ERM Exchange has provided enterprise risk services to a number of organizations across a variety of industries including life sciences, research, manufacturing, distribution, e-commerce, managed services, healthcare, higher education, and other not-for-profits. While certain risks are inherent across most industries (e.g., intense competition, pricing pressure, investments in technology, information security, talent management), other risks are unique to the industry, and even more distinct to each enterprise.
Risk Management Response Strategies
Industries Served
E-commerce
- Continued product diversification
- Heavy reliance on critical third-party providers including product manufacturers, freight, fulfillment, network availability, security, and call center services
- Managing negative customer feedback to mitigate litigation, consumer and investor confidence
- Regulatory oversight by several Federal and state agencies
- Ongoing integrity of spokespersons and other influencers
- Information security and data privacy
- E-commerce platform integrity
- Heavy call center employee turnover and maintaining consistent brand messaging
Higher Education
- Declining market share and challenges in meeting enrollment targets
- Increasing tuition and room & board rates create a financial strain on students and applicants, clouding tuition strategies
- Challenges in achieving debt covenants
- Weaker financial performance results in reduction or deferral of capital projects
- Tuition strategies
- Significant regulatory compliance including athletics
- Challenges in creating and maintaining a brand
- Institutionalizing new revenue streams is inherently challenging
- Crisis management, social media, and risks associated with loss of digital assets
- Safety, security, and inherent challenges with student misbehavior
- Information security and privacy
- Sustained academic success
Healthcare
- Significant and ongoing changes in reimbursement driven by bundled payment, value-based purchasing, and Accountable Care Organizations
- Reduced length of stay placing greater pressure on the entire healthcare continuum
- Negotiated payment strategies
- Constriction on service providers by managed care plans and risk-based contracts
- Paradigm shifts due to Population Health initiatives
- Declining census
- Staffing challenges
- The capital intensity of healthcare as a business
- Rapid changes in healthcare sector cloud strategic decision-making process
- Information security and privacy
- Regulatory burden
Life Sciences
- Substantial investment in product development with uncertain outcomes
- Limited liquidity and generating additional capital
- Supply chain interruption
- Insufficient internal compliance and negative regulatory inspection
- Communication response failure to issues cited in the public arena
- Responsiveness to market dynamics
- Information security and privacy
- Product liability litigation
Managed Services
- Compliance with contractual performance and administrative obligations
- Intensifying competition from large scale and smaller, more nimble competitors
- Staff recruitment and talent management
- Union workforce and labor management
- Maintaining service quality, reputation, and brand management
- Crisis management and social media awareness
- Workplace safety
Other Not-for-Profit
- Inherent challenges in seeking new funding sources and retaining existing sources
- Economic challenges of the institution may impact the faith and confidence of donors and other funding sources
- Inherent regulatory compliance burden
- Information security and privacy
- Brand and reputation preservation
- Retaining adequately skilled staff
- Expanding mission, fiscal constriction
Research
- Significant dependence on government-sponsored funding sources
- Intensifying competition for funding sources
- Maintaining quality, accuracy, and integrity of research publications
- Retention of key personnel, especially principal investigators
- Technology transfer and the inherent difficulty of converting discovery to commercialization
- Avoiding conflicts of interest and foreign affiliation disclosure
- Regulatory compliance
- Information security and privacy
Manufacturing
- Market sector cyclicality and seasonality impact on sales and cash flow
- Heavy reliance on a smaller number of customers
- Substantial investment in product innovation and development with uncertain outcomes
- Union and labor-management
- Geopolitical risks and unexpected supply chain interruptions can impact revenue and reputation
- Intellectual property infringement and the cost of litigation
- Acquisition strategies require substantial capital and focus to ensure a successful return on investment
Distribution
- Intensifying competition from large scale and smaller, more nimble competitors
- Inventory management and same-day delivery model capacity planning
- Customer purchasing functions emphasizing low pricing as key purchasing criteria
- Vendors and customers demanding more sophisticated technologies to transact business
- Union workforce and labor management
- Regulatory compliance managing fleet of delivery vehicles and drivers
- Workplace safety
Risk Management Response Strategies
Risk management response strategies are often unique to their related risk. A pattern of response strategies in risk management has emerged when drawing from a variety of organizations that have undergone risk assessments… irrespective of the industry.
Communication
Mechanisms to enhance communication dominate risk management response strategies. Regardless of whether the communication is insufficient within an organization, or communication to educate customers and the public due to negative information rapidly spreading outside the organization in news media or in social media, management teams continue to employ activities to ensure speedy and clear communication about their risk response strategies, products, and services – especially when things go bad.
Cybersecurity Resiliency
Improving security over operational, financial, and technical data continues to grow in cost and complexity, as the sophistication and complexity of cybersecurity threats will not abate in the near term. Cyber threat protection and response strategies and tactics are demanding a greater re-allocation of capital year-over-year to ensure as little disruption as possible, and the continued confidence of customers in handling their financial, operational, and other data.
e-Commerce Resiliency
The accelerating pace of change in the e-commerce landscape can result in serious consequences to the growth, planning, and delivery of products and services. New and ongoing investments of time, energy, and money to mitigate the risks associated with e-Commerce can be enormous and the expected ROI on such investments can often be fuzzy when considering the implications of customers, suppliers, and intensifying competition. The best risk management response strategies are often developed by a team with a wide mix of skills and talent including operations, finance, sales & marketing, and compliance, as well as technology. These strategic risk response teams often lean on outside expertise to decipher ‘what’s next?’ and ‘for how much?’
Supply Chain Resiliency
Concerns regarding disruptions to the supply chain are nothing new. Fire, natural disaster, raw material shortage, equipment failure, access to water and electricity, loss of information/data connectivity, loss of contract manufacturers and other key vendors are just some of the risks to the supply chain … not to mention inflationary pressure. Who would have thought a disabled container ship in the Suez Canal would impact the supply chain of four continents? Yet, most supply chain failures have an almost immediate impact on revenue generation and liquidity. Your special sauce is no longer special if a key ingredient is missing. Most supply chain risk management response strategies emphasize a fiscally conservative yet practical view of the product, process, and people redundancy.
Accountability
People want to be treated fairly and equitably. It’s human nature. Yet perceived imbalances in accountability are often cited when anonymously polling managers at the start of an ERM program. Specific examples include ambiguous lines of reporting, and a general lack of enforcing accountability for actions taken (or not taken) by certain managers to mitigate risks. Accountability in managing risk response strategies ranges from improving the performance management program including the perceived fairness of rewards to improving the clarity of responsibilities for managing certain risks and establishing quantifiable measures to gauge the success of certain risk management response strategies.
Re-allocation of Capital
For nearly every organization, there is only so much money to go around. Re-allocating capital to the most deserving risk management response strategies demands a considerable amount of time, energy, and focus to ensure the most important risks are sufficiently mitigated. For instance, a life sciences organization granted $10,000 for a contingency planning application/tool only after months of debate. While several managers argued the prolonged debate was senseless given the perceived value and relatively inconsequential cost, the use of the tool subsequently resulted in $800,000 of reduced cost associated with an unexpected and immediate product recall by the vendor of a key ingredient.
Cultivating the Workforce
On a macro scale, promoting enterprise-wide thinking about risks may be the most effective risk management response strategy. Big issues often emerge from small areas of the enterprise. Often enough it is the individuals who are low on the totem pole that identify big risks, yet do not have the confidence, empowerment, or other mechanisms to safely raise concerns without the fear of reprisal. The janitors at Penn State, branch banking personnel within Wells Fargo and mid-level engineers within Volkswagen were acutely aware of “the problem”. However, neither of these organizations had the mechanisms in place to inform the right people of the risks until the rupture was far too great. Risk management response strategies should begin at the top of an organization, but an effective ERM program must incorporate all individuals from within the enterprise.