Risks that impact manufacturers continue to evolve and grow. We have identified nine enterprise-level risk areas that manufacturing companies should be addressing today. You may have a good sense of the risk assessment process you currently have in place, but it may not be clear how your internal controls address the areas of greatest enterprise-wide risk. Once you know which risks you’re addressing, you can ensure an effective Enterprise Risk Management (ERM) system is in place.
The following nine major risks are interconnected and require risk management best practices to mitigate. As you manage the risks throughout these areas, stay focused on your organization’s mission statement and how initiating an effective risk management process can help you achieve your objectives.
Third Party/Supply Chain Risk
This includes your supply chain and the vendors you use for billing, technology, or payroll. Key consideration should be given to suppliers of core ingredients, components, services, and equipment used for the finished product. This may also include fluctuation in fuel, energy, and transportation costs.
Use these questions to help you consider how third-party/supply chain risk will impact how your company addresses ERM:
- What is your product’s distribution channel? For example, if labor relations at a distributor are strained or the distributor is temporarily unavailable, do you have redundancy of supply built into your contracts? What do those contract clauses say you can do to keep your product in the hands of customers?
- How quickly do you need critical supplies? Should you have suppliers in close physical proximity, or do you need to maintain reserves sufficient to meet production in instances of supply delays?
- Are you aware of the ways your suppliers impact your business continuity or information technology footprint? Have you gone through a Business Impact Analysis to identify areas of vulnerability?
Technology & Cybersecurity Risk
In addition to software and applications used to run the business and connect with third parties, technology and cybersecurity risk has evolved to include the internet of things (IoT). As more equipment connects to the internet to facilitate processing, and the reliance on cloud storage increases, data security must be extended to these areas. If you allow customers to place orders through technology, you must also consider Payment Card Industry (PCI) requirements.
Use these questions to help you consider how technology and cybersecurity risk will impact how your company addresses ERM:
- Have you identified all items that connect to the internet?
- Do your patching procedures extend to all these items to ensure that vulnerabilities are not left open as an entry point for an attacker?
- Is appropriate training conducted to prevent social engineering from hackers or industrial espionage?
Business Continuity Risk
While the potential for natural disasters gets the attention of many business continuity plans (BCP), most downtime is actually caused by human error. Such downtime must be considered in your supply chain in the event that one of your key suppliers has their own business disruption. Areas your business continuity plan should include are employee availability, communication, and documentation.
Use these questions to help you consider how business continuity risk will impact how your company addresses ERM:
- Have you communicated the BCP to all employees? How recently and how often? When was the last time you tested the plan in a tabletop exercise?
- Has documentation backup been created and made available at offsite locations?
- In the case of a regional weather impact, have you considered how you will get your people into the facility or your product out? Do you plan to use alternate production locations? If so, how?
Transaction Risk/Operational Risk
This is a broad category that encompasses key employees, production, and recording financial transactions. It may incorporate retention efforts for key personnel, onboarding of new personnel, and integration of technologies during acquisitions, or how the acquisition is likely to affect your culture and operations.
Use these questions to help you consider how transaction/operational risk will impact how your company addresses ERM:
- Do employment contracts protect trade secrets and maintain a competitive advantage?
- How confident are you in integrating an acquisition? Are you prepared to on-board new employees in new regions while integrating different processes and technologies?
- How are you evolving your production procedures to stay current in the market? How confident are you that you can keep ahead of competition?
Regulatory Compliance Risk
Regulations that must be considered are coming from many different organizations: OSHA, EPA, FDA, and EHS are just a few of the federal agencies making the laws businesses must adhere to. Start adding in the international, state, and local regulations and the compliance environment becomes exponentially more complex. You need someone monitoring compliance across your organization, including all key third parties relied upon for your operations.
Use these questions to help you consider how regulatory compliance risk will impact how your company addresses ERM:
- How do the personnel responsible for your compliance stay informed of the compliance requirements? How does the Board of Directors monitor compliance?
- Have you invested enough in professional development to ensure your compliance personnel are staying on top of regulations?
- Do you have the expertise in-house, or relationships in place with outside expertise, to respond to compliance issues quickly and effectively?
Market Risk
This risk focuses on price competition and pricing strategies, changes in consumer spending or preferences, and identifying and utilizing emerging markets in a timely manner. Business Continuity Risk (#3) will connect to this area if you are operating in a more commoditized market. The easier it is for your customers to replace your product during a business interruption, the more impact the downtime will have on your bottom line. It may also affect your ability to recapture market share.
Use these questions to help you consider how market risk will impact how your company addresses ERM:
- What are you doing in terms of research and development to ensure relevance in the future?
- How have you differentiated the product you are offering to minimize market fluctuation?
- Can you truly call the differentiation a competitive advantage?
Foreign Exchange Risk
With globalization, the world is made smaller by the day. Many companies that never had to consider foreign exchanges now feel an impact to operations when something happens across the world. If you have any kind of global ordering, supply chain, or distribution, you need to ensure that you are monitoring changes in applicable markets and are prepared to act at a moment’s notice.
Use these questions to help you consider how foreign exchange risk will impact how your company addresses ERM:
- Have you identified which global markets have material impact to your business?
- What monitoring programs do you have to assess changes in those markets?
- Have you evaluated if hedging programs are needed to offset risk? If so, how?
Strategic Risk
Keeping ahead of competition by seeking innovation and product development is critical to maintaining and growing your market share. This may include acquisitions to vertically integrate your supply chain, implementing new ideas or technology, and identifying succession challenges like adding and retaining key personnel to maintain the company’s competitive advantage.
Use these questions to help you consider how strategic risk will impact how your company addresses ERM:
- How do you assess strategic initiatives to ensure they are delivering the returns you envisioned?
- Do you conduct debrief sessions to identify what went well and areas of improvement?
- Are retention or succession plans sufficient for key personnel or executives who are important to the company’s competitive advantage?
Reputational Risk
Reputational risk evaluates the impact on the company’s perceived image when a publicly visible risk area fails. This could result from a decrease in quality (supply or product), mislabeling as organic, product recalls, environmental implications of your manufacturing process, or if a third party in your supply chain causes your data to be compromised or your product to become unavailable.
Use these questions to help you consider how reputational risk will impact how your company addresses ERM:
- How do you currently evaluate how large an event must be to impact your reputation?
- How do you ensure you respond to potential events in a timely manner to minimize impact? Have you considered this as a part of your BCP?
- How will you address the media when you have an event that could impact your reputation? Who will be responsible for doing so?
Once you know what risks you’re addressing, you can ensure you have the proper controls in place.