Why security risk management must be treated as a strategic input and not an operational afterthought.
As organizations scale operations into new and emerging markets, growth strategies are increasingly tested not by market demand, but by the complexity of operating environments. Political volatility, social fragmentation, regulatory ambiguity, labour mobilisation, and fragile enforcement mechanisms often shape outcomes more decisively than financial projections or competitive positioning. In such contexts, the success or failure of business expansion is frequently determined by how early and how seriously risk is integrated into decision-making and how unmanaged risk can materially impact organizational value, continuity, and reputation.
Yet, in many organizations, cyber / physical / operational technology security continues to be viewed as a downstream function that is typically engaged after site selection, regulatory approvals, and capital commitments have already been made. This delay limits an organisation’s ability to influence outcomes meaningfully. Experience across geographies shows that security failures in complex markets are rarely the result of inadequate implementation and protective measures; they stem from delayed risk recognition, misreading of stakeholder dynamics, and overreliance on formal assurances that do not translate to ground realities.
For boards and executive leadership, this raises a fundamental question: are security risks being treated as operational afterthoughts, or as strategic variables that can materially affect investment viability?
What Makes a Geography “Complex”?
Complex geographies are not defined solely by conflict or crime. More often, they are characterised by a misalignment between formal systems and informal power structures. Governments may offer strong policy support while lacking enforcement capacity. Legal approvals may coexist with contested social legitimacy. Communities, unions, political actors, and activist groups may exert influence that far outweighs their formal authority.
In such environments, traditional risk indicators such as crime statistics, regulatory compliance checklists, or insurance benchmarks offer limited predictive value. Risk manifests through perception, mobilisation, and escalation rather than through overt threat alone. This is precisely where risk management professionals, when engaged early, can add disproportionate value by interpreting ground truth and translating it into strategic insight. Based on the business itself as this is the most important part, know the business then you also know the Risks.
Let us look at three distinct case studies to understand these better.
Case Study 1: A Greenfield Manufacturing Project in Eastern India
The withdrawal of a leading Indian Automobile organisation’s manufacturing plant from Singur, West Bengal, remains one of the most cited examples of a greenfield project derailed during the setup stage. The project was positioned as a landmark industrial investment, supported by state approvals and framed as a symbol of manufacturing growth.
From a traditional risk perspective, the project appeared viable. However, the operating environment was politically sensitive, with contested land acquisition, strong local leadership, and a highly mobilised rural population. Security risk assessments largely focused on physical protection and law-and-order assurances, with limited attention paid to social consent, perception management, and escalation pathways.
As protests intensified and political narratives hardened, site access became increasingly constrained. Despite the presence of security arrangements and government backing, the project faced repeated disruptions and was ultimately withdrawn before commissioning.
The lesson here is not about inadequate security deployment. It is about a failure to recognise that legitimacy, stakeholder alignment, and early warning of political escalation are central to physical security in complex geographies. In greenfield projects, risk often originates outside the fence line.
Case Study 2: A Global Energy Company Operating in a Complex Emerging Market
A multinational energy company operating in a complex emerging-market environment faced persistent operational disruptions over time. While the challenges manifested as protests, access blockades, and infrastructure interference, underlying risks stemmed from unresolved community grievances, weak local governance structures, and erosion of social licence.
Security efforts initially focused on asset protection, perimeter hardening, and contractual enforcement. However, these measures proved insufficient without sustained stakeholder engagement, informal intelligence, and alignment between operational security and community realities.
When trust deficits deepen, physical security risks escalate rapidly. In long-running operations, risk maturity is dynamic, and failure to recalibrate security strategy in line with evolving social and political conditions can significantly undermine business continuity.
Case Study 3: A Global Manufacturing Firm Scaling Operations in an Emerging Market
A global manufacturing organization scaling operations in an emerging-market geography encountered risk challenges during rapid scale-up. While the company had prior international experience, local labour regulations, workforce expectations, and compliance norms introduced unfamiliar operational pressures.
As headcount grew quickly, issues related to workforce stability, insider exposure, and compliance alignment surfaced. Initial attempts to replicate global operating models delayed effective mitigation. Over time, risk posture improved through localized workforce screening, strengthened access governance, and closer coordination between security, HR, and compliance teams.
Existing international presence does not equate to risk readiness. Growth phases often amplify latent vulnerabilities, particularly when speed outpaces contextual understanding.
What Boards and Executive Leadership Should Pay Attention To
Across these cases, a consistent pattern emerges. Business outcomes were shaped not by a lack of opportunity, but by an underestimation of risk complexity and a delayed integration of security insight into strategic decisions.
For boards and CEOs, risk management should not be viewed narrowly as cyber, physical asset protection and operational technology security alone. In complex geographies, it is a risk translation function that connects social, political, and operational realities to business continuity and reputation. When engaged early, security leaders can challenge assumptions, stress-test operational viability, and highlight non-obvious escalation triggers that may not appear in traditional risk registers.
Ignoring this perspective does not eliminate risk; it merely postpones its impact to a point where corrective action becomes significantly more expensive.
Recommendations for Risk Leaders
Do
- Engage during strategic planning phases, not after approvals
- Assess security feasibility, including social and political dynamics
- Map informal influencers such as unions, community leaders, and local power brokers
- Localise security SOPs to enforcement capacity and cultural realities
- Build early-warning intelligence through workforce and community sensing
- Establish law enforcement and regulatory relationships before incidents occur
- Empower local security leadership with authority, not just responsibility
Don’t
- Assume government backing guarantees operational security
- Treat land acquisition, labour unrest, or activism as non-security issues
- Replicate headquarters security models without contextual adaptation
- Outsource accountability entirely to vendors or public authorities
- Wait for incidents to validate known escalation risks
- Isolate physical security from HR, legal, and operations
Conclusion
Organizations rarely fail in complex geographies because risks were unknown. They fail because risks were acknowledged too late or assigned to the wrong functions. The lessons from global operations demonstrate that physical security must evolve from a protective service into a strategic capability, one that interprets ground realities, anticipates disruption, and informs decision-making at the earliest stages of growth.
For boards and executive leadership, the question is no longer whether security risks exist, but whether the organization is structured to hear uncomfortable truths early enough to act on them. In complex geographies, resilience is not built at the gate. It is built at the table where strategic decisions are made.
Author:
Major Saurabh Srivastava, Managing Partner and Regional Director, South Asia, Lares Risk Management International. With over 20 years of experience advising organizations operating in complex and high-risk environments, Saurabh works closely with boards and executive leadership to integrate physical security, operational risk, and crisis preparedness into core business strategy.
About Lares Risk Management International
Lares Risk Management International (LRM) is a trusted security and risk management consultancy with an established presence across Europe, the Middle East & Africa (EMEA) and Asia-Pacific (APAC). With offices in Netherlands, Thailand, India, and Vietnam. We specialize in strategic security solutions, operational risk management, and protective services for businesses and individuals worldwide.
For additional details, please reach out to:
📩 info@laresriskmanagement.com
🌐 Get in touch
📰 Related insights