Don't Put Yourself at Risk with an Ineffective Risk Management Strategy
What’s the greatest risk facing multinational companies today? Global economic meltdown, natural disaster, cyber terrorism? No. While these are all significant challenges to any organization, there is one danger that trumps them all: an ineffective risk management strategy.
With the ever-growing list of potential threats facing organizations today, a robust enterprise-wide risk management strategy is essential to protect your organization and its stakeholders. Yet, according to a recent executive survey by Deloitte LLP, 45% of respondents characterize their risk management programs as “only somewhat effective” or “not effective at all.”
As a result, these companies face the very real possibility of both significant financial losses and potentially irreparable damage to their brand if/when a major event disrupts their operations. For example, a weak risk assessment plan might overlook more subtle threats such as insufficient employee training in regulatory compliance.
This oversight could bring an organization into noncompliance with such requirements as the Foreign Corrupt Practices Act (FCPA), the Dodd-Frank Wall Street Reform and Consumer Protection Act, or the International Traffic in Arms Regulations (ITAR) and may result in substantial fines and/or the loss of business.
So, what can these companies do to better safeguard their operations? Though risk is obviously a very subjective concept, influenced by a wide variety of factors, in my experience there are certain elements common to every successful enterprise risk management (ERM) program: cross-organizational buy in, proactive risk assessment and a comprehensive business continuity plan.
The Common Good
As businesses have expanded and globalized over the past decade, many organizations have adopted a more decentralized approach to managing their operations. As a result, these companies are now challenged with not only synchronizing the functional silos of their business, but also satisfying various regional interests. To ensure a truly holistic, enterprise-wide risk management effort, it stands to reason that coordination and oversight of the effort be distributed among a diversified group of leaders representing the core elements of your business.
At Avnet, for example, we have assembled a cross-functional Risk Council that includes executive-level participation from Logistics, IT, Audit, Trade Compliance, Legal, Finance, Human Resources, Corporate Communications and all operating groups. The range of interests represented in this group gives us confidence that our key corporate objectives and strategies are being considered.
Once the Risk Council establishes risk priorities, risk owners are selected within the relevant business areas and are tasked with engaging in risk assessments, managing control plans and reporting risk exposures/actions back to the Council. In addition, Avnet has established a Risk Hotline to enable employees throughout the organization to report potential risks.
Tools of the Trade
Identifying risk priorities is among the most challenging steps in the development of an effective ERM program. Therefore, equipping your risk managers with structured and systemic assessment tools and resources to identify, assess, prioritize and manage risk is imperative. Avnet’s Risk Council relies heavily on two formal risk assessment methodologies: value at risk (VAR) and an internally developed risk assessment tool modeled after the traditional Six Sigma process failure modes and effect analysis (PFMEA) quality control process.
The VAR technique calculates the probability of an event, and then multiplies that number by the event’s anticipated cost. Though this method was originally developed for financial calculations, it has been widely adopted throughout the supply chain community to evaluate the optimal distribution of resources based on a methodical return on investment assessment.
The backbone of our Risk Council’s risk assessment activity is Avnet’s PFMEA-based risk assessment tool. This tool enables our Risk Council to assess risk priority through assigning ratings for severity, occurrence and detection and then determine what action to take: accept the risk, mitigate it, avoid it, or transfer it. As a result, Avnet is able to take a more proactive preemptive approach to risk management, so that we are controlling the risk, not the other way around.
As with any operational strategy, regular audits assure your time and resources are well spent. Risk is a very fluid concept, and must be managed in accordance with the ever-changing dynamics of your business. Once risk owners set their plans in motion, Avnet’s corporate audit team periodically reviews each risk plan against actual mitigation activities. This provides us with the timely feedback we need to update and modify our plans to optimize ongoing implementation.
Protect and Serve
Implementation of a structured and systematic method to identify, assess, prioritize and manage risks not only helps to define a company’s risk tolerance, but also prevent overzealous risk avoidance, which can stifle innovation and inhibit your company’s ability to capture opportunities. Remember, risk-taking is an inherent part of business progress. Your goal should not be to create a risk-averse organization, but a risk resilient one.
To achieve true business resiliency, your ERM plan must be the beginning, not the end, of the risk management process. At Avnet, we have found that by linking the disciplines of business continuity and enterprise risk management, we have a much clearer picture of our overall risk and we can then create a roadmap to assure that our response to a risk event is swift and efficient.
This integrated approach provides Avnet’s customers, suppliers and other stakeholders with the assurance that we have a robust process for identifying risk, reliable tools to assess that risk and a comprehensive plan that will enable us to react immediately to an event, and put a plan into motion that assures an acceptable level of business continuity.
There is no doubt that achieving a comprehensive enterprise risk management program is complicated and involves the coordination of a lot of moving parts, but when all the pieces come together, unified risk management approach can be a key competitive differentiator.
Gerry Fay is chief global logistics and operations officer with electronics distributor Avnet Inc.