One important source of operational risk relates to the organizations, people, processes, and resources comprising a company’s supply chain. In many sectors, companies increasingly depend on the external elements of the supply chain (e.g., suppliers, outsource partners, third-party logistics) in an effort to cut costs while increasing capabilities and global reach. Because every business depends on a well-functioning, cost-effective supply chain, every board should consider its oversight of supply chain risks. The following are seven suggestions for better board-level oversight of supply chain issues.
1. Strike the right balance when selecting a supplier. Time, cost, quality, and risk are four factors a company needs to consider when identifying potential suppliers, negotiating contracts, and evaluating supplier risk and performance throughout the lifespan of the contract. Boards should be leery when management emphasizes one or two factors over the others as this can result in unintended consequences. For example, seeking to reduce procurement costs when negotiating supply contracts should not lead to the unintended consequence of taking delivery of components that fail to meet critical quality specifications or timing requirements.
2. Make procurement decisions with an enterprisewide perspective. Striving for functional excellence is a laudable goal, but it has its limits. Companies can incur huge losses making procurement decisions in isolation, ignoring initiatives undertaken by the research and development, engineering and finance functions.
3. Ensure the supplier agreement spells everything out. When a contract clearly defines scope, business objectives, deliverables and performance specifications, it lays the foundation for ongoing monitoring of contract compliance and supplier performance and reduces the risk of costly disputes and misunderstandings. For example, the contract should clarify product and packaging specifications and quality control and inspection protocols so that performance can be monitored over time. It also should ensure that intellectual property and critical assets (e.g., proprietary molds and tools the company gives to the supplier) are adequately protected. Due to the complexity of managing suppliers operating in other countries, boards should ensure that the procurement process is supported by legal advisers knowledgeable of the applicable court jurisdictions, particularly in countries where laws, customs, and business ethics may vary.
4. Hold suppliers to the same level of accountability. The rigor of company processes for identifying, sourcing, measuring, monitoring, and reducing third-party relationship risks should be proportionate to the level of risk and complexity of those relationships. With respect to legislative and regulatory developments regarding disclosure of the actions a company has voluntarily undertaken to remove labor abuses from its supply chains, companies should seek the advice of counsel as to the status of these developments and the jurisdictions and circumstances in which they apply. Given this environment, a case can be made for adopting and enforcing a supply chain code of conduct—especially for vendors authorized to act as agents on behalf of the organization. Coupled with a code of ethics that details the principles and values by which the company operates, a code of conduct might address topics such as human rights, health and safety standards, environmental sustainability standards, ethical and responsible business behavior, and cybersecurity standards.
6. Conduct periodic third-party audits. A supply chain code of conduct is only as good as the vendors who sign it. That’s why a cost-effective third-party audit process is essential. Such audits may be integral to the due diligence associated with vendor selection and onboarding. Conducted on a periodic basis, third-party audits may focus on: selected internal controls, such as cybersecurity; vendor performance against contract specifications; and compliance with laws and regulations. The audits may also be conducted before contract renewals.
6. Monitor supplier risk and performance over the life of the contract. The risk environment is not static over the life of the contract. All suppliers should be segmented based on factors such as risk, the level of spend, criticality, and alternatives in the market. The segmentation should drive the level of preselection due diligence, the contracting strategy, and the level and frequency of monitoring through contract duration. Ideally all facets of contract and supplier risk are addressed through performance reporting, including early warning alerts before it’s too late to act on a timely basis.
7. Pay attention to business continuity risk. There are many instances where a single-source supply strategy is the right business decision. In these cases, however, quality, time, and cost considerations often win out over business continuity risk considerations despite the risk of supply chain disruptions. Thus, risk assessments should consider what could happen to the organization’s business model if any key component of the supply chain were taken away, even though a cause may be somewhat elusive at the time of the assessment.
An assessment should also consider the implications of plausible and extreme scenarios stemming from the loss of strategic sources of supplies for an extended period, including exposure to data security risks and physical access to sensitive information, the financial impact, expected recovery time, and adequacy of current recovery and contingency plans. To illustrate, directors should inquire whether management has considered the following questions:
What would happen if we were to lose, for any reason, one or more of the suppliers that we depend on for essential raw materials and components?
How long would we be able to operate?
What if there were significant disruptions in transportation?
What contingency plans do we have?
Have our key suppliers performed their own risk assessments with respect to key “Tier Two” or “Tier Three” suppliers? How do we know?
The board should be informed of the results of these assessments.
As my firm reflected on directors’ expectations that have emerged while working with boards, four areas of emphasis that internal auditors should address rise above the rest. We refer to these as the four Cs: culture, competitiveness, compliance, and cybersecurity. These four areas offer suggestions to directors regarding what they should expect from a risk-focused audit plan.
Here’s a closer look.
A breakdown in risk management, internal control, or compliance is almost always due to a dysfunctional culture. The risks spawned by cultural dysfunction often require a lengthy incubation period before noticeable symptoms appear—and lead to consequences that could result in a reputation-damaging event. Examples include an environment that isolates senior leaders from business realities, allows cost and schedule concerns to override legitimate public safety priorities, empowers falsification of emission reports, or drives unacceptable risk-taking through inappropriate performance incentives. Once a culture of dysfunction inculcates a flawed business environment, it may take a long time for the consequences to emerge—and emerge they will if the dysfunction is left unaddressed.
Given that an organization’s culture is the mix of shared values, attitudes, and patterns of behavior that comprise its particular character, how does a board get its arms around it? An opportunity we see is for directors to look to the chief audit executive as the independent “eyes and ears” of the organization’s culture. Specifically, internal audit can be asked to perform the following functions:
understand the overall working environment;
identify the unwritten norms and rules governing employee interactions and workplace practices;
highlight possible barriers to an effective internal environment and communication flow;
report unacceptable behaviors, decisions and attitudes toward taking and managing risk; and
make recommendations to address identified problems.
Internal audit can also post warning signs to directors that further investigation into cultural concerns is warranted, and can assist in assessing whether the tone in the middle and at the bottom match the leaders’ perception of the tone at the top. This contrast can be quite revealing. It can serve as a powerful reality check to a management team that really wants to listen.
Competitiveness is a priority of every business and poses a significant opportunity for the internal audit function. If, for instance, the company’s practices are inferior relative to best-of-class performers due to underperforming business processes, the internal audit function can improve operating efficiency. In essence, the board should expect internal audit to look beyond traditional compliance areas and financial reporting to help the organization to continuously improve its operations.
Most organizations use some form of a balanced scorecard when monitoring whether they are successfully establishing and sustaining competitive advantage in the marketplace. Key performance indicators address critical areas such as quality, time, cost, and innovation performance. They often include indicators of customer and employee satisfaction. Internal audit can assist with assessing the reliability of these metrics for decision-making. In addition, internal audit can benchmark selected metrics against competitors and best-in-class performers to identify performance gaps that must be corrected in a timely manner.
Traditionally, the internal audit plan ensures that the organization’s compliance with laws, regulations, and internal policies is under control. As the third line of defense in the compliance chain of command, internal audit should ascertain whether:
Front-line operators and functional leaders whose activities have significant compliance implications own the responsibility for identifying and managing compliance risk. These front-line operators are responsible for having effective controls in place to reduce the risk of noncompliance to an acceptable level.
The scope of the independent compliance function, or the second line of defense, is commensurate with the significance of the company’s compliance issues and results in reliable and timely insights to management and primary risk owners.
Internal audit should also determine whether a cost-effective monitoring process is in place to address the top compliance risks, and whether that process can assess the overall implementation of the compliance program in light of changes in applicable laws and regulations.
In a recent survey, cybersecurity was cited as the third most critical uncertainty companies are facing as they look forward into 2017. What can internal audit do to alleviate this concern?
Assess whether the company’s processes give adequate attention to high-value information and information systems. Rather than costly, system-wide protection measures that result in a lack of attention to the most important assets, internal audit can assess whether the information technology organization and business leaders agree on what constitutes the company’s crown jewels.
Assist the board and senior management with understanding the threat landscape. The organization’s cybersecurity risks should be assessed based on the company’s crown jewels, the nature of its industry and operations, and its visibility as a potential target. For example: Who are the likely adversaries, and how might they attack? Where are our biggest vulnerabilities? How effective are our current internal controls? Do we conduct penetration testing? If so, what are the results?
Review the organization’s response readiness to a cyber incident. Effective incident response processes are critical to a company’s preparedness to reduce an attack’s impact and proliferation.
By focusing more broadly on the implications of audit findings and thinking beyond the expressed or implied boundaries set by the audit plan, internal audit is better positioned to deliver stronger, more practical and harder-hitting recommendations aligned with what directors are seeking.
Despite this call to action, overcoming short-termism remains a stark challenge for many companies. In fact, as the National Association of Corporate Directors’ (NACD) 2015 Blue Ribbon Commission observed, “factors encouraging a short-term focus are stronger now than ever before.” Additionally, in a 2015 report, the Conference Board contemplated whether short-term biases might jeopardize future business prosperity altogether.
Yet if short-termism is a sizable challenge, so too is the commitment to understanding why short-termism is so entrenched as a business practice and the task of mitigating its harmful effects. In July, the Anti-Fraud Collaboration, a group of organizations focused on fighting financial reporting fraud, hosted a webcast on Coming to Terms with Short-Termism. The discussion, which I was privileged to moderate, featured top experts and generated a wealth of useful takeaways for participants across the financial reporting supply chain.
Let’s look at a few key takeaways from the discussion.
1. Acknowledge and Define the Complexities of the Issue
To address the challenge of short-termism, it helps to understand the complexities of what companies are up against. For one thing, “short-termism” doesn’t equate to short-term activity, which isn’t necessarily bad. NACD Chair Karen Horn, director of Simon Property Group, observed at the outset of the webcast that the “long term is made up of many, many short-term actions.”
Another tricky step to understanding the complexities of short-termism is how to define “short-term” at your company. Is it a month? A quarter? A year? “It depends on the company,” said panelist Bill McCracken, president of Executive Consulting Group LLC. McCracken, who previously served as CEO of CA Technologies, added that even within a company the meaning of “short-term” can change according to different contexts, such as strategy or compensation.
2. Think Strategically
However complex a challenge combatting short-termism may seem, there are several simple solutions for directors to consider. One of them is this: think strategically. A strategic mindset helps short-term actions align with long-term goals. “Boards really need to be conversant with the company strategy,” said Horn. McCracken agreed, noting that board members should become “activist directors” who immerse themselves in the details of the company, its strategy, and its industry. This engaged approach, he added, can help directors be prepared to handle situations such as share buybacks or changes to dividend policy where questions of short-termism may arise.
Similarly, strategic thinking can also help directors gauge the validity of the use of non-GAAP measures. “Shouldn’t the use of non-GAAP measures also tie in to the strategy of the entity?” asked Douglas Chia, executive director of the Conference Board’s Governance Center. “Absolutely,” responded fellow panelist and KPMG Partner Jose Rodriguez.
3. Strengthen Tone at the Top…
One danger of short-termism is that it can heighten fraud risk across the enterprise. Companies need to ensure that management is setting the right tone at the top. “I can’t underemphasize tone at the top,” said Rodriguez. “How do [senior executives] talk to employees? Is everything geared around meeting that analyst’s [earnings] expectations?” From his auditor’s viewpoint, he added, “that would be concerning.”
4. …But Don’t Forget the “Mood in the Middle” and “Buzz at the Bottom”
While emphasizing tone at the top, panelists also stressed that short-termism shouldn’t be a point of concern for only senior management. Many instances of fraud, noted Rodriguez, occur outside the C-suite. “It’s middle management and lower management that had to get that sales number to a certain amount of dollars,” he said, and this pressure can lead to channel stuffing or other undesirable activity. Such activity is what audit committees, auditors, and the board ought to be looking for, added Bill McCracken.
5. Dial Down the Emphasis on Quarterly Results
“Our entire [financial reporting] structure is built around quarterly reporting,” said McCracken. While eliminating this quarterly focus might not be possible—or even desirable—panelists agreed that reducing the quarter-to-quarter mindset was an important part of addressing short-termism. “Obviously you can’t get entirely away from that,” said Chia, “but there are ways you can reduce the emphasis and build on the timeline that you think is appropriate—not what you’re being told by the analyst community.”
Fostering robust internal and external communication is a core priority for the Anti-Fraud Collaboration, and communication at all levels was a recurring theme throughout this webcast. When discussing the use of non-GAAP measures, Horn noted that “the chairman of the compensation committee should be talking to the chairman of the audit committee as these measures work their way in to [compensation] programs.”
Likewise, communicating effectively with external investors and other stakeholder parties is critical. “Boards need to really understand investor communications,” said Horn. “The way that we can pursue long-term value creation is in partnership with our investors.”