Viewpoint - The MMC Journal

Viewpoint

August 2009

Risk Management and Economic Change

A Catalyst for Re-evaluating Business Preparedness, Mitigation and Response

by Gary S. Lynch

When the economy changes, business priorities and perspectives must also change. This is crucial not only to survive, but to persevere. Maintaining liquidity might seem like the most important organizational priority; however, a company needs to fortify itself against ongoing disruptions, such as the loss of critical infrastructure as well as the fallout from initial change. Putting risk management aside while tending to “daily survival” is expected, but organizations need to realize that other disruptions are inevitable and economic volatility increases the chances of an adverse event occurring.

The goal of risk management is to minimize an organization’s exposure and to keep the business running smoothly during disruptive situations. What could be more unsettling than the failure of business partners, deterioration in quality standards, consolidation of facilities, loss of corporate memory via reductions in the workforce, and offloading assets – all symptoms of changing economic times?

Change has been thrust upon us – industry change, business change, supply chain network change, operational change, third-party relationship change, even change in customer demand. These changes have put a company’s preparedness, mitigation and response capabilities at risk – and in worst cases, made them obsolete.

Warning lights that change was imminent were flashing in boardrooms around the world as demand rapidly declined, trade credit tightened, and suppliers ran out of cash. For example, the continuity of the textile industry supply chain was impacted when the number of suppliers rapidly shrank from 22,099 in July 2008 to 6,262 in October 2008 – a reduction of 72%.[1] As a result, composition of the supplier base varied, configuration of warehouses in relation to customers was altered, and inventory levels decreased throughout the supply chain. This directly impacted existing preparedness, mitigation and response strategies.

Though change surrounds us, the expectations of a company’s customers, investors, business partners or regulators do not change. Businesses are still accountable for providing value to the market and maintaining the ongoing entity during adverse times. There is no excuse for ignoring sound and proven risk management practices just because economic times are tough. And auditors, rating agencies, regulators, and other external parties that measure an organization’s risk management practices can add fuel to the fire by offering a negative opinion that translates into a greater cost of capital or worse – negative press. Who wants to do business with a seemingly risky company?

To counteract the potential threat of obsolete or ineffective continuity risk management programs, organizations must move quickly and efficiently. All organizations should consider whether they are actively engaged in the change as it occurs for the purpose of understanding what products and services are considered of greatest value. Businesses should ask if these changes have been documented and validated by executive management.

A company must understand its business operations, its supply chain interdependencies, and the final configuration of its processes and resources as a result of change — in people, technology, physical assets or relationships. Companies need to move beyond continuity risk management focusing on a facility or function to an approach that begins with value and processes. The goal should be to align risk investments against that which could have the greatest impact to the value produced by the organization. This is an economic exercise, where businesses should try to do the most with the least: in other words, understanding that there will be a finite amount of available risk capital, time, resources and management bandwidth.

How to plan, mitigate and respond

Organizations should expand the scope of their planning activities to take into account the potential effects of change.

  • Planning should include the extended operation and third parties — from raw materials through supplies and logistics providers to the final customer.

  • The mitigation strategy should include the strategic design layer (warehouses, factories, and supplier locations) or the day-to-day operations (transportation, inventory management and production scheduling).

  • The preparedness, mitigation and response capabilities should include:

    • what is of greatest value to the organization (value segmentation and the priorities of the organization);

    • the resources and processes that are needed to support the creation, delivery, and servicing of value (process and resource mapping);

    • the quantifiable and qualitative impact from loss of a critical resource, according to value – revenue, assets, liquidity, strategic, brand/confidence, and compliance;

    • analysis of the required risk investments compared to potential impacts (risk financing/insurance, retention, or retention with mitigation); and

    • validation of the risk mitigation (test, audit and simulation), monitoring of the environment, and assessing and optimizing risk solutions continuously.

An organization should also have preparedness, mitigation and response plans in place, updated regularly to reflect changes such as the consolidation of warehouses or the shutdown of a plant, elimination of suppliers, decreased inventory levels or new transportation carriers. Most importantly, it should ensure that the organizations it relies on understand and meet its expectations.

And when there's disruption...

At the time of disruption, the goal becomes to minimize the financial and brand impact by utilizing information gathered prior to the disruption on the potential effect on the organization’s failed resources.

A company’s preparedness, mitigation and response programs should contain event identification, including criteria for recognizing and responding to an event, which, if determined, will activate incident/emergency plans, such as evacuation and life safety, product tampering, civil disturbance/terrorism, or contractor contingency procedures. The response programs should have as their primary focus ensuring the survivability of the organization as well as a clear direction and communication with key stakeholders.

Containment should be determined if the desired impact thresholds and recovery times will be exceeded. Escalation should be based on predefined protocols and thresholds for escalating or promoting information and news flows in a timely, relevant, consistent, and accurate manner. There should be a clearly defined path for information among all stakeholders.

During post-disruption, organizations should conduct a postmortem review of lessons learned, focusing on questions such as how the organization improved its risk mitigation and financing activities as a result of the event; what problems were encountered; was the response effective; was the impact contained from the event; and if not, was the organization able to recover, restore and resume normal operations.

In changing economic times, assumptions may be altered, but it is clear that expectations are greater as organizations experience more volatility and stakeholders require greater diligence. Failure to align with these expectations could be interpreted as a failure to exercise proper governance and due care – putting everyone at risk.


  1 Panjiva, a company that collects and disseminates data on global suppliers and manufacturers (http://panjiva.com/).


Gary S. Lynch, CISSP, is a managing director in the Supply Chain Risk Management Practice of Marsh Risk Consulting. He is the author of At Your Own Risk, Wiley, 2008, and of the forthcoming Single Point of Failure – The Ten Essential Laws of Supply Chain Risk Management, to be published by Wiley. Mr. Lynch can be reached at .

Copyright © 1996 - 2009, MMC, All rights reserved.