Globalisation has meant that businesses now increasingly open their doors to new locations, often setting themselves up in countries with sharply contrasting business and legal practices. While this expansion is fantastic for business growth, it also exposes the business to risks specific to each country. From levels of perceived corruption to the likelihood of natural disasters, the risks are as varied as the variables to measure them are numerous. The risk that stems from a business’s presence in a particular country or jurisdiction is commonly referred to as geographic or country risk.

As some global organisations have found out the hard way, it is no longer possible for a business’s subsidiary in London to isolate itself from the business’s operations in Mexico. It is therefore important to understand the geographic risk that stems from a particular location and to have that risk documented and applied across the business’s global operations in a consistent manner.

Additionally, the nature of geographic risk will vary depending on the industry and sector type. For example, a global payment service provider’s greatest risk in Country X may be the risk of money laundering. However, for a hospitality chain the most concerning risk factor for that same Country X may be direct exposure to the risk of human trafficking. Therefore, careful consideration must be given to the risk posed to each business according to its industry and sector type.

The most common technique to understand geographic risk is through a risk index that can allocate comparative scores to countries across the world. While off the shelf indices are available, increasingly businesses have looked to create their own bespoke geographic risk index.

In this article, we focus on some of the factors that businesses will need to consider when creating such a geographic risk index.

Making your own Composite Geographic Risk Index

The starting point is to identify the nature of risk your business faces and whether there are any unique risk criteria that need to be measured. Having a clear risk appetite statement or risk tolerance level endorsed by senior executives is also important.

In our experience, businesses within the financial services sector will often have sets of risk criteria defined by regulation that will form the core of their approach to measuring geographic risk. Some of these risk criteria in financial services are factors such as money laundering, high levels of corruption within local government, presence of international sanctions, offshore financing and tax efficiency, high levels of secrecy and lack of transparency. However, businesses outside of the financial services sector may have to think of other factors, such as high levels of narcotic and human trafficking, poor public administration and governance, high incidences of natural disasters, and poor access to health and medical provisions, among others, so that the criteria are aligned to their business operation and reflect the unique risks within the industry or sector.

Secondly, identify your business’s ‘non-negotiables’. These are essentially strategic boundary conditions, often derived from regulatory expectations and political tensions between countries. For example, businesses that trade in dual use goods and technology will have to comply with international sanctions regulations in relation to dual use goods, which either comprehensively prohibit or partially restrict trading activity with sanctioned jurisdictions. Violations of international sanctions can invite severe regulatory censure, media scrutiny and reputational damage. As a result, businesses are expected to have certain auto-prohibit or auto-restrict criteria applied to certain territories. In the language of a risk index, they are your overrides. Any presence in these territories should automatically override the risk scoring to prohibited or restricted.

The next step is to identify all publicly available sources of information that can be utilised to measure these risks. There are several “off the shelf” risk indices, such as the Basel AML index, that can be used for this purpose. Additionally, international NGOs, foundations and research organisations also produce unbiased and objective data in relation to most countries across the world. Examples include country scores published by the United Nations (UN), the European Union (EU), the Financial Action Task Force (FATF), the Heritage Foundation and Transparency International (TI).

While “off the shelf” indices allow easy cross comparison from one country to another, they are not bespoke to the needs of specific business operations or industry type. A more refined approach might require creating a tailored table of relevant geographic risk factors drawn from multiple sources. There is a plethora of independent, public source information that can be utilised for this purpose. In very high-risk industries, it is also not unheard of for businesses to utilise private intelligence firms to inform their geographic risk assessments.

Finally, businesses must also think about whether a single approach will be uniformly sufficient for all of their business operations or whether the variety of products and services being offered under a single business brand may require the adoption of multiple, differing approaches for each underlying business activity.

Getting a bit technical

Once the data sources for the purposes of creating a bespoke index have been identified, the development of the index needs to be carefully thought through. So, let us have a look at some of the common data related hurdles that can create problems and how to navigate them.   

Standardisation: when comparing data sets from multiple sources you may find that different scoring methodologies are applied for measuring the same factors. For instance, you may have an index with a scoring system of 1 to 10 where 10 is the highest risk and 1 denotes the lowest risk. However, you may find another index where the scoring model is the exact opposite. It is important to standardise these scoring models before you can start aggregating and utilising the underlying data for your index.

Classification: it is important that indices that measure the same risk factor are classified and grouped together. So, for example, there are several indices dedicated to the measurement of tax transparency. When building your bespoke risk index, these should all be put together and classified as a single group indicating the scores for tax transparency. Other groupings could be risk of bribery and corruption, environment, health and safety etc. This is to help ensure that the overall risk of a country does not get skewed by a country’s score in relation to one group. This classification will also help you to decide how much weight you want to allocate to each grouping in accordance with its relevance to your business.

Absent data: often a country may not have data available to measure particular risk factors. This could be due to lack of transparency or lack of information to measure particular risk factors in that country. Resolving this issue is somewhat trickier and requires a documented risk-based approach to be agreed within the business. It is important to note here that lack of transparency of information in and of itself could be an indication of high risk. However, there are several ways to overcome the challenge of missing data. These include but are not limited to:

  • only using data sources where all countries, or only the countries the business operates in, are represented. In some instances, this may have the impact of significantly reducing the footprint of your country risk index
  • removing the data field with the missing data from the entire index. In some instances, this may have an impact on the actual utility of the index
  • replacing missing data with average scores taken from other data points in relation to that same country
  • replacing missing data with information from relevant countries e.g. using the score from the UK where data is missing in relation to a British crown dependency.

No matter what method is used, it is very important to document this in your methodology and to be transparent about the data imputations and their underlying assumptions to be able to show the rationale to any regulatory or third party reviewer. 

Weighting: once data sets have been standardised and missing data has been imputed, weighting has to be given to each risk classification or bucket, so that the total aggregated score is weighted to reflect risks that are unique to your business. For instance, a global construction company on a public procurement contract in Country X may be more interested in the risk of bribery and corruption in the public procurement sector than in the risk of lack of access to education and health services. By contrast, a company seeking to relocate staff to Country X may very well realise that lack of access to education and health provisions is a big hurdle to staff relocation and attrition. The weighting given to these two risk factors will be significantly different in the above two businesses.

Scoring: ultimately the aim of a risk index is to generate a scoring model for each country so that the score can be utilised to make a strategic decision. This could inform decisions such as where to expand the business’s operations to, whether to build relationships with clients or partners from certain countries or jurisdictions, as well as whether more robust controls should be placed on existing operations around the globe. It is important that your scoring model is aligned to your overall business risk appetite and is neither too prohibitive nor too permissive in allowing key business decisions to be made.
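The steps above (standardisation, classification, imputation, weighting and scoring), together with the overrides described earlier, can be combined in one small pipeline. This is an added example, not Protiviti's methodology: every source name, scale, score, weight, band threshold and country label is a constructed assumption, as is the fallback that treats an unfilled gap as highest risk.

```python
# Constructed sample data: source names, scales, scores, weights and bands are
# illustrative assumptions, not values from any published index.
SOURCES = {  # source -> (risk group, scale min, scale max, high score = high risk?)
    "corruption_a":  ("bribery", 0, 100, False),   # 100 = cleanest
    "corruption_b":  ("bribery", 1, 10, True),     # 10 = riskiest
    "tax_secrecy":   ("tax_transparency", 0, 100, True),
    "health_access": ("health", 1, 5, False),      # 5 = best access
}
RAW = {
    "Country X":   {"corruption_a": 80, "corruption_b": 2, "tax_secrecy": 30, "health_access": 5},
    "Country Y":   {"corruption_a": 20, "corruption_b": 8, "tax_secrecy": 70, "health_access": 2},
    "Territory Z": {"corruption_a": 70, "tax_secrecy": 90},   # two sources absent
    "Country S":   {"corruption_a": 50, "corruption_b": 5, "tax_secrecy": 50, "health_access": 3},
}
PROXY = {"Territory Z": "Country X"}      # dependency borrows its parent state's score
WEIGHTS = {"bribery": 0.5, "tax_transparency": 0.3, "health": 0.2}   # sums to 1
OVERRIDES = {"Country S": "prohibited"}   # non-negotiables bypass the score entirely
BANDS = [(0.66, "high"), (0.33, "medium"), (0.0, "low")]

def standardise(source, value):
    """Map a raw score onto 0..1 where 1 is always the highest risk."""
    _, lo, hi, high_is_risky = SOURCES[source]
    scaled = (value - lo) / (hi - lo)
    return scaled if high_is_risky else 1 - scaled

def score_country(country):
    """Return (rating, composite score or None, log of imputations made)."""
    if country in OVERRIDES:
        return OVERRIDES[country], None, []
    groups, log = {}, []
    for source, (group, *_) in SOURCES.items():
        value = RAW[country].get(source)
        if value is None and country in PROXY:        # absent data: try the proxy
            value = RAW[PROXY[country]].get(source)
            if value is not None:
                log.append(f"{source} imputed from {PROXY[country]}")
        if value is None:                             # still absent: assume worst case
            risk = 1.0
            log.append(f"{source} missing, treated as highest risk")
        else:
            risk = standardise(source, value)
        groups.setdefault(group, []).append(risk)
    # Average within each group first so several sources on one topic cannot skew the total.
    composite = sum(WEIGHTS[g] * sum(v) / len(v) for g, v in groups.items())
    rating = next(label for floor, label in BANDS if composite >= floor)
    return rating, round(composite, 3), log

if __name__ == "__main__":
    for name in RAW:
        print(name, score_country(name))
```

The returned log is the raw material for the methodology document: it records each imputation and where the substituted value came from.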

Finally, regular review and updating of the geographic risk index will help you to stay current and ensure that business decisions can be revised to reflect the reality on the ground.

At Protiviti we help clients build bespoke risk indices that are tailored to their businesses and will be happy to discuss this topic with you in more detail.

Tas Zaki is a Senior Manager at Protiviti.

Harry Henson is a Consultant at Protiviti.

About Protiviti

Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independent and locally owned Member Firms provide clients with consulting and managed solutions in finance, technology, operations, data, analytics, governance, risk and internal audit through our network of more than 85 offices in over 25 countries.