Governance & Compliance 11: Geopolitical risk and supply chains. Is your Board ready?

30 April 2026

Host Will Chalk is joined by Ashurst colleagues Nisha Sanghani, former FTSE 350 board member and Head of Ashurst Risk Advisory Middle East, and Neil Donovan, a partner in Ashurst’s dispute resolution practice in London.

In this timely episode, we look at how geopolitical shocks are driving a fundamental rethink of how organisations map, monitor and manage their supply chains. In doing so, we help boards answer a kicker of a question: If the world changes tomorrow, how exposed is our organisation and how quickly can we respond?

Nisha explains why the most effective boards aren’t satisfied with assurance: they really challenge and interrogate supply chain resilience, asking: ‘How do we know it would hold up under stress?’

Neil navigates a wave of related legislation, from the UK Modern Slavery Act to the EU Corporate Sustainability Due Diligence Directive, noting that supply chain risks are not limited to modern slavery violations, and that companies in some jurisdictions can be pursued for failing to prevent bribery and corruption by third-party agents, distributors and others within their supply chains. Enforcement may still be in its infancy, but Neil warns of reputational damage too. The court of public opinion moves faster than any regulator.

To listen to this and subscribe to future episodes in our governance mini-series, search for “Ashurst Legal Outlook” on Apple Podcasts, Spotify or your favourite podcast player. You can also find out more about the full range of Ashurst podcasts at ashurst.com/podcasts.

To receive updates and alerts on the issues raised in this podcast mini-series, subscribe to Ashurst’s regular Governance and Compliance Updates.

The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to. Listeners should take legal advice before applying it to specific issues or transactions.

Transcript

Will Chalk:

Hello, and welcome to Ashurst Legal Outlook and the latest in our series of Governance and Compliance Focus podcasts. My name's Will Chalk and I'm a partner in Ashurst's corporate transactions practice focusing on governance.

You're listening to a special series tackling our view of the top risk-related priorities for boards in 2026. In each episode, as regular listeners will know, we explore a major risk, trend, or opportunity commanding attention when setting board agendas this year.

Our next topic is supply chain risk management. Now, the eagle eyed amongst you will have spotted that one of our board priorities for 2026 was geopolitical risk. Pretty topical, right?

Well, we recorded our accompanying podcast for that a few weeks ago and we were just about to release it when the next day the war in the Middle East kicked off. Timing didn't feel right, so we've hung onto it for now. Releasing it felt trite, but we'll definitely come back to it as a subject.

We tested our thinking on that issue, on this issue of supply chain risk, and have come to a different conclusion. In part, because what's going on in the Gulf arguably requires an even more immediate response, and in part because it's a classic example of the surprising consequences that an event has had that we can learn from.

And no surprise perhaps that the events in the Gulf have had such a significant effect on, for example, oil and gas prices. But as a lad who grew up on a farm and still listens to Farming Today, I know, rock 'n' roll, I didn't realise that so much of the world's supplied fertiliser went through the Straits of Hormuz. And helium, anyone? The party balloon industry must be on its knees. Anyway, enough of me.

But what's a board to do? What should boards be thinking about on this topic? To help unpick the issue, we've got the principal authors of our supply chain risk management board priority.

Specifically, we've got Nisha Sanghani, former FTSE 350 board member and Head of our Risk Advisory consultancy in the Middle East, and Neil Donovan, a partner in our London Dispute Resolution practice. Thanks both for joining me.

Nisha, supply chain risk isn't new, and let's be honest, it's been a board-level priority for some time. I mean, whether that's been the reality or not. But is it fair to say that the speed at which these interdependent risks materialise tends to catch some by surprise?

Nisha Sanghani:

I think it's entirely fair to say this, Will. As you said, supply chain risk isn't new. What's changed is the scale, speed, and accountability. Historically, supply chain risk sat comfortably within procurement or operations. It was largely about efficiency, cost, and continuity.

Today, it's fundamentally different. Organisations are now accountable, not just for their own actions, but for the conduct of every tier of their supply chain, from human rights and forced labour through to sanctions, breaches, and tariff circumvention. That's a material legal and reputational exposure that boards simply can't delegate.

At the same time, the risk environment has become far more interconnected. A single disruption, geopolitical, regulatory, or even reputational, can cascade across the business within hours, and that's the key point. Speed. What used to unfold over weeks, now plays out in real time in a matter of hours and, in some cases, minutes.

As we're seeing in the current conflict, it's easy to fall into the trap of viewing supply chain risk primarily through a legal and reputational lens. In reality, security, price volatility and business continuity are equally critical risks and arguably risks that many organisations have not fully anticipated, but ones that are now materialising rapidly.

I do think many boards are still underestimating the speed at which an impact can become multidimensional. There's often an implicit assumption that there will be time to react, but increasingly there isn't. By the time an issue is visible, it's already impacting cost, availability, or reputation.

So this has moved from an operational efficiency issue to a strategic resilience issue. And as you know, Will, once something touches resilience, reputation, regulatory exposure, and of course the bottom line, it strongly belongs in the boardroom.

Will Chalk:

So I think what you're saying is that light touch oversight is no longer sufficient. So what does genuinely active board engagement look like in practice?

What questions should boards be asking management that perhaps they aren't? Or put another way, where do you see the biggest gaps?

Nisha Sanghani:

Yeah, really good question. Look, active board engagement is not about doing management's job, it's about changing the quality of oversight. In practice, that means moving from periodic, high-level updates to structured, data-driven interrogation of supply chain risk.

I choose the word interrogation very purposefully. Boards should expect to see clear visibility over critical dependencies, quantified exposures, and defined disruption tolerances, not just narrative reporting, which is traditionally what boards are used to seeing.

Will Chalk:

That, of course, comes with it the danger of perhaps overstepping into active management, put another way, stepping on management toes, getting in the way of them doing their job. So what questions should boards be asking? How do boards challenge effectively without getting into the management weeds and frankly getting in the way of management?

Nisha Sanghani:

Will, the questions boards should be asking are also evolving. It's less about, "Do we have a policy?", which I hear time and time again, and it should be more about: which supply chains are critical to our core services and how quickly could they fail?

Where are we most exposed to indirect risk, including third and fourth parties? What would we do if a key supplier became unavailable tomorrow? Who are those key suppliers? How quickly can we substitute: days, weeks, or months, and can we tolerate that? Where are we relying on assumptions that we have made rather than real-time data?

Where I typically see the biggest gaps is in these three areas. Data is often fragmented, backward-looking, and not decision-useful. Accountability: often it is unclear to boards who are the owners across legal, procurement, risk, and operations.

And finally, integration. Risk frameworks always exist, but they are often not embedded into commercial decision-making.

And to your question on the balance between board challenge versus overreach, in my opinion, the most effective boards focus on testing resilience, not managing operations.

They don't ask, "Have you done due diligence?" They ask, "How do we know it would hold under stress?" That shift from assurance to challenge is really, in my opinion, where real value sits.

Will Chalk:

So what kind of supply due diligence do you see your clients doing today, Nisha?

Nisha Sanghani:

Will, what we're seeing across most organisations is that supplier due diligence is still largely standardised and front-loaded. By that, I mean firms are typically carrying out onboarding checks focused on familiar risk categories: data protection, IT security, financial crime, tax, labour practices.

And those are, of course, important and critical, but they are often applied in a fairly uniform way, regardless of what the supplier actually does.

Where the gap really sits is in contextualising that risk. Firms are not consistently assessing the specific service being provided and the criticality of that supplier to the business.

Will Chalk:

So crucially, you don't think what's going on at the moment is in all cases adequate?

Nisha Sanghani:

No, Will, I don't. It's an extreme example, but there's a fundamental difference between a supplier providing low impact goods such as staples and one that provides infrastructure for a core client-facing platform or critical system.

Yet, in many cases, they go through a very similar due diligence process. I'm not kidding.

The other major weakness is what happens after onboarding that supplier. Due diligence is treated as a point-in-time exercise rather than something that evolves with the relationship. Ongoing monitoring, performance oversight, and reassessment of risk, particularly as the external environment changes, is often limited or inconsistent.

So the issue isn't that firms are doing nothing, it's that the approach is too generic, too static, and not sufficiently aligned to real business risk and the real external threats that businesses are facing today.

Will Chalk:

So Neil, turning to you and looking at this through a different lens. To what extent are organisations now responsible for the actions of third parties across their supply chain? And perhaps it's helpful to illustrate this with an example.

We've currently got a client that's worried about modern slavery in their supply chain. How worried should they be?

Neil Donovan:

Thanks, Will, and good to be with you. So look, I think organisations have a range of existing responsibilities, but the direction of travel is certainly towards greater responsibilities for the actions of their third parties. And boards should certainly be more worried than they are about supply chain risk, in particular modern slavery.

If we take a step back, maybe historically the legal position was relatively straightforward. An organisation was responsible for its own conduct. There are some circumstances where it could be responsible for the conduct of direct agents, but the supply chain was broadly speaking someone else's problem.

And what we've seen over the past decade has been this wave of new legislation across several jurisdictions, which really extends the company's compliance obligations across supply chain, both upstream and downstream.

And the area in which we've seen the most significant change in terms of imposing these standards is tackling modern slavery. And modern slavery is used as an umbrella term for various situations and conduct risks involving the exploitation of individuals for commercial gains, so forced labour, human trafficking, poor working conditions, for example.

And the main legislation we've seen, we've got the UK Modern Slavery Act; in France, the Duty of Vigilance Act; the German Supply Chain Due Diligence Act; and perhaps most significantly the EU Corporate Sustainability Due Diligence Directive, and all of these impose obligations on organisations to identify and to prevent and mitigate these risks across the entire value chain.

I think what's important to understand is that they're not just, as Nisha has already touched on, they're not just reporting obligations. The UK legislation focuses on that, but these other laws I've mentioned, they impose substantive due diligence obligations.

And so there's an expectation there to map the supply chains, conduct risk assessments, as Nisha just described, and to essentially monitor this on an ongoing basis. And that's very much a really significant shift from the previous position.

So companies need to be very concerned and worried about breaches of these obligations because failure to do so and breaches can give rise to regulatory penalties, administrative penalties, to potential civil litigation, and, in some jurisdictions, personal liability for directors.

Will Chalk:

So you mentioned the penalties and regulatory intervention. Are regulators actually enforcing these risks, these issues, or is it still theoretical or are we seeing real consequences?

Neil Donovan:

So on modern slavery specifically, it's slightly more than theoretical, but it's still an early stage that the enforcement environment is still quite nascent, I would say. And in the UK, the Modern Slavery Act, one of the criticisms of the legislation is that it does lack teeth in terms of enforcement, but there are calls to change that.

So the UK's independent anti-slavery commissioner has called for reforms, including the introduction of corporate liability for human rights harms.

Will Chalk:

But I suppose, Neil, let's be honest, they've been calling for that for an awfully long time, haven't they?

Neil Donovan:

They have. They have, and the law has been in place for over 10 years now, but the reality is that the UK is falling behind the other major economies and jurisdictions, and I think they will want to catch up.

So if you look at Germany, for example, we know that the enforcement authorities there are very active at conducting mandatory risk analysis of companies' frameworks, that they're issuing corrective actions.

In France, for example, there have been a series of high-profile litigation cases, public cases against major multinationals, which relate to these issues, to these supply chain risks.

And I think something that's really important to note on enforcement is that in a supply chain context, it's not limited to modern slavery violations here. So if you take anti-bribery and corruption, for example, I mean, that enforcement for bribery and supply chains has been very active for a number of years.

And in the UK, the Serious Fraud Office has pursued a number of companies for failing to prevent bribery by their 'associated persons' who by definition are external parties within their supply chain. And we've seen a number of significant fines against companies for the conduct of their third-party agents, distributors, and others operating in the supply chains.

And similarly, in the sanctions space, enforcement has really picked up since 2022. And the regulators, not just in the UK, but in the US and the EU, are very clear that companies need to look beyond their direct transaction counterparty, and it's looking at the supply chain structure.

So how are goods being rerouted through other jurisdictions to circumvent sanctions? Are 'front companies' being used? And we've seen companies being designated, we've seen enforcement actions, and we've seen substantial penalties against organisations that failed to conduct that due diligence across their supply chain.

Will Chalk:

And of course, you've got reputational consequences.

Neil Donovan:

Yeah, absolutely. I think one of the challenges of supply chain compliance is that the risk goes beyond formal criminal or regulatory enforcement and reputational consequences.

And I would say litigation risk from maybe impacted communities from competitors or indeed from your shareholders or investors, perhaps that almost in a way outweighs some of the criminal and regulatory risks at this stage.

And of course, the court of public opinion, as we call it, is so much faster and can hit a lot harder than any regulator, and the commercial consequences of that can be so significant.

So I think, for corporates and for boards, that's a really important consideration that while the formal enforcement environment might still be evolving and maturing, there's a very real, immediate risk in terms of reputational consequences.

Will Chalk:

And just thinking about things like contractual protection, so I'm thinking about things like audit rights, termination clauses, that sort of thing. Do you think they're being used effectively, or are they window-dressing?

Neil Donovan:

Yeah, it's an interesting observation because it's become standard practice to include these types of contractual provisions for many years now in supplier contracts and the types of provisions, as you mentioned, audit rights, reps and warranties, obligations to maintain anti-bribery and human rights policies or termination clauses.

These, of course, on paper, they look very robust, they look very comprehensive, but like anything contractual, it's only effective if it's actually implemented in practice. And what we regularly see is that there's a significant gap between the rights that are in the contract and actually what's happening operationally and how those rights are used.

So if you take audit rights as a good example, many businesses have the contractual right to audit their suppliers and look at their compliance programmes and their records, but how many are actually doing that? I think in some of the highly regulated sectors, yes, they are being used, but most organisations are sitting on these rights and aren't using them.

And I think that there needs to be a shift in terms of the mindset and the appetite to exercise these rights, because that's what the regulators would expect to see.

Will Chalk:

So Nish, just coming back to you, do you think that boards have fully grasped that geopolitics contributes to a supply chain strategy? And if not, what does effective geo-strategy, if I can put it like that, actually look like in practice?

Or put it another way, why are so many organisations still reacting when disruptions hit overnight? And perhaps if you give us some examples, that'd be great.

Nisha Sanghani:

Well, I don't think this is about awareness. Boards do understand it. I think the issue is that many haven't truly internalised it yet, but time is of the essence and geopolitics is no longer a backdrop. It's an active driver of supply chain strategy.

What we're seeing in the current conflict environment is a very clear illustration of that. Take energy markets: security risks to critical infrastructure are no longer a distant concern.

We're seeing in real time how even perceived threats can move oil and gas prices immediately with knock-on effects across transport, manufacturing, and inflation. That's not abstract. That's margin impact within days.

Look at fertiliser and raw materials. We're seeing that geopolitical tensions affecting major producers can constrain supply almost overnight, which then impacts agriculture, food production, and broader commodity markets globally. No one predicted the sheer scale of this impact.

Shipping and logistics is another example. Rerouting due to regional instability can add weeks to delivery times, increase insurance costs, and create bottlenecks across entire trade corridors. We've seen how quickly that can disrupt just-in-time models, let alone everything else.

What's striking is that many organisations are reacting to these events and will continue to react to them rather than plan for them. And that's because geopolitics has traditionally been treated as too uncertain, too external, and therefore not modelled in the depth that's actually required to understand the impact to the business.

Effective geo-strategy changes that mindset. It means embedding geopolitical scenarios into core business planning, really modelling these things, mapping supply chains against geopolitical exposures, not just cost bases. Strategic diversification of regional supply sources for critical inputs, pre-identifying alternative suppliers and routes, and making conscious trade-offs between efficiency and resilience.

In other words, Will, it's about asking if the world changes tomorrow, and by the way, it has and it will, how exposed are we and how quickly can we respond?

The organisations that get this right aren't necessarily the ones with the cheapest supply chains. They're the ones with the most adaptable ones. And increasingly, that adaptability is becoming a competitive advantage, not just a risk mitigation tool.

Will Chalk:

Nisha, Neil, thank you so much, and thank you for listening to this episode of Ashurst Legal Outlook.

To listen to more episodes in this Board Priorities mini-series, just search for Ashurst Legal Outlook on Apple Podcasts, Spotify, or your favourite podcast player, or visit our Board Priorities homepage and read more about our top priorities for boards in 2026.

You can also find our contact details there, and we'd love you to get in touch. To receive news and alerts on the kinds of issues we've raised here, subscribe to our regular governance and compliance updates via ashurst.com, and I'll be back soon with the next episode in this Board Priorities mini-series.

Until then, this is me, Will Chalk, saying thank you very much for listening and goodbye for now.
