Ordered risk management

Ordered risk management for a manufacturing company in light of ISO 9001:2015

We have treated this multi-faceted topic, so dear to us, before. In today’s industrial world, especially in mature countries, the “lethal” risks for companies multiply and become a foundational element in the assessment of good corporate governance.

Alessandro Mazzeranghi

Today some important facts “force” us to return to this subject with even stronger emphasis. I will list them in chronological order:

• The fall in demand and price of commodities has caused a crisis for those entrepreneurs involved in the field - especially in shale oil - with insufficiently solid financial bases who counted on continuous market growth. The larger, stronger companies will go through hard restructuring processes; the smaller ones, more exposed to banks, will, for the most part, face bankruptcy.

• The VW scandal highlights instead how a problem in governance (independently of the individual blame, it is obvious that governance here totally failed) can undermine the credibility of a very large company, making it lose value even before all the consequences become blatantly clear.

• In its albeit small range of action, the new ISO 9001, 2015 edition, underscores risk and opportunities management, clearly implying above all those risks and opportunities that can radically change a company’s future.

Personally, I have learned a term which I find rather representative from one of my customers: threat (for business continuity). It gives the idea of a risk so big as to question the survival of a factory, a brand or an entire company or corporation.

IF IT WANTS TO CONTINUE TO EXIST, A SELF-GOVERNING INDUSTRIAL STRUCTURE must know and control the threats it is exposed to. Know and control! 

Allow me to illustrate an example: a prestigious company is exposed to flooding of the river that flows near its facilities. It is perfectly insured against this (in relation to the potential damage) and in its contracts it features a clause stating that fines cannot be applied for a delay in delivery attributable to natural disasters. But two floods one year apart make the company accumulate a delay of one year on its most important order, and this entails such a loss of credibility on the market and organizational difficulties in program management that the company risks closing down, saved only by an increase in capital. What can we infer from this? The risk of flooding was known, “standard” control measures were taken, but the overall threat was out of control. Perhaps it was underestimated?

RISK MANAGEMENT: THE ROLE OF RISK ASSESSMENT. If a threat is known, then we presume that corporate management is trying to deal with it, that it will take some sort of action. But if it is not known, it is clear that management will do nothing on a preventive level.

Such an obvious concept should not even need to be expressed, if it weren’t for the fact that, often, not knowing the threats lies at the root of the greatest failures in corporate governance.

If, for example, we consider the European directives on the regulation of the administrative responsibility of legal persons and of agencies/bodies without legal personality, which tend to continuously broaden the violations to which they can be applied, we realize that the consequent threats for companies are not always well known or properly assessed. And this strikes us because we are speaking of specific laws (aimed explicitly at regulating business management and referred to in detail in related texts), and hence “well known” and “easily interpretable”.

JUST IMAGINE HOW MUCH MORE ELUSIVE OTHER THREATS can be that do not derive from such well-addressed (and hence “recognizable”) rules - even legal ones. And then there are risks that do not derive from written laws but rather from the sensitivity of the clientele, or from risks that are apparently borne only by the clientele. Let’s take an “industrial” example, albeit from another field, of a company that manufactures a semi-finished product pursuant to customer specifications, destined for an oil refinery and indispensable in order to be able to start the plant.

What damage could be caused if, due to problems in the production system, delivery is delayed by 5 months, causing one month’s delay in the start-up of the refinery? It is clear that in our field, such catastrophic situations do not exist, but of course leaving the shelves of French supermarkets empty of a given brand of premium toilet paper for a month could turn into a substantial damage, or if you prefer, an appreciated gift to the competition …

Obvious facts, once we mention them. But let us ask ourselves: do we really know all the risks our company is exposed to? 

BASICALLY, WE ARE TRYING TO HIGHLIGHT THAT IN RISK MANAGEMENT, THE FOUNDATIONAL POINT (that we cannot afford to get wrong) is risk assessment, i.e., identifying risks and their estimation and evaluation. 

This is an important and in a certain sense innovative aspect compared to companies’ usual business management system. And it is comforting too, that ISO 9001:2015 places important emphasis on this topic. Indeed, without saying it as explicitly as we will in the upcoming lines, it underscores a further foundational concept: 

• if we must first perform a risk assessment to understand, in an orderly and systematic (and hence, we hope, also complete) fashion, what risks a company is exposed to when considered as a unitary and monolithic structure,

• immediately afterwards, it is fundamental to understand which industrial processes are those within which “errors” can be made that would generate such risks.

PROCESS ANALYSIS UNDER THE RISK PROFILE IS THEREFORE OF PARAMOUNT IMPORTANCE, and in truth, a rather rare practice. It should be instituted, especially in those contexts where risks acknowledged as probable for the company are several.

Let’s take an example in our own field by considering the classical topic (process) of maintenance. Within it are embedded “passages” critical to occupational health and safety, others that are foundational for environmental safeguard, still others necessary to protect corporate strategic assets and goods, and then even others strongly correlated to product quality and compliance. Perhaps this example is not among the most complex of its kind (the purchasing process of goods and services is certainly even more complicated), but we believe it can give the idea of how risk assessment of a multi-disciplinary process is not something that can be done using mere “common sense” but instead requires a systematic and analytical approach. Once this is done, as we were saying, it will not be so difficult to then introduce those process management modalities and controls necessary to keep any risks under control. Naturally, then comes the application of established laws, a topic that we will not deal with here due to its extreme complexity.

THE FLOW TO FOLLOW. If we acknowledge that the risks companies are exposed to today are infinitely more pressing than those they had to face not more than thirty years ago, we perforce find ourselves concluding that governing a company without controlling risks is hazardous, to say the least.

Let’s try to summarize the “steps” to follow then:

• Perform an assessment of the risks a company may be exposed to, starting from those connected to legal violations whose consequent penalties could harm or destroy business continuity, and then proceeding to risks connected to possible loss of credibility on the market, to possible loss of know-how, etc.;

• Based on the outcome of risk assessment procedures, identify a limited number of critical risks to be given priority in terms of prevention and protection (not more than five pursuant to the renowned Pareto chart); better not to extend the risks to be considered too much, otherwise there is the concrete possibility of creating organizational structures that are too complex and that become veritable paralyzing super-structures;

• For the selected risks, investigate the corporate processes within which these risks can be generated; basically, the result of this analysis is a list of critical corporate processes, and for each one, the potential associated risks will be indicated;

• For the critical processes, define procedures that identify the management measures for the “existing” risks, the control points and the (foundational) persons responsible for the different actions. We warmly recommend clearly defining who must do what and when; the “how” can be “delegated” to the competences and abilities of the different persons, or clearly defined (based on the characteristics of the human resources available but also on the degree of autonomy to be given to individuals).

NATURALLY, UPSTREAM OF THE REASONING ON PROCEDURES AND PROCESSES, we recommend always mapping out and precisely defining the corporate organization through job descriptions, a necessary activity that is in some way located above the definition of processes and is intended to define which managerial resources for risk prevention are employed by the company.

SMALL CONCLUSION. We would just like to reiterate a concept: today, correct corporate management cannot ignore the aspect of controlling risks (for the company), which are growing ever more important and have become one of the inevitable elements of correct corporate governance oriented towards maintaining/enhancing the value of the company over time.

Today, the idea that “we are not so unlucky that something like this should happen to us!” has lost all practical credibility! Hence we must understand, and then act.
