Most Australian businesses failing to conduct risk assessments beyond first-tier suppliers despite growing geopolitical threats, warns McGrathNicol’s Matt Fehon.
What’s happening: A new McGrathNicol survey of over 300 Australian executives reveals 80% expect geopolitical issues to challenge operations within 12 months, up from 66% in 2024. Cyber security remains the top business risk, with supply chain vulnerabilities creating critical exposure points.
Why this matters: Australian businesses face an interconnected web of global risks but most lack comprehensive preparedness strategies. With new APRA regulations taking effect and geopolitical tensions escalating, companies that fail to address supply chain blind spots and connected risks face significant operational and compliance exposure.
Australian business leaders are sounding the alarm over mounting geopolitical threats, with new research revealing a dramatic increase in executive concern about global disruption to local operations.
The findings show that most surveyed executives (89 percent) expect risk and security issues to worsen in the next 12 months. The McGrathNicol survey, conducted in partnership with YouGov, polled over 300 C-Suite executives and Board-level directors across Australian businesses with 50 or more employees.
The research highlights growing awareness but persistent gaps in preparedness when it comes to supply chain issues, geopolitical threats, insider risks, cyber security, financial risk, and data concerns.
Global threats rising
The findings show that 80 percent of Australian executives now expect geopolitical issues to pose challenges to their operations and supply chains over the next twelve months, representing a significant jump from 66 percent in 2024.
This escalation reflects what researchers describe as a changing global ecosystem, one that requires businesses to develop a more sophisticated understanding of how international developments can quickly translate into domestic operational challenges.
Cyber security continues to dominate executive concerns, ranking as the number one risk for business leaders, followed by financial, regulatory, geopolitical and supply chain risks. Almost half of organisations (49 percent) expect cyber threats to increase in the year ahead.
Supply chain blind spots
Despite heightened awareness of global risks, the research reveals critical vulnerabilities in how Australian organisations manage their extended supply networks. Most organisations (82 percent) are not conducting risk assessments beyond their first-tier suppliers, creating dangerous blind spots in their operational resilience planning.
“Robust due diligence, ongoing monitoring and enhanced contractual safeguards are required so that business leaders can better understand their supply chains and who they are doing business with,” commented Matt Fehon, Head of Advisory at McGrathNicol.
The findings expose a troubling disconnect between perception and reality. When it comes to performance and supplier evaluations, 71 percent of organisations are not considering their suppliers’ own security as a key metric, and 70 percent of organisations are failing to conduct due diligence on key suppliers.
Regulatory pressure mounts
The research comes as organisations within the financial services sector face new compliance requirements under APRA’s CPS 230 standard, which commenced on 1 July 2025. The standard requires financial services organisations to examine their entire supply chain, including the third-party providers critical to their operations, and to identify all material service providers both locally and globally.
The regulatory shift represents a broader trend towards accountability that cannot be outsourced. “Executives are expected to understand the connection between cyber, geopolitical, data, and insider risk, and carefully manage the third parties they are dealing with,” Fehon explained.
“The courts and regulators increasingly view these risks not as a costly business failure, but as a failure of good corporate governance with disastrous flow-on effects for others along the global supply chain.”
Connected risks ignored
While 82 percent of respondents say they have a holistic security risk management plan, the research reveals warning signs pointing to a lack of joined-up thinking about how these risks interact.
Business Continuity Plans require continuous updating and testing, yet 30 percent of respondents indicated their key executives are too busy or do not see the need to address this critical requirement.
The research also highlights the dual challenge of artificial intelligence adoption. Respondents recognise AI’s business benefits but many commented on potential new security, governance, regulatory, ethical, and data privacy challenges.
Forward-looking organisations are exploring AI-enabled cyber defences to strengthen capabilities through automated incident response and continuous security monitoring. However, this requires balancing innovation with strengthened enterprise-wide risk frameworks, including establishing ethical AI use guidelines and training staff in responsible AI practices.
“APRA’s CPS 230 is only the latest in a series of broader regulatory shifts. Whether it is obligations under the Privacy Act, changing APRA standards, or updates to Security of Critical Infrastructure legislation, accountability cannot be outsourced. Organisations must focus on risks beyond their own backyard,” Fehon added.
The research suggests that genuine business resilience requires comprehensive programs addressing the interconnected nature of cyber threats, geopolitical risks, changes to the operational environment, supply chains, and counterparty relationships.
Business leaders are encouraged to look to industries such as financial services and consider implementing similar best practice frameworks as those under APRA CPS 230 and the risk management recommendations under the Security of Critical Infrastructure (SOCI) Act.
With most Australian organisations (90 percent) having established a single accountable authority to oversee security risk management, the challenge now lies in ensuring these frameworks can effectively address the complex, interconnected nature of modern business risks in an increasingly volatile global environment.