GeoLegal Weekly #55: There is no Resilience Button

Building resilience in an unruly world is hard work. You better get started.

As the world wakes up to the prospect of Ukraine being carved up as if we are at a modern day Yalta Conference, we also must grapple with a multitude of second-order effects. Will the US remove sanctions on Russia and attempt to bully Europe into following suit? Will Europe refuse, adding further tension to a relationship that has become stunningly fraught over a matter of days—with everything from US interference in the German elections to tariffs shattering Transatlantic harmony. Will Europe rebalance its economy away from social spending toward taking on a deeper military burden or will it simply accept risk and exposure to military, cyber, and political risk. And will companies licking their wounds from fire sales exiting Russia move swiftly to seize opportunities and face the host of legal and political ramifications of doing so?

Today, I welcome David Bender, a long-time geopolitical expert with deep corporate and technology experience, as a collaborator. We’ll use the latest on Russia as a jumping off point to rethink corporate resilience. Plus, catch me on CNBC deep-diving about my book Unruly at the bottom.

Prediction versus Resilience

In times of peace and quiet, everyone ignores politics. When the world becomes unruly, everybody wants a crystal ball. In a world with bounded outcomes where precedent acts as a reasonably reliable if imperfect guide for the future, forecasting can give you an edge. But in an unruly world, precedent can be a red herring.

Prediction is the holy grail for geopolitical analysis. If I had correctly predicted the souring of Transatlantic relations and the rest of US-Russia tensions, companies that listened to me would have been better off than those that didn’t. One might argue that obviously Trump would work with Russia - he told us as much. But the full scale abandonment of Ukraine and the speed at which Putin and Trump are looking to meet to carve it up would have been risky predictions given they fly in the face of precendent.

The problem now is that there are too many factors feeding into such a prediction to have made it with any sense of confidence. If the US and Europe no longer need to move in lockstep-which has been the post-war precedent-then, of course, new scenarios open up. And when Putin has placed confidence-building downpayments with Trump through attempts at US election manipulation, it’s easier to believe that the US would abandon suspicion of Russia negotiating in poor faith. But that requires multi-stage chess that can all fall apart if one of the factors is incorrectly appreciated. Thus, few analysts have been vocal before this week in forecasting as such.

The end of precedent and the complexity of forecasting doesn’t make forecasting useless, but it does dilute its impact. Many predictions today are often too general (for instance, “the US and Russia will have a better relationship under Trump”) or made too close to an event (like forecasters coming out of the woodwork in the last 24 hours) to be helpful. And, of course, many predictions are just flat wrong.

But let’s assume you did have a crystal ball. Are all your problems solved?

No, because there’s no easy way to prepare for all the risks your crystal ball would see.

There is no Resilience Button

One of our biggest pet peeves is business strategists that casually advise companies to “build resilience.” As if there is a magic resilience button that executives can click to be prepared for anything.

Resilience is the ability for a company to sustain itself safely, stably, and profitably through predictable and unpredictable crises. Building resilience within a business requires delineating what the limits of the probable, possible, and conceivable are, and then deciding how many standard deviations from the mean you want to plan for. For some industries September 11th probably tested the limits of what was considered possible; for many the financial crisis broke their stress models. But terrorist attacks involving airlines, wars in the Middle East, and even severe financial crises probably should have been on the resilience bingo cards of airlines, oil companies, and banks.

But is it reasonable to think that a few years ago tariffs on Mexico and Canada, diplomatic (and threatened economic) tensions with NATO partner Denmark, and military threats on Panama should have been on resilience maps? What about the impact of a breakdown of a global humanitarian and democracy/human rights supply chain with the potential demise of USAID? Or the WHO? Or spiking worries about the future of the IMF and World Bank should the US turn away from them and other international organisations that aim to maintain stable financial systems.

Perhaps there was some analyst somewhere who predicted that US companies should avoid relying on supply chains that depended on Mexico and Canada despite near-shoring being an explicit US government goal at the time. But it is doubtful any companies would–or should–have listened. Good decisions should be judged not on the outcome but on the quality of the thinking with the available information at the time–though the paradox is that ultimately it is the outcome that will affect the company. Outcomes are important, but if you cannot make informed decisions–and in unruly times you may not be able to–you should make moves that mean you are able to understand and react to the world as it evolves.

Resilience amid Unruliness

In an unruly world where geopolitics, technology, and law come together in highly complex ways to create new and unpredictable risks, companies are better off understanding the types of risks present, the underlying dynamics driving those risks, and the potential outcomes. And they must prepare for all of them.

So how can companies focus less on predicting and forecasting risk and instead prepare for the inevitable yet unpredictable crises? In the past, an oil executive might have said something to the effect of “What we do is needed everywhere, so politics don’t matter.” That is certainly not true today.

Today, resiliency planning is a big topic, but here are three broad ideas for approaching it:

1. Know what the critical nodes of your business are. Some first-order nodes are obvious, but others might not be, and second- and third-order ones can be harder to identify. At the very least, have a list of people, places, facilities, suppliers, market prices, macroeconomic and environmental factors, partners, political connections, customers, shipping lanes, and regulatory frameworks that your business relies on. You probably cannot protect them all, but you can react quickly if any of them come under pressure. For bigger companies, no doubt these lists and maps exist. The real challenge is having detection and decision-making structures that enable swift related action.

2. Understand the ways the risks you face can be correlated. Your car insurance covering a fender-bender is probably uncorrelated to your neighbor’s car insurance, but your flood insurance probably isn’t. So maybe your supply chain relied on frictionless trade between the U.S. and Mexico, Canada, and China—a pretty diverse set of countries and therefore, historically, probably uncorrelated. But if the U.S. decides to impose tariffs on its most significant trading partners, suddenly you get hit with all three at once. And potentially in Japan too. Leaders need to slice the pie differently when thinking about correlations of risk. The world is no longer split between East and West or Global North and Global South (if those terms were ever suitable). It is not split into who has signed up to certain UN treaties and who has not. Instead, the categories that will design the future will be made on the fly based on very realist foreign policy transactionalism. Again, adaptability is key.

3. Identify where you have the ability to influence or respond in a crisis—and where you will be watching it all unfold. This is where scenario planning is critical. Often, in scenario planning sessions—particularly if it is not their first time running such an exercise—companies find they are less powerless in a crisis than they initially feared. The various arms of a large firm have often individually considered what they might do in foreseeable crises, but what has not happened is anyone putting all the nodes and risks together and thinking about them holistically. This is where scenario planning comes into play. Then, with the findings from those planning sessions, assess what types of risks can be managed or mitigated and which ones could indeed overwhelm you or at least take away any initiative.

What to watch and what to derive risk assessments from vary from company to company and industry to industry. But in today’s unruly world, there are a few types of risks that are both relatively new and increasingly widespread:

• Cyber threats: Cyber threats have been around for years, but today the cyber arms race is giving way to AI-driven weaponization, where adversaries leverage advanced algorithms to conduct more efficient and covert attacks. In response, companies must implement a “defense in depth” strategy that layers robust cybersecurity measures with adaptive monitoring systems. Only by securing multiple points of vulnerability can organizations hope to thwart both conventional cyberattacks and those augmented by emerging AI capabilities.

• Single points of failure: Recent global disruptions—from pandemics to regional conflicts—have exposed the fragility of centralized operations. Incidents such as semiconductor shortages and logistics challenges seen in 2023 demonstrate the need for agility. By decentralizing critical assets and diversifying supply chains, companies can mitigate the risk that a localized disruption will cascade through their entire operation. This agility is not only a hedge against geopolitical uncertainty but also against cyber and technological risks that can suddenly paralyze centralized systems.

• Legal preparedness: The rise of “weaponized law” adds another layer to the threat matrix. As governments update regulations in response to emerging AI and cyber capabilities, companies must anticipate—and even help shape—these legal shifts. A recent report from the Carnegie Endowment for International Peace warns of the perilous regulatory void in military AI governance, urging the creation of proactive legal frameworks and international norms. Firms that invest in legal foresight and maintain an active dialogue with regulators can better navigate sudden changes in the legal environment and avoid being caught off guard by politically motivated lawsuits or compliance challenges.

• Strategic partnerships and intelligence sharing: Strategic partnerships across industry, government, and international borders are key to developing collective resilience. By engaging in regular intelligence sharing and cooperative projects, companies can pool resources, share best practices, and collectively counteract sophisticated threats. In some cases, this can walk a fine line between avoiding sharing competitive advantages and running afoul of antitrust laws, but overall, the point is to find ways to collaborate on common interests in a fragmenting world.

• Continuous innovation and organizational agility: For corporations, fostering a culture of innovation means not only investing in R&D but also upskilling the workforce to use emerging technologies effectively. An agile organization that embraces iterative learning and rapid prototyping will be better positioned to pivot when new threats or opportunities emerge.

Let us know if you want to discuss any of this further. Or, better, yet, let me know if you want to try our Hence Global platform for managing the risks of unruliness.

And so I leave you with me on CNBC discussing unruliness which starts at 10 hours and 38 minutes here. Be sure to get yourself a copy of Unruly here if you haven’t already.

-SW & DB