Yesterday I sat on a panel at the Consulate General of Finland in New York. Finland is a country that punches above its weight geopolitically, led by President Alexander Stubb, whose pragmatic realism reflects the outlook of a country that joined NATO recently and shares a 1,340-kilometer border with Russia. The discussion was sponsored by Inclus, a Finnish enterprise risk management software platform built around a sensible proposition: companies make better decisions when risk frameworks are developed collaboratively across the firm, rather than handed down in isolation.

On the panel with me were experts in cybersecurity risk, environmental, social, and governance risk, and enterprise risk management methods and practice. I was there to talk about geopolitics, which is plainly one of the hot topics in risk management right now.

The other, of course, was AI.

That too was revealing. AI is rapidly becoming part of the machinery through which firms identify, classify, monitor, and communicate risk. Geopolitics, meanwhile, is increasingly part of the operating environment those tools must help firms navigate. One is a new layer of capability. The other is a growing source of pressure on the business. The challenge is to bring the two together without mistaking better tooling for better judgment.

What struck me this morning was not simply that geopolitics has become prominent. It was something more specific.

Much of what gets described as geopolitical risk can, and should, be absorbed into existing corporate risk frameworks. That is not how the subject is usually discussed. Geopolitics tends to arrive wrapped in headlines and crisis language. It is treated as something exceptional, almost mystical: too large, too fast-moving, too strategic to be incorporated into normal management disciplines.

But from the standpoint of corporate management, much of the underlying work is familiar.

What is the exposure? How material is it? Where does it sit inside the business? Who owns it? What indicators matter? What thresholds trigger escalation? What actions are available?

That is not exotic. That is risk management.

For much of my career, I worked at the most disorderly end of the geopolitical spectrum, protecting civilians from what Clausewitz famously described as politics by other means: war. That is geopolitics in its starkest form.

Armed conflict sits at one extreme: the far disorder end of global politics. What is changing now is that more of the pressure once associated mainly with the periphery of the international system is being transmitted toward its center, and with it into firms. The world economy is becoming more political as decades of free trade and globalization are partially reversed. States are intervening more directly in markets. Security logic is shaping trade, technology, energy, and investment policy.

That is why geopolitics has moved so quickly to the center of boardroom conversation. Boards ask about it. Executives mention it on earnings calls. Investors want to know whether companies have a view. Risk teams are told to account for it.

Some of that urgency is justified. We are living through a more contested international environment. The rules are less settled. The constraints are weaker. Great-power competition has sharpened. Industrial policy has returned. Interdependence is increasingly weaponized. Political shocks travel more rapidly through markets and supply chains than many firms are equipped to handle.

But to make geopolitical risk governable is not to minimize it. It is not to deny that geopolitics can be severe, discontinuous, or strategic. It is to stop treating geopolitics as something so unique that it cannot be brought within the discipline of the firm. It is to move from fascination to management.

This is where the ESG community, in particular, has something useful to contribute.

Whatever one thinks about the ESG label, the field helped many firms build capabilities that are directly relevant here: materiality assessment, cross-functional coordination, stakeholder mapping, regulatory scanning, supply chain scrutiny, board engagement, scenario work, and the translation of external pressures into internal processes. None of this is identical to geopolitics. But much of it is adjacent.

That matters because one of the strange features of the current moment is that companies are loudly acknowledging geopolitical instability while often lacking the internal mechanisms to process it. They consume briefings. They commission country notes. They run scenario exercises. They discuss developments in executive meetings. But many still do not have a repeatable way to determine which geopolitical issues are material, how they map to specific exposures, when they require escalation, and what decisions should follow.

Awareness is not capability.

That is why governance matters so much. Amid the noise of headlines, not everything matters equally.

Some geopolitical risks are systemic. Sustained increases in energy prices, for example, are felt across sectors. Others are highly specific: a product suddenly subject to export controls, a market closed by sanctions, a supplier disrupted by regulatory change, a technology stack exposed to investment restrictions or cyber pressure. There are also opportunities. Industrial policy is returning. Governments are prioritizing reindustrialization, strategic autonomy, and domestic capacity. Capital is being directed, incentives are being deployed, and markets are being reshaped.

The practical question is not whether geopolitics matters. It does.

The question is what matters, to whom, through which channels, and with what implications for decision-making.

AI sharpens this challenge. It lowers the cost of producing analysis, summaries, dashboards, alerts, and scenarios. That is valuable. But it does not remove the need for judgment. If anything, it heightens it. The risk is no longer a shortage of information. It is a surplus of plausible interpretation. If geopolitical risk is not tied to clear frameworks of materiality, exposure, and decision ownership, AI may simply accelerate the production of noise.

The question is no longer whether firms can access geopolitical insight. They can. The question is whether they can operationalize it.

Can they link geopolitical signals to actual exposures? Can they distinguish signal from noise? Can they identify which developments require escalation and which do not? Can they connect external developments to structured decisions on sourcing, investment, compliance, treasury, market entry, product strategy, security, or board oversight?

That is the real frontier.

And here the answer is not to build a wholly separate geopolitical priesthood inside the company, cut off from the rest of the business. Nor is it to force geopolitics into a generic risk register and declare the problem solved. Both approaches miss the point.

The better path is integration.

Start with the existing machinery of enterprise risk management, compliance, and strategy where it is useful. Use those structures to identify owners, assess materiality, map dependencies, define escalation triggers, and track actions. Then add what geopolitics specifically requires: sharper external monitoring, better scenario development, more explicit assumptions about state behavior, and a clearer grasp of how international political disorder reaches firm-specific exposures.

In many cases, firms do not need entirely new systems. Existing enterprise risk platforms already provide much of the workflow: identifying risks, assessing exposure, analyzing scenarios, assigning ownership, and tracking mitigations. What is often missing is a geopolitical layer.

That is a more manageable challenge than many assume.

It also suggests a more optimistic reading of the moment. Firms do not have to start from zero. Much of the architecture already exists. The task is to adapt it to a world in which geopolitics is no longer background context but an operating condition.

The firms that will handle this period best will not be those with the most dramatic rhetoric about global disorder. They will be the ones that make geopolitics legible inside the organization. They will identify the exposures that matter. They will assign ownership. They will build shared frameworks across functions. And they will translate external volatility into structured decisions rather than ambient anxiety.

Geopolitics is not going away. If anything, it is becoming more normal in business life.

That is precisely why it has to become governable.

Not sanitized. Not downgraded. Governable.

Made discussable. Made manageable. Made actionable.

That is when it stops being merely a hot topic in risk management and starts becoming a real management discipline.