top of page

Emerging Risks and Geopolitical Uncertainty: What Leaders Should Be Paying Attention to Now

  • May 13
  • 4 min read

I was pleased to be invited by Third Party Risk Association to attend April’s session on Emerging Risks and Geopolitical Uncertainty. 


The discussion reinforced how quickly the third party risk landscape is shifting and how interconnected these risks have become. AI, data sovereignty, supply chain realignment, cyber activity, financial stability, and operational resilience are no longer separate topics. They are converging. 


Across all of it, one message came through clearly: Organizations need a more integrated and leadership-led response. 


AI is changing the landscape of third party risk 

AI is no longer a niche technology issue. It is reshaping how organizations approach vendor oversight, data governance, and cross-border exposure. 


A vendor that appears straightforward on paper often relies on multiple layers beneath the surface. A SaaS provider may depend on an AI engine, which in turn relies on foundation models and sub-processors across multiple jurisdictions. 


That means data is moving across countries and entities, often without full visibility. 


The implication is clear... Organizations need to move beyond generic policy references. AI-specific due diligence, stronger contractual controls, and a clear understanding of data flows must now be foundational. 


Data sovereignty is now a live, operating issue 

Data sovereignty is becoming more complex, not less. 


It is no longer sufficient to know where a provider is headquartered. Organizations need to understand where data is stored, processed, accessed, and transferred across the full ecosystem of providers and infrastructure. 


The leadership question has shifted. 


It is no longer “Is the data protected?” 

It is “Can we clearly explain where our data is going and why?” 


Geopolitical fragmentation is reshaping supply chain risk 

Geopolitical tension is actively reshaping supply chains. 


Regional conflict, sanctions, trade tension, energy disruption, and concentration risk in sectors such as semiconductors and infrastructure are directly affecting resilience, pricing, and service continuity. 


Many organizations believe they have diversified. In reality, they have often redistributed risk. 


Third- and fourth-party dependencies remain a significant blind spot. 


Cyber activity is part of the operating environment 

Cyber risk continues to evolve in both scale and intent. 


The TPRA discussion highlighted activity targeting critical infrastructure, telecom providers, and software supply chains. This shift is important to note. 


This is no longer just about data loss. 

In some cases, threat actors are positioning themselves inside infrastructure to enable future disruption. 


This raises a critical question. 

How much visibility do you really have, not just into your vendors, but into the infrastructure they depend on? 


Financial stability still matters 

Financial stability remains a core risk factor, particularly in uncertain markets. 


Tariffs, energy pricing, and geopolitical instability are directly impacting vendor viability. This is especially relevant for smaller or newer providers where financial transparency may be limited. 


The practical question is straightforward... If a critical vendor failed tomorrow, could you transition? For many organizations, the answer is still no. 



Operational resilience is where this all comes together 

Operational resilience is no longer a standalone activity. 


It cannot be reduced to documentation or periodic assessments. It is shaped by: 

  • Geographic concentration of vendors 

  • Supply chain dependencies 

  • Location of talent and engineering teams 

  • Strength of contracts and communication protocols 

  • The ability to respond effectively under pressure 


The session emphasized the importance of testing real-world scenarios, including third party failure and geopolitical disruption. 


This is where the leadership challenge becomes visible because these issues do not sit in one function. 

They cut across legal, procurement, risk, cyber, compliance, operations, and executive decision making. 


What this means in practice 

If you are leading third party risk management today, focus on this: 


  1. Move beyond visibility to decision readiness 

It is not enough to map vendors and dependencies. You need to understand how decisions will be made when something fails or is disrupted. 


  1. Define ownership across functions before pressure hits 

Legal, procurement, risk, and the business often operate independently until there is an issue. Clarity on ownership and escalation paths need to be established in advance. 


  1. Strengthen how you evidence decisions 

Regulators and boards are increasingly focused on how decisions are made, not just the outcome. Document rationale, trade-offs, and accepted risk clearly. 


  1. Test your operating model under stress 

Tabletop exercises should reflect real scenarios such as geopolitical disruption, vendor failure, or cyber events. Many frameworks work in a steady state but fail under pressure. 


  1. Reframe third party risk as an organization-wide issue 

This is no longer a compliance exercise. It requires executive engagement, cross-functional coordination, and board-level visibility. 


Final reflection 

The environment is no longer stable enough for siloed responses. 


AI, geopolitical tension, supply chain concentration, cyber disruption, and vendor viability are intersecting in ways that increase pressure on decision making. 


Organizations do not need more frameworks. 


They need to be able to make and defend decisions under pressure. This is where leadership becomes the differentiator. 


My thanks again to Third Party Risk Association for the invitation and for convening such a timely discussion. 


Author Bio

Tracy Keeping

Tracy Keeping 

Founder, Steel Harbor Consulting 


Tracy Keeping is the Founder of Steel Harbor Consulting, providing fractional executive leadership to organizations navigating governance, risk, and operational complexity. She works directly with CEOs and boards to drive decisions, execution, and defensible outcomes.


Comments


bottom of page