Operational risk is the risk that one or more future events will impair the effectiveness or viability of the business model in creating value for customers and achieving expected financial results. These risks relate to the various activities along the value chain within which the organization’s business model operates – this includes the supply chain, customer fulfillment processes, human resources, information technology (IT), major channels, and key customers and ultimate consumers, among other things.
Generally, an operational assessment is directed to assess actual performance against quality, time, innovation and cost targets to identify critical gaps. Significant performance gaps lead to decisions around making appropriate midcourse corrections by analyzing root causes for the gaps, with the objective of determining actionable process improvements to close them. The question is whether this traditional approach to an operational review is sufficient in today’s business environment, where most enterprises are now “boundaryless.”
Over the past two decades, globalization, outsourcing, increased cross-border sourcing, IT and shared services centers have encouraged many organizations to consolidate facilities and streamline processes to eliminate nonessential and redundant activities as well as focus and automate remaining activities. The successive waves of total quality management, process re-engineering and Six Sigma process improvements have created a bias for strong supplier and customer relationships and tight coupling within supply chains and distribution channels with the objective of driving costs out of processes and products while adhering to established quality standards.
Decisions to decrease inventory levels; maintain a sole-source or single-source strategic supplier in any country of the world; and adopt just-in-time manufacturing and delivery techniques versus higher inventory levels, multiple suppliers and other “buffers” in the process; involve trade-off decisions where quality, time and cost considerations often win out over business continuity considerations.
Supply chain disruptions resulting from catastrophic events clearly illustrate that these trade-off decisions are not without risk. Accordingly, the appropriate risk assessment approach applied to operational risks suggests the need for an end-to-end extended enterprise view of the value chain, requiring consideration of looking upstream to supplier relationships – including the suppliers to critical suppliers – as well as downstream to channels, customer relationships and all the way to the ultimate end users.
In effect, the enterprise’s business relationships are just as important as its internal processes, personnel and systems, because they are inextricably linked to what makes the business model work. Therefore, an assessment of operational risk should take a “big picture” approach by focusing on the risk of loss of any of the key links in the chain.
What would happen to the organization’s business model if any critical component of the value chain were taken away or altered in a significant way through either a process failure or an unexpected catastrophic event? To illustrate, consider what the business impact might be if any of the following value chain elements were taken away: a strategic supplier of reasonably priced essential raw materials or other inputs, availability of power at a reasonable price, lines of credit and working capital, core employees essential to the business, critical systems and facilities, key distribution channels, transportation and logistics for delivering products, or major customer contracts. Put another way, at every stage of the value creation process, what would be the implications of a shortage, disruption or quality problem in a key input or output along the value chain, or the loss of a major customer? How long would the company be able to operate in one or more of these situations?
When evaluating operational risks, management should consider the following factors:
- The velocity or speed to impact, including whether the loss of any critical component of the value chain can occur without warning (i.e., does it smolder or is it sudden?)
- The persistence of the impact (i.e., the duration of time before the loss of the component can be replaced)
- The resiliency of the company in responding to a catastrophic event resulting in loss of a component
- The extent of uncompensated risks the company faces across the value chain (e.g., risks for which there is no apparent upside, such as increased warranty costs and/or product recalls, or the potential for significant environmental, health and safety exposures)
Operational reviews should do more than just compare actual performance to targets. Periodically, the above issues should be considered because every company faces a crisis sooner or later.
Questions for directors
Following are some suggested questions that boards of directors may consider, based on the risks inherent in the entity’s operations. Does management’s risk assessment process consider what would happen to the organization’s operations and business model if:
- A key supplier was lost through an unexpected catastrophic event, loss of infrastructure and/or disruption of essential transportation and logistics?
- Key components did not meet quality specifications?
- Major customers were to fail or consolidate, or major customer contracts were not renewed?
- Other critical components of the value chain – for example, vital raw materials, skilled labor, or power available at a reasonable price – were lost for any reason?
How Protiviti Can Help
As the board evaluates how to organize for risk oversight, Protiviti can assist it and executive management with identifying and assessing the enterprise’s risks and implementing strategies and tactics for managing risk. We help companies integrate their risk assessment process with their core business processes, including operations management.
Board Perspectives: Risk Oversight (Issue 40)