Tag Archive: Risk Oversight

Four Exercises for Contemplating Digital Readiness

Published by
Jim DeLoach


Over the next few years, the digital revolution will force many organizations to undertake radical change programs and, in some cases, completely reinvent themselves to remain relevant and competitive. Ask executives and directors what their company’s biggest threats are, and chances are the answer will include the threat of disruptive innovation. That said, is disruptive innovation sufficiently emphasized on the board agenda?

Our experience indicates that most boards do not fully grasp the opportunities and risks associated with digital transformation. There are four important activities for organizations to consider as they contemplate what digital means to their business and strategy.

1. Assess digital competencies. Protiviti’s original research has identified more than 30 competencies at which digital leaders excel. These competencies consist of empirically supported capabilities and structural characteristics that can be used to benchmark the organization. They are arrayed across six core disciplines that many traditional businesses struggle with:

  • vision, mission, and strategy;
  • management and employee culture;
  • organization, structure, and processes;
  • communication, marketing, and sales;
  • technology innovation and development;
  • and big data, analytics, and automation.

An example of a competency related to “vision, mission, and strategy” is that executive management must have a clear understanding of the potential impact of digital disruption in the industry segments in which the organization operates and be able to articulate a clear strategic vision fit for the digital age. In addition, digital strategy-setting and review should be a continuous activity for the business and in the boardroom.

Competencies can be useful when plotting the path toward digital maturity. The strategy should reflect the competencies that currently define the organization and address the absence of those which present barriers to success. This is important because the digital age is forcing organizations to radically rethink how to engage with customers and pursue design breakthroughs for improving processes and functions continuously. That means they must balance outside-the-box thinking with the practical considerations of repositioning the business. Many strategies ignore these fundamental issues, resulting in a business that is digital on the edges but not at the core. Our view is that a truly digital business has a digital core.

2. Define and refine continuously the digital vision and strategy. Organizations need to make a conscious decision about whether they are going to lead as the disrupter of the industry or, alternatively, play a waiting game, monitor the competitive landscape, and react only when necessary to defend market share. For many companies, the answer may be somewhere in between. For organizations choosing not to actively disrupt the status quo, their challenge is to be agile enough to react quickly as an early mover. Few are ready for that challenge, however.

A leader of the organization must own responsibility for understanding the competitive landscape, the opportunities emerging technologies present, and the threats to existing revenue streams. Management must frame the digital vision and the strategic initiatives supporting it around the enterprise’s core competencies. The vision must reflect the direction in which relevant digital technology is trending. It should express how technology can elevate the company’s differentiating core competencies and deliver unique customer experiences. With technology and regulations changing, and innovation happening so rapidly, the business needs to review and refine its digital priorities constantly.

3. Define the target operating model. Too often policies, processes, and organizational structures get in the way of a business becoming and remaining digital. The key is to empower, trust, and monitor people, not control them. That’s a different way of thinking for organizations rooted in “command and control” structures. The business should clearly define where it’s going in its vision and strategy, and management must recruit and train the right people while ensuring that the enterprise’s policies, processes, and systems are suitable to compete in a digital world.

Accordingly, management should define the processes, organization, talent, methodologies, and systems comprising a future operating model that remains true to the company’s identity and brand promise. In the rush to become digital, the importance of policies that address the risks and ethical questions leaders must consider shouldn’t be forgotten.

With the current and future states defined, improvement plans should be developed to close the gaps based on industry best practices and reviewed with executive management and the board. The risks associated with the target state should be identified and assessed against the entity’s risk appetite. In this respect, management should be careful to avoid understating the hyper-scalable business model component of digital transformation. Digital thinking requires organizations to solve the problem of rapid growth and scalability by relying primarily on technology rather than people, as opposed to the traditional focus on scaling ahead of demand.

4. Align the organization with the needed change. Using digital technologies to improve products, services, and processes requires focus and discipline. To enable continuous or breakthrough change with confidence, buy-in must be obtained from executive management and the board for significant changes in strategy, processes, and systems. Support also is needed from business-line leaders, operating personnel, and process owners affected by the change. The communication of change and its implications must address why a digitally-focused culture is necessary for the entity to survive and thrive, and offer a compelling case that the interests of employees and the enterprise are inextricably tied to effecting change.

Depending on a director’s perspective, the exciting or worrisome truth is that the digital revolution is just getting started. Even when executives are aware of emerging technologies that obviously have disruptive potential, it is often difficult to have the vision or foresight to anticipate the nature and extent of change. That is why every organization must chart its own digital journey.

To that end, the board should be engaged in all of the above activities, from readiness assessment to organizational alignment. When addressing digital, directors should recognize the signs of organizational short-termism and executive management’s emotional investment in traditional business models. Ultimately, the board must ask the necessary questions to encourage management to advance the enterprise’s digital journey at a pace that will sustain the company’s sources of competitive advantage and market position.

Jim DeLoach is managing director of Protiviti. 

Seven Ways to Stronger Oversight of Supply Chain Risk

Published by
Jim DeLoach


One important source of operational risk relates to the organizations, people, processes, and resources comprising a company’s supply chain. In many sectors, companies increasingly depend on the external elements of the supply chain (e.g., suppliers, outsource partners, third-party logistics) in an effort to cut costs while increasing capabilities and global reach. Because every business depends on a well-functioning, cost-effective supply chain, every board should consider its oversight of supply chain risks. The following are seven suggestions for better board-level oversight of supply chain issues.

1. Strike the right balance when selecting a supplier. Time, cost, quality, and risk are four factors a company needs to consider when identifying potential suppliers, negotiating contracts, and evaluating supplier risk and performance throughout the lifespan of the contract. Boards should be leery when management emphasizes one or two factors over the others as this can result in unintended consequences. For example, seeking to reduce procurement costs when negotiating supply contracts should not lead to the unintended consequence of taking delivery of components that fail to meet critical quality specifications or timing requirements.

2. Make procurement decisions with an enterprisewide perspective. Striving for functional excellence is a laudable goal, but it has its limits. Companies can incur huge losses making procurement decisions in isolation, ignoring initiatives undertaken by the research and development, engineering and finance functions.

3. Ensure the supplier agreement spells everything out. When a contract clearly defines scope, business objectives, deliverables and performance specifications, it lays the foundation for ongoing monitoring of contract compliance and supplier performance and reduces the risk of costly disputes and misunderstandings. For example, the contract should clarify product and packaging specifications and quality control and inspection protocols so that performance can be monitored over time. It also should ensure that intellectual property and critical assets (e.g., proprietary molds and tools the company gives to the supplier) are adequately protected. Due to the complexity of managing suppliers operating in other countries, boards should ensure that the procurement process is supported by legal advisers knowledgeable of the applicable court jurisdictions, particularly in countries where laws, customs, and business ethics may vary.

4. Hold suppliers to the same level of accountability. The rigor of company processes for identifying, sourcing, measuring, monitoring, and reducing third-party relationship risks should be proportionate to the level of risk and complexity of those relationships. With respect to legislative and regulatory developments regarding disclosure of the actions a company has voluntarily undertaken to remove labor abuses from its supply chains, companies should seek the advice of counsel as to the status of these developments and the jurisdictions and circumstances in which they apply. Given this environment, a case can be made for adopting and enforcing a supply chain code of conduct—especially for vendors authorized to act as agents on behalf of the organization. Coupled with a code of ethics that details the principles and values by which the company operates, a code of conduct might address topics such as human rights, health and safety standards, environmental sustainability standards, ethical and responsible business behavior, and cybersecurity standards.

5. Conduct periodic third-party audits. A supply chain code of conduct is only as good as the vendors who sign it. That’s why a cost-effective third-party audit process is Such audits may be integral to the due diligence associated with vendor selection and onboarding. Conducted on a periodic basis, third-party audits may focus on: selected internal controls, such as cybersecurity; vendor performance against contract specifications; and compliance with laws and regulations. The audits may also be conducted before contract renewals.

6. Monitor supplier risk and performance over the life of the contract. The risk environment is not static over the life of the contract. All suppliers should be segmented based on factors such as risk, the level of spend, criticality, and alternatives in the market. The segmentation should drive the level of preselection due diligence, the contracting strategy, and the level and frequency of monitoring through contract duration. Ideally all facets of contract and supplier risk are addressed through performance reporting, including early warning alerts before it’s too late to act on a timely basis.

7. Pay attention to business continuity risk. There are many instances where a single-source supply strategy is the right business decision. In these cases, however, quality, time, and cost considerations often win out over business continuity risk considerations despite the risk of supply chain disruptions. Thus, risk assessments should consider what could happen to the organization’s business model if any key component of the supply chain were taken away, even though a cause may be somewhat elusive at the time of the assessment.

An assessment should also consider the implications of plausible and extreme scenarios stemming from the loss of strategic sources of supplies for an extended period, including exposure to data security risks and physical access to sensitive information, the financial impact, expected recovery time, and adequacy of current recovery and contingency plans. To illustrate, directors should inquire whether management has considered the following questions:

  • What would happen if we were to lose, for any reason, one or more of the suppliers that we depend on for essential raw materials and components?
  • How long would we be able to operate?
  • What if there were significant disruptions in transportation?
  • What contingency plans do we have?
  • Have our key suppliers performed their own risk assessments with respect to key “Tier Two” or “Tier Three” suppliers? How do we know?

The board should be informed of the results of these assessments.

8 Risk Oversight Practices to Master in 2017


Boards and executive teams are challenged by a fast-changing, highly interdependent, and often ambiguous external environment that continually creates unforeseen opportunities and risks. Volatility is the new normal. Not surprisingly, according to the National Association of Corporate Directors’ (NACD) most recent public company governance survey, global economic uncertainty ranks as the top trend corporate directors believe will impact their company in 2017. In yet another NACD poll conducted during a recent webinar, 49 percent of directors did not feel that management was providing them with a reliable view of the future.

The recent election of Donald J. Trump as President of the United States is likely to contribute to this growing sense of uncertainty, with the corporate director community evenly divided about the potential impact, according to the NACD webinar poll. Forty-two percent of directors report that his administration will be good for business, while 42 percent are unsure about the impact, and still another 16 percent believe that a Trump presidency will not be good for business.


In this complex, uncertain environment, what can boards do to gain more comfort from management that risks are accurately identified and well-controlled?

The International Standards Organization in ISO 31000 defines risk as “the effect of uncertainty on objectives,” which can be a negative or positive deviation from what is expected. More specific to business, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is currently defining risk as “The possibility that events will occur and affect the achievement of strategy and business objectives.” Each of these definitions of risk exposes a company to potential loss—indeed, yet another definition of risk authored by insurance professionals highlights risk as the possibility of loss. Yet when viewed as part of an active business dynamic, risk, as daunting as its manifestations may be, is far more than the chance of loss. Rather, risk is a level of uncertainty that can create economic opportunity.

The recently released Director Essentials: Strengthening Risk Oversight identifies eight leading risk oversight actions that directors can take to seize opportunities and avoid the loss possibilities inherent to risk. A brief outline of each action and a key question boards should consider asking follows.

1.) Clarify the Roles of the Board, Committees, and Management. The board, all board committees, and all members of senior management need to know their unique roles in risk oversight. Without clarity on ownership of specific responsibilities, redundancies and lapses can occur.

The practice of role definition helps establish a clear mandate for risk oversight by the board and offers management a blueprint for the execution of risk management.

  • Is there a common understanding among management, the board, and board committees about their respective roles, responsibilities, and accountabilities on strategy?

2.) Understand the Company’s Risk Profile. Especially in light of the new environment, all board members should be aware of the company’s key risk exposures, which collectively are referred to as the company’s risk profile. Oversight of any business requires understanding the major risks that it faces now and in the future, and making decisions accordingly. Although the universe of risks that a company faces may be almost limitless, a company’s risk profile is the composite (and analysis) of the most pressing risks that impact strategy and reputation.

  • What are the strategic assets we must protect at any cost? Are they at greater risk now?

3.) Define the Company’s Risk Appetite. Companies take risks in order to grow and compete in the marketplace, yet they need parameters for how much risk they are willing to accept. The board plays a critical role in defining the boundaries of risk for the company.

  • Given our risk profile, strategy, and the uncertainty surrounding the current business environment, what risk appetite should our company have? Have we clearly cascaded our risk appetite into decision-making processes at the level of operations?

4.) Integrate Strategy, Risk, and Performance Discussions. All too often, risk and business performance assessments are divorced from the strategy process in the organization. These silos increase the likelihood of poor, costly decisions.

  • When we discuss strategy in this evolving environment, how do we consider both risks to the strategy and the risks inherent in our chosen strategy?

5.) Ensure Transparent and Dynamic Risk Reporting. Risk reporting must reach the right people with the right information. Reports should not be limited to the metrics mandated by external disclosure rules—they should include all the information the board needs to assess the company’s risk exposure. Similarly, reporting should be dynamic, taking into consideration the velocity by which existing risks change or new risks emerge.

  • What is the threshold for risk-related reporting to the board (e.g., categories of risk, specific issues or incidents)? What situations may call for greater board engagement (e.g., perceived management failure to disclose or address a critical risk)? Do we have a protocol that defines these situations? 

6.) Reinforce Clear Accountability for Risk. The management of risk in today’s often-extended enterprise is complex, with executive teams typically transferring ownership of risks to specialist functions. But examination of recent risk disasters reveals that diffuse accountability for risk management is a major problem.

  • As we reward our executives, do we take into account their ability to anticipate and manage risk? Are accountability for and performance in managing risks effectively embedded in incentive structures at all levels of the organization? How far down the reporting chain do our incentives for risk management excellence go?

7.) Verify That Mitigation Reduces Risk Exposure. The success or failure of risk mitigation is often underreported, leaving boards with a limited understanding of whether or not risks are effectively minimized over time.

  • Do we clearly differentiate between risks that can and cannot be mitigated? Are our mitigation plans realistic? Do we understand that mitigation does not mean elimination? Have we clearly communicated our expectations for reporting on risk mitigation?

8.) Assess Risk Culture. Culture is often described as how work really gets done when no one is looking, and it is critical to ensuring a successful and sustainable strategy. More specifically, risk culture is a critical subset of overall corporate culture defined as the behavioral norms inside a company that drive both individual and collective risk decisions. A well-balanced risk culture can unleash innovation, and deter fraud and abuse.

  • Do we have a culture in which staff at all levels know what risks to take and what risks to avoid? How willing are employees to speak up about problems that can cause significant risk to the organization?

By adopting the above eight practices, directors can help their companies prepare for risks in 2017 and beyond.

For more NACD insight and support on board risk oversight, please visit our Risk Oversight Resource Center.