
Geopolitical risks 

Overview

🛑 UpGuard will be releasing geopolitical risks in the coming weeks; they are not released yet. Until release, this page is provided for informational purposes.

UpGuard’s geopolitical risks are organization-level risks that surface signals related to sanctions listings, regulatory enforcement, export controls, financial crime, and more. 

All geopolitical risks are: 

  • Based on data from worldwide sanctions and regulatory action lists published by government and regulatory authorities.  
  • Raised against an organization’s primary domain.
  • Included in the Operational Risk category.
  • Initially created as provisional risks; they remain provisional for 6 months following the date they are added to UpGuard. Provisional risks do not affect an organization’s security score during the provisional period.

UpGuard and its geopolitical risks do not assess individuals or politically exposed persons.

Risk types 

Each risk is assessed independently and assigned a severity so that you can focus your attention appropriately. 

The following geopolitical risks are currently supported:

| Risk | Potential severity |
| --- | --- |
| Debarred by a regulator | Informational to Medium |
| Export control violation | Informational to High |
| Flagged for financial crime | Informational to High |
| Listed on a sanctions list | Informational to Critical |
| Compliance violation | Low to High |
| Regulator action | Low to High |
| Sanctions violation | Low to High |

Why geopolitical risks matter

Geopolitical and regulatory exposure can materially influence how a security incident unfolds, or whether a business relationship can continue at all. Sanctions listings, enforcement actions, or export control violations can lead to restricted transactions, contract termination, regulatory scrutiny, or reputational damage.

Geopolitical risks bring fragmented regulatory and sanctions signals into the same workflow used for third-party security assessments, equipping you to evaluate your vendor more fully and assess your (potential) relationship.

Geopolitical risk detection 

UpGuard monitors sanctions and regulatory action lists published by regulatory authorities and governments worldwide. This monitoring runs approximately every 24 hours, and the platform is updated accordingly.

Detection follows a structured process:

  1. Organization identification
    The first time any organization adds a domain for monitoring, UpGuard identifies the organization's domain using attributes such as company name, legal name, and country of registration.
  2. Entity matching across global datasets
    Company name and organization attributes are used to search global sanctions, enforcement, and compliance listings. Variations in naming, translations, and legal suffixes are accounted for.
  3. AI-assisted verification
    An AI analyst reviews potential matches by comparing identifiers such as registration details and addresses to confirm whether the listing refers to the same organization. Confirmed false positives are remembered to prevent repeated flagging. 
  4. Dynamic severity assignment
    Positives from step 3 are created as geopolitical risks and are assigned a severity based on the authority issuing the action and the immediacy of the risk.
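
Steps 2 and 3 can be sketched as follows. This is an added example, not UpGuard's implementation: the suffix list, the 0.85 similarity threshold, the record fields, and the verdict labels are all assumptions chosen for illustration, and the listings are constructed sample data.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Assumed, non-exhaustive legal suffixes to ignore when comparing names.
LEGAL_SUFFIXES = {"ltd", "limited", "llc", "inc", "corp", "co", "company",
                  "gmbh", "ag", "sa", "plc", "pty", "bv"}

def normalize_name(name):
    """Fold case and accents, drop punctuation and trailing legal suffixes."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    tokens = re.sub(r"[^a-z0-9 ]+", " ", text.replace(".", "")).split()
    while len(tokens) > 1 and tokens[-1] in LEGAL_SUFFIXES:
        tokens.pop()
    return " ".join(tokens)

def candidate_matches(org, listings, threshold=0.85):
    """Step 2: listings whose name or an alias is close to the organization's."""
    target = normalize_name(org["legal_name"])
    def score(e):
        return max(SequenceMatcher(None, target, normalize_name(n)).ratio()
                   for n in [e["name"], *e.get("aliases", [])])
    return [e for e in listings if score(e) >= threshold]

def verify(org, entry, false_positives):
    """Step 3: compare hard identifiers; remember confirmed false positives."""
    key = (org["domain"], entry["id"])
    if key in false_positives:
        return "rejected"
    if not entry.get("registration") or not entry.get("country"):
        return "needs_review"        # a similar name alone is not enough evidence
    if (entry["country"], entry["registration"]) == (org["country"], org["registration"]):
        return "confirmed"
    false_positives.add(key)         # conflicting identifiers: do not flag again
    return "rejected"

def screen(org, listings, false_positives):
    return {e["id"]: verify(org, e, false_positives)
            for e in candidate_matches(org, listings)}

# Constructed sample data (not real listings); \u00e4 is "a" with an umlaut.
ORG = {"domain": "example.com", "legal_name": "Ex\u00e4mple Trading Co., Ltd.",
       "country": "DE", "registration": "HRB 000000"}
LISTINGS = [
    {"id": "L-1", "name": "EXAMPLE TRADING LIMITED", "country": "DE", "registration": "HRB 000000"},
    {"id": "L-2", "name": "Example Trading LLC", "country": "AE", "registration": "AE-111111"},
    {"id": "L-3", "name": "Sample Shipping GmbH", "country": "DE", "registration": "HRB 222222"},
    {"id": "L-4", "name": "Example Tradng Inc"},
]
```

Calling `screen(ORG, LISTINGS, set())` confirms L-1, rejects L-2 as a same-name company in another jurisdiction, never considers L-3, and leaves the identifier-less L-4 for manual review.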

If you see a risk that is a false positive or incorrectly attributed, please contact our Support Team at support@upguard.com.

Severity ranking guidelines and definitions

Geopolitical risks, like all UpGuard risks, use a 5-tier risk model to reflect the nature and immediacy of the exposure. 

As findings age, their severity drops. The timelines below are based on when a finding initially appears on a sanctions list: 

  • 0-12 months old: the risk is visible in UpGuard and the risk and severity determine its impact on your security rating. 
  • After 12 months: the risk's severity drops to informational and it no longer affects your score. 
  • After 10 years: the risk is completely removed from UpGuard and no longer visible. 
  • Findings more than 10 years old: do not appear in UpGuard. 

Severity is determined and assigned based on:

  • authoritative evidence 
  • the nature of the issue

| Severity | Risk definition (specific to geopolitical risks) |
| --- | --- |
| Informational | Contextual intelligence rather than an active risk. Provides historical context but does not represent current exposure. Includes: resolved enforcement actions, delisted entities, valid licenses or exemptions, ethical investment exclusions, or findings that are more than 12 months old. |
| Low | Captures minor, peripheral, or historical issues with limited current impact. Includes: general exclusion lists, minor regulatory breaches, consent agreements for past violations, procedural violations, or ownership of a sanctioned entity without direct involvement. |
| Medium | Represents material regulatory or compliance issues that warrant attention and monitoring. Includes: state-owned enterprises in comprehensively sanctioned countries, formal investigations, civil money penalties, administrative sanctions, or debarment from government programs. |
| High | Reflects direct involvement in serious violations. Includes: sanctions for human rights abuses or significant corruption; penalties for violating international sanctions programs, export control laws, or financial crime regulations; severe enforcement actions such as Cease and Desist Orders; or meaningful indirect exposure through sanctioned ownership or control structures. |
| Critical | Indicates the most serious forms of exposure. Includes: sanctions related to terrorism, weapons proliferation, or military aggression. Also includes systemic compliance failures that may trigger significant legal or operational consequences. |


Geopolitical risk resolution 

Geopolitical risks resolve on several conditions:

  • Source removal: The entity that listed the finding has removed it. This is noted in the “Risk Resolves” field.
  • Timeframe lapse: Risks automatically convert to informational 12 months after a finding is listed on a sanctions list. Risks are dismissed when they are 10 years old. 

💡 Why 10 years? This aligns with standard legal and governmental retention policies.

Remediation

Due to the nature of geopolitical risks, remediation focuses on legal, compliance, and business actions.

Below are some potential steps you could take in response to geopolitical risks. The list is not meant to be exhaustive or conclusive; it merely gives examples of common approaches. We recommend working closely with your legal and compliance team to establish a response and remediation process that meets your business needs.

  • Review severity and scope
    Evaluate the risk severity and risk details to determine whether the issue represents a direct legal restriction for your organization, an active enforcement action, or contextual intelligence. This helps establish whether immediate action is required.
  • Engage legal and compliance teams
    For sanctions, export controls, or financial crime findings, work with your legal or compliance teams to confirm obligations under applicable laws. This may include reviewing licenses, exemptions, reporting duties, or jurisdiction-specific restrictions.
  • Adjust business relationships where necessary
    Based on legal guidance, update procurement decisions, restrict transactions, modify contractual terms, or pause onboarding or renewal activities. In some cases, disengagement may be required to remain compliant.
  • Document due diligence and decisions
    Record the review process, advice received, and actions taken. This documentation supports audit readiness, regulatory inquiries, and internal governance requirements.
  • Apply a risk waiver when appropriate
    If the risk is valid but does not require action, apply a risk waiver to explain the context and decision rationale.
  • Continue monitoring for changes
    Sanctions listings and regulatory actions change over time. UpGuard will continue to monitor for new geopolitical risks and changes to existing ones every 24 hours.

Waivers

For Breach Risk customers, we recommend using waivers to explain why a geopolitical risk exists and to provide any relevant information to organizations that might be assessing you.