Documente Academic
Documente Profesional
Documente Cultură
In today’s connected world, events on the other side of the world can have a
significant impact closer to home. While terrorism, SARS, foot and mouth
grab the headlines, there are many other more mundane risks putting supply
chains under great pressure. Every headline grabbing corporate collapse
causes thousands of organisations to struggling to survive. The same can be
said about mergers, acquisitions, legal change and any other event that shifts
power in the supply chain.
Ask the board to describe what they want from Internal Audit and Risk
Management and their reply will be something along the lines of “to guarantee
that we meet our legal obligations, and to ensure that we manage our
business in a way that maximises the likelihood of achieving our corporate
goals”.
CORPORATE GOVERNANCE
The high level objective of the OFR is ‘to enable users to assess the
strategies adopted by the business and the potential for successfully
achieving them’. The OFR may contain qualitative and quantitative
information, and is aimed at an audience of all the organisation’s
stakeholders.
Two categories of information have been identified for inclusion in the OFR;
items that must always be included and those that would be included
‘whenever the directors judge them material’. These optional categories
include ‘corporate governance, values and structure; an account of key
relationships with employees, customers, suppliers and others; polices and
performance on environmental, community, social, ethical and reputational
issues; and receipts from and returns to shareholders’. For those
organisations operating in large networks, this requires them to understand
the risks as well as benefits contained within them.
Many organisations consider that they have reduced their total risk in this
outsourced environment; experience is showing us that this is not the case.
Toyota, Cisco, Ericsson and Land Rover, to name a few, have all suffered
major business disruption which has been inflicted by another member of their
network. With the adoption of lean and agile supply network, failure in one
part of the network can bring all its members to a standstill, costing the
network millions per day. Whether explicitly stated or not it is expected that
supply managers will take responsibility for the strategy and operation of
these networks, and that Internal Audit will assess how well they are
discharging their responsibility.
So what does this mean for the organisation and its Risk Management
activities?
Firstly the organisation must recognise how much of its total risk comes from
outside its legal boundary. My advice is that an organisation should accept no
more risk from its partners than it would internally. In fact it should consider
what its risk appetite is, irrespective of what the risk is or where it comes from.
Organisations with significant external risk must decide how to manage it.
Within the network environment both the range of risks and the amount of risk
increases (see figX). Today’s reality is that an organisation’s network can
enhance or diminish key intangible assets such as reputation and brand
value. It is also relevant to recognise that an organisation’s network is now
seen as an asset of the organisation.
Through the downsizing that normally follows outsourcing the focal company
will have dramatically reduced its expertise in the outsourced area. Not only
does this make the organisation more dependent, but it also reduces its ability
to assess performance (including risk management).
Network Location of
• Political
• Economic
External to the
organisation/
• Social
network
• Technological
• Legal
SOURCE OF RISK
•
• Corporate risk
That limits of acceptable risk are agreed with senior management and
• Financial risk
communicated throughout the organisation and to its partners in the
supply network.
•
• Product market risk
That partners in the network have robust risk management
ORGANISATION
• Where possible risk is transferred to the partner with management of
the risk built into the contract and forming part of the performance
review process.
Underpinning all the issues raised is the assumption that supply staff are
actively managing risk and that auditors have the skills and experience to
conduct a review of the area. In my experience neither of these assumptions
is correct. Although many organisations will formally manage supply network
variability, and on occasion review what they believe their main risks are, few
will have a formal risk management programme or train their staff to identify
and manage risk.
Audit groups will face a significant challenge in covering supply network risk.
Few will have any first hand operational experience of managing within a
supply network, and less will have received any specific training in this area.
Supply networks are complex and dynamic, and like most areas of business
do not lend themselves to a tick box review. The risks in each supply network
are different and the tolerance to risk will be highly context specific. While a
sound audit background and approach could raise really poor performance to
the attention of senior management, in the margins were most successful
groups operate, poor technical knowledge will be exposed. I have seen
organisations extend the responsibilities of their financial auditors into this
area, only to have the credibility of the whole function undermined by poor
assessments. To audit in this area an auditor must have an appropriate level
of skill, experience and be respected.
CONCLUSION
In the past decade supply networks have grown internationally and become
more complex. For some organisations over 80% of activities are purchased
from others. Risk in these supply networks more often comes from the other
members of the network rather than internally. With an increasing number of
stakeholders watching the activities within these networks, Internal Audit
groups need to ensure that business risk is identified and managed. To do
this they must ensure that they bring the appropriate skills and experience into
their group. Only in this way can they deliver what the board needs, and what
the law will require.