
INTERNAL CONTROLS ARE NO LONGER ENOUGH!

In today’s connected world, events on the other side of the world can have a
significant impact closer to home. While terrorism, SARS and foot and mouth
grab the headlines, there are many other more mundane risks putting supply
chains under great pressure. Every headline-grabbing corporate collapse
causes thousands of organisations to struggle to survive. The same can be
said about mergers, acquisitions, legal change and any other event that shifts
power in the supply chain.

Ask the board to describe what they want from Internal Audit and Risk
Management and their reply will be something along the lines of “to guarantee
that we meet our legal obligations, and to ensure that we manage our
business in a way that maximises the likelihood of achieving our corporate
goals”.

In highly integrated businesses the traditional risk management approach of
assessing internal controls is fairly well aligned with meeting the board’s
goals. But for organisations with significant outsourcing, internal controls are
not enough. Organisations must adopt processes that allow them to look
outside their organisation, and where possible influence the external
environment. With outsourcing exceeding 80% in some organisations, there
is little point in only reviewing internally.

CORPORATE GOVERNANCE

In July 2002 the UK Government published its white paper ‘modernising
company law’. Contained in the white paper is a recommendation that
companies over a certain size (basically the top 1500 companies) should be
required to prepare and publish an Operating and Financial Review (OFR).

The high level objective of the OFR is ‘to enable users to assess the
strategies adopted by the business and the potential for successfully
achieving them’. The OFR may contain qualitative and quantitative
information, and is aimed at an audience of all the organisation’s
stakeholders.

Two categories of information have been identified for inclusion in the OFR;
items that must always be included and those that would be included
‘whenever the directors judge them material’. These optional categories
include ‘corporate governance, values and structure; an account of key
relationships with employees, customers, suppliers and others; policies and
performance on environmental, community, social, ethical and reputational
issues; and receipts from and returns to shareholders’. For those
organisations operating in large networks, this requires them to understand
the risks as well as benefits contained within them.

A CHANGING RISK LANDSCAPE


So what’s happened to change the risk landscape? As organisations have
outsourced globally to focus on core competencies, and seek out low cost
resources, they have created large and complex supply networks. Supply
chain, or more accurately supply network, can be an ambiguous description.
For the purposes of this article I use the definition provided by Cranfield
University: “the network of organisations that are involved, through upstream
and downstream linkages, in the different processes and activities that
produce value in the form of products and services in the hands of the
ultimate customer”.

Many organisations consider that they have reduced their total risk in this
outsourced environment; experience is showing us that this is not the case.
Toyota, Cisco, Ericsson and Land Rover, to name a few, have all suffered
major business disruption which has been inflicted by another member of their
network. With the adoption of lean and agile supply networks, failure in one
part of the network can bring all its members to a standstill, costing the
network millions per day. Whether explicitly stated or not it is expected that
supply managers will take responsibility for the strategy and operation of
these networks, and that Internal Audit will assess how well they are
discharging their responsibility.

AN EXPANDING ROLE FOR INTERNAL AUDIT

So what does this mean for the organisation and its Risk Management
activities?

Firstly the organisation must recognise how much of its total risk comes from
outside its legal boundary. My advice is that an organisation should accept no
more risk from its partners than it would internally. In fact it should consider
what its risk appetite is, irrespective of what the risk is or where it comes from.
Organisations with significant external risk must decide how to manage it.

The single biggest challenge in managing supply network risk may be
identifying a senior management owner within the organisation. In my
experience the individual elements of the supply network are still managed by
the traditional silos of purchasing, logistics, manufacturing, marketing etc.
While this complicates the challenge, it also represents an opportunity for
Internal Audit to act as a consolidator of supply network risk information, and
to ensure consistency across disciplines and business units.

Within the network environment both the range of risks and the amount of risk
increase (see figX). Today’s reality is that an organisation’s network can
enhance or diminish key intangible assets such as reputation and brand
value. It is also relevant to recognise that an organisation’s network is now
seen as an asset of the organisation.

Through the downsizing that normally follows outsourcing the focal company
will have dramatically reduced its expertise in the outsourced area. Not only
does this make the organisation more dependent, but it also reduces its ability
to assess performance (including risk management).

[Figure: location of source of risk. External to the organisation/network:
political, economic, social, technological, legal, environmental. Internal to
the organisation/network: corporate risk, financial risk, product market risk,
operational risk.]

ADDITIONS TO THE AUDIT

I’m not going to tell experts what a risk management programme should look
like, or how to audit it, but I would suggest that assessments of supply
networks would include the following:

• The organisation or specific business units conduct an assessment of
the inherent risks associated with the structure of its supply networks.

• That, having identified unacceptable risks within the supply network,
actions have been taken to reduce either the impact or probability to an
acceptable level. Research from Cranfield University indicates that
less than 50% of organisations have business continuity planning or
crisis management procedures for the loss of suppliers, and less than
25% plan for pressure group action.

• That limits of acceptable risk are agreed with senior management and
communicated throughout the organisation and to its partners in the
supply network.

• That partners in the network have robust risk management
programmes of their own. It is interesting to note that a study by the
Chartered Management Institute (2002) found that only 9% of
companies that outsourced activities insisted on their outsourced
partner having business continuity plans.

• Where possible, risk is transferred to the partner, with management of
the risk built into the contract and forming part of the performance
review process.

• A supply network risk register is maintained and monitored and where
possible preventative actions are taken.

Because of the vast and complex nature of supply networks, branded
organisations will ultimately have to trust the members of the network to
manage the risks they own. However, the branded (focal) organisation must
spot changes in the supply network structure and assess whether they alter
the overall level of risk in the network. Environmental scanning should identify
new laws or changing political agendas that would impact a whole industry.
Perhaps more importantly it should identify changes within the network that
could impact its stability. Mergers and acquisitions, demergers and partners
with financial difficulties are obvious examples. Less obvious may be the
implication of a major supplier landing a huge new order or the impact of
changes in an associated industry. Whenever power bases shift, supply
network risk needs to be reviewed.

NEW TALENTS REQUIRED

Underpinning all the issues raised is the assumption that supply staff are
actively managing risk and that auditors have the skills and experience to
conduct a review of the area. In my experience neither of these assumptions
is correct. Although many organisations will formally manage supply network
variability, and on occasion review what they believe their main risks are, few
will have a formal risk management programme or train their staff to identify
and manage risk.

Audit groups will face a significant challenge in covering supply network risk.
Few will have any first-hand operational experience of managing within a
supply network, and fewer will have received any specific training in this area.
Supply networks are complex and dynamic, and like most areas of business
do not lend themselves to a tick box review. The risks in each supply network
are different and the tolerance to risk will be highly context specific. While a
sound audit background and approach could raise really poor performance to
the attention of senior management, in the margins where most successful
groups operate, poor technical knowledge will be exposed. I have seen
organisations extend the responsibilities of their financial auditors into this
area, only to have the credibility of the whole function undermined by poor
assessments. To audit in this area an auditor must have an appropriate level
of skill and experience, and be respected.

CONCLUSION

In the past decade supply networks have grown internationally and become
more complex. For some organisations over 80% of activities are purchased
from others. Risk in these supply networks more often comes from the other
members of the network rather than internally. With an increasing number of
stakeholders watching the activities within these networks, Internal Audit
groups need to ensure that business risk is identified and managed. To do
this they must ensure that they bring the appropriate skills and experience into
their group. Only in this way can they deliver what the board needs, and what
the law will require.

Summary of the Author

Richard is the founder of Core Risk. He has a practical and academic
background in both risk and supply networks. More information about Core
Risk can be found at www.corerisk.com, and Richard can be contacted at
richard@corerisk.com.
