Internal Audit: Keeping Pace with Changing Time
section-ed7d92c
Optimism Bias towards Risks
Humans, by nature (at least a large percentage) are optimistic about future. But this optimism becomes dangerous when it leads to the belief that "it won't happen to me". That's why many people are under-insured, overspeed on the roads or walk freely without masks & precautions during Covid pandemic.
The same optimism bias translates into the approach towards managing risks in the business. Which parts of the business have the maximum exposure to the risks? No points for guessing right - Supply Chain and Finance. While a structured framework of identifying and controlling Financial risks exists in every business, the Supply Chain risks are left to the fait accompli. The reason is the optimism bias, "It never happened to us, why should we even bother", until one day it happens. The "long term" risks management loses the battle to the "short term" costs savings, when it comes to choosing one over another.
Why Supply Chain is a major source of business risks?
What percentage of end to end supply chain is controlled by one company? Hardly much!
With increasing outsourcing of Supply Chain including the manufacturing operations, the extent of direct control of the focused firms is continuously reducing. There have been number of instances of violation of compliances and norms by the contract manufacturers and outsourcing partners, leading to both loss of business and reputation.
The reasons why Supply Chain is becoming a major source of business risks, are:
According to a study done by Supply Chain Insights LLC, the factors contributing to the. supply chain risks have changed over last 5 years. According to the study, in 2013, 80% of the supply chain leaders accepted to have been impacted by, on an average, 3 material disruptions. The source of most critical risks in the near future will be from Operations Complexity, Regulatory Compliance and Geo-politics events.
How should one prepare for disruptions?
1. Shed Optimism Bias: This step requires a "foresight" into the changing environment and its potential impact on the entire value chain. The value chain includes your tier 2, tier 3 suppliers if these can't be easily and quickly switched-over to the alternative sources. These risks may have profound impact on the strategic supply chain decisions e.g. how many and which suppliers, logistics partners you will have for a category, the design of distribution network, location of the supply chain facilities, the inventory holding etc.
2. Identify Risks in Operations: Map the processes so that you have visibility of what happens in your operations. Process mapping is a useful tool for risk assessment and continued risk management by enabling business owners to better understand the processes and controls associated with identified risks. Once the processes have been mapped, then assess what may go wrong, what could be impact on the business and what controls exist to prevent the short-cuts & leakages. Prepare a Risk Register and update it periodically.
3. Structure Audit Programs to check the effectiveness of Process Controls: Operational audit or Internal audit has been effective and a tested technique to test the effectiveness of the process controls and risks management. Higher the perceived risk, higher is the periodicity of audits required. However, most of the companies have a very rudimentary system of conducting the audits, using pen & paper or excel sheets that do not provide end to end visibility into the audit management program. Also, few companies use an integrated audit management system that assesses the gaps and tracks the linked corrective & preventive action plans to plug the gaps. Implementing such an integrated system may not cost much but may give multiple times ROI in preventing the process control failures.
Operational or Internal Audits in most of the companies are riddled with long established manual processes, which results into high audit cost of in-house resource, lack of end-to-end audit visibility, and gaps in compliance.
Another gap in the audit process is that it is mostly focused on the internal operations. In the areas of outsourced logistics and sales channels, the audit means only inventory counting, as-if that is one and only risk that exist in the logistics operations. There are whole lot of risks in the categories of safety, security, legal and regulatory compliances, product quality, process adherence that are mostly ignored. What about the supplier audits? How many key suppliers are audited for a comprehensive risks assessment? A structured and automated audit workflow management e.g. SIMSA, based on the framework of operational excellence (Plan, Do, Check and Act) is a best practice to identify and mitigate risks in the operations.
4. Constitute a Risks Management Committee: A committee of senior management as well as independent board members should look into the overall effectiveness of the risks management, assess the risks associated with the gaps observed in various audits and monitor whether the gaps are being closed in a time bound manner. The committee also sets the risks management guidelines, policies, define the roles and responsibilities of the frontline and supporting roles in risks management and approves major decisions involved in the risks mitigation.
5. Build Agility and Resilience in Supply Chain: Despite taking all the possible measures internally, the external disruptions cannot be ruled out. Agility is about how quickly you can shift gears to counter the impact of any disruption. Resilience is the ability to bounce back to business as normal after encountering the disruptive event. Building agility and resilience requires proactive planning involving "what-if" scenarios and preparing a response for each scenario. Systemic use of predictive analytics and market intelligence involving weather data, port & transportation strikes, geo-political situation & impact on trade-policies / duties etc. go a long way in minimising the "time to recover" in the event of disruption.
Given that the frequency and impact of supply chain risks is increasing by the day, the risk management should be one of the top 3 priorities for any company. A structured risk management and business continuity planning is not just an option but a business imperative to survive and become more resilient to the shocks of disruptions.