About Steven Minsky

Steven Minsky is CEO of LogicManager and co-author of the RIMS Risk Maturity Model for Enterprise Risk Management.

Vendor Risks: Preventing Recalls with ERM

Recall
In 2016 alone, there have been dozens of recalls, by food companies, car manufacturers, and vitamin producers, among others. Not only do these recalls greatly impact a company’s bottom line, they can also affect the health and safety of consumers. With this in mind, what can organizations—both within the food industry and otherwise—do to improve their chances of uncovering suppliers operating in subpar conditions? How can they mitigate the risk of recalls?

Customers of CRF Frozen Foods, for example, a full-line, individually quick frozen processing plant that packages fruits and vegetables for a variety of customers, recently had big problems when it was linked to a widespread listeria outbreak. Contaminated foods affected big-name distributors like Trader Joe’s, Costco and Safeway, and some customers fell ill as a result.

Even though a series of sanitation concerns and other facility issues at CRF had been exposed by regulators as early as 2014, the factory was allowed to continue operating and its customers weren’t notified.

Red flags raised by regulators aren’t always seen by the companies they’re most relevant to, however. The fact that these outbreaks occurred seems to demonstrate that customers’ vendor management practices either failed or simply weren’t robust enough to detect issues. It all comes down to effective enterprise risk management (ERM). ERM provides the tools and framework that allow any organization to standardize processes and effectively mitigate vendor risk.

An ERM approach is characterized by standard criteria, interdepartmental communication, and automatic alerts and notifications. It keeps everyone in the organization on the same page and ensures assessment results are always understandable and accessible. This eliminates redundancy in the risk management process. As a result, you can quickly and easily determine the last time your organization evaluated a supplier. Something as simple as a notification that regulators have published new requirements might save your organization from acquiring infected or defective products.

There are three general stages that apply to any successful risk management effort:

  1. Identify specific risks, followed by assessment and evaluation
  2. Implement tailored mitigation activities to address those risks
  3. Monitor those mitigations to ensure long-term effectiveness

The first step serves as the foundation for steps two and three. Without a proper understanding of what risks your organization faces, it is impossible to prioritize and mitigate them. Especially across multiple business departments or within supply chains—it is quite difficult to identify and account for every variable.

To keep up with vendors’ fluctuating conditions, teams need to systematically identify and assess risks, catching them as they crop up. Preventing assessments from becoming obsolete is the key to keeping a pulse on everything that may affect the business, therefore avoiding unwanted surprises.

Risk assessments also help determine the best way to allocate limited resources. Minimizing vendor-related risks needn’t be burdensome, however. It should be a streamlined process that, by enabling you to avoid harmful incidents, improves operational efficiency. Once your risk assessments reveal the areas of highest priority, you can determine exactly how to mitigate those concerns.

The Freedom of Information Act can be extremely helpful when it comes to your third-party risk management efforts. It grants all companies the right to ask vendors for specific information about plant processes, worker training, sanitation practices, and maintenance. Suppliers are required to be forthcoming with all information (when asked), and teams need to take advantage of this opportunity. It is an important part of the risk management equation and will help you understand your risks before disruptions occur.

Performing vendor risk assessments—in the form of inspections, questionnaires, and service level agreements—generates an enormous amount of data and information. This information is useful for mitigating risk, but only if it is up to date, consistent and distributed to the appropriate individuals. The Freedom of Information Act provides an opportunity to evaluate suppliers with robust risk assessments, and ERM provides the means to capitalize on that opportunity. Ad-hoc assessments of current and prospective vendors, without standardized processes, will only get your team so far.

Steps to Effective ERM

Capitalizing on your vendor assessment rights is only part of the equation. Without an appropriate means of processing, distributing, and making data actionable, you’re back at square one. To make sense of important data, follow these steps:

  1. Create a taxonomy: define relationships between risks, requirements, goals, resources and processes. If each area of the business uses its own system for identifying and classifying risk, the resulting information is subjective and unusable by other departments. There is also significant information overlap—and therefore waste. Use your existing information to create a standard for data collection with minimal work.
  1. Streamline with the standardized risk assessments identified in step one. Risk assessments can be conducted in many different formats and qualities. Use resources already in place and streamline the results using the standard from step one. The most effective way to collect risk data is by identifying the root cause, or why an incident occurred. Honing in on the root cause provides useful information about what triggers loss and your organization’s vulnerabilities. When you link a specific root cause to a specific business process, designing and implementing mitigations is simpler and more effective.
  1. Connect mitigation activities to each of the key risks in these processes. A risk taxonomy gives you a more holistic understanding of all the moving parts in your organization. This makes it easier to design mitigation activities.
  1. Connect incidents, complaints and metrics (for each business process) to mitigation activities. Typically, companies already dedicate many resources to monitoring business performance, collecting information about incidents, complaints and metrics. These processes are often inefficient and ineffective. Simply connecting them to mitigation activities, however, identifies the reason such incidents happen. You can then take straightforward corrective actions, meeting top priorities and allocating resources with forward-looking measures. Risk management, after all, is not about minimizing fallout after an incident, but preventing such an incident from happening in the first place.

To make this entire process effective, management must work to develop an enterprise-wide risk culture. ERM is not just an executive-level process, but should be pushed all the way to frontline managers, where everyday decisions are made and the risks are known—but resources are often absent.

Approach your vendor risk assessments as you would any other risk assessment—they should be reoccurring and standardized. Perform them regularly and evaluate the results with the same scale and criteria with which you evaluate all other risks. Finally, automate information collection and review so that reporting reveals cross-silo dependencies before these risks turn into scandals. The result will be increased vendor security and the prevention of surprises, at a fraction of the cost.

RIMS Risk Maturity Model: Resilience & Sustainability

The final attribute of the RIMS Risk Maturity Model should be of great interest to risk managers responsible for establishing an enterprise risk management (ERM) program. Without some level of business resilience and sustainability built into your program, the iterative, cultural changes that are created by the ERM process will wane and your exposure to loss events will increase.

Understanding Consequences

Traditionally, business continuity plans have focused on technology platforms, but resiliency means much more than ensuring that your information technology infrastructure is prepared for disaster recovery. Consider that the IT infrastructure that is the focus of your business continuity plans is likely to play a critical role in the execution of your mitigation activities (for example, a server that supports access rights and security). A lack of capability to explicitly identify relationships between these entities can result in huge increases in short term risk exposure at the worst possible time, as rapidly deteriorating business environments require even stronger change management ability.

Analysis Based Planning

The key is to determine the downstream dependencies and effects that various external events may have on your operations, and to re-evaluate and assess the potential impact of these events on a frequent basis. Typical business impact analysis (BIA) identifies critical functions, but does not account for a business area’s inherent risk exposures or confidence in mitigation plans.

An ERM approach prioritizes not just business functions, but also mitigation activity and emerging risks that require increased attention. These factors should be weighed against each other and reevaluated as part of the business continuity process. In fact, the concept of “Proactivity,” or the third dimension of the RMM assessment, is specifically geared to evaluate an organization’s ability to prepare for and manage surprises before they materialize.

Looking to integrate Business Continuity with Risk Management? Download our guide on Integrating Governance Areas with ERM.

RIMS Risk Maturity Model: Performance Management

In the study measuring effects of enterprise risk management (ERM) maturity—as  defined by the RIMS Risk Maturity Model (RMM) assessment—no attribute had a more meaningful impact on bottom line corporate value than Performance Management. The correlation is not an accident. While many organizations say they have an effective handle on risk, their ability to execute the policies and procedures they’ve put into place are severely lacking.

The sixth RMM attribute of ERM Maturity, Performance Management, measures the ability for an organization to execute vision and strategy through the effective use of a balanced scorecard.

Balanced Scorecard

The root of the balanced scorecard concept lies in the desire to turn complex but passive strategic plans into marching orders and commitment that can be executed on a daily basis. The methods of accomplishing this result are familiar to risk managers: developing standardized criteria, prioritizing activities, and monitoring results.

To execute the Balanced Scorecard concept, corporations typically have a whole host of measures for monitoring control activity effectiveness, but what is consistently lacking is a means to measure the effectiveness of how the control activity is addressing performance goals. Risk bridges this gap.

The Role of Risk

Every business faces the challenge of cutting costs and making changes. After all, all activities are critically important to someone. So how do you assure that the greater good of the organization gets prioritized?

Linking risk to performance for a risk adjusted decision addresses this challenge.

Examples of performance management in the absence of a risk-based Balanced Scorecard are widespread. BP knew back in 2002 that a lack of pipeline maintenance could result in “catastrophe,” but management instead prioritized the short term operational budget in the interests of cutting maintenance costs. More recently, the U.S. government has dealt with criminal investigations into the Veterans Health Administration’s inability to deliver care to U.S. veterans, due to “significant and chronic system failures.” In the case of the VA scandal, monitoring metrics were improperly controlled and focused on the wrong measures of success. The result was falsified reports created in the interest of demonstrating compliance with policy, rather than execution of strategy.

A Seat at the Table

Involving risk in strategic decision making is the essence of performance management. In every failure we’ve documented, the risks were known, but rarely given a seat at the table. Organizations with mature enterprise risk management (ERM) programs have empowered their risk managers to take action and use ERM tools to support and provide transparency to the organization’s strategic plan.

To learn how Enterprise Risk Management adds transparency and discipline to an organizations strategic planning and performance management process, watch our webinar, “What is Strategic ERM.

RIMS Risk Maturity Model: Uncovering Risk

The value of enterprise risk management comes from the ability to uncover and assess risk from not only the managerial, executive level of an organization, but also from the front line employees. Without penetrating the front line, critical risk and performance information is often overlooked.

Real-life examples of this failure are constantly in the news cycle, such as the recent failure of risk management by General Motors, in which faulty ignition parts in their vehicles resulted in massive recalls and tragedy. The issue was known at the front line level but was not uncovered and brought to the attention of those who could act upon the risk. Without an avenue to assign and elevate risk from the first level (the first line of defense), the error was repeated and left unaddressed.

How to Uncover Your Risks

Many organizations implementing ERM are at the stage where their risk assessments are conducted in interviews with executive level senior management. While these interviews are beneficial in addressing an organization’s more strategic risks and opportunities, it’s rarely a strategic risk that lands a company on the front page of the Wall Street Journal.

Before you can assign risk ownership, you have to provide an obvious method for the front line to elevate key concerns. One method is through frequent risk assessment in which the process owners can describe what can go wrong, but other avenues should be leveraged and may already be in place. Many organizations have similar programs—think whistle blower hotlines or anonymous incident reporting –but in order for these programs to be effective, the reports coming in must be tied back to a root cause risk.

The next component is risk ownership, making business areas responsible for what they control, and more importantly, measuring their effectiveness. For example, if we have a root-cause risk of staff competencies, the indicators, or actual occurrence of this risk could be identified as “errors or task misperformance.” In this manner, a methodology is built directly linking performance indicators and real life events to the root-cause risks. This framework can be applied across business units, allowing different silos to identify the same risks, but use unique performance indicators and metrics for their own department. This allows risk managers to capture front line variance while keeping a unified picture of enterprise risk.

The Effect on Risk Maturity

Ideally, the process of uncovering risks should be proactive instead of annual or semi-annual. Product launches, new projects and initiatives and reorganizations are all opportunities to identify risks and the ways in which they can be measured. The key then is providing end users with the tools they need to accurately assess risk—a standardized scale, set of criteria, and assessment dimensions such as impact, likelihood and assurance.

With the previous attribute, root-cause discipline, we structured our ERM program to be able to address common foundational issues rather than symptoms. Uncovering risk takes us one step further, tying in our root-cause risks to forward looking business performance metrics, so that we can actively identify, mitigate, and manage emerging risks to the organizations.

To learn more about uncovering your risks and taking the next step towards effective ERM, download our eBook on ‘5 Steps for Better Risk Assessments’.