Navigating a New Political Landscape
Global Best Practices mars 17, 2025
According to the Associated Press, elections were held in roughly 70 countries in 2024, with many incumbents and prominent parties ousted in favor of new leadership. The Pew Research Center attributes the turnover to issues such as rising prices, disagreements over cultural issues, and anger at the status quo.
In the U.S., the level of volatility associated with a shifting political environment has been significant, with an unpredictable regulatory environment posing a serious challenge for organizations. The risk environment is always changing, “but we have to be extra vigilant today because there are potentially higher risk impacts, all accumulating at once,” says Charlie Wright, vice president and chief risk officer at Jack Henry and Associates, a technology company that provides software for roughly 8,000 banks and credit unions across the U.S. “We have to understand the implications of these changes and their aggregate impact.”
A case in point: Banks in the U.S. have long been subject to regulation by the Consumer Financial Protection Bureau (CFPB), which reviews the practices of financial institutions, setting fines and penalties when the rules aren’t followed. Many of its regulations address fee management, which is a significant concern for financial institutions. For example, the CFPB has rules limiting “junk fees,” or hidden or inadequately disclosed costs to customers.
When CFPB’s operations were shut down early in the new administration, financial institutions were unable to determine the current or continuing status of its regulations. “There are a whole lot of financial companies that are in limbo,” Wright says. They are wondering what rules still apply, what guidelines may be altered or disappear, and what will be expected of them going forward.
Indirect Impacts
While numerous companies may be directly affected by regulatory volatility, there are many others that are indirectly impacted. For example, although CFPB regulations don’t directly apply to Jack Henry, the systems that it designs and delivers must respond to the needs of its financial institution customers. “We have to be ready to give them a system that allows them to turn a fee on and off,” Wright explains. But their exact needs going forward are uncertain in the wake of the shutdown.
The internal audit team also finds itself in limbo in this situation, according to Wright. Internal audit’s responsibilities include determining whether business units are managing all their risks. It will examine which parts of the company may be affected by rapidly changing regulations and if they are meeting new requirements and managing them effectively.
In this case, the affected teams at Jack Henry are the application developers that design systems, so the audit function might audit the project management aspect of making a change for this client. For example, the developers may have a certain completion date for an initiative, but the date and the initiative itself may now be in question, Wright explains. Customers’ plans and regulations can always change, of course, but the volatility of the current changes is driving new risks.
Getting to a Positive Outcome
Wright says there are actions that organizations and their internal auditors can take to address extreme regulatory volatility and uncertainty, including:
- Having an integrated, comprehensive view of risk across the company. For internal audit, that requires collaboration to help ensure appropriate risk modeling and risk metrics to monitor the environment.
- Evaluating the organization’s compliance management systems, or all the processes and systems that help manage risks and comply with regulations. Internal auditors should examine the efficacy of systems that may include a board of directors with governance oversight, risk management policies and procedures, or risk management training and compliance management systems. Questions to ask include:
- Is the board providing appropriate oversight?
- Are policies and procedures sufficient to address emerging risks?
- Are communications mechanisms enabling effective information sharing?
“There's so much shifting sand that it is really important to be in the loop, and you can't be in the loop unless you’ve got good relationships and collaboration.”
—Charlie Wright, vice president and chief risk officer, Jack Henry - Stepping up collaboration efforts — whether with regulators, peers, or colleagues — to understand not only the challenges in teams being audited and facing the company overall, but also the controls in place to address them. For example, as regulation has become more unpredictable, Jack Henry has proactively enhanced its communications with regulators, providing them with in-depth reports and information beyond what is mandatory. “We spend more time making sure that we understand their expectations and that they understand how we are responding and making compliance changes as necessary,” Wright says.
- Ensuring there is appropriate governance and oversight. “If you don't have good systems to identify regulatory expectations, then you can’t meet those expectations,” Wright says. Internal audit’s role is to determine if there are such systems as well as to ensure the compliance management program and specific activities and projects are functioning well.
Step Up Scenario Planning
Because of the increasingly uncertain geopolitical environment, scenario planning and related contingency planning will become more important to enterprise risk management over the next one to two years, according to Anna Gilmour, senior director, Verisk Maplecroft, in London. “This increased business volatility will bring more immediate internal audit requirements, in terms of assessing the processes management has put in place to ensure compliance with changing regulations and trade,” she says. “In the medium term, audit will be involved in assessing whether these geopolitical and trade shifts have increased risks to the business across various locations, and whether these will require remediation.”
Using proactive tools such as scenario planning is critical when evaluating political risks, according to Gilmour. The process involves:
- Establishing signposts that indicate when one scenario is becoming more or less likely. “These could include events, such as elections, or a tipping point in a trend, such as economic growth, levels of civil unrest, or negative sentiment towards a government or specific policy,” she explains.
- Developing criteria that include a combination of qualitative and quantitative data points that highlight the factors involved in a particular political scenario or outcome.
- Using the company’s risk appetite to set the tipping point for these criteria. For example, a company may determine that when social protests disrupt logistics and supply chains for company operations for X% of working days, that is more likely to lead to a negative scenario.
- Refreshing scenario analysis at least annually, as part of an effort to set annual business objectives and strategy. This makes it possible to maintain alignment of scenarios with company objectives and to reset expectations based on the trends identified.
The Role of Internal Auditors
The current environment is a reminder of the uncertainty of the political landscape, which can clearly change with lightning speed. It also underscores the importance of the role of internal auditors, who must quickly assess existing conditions and how well the organization is responding to them. For the internal audit function, remaining agile and connected to current trends is critical.