Australia leading the way on geopolitical risk, once again!
Views on the latest APRA guidance and what it means for practitioners across security, intelligence, climate and enterprise risk
A number of readers, especially those of the antipodean disposition, will have seen the Australian Prudential Regulation Authority (APRA)’s latest guidance on minimum expectations for how its regulated entities (banks, insurers, funds etc) should be managing geopolitical risk. There’s a lot to digest. It is the result of over two years of work and engagement between the banking sector and APRA, alongside the Council of Financial Regulators, Australia’s coordinating body between regulators (nb: the other regulators being its central bank, the Reserve Bank of Australia; the markets and consumer credit regulator, the Australian Securities and Investments Commission; and the Treasury).
You can read the full blast here and subscribe to the latest edition of my geopolitical regulatory risk tracker to find out the key areas of action for geopolitical risk teams. But for those of you sitting in an enterprise risk, geopolitical risk or even climate risk space, what should you take away from this latest guidance?
First, what’s in it?
Geopolitical risk needs to be embedded in corporate strategy, governance, risk appetite and Board oversight. In essence, Boards own this now.
Governance needs to effectively connect persistent threat monitoring with coordinated, timely decision-making during a crisis. Crisis management and playbooks are spotlighted.
How organisations build resilience to geopolitical shocks and shifts now needs to be evidenced and tested.
Personnel security, critical staff availability, insider risks and foreign interference challenges need to be assessed, with appropriate resources and frameworks to mitigate those risks.
Sanctions and offshore exposures need to be assessed for vulnerability to policy changes.
Capital and liquidity planning, as well as stress testing, need to incorporate geopolitical risk scenarios more realistically than before.
There’s a lot here to digest so I’m going to break it down into a few “so what’s in it for you” parts:
Health warning + “I’m not Aussie, so what”
First, guidance is a step towards implementation and enforcement. While there’s no “one size fits all” approach expected from APRA, given the diversity in activity and size of the firms it supervises, there are clear baseline expectations which also connect with existing enforced regulatory regimes.
Trust and believe that not meeting minimum expectations is going to lead to tricky conversations and unpleasant enforcement actions.
And if you’re not an Australian firm or don’t have major financial activities in the country, you should still take note. Chances are, some form of regulatory oversight involving geopolitical resilience is coming to a regulator near you. As I’ve pointed out in a previous note and in the tracker, we’re seeing elements of APRA’s approach being taken up by the ECB and UK PRA (observe the cross-pollination in white papers such as this from the RBA in 2025), and the Iran war is almost certainly going to get other regulators thinking about how they supervise their own regulated entities around geopolitically-related risks. At a minimum, they’ll be watching APRA’s work closely, seeing what works and what doesn’t, and potentially applying the good stuff on their own shores.
For enterprise risk folks
I hope this is music to your ears. Geopolitical risk management inherently requires close coordination between multiple risk, operational and commercial teams to effectively build a dynamic picture of company-level risk exposures, potential impacts and risk appetite calibration. From experience and from speaking with peers at other banks, different governance and coordination models exist, but those who lead enterprise risk teams should be taking a leading role in at least the governance and Board / entity reporting aspects: collating and updating the catalogue of frameworks and controls, metrics and management information, and ensuring that senior leaders are clear on one internal view of 1) “how well are we managing risk?” 2) “where are the highest-priority pain points and gaps, and what are we doing about them?” 3) “which critical areas need immediate decisions?” 4) “how are we benchmarking against our peers across points 1-3?”.
If you have buying power, consider whether your existing suites of tools are sufficient, or whether new functionalities or new tools are needed to make your work possible. Legacy / incumbent GRC tools and practitioners are rapidly converging into the geopolitical space, but I argue these tools are typically not designed by those with geopolitical risk expertise (maybe supply chain) or with this risk in mind, so ensure what you’ve got is fit for purpose. Specialist tools may be necessary - talk to your security / geopolitical risk teams (or me!) to see if they can help.
For security and intelligence folks
If you’re still reading this, you should already know what I’m about to say - this is a strategic opportunity for you and your team to showcase your capabilities, grow your impact, demonstrate Return on Risk and Return on Investment, and shift the narrative further that security + intelligence is a source of value creation / bottom-line positive for the broader company. Whether it’s positioning your team as a centre of excellence, the monitoring and analysis hub, the “chief geopolitical officer/office” or the lead / one of the co-leads of an internal task force (Boston Consulting Group provides a handy overview of the different types of in-house geopol setups), use this shift in regulatory focus to your advantage as you build and argue for your programme.
This is also the first time that APRA has publicly voiced serious interest in personnel security, insider risk and foreign interference. Foreign interference has been an on-and-off hot topic for the past decade in Australia, most prominently with raids on the offices of politicians and the introduction of new legal definitions, legislation and criminal prosecutions. In corporate structures, managing these threats is the bread and butter of corporate security leaders, and to an extent their cyber colleagues. The call to action should be to demonstrate capabilities, the value of industry and government relationships, uplift security KPIs and governance reporting, and build out insider functions - most banks in Australia can do far more on the latter. MITRE’s insider threat framework, considered the industry standard for classifying insider TTPs and the starting point for threat intelligence, monitoring and response, continues to evolve. Growing regulatory demand for robust insider frameworks, coupled with the risks associated with the advancement and accessibility of AI applications, is likely to further drive investment and opportunities in this space.
For climate folks - energy transition and adaptation
If you’re an in-house climate intelligence / ESG practitioner, or on the consultancy, startup or investor side, why should you care? Because geopolitics is inherently connected with the energy transition, as we’ve most recently seen with the Iran war and China’s energy mix really coming through as a good energy resilience / realpolitik narrative for Beijing. While APRA regs are not a market / demand signal in the conventional sense for those outside of banking/insurance, they should be provoking folks in the climate space to think about how they’re impacted - good and bad - by geopolitical and policy volatility. I see three initial so-whats and now-whats; there are probably more.
Banks and insurers’ calibrations of risk appetite for geopolitical risk may impact how exposures to renewables, energy trading and other energy transition investments are viewed, e.g. in China and the Middle East.
In my earlier post on the Iran war, water security as a target for Iranian drone attacks and the disruption to ammonia supplies are just two instances of real-world geopolitics and conflict impacting energy transition / adaptation thematics. It’s worth speaking with your geopolitical and security risk colleagues / network to better understand how geopolitical developments - and the shifting policy environments that emerge from them - impact your supply chain, market opportunities, or even technical vulnerabilities in your solution, e.g. whether a weather monitoring solution deployed at a desal plant would be considered a piece of critical infrastructure worthy of adversarial targeting.
If you’re building and selling models, modelling geopolitical behaviour as policy and regulatory actions / decision forks is probably immature, but the regulatory trend would suggest you should start building more in this arena. Climate security risk transmission models can help bridge some of the gap, but additional SME insights and pointers are needed to make these models actionable and bankable.
If you’re building and selling platforms
For those supporting financial services customers, this is a clear opportunity to consider how you can support uplifts in 1) governance and reporting, 2) capability, and 3) stress testing. Key areas of focus, in my humble opinion, should be:
Vulnerability mapping. Geopolitical risk is complex and means different things to different organisations. Interdependencies, as the APRA guidance points out, are inherently complex but essential to identify and assess how touchpoints with adjacent risks (e.g. AI, cyber) are understood, flagged, escalated and managed. Digital twins, causal world models and other advanced AI-powered modelling techniques to mimic how the world works could be an interesting and powerful way to identify these interdependencies and gaps at scale.
Leveraging AI-native capabilities to convert signals into actionable intelligence connected to existing security, compliance, resilience, sanctions, operational, credit and market risk controls, ideally using explainable agentic AI workflows to perform this at high fidelity and at scale. There are a number of powerful tools on the market, both legacy and AI-native such as Mission Grey (for transparency, I am a guild expert / advisor for them) that can fit the bill.
Dynamic heat mapping of geopolitical and adjacent risks (e.g. supply chain) against country-based portfolio exposures, digital and physical infrastructure, data flows and critical supplier relationships.
Automated generation of governance reporting across relevant metrics, highlighting key areas of vulnerability and rises / reductions in risk and impact.
Scenario modelling and development to support operational and prudential risk stress testing, crisis simulation and event playbooks.
If what you’re bringing to the table can get your clients from “1 to 2” or “2 to 4” in some or all of these areas, then it opens up a clear “compliance and governance solution” angle to your risk-based solution suite. And that could open more doors to potential customers who now need to wrangle geopolitical risk but lack the know-how.
What have I missed? Do you agree or disagree on the “regulator-isation” of geopolitical risk - is it a net good or bad for risk management? And where do you see the opportunities? I’d love to hear from you.
What else caught my eye
A powerful piece from Isaac Kardon in Foreign Affairs succinctly highlighting just how radically we have shifted away from pax Americana, and where the different threads that make up our global system - from energy to AI and shipping - could be headed.
The FT looks at why there is such a gap between insurance rates and the volatile times we live in. Cheap policies today are probably underpricing risk, setting the insurance industry up for another potential abyss triggered by major catastrophes ranging from AI/cyber disruptions to another Hormuz-type event.
Rapid advances are happening in leveraging AI for weather forecasting and reporting, much of it trained on publicly-funded data sources. Given that much of the AI effort in this space is private, it raises the question of whether weather data is a utility or a for-profit asset.