One important source of operational risk relates to the organizations, people, processes, and resources comprising a company’s supply chain. In many sectors, companies increasingly depend on the external elements of the supply chain (e.g., suppliers, outsource partners, third-party logistics) in an effort to cut costs while increasing capabilities and global reach. Because every business depends on a well-functioning, cost-effective supply chain, every board should consider its oversight of supply chain risks. The following are seven suggestions for better board-level oversight of supply chain issues.
1. Strike the right balance when selecting a supplier. Time, cost, quality, and risk are four factors a company needs to consider when identifying potential suppliers, negotiating contracts, and evaluating supplier risk and performance throughout the lifespan of the contract. Boards should be leery when management emphasizes one or two factors over the others as this can result in unintended consequences. For example, seeking to reduce procurement costs when negotiating supply contracts should not lead to the unintended consequence of taking delivery of components that fail to meet critical quality specifications or timing requirements.
2. Make procurement decisions with an enterprisewide perspective. Striving for functional excellence is a laudable goal, but it has its limits. Companies can incur huge losses making procurement decisions in isolation, ignoring initiatives undertaken by the research and development, engineering and finance functions.
3. Ensure the supplier agreement spells everything out. When a contract clearly defines scope, business objectives, deliverables and performance specifications, it lays the foundation for ongoing monitoring of contract compliance and supplier performance and reduces the risk of costly disputes and misunderstandings. For example, the contract should clarify product and packaging specifications and quality control and inspection protocols so that performance can be monitored over time. It also should ensure that intellectual property and critical assets (e.g., proprietary molds and tools the company gives to the supplier) are adequately protected. Due to the complexity of managing suppliers operating in other countries, boards should ensure that the procurement process is supported by legal advisers knowledgeable about the applicable court jurisdictions, particularly in countries where laws, customs, and business ethics may vary.
4. Hold suppliers to the same level of accountability. The rigor of company processes for identifying, sourcing, measuring, monitoring, and reducing third-party relationship risks should be proportionate to the level of risk and complexity of those relationships. With respect to legislative and regulatory developments regarding disclosure of the actions a company has voluntarily undertaken to remove labor abuses from its supply chains, companies should seek the advice of counsel as to the status of these developments and the jurisdictions and circumstances in which they apply. Given this environment, a case can be made for adopting and enforcing a supply chain code of conduct—especially for vendors authorized to act as agents on behalf of the organization. Coupled with a code of ethics that details the principles and values by which the company operates, a code of conduct might address topics such as human rights, health and safety standards, environmental sustainability standards, ethical and responsible business behavior, and cybersecurity standards.
5. Conduct periodic third-party audits. A supply chain code of conduct is only as good as the vendors who sign it. That’s why a cost-effective third-party audit process is Such audits may be integral to the due diligence associated with vendor selection and onboarding. Conducted on a periodic basis, third-party audits may focus on: selected internal controls, such as cybersecurity; vendor performance against contract specifications; and compliance with laws and regulations. The audits may also be conducted before contract renewals.
6. Monitor supplier risk and performance over the life of the contract. The risk environment is not static over the life of the contract. All suppliers should be segmented based on factors such as risk, the level of spend, criticality, and alternatives in the market. The segmentation should drive the level of preselection due diligence, the contracting strategy, and the level and frequency of monitoring through contract duration. Ideally all facets of contract and supplier risk are addressed through performance reporting, including early warning alerts before it’s too late to act on a timely basis.
7. Pay attention to business continuity risk. There are many instances where a single-source supply strategy is the right business decision. In these cases, however, quality, time, and cost considerations often win out over business continuity risk considerations despite the risk of supply chain disruptions. Thus, risk assessments should consider what could happen to the organization’s business model if any key component of the supply chain were taken away, even though a cause may be somewhat elusive at the time of the assessment.
An assessment should also consider the implications of plausible and extreme scenarios stemming from the loss of strategic sources of supplies for an extended period, including exposure to data security risks and physical access to sensitive information, the financial impact, expected recovery time, and adequacy of current recovery and contingency plans. To illustrate, directors should inquire whether management has considered the following questions:
What would happen if we were to lose, for any reason, one or more of the suppliers that we depend on for essential raw materials and components?
How long would we be able to operate?
What if there were significant disruptions in transportation?
What contingency plans do we have?
Have our key suppliers performed their own risk assessments with respect to key “Tier Two” or “Tier Three” suppliers? How do we know?
The board should be informed of the results of these assessments.
Boards and executive teams are challenged by a fast-changing, highly interdependent, and often ambiguous external environment that continually creates unforeseen opportunities and risks. Volatility is the new normal. Not surprisingly, according to the National Association of Corporate Directors’ (NACD) most recent public company governance survey, global economic uncertainty ranks as the top trend corporate directors believe will impact their company in 2017. In yet another NACD poll conducted during a recent webinar, 49 percent of directors did not feel that management was providing them with a reliable view of the future.
The recent election of Donald J. Trump as President of the United States is likely to contribute to this growing sense of uncertainty, with the corporate director community evenly divided about the potential impact, according to the NACD webinar poll. Forty-two percent of directors report that his administration will be good for business, while 42 percent are unsure about the impact, and still another 16 percent believe that a Trump presidency will not be good for business.
In this complex, uncertain environment, what can boards do to gain more comfort from management that risks are accurately identified and well-controlled?
The International Standards Organization in ISO 31000 defines risk as “the effect of uncertainty on objectives,” which can be a negative or positive deviation from what is expected. More specific to business, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is currently defining risk as “The possibility that events will occur and affect the achievement of strategy and business objectives.” Each of these definitions of risk exposes a company to potential loss—indeed, yet another definition of risk authored by insurance professionals highlights risk as the possibility of loss. Yet when viewed as part of an active business dynamic, risk, as daunting as its manifestations may be, is far more than the chance of loss. Rather, risk is a level of uncertainty that can create economic opportunity.
The recently released Director Essentials: Strengthening Risk Oversight identifies eight leading risk oversight actions that directors can take to seize opportunities and avoid the loss possibilities inherent to risk. A brief outline of each action and a key question boards should consider asking follows.
1.) Clarify the Roles of the Board, Committees, and Management. The board, all board committees, and all members of senior management need to know their unique roles in risk oversight. Without clarity on ownership of specific responsibilities, redundancies and lapses can occur.
The practice of role definition helps establish a clear mandate for risk oversight by the board and offers management a blueprint for the execution of risk management.
Is there a common understanding among management, the board, and board committees about their respective roles, responsibilities, and accountabilities on strategy?
2.) Understand the Company’s Risk Profile. Especially in light of the new environment, all board members should be aware of the company’s key risk exposures, which collectively are referred to as the company’s risk profile. Oversight of any business requires understanding the major risks that it faces now and in the future, and making decisions accordingly. Although the universe of risks that a company faces may be almost limitless, a company’s risk profile is the composite (and analysis) of the most pressing risks that impact strategy and reputation.
What are the strategic assets we must protect at any cost? Are they at greater risk now?
3.) Define the Company’s Risk Appetite. Companies take risks in order to grow and compete in the marketplace, yet they need parameters for how much risk they are willing to accept. The board plays a critical role in defining the boundaries of risk for the company.
Given our risk profile, strategy, and the uncertainty surrounding the current business environment, what risk appetite should our company have? Have we clearly cascaded our risk appetite into decision-making processes at the level of operations?
4.) Integrate Strategy, Risk, and Performance Discussions. All too often, risk and business performance assessments are divorced from the strategy process in the organization. These silos increase the likelihood of poor, costly decisions.
When we discuss strategy in this evolving environment, how do we consider both risks to the strategy and the risks inherent in our chosen strategy?
5.) Ensure Transparent and Dynamic Risk Reporting. Risk reporting must reach the right people with the right information. Reports should not be limited to the metrics mandated by external disclosure rules—they should include all the information the board needs to assess the company’s risk exposure. Similarly, reporting should be dynamic, taking into consideration the velocity by which existing risks change or new risks emerge.
What is the threshold for risk-related reporting to the board (e.g., categories of risk, specific issues or incidents)? What situations may call for greater board engagement (e.g., perceived management failure to disclose or address a critical risk)? Do we have a protocol that defines these situations?
6.) Reinforce Clear Accountability for Risk. The management of risk in today’s often-extended enterprise is complex, with executive teams typically transferring ownership of risks to specialist functions. But examination of recent risk disasters reveals that diffuse accountability for risk management is a major problem.
As we reward our executives, do we take into account their ability to anticipate and manage risk? Are accountability for and performance in managing risks effectively embedded in incentive structures at all levels of the organization? How far down the reporting chain do our incentives for risk management excellence go?
7.) Verify That Mitigation Reduces Risk Exposure. The success or failure of risk mitigation is often underreported, leaving boards with a limited understanding of whether or not risks are effectively minimized over time.
Do we clearly differentiate between risks that can and cannot be mitigated? Are our mitigation plans realistic? Do we understand that mitigation does not mean elimination? Have we clearly communicated our expectations for reporting on risk mitigation?
8.) Assess Risk Culture. Culture is often described as how work really gets done when no one is looking, and it is critical to ensuring a successful and sustainable strategy. More specifically, risk culture is a critical subset of overall corporate culture defined as the behavioral norms inside a company that drive both individual and collective risk decisions. A well-balanced risk culture can unleash innovation, and deter fraud and abuse.
Do we have a culture in which staff at all levels know what risks to take and what risks to avoid? How willing are employees to speak up about problems that can cause significant risk to the organization?
By adopting the above eight practices, directors can help their companies prepare for risks in 2017 and beyond.
Recently, the world’s largest ongoing study of the internal audit profession—the Global Internal Audit Common Body of Knowledge (CBOK)—was completed by the Institute of Internal Auditors (IIA) and Protiviti to ascertain expectations from key stakeholders regarding internal audit performance at organizations of varying operational models and sizes. The study sought input from members of audit committees all over the world about their expectations of the internal auditor’s role in the organization. We think all directors will find the results of the study applicable to their work in the coming year and beyond.
Below are six imperatives for internal auditors from the CBOK study based on feedback from audit committee members.
1. Focus more on strategic risks. According to the CBOK study, two out of three board members believe internal audit should have a more active role in evaluating the organization’s strategic risks. Study respondents indicated that internal audit should focus on strategic risks (as well as operational, financial and compliance risks) during audit projects (86 percent) and periodically evaluate and communicate key risks to the board and executive management (76 percent). Accordingly, chief audit executives (CAE) must focus their function sufficiently on the bigger picture to think more strategically when evaluating risks, proposing risk-based audit plans, and formulating audit findings. By understanding the organization’s business objectives and strategy, and identifying risks that create barriers to the organization achieving its objectives and executing its strategy successfully, the CAE increases internal audit’s value proposition.
2. Think beyond the scope. The call for internal auditors to think strategically leads to another challenge: thinking beyond the scope of the audit plan. Thinking beyond scope means, for example, that the auditor should:
“Connect the dots” when considering enterprisewide implications of the findings of multiple audits, particularly findings with significant business model underpinnings;
Broaden the focus on operations, compliance, and nonfinancial reporting issues; and
Watch for patterns or signs indicating a deteriorating risk culture.
By focusing more broadly on the implications of audit findings, and thinking beyond the expressed or implied boundaries set by the audit plan, internal audit is better positioned to deliver stronger, more practical, and harder-hitting recommendations aligned with what directors are seeking.
3. Add more value through consulting. In today’s era of slower economic growth, a high premium is placed on operational effectiveness and efficiency. The CBOK study respondents picked up on this point, as 73 percent of respondents recommended that internal audit advise on business process improvements. For example, consulting activities by internal audit can result in: strengthening of the lines of defense that make risk management work; more effective collaboration with other independent functions focused on managing risk and compliance; improvements in the control structure, including greater use of automated controls; and suggestions for improving and streamlining compliance. These study findings underscore the benefit of investing in consulting services that will strengthen business processes.
4. Facilitate effective, high-quality communication. Board members generally rate internal audit’s communication at a high level of confidence. For example, a large majority of directors give high scores for the quality (83 percent) and frequency (81 percent) of internal audit’s communication. That’s good news and a great foundation on which to build the board’s satisfaction with the internal auditor’s role.
5. Elevate stature and perspective. Intentionally positioning the CAE and internal audit within the organization is vitally important to their ability to meet elevated expectations. Access and perspective have always been keys to positioning. Access has typically been attained through direct reporting to the audit committee, as well as to the C-suite. But beyond these reporting lines, the study reports that two out of three board members rank the CAE’s participation in board settings beyond the traditional audit committee meetings as an effective strategy for broadening the CAE’s perspective. The board settings that are relevant in this context must be defined by directors to fit the organization’s specific needs. However the goal is defined, increased access to and more frequent interaction with the board broadens the CAE’s perspective of the organization and elevates the stature and visibility of the internal audit function within it. It also enables the CAE to establish relationships with directors, understand their views on addressing competing audit priorities, and earn the right to be viewed as a valued source of insight for the board.
6. Align with stakeholder expectations. In most organizations, not all stakeholders see eye to eye or want the same value from internal audit. This reality creates a significant challenge for CAEs tasked with building consensus among stakeholders. While directors may not expect their company’s CAE to address all of the above imperatives, they should initially and periodically assess whether internal audit is doing what matters based on previously-established imperatives. The CAE bears the brunt of the responsibility for addressing this challenge by articulating the value that a top-down, risk-based audit plan contributes to each facet of the organization, and by providing an assurance and advisory perspective that the board, executive management, and other stakeholders can understand.
Following are some suggested questions that directors may consider based on the risks inherent in the entity’s operations.
Does the board periodically evaluate the scope of internal audit’s activities and discuss whether modifications are needed in view of changes in company operations and the business environment? Is the board getting the insights it needs?
Does internal audit provide adequate attention to strategic risk issues, including barriers to the organization’s execution of the strategy?
Does internal audit have an appropriate mix of consulting and assurance activities?
Does internal audit have the stature and access necessary to maximize its effectiveness?
Jim DeLoach is managing director with Protiviti, a global consulting firm.