Let me tell you a story because it is the time of year for fables.
A Scottish company (Dundee Ltd) is growing rapidly after only a couple of years in existence and needs to find a supplier that has the capacity to scale up to meet increasing demand.
The CEO approaches RA Ltd. (known in the industry for its risk-averse philosophy and for being limited in other ways), which is based in Newcastle.
RA responds with caution, as we might all expect. While they are very interested in having a major new customer that could grow its revenue by 20% if Dundee’s forecasts are reliable, they can see significant risks, including:
- They would have to invest in new tooling to meet Dundee’s design requirements. While they expect that their margins on sales to Dundee would be double their existing level, there is a risk that the tooling costs would not be recovered if Dundee either fails to purchase in the quantities they are forecasting, cancels after one year or less, or there are problems manufacturing to Dundee’s quality requirements.
- If Dundee hits its projected sales numbers and gives them the purchase orders it is forecasting, they will quickly run out of capacity. They will have to not only expand their footprint at a substantial cost, but also hire significantly more people. What happens if the Dundee business fades away later and they are left with significant excess capacity?
- The credit that Dundee is asking for exceeds their credit limits and their risk appetite. Even asking for prepayment is insufficient to pass the risk appetite requirements; Dundee has indicated they would only make a 10% deposit rather than full prepayment, and then only for the first three months’ orders. The credit Dundee needs is expected to increase rapidly, further violating risk limits.
- A commitment to Dundee would make it very difficult to take on other new customers. In addition, investors and regulators might be concerned about the company’s over-reliance on sales to a single customer.
RA’s CEO listens to his CFO and Chief Risk Officer. They are very concerned about breaching the risk appetite that has been set by the board. “What will the auditors tell the board when they find out? What will the regulators say?”
The CEO decides not to take the risk and tells Dundee that they can only accept purchases that are prepaid and only to the extent of its existing capacity.
Dundee’s CEO is disappointed and informs RA that she will have to think about it and get back to him. (No point in burning bridges.)
She then contacts another potential supplier based in Blackpool, RP Limited (that has a reputation for being risk-practical).
RP is about the same size as RA, with similar capacity and ability to meet Dundee’s current needs. Like RA, it would have to invest in new tooling and may have to expand at a cost and risk if Dundee’s sales projections are accurate.
RP’s CEO listens attentively to Dundee’s CEO and says she will have to get back to her but is very interested.
The CEO calls a meeting of her direct reports, including the CFO and CRO. They talk about both the pros, which are significant, and the cons, which are also significant.
The CRO confirms what the CEO fears, which is that the risk will exceed their stated credit limits and the risk appetite approved by the board.
However, the RP CRO is business practical. While the rest of the executive team flesh out how they could manage the additional sales volume, what it would take to get the new tooling in place, and so on, the CRO uses his laptop to run the (risk) numbers.
The CRO signals the CEO that he wants to share the results of his analysis.
He explains that the projected return on the deal is significant, and the team can probably take a number of steps (such as obtaining funding from Dundee for the tooling, which is not uncommon) to mitigate the risks to some extent.
Overall, he is comfortable taking the risk.
The opportunity outweighs the risks.
He comments that COSO explains in its ERM Framework that there are times when the risk appetite should be exceeded or modified, and this is probably one of them. (He takes the opportunity to share his view that a risk appetite statement is of limited value, and he would like to talk about that subject with the CEO later.)
After the meeting, the CEO calls the chair of the board and they agree that this is an opportunity that the company should take. With leadership from the CRO, management can take reasonable steps to manage the related risks. This is one of those cases where even high risks should be taken!
The chair undertakes to call the rest of the board members to confirm, while the CEO gets back to Dundee to start contract negotiations.
Which company is more likely to succeed?
Which CRO would you be?
What should the CAE at each company do?
I welcome your thoughts.