In listening to companies discuss compliance in the areas of anti-corruption under the Foreign Corrupt Practices Act (FCPA), anti-money laundering (AML) or export control, one of the things that has consistently struck me is how siloed each of these groups invariably is within their company. Not only does this deny a company the ability to share a wide variety of talent and experiences, it can lead to the concept of what authors Robert Kaplan and Annette Mikes call the "functional trap" of labeling and compartmentalizing risk. In an article in the June issue of the Harvard Business Review, entitled "Managing Risks: A New Framework", they declare that good risk discussions must be integrative in order for risk interaction to be evaluated. If not, a business "can be derailed by a combination of small events that reinforce one another in unanticipated ways."
The authors posit that it is difficult for companies to accurately and adequately discuss risk for a variety of reasons. One of these reasons is the aforementioned silo effect which can lead to a lack of discussion by a wide group regarding a number of risks, for example compliance risk; reputational risk; brand risk; credit risk; human resources risk are but a few of the types of risks mentioned in their article. The authors believe that one of the ways to knock down these silos when it comes to a more complete management of risk is to "anchor their discussions in strategic planning, one integrative process that most well-run companies already have" in place.
I. VW do Brasil Risk Management Strategy
The authors cite to the example of Volkswagen do Brasil (VW) and the techniques used by its risk-management unit. Initially, the VW risk management unit uses the company's overall strategy map as a starting point for internal discussions around risk. For each objective that the company sets, the risk management group identifies risk events which might cause the company to fall short of its objectives. Based upon this risk profile, the group creates a "Risk Event Card" for each risk on the strategy map, "listing the practical effects of the event on operations, the probability of the occurrence, leading indicators and potential actions for mitigation." From this Risk Event Card, the risk management group creates a "Risk Report Card" which is a tool used to present and convey high level information to senior management within the company.
A. Risk Event Card for the Objective of a Smoothly Functioning Supply Chain
Guarantee reliable and competitive supplier-to-manufacturer processes
Interruption of deliveries
OvertimeEmergency freightQuality problemsProduction losses
Critical items reportLate deliveriesIncoming defectsIncorrect componentshipments
Hold daily supply chain meeting logistics, purchasing, QAMonitor suppliers' tooling to detect deteriorationRisk mitigation initiative: Upgrade suppliers' toolingRisk mitigation initiative: Identify key supply chain executive at each critical supplier
Mr. O. Manuel director of manufacturing logistics
From this Risk Event Card, the risk management group will next create the Risk Report Card. It is organized by strategic objectives and allows senior management to see at a glance "how many of the identified risks for each objective are critical and require attention or mitigation."
B. Risk Report Card For Satisfaction of Customer Expectations
Achieve market share growth
Satisfy the customer's expectations
Improve company image
Develop dealer organization
Guarantee customer-oriented innovations management
Achieve launch management efficiency
Increase direct processes efficiency
Create and manage a robust production volume strategy
Develop an attractive and innovative product portfolio
II. Risk Oversight Approach
The authors caution that beyond simply introducing a systematic process for identifying and mitigating key risks, companies should also employ a risk oversight structure. The authors discuss the experience of the Indian IT company, Infosys, which uses a dual structure. It consists of a central team that identifies general strategy risks and then establishes central policy, together with a specialized, decentralized functional team. This second team designs and monitors policies and controls in consultation with local business units. These decentralized teams have the authority and expertise to respond to changes in the company's risk profile coupled with the nimbleness and agility of being in the field to deal with smaller issues before they become larger problems for the central team back in the corporate office.
All three of the components identified by the authors are relevant for your compliance program. Just as it is important to perform due diligence on third party representatives, before execution of an appropriate contract; the real work is in managing the relationship. In risk management, you must identify and assess the risk but the real work begins in managing the risk. This is where the rubber meets the road.
Visit the FCPA Compliance and Ethics Blog, hosted by Thomas Fox, for more commentary on FCPA compliance, indemnities and other forms of risk management for a worldwide energy practice, tax issues faced by multi-national US companies, insurance coverage issues and protection of trade secrets.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2012
For more information about LexisNexis products and solutions connect with us through our corporate site.