Gary Lynch is in the business of risk: uncovering it, evaluating it, measuring it, responding to it.
And according to him, the biggest risks businesses face are often self-inflicted. To cut costs and remain competitive, companies are contracting out manufacturing to overseas suppliers and outsourcing their data management, but without thinking ahead of time about the possible consequences or assuming (incorrectly) that they know how to manage the risks. Lynch’s new book, At Your Own Risk (Wiley- VCH), aims to improve that.
It seems like we’re already worrying a lot about risk. But are we worrying about it in the right ways?
Often, companies don’t apply the same rigor to assessing risks that they do to making financial decisions. Or the wrong person at the company is choosing how to address risks. Then there’s timing: Companies start to think about risk only after they’ve made a decision.
So, how should we be worrying?
First, you have to get your arms around how you create value. Then, you have to get line-of-sight up and down the value chain outside the organization. Not just your biggest suppliers, but their suppliers too. You need to know your value chain, from raw material to customer.
That sounds overwhelming.
Well, you have to acknowledge the fact that you can’t do it all at once. Look around at what’s of greatest value to your company. What are the biggest risks to that? Then prioritize. You don’t have the time or money to protect everything.
What Not to Do
Lynchoffers a few examples of folks who learned the hard way that it’s better to assess the risk potential before you roll the dice.
A Perfect Storm
Sometimes companies trip themselves up by focusing too much on the wrong thing. A pharmaceuticals firm with a manufacturing plant in the Caribbean was concerned about possible hurricane damage to their facilities. The executives focused on that issue and spent their risk-management money on that.
Their real exposure, though, was the fact that they had started sourcing their active pharmaceutical ingredients from countries like Korea and China. Those ingredients had to be made properly, and then they had to be moved from those countries through various portsall the way to the Caribbean, facing all sorts of risks along the way.
What happened? The company “incentivized” employees to tell them about problems, and one divulged that a forklift had gone through a drum of liquid ingredient at the plant, puncturing it on the loading dock. The workers had scraped up the liquid and put it back in the barrel. Preparing for a hurricane doesn’t prepare you for a problem like that.
Now You See Him, Now You Don’t
A major financial institution offered treasury-management software to its Fortune 1000 customers. The software let clients look up balances, move money, and make financial transactions — large ones. For security, the institution used encryption and message authentication.
The software had to be installed on the client’s PC. To do this efficiently, the financial institution hired a Fortune 10 company. To keep costs down and be efficient, that company hired a subcontractor.
One day, the financial institution found out a client didn’t get the software as scheduled. One of the subcontractor’s employees had run off with the encryption keys — so all that financial data, even the ability to initiate transactions, was at risk.
The Fortune 10 company asked the subcontractor to find the individual, but the person had been hired by a temp agency and could not be located. (Neither the financial institution nor its vendor was aware of this.) Everyone was trying to keep costs down, and in doing so set up a situation where they didn’t know what was happening.