The Risk Assessment component of the COSO compliance framework requires the identification and classification of all the risks that could prevent the organization from reaching its goals, including its ability to produce timely and accurate financial statements. Just reading that statement probably overwhelmed you; identifying all the risks would be an almost never-ending task! That is what makes the Risk Assessment seem daunting, and it is surely why people are reluctant to undertake such an endeavor.
Risks include everything, whether or not we can control them and whether they are internal or external in nature: weather interruptions, computer system failures, personnel problems, fraud, suppliers, customers, competition, market conditions, global events, political shifts, regulatory restrictions and reporting requirements, internal discord or chaos, departmental politics, dysfunctional computer systems, and so on. The inability to identify risks adequately is a risk in and of itself.
Each risk must be analyzed and classified according to characteristics such as source, severity, frequency, and impact. In terms of supply chain governance, we must identify the risks that could disrupt our supply chain. Because the supply chain is both internal and external, we must look holistically at our operations and at the impediments to their optimal performance. The more risks we identify, the more integrity we instill in our supply chain, and the more integrity our supply chain has, the more likely our organization is to meet its goals and produce the first-quality outputs, whether products, services, or financial statements, that are expected of us.
Vendor scorecards are a common means of measuring a supplier's performance, and they can warn us of a supplier who may put our supply chain at risk. Common vendor scorecard metrics include on-time shipments, fulfillment percent, back order rate, and failure rate. Underperforming suppliers can cause order fulfillment delays, downtime, and product quality failures. A note of caution: the organization must be capable of performing the vendor scorecard analysis accurately; it must, in effect, be better at measuring than the best vendor is at performing. Training and technology tools are an absolute requirement for monitoring and judging a supplier's performance accurately. Failing to do so is not only unfair to the supplier but also puts the organization at risk in the relationship: a supplier penalized on the basis of bad data may raise its prices to cover unwarranted charge-backs, or may look to sever the relationship with the customer.
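The four scorecard metrics named above, computed from a small set of constructed order lines, with underperformers flagged against thresholds. This is an added illustration, not code from the article or from Katzscan; the supplier names, order quantities and threshold values are invented, and the record layout is an assumption. In keeping with the caution in the paragraph above, the records are validated before anything is scored: a scorecard built on inconsistent data (more units shipped than ordered, more units rejected than received) would penalize a supplier unfairly.

```python
"""Vendor scorecard from constructed order-line records (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class OrderLine:
    supplier: str
    ordered_qty: int
    shipped_qty: int   # units actually shipped against this line
    on_time: bool      # shipped by the promised date
    backordered: bool  # part of the line was placed on back order
    failed_qty: int    # units rejected at receipt/inspection


# Constructed sample data; these are not real suppliers or orders.
SAMPLE_LINES = [
    OrderLine("Acme Fasteners", 100, 100, True, False, 0),
    OrderLine("Acme Fasteners", 250, 250, True, False, 2),
    OrderLine("Acme Fasteners", 80, 80, True, False, 0),
    OrderLine("Acme Fasteners", 120, 120, True, False, 1),
    OrderLine("Bolt Bros", 200, 150, False, True, 10),
    OrderLine("Bolt Bros", 50, 50, True, False, 0),
    OrderLine("Bolt Bros", 300, 200, False, True, 25),
    OrderLine("Bolt Bros", 40, 40, True, False, 0),
]

# Illustrative thresholds (assumed); tune per commodity and supplier tier.
THRESHOLDS = {
    "on_time_rate": 0.90,    # minimum acceptable
    "fill_rate": 0.95,       # minimum acceptable
    "backorder_rate": 0.10,  # maximum acceptable
    "failure_rate": 0.02,    # maximum acceptable
}


def validate(lines):
    """Reject records that cannot be right before they distort a score."""
    for i, line in enumerate(lines):
        if line.ordered_qty <= 0:
            raise ValueError(f"line {i}: ordered_qty must be positive")
        if not 0 <= line.shipped_qty <= line.ordered_qty:
            raise ValueError(f"line {i}: shipped_qty outside 0..ordered_qty")
        if not 0 <= line.failed_qty <= line.shipped_qty:
            raise ValueError(f"line {i}: failed_qty exceeds shipped_qty")
        if line.backordered and line.shipped_qty == line.ordered_qty:
            raise ValueError(f"line {i}: fully shipped line marked backordered")


def scorecard(lines):
    """Per-supplier metrics: on-time rate, fill rate, back order rate, failure rate."""
    validate(lines)
    by_supplier = defaultdict(list)
    for line in lines:
        by_supplier[line.supplier].append(line)
    cards = {}
    for supplier, rows in by_supplier.items():
        n = len(rows)
        ordered = sum(r.ordered_qty for r in rows)
        shipped = sum(r.shipped_qty for r in rows)
        failed = sum(r.failed_qty for r in rows)
        cards[supplier] = {
            "lines": n,
            "on_time_rate": sum(r.on_time for r in rows) / n,      # share of lines on time
            "fill_rate": shipped / ordered,                        # fulfillment percent
            "backorder_rate": sum(r.backordered for r in rows) / n,  # share of lines backordered
            "failure_rate": failed / shipped if shipped else 0.0,  # rejected share of received
        }
    return cards


def flag_underperformers(cards, thresholds=THRESHOLDS):
    """Return {supplier: [metrics breached]} for suppliers outside the thresholds."""
    flagged = {}
    for supplier, m in cards.items():
        reasons = []
        if m["on_time_rate"] < thresholds["on_time_rate"]:
            reasons.append("on_time_rate")
        if m["fill_rate"] < thresholds["fill_rate"]:
            reasons.append("fill_rate")
        if m["backorder_rate"] > thresholds["backorder_rate"]:
            reasons.append("backorder_rate")
        if m["failure_rate"] > thresholds["failure_rate"]:
            reasons.append("failure_rate")
        if reasons:
            flagged[supplier] = reasons
    return flagged


if __name__ == "__main__":
    cards = scorecard(SAMPLE_LINES)
    for supplier, m in cards.items():
        print(supplier, {k: round(v, 3) if isinstance(v, float) else v for k, v in m.items()})
    print("flagged:", flag_underperformers(cards))
```

On the sample data, Acme Fasteners passes every threshold and Bolt Bros is flagged on all four metrics. The rates are computed per line for timeliness and back orders and per unit for fill and failure, which is a design choice; a scorecard should state which basis it uses so that supplier and customer are arguing about the same number.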
Customer sales analysis can help prevent the overstocking of goods that follows an unnoticed reduction in sales order volume or quantity, which ties up cash and storage space in products that may not sell. Conversely, the failure to notice an increase in sales order volume or quantity leads to a rush to produce, which may require overtime, additional production capacity, or expedited shipping to rescue orders delayed by longer production times; those delays are themselves caused by a lack of capacity or of raw materials, which may in turn have to be brought in by expedited shipping.
These types of risk analysis also help protect the organization's available cash position: they control unnecessary costs, compare expected with actual expenditures and income, and head off greater losses by reviewing trends. Thus the Risk Assessment exercise is not static but fluid, and it is not merely reactive but can very much be proactive. The more proactive the organization is in its risk assessment, the less reactive it will have to be when risks materialize; damage control is often a very expensive proposition, and can cost more than mitigating the risk in the first place.
Due diligence must be done, to the best of the organization's ability, to identify risks. This requires a very objective and introspective look at how the organization performs, and like any self-analysis it may be a revealing and somewhat painful process. Personal politics and pride must be set aside, especially when it comes to identifying risks that are created internally. Via the Control Environment, management at all levels must set the right tone and example of collaboration for the good of the organization.
Internal risks born of pride and politics include forcing employees to reach unattainable goals; creating bottleneck processes or departments; failing to train or empower employees in the performance of their tasks (through the use of the proper tools, whether a functioning welding machine or software); management refusing to let employees communicate problems upwards; and making employees, or even whole departments, responsible for tasks or data that are better suited elsewhere. All this internal discord hides many risks to organizational excellence, and yet these seem to be the risks most difficult to expose and fix.
A fresh coat of paint on an old car or an old house does not fix the problems underneath; it only hides them until they are exposed, often larger and more damaging than before, having had time to fester, spread to previously well-functioning areas, and grow. Let your organization's risk assessment start with the low-hanging fruit: which risks are easily identifiable, controllable, and easily correctable? As these risks are identified and addressed, the rest of the organization will take note, and as a side benefit the tone of the organization will improve.
Our thanks to this article's author, Norman Katz, CFE, President of Katzscan, Inc. (www.katzscan.com). Katzscan, Inc. is a consulting firm located just 20 minutes north of Fort Lauderdale, Florida, specializing in supply chain technologies and operations. Norman graduated from the University of Florida in 1985 with a Bachelor of Science degree in Business Administration, majoring in Computer Information Sciences. Norman is a Certified Fraud Examiner, a Florida licensed Private Investigator, and holds a Certification in Corporate Governance from Tulane University College of Law. Information on detecting and reducing fraud in the supply chain can be found at www.supplychainfraud.com. Information on supply chain governance can be found at www.supplychainsox.com. Norman can be e-mailed through his web sites or contacted by telephone at 954-942-4141.
DISCLAIMER: This Corporate Governance article is provided as an informational resource and does not constitute legal advice. The information provided in this article is based on the laws in effect at the time the article was published. Laws related to this article’s topics may change over the course of time. Visitors to this website should not rely upon or act upon this information without seeking professional legal counsel.