Inst of Int Aud V.3


  • 8/8/2019 Inst of Int Aud V.3


    INTERNAL CONTROLS ARE NO LONGER ENOUGH!

    In today's connected world, events on the other side of the world can have a significant impact closer to home. While terrorism, SARS and foot and mouth grab the headlines, there are many other more mundane risks putting supply chains under great pressure. Every headline-grabbing corporate collapse causes thousands of organisations to struggle to survive. The same can be said about mergers, acquisitions, legal change and any other event that shifts power in the supply chain.

    Ask the board to describe what they want from Internal Audit and Risk Management and their reply will be something along the lines of "to guarantee that we meet our legal obligations, and to ensure that we manage our business in a way that maximises the likelihood of achieving our corporate goals".

    In highly integrated businesses the traditional risk management approach of assessing internal controls is fairly well aligned with meeting the board's goals. But for organisations with significant outsourcing, internal controls are not enough. Organisations must adopt processes that allow them to look outside their organisation and, where possible, influence the external environment. With outsourcing exceeding 80% in some organisations, there is little point in only reviewing internally.

    CORPORATE GOVERNANCE

    In July 2002 the UK Government published its white paper Modernising Company Law. Contained in the white paper is a recommendation that companies over a certain size (basically the top 1500 companies) should be required to prepare and publish an Operating and Financial Review (OFR).

    The high-level objective of the OFR is to enable users to assess the strategies adopted by the business and the potential for successfully achieving them. The OFR may contain qualitative and quantitative information, and is aimed at an audience of all the organisation's stakeholders.

    Two categories of information have been identified for inclusion in the OFR: items that must always be included and those that would be included whenever the directors judge them material. These optional categories include corporate governance, values and structure; an account of key relationships with employees, customers, suppliers and others; policies and performance on environmental, community, social, ethical and reputational issues; and receipts from and returns to shareholders. For those organisations operating in large networks, this requires them to understand the risks as well as benefits contained within them.

    A CHANGING RISK LANDSCAPE


    So what's happened to change the risk landscape? As organisations have outsourced globally to focus on core competencies and seek out low-cost resources, they have created large and complex supply networks. Supply chain, or more accurately supply network, can be an ambiguous description. For the purposes of this article I use the definition provided by Cranfield University: "the network of organisations that are involved, through upstream and downstream linkages, in the different processes and activities that produce value in the form of products and services in the hands of the ultimate customer".

    Many organisations consider that they have reduced their total risk in this outsourced environment; experience is showing us that this is not the case. Toyota, Cisco, Ericsson and Land Rover, to name a few, have all suffered major business disruption inflicted by another member of their network. With the adoption of lean and agile supply networks, failure in one part of the network can bring all its members to a standstill, costing the network millions per day. Whether explicitly stated or not, it is expected that supply managers will take responsibility for the strategy and operation of these networks, and that Internal Audit will assess how well they are discharging their responsibility.

    AN EXPANDING ROLE FOR INTERNAL AUDIT

    So what does this mean for the organisation and its Risk Management activities?

    Firstly, the organisation must recognise how much of its total risk comes from outside its legal boundary. My advice is that an organisation should accept no more risk from its partners than it would internally. In fact it should consider what its risk appetite is, irrespective of what the risk is or where it comes from. Organisations with significant external risk must decide how to manage it.

    The single biggest challenge in managing supply network risk may be identifying a senior management owner within the organisation. In my experience the individual elements of the supply network are still managed by the traditional silos of purchasing, logistics, manufacturing, marketing etc. While this complicates the challenge, it also represents an opportunity for Internal Audit to act as a consolidator of supply network risk information, and to ensure consistency across disciplines and business units.

    Within the network environment both the range of risks and the amount of risk increase (see figX). Today's reality is that an organisation's network can enhance or diminish key intangible assets such as reputation and brand value. It is also relevant to recognise that an organisation's network is now seen as an asset of the organisation.

    Through the downsizing that normally follows outsourcing, the focal company will have dramatically reduced its expertise in the outsourced area. Not only does this make the organisation more dependent, but it also reduces its ability to assess performance (including risk management).


    [Figure; surviving labels: Network, Loc, Political, Economic, Social, Technologic]

    ADDITIONS TO THE AUDIT

    I'm not going to tell experts what a risk management programme should look like, or how to audit it, but I would suggest that assessments of supply networks would include the following:

    The organisation or specific business units conduct an assessment of the inherent risks associated with the structure of its supply networks.

    Having identified unacceptable risks within the supply network, that actions have been taken to reduce either the impact or probability to an acceptable level. Research from Cranfield University indicates that less than 50% of organisations have business continuity planning or crisis management procedures for the loss of suppliers, and less than 25% plan for pressure group action.

    That limits of acceptable risk are agreed with senior management and communicated throughout the organisation and to its partners in the supply network.

    That partners in the network have robust risk management programmes of their own. It is interesting to note that a study by the Chartered Management Institute (2002) found that only 9% of companies that outsourced activities insisted on their outsourced partner having business continuity plans.


    Where possible, risk is transferred to the partner, with management of the risk built into the contract and forming part of the performance review process.

    A supply network risk register is maintained and monitored, and where possible preventative actions are taken.

    Because of the vast and complex nature of supply networks, branded organisations will ultimately have to trust the members of the network to manage the risks they own. However, the branded (focal) organisation must spot changes in the supply network structure and assess whether they alter the overall level of risk in the network. Environmental scanning should identify new laws or changing political agendas that would impact a whole industry. Perhaps more importantly, it should identify changes within the network that could impact its stability. Mergers and acquisitions, demergers and partners with financial difficulties are obvious examples. Less obvious may be the implication of a major supplier landing a huge new order or the impact of changes in an associated industry. Whenever power bases shift, supply network risk needs to be reviewed.

    NEW TALENTS REQUIRED

    Underpinning all the issues raised is the assumption that supply staff are actively managing risk and that auditors have the skills and experience to conduct a review of the area. In my experience neither of these assumptions is correct. Although many organisations will formally manage supply network variability, and on occasion review what they believe their main risks are, few will have a formal risk management programme or train their staff to identify and manage risk.

    Audit groups will face a significant challenge in covering supply network risk. Few will have any first-hand operational experience of managing within a supply network, and fewer will have received any specific training in this area. Supply networks are complex and dynamic, and like most areas of business do not lend themselves to a tick-box review. The risks in each supply network are different and the tolerance to risk will be highly context specific. While a sound audit background and approach could raise really poor performance to the attention of senior management, in the margins where most successful groups operate, poor technical knowledge will be exposed. I have seen organisations extend the responsibilities of their financial auditors into this area, only to have the credibility of the whole function undermined by poor assessments. To audit in this area an auditor must have an appropriate level of skill and experience, and be respected.

    CONCLUSION

    In the past decade supply networks have grown internationally and become more complex. For some organisations over 80% of activities are purchased from others. Risk in these supply networks more often comes from the other members of the network rather than internally. With an increasing number of stakeholders watching the activities within these networks, Internal Audit groups need to ensure that business risk is identified and managed. To do this they must ensure that they bring the appropriate skills and experience into their group. Only in this way can they deliver what the board needs, and what the law will require.

    Summary of the Author

    Richard is the founder of Core Risk. He has a practical and academic background in both risk and supply networks. More information about Core Risk can be found at www.corerisk.com, and Richard can be contacted at [email protected].
