…$17.2 billion in environmental damage; $62bn cost to BP. Left unchecked, poor corporate cultures can lead to disasters of great magnitude.
And BP's Deepwater Horizon disaster is just one example. Even if procurement does not own risk management, a deep and broad understanding of the business gives a unique ability to monitor and advise – a powerful skill that should be used. Here are some watch points
Hazards abound in modern business. A single employee can spark a crisis with a data leak, a hacker can down a company with one breach of security and a rogue leader can drive success onto the rocks with poor strategy.
With ever more complex interconnections spreading out between and within businesses, risk can be magnified, and a closed corporate culture that fails to manage these links or listen to employees is storing up trouble that can lead to irreversible damage. Just look at the parade of corporate catastrophes that continues despite established risk management methodologies and compliance efforts.
Adopting a holistic, corporate-wide approach is now seen as essential to minimising the instances of shock and building in resilience if trouble does occur. The key to achieving this approach is to focus on behaviour and culture, which may require fundamentally rethinking and challenging current attitudes to risk, according to the Roads to Resilience report by Cranfield School of Management. “Traditional risk management techniques, whilst essential, do not in themselves create a culture of resilience,” the report says. It adds that an organisation should put resilience at the heart of the strategy and part of the overall decision – and it will reap many more rewards.
Resilient companies encourage employees to be vigilant, to question what they see and, when risk is found, to communicate quickly to senior managers. This smart and responsive approach to risk tends to go hand in hand with being better at building brand and reputation, largely because they understand how their business and others tick and so can adapt their business model to gain an edge over rivals.
“Companies that are confident in their risk management have the confidence to be more enterprising and entrepreneurial thereby not only identifying risks but also seizing opportunities,” says the report. “Their staff and suppliers are motivated and loyal, they gain trust by being more dependable and achieve better results for shareholders.”
Procurement and supply chain teams can make a powerful contribution, with their experience in managing the complex and far-flung nature of today’s supply chains and their wide reach across the organisation. They are arguably best placed to spot internal problems, corner-cutting and to see supplier and market-related risks earlier than the highest management of the organisation.
Despite the fact that many procurement teams will not have a direct role in shaping risk strategies or monitoring risk, history shows the powerful role individuals have in spotting and raising concerns about practices inside the organisation and circumstances outside it. It is the companies that listen and enable these messages to reach a responsive board that fare best in minimising the damage when the unexpected happens.
So what marks out the good from the bad risk managers? Where did the worst victims go wrong and what did the more successful ones do to avoid trouble? We explore six bad business positions that led to spectacular fails and some better approaches.
Concentration of power
Enron is perhaps the most notorious example of disastrous concentration of power in the top management. The energy conglomerate’s CEO Kenneth Lay selected his board members from those who had business relationships with Enron, making them unwilling to challenge its dominant and long-standing chairman. The power of the top executives and the lack of oversight from the board enabled fraudulent behaviour, which led ultimately to the collapse of the business.
By contrast InterContinental Hotels Group (IHG) has established a robust approach to risk in its structure and culture, according to the Cranfield report. Risk management is embedded throughout the company, which strives to run great hotels guests love, and uses a franchise model, and a number of brands. The staff are encouraged and empowered to raise their concerns, even if this means asking awkward questions – because risk management protects reputation and brand. The non-executive directors are trained in risk management issues directly after they are appointed. They are then expected to provide objective and critical feedback.
Many organisations simply do not discuss material risks at a senior level because it is expected that doing so might prompt bad decisions or behaviour at board level. This puts the organisation at risk of groupthink, where obvious frailties will not be pointed out. A similar problem is the ‘risk glass ceiling’ where internal risk management and audit teams do not discuss received risks from higher up the organisation, including problems arising from the ethos, behaviour, strategy and perceptions at board level.
As part of its strategy to avoid rigid or siloed thinking around risk, American insurer AIG uses what it calls a Vulnerability Identification Process (VIP). It surveys thousands of employees to ask for their views on potential risks. This process helps flag emerging problems that may not be visible at board level and enables AIG to consider early action to head them off. IHG’s board meanwhile invites continual self-critiquing, inviting third-party feedback about board members’ freedom and capacity to raise issues and speak up. It is a reminder that consulting disinterested outsiders can help challenge embedded groupthink.
It is easy to pay lip service to issues while encouraging activities that go against them. Many banks’ approach to risk management revealed during the financial crisis is a good example of how invisible fragilities can build up despite apparently robust processes.
In the late 1990s and early 2000s, BP management focused on cost-saving and efficiency over a safety culture, which was seen as partial cause of the Texas City Refinery and Deepwater Horizon disasters that cost more than $60bn and left its reputation in tatters.
Yet, evidence shows that organisations with a deeper commitment to doing things right reap benefits. The London 2012 Olympic Delivery Authority won the prestigious RoSPA award for the safest construction of an Olympic stadium ever, delivering one of the most acclaimed Olympics ever, with the infrastructure and other enabling projects on time and on budget.
Outsourcing is often a convenient way for organisations to wash their hands of responsibilities, which then come back to haunt them, such as furniture and clothing brands that found themselves under fire for using unsafe sweatshop suppliers. The Hatfield and Potters Bar rail crashes, in 2000 and 2002, where there were a total of 11 fatalities, were partly a result of the increased complexity arising from the core activity of rail maintenance being outsourced to subcontractors.
Yet, again, those that don’t shirk responsibilities may benefit more widely than simply avoiding corporate scandal and reputational damage. Power station operator Drax, that has achieved five-star health and safety ratings, shares its risk management culture with the many contractors it engages. It is part of a wider and highly cautious approach to spotting and dealing with risk that the organisation believes gives it greater resilience operationally, strategically and commercially.
Risk of Employee crime
The admission of guilt and a £671m fine for historic bribery in China, India and other markets paid by jet engine maker Rolls-Royce to the UK and US authorities earlier this year was a reminder of the potentially catastrophic cost of employee crime. The revelations touched the car maker of the same name, even though it has been a separate company since the 1970s.
With longer supply chains, as well as increasing digital activity, commercial crime is becoming more complex and hard to spot, and as fraudsters become more ingenious, tech savvy and motivated by tough financial times. This trend will only increase and we may see the day when ‘seeker bots’ will outnumber flesh and blood fraudsters, testing a company’s cyber defences.
“At the heart of good fraud prevention lies the recognition that for business to work, you have to put trust in your staff and so ensuring your staff, customers and suppliers won’t want to commit fraud is the key,” says Richard Minogue, at fraud detection business Hibis. Employees are not controlled by the system – they are the control system, he says. “If there’s a fraud going on in the company its staff needs to know what the rules are, they also need to be willing to condemn it and to have the courage to communicate it.”
Training and awareness are thus essential, as is communication between departments. “Transparency is the enemy of fraud and corruption so legal, compliance and HR need to work as a team not in silos. Above all, put yourself in the shoes of a potential whistleblower, to gauge how successful your fraud prevention efforts really are, adds Allan McDonagh, a director at Hibis. “Ask, would you be a whistleblower in your own organisation? If not, there is something wrong – it is an organisation that does not want to listen and learn.”
Careless with data
Stories of business data theft and loss are common and costly, with high profile breaches coming through weaker supplier systems. US retailer Target was caught out after a hacker broke into its payment system through an insecure IT connection from its air conditioning supplier. That supplier had used a free version of anti-malware software. The hack cost Target $148m.
The Ponemon Institute tracks trends on data breaches and estimates that each lost record in 2016 cost a business $158 – a cost that could cripple a business that falls victim to a mass attack. It found a 22% likelihood of a data breach over 24 months, meaning that every business needs to work on the basis that a successful attack is highly likely to happen. Internal data breaches pose just as much risk as external hacks, and the safety culture is one key to mitigating risk here.
People are generally the weakest link, so consider what is the security culture and maturity like, awareness and training levels? Is there a plan in place for when a data breach happens? A swift, co-ordinated and appropriate response in the event of a breach or attack of any kind should repay the effort and expense.
New aircraft are among the most elaborate, detailed products of the modern era, and Airbus and Boeing both suffered profit loss and reputational damage from over complex projects. For Airbus, 530km of wiring in its new A380 super jumbo had to be replaced from scratch. The root of the problem was incompatible design software used by different consortium members but the problems were not picked up or passed on by middle managers. The crisis was discovered close to deadline and delayed the launch by two years, led to resignations at the top and hit earnings by €4.8bn.
Risk exposure can lie hidden in insurance too, as American International Group (AIG) found when the financial crisis hit the global economy in the late 2000s, revealing it had taken on excess mortgage risk without protection. It would have gone under if it had not been rescued by the US Treasury. Now AIT conducts vulnerability identification and near-miss reporting, and monitors accumulation of risks.
The procurement function has a great opportunity to spot and help mitigate problems from such complexity. Jaguar Land Rover used analysis to highlight suppliers that may not be keeping pace with rapidly increasing demand for its new models, and risk specialists to help its supply chain managers rationalise the supplier base. This cut its reliance on fragile suppliers and helped to improve its ability to monitor the capacity and capability of suppliers, and keep pace with demand for its vehicles.