Is Your Company Trying to Eliminate All Vulnerabilities?
How a top-down approach can help.
September 2, 2010
Strategic initiatives create corporate direction, which in turn is the force that drives many decision-makers to unwittingly introduce new risks to a company. Risks at the strategic level often present the most exposure and the potential to cause the most damage. Your company, for example, may be considering outsourcing production to overseas contract manufacturers. As a business strategy, such outsourcing promises greater efficiency. It allows your company to focus more attention and resources on value-added activities.
There are numerous risks associated with that strategy, though. What about potential political instability in a foreign country? Among other possible exposures, that presents reputational risk. Using online news sources to continually monitor political events abroad helps mitigate that risk.
What about reliability and product quality? Requiring appropriate ISO certification ensures that selected contract manufacturers meet internationally recognized standards for operational consistency and quality.
Outsourcing presents scalability and growth risks, too. Your company may want to proceed slowly with its outsourcing plans in case unforeseen difficulties arise. If that works out well, it may wish to increase outsourced production. At that point, assigning an onsite employee to every manufacturing location would provide additional oversight.
Every business strategy presents risks, and management must define the threshold or amount of risk it is willing to accept. Such definition assures that the residual risk remains at an acceptable level. It also provides direction for identifying and reducing related entity- and process-level vulnerabilities.
Strategic Emphasis Requires Leadership Commitment
The audit committee, board of directors and senior management — including the chief executive officer, chief risk officer and chief financial officer — must be engaged in addressing and reducing risks.
Senior management must emphasize the importance of ethical behavior, the need to protect company assets and the value of recognizing, addressing and reducing risks. Effective corporate governance also means defining and documenting steps for responding to adverse events.
A disaster recovery plan as a risk mitigation strategy for your company, for example, provides direction for dealing with the aftermath of a tornado, flood, hurricane or other catastrophe. When disaster strikes, there is the immediate devastation as well as the potential for prolonged business disruption. A disaster plan addresses those concerns and reduces the number of decisions that must be made under duress.
Such leadership provides institutional support for applying similar diligence throughout the organization.
Top-Down Approach Starts With the Most Crucial Risks
Your company cannot eliminate all vulnerabilities; some residual risk will always remain. By taking a top-down approach, you focus on the most crucial risks first; you assure that the residual risk remains within your company’s risk appetite.
This approach applies to any organization, in any industry. An oil company faces industry cycles of expansion and contraction, along with constant fluctuations in price. In response, it relies upon detailed actuarial analysis to project future price movements. That analysis also illustrates where current prices stand in relationship to upward or downward trends. Hedge contracts that establish fixed payment rates mitigate the risks of price fluctuations. Partnerships or joint-operating agreements with other companies further reduce risks.
Organizations operating in other business sectors face their own specific exposures. A regional company wishing to grow into a national entity, for example, faces risk from taking on too much debt to finance expansion or from not having strong enough internal functions in place to manage growth.
Crucial strategic risks vary over time as well. Negative industry publicity may pose a serious concern one year, while proposals for potentially adverse legislation could require attention the following year. Regularly evaluating emerging exposures protects strategic aims.
Strategic Focus Directs All Risk Evaluations
Addressing and mitigating risks at the strategic level reduces the likelihood or potential impact of adverse events as they relate to strategic aims. That strategic emphasis provides a foundation and direction for addressing and mitigating risks at the entity and process levels.
That emphasis uncovers opportunities at the entity and process levels, too. When Sarbanes-Oxley first became law, public corporations had to identify and mitigate IT vulnerabilities linked to financial reporting functions. They uncovered IT incompatibilities, inefficiencies and other concerns. Those discoveries, though, highlighted the long-term benefits of updating and streamlining IT systems and processes. The need to mitigate high-level exposures drove efforts to identify and reduce IT-related vulnerabilities throughout organizations.
Addressing Risks Requires Continuity
Compliance requirements change, global economic conditions fluctuate, technology advances and marketplace shifts unfold. Other internal or external exposures arise, too. To provide continuous long-term strategic value, the company must have a risk recognition process that identifies new possible exposures early. These risk-related efforts must be efficient, effective, sustainable and scalable.
Dashboard reporting systems provide efficient tools for monitoring key performance indicators (KPIs) in real time. Automating manual processes whenever possible promotes further efficiency and constant vigilance.
Incorporating best practices represents an effective means of continually addressing and mitigating risks. Your company may rely on vendors to process payrolls or online transactions. Requiring that a service provider supply a SAS 70 Type II report constitutes a best practice for outsourcing.
Efforts to identify and mitigate vulnerabilities must be sustainable. Deploying a 24-hour fraud hotline enables individuals to anonymously report suspicious conduct any time.
Efforts to limit vulnerability must be scalable, too. Embedding responsibilities for addressing and reducing risks within routine processes and work responsibilities provides that scalability.
Sustained Emphasis Delivers Lasting Value
Placing strategic emphasis on addressing and mitigating risks assures that your company’s identified risks do not exceed its risk threshold and that your organization’s risk appetite remains aligned with its business strategies.
That strategic emphasis focuses attention on anticipating change, rather than just reacting to it. The resources devoted to identifying and lessening vulnerabilities serve as vital long-term investments that sustain a competitive advantage.
Alyssa Martin, CPA, MBA, is the Dallas executive partner of Weaver, ranked the largest independent certified public accounting firm in the Southwest with offices throughout Texas. Contact her at 972-448-6975.