Samuel Rasmussen

There was a time, not long ago, when sustainability lived comfortably in the realm of language. It was shaped in marketing decks and annual reports, polished into pledges and promises that felt, if not always precise, then at least directionally virtuous. Companies spoke of pathways and commitments, of journeys toward net zero and stewardship, and for a while that was enough. The words carried weight simply because they were spoken.

For a long time, compliance has lived in the margins of the enterprise, summoned when needed, consulted when required, and too often encountered as a final checkpoint at the edge of a decision already in motion. It has been, in many organizations, a function of restraint, and a necessary friction applied to ensure that ambition does not outrun obligation.

There are periods when geopolitics hums in the background of corporate life, unsettling, tragic, but still distant enough to be categorized as “external.” And then there are moments when the map seems to press directly against the operating model of the enterprise. Escalation involving Iran sits firmly in that latter category, not because conflict in the region is new, but because it concentrates so many interlocking systems (energy corridors, cyber capability, sanctions regimes, proxy networks, global shipping routes) into a single geography where instability reverberates quickly and unevenly.

There is a particular moment in every technological transformation when enthusiasm gives way to recognition. It is not the moment when innovation falters, nor when critics grow louder. It is the moment when institutions begin to understand that what has been built is now too consequential to remain loosely governed.

For a long time, ESG risk in the supply chain was treated as something adjacent to the business rather than integral to it. A matter of policy statements, supplier codes of conduct, and questionnaires circulated once a year, often completed quickly and filed away quietly. The appearance of diligence was usually sufficient. Oversight, such as it was, could be delegated.

Third-party risk rarely announces itself with alarms. More often, it arrives quietly, disguised as an assumption. The assumption is that responsibility can be shared without consequence. That accountability can be distributed, diluted, and still hold its shape when pressure arrives. That contracts, frameworks, and carefully worded clauses will stand in for human judgment when systems fail and decisions cannot wait.

Organizations are very good at moving on. Leadership changes. Systems are replaced. Vendors rotate in and out. Strategic priorities shift with the market. What organizations are far less good at is remembering why things exist the way they do.