What security policies do small and medium sized businesses need?

Policies play an essential role in corporate governance – even for SMBs

One of the topics I’ve always been interested in is how we can uplift the resilience of Small and Medium Sized Businesses (SMBs). Whilst SMBs are the engine rooms of our economy, they typically have immature information security and fraud protection capabilities despite facing the same threats as large organisations. In fact, the 2020 Australian Cyber Security Centre (ACSC) survey showed that 65% of Australian SMBs surveyed spend less than A$999.00 on their security! It’s no wonder they fall victim to phishing, ransomware, data breaches and other exploits. Like a good security culture and the right tone from the top, policies are another essential.

OK, so the topic of policies can be quite dry – many of us don’t get excited by reading our company policies (some of us might even fall asleep), but they play a key role in setting expectations for staff, customers and suppliers. Corporate Governance is all about how businesses are organised, managed and governed, and comprises the principles, practices and structures that help inform decisions, operations, and conduct.

Policies are formal statements that outline guidelines, principles or rules governing the behaviour, actions and decisions of staff and management within an organisation. Whilst SMBs don’t need a comprehensive policy library like you would find in an ASX100 company, there are a few security policies which are essential.


What are the main security policies every SMB should have?

When it comes to security policies for small to medium-sized businesses (SMBs), there are several key ones that can make a significant impact – see below for details:

  • Information Security Policy: This policy establishes guidelines for protecting sensitive information, data, and assets. It covers data classification, access controls, encryption, password standards, and safe data disposal.
  • Acceptable Use Policy: This outlines how employees can use company resources like computers, networks, and the internet. It helps prevent misuse and establishes boundaries to ensure productive and secure usage.
  • BYOD (Bring Your Own Device) Policy: As remote work becomes more common, this policy addresses the use of personal devices for work purposes. It should outline security requirements for these devices to ensure they don’t compromise sensitive data.
  • Incident Management Policy: This policy should address what to do in relation to a broad range of incidents, such as cyberattacks, natural disasters, and equipment failures. It outlines how to respond promptly and effectively to minimise disruptions.
  • Remote Work Policy: With the rise of remote work, this policy addresses the security measures needed for employees working outside the office. It should cover secure connections, data storage, and device security.
  • Access Control Policy: This policy defines who has access to what data and systems. Implementing least privilege principles ensures that employees only have the access necessary for their roles.

Additional policies, covering topics such as physical security and vendor / third party security standards may also be appropriate, complementing your business’ employment, code of conduct, and other workplace policies.


Start as you mean to finish

When running any business, there are always so many things to do. Marketing, sales, customer engagement, product – the list goes on. Governance and Risk Management often take a bit of a back seat, especially in smaller organisations, and typically only become more important as organisations grow and management has time to focus on these issues. However, policies and risk management are things that really need to be considered earlier, for three reasons:

  • Policies – even simple ones – add value to a business by improving governance, ensuring staff adopt the desired behaviours, and improving management outcomes.
  • Provide clear and consistent advice to staff around BYOD and Remote Working – data loss and data breaches are becoming an increasingly common occurrence, and remote working and BYOD arrangements are a key vulnerability. Whilst technical controls are available to mitigate some risks, a policy that clearly sets out what is expected of staff and in which circumstances is essential to manage risk.
  • Well-governed suppliers are more attractive to buyers – due to their size, SMBs are unlikely to have robust supplier assurance programs which contractually oblige suppliers to meet certain standards, but they are likely to sell their products or services to larger companies. Having good governance and standards in place demonstrates a degree of reliability, quality and integrity which suppliers can put faith in and might just win you that next contract!

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Using strategic early warning for advanced notice of emerging threats and geopolitical risks

What is strategic early warning and why is it important?

One of the challenges in business is the need to deal with threats, which can arise from competitors, market shocks, natural disasters, political decisions, criminals and a host of other sources. A form of intelligence, strategic early warning (also known as ‘strategic indications and warning’) involves identifying and forecasting emerging threats, with the overarching objective being to avoid surprise (Clark, 2017). Simplistically, threats have two velocities, or the speed with which they materialise into risk events:

  • Slow velocity – risk events that happen slowly, often made up of multiple discrete events which might be immaterial when they occur individually, but which together have a typically disproportionate and material impact.
  • Fast velocity – risk events that happen very quickly when triggered, with minimal to no warning, making them hard to identify and mitigate.

Generally, a fast velocity risk event happens so quickly that the value of strategic early warning is limited, potentially gaining seconds or minutes of warning as opposed to hours, days, weeks or even months. In contrast, slow velocity risk events can appear as random or discrete events which creep up slowly over time. However, these discrete events do leave a trail in the form of indicators and can be identified with the right tools.

The ancient Greeks understood the value of strategic warning.

Being effective against slow velocity risk events, particularly those external to your organisation, requires tools capable of continuously monitoring your operating environment and finely tuned to detect the subtle changes (signals) in that environment which make up these multiple discrete events. As Aesop reminds us, all too often we are so busy with day to day distractions that we miss the subtle underlying signs which could otherwise tip us off that something big is coming, until it’s too late.

Those who cry the loudest are not always the ones who are hurt the most

Aesop, Ancient Greece

One of the most powerful tools for strategic early warning, known as ‘indicators and warnings’ (I&W) in the intelligence community, is explored in this article. However, in order to appreciate why this is important we need to understand a concept called decision quality.

How does strategic early warning contribute to decision quality?

Some years ago I took courses in the Stanford University Strategic Decision and Risk Management Certificate Program, where I learned about the concept of decision quality and what actually makes a really good decision. As someone who has done a lot of work throughout my career in security, intelligence and resilience, I found this insightful as it provided a foundation for grasping how strategic intelligence capabilities (such as strategic early warning) need to be designed to enable high quality decisions by decision makers (as customers of that information).

To illustrate, according to Parsons (2016) there are seven main elements to a ‘high quality’ decision:

  • An appropriate decision frame
  • Create alternatives to choose from
  • Good information
  • Clear values to adhere to and objectives you are trying to accomplish
  • Clear tradeoffs and sound reasoning
  • Decision choice alignment with values and reasoning
  • Committed implementation

Strategic Early Warning really contributes to the first three elements in that it provides timely, relevant and actionable insights as early as possible. Earlier, better decision framing and identification of alternatives, supported by information which has the trust or confidence of decision makers, contributes to better strategic outcomes.

Strategic warning involves foresight

Benefits of using Strategic early warning tools in your business

A properly designed and implemented strategic early warning program can help identify, monitor and effectively respond to medium to long term ‘over the horizon’ threats as early as possible, including those which are external in nature. Objectives of strategic early warning programs in business typically include:

  • Providing early notice of a potential risk event – facilitates an early response (assuming the business has a mature incident response and / or crisis management capability), typically resulting in a lower business impact (e.g. less disruption, financial loss, or reputation damage).
    • The aspirational state is being predictive: identifying that a risk event is likely to happen with a high degree of confidence, and swiftly responding to manage potential outcomes.
    • Early responses provide opportunities to mitigate downside risks and exploit upside opportunities, and get a jump on competitors.
  • Improved foresight and better decision quality – strategic early warning reduces the need to make decisions under pressure and provides more time to devise an appropriate response.
  • Providing timely, actionable insights – with the exception of actions like learning more about an adversary, intelligence is generally considered pointless if it is not relevant to a decision at hand, timely in that insights are developed in time to make a decision, and accurate.

Strategic early warning methods are ideal for providing insights into macro factors, such as how your business’ operating environment is changing, market factors, and strategic drivers impacting competitors. Strategic early warning tools allow decision makers to develop and monitor scenarios before and as they develop, leading to strategic and competitive advantage.

Strategic warning enables business to successfully traverse high risk environments

Building an early warning threat detection capability in six steps

There is an extensive body of knowledge globally around how to build an early warning threat detection capability in practice: intelligence officers have been developing and applying this tradecraft for decades (see Grabo, 2002). When developing these capabilities to detect emerging threat activity (such as the presence of organised fraud syndicates in a market), I apply a six-step process similar to that used to develop Key Risk Indicators, except that these early warning capabilities consume external data, as follows:

Step 1 – Identify and build threat scenarios: Preparing threat assessments is a core competency for any intelligence professional. Whilst not covered in detail here, the outcome of the threat assessment is used to inform the design of scenarios for monitoring (see Heuer & Pherson, 2011).

Step 2 – Identify indicators for each scenario: Try to identify indicators (say 3-5) that are independent of each other and representative of a scenario occurring (i.e. highly correlated with it). Indicators that are ambiguous or which apply to multiple scenarios should be discarded. Various intelligence analysis methods (not explored here) can be applied to draw out the underlying mechanics of each scenario (see Heuer & Pherson, 2011).

Step 3 – Classify indicators as leading or lagging: Receiving intelligence on a risk event after that event has happened is often deemed an ‘intelligence failure’, so your focus is on leading indicators. If all your indicators are lagging, repeat Step 2.

Step 4 – Identify data sources for each indicator: Having identified leading indicators, determine where you will source the underlying information and obtain it. When looking at sources, apply the Admiralty Scale and consider source reliability and assessed level of confidence in the information.

Step 5 – Define normal (expected range) and elevated thresholds for your indicators: Identify what is normal for a given indicator in the region concerned, and therefore what you need to worry about. I use three categories of value for each indicator:

  • Expected value (baseline): represents what is ‘normal’ for the specific indicator in its context
  • Trend: the purpose of this value is to tell you whether the incidence of something is increasing or decreasing over time; it may involve the use of professional judgement or hypotheses.
  • Threshold value: this represents a red line, the point at which you know (or hypothesise) that you have a real problem. Anything above this point is taken within your organisation to mean the likelihood of a risk event occurring is high, triggering your incident response or crisis management process.

Step 6 – Monitor indicators and escalate as appropriate: whilst there is work involved in setting up and collating the data, this process is made easier with software such as Tableau or Microsoft PowerBI, which can integrate multiple data feeds from different sources into the one dashboard.

An example of what these capabilities look like in practice is illustrated in the following figure, which uses terrorist diversion of NGO humanitarian aid as the context:

Simple tools can be used to build analytical dashboards for strategic warning
(c) Paul Curwell (2022). Example scenario to build an early warning dashboard for emerging threat scenario monitoring
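As an added example (not code from the original post or its author), the following Python script implements Steps 4 to 6 above for one constructed scenario: each indicator carries an Admiralty Scale source grade, a baseline series that defines its expected range, a least-squares trend, and an analyst-set threshold, and the scenario escalates only on evidence weighted by source reliability. The indicator names, the weekly figures, the thresholds and the weighting cut-offs are all assumptions made for illustration, and the scenario-level scoring rule is an assumed house rule rather than anything prescribed by the post.

```python
"""Indicator monitoring and escalation for strategic early warning.

Added example covering Steps 4 to 6 of the process above; it is not code
from the original post. Indicator names, observations, thresholds and the
weighting rule are all constructed for illustration.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import List

LEVEL = {"NORMAL": 0, "ELEVATED": 1, "CRITICAL": 2}


@dataclass
class Indicator:
    name: str
    source_grade: str          # Admiralty Scale code, e.g. "B2" (Step 4)
    baseline: List[float]      # historical observations that define "normal" (Step 5)
    threshold: float           # analyst-set red line (Step 5)
    recent: List[float] = field(default_factory=list)  # latest observations, oldest first


def source_weight(grade: str) -> float:
    """Weight an indicator by its Admiralty Scale grade: reliability A (completely
    reliable) to F (cannot be judged), credibility 1 (confirmed) to 6 (cannot be
    judged). The cut-offs are an assumed house rule: well-sourced indicators count
    fully, fair ones count half, doubtful ones are recorded but never escalate."""
    if len(grade) != 2 or grade[0].upper() not in "ABCDEF" or grade[1] not in "123456":
        raise ValueError(f"bad Admiralty grade: {grade!r}")
    reliability, credibility = grade[0].upper(), int(grade[1])
    if reliability in "AB" and credibility <= 2:
        return 1.0
    if reliability in "ABC" and credibility <= 3:
        return 0.5
    return 0.0


def expected_range(baseline: List[float], k: float = 2.0):
    """Expected value and the upper edge of the normal range (mean + k sigma)."""
    mu = mean(baseline)
    return mu, mu + k * pstdev(baseline)


def trend(values: List[float]) -> float:
    """Least-squares slope per period; positive means incidence is rising."""
    n = len(values)
    if n < 2:
        return 0.0                      # a single point has no trend
    xbar, ybar = (n - 1) / 2, mean(values)
    num = sum((i - xbar) * (v - ybar) for i, v in enumerate(values))
    den = sum((i - xbar) ** 2 for i in range(n))
    return num / den


def assess(ind: Indicator) -> dict:
    """Grade one indicator against its baseline, trend and threshold."""
    if not ind.recent:
        raise ValueError(f"{ind.name}: no recent observations to assess")
    expected, upper = expected_range(ind.baseline)
    latest = ind.recent[-1]
    if latest >= ind.threshold:
        status = "CRITICAL"             # red line crossed
    elif latest > upper:
        status = "ELEVATED"             # outside the expected range, below the red line
    else:
        status = "NORMAL"
    return {"name": ind.name, "status": status, "latest": latest, "expected": expected,
            "upper": upper, "slope": trend(ind.recent), "weight": source_weight(ind.source_grade)}


def assess_scenario(name: str, indicators: List[Indicator]) -> dict:
    """Roll indicator statuses up to a scenario-level action (Step 6). The score is
    the source-weighted mean level; 1.0 or more escalates to incident or crisis
    management, anything above zero goes on watch, and a scenario whose sources
    are all unusable is flagged rather than silently treated as quiet."""
    results = [assess(i) for i in indicators]
    total = sum(r["weight"] for r in results)
    if total == 0:
        return {"scenario": name, "action": "INSUFFICIENT_SOURCING", "score": None, "indicators": results}
    score = sum(r["weight"] * LEVEL[r["status"]] for r in results) / total
    action = "ESCALATE" if score >= 1.0 else ("WATCH" if score > 0 else "MONITOR")
    return {"scenario": name, "action": action, "score": score, "indicators": results}


# Constructed scenario: an organised fraud syndicate targeting a lending product.
# Baselines are eight earlier weeks; 'recent' is the last five weeks.
SCENARIO_INDICATORS = [
    Indicator("Chargebacks per 1,000 transactions", "A1",
              [2, 3, 2, 3, 2, 3, 2, 3], threshold=8, recent=[3, 4, 5, 7, 9]),
    Indicator("Complaints to the regulator per week", "A2",
              [4, 5, 4, 6, 5, 4, 5, 5], threshold=12, recent=[5, 5, 6, 6, 7]),
    Indicator("Unverified tip-offs that the product is targeted", "E3",   # doubtful source
              [0, 0, 1, 0, 0, 0, 1, 0], threshold=5, recent=[0, 1, 0, 4, 6]),
]

if __name__ == "__main__":
    report = assess_scenario("Organised fraud syndicate entering the market", SCENARIO_INDICATORS)
    for r in report["indicators"]:
        print(f"{r['name']:<48} {r['status']:<9} latest={r['latest']:.1f} "
              f"expected={r['expected']:.2f} upper={r['upper']:.2f} "
              f"slope={r['slope']:+.2f}/wk weight={r['weight']}")
    print(f"Scenario action: {report['action']} (score {report['score']:.2f})")
```

Run as-is, the first indicator crosses its red line and the second leaves its expected range, so the scenario escalates even though the third (critical but graded E3) contributes nothing to the score; that is the point of carrying the Admiralty grade alongside each indicator rather than counting every feed equally.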

Moving towards ‘Continuous Monitoring’ of the strategic operating environment

Depending on your organisation, you may be exposed to dozens of potential scenarios, each of which could emerge to shape your business in a number of different ways (see Heuer & Pherson, 2011). In an ideal state, businesses will continuously monitor and evaluate (assess) how threats are emerging in relation to markets, competitors or supply chains.

A capability such as this requires scaling up the data collection, processing and analysis steps across material scenarios. Typically this involves building a common repository which can be easily monitored, assessed, and where appropriate responded to, by risk, compliance or operational teams using appropriate software tools.

Dashboards can be scaled up to accommodate a range of scenarios and continuously monitored

Implementing appropriate business processes to support the teams managing this capability day to day is also essential – all too often when building capabilities we focus on the technology and forget the people, process and change elements which are just as critical.

In practice, automating data collection, saving this data to a database, then visualising the data through a dashboard tool like Tableau or Microsoft PowerBI will get many organisations to a high level of capability maturity quite quickly.


Critical Minerals – what’s the problem here?

What are critical minerals anyway?

Critical minerals are defined by Geoscience Australia as “metals and non-metals that are considered vital for the economic well-being of the world’s major and emerging economies, yet whose supply may be at risk due to geological scarcity, geopolitical issues, trade policy or other factors” (2022). One category of critical minerals, ‘rare earth elements’ (listed below), is particularly important:

  • (Ga) Gallium
  • (In) Indium
  • (W) Tungsten
  • Platinum-group elements (PGE) including
    • (Pt) Platinum
    • (Pd) Palladium
  • (Co) Cobalt
  • (Nb) Niobium
  • (Mg) Magnesium
  • (Mo) Molybdenum
  • (Sb) Antimony
  • (Li) Lithium
  • (V) Vanadium
  • (Ni) Nickel
  • (Ta) Tantalum
  • (Te) Tellurium
  • (Cr) Chromium
  • (Mn) Manganese

The problem with critical minerals is their availability: they are not distributed evenly throughout the world, and in some cases it is not economical to extract them using current technology. This is particularly the case with rare earths, where according to InvestingNews, the top 10 countries for rare earth production are:

  1. China
  2. United States
  3. Myanmar
  4. Australia
  5. Madagascar
  6. India
  7. Russia
  8. Thailand
  9. Vietnam
  10. Brazil

Source: InvestingNews (2021)

Readers will note that some of these countries are subject to greater geopolitical risks than others – ranging from emerging to developed economies and from sanctioned to non-sanctioned jurisdictions. One of Australia’s strengths is our abundance of critical minerals together with our geopolitical and economic stability. As shown in the following figure, Australia has critical mineral deposits distributed across the country:

Critical Minerals Supply Chain in the United States: Mapping the Landscape for Australian Suppliers (AUSTRADE, 2019)

As demands for the world’s critical minerals increase and supplies dwindle, rich countries will increasingly seek alternative sources. Deposits that were previously uneconomic to extract may become economical, whilst other countries may resort to war or coercion to achieve or maintain geostrategic advantage. Geoscience Australia has ranked Australia’s resource potential for critical minerals and their associated criticality (or scarcity):

Geoscience Australia (2022). Critical Minerals.

Understanding the criticality of raw materials is particularly important when assessing your supply chain threats and risks, as is understanding the geopolitical risks associated with the Critical Minerals value chain (refer to the figure below).

Geoscience Australia (2022) notes that some “category one and category two metals and semi-metals are primarily by-products of refining of the major commodities such as zinc, copper, lead, gold, aluminium and nickel”. Australia has abundant stockpiles for many of these commodities, however they are not always cost effective to extract. In the future, advances in processing techniques might mean these can be extracted in a highly targeted way at a cost that makes economic and environmental sense.

What industries use critical minerals?

Critical minerals underpin the world’s 4th Industrial Revolution and our high tech gadgets, as well as enabling a green, low-carbon, digitised economy. Without access to critical minerals, we would not be able to have the computers, phones, wind turbines, electric vehicles or solar panels that are becoming de rigueur in Australia and worldwide. Here are some lesser known examples and their applications:

Critical mineral – usage (examples, not exhaustive):

  • Yttrium – Ceramics (abrasives, jet engine coatings, oxygen sensors in cars, and corrosion resistant cutting tools); Electronics (microwave radar, dental and surgical procedures, digital communications, industrial cutting and welding, photochemistry, distance and temperature sensing); Metallurgy (superalloys, high-temperature superconductors)
  • Tantalum – Production of tantalum alloys, capacitors, compounds and metal. Major end uses for tantalum capacitors include automotive electronics, mobile phones and personal computers. Tantalum oxide is used in glass lenses and tantalum carbide is used in cutting tools.
  • Germanium – Fibre optics, infrared optics, electronics and solar applications including solar cells for satellites

Source: Critical Minerals Supply Chain in the United States: Mapping the Landscape for Australian Suppliers (AUSTRADE, 2019)

As you can see, the applications for critical minerals are diverse – without them, much of the advanced civilisation we live in today would cease to function.

What are the security and supply chain risks for Australian companies?

Two principal security and supply chain risks associated with critical minerals are worth highlighting, both of which have a geostrategic flavour – (1) foreign ownership, control and influence, and (2) sanctions and trade embargo risks, as illustrated below:

Paul Curwell (2022) – adapted from AUSTRADE Critical Minerals Supply Chain in the United States (2019)

The Foreign Ownership, Control and Influence (FOCI) risks we have seen globally tend to materialise in two scenarios, outlined in the following table:

FOCI risk – risk description / scenario:

  • Mining rights (licences) are held by a single company which controls a substantial percentage of production – This scenario is particularly applicable to Rare Earth Elements, which are only found in a few locations around the world, hence global supply is very low in comparison to demand. In this case, a single company could conceivably control a substantial percentage of the production for a given rare earth element globally.
  • Ownership of multiple mines is held by shareholders of the same nationality (i.e. a concentration risk) – This effectively gives the parent country ‘control-by-proxy’ of critical minerals production, meaning the minerals can be exported under the guise of legitimate trading contracts to the parent country for stockpiling and / or use in manufacturing. Once extracted and shipped, there is no easy way of getting the minerals back, and the country which holds all the stockpiles effectively controls both market pricing as well as its permitted end use (for example, military end-use export controls might be applied, effectively giving the controlling country a military advantage).

(c) Paul Curwell 2022

The second type of risk is sanctions and embargos risk. Historically, when we think of sanctions, trade embargos or even naval blockades it is typically on countries such as North Korea and Iran for their actions against the global community and internationally acceptable norms and behaviours.

As a source country for critical minerals, there is always the possibility that Australian companies or Australian exports could be sanctioned. However, two factors act in our favour to mitigate this risk with critical minerals:

  • First is global availability, being that critical minerals are either only located in specific geographic regions or can only be extracted in a way that makes economic sense from a small number of locations.
  • Second is the global balance of power. Whilst geostrategic power is shifting away from the United States, we are not yet at the point where other geostrategic players have sufficient power or leverage to impose meaningful sanctions or export restrictions at a large scale (note this does not mean that targeted, and even non-conventional forms of sanctions would not be possible or effective).

Another commonly used sanctions and embargo tool is the naval blockade, which would be very onerous to enforce against a country such as Australia, which is so large and surrounded by navigable waters.


What can we do about it?

Like an increasing number of countries around the world, Australia has implemented foreign ownership and foreign investment restrictions to prevent the scenario arising whereby our mining companies or mining licences are owned by foreign investors, either at issue or throughout their period of validity, without appropriate review. Additionally, we have introduced a range of foreign interference laws to criminalise and help prevent actions by foreign governments and their proxies (including legal entities) that interfere in Australia’s sovereignty.

As we saw with trade restrictions on Australian exports, the management of sanctions, embargos and the like is much harder. This is particularly the case where Australia sends extracted ore to a third country for processing and refining, which may then be purchased for re-import back to Australia. In this scenario, Australian manufacturers or businesses are immediately exposed to potential sanctions risks. One way to mitigate this is to conduct mineral processing and refining here in Australia, allowing Australia to export refined material as well as to use it directly in Australian manufacturing.

If there is one positive thing that can be said for the COVID-19 pandemic (aside from introducing more flexible working practices), it is that the supply chain disruptions have really reinforced, in the Australian psyche, the need for Australia to expand our domestic manufacturing capability and to be less reliant on other countries for our critical supplies and services. Understanding where security, geopolitical (country) and resilience risks lie in your supply chain, and implementing appropriate risk treatments, is critical for every Australian business.


Natural Hazards and Accidents, and their intersection with physical threats

Author: Paul Curwell

With the impending passing of the Security Legislation Amendment (Critical Infrastructure) Bill 2021 (referred to as SOCI, or Security of Critical Infrastructure) in the Australian Parliament, and the Department of Home Affairs working through definitions of the Rules which prescribe the requirements for critical infrastructure operators around integrated risk management, there is a lot of movement and discussion underway within Australia’s expanded eleven critical infrastructure sectors to ensure readiness to comply with the new legislation.

As it currently stands, the legislation refers to “physical and natural hazards” which is out of alignment with terminology used in various Australian / New Zealand and International Standards (ISO). When it comes to physical threats and hazards, there are effectively three categories:

  • Physical threats – pertain to security risks and are caused, ultimately, by humans. The difference between physical threats, natural hazards and accidents is intent to do harm or otherwise impact the ‘security’ of something. These are generally assessed via a ‘Threat and Risk Assessment’ or ‘Security Risk Assessment’.
  • Natural hazards – are those which derive from nature (sometimes referred to by insurers as ‘acts of god’). These are generally assessed using different techniques, such as risk bowties.
  • Accidents – includes industrial accidents and similar events which can have the same / similar impact as natural hazards but are caused by humans, rather than nature. There is a possibility that what appears as an accident might actually be caused by a physical threat, such as an insider seeking to perpetrate an act of workplace sabotage or terrorism.

In my work, I primarily focus on risks with a root cause in national security or crime, as opposed to working on business continuity generally. I regularly encounter situations in my work with clients where I am requested to assess natural hazards (including accidents) and physical threats using the same underlying risk assessment methodology.

Whilst you can aggregate the results of risk assessments against physical threats with natural hazard and accident risk assessments (some of which have a close relationship to occupational health and safety or Health Safety Environment risk management), trying to apply the same underlying risk assessment methodology on an asset by asset or site basis is not leading practice.


Types of Natural Hazard

So what is a hazard anyway? A hazard is defined by ISO31000 as “a source of potential harm” and is different to a risk. In fact, hazards, like physical threats, cause risk events if controls to prevent their occurrence either do not exist or are inadequate. Have a read of this excellent article from the team at Broadleaf Capital International if you want more information.

For the purposes of this article I have used the Centre for Research on the Epidemiology of Disasters (CRED) EM-DAT taxonomy, an excellent resource, which records 17 types of natural hazard across 6 categories:

Natural hazard category – natural hazard:

  • Dry mass movement
  • Volcanic activity
  • Meteorological – Extreme temperature
  • Wave action
  • Glacial Lake Outburst
  • Wildfire (bushfire)
  • Biological – Epidemic / Pandemic; Insect infestation; Animal accident
  • Extraterrestrial – Impact event; Space weather

Source: CRED EM-DAT General Classification (emdat.be/classification)

You will recall that the core risk assessment methodology focuses on Consequence (or impact) and Likelihood. When assessing Likelihood, or the chances of a natural hazard arising, you need to determine whether your asset is in a geographical area impacted by that given type of hazard. There are two main considerations here:

  • Regional geographical factors – this relates to where your asset is situated on the planet and is something you can’t readily influence. If your asset lies within an earthquake or cyclone (hurricane) prone zone, this increases the likelihood of the risk.
  • Local geography – is more specific to where exactly your asset is sited. An asset situated at the bottom of a deep valley is likely to be more prone to flooding than an asset situated at the top of a hill.

Governments and scientific research organisations all publish data on natural hazards which inform their likelihood. Some produce complex scientific models which can also be used to help understand factors such as when a natural hazard might arise, where exactly it will impact within a given geographical area, and how severe it might be. For many natural hazards, there are underlying indicators which are monitored by governments and research centres that provide advance warning of an impending natural hazard. One example here is the amount of dry fuel load in the case of bushfire risk. You can quickly locate relevant data for your risk assessments with the help of Google, most of which is free.



For the purposes of any risk assessment, the second main category of hazard is that of accidents. Sometimes, this category is referred to as ‘manmade accidents’ as the cause of an accident is effectively poor controls, human error, negligence etc. – all of which are foreseeable and theoretically preventable. The key difference between accidents and physical threats is intent. A worker at a chemical plant might accidentally drop a barrel which results in a chemical spill (an accident), or they could intentionally empty a barrel of chemicals to, for example, commit physical sabotage in the workplace (an ‘insider threat’).

Where accidents such as those outlined below are possible, it is not sufficient to simply address them from a safety or HSE perspective. Physical threats (in the form of insider threats) could intentionally cause one of these events, which might then pass undetected as an ‘accident’. A complete assessment of physical threats will reflect this.

Technological Hazard: Accident type
  • Industrial Accident: Chemical spill; Gas leak; Oil spill
  • Transport Accident: Air
  • Miscellaneous Accident: Collapse
Source: CRED EM-DAT General Classification (emdat.be/classification)


DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Conducting a Country Risk Assessment for your key suppliers

Author: Paul Curwell


Choosing a supplier is an important decision for any business, no matter the size or time in operation. We all know that picking the wrong supplier can have disastrous consequences for your brand, reputation and customer satisfaction. Globalisation has driven manufacturing to low cost destinations, typically in less developed parts of the world. Whilst this meant the ability to purchase a product for a cheaper price, it also came with risks relating to reliability, quality, supply chain disruptions, integrity and ESG (Environmental Social Governance) risks such as indentured labour.

Stories of bad procurement experiences abound in relation to sourcing Personal Protective Equipment like gloves and masks for health workers during the COVID-19 outbreak. For example, some customers purchased counterfeit product whilst others purchased products which did not conform to stated specifications and had to be destroyed. However, in other cases the government where the manufacturer or distributor (e.g. warehouse) was located stepped in to compulsorily acquire the products for their own citizens, at the customer’s expense.


As highlighted by these examples, three main risks need to be considered as part of any supply chain decision:

  1. How well do you Know Your Supplier (KYS)?
    • Are they legitimate?
    • Do they have a good track record in the market?
    • Are they financially solvent?
    • What do existing customers think of them (do they have any customers)?
    • Will associating with them damage your reputation?
  2. Does the product quality and pricing meet expectations?
    • Are their products legitimate?
    • Do they use substandard or counterfeit components?
    • Do their products conform to expected / agreed standards and specifications?
    • Are they competitively priced?
  3. Is the supplier located in a high risk country?
    • What factors external to the supplier might impact their ability to service your needs?
    • How dependent are they on other parties, such as trucking companies and electricity utilities, to deliver on supply agreements?
    • Are there any other considerations which might result in supply chain disruptions or non-delivery?

The concept of a ‘high risk country’, and the concept of country risk more generally, are examined in more detail below.

So what is country risk anyway?

The importance of understanding country risk is often overlooked, or given only a cursory glance by many businesses. As Australians we are truly privileged in terms of our advanced society, laws and infrastructure, and it is easy to forget that this is not the case for other countries (especially those manufacturing low cost products for import). When used by economists and the investment community, country risk refers to the “losses that could arise as a result of the interruption of repayments or the operations of entities engaged in cross-border investments caused by country events as opposed to commercial, technical or management problems specific to the transaction” (Toksoz).

The term political risk may also be used interchangeably with country risk in some situations; however, it is typically used to refer to those sources of risk with a political dimension, whereas country risk as used here is much broader. According to Moosa (2002), country risk analysis is used in three scenarios:

  • Multinational companies use it as a screening tool to select preferred countries for investment and / or market entry based on risk factors;
  • Country risk metrics can be used as part of a continuous monitoring program for in-flight projects or investments (see below); and,
  • It can help identify, assess and manage country-related risks pertaining to projects or other initiatives in a foreign country.

For the purposes of this article, the selection of suppliers falls into the last of these three categories.

You don’t need to consider country risk as part of every supplier decision

Not every product is created equal – some products may be more highly commoditised (and therefore readily available from multiple suppliers) than others. Typically, it is not necessary to follow the practices outlined in this post for products which can be easily purchased from many suppliers in many different countries (and indeed regions of the world).

Situations where a business should conduct a proper country risk study of its supply chain include:

  • Companies that are sourcing a contract manufacturer to build their products to specification
  • Products that require rare or hard to obtain ingredients / materials / components
  • Products that require specialist skills, equipment or manufacturing conditions (e.g. clean rooms)
  • Products that require components which are made under license by a fourth party

Where does country risk fit into the overall decision process for a supplier?

The process of choosing a supplier generally involves at least five core steps:

  • Identify and document your business requirements
  • Identify source countries for the product
  • Identify potential suppliers (i.e. individual businesses)
  • Negotiate and award the contract
  • Monitor the supplier for the life of the contract

Often, the identification of a potential supplier is conducted in tandem with the country risk assessment, however the order really depends on how many supplier choices exist. For example, in the case of contract manufacturers there may be suitable suppliers across multiple countries. Assuming these contract manufacturers are broadly comparable on other attributes such as price / quality and KYS outcomes, the inherent country risks may become a determining factor in the ultimate decision.


What does the country risk assessment process involve for suppliers?

In my career, I have seen many country risk assessments which really miss the mark. They might be a great piece of research that consumes copious numbers of pages and tells you everything you might ever want to know about a country, but so what? We’re in business, not writing a doctoral thesis or encyclopedia. Many country risk assessments are actually what are referred to as ‘country studies’, effectively research documents that catalogue many facts about a given country but are not linked to risks per se. I use a three-step process to produce a country risk assessment for a supplier, as follows:

  1. Map the supplier’s value chain – use Michael Porter’s value chain analysis to gain at least a basic understanding of what is required by the supplier to make your product. For example, if your supplier runs an iron foundry, you care about electricity and water as inputs. The reliability of your supplier’s phone network is important for delivery and payment, but without power and water there is no product. If your supplier depends on third parties for components, you need to understand this as well.
  2. Identify country risks – there are numerous methods for this, with two common ones being PESTLE and PMESII. If you already have a country study, this should be used as an input to this risk identification stage. Use desktop research and interviews to identify the required information, and then categorise your findings using the PESTLE and PMESII taxonomies:
    • PESTLE – stands for Political, Economic, Social, Technological, Legal and Environmental and is commonly used in government and business. Each of the PESTLE categories has a multitude of sub-factors, such as types of contract law (as a Legal example), which should be researched and then discounted or included where relevant.
    • PMESII – stands for Political, Military (or law enforcement / organised crime), Economic, Social, Information (as in the reliability of information such as public records and the media) and Infrastructure. PMESII is a methodology used by the intelligence community.
    • Either method, or any variation thereof, should be developed based on your scope of work and objectives.
  3. Write up the country risk assessment and risk mitigation plan – the last step in my method for preparing a country risk assessment for suppliers involves overlaying the country risks against the value chain. Where possible, market forecasts and internal metrics (e.g. revenue, production) should also be referenced to ensure identification of country risks that actually impact the value chain. Once you have identified risks relevant to the value chain, these risks can be assessed and potential mitigation options identified for consideration.

Why should I bother? What is the cost-benefit here?

In her latest book on Political Risk, the former US Secretary of State turned Stanford University professor refers to political risk in the context of her “five hards of political risk management” (p82):

  • Hard to reward
  • Hard to understand
  • Hard to measure
  • Hard to update
  • Hard to communicate

I have encountered situations where well-intentioned businesses sought to manage country risk, such as when selecting a single contract manufacturer for all their production, only to find executives balk at the thought of spending thousands of dollars to identify and assess risks which in many cases would protect against losses of millions in future revenue. Whilst it might be hard to quantify the return on investment that justifies spending on country risk, the benefits are clear, as illustrated by this example from MIT Professor Yossi Sheffi’s excellent book ‘The Resilient Enterprise’:

On 17 March 2000, lightning resulted in a fire at the Philips NV semiconductor plant in New Mexico, USA, which damaged manufacturing clean-rooms and destroyed inventory under production. Two of the plant’s most important customers were Ericsson and Nokia, then leaders in the mobile phone market.

In Finland, Nokia received a call from the plant informing them of an anticipated one-week delay. However, on further investigation Nokia determined the downstream effects would impact millions of its handsets, jeopardising sales and market share. Nokia began to enact its contingency plan, including buying excess capacity in the global market.

Nokia’s primary competitor, the Swedish company Ericsson, also received the same call but was reportedly less concerned. By the time they realised the materiality of the situation it was too late. This event ultimately triggered billion-kronor losses for Ericsson, resulting in its exiting the mobile phone market entirely.

This example highlights the importance of understanding all aspects of risk in the supply chain – taking early, informed action is critical to managing supply chain risk.


The country risk assessment process isn’t just a once-off

Most relationships in life start out well but deteriorate over time. Like any business relationship, suppliers need to be continuously monitored and the relationship nurtured to ensure long-term benefits to all parties. The concept of ongoing or continuous monitoring in due diligence and risk management has been around for many years, but has only recently started to take hold. Two elements need to be continuously monitored so as to properly manage supply chain risk:

  • Ongoing monitoring / continuous monitoring of the supplier themselves for factors such as financial solvency, quality, changes in ownership; and,
  • Ongoing monitoring of those external ‘country risk’ factors which the supplier may not even be aware of but which could disrupt ongoing supply.

One way to conduct ongoing (continuous) monitoring is through a strategic ‘early warning’, ‘situational awareness’ or ‘risk sensing’ capability which monitors the operating environment for tripwires, or leading indicators of an emerging risk, allowing for closer monitoring and a timely response. I will discuss how to build one of these capabilities in a future post.
