Showing posts with label risk management.

Friday, 17 November 2023

The case of the troublesome homograph

Confusion sometimes arises in our non-profit governance and management work where a word we use is assumed to have a particular meaning, but actually another meaning is intended. I think a case can be made for that to be the case with regard to the terms “business use case” and “business case”.

Here the word ‘case’ is used four times, with at least three (and arguably four) separate meanings:

  1. an argument or proposition
  2. an instance or example
  3. a business process
  4. a governance decision-making tool – a particular type of argument or rationale.

Polysemes and homographs

Polysemy is the capacity for a word or phrase to have multiple meanings
Polysemes are words possessing multiple meanings
Homonyms* are words that sound the same but have different meanings
Homographs are a subset of homonyms, describing words with the same spelling but more than one meaning e.g. mean/mean
Homophones are a subset of homonyms, describing words that sound the same but which have different spellings and meanings e.g. see/sea

Confusing narratives with arguments

We usually use the words adjacent to a polyseme or homograph to discern the particular meaning intended, e.g. legal case, briefcase, case study, upper case, caseload, hopeless case, etc.

When reading or hearing the terms “business case” and “business use case” however, that method could mislead us. While these two terms share two words, they refer to quite different things. As illustrated in the first chart below, a business case is essentially an argument or rationale for proposed action or inaction. A “business use case” however, is a description of processes used by actors to complete a task, usually in a digital environment. (Hence, ‘the case of the troublesome homograph’.)

A related example of similar words being used for different purposes focuses on the word ‘story’. The use case is sometimes confused with a user story, and that in turn can be confused with the storylines method. The following chart seeks to further differentiate these, by outlining the steps and stages involved for each. (While at opposite ends of these charts, it is worth noting that the storyline method can be used to present a business case.)


Context and Meaning

While it is widely recognised that truth is a relative concept, it remains true that the words we use need to hold specific meanings in our work context. Otherwise, misunderstandings will occur, leading to risks that could have been avoided by adherence to standards, including nomenclature.

In another time, the difference between a narrative, a description, and an argument seemed clearer. While there is an important role for descriptions, and narrative approaches in many aspects of non-profit governance and management, directors and managers cannot rely on those methods for effective decision-making. Argument and evidence-based reasoning are the right tools for that job.

(*Not to be confused with Houyhnhnms. A fictional race of intelligent horses described in the last part of Jonathan Swift’s satirical 1726 novel Gulliver’s Travels. According to Wikipedia, Swift apparently intended all words of the Houyhnhnm language to echo the neighing of horses.)

https://polgovpro.blog/

Monday, 23 October 2023

20:20 Hindsight

Hindsight bias

‘Hindsight bias’ has been defined as believing that the onset of a past event was predictable and completely obvious, when actually, the outcome could not have been predicted. Politicians, media (and social media) commentators, and sometimes Counsel Assisting commissions of inquiry, all demonstrate a tendency to this form of cognitive distortion. Directors and managers are no less at risk of this.

Three levels of hindsight bias have been identified as follows:

  • Predictability – “I KNEW it would happen”
  • Inevitability – “IT HAD to happen”
  • Memory Distortion – “I SAID it would happen”


While understanding the risk of hindsight bias, non-profit directors and managers nonetheless have an obligation to reflect on past events in order to identify opportunities for improvement, or the need for new control measures to prevent an adverse event from occurring or recurring.

From my observations, directors have little difficulty looking at their historical development to gain insights which allow them to foresee an imagined future strategy. They can recognise that hindsight, insight and foresight are really three aspects of one activity. It is less common however, for directors to recognise that the same can be said of incident analysis as a source of insights about ways to improve future risk controls.

Systematic Cause Analysis

In a recent post, I explored a process of root cause analysis following a risk event, using a set of questions to determine what happened, the contributing factors and the basic or root cause of the incident or event.

A variation on that method is called the Barrier Based Systematic Cause Analysis Technique (BSCAT), illustrated below, which takes the analysis down to the level of preventive and mitigation controls to ask which of these failed and why. This process allows identification of missing or ineffective controls which, had they been well designed and applied appropriately, would have prevented the incident.

The recent NSW Ruby Princess Inquiry, the Victorian Hotel Quarantine Inquiry and the Federal Aged Care Royal Commission all offer topical insights into risk management failures. They also share certain common factors, including under-funding, poorly structured coordination structures and processes, and people at all levels being expected to respond effectively to a massively complex collection of challenges ‘on the fly’.

As we have seen during the pandemic, people involved in response roles across all sectors had no opportunity to catch their breath, and to do the kind of detailed planning which is a foundation for effective response coordination. Often, they were working extended hours, suffering stress and exhaustion, and yet they are still expected to make fault-free decisions.

In some ways, the accumulated impact of government decisions over some decades meant that the capacity to respond effectively simply wasn’t there. The system failed. Both conservative and progressive governments have played their part in that legacy over an extended period.

To the extent that incident analysis indulges the luxury of looking back with 20:20 hindsight, it may seem obvious now what steps and systems would have helped prevent each crisis. For those of us faced with responsibility for managing future risks, the precise nature of which we cannot know, the benefit of allocating time to incident analysis is that we gain insights into at least some of the types of issues we could be faced with. Those insights can then translate into control measures to prevent risk events, and mitigate outcomes if they do occur.

Root cause analysis seeks to ensure that an underlying causal factor is addressed so that a similar incident cannot occur again for that reason. If one only addresses contributing factors, while leaving the root cause undeclared and unaddressed, then the opportunity to take the required preventive action is missed. Thus, we can see that incident analysis is not just looking backwards. In fact, it’s a key measure by which to prevent repetition of an incident, or to entirely remove a hazard from the operating environment.

Agile non-profit strategy

Many non-profit organisations have limited resources, and yet ask their volunteers and staff to achieve success and avoid faults in executing complex strategies.

At a time when volatility, uncertainty, complexity and ambiguity (the negative VUCA) are strongly in evidence, boards and their management teams can help their people by creating space to reflect on priorities (vision), use data and insights to improve understanding, clarify the short to medium term goals, and promote agility by testing and progressively refining problem solutions (the positive VUCA).

This last element is not granting permission to fail, but is offering the freedom to discover problems with an initial plan. The ‘agile strategy’ approach is meant to allow greater flexibility in strategy execution, but also recognition that a plan is likely to require adjustment along the way, whether due to unforeseen (sometimes unforeseeable) external factors, or due to insights gained through the implementation process.

‘Foresight bias’

If ‘hindsight bias’ describes a form of distorted thinking about the past, how should we describe distorted thinking about the future? Optimism and pessimism are the two extremes on the continuum of future thinking modes, and yet each of these in themselves represents a spectrum of positive and negative elements.

Optimism is good when it expresses confidence in growth opportunities and drives effective strategy. It is risky however, when it is simply ‘wishful thinking’. It can be unrealistic and fail to adequately account for resource constraints and external circumstances which prevent success.

Pessimism is good when it is risk averse and takes care of the people involved, the environment, and anything else that could be harmed if something were to go wrong. It is bad however, when it causes leaders to avoid new ventures and responses to emerging needs.

Boards therefore need to calibrate their risk appetite so that innovation is prudently supported, and consequently, so that progress can be achieved. Balancing entrepreneurial energy with appropriate controls is at the heart of good governance.

https://polgovpro.blog/

Saturday, 30 September 2023

Sharing Risk while avoiding a Blame Game

Responsibility and Accountability in Risk Governance

My previous post highlighted governance issues associated with multiple parties sharing certain risk management responsibilities around the disembarkation of passengers from the Ruby Princess, at a time when COVID-19 infections were on the rise. The importance of establishing shared understandings about the risk perspectives of affected and involved parties was highlighted, along with enhanced coordination and communication.

In this further reflection on the theme of ‘boundaries, borders and bridges’ (referenced in the previous post), the issues of third party risk for non-profit organisations are in focus.

Third Party Risk

Third party risk relates to hazards arising from your relationships with contractors, service providers, and joint venture partners. Some part of their risk inventory intersects with yours (crosses your boundary), and as illustrated in the header image above, this means people in each organisation share certain responsibilities. Comment on the RACI ‘bridge’ which spans the shared responsibility space appears below.

When engaging contractors or tendering for services, risk is a central concern of the selection process, and associated due diligence activities. Service standards, including risk controls and escalation measures, will usually be documented in the contract or service agreement. For potentially serious and catastrophic risks, more care needs to be taken to align expectations of those performing key roles, as the ‘cracks’ and ‘gaps’ often occur in the grey zone where the two entities have overlapping responsibilities.

Project Managers have developed useful measures to manage risk in projects involving contributors from more than one organisation, or from multiple functional areas within a larger organisation. They use the RACI model of assigning responsibility and accountability, identifying who needs to be consulted before a decision or action is taken, and who needs to be informed afterwards. This model can also be usefully applied to any third party relationship in which the allocation of risk management roles and responsibilities needs to be clear.

The nature of each of the roles in the RACI model is outlined in the image below, and the distinctions between each must be well understood if finger pointing is to be avoided following an adverse incident. Distinguishing between responsibility and accountability is often an issue. We can see ample evidence of that in the NSW and Victorian COVID-19 inquiries.


The chart below illustrates how each of the four roles could be assigned to the steps and tasks involved in managing a shared risk, and includes some useful notes from the authors at simplilearn.com.


Advocacy Partners and Allies

Some partnerships will be subject to formal agreements, and in that sense the risks involved are similar to those shared with contractors and service providers, especially where they are acting in your name.

Other alliances are somewhat informal, especially where the focus of the relationship is an advocacy campaign. Agreeing to issue a joint media release, or to authorise use of your logo alongside others on a joint submission or poster, are not in the same league as going into business together to deliver a service to a target group of members or consumers. Understanding each other’s risk appetite and sensitivities is nevertheless important to such an alliance.

Often the key issues to be considered are the ‘no-go’ zones, on which there are known differences of opinion or policy. These will be avoided during the course of the campaign, and neither party will imply the agreement or support of the other, when in fact they hold different views. The emphasis is on areas of agreement, not difference. A breach of this commitment would not only damage the campaign, but would probably inhibit any future alliance.

Federated risk

The coordination of risk management within a federated structure (still used by many associations) has some similarity to third party shared risk governance. As there are also other issues involved however, I will reserve comment on these for a future post.

https://polgovpro.blog/



Monday, 28 August 2023

The Incident ‘Post Mortem’: Facts, Causes and Factors

Most non-profit boards rightly focus their risk governance on identifying and assessing risks before developing a set of escalating controls to prevent an adverse event. They then consider how their organisation should respond should the hazardous event actually occur, and how those measures can best mitigate the damage that arises.

Some also consider their incident response methodology, recognising that this is their opportunity to add value as directors by improving future risk management plans. Maintaining an incident register is merely a bureaucratic exercise in record keeping unless your risk committee reflects on the pattern of incidents, and digs deeper into the causes and contributing factors which allowed adverse events to occur.

The effort required to do incident analysis can be considerable, and allocation of the necessary time and other resources to do this formally may only be required by your board in ‘severe’ cases, involving critical or catastrophic outcomes. Informal review processes may be used for less severe ‘incidents’, so that these too are remedied. Some organisations use a critical incident report template to capture relevant data, and to record the analysis of the root cause and contributing factors.

Most adverse events demonstrate an array of coinciding factors that allowed things to ‘go wrong’. Understanding the root cause is essential to preventing recurrence, but identifying other contributing factors can also be very helpful in refining prevention and mitigation measures.


The definitions offered above may assist your interpretation of the Risk Event Analysis chart which appears in the header image. This is a simplified outline of the steps used in determining causes and contributing factors as part of your adverse event ‘post mortem’.

Incident Analysis Process

A more detailed procedure is outlined in the larger chart below, and this emphasises the importance of moving beyond simply confirming what happened and why. Identifying what can be done to prevent a similar event occurring in future, and to respond more effectively should it recur despite those enhanced preventive measures, are essential to the ‘value adding’ process.


The factor analysis step (Step 7) suggests that it will be beneficial to classify contributing factors according to type. The chart below suggests seven categories, and depending on which of these were involved, different responses would be required to enhance risk management of processes, people, and systems/technology.


If your non-profit risk committee has not yet considered its approach to incident analysis, they may find some of the ideas covered in this post of interest.

https://polgovpro.blog/

Tuesday, 18 July 2023

Strategy and Risk: 2 sides of one coin

The argument that strategy and risk are two aspects of one governance activity has been highlighted by many pundits over time. In practice however, some non-profit boards still separate strategic planning from development and review of their risk register.

My previous two posts (see links below) promoted the concept of continuous monitoring of the external and internal environments, and adjustment of strategy in the light of significant changes in stakeholder needs and emerging priorities. This post looks at the parallel issue of ensuring that risk considerations are integrated into strategic planning.

Risk Bow-ties

Let’s start with a schematic called the risk bow-tie, illustrated below. Risk managers use risk bow-ties to help them identify various threats associated with a particular type of hazard, and then to assign escalating threat controls to each in order to prevent the hazard being triggered. Subsequently, for each of the possible consequences of that hazard, a range of escalating mitigation measures is assigned, to minimise the harm or damage caused by the event.


A variation on the risk bow-tie makes provision for both unexpected threats, and unforeseeable events (often called ‘black swan’ events, like the COVID-19 pandemic).


Strategy Bow-ties

The bow-tie chart device has also been used as a marketing tool to identify ways of optimising customer retention. My version however, is more closely aligned with the risk bow-tie, as it adopts similar graphic elements to describe the consideration of options, strategic decision making, and execution measures for primary and secondary goals.


Adaptive Governance

COVID-19 has dramatically demonstrated the need for boards to be resilient, and to employ ‘adaptive governance’. Recognising the continuous nature of the board’s strategic and risk management roles therefore, and the need to integrate strategy and risk deliberations, the chart below combines the risk and strategy bow-ties in a mirrored timeline. As the strategic question “What should we do and why?” is asked, the risk question “What could go wrong?” is posed simultaneously. That question is applied to each of the action options before the board, including the option to do nothing.


The parallel chains of strategy and risk bow-ties remind us that responsible boards integrate their risk deliberations into all their decision-making and strategic planning. Treating them as separate and potentially unrelated activities, possibly addressed at different times on the board governance calendar, is likely to result in more adverse outcomes, with negative consequences for your organisation’s reputation and finances.

Whenever we schematise complex concepts and processes like strategy and risk governance, we are likely to over-simplify and generalise. That said, this ‘adaptive governance’ schematic is primarily intended to encourage non-profit directors to see risk as a key dimension of every decision they make, rather than a matter they attend to once a year when the risk register is updated.

https://polgovpro.blog/

Monday, 17 April 2023

Diagnosis and Treatment in Leadership

I’ve long valued Bryan Whitefield’s insights and guidance on risk and adaptive leadership matters, and his recent article (highly recommended) on diagnosis and action at the Self and System levels, reminded me of another broad parallel I had noticed between health service and leadership concepts and processes.


Diagnosis Precedes Action in Leadership

Whether you are planning to lead on tackling a problem in your organisation or an opportunity to improve your own leadership, diagnosis comes first. A mechanic should not start stripping the engine before conducting some diagnostics. Nor should you buy a personal development book without asking yourself what type of book might serve you best.

In The Practice of Adaptive Leadership, Heifetz et al. make the point very clearly that there are two core processes to leadership: diagnosis and action, and that diagnosis precedes action. They present a 2×2 matrix showing the four different positions you could be taking in your leadership role. I have gone one step further and named the quadrants with the key action you should be undertaking in each. See Figure 1.


I remember one poignant moment early in the program that brought home to me that I was in a leadership DEVELOPMENT program, and not a program to reward only my exceptional leadership.

We were split into teams and I was picked by the team as team leader. We also had to pick a deputy leader. I quickly nominated a person in the team who I liked and had developed some respect for. There was immediate rebellion in the team and I was quick to learn that while they had elected me their leader, they had not elected me as universal decision maker on all things affecting the team.

The learning curve had begun. I was in a Leadership DEVELOPMENT Program and the diagnosis had started!

Stay safe and adapt – quickly.

https://cutt.ly/572eKOZ

The ‘standard’ treatment process used by health practitioners includes diagnosis as one step in a sequence, preceded by taking a history of general health and other significant developments from the patient. Having identified the patient’s context and purpose in attending for treatment, the examination can be completed, with an eye to identifying the root causes of any presenting condition, along with any other issues not necessarily identified or recognised by the patient.

Once these processes have been completed, a diagnosis may then be determined, and in the light of that, a proposed treatment plan or options for treatment can be presented to the patient before obtaining consent to proceed with treatment. Following treatment, the practitioner and patient review the outcomes, and this forms part of the context for the next visit at some future date (where appropriate).

In my experience, governance and management approaches to strategy, risk, and execution issues involve a similar sequence of steps and processes – albeit with different names, and some additional considerations and activities required for each of these domains.

I have found it helpful in discussions with some of my mentees and clients who have a health background, to use the treatment process as a metaphor for their non-profit governance and/or management roles. Given the simplicity of the model, it may be relatable by people in other fields as well.


The chart above includes simplified parallel sequences for each of Treatment, Strategy, Risk, and Management Decision Processes. ‘The map is not the territory’ (Alfred Korzybski) is certainly true of these flowcharts, as they reduce a multitude of process variations into a ‘straight line’ summary – and such simplicity rarely exists in reality. Nonetheless the comparability of methods used for different purposes illustrates the importance of gathering and analysing all relevant data (looking for the ‘signal in the noise’) before completing a diagnosis of the problem or issue.

This stepwise approach is also similar to the knowledge management model DIKW (modified by my addition of the Decision, Action, and Reflection levels), illustrated in the header image above.

If your directors are not familiar with strategic, risk, and decision process steps, you could try using a metaphor such as the health treatment process to introduce them to the core concepts.

https://cutt.ly/w72yK1v

Thursday, 2 June 2022

Supply chain risk: take back control

How to make risk management a strategic asset and a source of competitive advantage

Over the past two years, global supply chains have been in a state of turmoil. For businesses across the economy, supply shocks and shortages have become a fact of life, and a financial headache: the cost of shipping containers on many major global trade routes has more than doubled.

With substantial supply chain risks set to remain for the foreseeable future, risk management needs to become a strategic function. Get it right and your business will gain a substantial competitive advantage.

Customers are demanding better and more transparent risk management. Their purchasing strategies are increasingly oriented toward suppliers’ ability to deliver (as well as cost).

As existing supply chains become less reliable, alternate sources are in big demand. But they are also few and far between. Key raw materials, such as lithium and magnesium, are hard to procure, while the supply base of several key sectors, such as semiconductors, is now highly concentrated.

Other risks include non-compliance with increasingly onerous trade restrictions, a lack of transparency, and a tricky transition from low-cost and just-in-time-based value chains to ones that revolve around environmental, social, and governance (ESG) factors. Each of these dynamics may contribute to shortages and high prices that ripple through supply chains. In some cases, businesses try to innovate their way out of trouble, but that can jeopardize their financial viability.

Risk management needs to be rethought

The market has responded to the reemergence of supply chain risk by offering a range of mapping and scoring technology/services, but many organizations fail to create sustainable competitive advantages and business cases around supply chain risk management by focusing too much on platform-driven approaches.

That is a mistake: companies that are adept at risk management will gain a competitive advantage. Trusted by customers, they are more likely to win new business. In fact, successful and transparent risk management increases the marketable quantity of end products by ensuring the ability to deliver. An important competitive differentiator in today’s world, robust risk management can justify higher prices.

It is important to recognize that a structured and systematic approach to identifying risks is now a must. Supply dynamics are too complex to be addressed ad hoc. Businesses need to take a comprehensive and fully transparent approach to risk management throughout the value chain. The organizational culture must reward the identification of risks and encourage open exchanges on this topic, while risk management should be embedded into the existing roles within the organization.

How do we approach risk management?

Drawing on our deep expertise in procurement and supply chain management, Kearney works with clients to develop a governance model to monitor the impact of risk across the organization. We aim to build a central, stringent, and cross-functional process for the systematic management of risks. Ideally, this process will be fully automated to address risks across all areas and for all customers in the best possible way.

A cognitive risk engine can be used to provide full risk transparency. If you can create a digital twin of your value chain, you can address risks throughout the entire value chain and logistics, right down to which customers are affected. Global, detailed, and real-time risk modeling, using a scalable cloud-based solution, is the best possible way to gauge risk and optimize the mitigation strategy.

But a risk management solution also needs to be flexible. To evaluate suppliers based in countries where information is difficult to obtain, a business may need to employ alternative forms of finance and risk modeling. It is important to receive this information in real time before another competitor terminates this supplier so that, in this case, a safety stock can be built up unnoticed.

How clients typically apply risk management in their supply chain

We see three supplier risk archetypes:

1. Risk seeker

Focused on regulatory compliance and mitigation of short-term risks. Risk management strategy characterized by specific risks and problematic suppliers. Uses streamlined technology diagnostic tools for identification and assessment of risk. This archetype may be first to move, but can miss quite a bit of the picture if they move forward without a robust process and governance to manage the process and act on identified risks.

2. Disruption avoider

Focused on future and buried risk, but potential disrupters take precedence. Risk management strategy characterized by broad supply chain bottlenecks including suppliers’ risk and performance, and crucial risk categories such as raw material or cyber. Uses identification of critical suppliers’ potential issues for identification and assessment of risk.

3. Strategic differentiator

Focused on risk management as a competitive advantage. Risk management strategy characterized by building strategic capability, and views risk as an input into business operation optimization. Uses strategy, process, governance, and technology for identification and assessment of risk including full digital twin of supply chain to reconfigure for resilience, and risk map as trigger for continuous management.

Additionally, the companies differentiating risk strategically as a competitive advantage encourage their strategic partners to follow Supply Chain Risk Management Standard (SCRM) culture and processes. Intellectual property and business sensitivity can prevent the level of openness desired to directly monitor supply chain risk, but if your partners can adopt the right mindset and process, you can be more comfortable with the level of risk and potential exposure.

Key questions to ask before setting out to improve the management of risk

Strategic

  • What do you want to achieve—mitigate short-term risk and secure business continuity in the coming 24 months or drive strategic decision-making?
  • Are you ready to adopt a predictive mindset to identify vulnerabilities and enable avoidance strategies?

Process

  • Are you willing to create full transparency and connect key downstream processes to risk management?
  • What performance improvements process are you willing to embed to ensure processes are self-healing and relevant?
  • Are you willing to dedicate resources to contact second- and third-tier suppliers directly and obtain more information?

Governance

  • Are you ready to make risk management a part of your main steering mechanism?
  • Will you make sure that accountabilities are embedded in roles?
  • Which key performance indicators (KPIs) will be used to incentivize risk mindset, and are they appropriate?

Technology/enablement

  • What is your ambition for transparency and automation?
  • Are your aspirations limited by existing technology and datasets?

Capabilities and culture

  • Will you come up with a clearly articulated and socialized case for change?
  • Do you have the ability to connect strategy and culture through metrics and performance management?

How to make the management of risk a source of competitive advantage

To provide guidance to our clients, Kearney has developed the risk management reference model (see figure 1).



Mindset

Understanding risk management. Make risk management a strategic function under the responsibility of the CPO with regular reporting and steering committees. It should be fully integrated along the entire value chain (R&D, purchasing/supply chain, sales).

Tone from the top. Risk management should be sponsored by the CEO, with the CPO taking technical responsibility, supported by a risk management committee consisting of relevant managers and employees from purchasing, supply chain, and R&D.

Transparency and honesty. Develop a risk management manual setting out risk management’s eight core dimensions (see below), which is accessible to the entire organization and the subject of recurring training courses and onboarding. Create an incentive model that rewards people for identifying and addressing risks, together with an organizational model that defines roles and responsibilities.

  1. Values and culture
  2. Communication and training
  3. Technical infrastructure and IT
  4. Risk management
  5. Goal setting
  6. Programs and processes
  7. Organization and control
  8. Monitoring and improvements

First line of defense

Risk identification and opportunities. Perceive risks as opportunities to gain a competitive advantage and introduce processes to identify risks. These should include:

  • Scoping: Selection of industries, categories, value creation steps for risk sensing
  • Sensing: Linking of internal (BOM—bill of materials), supplier (risks), and market (logistics) data
  • Interpreting: Transfer of the harmonized data into the respective risk dimensions
    • Dimension #1 (risk category): information security, regulations
    • Dimension #2 (components): semiconductors, batteries
    • Dimension #3 (supplier): …
  • Evaluating: Prioritization of risks using a multidimensional scoring approach
  • Planning: Development of actions to mitigate risks via cross-functional teams
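As an added example (not the article's or Kearney's own code), the sensing, interpreting and evaluating steps above run on constructed BOM, supplier and logistics data; the risk dimensions, 0-5 scales, weights and single-source penalty are assumptions chosen for illustration.

```python
# Added example: link BOM, supplier and logistics data, fold findings into risk
# dimensions, and prioritize with a weighted multidimensional score.

# Constructed sample data (not from the article). Scales are 0 (no finding) to 5 (severe).
BOM = {"ECU-1": ["chip-A", "battery-B"], "Sensor-2": ["chip-A"]}
SUPPLIERS = {  # component -> list of (supplier, findings per risk dimension)
    "chip-A": [("S1", {"information security": 4, "regulations": 2})],
    "battery-B": [("S2", {"regulations": 5}), ("S3", {"regulations": 1})],
}
LOGISTICS = {"S1": 3, "S2": 1, "S3": 4}  # supplier -> market/logistics disruption score
WEIGHTS = {"information security": 0.4, "regulations": 0.3, "logistics": 0.3}  # assumed
SINGLE_SOURCE_PENALTY = 1.0  # assumed: added when a component has only one supplier


def component_risk(component):
    """Interpreting + evaluating: fold every active supplier's findings and its
    logistics score into one per-dimension vector, then weight it into a score.
    Conservative assumption: each active supplier exposes the component, so the
    worst finding per dimension is kept."""
    dims = {d: 0.0 for d in WEIGHTS}
    sources = SUPPLIERS.get(component, [])
    for supplier, findings in sources:
        for dim, level in findings.items():
            dims[dim] = max(dims[dim], level)
        dims["logistics"] = max(dims["logistics"], LOGISTICS.get(supplier, 0))
    score = sum(WEIGHTS[d] * dims[d] for d in WEIGHTS)
    if len(sources) == 1:  # no fallback source: continuity exposure is higher
        score += SINGLE_SOURCE_PENALTY
    return round(score, 2), dims


def prioritize(bom=BOM):
    """Planning input: rank each product by its riskiest component so a
    cross-functional team can work the list top down."""
    ranked = []
    for product, parts in bom.items():
        worst = max(parts, key=lambda c: component_risk(c)[0])
        ranked.append((product, worst, component_risk(worst)[0]))
    return sorted(ranked, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for product, part, score in prioritize():
        print(f"{product}: riskiest component {part}, score {score}")
```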

Execution, steering, and monitoring. Introduce regular reporting mechanisms, such as business area-specific reviews of risks and cross-divisional reviews of risks, and ad hoc reporting mechanisms, such as external risk panels or a whistleblower system that can escalate and mitigate risks as appropriate. Control mechanisms could include an OKR-driven (objectives and key results) model based on a cross-functional organizational and process landscape and an internal system for monitoring the risk management process and its efficiency.

Tools and methods. Aggregate internal BOM, supplier risks, and market logistics data, while developing a fully automated and fully integrated IT solution for identifying and assessing risks, as well as tracking responsibilities and mitigation strategies.

Capabilities. Develop risk identification, mitigation, and prevention capabilities related to the technical, financial, and administrative capacity of an organization.

Continuous process improvement. Take a structured approach to identifying potential for improvement and corresponding measures, supported by a mindset of continuous improvement.

Second line of defense

Corporate risk management encompassing values and culture, goal setting, communication and training, programs and processes, technical infrastructure and IT, organization and control, risk management, and monitoring and improvement.

Legal: safeguarding buyers. Provide buyers with a defined framework for the selection of suppliers/components/raw materials, and a real-time overview of the risks via the integrated IT solution for risk management. Request that suppliers regularly fill out a questionnaire on the current risk situation and risk mitigation.

Third line of defense

Process and documentation audit, random sampling, and traceability. Develop a risk management handbook and a database that tracks risks and associated responsibilities.

What does “good risk management” look like?

In our experience, very few organizations can count themselves as leaders in risk management, nor use it to establish a competitive/business advantage. In many cases, they have assembled some pieces of the puzzle, but not all (see figure 2).

Here is a summary of what leaders will have implemented in each area of the risk management reference model:

Risk identification and opportunities. The supply chain has been modeled completely and transparently (in other words, which risks exist and which customers are exposed to these risks).

Execution, steering, monitoring. Cross-functional processes have been implemented to address risks. These will include a weekly reporting routine, structured approach, and checklist to assess risks and set up a task force. The organization will have a catalog of measures for known risks.

Tools and methods. An integrated and near real-time (less than five hours) cloud solution will collect all relevant data centrally and model risks. A risk management tool will present risks transparently along the value chain, with an interface to suppliers.

Capability setup. The organization will have the data science skills to model relationships and to create and manage IT solutions, together with cross-functional knowledge regarding industry-specific relationships, since parts are reused everywhere via platform models. The organization will have the skills to ensure process security and the mentality to identify the best possible solutions.

Continuous process improvement. After each incident, the organization will hold workshops with the process participants, possibly involving the respective suppliers and customers, and extract the potential for improvement.

Second line of defense. The buyer, supply chain manager, and risk manager will be involved in the development process with the value proposition of “Go” and “No go” component lists. If a supplier does not meet the relevant risk criteria, the buyer, supply chain manager, and risk manager will be able to exercise a veto.

Third line of defense. The organization will conduct internal and external audits on a regular basis to obtain expert opinions.

Ready to make risk management a strategic asset and a source of competitive advantage?

We understand the complexities of establishing a strategic risk management function and its implementation toward a competitive advantage. Our transformation approach ensures a comprehensive perspective with a clear business case. To talk more about your ambitions and how we can help, please contact the authors below.