Irregular: Emu in the coal mine
Australia regulates geopolitical risk

Hello from Paris,
In today’s Irregular, I’d like to examine how financial institutions should grapple with what almost everyone now agrees is a more contested international environment — one with rising geopolitical risk and increasingly widespread consequences for the financial sector.
The prompt for this piece is that Australia’s prudential regulator, APRA, last month wrote to every bank, insurer and superannuation fund it supervises, setting out what it described as “minimum expectations” for readiness against geopolitical shocks. These expectations are not a legislative requirement, and questions remain about how the regulator will enforce them. But the letter is rippling through the Australian financial industry — and, equally important, it sends a significant signal to financial institutions operating in or headquartered in other jurisdictions.
So in this piece I’ll provide some background on what financial regulators around the world are doing to deal with the consequences of a more contested international environment, protect financial stability, and improve the systemic resilience of financial markets to geopolitical shocks.
Why Australia matters beyond its shores
The reason the APRA statement is worth exploring beyond Australia is that this is the first comprehensive move of its kind by a relatively large jurisdiction. And it should not be seen in isolation.
Much is made of the so-called Brussels effect, whereby the European Commission and its sister institutions are regarded as leading the regulatory charge — setting rules that are then mimicked, adopted and adapted elsewhere. Less well-known is that Australia has an almost equal claim to such an effect.
Australia has long had a culture of regulating before other nations. Australia pioneered the secret ballot in 1856 — still known in much of the world as “the Australian ballot”. It was the first country in which women could both vote in and stand for national parliament. Melbourne’s stonemasons won the world’s first eight-hour working day, also in 1856. Victoria was the first jurisdiction anywhere to make seatbelts compulsory. And many of these regulatory approaches were subsequently adopted in other parts of the world. (Australia’s recent ban on social media use for children and its efforts, announced earlier this week, to set Australian standards for AI, may be the next examples.)
So it bears watching what Australia is doing, and how its regulated financial institutions — principally banks, superannuation funds and insurers, but also a host of others, from credit unions to mutuals — respond to increasing scrutiny from the regulator.
The policy rationale
Behind APRA’s minimum expectations sits a growing recognition that geopolitical shocks, even in faraway lands, can have widespread systemic impacts on financial markets.
Over the last few years, central banks — the European Central Bank, the Bank of England, and Australia’s own Reserve Bank among them — have become considerably more sophisticated in articulating how geopolitical events, trends and crises transmit through both financial markets and the real economy. They hit the bottom line of businesses, disrupt supply chains and operations, elevate cyber risk, and ultimately move markets in ways that affect liquidity, capital adequacy and interest rates — with large, systemic and often unpredictable first- and second-order consequences.
At the same time, geopolitical shocks are by their nature diffuse, hitting many different businesses in many different ways, across different industries, to different degrees. And the policy levers at governments’ disposal for mitigating these shocks at the systemic level are quite limited.
Central banks can adjust interest rates to respond to inflation arising from, say, fluctuating oil prices. Governments can build self-sufficiency in critical minerals, maintain strategic oil reserves, and deploy subsidies and tariffs to offset some of the macro-level consequences of geopolitical events. But ultimately, the total effect of geopolitical shocks — economically, financially, and at the level of the firm — and a country’s resilience to them, hinges in large part on individual companies, banks, insurers and investors themselves becoming more resilient. That means being able to respond quickly; properly understanding their geopolitical risk — where threats come from and how much damage they could do; and setting up governance structures that allow the organisation to respond appropriately to a range of ultimately unpredictable events.
The regulatory impulse seen in Australia is therefore very understandable. It is something the European Central Bank has also recently moved to address, in a different way. In December, it announced that the 110 banks under its direct supervision will conduct reverse geopolitical stress testing this year. That is, rather than being handed a common adverse scenario, each bank must itself devise the geopolitical scenarios that could severely deplete its capital position — working backwards from a prescribed loss to identify what would hurt the bank, its customers and its clients so badly as to carry systemic consequences for the broader European economy, with a view to then establishing the appropriate risk mitigation and resilience measures.
The logic behind these regulatory approaches is very likely to hold in other jurisdictions too. Our expectation is that others will follow with similar, if not identical, measures.
What APRA has actually asked for
So what has APRA required? First and foremost, it expects regulated financial institutions to understand the geopolitical environment and how it affects them — and to integrate that understanding into standard risk management, strategy and governance rather than treating geopolitics as an exotic side interest for board retreats and after-dinner speeches.
The regulator has set out its minimum expectations across six areas, running from board oversight and scenario analysis through to crisis preparedness and personnel security. It has also flagged that a selected group of larger, more exposed entities will shortly be required to complete a targeted readiness assessment — and that where it finds heightened exposure, weak governance or inadequate crisis preparedness, it will take supervisory action.
It is worth being precise about what has and has not happened here. APRA has not created a new regulatory framework. Its position is that existing prudential obligations already require institutions to consider geopolitical risk where it is material. The letter is simply the first clear supervisory statement of that view. It may well become more prescriptive over time. But it has not yet.
Indeed, one of the interesting things about APRA’s expectations is that, despite being presented as guidance on geopolitical risk, very little of it is actually geopolitical in nature. Almost all of it concerns things financial institutions already do: governance, operational resilience, crisis management, sanctions, security, business continuity and board oversight.
In effect, APRA is saying that since geopolitical developments can materially affect all of these functions, financial institutions should integrate geopolitical understanding into their ordinary ways of doing business. In other words, geopolitics should no longer sit outside ordinary risk management, but should increasingly become part of it.
This is at once a simple exercise and a complex one. Simple in the sense that the regulator is not asking financial institutions to create their own geopolitical risk units, spend an inordinate amount of time on geopolitics, or do something wholly different from how they ordinarily operate. What it is doing is making sure that all the ways in which financial institutions already consider risk, strategy and governance — their ordinary operating procedures, the way they assess counterparty risk, sanctions risk or security risk — are adequately informed by a realistic understanding of how the world is currently operating and where it could go.
For many institutions, then, the challenge is less about building entirely new processes and more about “joining the dots” and integrating existing capabilities and processes. Most already possess the capabilities the regulator is pointing at — sanctions screening, business continuity planning, technology risk management, scenario analysis, security. The harder task is ensuring these functions speak to one another, and that each is informed by a common understanding of the geopolitical environment rather than working from its own private picture of the world.
Interestingly, APRA is also — perhaps not mandating, but certainly encouraging — financial institutions to run simulations of “plausible but severe” geopolitical shocks to stress-test how these would play out and affect the organisation, its clients and the broader economy. As APRA’s Chair put it, “awareness is not enough”.
Whether this effort ends up being a tick-the-box exercise for some firms or a major upheaval for others will depend on their international exposure, their existing frameworks, and what you might call their geopolitical maturity level. But none of the thousand or so financial institutions in Australia will be able to simply ignore geopolitics any longer.
There will be no one-size-fits-all solution. Each response will need to be proportionate and adapted to the individual organisation’s exposures, risk tolerance, size and capabilities.
The practical implications will also differ across the financial sector. For banks, geopolitical shocks may transmit most immediately through liquidity, credit and counterparty exposure, sanctions, payment systems, cyber risk and business continuity. Superannuation and pension funds will be more concerned with the effect on asset valuations, offshore investments, capital mobility, external managers, custodians and the long-term assumptions underlying portfolio strategy. And insurers will have to consider not only their own investments and operations, but also how war, political violence, cyberattacks, disrupted supply chains and changing sanctions regimes may alter claims, coverage, exclusions, pricing and reinsurance capacity.
While the appropriate response will differ considerably by sector, almost all financial institutions will need — in management jargon — a “capability uplift” in how they understand and manage geopolitical risk. And because the regulatory expectations touch so many parts of the business, meeting them is likely to require coordination across multiple functions rather than assigning responsibility to a single specialist team, an approach that larger institutions are already adopting.
A welcome move
To our mind, this is a welcome development. It has become only clearer over the past year that geopolitics can hit the banking system and the real economy through many channels at once. Few financial institutions need reminding that tariffs and trade restrictions can reprice entire sectors overnight. Sanctions regimes can quickly entangle counterparties and lead to frozen or stranded assets (and heady legal bills). And state-linked cyberattacks on financial infrastructure, as well as “insider threats” from hostile foreign intelligence services, are, sadly, becoming much more frequent.
All this points to what makes geopolitical risk genuinely different from most other risks financial institutions face. Geopolitical risk is not different simply because the impacts can be large. It is that its impacts often arrive simultaneously. Whereas a cyber incident often remains a technology problem with a technical fix, and a hurricane might manifest solely as an operational problem, a single geopolitical event can quickly become — all at once — a liquidity problem, a sanctions problem, a cyber problem, a staff-safety problem and a communications problem, landing on the desks of the treasurer, the chief risk officer, the head of security and the board in the same week.
That is why geopolitical risk cannot be owned by a single organisational “silo” — both the problems and the solutions necessarily cut across the institution, which is precisely why the regulator has framed its expectations around governance rather than analysis.
There is certainly a gap in how most organisations approach these questions — and quite rightly, in a sense.
For most organisations through most of their history, geopolitics has not been something they needed to consider deeply or frequently. But with contestation now occurring across multiple domains — US–China competition, the fight for technological supremacy, expanding regulation in the name of national resilience, tensions between Western allies and rifts within NATO, and an increasing frequency of conflict, to name but a few — geopolitics can no longer be ignored.
What financial institutions should do now
There are, in our view, three steps that all financial institutions — not just in Australia, owing to the regulatory expectations, but everywhere — should be taking now.
Before setting them out, one point of framing: the objective should not be to forecast every strategic surprise correctly. That is impossible. Rather, it is to ensure that the institution can absorb shocks, recover quickly and retain enough flexibility to adapt as circumstances change.
First, conduct a geopolitical readiness review.
The starting point should not be creating a new geopolitical bureaucracy, but understanding what the institution already has in place and identifying where those existing systems need to be adjusted, connected or informed by geopolitical thinking.
Such a review need not be overly cumbersome. At a minimum, it should develop a house view on how geopolitics is changing in ways relevant to the institution; map the specific threats arising from geopolitical contestation that could directly and indirectly affect the organisation; and translate these threats into the language of risk by incorporating them into existing risk management frameworks through probability and financial impact estimation.
It should also stress test existing policies on specific risks, such as sanctions risk, against a realistic assessment of how the geopolitical environment is changing; review the organisation’s strategy through the lens of geopolitical contestation; and ensure that governance procedures — including board reporting, information flows on geopolitics and the determination of materiality — deal adequately with material risks.
For the record, we have been working with organisations in exactly this way, and it can be done in a relatively short period of time.
Second, run a small number of geopolitical crisis simulations.
These are live exercises based on “plausible but severe” geopolitical shocks, designed specifically to test the organisational resilience of the firm. A well-designed crisis simulation can identify risks that may have been missed, reveal policies and plans that would not activate effectively in practice, expose capability gaps, and provide a basis for building the organisational “muscle memory” needed to deal with the next inevitable but unpredictable shock.
In practice, this is probably the highest-value exercise an institution can run. Simulations do what no framework document can. They test governance and decision-making under pressure. They force different parts of the business to work together in ways that plans on paper never do. And they need not be overly complicated, able to be completed in the space of half a day or a day.
Geopolitical crisis simulations, in our experience, benefit from drawing in executives from different parts of the business — especially because geopolitical shocks hit different parts of a financial institution in different ways at different times, and require what you might think of as “whole-of-organisation” responses.
Designing meaningful geopolitical scenarios can, however, be surprisingly difficult. It requires not only an understanding of international developments, but also experience in translating them into realistic business disruptions and decision points that genuinely test an institution’s governance and resilience. Getting those things right with the right people in the room can yield major benefits.
Third, establish an appropriate system for monitoring and interpreting geopolitical change.
Some financial institutions, especially larger and more internationally exposed ones, do this by establishing a “geopolitical risk unit” or observatory — staffed by one, two or a handful of people whose mission is to stay on top of international developments, interpret them, inform the leadership about what is relevant, and work with the rest of the organisation to assess impact and design mitigation measures.
Such a function typically interprets developments, but does not own the downstream risks. Technology teams should own technology risk. Treasury should own liquidity risk. Financial crime should own sanctions risk. Operational areas should own broader organisational resilience and continuity. But since geopolitics can drive and influence all these more typical risk categories, the geopolitical function’s job is to help those existing teams understand how international developments affect the risks they already manage — not to take those risks off their hands.
A monitoring system need not be elaborate. It can start with a corporate subscription to a service like Geopolitical Dispatch. But it should ensure the institution has access to the most appropriate geopolitical analysis, and that this is filtered, analysed and reported internally in a way that is decision-useful. Monitoring should not be about “problem admiration” — there is enough of that — but interpreting which developments matter, explaining why they matter, and translating them into business decisions.
At a minimum, that helps institutions deal with the challenges of getting distracted, sorting signal from noise, and working out what is relevant, important and material to the business. Ultimately, the challenge is one of materiality: distinguishing the enormous number of geopolitical developments occurring every day from the relatively small number capable of significantly affecting the institution.
This is also, in our experience, what boards actually want. Boards do not need detailed foreign policy analysis. Nor can they reasonably be expected to become experts in international affairs. Their role is to ask good questions, test assumptions, and ensure that material geopolitical risks are being identified, understood and governed appropriately. When the next geopolitical disruption occurs, they need concise answers to three questions: Why does this matter? Is it material? What should we do? In other words: so what?
Establishing an appropriate geopolitical monitoring system matters because geopolitics inevitably evolves. Even after a readiness review and crisis simulations, developments will occur that change the risks identified. Staying up to date is important not merely to be a well-informed citizen — a good thing, of course — but to make sure that international developments relevant to the firm reach the right people at the right time, so that decisions can be made to improve the firm’s positioning and resilience.
The Canberra Effect
The significance of APRA’s announcement lies not simply in what it means for Australian financial institutions. It is that one of the world’s leading prudential regulators has now formally recognised something many executives have sensed for several years: geopolitics is no longer an externality but a core driver of an increasingly complicated operating environment.
Whether other regulators ultimately adopt requirements identical to APRA — and validate what we might call the “Canberra Effect” — remains to be seen. Australia has often acted as an early regulatory laboratory, and it would not be surprising if this proved to be another example.
But in many respects that is almost beside the point. Regulators around the world are confronting the same underlying challenge: how should financial institutions prepare for a world in which geopolitical disruption has become a normal feature of the operating environment? Geopolitical shocks now propagate through financial markets, supply chains, cyber systems and the real economy in ways that traditional risk frameworks were never designed to address. Whether Australia’s particular approach is copied verbatim or not, the underlying direction of travel is likely to be far more widely shared.
The question for financial institutions is therefore no longer whether they need to think systematically about geopolitics, but how quickly they can build the capability to do it well.
We are working with a number of financial institutions on precisely these matters. If you think it would be helpful to have a conversation in more depth, please do not hesitate to reach out.
Best wishes,
Damien




Excellent analysis. Thanks for sharing.