Ross Pounds
Senior Manager

Governance, risk and compliance during the Ukraine crisis

March 10, 2022

In mere weeks, the Russian invasion of Ukraine has catalyzed a number of crises in terms of business disruption, economic impact and human cost.

Since the conflict began, millions of Ukrainians have joined the tens of millions of refugees worldwide displaced by war and unrest. At the same time, sanctions and public sentiment have spurred many of the world’s leading corporations to pull their money and operations out of Russia. Sanctions, bank freezes, and other actions have immobilized hundreds of billions in Russian reserves worldwide and caused the steepest decline of the ruble, the currency of what was once the world’s 11th largest economy, since 1998.

Companies worldwide and across industries are expected to experience business and governance repercussions for years to come. “Harsh new global realities arising from the invasion are likely to impact political discourse, government priorities, labor sentiment and consumer confidence,” said Michael Peregrine, a partner with international law firm McDermott Will & Emery.

Now more than ever, secure, informed and transparent governance should be a top priority for corporate leadership, from directors and general counsel to investor relations teams to top executives, particularly CIOs/CISOs and those in risk and compliance. They need to stay up to date on new developments, make decisions quickly and assure employees, investors and customers that their organization is taking the right steps to protect itself and remain compliant.

With so much to cover, and the situation evolving by the day if not the hour, where should leaders focus first? A few key priority areas follow, with guidance for next steps.


Russia, a noted state cyber actor, has aimed malware, ransomware and other attacks at both Ukraine and the nations imposing sanctions in Ukraine’s defense. “Early cyber skirmishing has already begun,” a February Harvard Business Review article announced, with “vigilant U.S. companies noting a dramatic increase in cyber probing.”

The cyberworld has been here before. In 2017, the NotPetya attack targeting Ukrainian government and financial entities led to billions of dollars in damages as it impacted computer systems across the globe. Today, critical infrastructure, networks and more are all at risk, and to make the situation even more challenging, the war on the ground may have weakened defenses in cyberspace. It’s estimated that more than 100 of the world’s Fortune 500 companies rely at least partially on Ukrainian IT services.

Chief Executive magazine recommends increased communication during and between board meetings to “reduce the risk that directors are surprised or blindsided.” Yet such communications, particularly those covering sensitive topics, could be especially tempting targets for bad actors.

To strengthen cybersecurity:

  • Safeguard board and executive communications through secure portals and messaging apps.
  • Protect sensitive data across your organization.
  • Refresh and rehearse business continuity plans. How will you communicate and keep operations running if critical data is stolen or key systems go down?

Entity, Third-Party and Supply Chain Risk

Sanctions are another area of complexity challenging even the most prepared institutions. A February 27 Reuters article described the weekend scramble by senior management and compliance teams at major banks to understand sanctions imposed on Russia and its banking system:

“Banks were scrambling to ensure they understood the full implications of the restrictions,” the article reported. “With global financial markets set to open within hours, bankers described staff working on overdrive to apply the sanctions, including frantic calls to governments and regulators to fill in gaps in knowledge.”

To complicate matters even more, sanctions and compliance risk extend throughout a corporation’s supply chain, subsidiaries and global entities. Even if a company doesn’t have direct operations such as stores or offices in Russia or Ukraine, it likely will have some exposure through the many global dependencies that define modern business. The U.S. chip industry relies on neon from Ukraine, for example, and Russia exports several elements critical to building semiconductors, automobiles and jet engines.

“U.S. businesses should take immediate steps to review their relationships with customers, lenders and business partners, wind down business with restricted entities where appropriate, and examine the export classification of items being exported, re-exported and transferred, to ensure compliance with these growing international restrictions,” writes American law firm Fox Rothschild.

As this landscape evolves, companies across industries will need to closely monitor global media, the regulatory landscape and their own risk exposure to proactively identify potential issues and protect themselves against regulatory scrutiny and reputational damage.

Sharpen your visibility and ability to respond with:

  • Risk intelligence data and monitoring tools, particularly those that employ AI for real-time monitoring
  • Entity management solutions that centralize entity and subsidiary records and documentation, for faster due diligence, swifter isolation of sensitive data and easier divestiture of affected entities
  • Third-party management solutions that integrate supply chain due diligence into risk management

Stakeholder Communications

In such a multifaceted and quickly evolving crisis, regulators are only some of the many stakeholders who want to stay apprised of corporate risk and response. Employees want to know about the safety of Ukrainian colleagues and contractors. Customers want to know about the invasion’s impact on prices, supplies and services.

Customers also want to see the brands they do business with taking action. In a late February poll reported by Forbes, a mere 4% of respondents want companies to maintain their business in Russia and not speak out at all in favor of Ukraine. Activists are applying pressure as well. A coalition of more than 75 climate groups sent a request to 100 financial institutions to end financing, investing and insuring companies in Russia’s coal, oil and gas industries. This call to divest joins a growing chorus of entities, including many U.S. state governments, pushing government-owned pension plans to divest of Russian securities.

Take control of your company’s story by:

  • Frequently and thoroughly communicating with investors, shareholders, customers and employees about the precautions you’re taking
  • Harnessing proactive and positive communications opportunities when possible

Make sure your board has secure governance, risk and compliance best practices in place. Set up a meeting with Diligent today.

