The number of businesses with integrated enterprise risk management (ERM) programs, technologies and strategies is on the rise. Most businesses surveyed by RIMS in its 2017 ERM Benchmark Survey have either partially or fully integrated their ERM programs, and fewer firms say they have no plans to do so, compared to 2013 figures.
However, a wholly effective risk management strategy still appears out of reach for many companies. Forty percent of businesses surveyed in the report said their organizations are not using insights from their ERM programs to influence their company's overall strategy, or they aren't sure if this is happening. Respondents cited challenges in the ownership of their ERM programs, and a high rate of dissatisfaction in how their risk management strategies actually align with their firms' strategic decision-making.
Part of the problem, said David Nolan, CEO at Fusion Risk Management, is that organizations may be making some critical mistakes, and hold important misconceptions about risk overall. One of the largest missteps can be failure to look outside the four walls of a company. Indeed, risks from third-party service providers, suppliers and other partners can have a detrimental effect on a business.
"What is significant is the realization that supply chains represent, in many cases, material points of risk," Nolan told PYMNTS in a recent interview. "An impact on the supply chain can be just as severe as an impact within the organization."
That recognition led Fusion to recently announce the expansion of its corporate risk mitigation offerings for enhanced third-party risk analysis. This is key because, considering how many players operate in a single supply chain, it is significantly more likely that a company will be exposed to risks from a third party, he explained.
Yet, simply looking at one's supplier base for risk is hardly enough. Too often, said Nolan, companies will narrow their risk analysis to Tier One suppliers — the vendors that sell directly to the company — or fail to recognize that risks emerge far beyond the black-and-white financials of these third parties. One of the biggest mistakes is for a company to "think about third-party risk in the context of financial risk," he explained. "They do the research and say this vendor is financially stable."
Unfortunately, that stability may not be the biggest point of risk for an organization. For instance, if a significant portion of that vendor's supplies stem from a single factory in the tornado belt, or in a hurricane zone, that factory presents a "single point of failure" (SPOF) for the corporate buyer.
In another example, Nolan pointed to a client focusing its risk strategy on Tier One suppliers that provided at least $100 million worth of material. However, a deeper look at the company's risk exposures revealed that the largest SPOF would not come from one of these vendors. Instead, that company relied on a single ingredient found in $8 billion worth of their product. That, Nolan noted, was the biggest point of risk.
"The single point of failure is not a matter of what you spend," he said. "And most risk management companies don't think of Tier One suppliers properly. What they should think about is, 'What is the potential downstream impact?'"
Businesses must ask simple questions of their vendors to identify their suppliers' own SPOFs, which could cause that company to fail in delivering to a corporate customer — even if that supplier is financially sound. Those points stretch beyond finances and into geographic territory, diversity of a product portfolio, technologies used and more.
Within the enterprise, firms must also understand that risk mitigation does not necessarily rest on one professional's or one department's shoulders. RIMS found in its 2017 survey that most organizations assign responsibility for risk management to a designated risk management department. However, because every area of the enterprise can be exposed to risk in one way or another, Nolan said all departments in an organization must participate in the risk mitigation process so that they understand how to respond.
That response strategy, when exposed to a risk, should be "just as familiar to them as an evacuation of the building might be," he added.
While everyone can — and should — participate, today's C-Suite executives need to step up and round out their companies' risk management strategies. That includes not only assessing third parties' risks down the supply chain and beyond financials, but taking a sometimes-difficult look inward to analyze whether the company is holding itself to the same standards to which it holds its supplier base.
"I've never met an executive who wanted to guess," said Nolan. "You have an absolute responsibility to understand how your organization works, how it might break and how you might protect it. You cannot get caught off guard."