From time to time, I am asked about the best risk management activity I have seen. Perhaps the best overall ERM was at SAP. I wouldn’t say it was perfect but it did include not only periodic reviews but the careful consideration of risk in every revenue transaction (including contracting) and development activity.
The best risk management activity was when I was with Maxtor, a $4b hard drive manufacturing company. It was based in the US but had major operations in Singapore, which is where I saw this.
The head of procurement for the region, a vice president, and his director were evaluating bids to supply the two Singapore plants with critical materials.
Margins in that business were not high, so the effective management of cost was very important indeed.
[David Griffiths has pointed out that my post, as originally written, did not specify the objectives to which we have risks. I am adding them here:
- Procure critical materials at the lowest possible cost to optimize margins
- Ensure timely delivery of critical materials to support manufacturing and timely delivery of finished products to customers with a positive effect on customer satisfaction
- Minimize supply chain disruption risk
- Ensure quality materials so that scrap and rework are minimized, manufacturing is not delayed, costs are contained, and customers are satisfied]
But there were additional issues or ‘risks’ to consider:
- The choice of a single vendor would increase the likelihood and extent of supply chain disruption if that vendor was hit by floods or other situations that could disrupt its ability to manufacture and deliver.
- If we were dependent on a single vendor, that vendor could demand price increases.
- If we were dependent on a single vendor, we could not switch with agility to another should the single vendor have quality manufacturing problems.
- If the decision was made to select two vendors, the total cost would be likely to increase.
- If two vendors were selected and the supply split between them, there would be less desire for them to make us a priority customer.
- If only two vendors were selected, there would still be significant supply-chain disruption risk.
- If more than two vendors were selected, additional agility would be obtained, but at a cost.
- If more than two vendors were selected, they might be less reliable because they would be less dependent on us as a major customer.
Cost was not the only consideration. Quality, timely delivery, and our agility to respond to any form of disruption were also very important.
The procurement VP gathered together all the potentially affected parties to participate in the decision, including the vice presidents for finance, sales, manufacturing, and quality.
They considered all the options, the consequences of each decision (both positive and negative), and decided to select three vendors and split the allocation between them. They also decided to negotiate backup supply contracts with a couple of other companies.
The decision involved taking a higher level of some risks and lower levels of others.
Basing the decision on whether one risk was too high would not have led to the optimal overall result.
Now, how would a risk appetite statement have helped the VP of procurement?
I believe the answer is “not at all”.
What do you think?
I welcome your comments.
Norman D. Marks, CPA, CRMA, retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.