Responding to the Russian Invasion of Ukraine

Analysis

The Russian invasion of Ukraine is a tectonic disturbance that has immediate consequences both in the region and beyond. First, and most importantly, this crisis affects people’s lives, and many will suffer pain and loss in the weeks to come; this at a time when pain and loss have become COVID-19 hallmarks. Our responsibility as leaders is to ensure the safety and well-being of our employees. Only then can we address the range of business issues that we also face in the weeks and months ahead.

The situation is changing daily and uncertainty will remain high for the foreseeable future. This crisis will materially change the risk posture of many organizations requiring short-, medium- and long-term changes. Impacts may be temporary or permanent, and this will change the risk considerations, priorities, and investments that influence our decisions. Revenue disruptions will change financial decisions. Business operations disruptions will require operational changes. Upstream and downstream partner impacts will realign value and supply chains.

Organizations should immediately organize subject matter experts from operations, finance, IT, supply chain, human resources, legal and marketing to identify threats and impacts. Develop a list of proposed changes, investments, and controls to manage both threats and impacts. Then, prioritize and create action plans to implement changes and address contingencies for a very fluid situation.With Gartner’s new (see Figure 1), we have provided a framework to help consider strategy in this multipolar world.

Gartner has a multitude of resources to help our clients navigate the impact of the Russian invasion of Ukraine. Subscribers to our various role-based products will find deep insight and advice within our range of key initiatives. On this page, we have compiled an intentionally small — but powerful — set of starter materials to get you centered.

Research Highlights

All executive leaders play a crucial role in times of crisis and disruption, both for their teams and for the enterprise as a whole. The executive team projects strength and clarity and is responsible for employees’ psychological safety and business continuity.

CIOs are part of the cyberthreat response team, but also have responsibility to manage their global computer environment, delivery workforce and partners, all of which face disruption during the Russian invasion of Ukraine.

Every organization is now impacted by the cyber part of hybrid warfare (cyber and kinetic) so you must be prepared for heightened cybersecurity risk and some short- and medium-term changes to your organization’s cybersecurity readiness.

Supply chain leaders face continued and potentially severe disruption as a result of the Russian invasion of Ukraine.

Risk management in a crisis is about a combination of minimizing the impact now, recovering as the crisis event resolves, and restoring and rebuilding when the crisis is over.

Finance leaders should prepare for material changes to protect cash flow while the organization navigates the operations and revenue impacts of the crisis.

HR leaders are on the human front line of crisis response, and are key to ensuring employee safety and well-being. Lessons from the COVID-19 period are applicable for other crises like the Russian invasion of Ukraine.

Legal leaders have the special role of understanding the complete risk landscape, beyond obvious and immediate threats. Amid urgent actions and triage, legal leaders guide the enterprise to the soundest solutions.

Outsourced software development and IT services will be impacted significantly by the Russian invasion of Ukraine, and business must take action to mitigate risk and disruption.

Q: What is the first thing I should do in response to the Russian invasion of Ukraine?

A: The Russian invasion of Ukraine will have a life-changing impact on many people in that region. Failure to act with a human-centric approach would risk people’s lives, and could exacerbate potential mental health issues for you and your team or your organization’s brand. At all stages, seek to promote and prioritize actions that can support impacted staff within your organization, as well as your service providers.

Q: How do organizations promote psychological safety during times of crisis?

A: All levels of leadership have a role in promoting psychological safety within an organization. Building and maintaining trust requires a concerted and consistent effort from all leaders. The C-suite sets the tone with policy and procedures about how the organization takes action in response to disruptions. Leaders cultivate psychological safety by inviting input on what is inhibiting open communication and by creating consistent messaging on culture and expectations.

Q: What should cybersecurity leaders do to mitigate expected consequences of the Russian invasion of Ukraine?

A: Rely on threat intelligence tailored for your organization, and watch for guidance from your government contacts. Expect attackers to leverage the situation as context for already-known attack techniques such as targeted phishing. Focus on what you can control. Increase awareness and vigilance to detect and prevent potential increased threats, but be mindful of the increased stress and pressure your organization is feeling. A human error due to these forces may have a greater impact on your organization than an actual cyber attack.

Q: How should I triage supply chain continuity?

A: Immediately start creating first-tier visibility into the existing supply networks in order to evaluate potential brisk exposure and determine vulnerabilities. Follow through with n-tier visibility, although results will likely only appear in the months to come. This is key to enabling effective response strategies. This crisis will have nth-order effects in unexpected geographies. The event implication can span much further than direct supply chain ties into the conflict region. It is critical to find the best options to get around potential obstacles and to make timely and tough decisions that will keep your organization moving forward.

Q: What is the role for legal leaders in the face of increased cyber risk?

A: Legal leaders contribute to organizational cyber-risk management capabilities by communicating the legal and compliance implications of cyber-risk events to other functions involved. These leaders need to understand the factors that can amplify cyber risks to better engage IS and IT leaders by showing how factors beyond technology and technology processes cause cyber risks. Such discussions help IS and IT leaders create comprehensive risk response plans.

Q: How can risk management create better informed decisions during a crisis?

A: Executive leaders who make defensible, risk-informed choices are more likely to navigate their organizations with resilience, from response through recovery. The impulse to make hasty decisions in the face of crisis must be tempered with thoughtful considerations of reprioritization, divestment and even strategic investment. Even when decisions must be made quickly, a pragmatic assessment of organizational dependencies (risks) like technology, business continuity, workforce and third parties can create valuable insight to support success in all phases of a crisis. Risk management in a crisis is about a combination of minimizing the impact now, recovering as the crisis event resolves, and restoring and rebuilding when the crisis is over.

Q: What steps is Gartner taking in response to the Russian invasion of Ukraine?

A: Russia’s invasion of Ukraine has become a global humanitarian crisis. Our thoughts are with all who are affected by this war. As the situation continues to deteriorate, Gartner has made the decision to stop doing business in Russia. We are currently winding down our business in the country. In addition, we will no longer cover Russian-based vendors in our research. We are also in the process of removing reference to Russian vendors from our published research on gartner.com. A Message to Gartner Clients