organization’s geopolitical-risk practices. The result is that CIOs lack a framework for identifying, managing, and tracking geopolitical risk as part of a broader company-wide program.
To be an effective leader within an organization-wide risk program, CIOs should consider building up a small, dedicated team to track geopolitical developments, assess their implications and impact, and provide recommendations to leaders with sufficient time to take action. This is where a unified asset-and-service-management capability is critical.
A business should incorporate this team into existing risk management functions, including registers and treatment plans, with a framework and clear protocols to understand how and where data and tech operations contribute to distinct nodes on the business value chain. The geopolitical environment can change rapidly, so organizations will need to refresh their analysis and risk responses. CIOs and CTOs need to be constantly evaluating geopolitical risk.
The geopolitical forces shaping businesses and economics remain fluid and dynamic. Few can confidently predict which way the tides may turn, but there’s a good chance that uncertainty and heightened geopolitical risk will be the norm for the near future. Tech leaders who can navigate this volatility not only can shield their businesses but also stand to outmaneuver their competitors.