Preventable corporate scandals, as seen by headline events related to Pepsi, Wells Fargo, Volkswagen, Chipotle and Wendy’s, result from a variety of risk management failures across a variety of industries. Notable scandals include cybersecurity failures at retail organizations and restaurants, quality control issues at manufacturers, and ineffective asset management and access rights at financial institutions.
Despite their differences, the root cause of all these scandals is a failure in risk management resulting from poor governance. When assessing risk management effectiveness at your own organization, there are a few fundamental concepts to consider:
1) Linkage and Dependencies—Do departments across the organization have the ability to identify interdependencies, shared risks, areas of operational overlap, and potential collateral damage from errant processes?
2) Operationalizing Policies—Most all organizations have internal policies and third-party contracts. However, few organizations assess the effectiveness of their policies. Questions to ask include: Are policies followed by employees throughout the organization? Are risk assessments extended to outsourced third parties, helping with the design of policies and contracts? Are monitoring activities used to determine gaps or lapses in vendor activity? Are third party accountability and controls regularly reviewed?
3) Strategic Alignment—Finally, senior management and the board should receive periodic reports demonstrating the alignment of daily operations with strategic objectives. Strategic goals should cascade down to be assessed by front-line management. This also helps ensure budget is allocated effectively.
An affirmative answer to all the above questions mitigates the risk of any business scandal, whether it results from a problem related to the supply chain, cybersecurity, employees or third parties.
An enterprise risk management process protects organizational reputation and preserves business continuity. Most organizations prioritize third parties by contract value; an objective risk assessment of a supply evaluates not its value, however, but the overall impact it could have on the organization. Often, vendors with small fees can present massive risks to an organization.
When it comes to vendors, you can always outsource a process, but you can never outsource the risk associated with that process. Vendors must therefore be held accountable to your own internal standards.
A risk-based approach is the foundation to each of the considerations mentioned so far. Prioritization—both of related critical processes and their relationship to top organizational risks—requires all units to use the same methodology and taxonomy. This can only be achieved through centralized governance.
Long-Term Success Results from Incident Prevention, Not Recovery
Effectively managing your supply chain involves managing numerous interconnected relationships and potential vulnerabilities. Keeping track of this web of interdependencies cannot be accomplished in disparate spreadsheets; preserving your reputation requires a cross-functional effort.
Many organizations learn this lesson too late, and as a result seek to rebuild their reputations by implementing and documenting robust recovery processes. After Wells Fargo’s accounts scandal, for example, the board produced a report detailing the company’s efforts to rebuild customer trust, better identify customer expectations, and streamline its marketing efforts.
The problem with these initiatives is that they are recovery-oriented. That is, Wells Fargo’s report demonstrates attempts to “make things right” for this particular scandal. Much more effective would be a deep dive into the root cause of the scandal; what went wrong, and how can we prevent similar incidents from ever happening again?
As stated by Warren Buffett, “It takes 20 years to build a reputation and five minutes to ruin it.” The financial cost of detecting and preventing incidents before they happen, which is determined by the financial cost of your enterprise risk management solution, is miniscule compared to the costs of a damaged reputation.
To go back to Wells Fargo, the organization payed $185 million dollars in regulatory fines. This number is just the tip of the iceberg, since it doesn’t take into account the lasting financial impact associated with a severely damaged reputation. Estimates are that Wells could lose as much as $212 billion in deposits and $8 billion in revenue. This drop is significant, as it would represent a 17 percent decrease in deposits and a 9 percent drop off in revenue. As a result of the scandal, many customers migrated to other providers, and many prospects decided not to give Wells Fargo their business in the first place.
Mitigate Supply Chain Risk and Improve Performance with Good Governance
As mentioned above, risks cannot be outsourced to your vendors; the liability for risk management failures will always rest on your organization. Similarly, reducing risk likelihood to zero is an unrealistic goal. Good governance is not about completely eliminating risk, however. Good governance is achieved when cross-functional risk management is used to inform decision-making.
Organizations with strong governance and risk management programs have a few common characteristics:
- They create accountability. No initiative, whether a policy implementation, a departmental risk assessment, or a vendor evaluation, can be accomplished by one individual. Each of these processes requires identification and assessment, mitigation, and monitoring. The only way to ensure every step is performed appropriately is by breaking steps into smaller components, assigning responsibility to the most appropriate party, and monitoring the results.
- They create transparency. Collaboration and efficiency are only achievable if departments are able to communicate quickly and effectively. This means department-specific risk management procedures are inherently limited in their effectiveness. Employees across the organization need to be able to see the risk status, as well as which controls are associated with it. They must also be able to report incidents in a standardized manner, aggregating information across business processes.
- They engage the right people. The best way to prevent risks from slipping through the cracks is to involve the front lines of the organization in the risk assessment process. Front-line managers and employees are closest to and most knowledgeable about which risks present the greatest threat. They should therefore have the ability to identify risks, what could go wrong if they occur, and how effective (and why) they think current mitigation activities are.
Once this occurs, they should have access to the resources they need to prevent that risk from occurring, avoiding the impact it would have on customers, the organization itself, and shareholders.
The key to incident prevention is integrating the risk-based process across business units. Recovery from previous failures may work temporarily, but the only way to achieve sustainable success in the long-term is with strong organizational governance.
Steven Minksy is the CEO of LogicManager Inc., the leading provider of ERM software solutions. Minsky is the author of the RIMS Risk Maturity Model for ERM, the RIMS State of ERM Report among many other papers, and a RIMS Fellow (RF) instructor on ERM. He has conducted ERM and RIMS Risk Maturity Model training for hundreds of organizations around the globe.