Supply chains are highly complex and are continuously exposed to a variety of internal and external risks. Whether today’s risk assessment techniques can assess tomorrow’s risk is a difficult question to answer. A recent industry study examines manufacturers' risk-assessment strategies, implementation, and evaluation to determine best practices in risk management.
The study, jointly conducted by Deloitte and the Manufacturers Alliance for Productivity and Innovation, looks at how manufacturing companies are assessing and responding to risks today and in the future. The study concluded that current operating environment demands a more analytical, agile, and clinical view through better use of technology, greater frequency of risk-assessment cycles, and embedding risk-management practices across an organization
Risk management: a manufacturers' perspective
Deloitte and MAPI conducted a risk-assessment practices study to gain insight into how manufacturing companies are assessing and responding to risks and how they plan to do so in the feature. Survey respondents consisted of 68 members of MAPI’s Internal Audit and Risk Management Councils with the majority of respondents in the revenue size of $1 billion to $10 billion in annual revenue. The survey respondents answered questions to their risk-assessment practices, the top business and information technology (IT) risks they face, and the intersection of risk management and strategic risk. Four main issues were examined (1) how is the risk landscape changing; (2) what unique risk aspects should manufacturers consider; (3) is risk ownership aligned to address the needs of the organization; and (4) can today’s risk assessment techniques address tomorrow’s top risks. The study also looked at how external/environmental factors, along with other factors, such as changing customers’ preferences, new products, new applications of technology, and manufacturing practices influence risk.
Executives identified the top five business risks and the top IT risks that they feel that their organizations will face three years from now, with innovation and cybersecurity topping the respective lists. The top business risks identified in order of priority were: (1) product design/development innovation; (2) transforming the business model to access emerging sources of demand (i.e., joint ventures, mergers and acquisitions, and alliances); (3) pricing/margin pressure resulting in overhead cost constraints; (4) talent and succession planning; and (5) fraud and corruption risks in emerging markets. From an IT perspective, the top IT risks that were identified by executives as the greatest that they will face three years from now were: (1) cybersecurity risk management; (2) mobile-device (i.e., smart phones and tablet) security; (3) cloud-computing risks; (4) sensitive data loss prevention; (5) maintenance/viability of complex, disparate and/or antiquated systems.
The survey also examined what unique risks that manufacturers should consider. The first set of risks involve current and future competitive capabilities, with innovation and talent management ranked as the highest priority business risks and risk management and data analytics as two important areas of investment. Data from the “2015 Skills Gap Study,” a recent analysis by the Manufacturing Institute and Deloitte, which examined manufacturing skill gaps, estimated that nearly 3.5 million manufacturing jobs will need to be filled over the next decade and that the skills gap is expected to leave those jobs unfilled. Eighty-two percent of executive respondents from the study believed that the skills gap will impact their ability to meet customer demand, and 78% said it will impact their ability to implement new technologies and increase productivity. Executives also said that the skills gap will impact their ability to provide effective customer service (69% reported as such) the ability to innovate and develop new products (62%), and the ability to expand internationally (48%). Executives reported that it takes an average of 94 days to recruit employees in the engineering/researcher/scientist fields and an average of 70 days to recruit skilled production workers.
Supply-chain risks were another area identified in the Deloitte and MAPI study with the key finding being that supply-chain risk assessment requires a multivariable approach. Key variables to factor into a risk model include: (1) macroeconomic risks around geopolitical pressures, regulatory environments, environmental/social responsibilities, and challenges in emerging markets; (2) value-chain risks related to development, planning, sourcing, production, and distribution; and (3) functional risks related to financial investments, human resources, and IT. The study defined a resilient supply chain as one that incorporates these factors and balances risk and costs to mitigate supply-chain vulnerability and improve supply-chain transparency through flexibility in sourcing, internal and external collaborations, and a strong control environment. An important consideration to achieve that control, suggested the study, is to employ an internal audit team charged with specifically considering the risk-management framework methodology, tools, and technology used by the business as well as the application of measurement techniques for monitoring supplier performance, availability and delivery of materials, and risk-sensing capabilities established by the business to monitor risk exposures within the supply chain.
In assessing the changing risk landscape, the study identified six main questions that manufacturers should consider:
1. How will the changing risk landscape affect future planning for internal audit and the organization?;
2. Is the outside-in view of risk the same as the view from the inside out?;
3. Is the return of investment of innovation and R&D programs effectively monitored?
4. How is velocity measured to identify rapid onset in the organization for the following: cyber attacks, talent marketplace for key roles, global supply/demand changes, onset of geopolitical risk, raw material/energy price volatility; pricing; and fraud and corruption?;
5. Has an appropriate cross-functional ownership team been identified for mitigation strategies for risk?; and
6. How will IT risks be identified and addressed timely in the future (i.e., security, social media, data loss, and other emerging risks?
Risk from an organization perspective
Risk management governance was also an important element examined in the Deloitte and MAPI study. The survey found that 93% of respondents said that risk-management oversight rests with the full board or audit committee, but only 2% of respondents reported having a risk committee. The chief audit executive (CAE) was the most frequently cited as the owner of enterprise risk management (ERM) with 28% of respondents using the CAE in that capacity, 24% using the chief financial officer and/or general counsel, and 17% using a dedicated risk management director or chief risk officer. The study identified the following questions that manufacturers should consider in addressing risk-management governance:
1. Does risk have a dedicated role at the board level with sufficient time and capability?;
2. Does the board receive frequent updates on the effectiveness of key risk actions?;
3. In management, who owns risk and ERM and who should own it in the organization?;
4. Do the organization owners have sufficient authority and credibility to drive action on key risks?;
5. Is risk identification/mitigation integrated with the strategic planning process?;
6. Does management meet frequently enough to identify and address material changes to the company’s risk profile?;
7. Are senior leaders held accountable for achieving commitments related to risk identification and mitigation strategies? ;and
8. Is internal audit objective to monitor the effectiveness of risk-management functions?
In addition to risk-management governance, the Deloitte and MAPI study examined the frequency of risk-assessment cycles. In characterizing the risk assessments of the manufacturers surveyed, the study found the following characteristics: (1) annual or semi-annual risk assessment (70% of respondents); (2) risk assessment generally consumes less than 500 hours of time for an average of 2% of internal audit’s available hours; (3) risk assessment is focused globally on the whole organization; (4) risk assessment is heavily based on interviews, workshops, or questionnaires; (5) risk assessment primarily focuses on evaluating the impact and likelihood of risk events; and (6) top risks do not change (two-thirds of respondents report that zero or less than 25% of risks change).
The study identified several key issues that manufacturers should consider in their risk-assessment approaches: (1) the strengths and weakness of the risk-assessment technique employed; (2) the frequency of risk-assessment activity and whether it can adequately identify emerging risks; (3) whether there is sufficient dialogue about risk topics at board and management levels; and (4) whether the dimensions of risk should be enhanced to include additional areas, such as velocity (i.e., rate/pace of changed and evolving risk). The study further identified additional questions that manufacturers should consider: (1) Are annual risk-assessment reviews sufficient?; (2) What are the board’s and management’s expectations in developing and effectively monitoring risk indicators?; (3) Should a management-led risk council be established to enable better risk dialogue and consideration; (4) What are some challenges in collecting relevant data to determine if risks are occurring and/or emerging?; and (5) Does the organization spend sufficient time analyzing the external view of the organization’s risks.
Enhanced risk management
Finally, the Deloitte and MAPI study identified what were the most and least successful risk-assessment practices. In offering these considerations, however, the study emphasized that the manner in which an organization establishes a risk-assessment program should fit the organization’s culture and risks. That said, the most successful risk-assessment practices were: (1) interviews; (2) periodic presentation of specific risk topics to board committee tasked with governance; (3) integration of risk assessments into strategic planning process with business units; (4) leveraging ERM or risk assessment committee with broad representation involvement of C-suite executives; (5) risk-scenario modeling; and (6) quantification of impacts.
The least effective risk-assessment practices identified in the study were: (1) questionnaires or surveys (too long and/or sent to too many); (2) risk models with too much complexity, detail, or subjectivity; (3) risk models that were too narrowly focused (e.g., only financial); (4) accepting “canned” or repetitive risk-mitigation responses; (5) excluding failures in risk management from previous years in current risk model; and (6) determining probability of risk and trying to quantify residual risk after risk mitigation.
The study concluded that manufacturers should consider several factors in the evaluating the value of their risk assessments: (1) integrate risk identification as part of the strategic planning process; (2) research potential disruptors to strategy, such as innovation; (3) identify mitigation and/or monitoring strategies to prioritize the highest risks; (4) prioritize action-oriented risk-mitigation strategies; (5) develop mechanisms for monitoring changes to strategic plan assumptions; (6) remove bias through the use of both internal and external data to provide objective benchmarks to monitor key assumptions and risks; (7) focus dialogue on continuous improvement for anticipating changing risk landscapes; and (8) make strategic risk a standing topic with the board and senior management.