Geopolitical shocks trigger immediate policy responses, like sanctions, trade barriers, and other measures, that hit banks particularly hard. These can lead to assets freeze, soaring compliance cost, financial losses, and reputational damage.  

Growing geopolitical risks are impacting the financial sector across traditional risk categories, including credit risk, market risk, operational risk, business model, and governance. Enhancing operational resilience is a key priority for banks to identify vulnerabilities and mitigate risks during turbulent times. There has been a growing number of regulatory initiatives within the banking prudential framework, introducing new capital requirements and raising expectations for operational risk management frameworks.    

How can geopolitical shocks impact operations for financial institutions? 

A single policy move, like tariffs on communication infrastructure, can quickly evolve into a multi-dimensional crisis with deployment delays through supply chains, cyber risk surge, overnight shift of vendors. What follows isn’t just a technical disruption – it’s a storm of rising costs, legal uncertainty, customer data hanging in fragile balance and potentially irreversible reputational damage. And the worst part? Many institutions won’t even see it coming until it’s too late.  

Those that want to stay ahead are already building resilience into their systems. The rest are still debating whether the cost of action is worth it in such an uncertain world – hoping luck will hold. But in an era of digital geopolitics, hope is not a strategy. 

How to strengthen operational risk management? 

Many financial institutions still treat operational risk as compliance checkbox – an internal matter of audits, controls and capital buffers. But recent events have shown that the biggest threats are exogenous: geopolitical shocks, supply chain collapse, and third-party failures that cascade through financial systems without warning.  

Regulators are demanding more than reactive measures. Under the Digital Operational Resilience Act (DORA), institutions are mandated to map, monitor, and stress-test both internal and external dependencies. This poses significant key risk management challenges, particularly for boards and key function holders, who must ensure that robust framework and oversight mechanisms are in place to be compliant with the new regulation.   

Furthermore, banks shall implement operational risk quantification and loss data calculation under the new capital regime (CRR3/CRD6) and take into account the additional requirements to be developed under the EBA roadmap. 

This isn’t just about compliance. It’s about institutional survival. Even though the Advanced Measurement Approach (AMA) has been removed from the Pillar 1 calculation, for institutions committed to resilience, AMA offers a powerful tool to model operational risk with precision and foresight – turning regulatory requirements into a strategic edge.  

Conclusion 

“If times feel uncertain, it’s because they are” 

This simple truth has never been more urgent. The financial sector isn’t facing routine volatility, it is battling systemic shocks, where tariffs, cyber warfare, and supply chain fractures serve as geopolitical weapons. What begins as a policy announcement now triggers synchronized tremors across financial markets, corporate balance sheets, and critical infrastructure.  

The institutions that will dominate this new era aren’t those hoping for stability, but those building asymmetric resilience – the ability not only to withstand disruptions but to use them as a chance to strengthen and outperform competitors. These institutions distinguish themselves by:  

• Treat every geopolitical shock as a stress test of their business model, not only to identify vulnerabilities but also to uncover hidden opportunities. 

Example: When export restrictions hit the semiconductor sector,  forward looking banks can reassess their sectoral exposure and reallocate investments toward more resilient industries-strengthening their portfolios while peers lag behind.  

• Turning regulatory frameworks, like DORA and CRR3/CRD6 into offensive strategic tools by investing early in resilience technologies.  

Example: financial institutions can prioritize advanced threat-led penetration testing and centralized incident response tools, enabling it to proactively identify and address vulnerabilities, respond to incidents more effectively, and build greater client trust.  

• Recognizing that in digital geopolitics, the best defense is vigilant market monitoring, building information-driven, technologically advanced defenses to respond quickly to emerging threats.

Example: After the imposition of tariffs and Europe’s increasingly strict stance toward US cloud services, leading European banks can partnerships with homegrown cloud providers to build modular, resilient IT infrastructures. This strategy reduces reliance on US cloud platforms, enhances control over data, and strengthens resilience against geopolitical and economic shocks. 

The question is no longer What’s coming– It’s Who is ready.

[1] Keynote speech by Claudia Buch, Chair of the Supervisory Board of the ECB, at the eighth European Systemic Risk Board (ESRB) annual conference on “New Frontiers in Macroprudential Policy”