Keeping Close Tabs on Risks Pays Off

Risk assessment is an ongoing process.

A manufacturer fully reaps the benefits of risk assessment when it regularly updates its evaluations. A plastics manufacturer, for example, identified that external oil markets created an economic risk that would cause the cost of production to rise 20% within that annual period.

That rise in prices for oil used in plastics production was identified as an economic factor three to six months prior to the actual cost increase. That allowed the manufacturer to consider various proactive steps, such as adjusting sales prices early, implementing equipment to conserve oil waste in the manufacturing process, and recycling oil discarded during the production process, rather than capturing and discarding that oil as waste. When that cost increase occurred, the plastics manufacturer was prepared.

Regularly refreshing company risk assessments enables manufacturers to recognize and respond to such threats in a timely manner. Each updated assessment examines the effectiveness of existing controls, the need for any refinements and the significance of any newly-identified vulnerability. With each update or refreshment, risk assessment becomes more of an internalized discipline that continually enhances the company's business objectives, culture and values.

Management's "tone at the top" nurtures that continuous improvement. By measuring its actions against high ethical standards, management establishes benchmarks for what constitutes acceptable behavior. By repeatedly emphasizing the importance of risk assessment, management prompts others to be more diligent in recognizing and reporting vulnerabilities. For manufacturers, safety is of utmost importance. In a company that has a risk-based ethical tone at the top, no safety violation would go unnoticed, nor would other critical vulnerabilities go unaddressed.

Within such an environment, control responsibilities for entity risks and supporting processes are defined, delegated and documented to establish accountability.

Entity and Process Risk Assessments Take a Top-Down Approach

Entity-wide risk assessment focuses on a manufacturer's most crucial internal and external threats facing based on the likelihood of those risks occurring and their potential impact on the organization. Entity risks include compliance, operating effectiveness, rate of change, technology, economic, reputation, regulatory and financial concerns. Such assessments use qualitative and quantitative standards to measure vulnerabilities.

One small plant, for example, may produce a low-volume product that requires complex manufacturing processes. Although that product represents a relatively small share of company sales, it presents a higher likelihood of risk for production difficulties due to the complexity and small volume. That makes manufacturing of that product an internal, qualitative risk. Risk factors may include quality, safety, warranty and customer acceptance.

Another manufacturer may produce heavy equipment for a handful of large customers in the mining industry. Each customer represents a substantial share of sales. The manufacturer faces considerable impact of credit risk -- and an external, quantitative risk -- if one of those customers needs to reduce heavy equipment expenditures.

Focusing on the most crucial entity-level risks leads to evaluation of the related supporting processes. The company facing a qualitative risk in manufacturing that low-volume product, for example, might examine machine calibration and quality assurance processes to mitigate that vulnerability.

Among other assessments, the heavy equipment manufacturer would likely examine the processes it uses for forecasting customer sales and monitoring mining industry business cycles.

Following that top-down approach throughout the organization enables management and the internal audit staff to assess the impact and likelihood of all internal and external entity risks and the related process-level risks.

Past Assessments and Current Changes are Incorporated in Updating the Risk Assessment

When a risk assessment is updated, judgment and cumulative knowledge gained from past risk assessments can be used to determine which controls are most crucial and merit continual attention.

A metal plating company faces an array of compliance requirements for safely storing, handling and disposing of the various chemicals it uses. Past assessments highlighted potential risks for noncompliance. Based on that history, management may focus on evaluating the additional safety training, hazardous material documentation and other controls it implemented to mitigate those threats.

While reviewing the effectiveness of controls implemented for previously-identified vulnerabilities, risk assessment updates also examine recent changes to identify and evaluate risks presented by those events.

A company may be outsourcing some production to an overseas supplier. Such a change means that various internal and external risks for the supplier are now company vulnerabilities as well. Those vulnerabilities may include credit, labor, or political risks. Any difficulties associated with that supplier could disrupt production throughout the company.

Because that outsourcing will result in job losses, the company must comply with legislation governing such employment termination. The company must consider all of the entity-level risks that accompany that outsourcing.

The company must also consider the related process-level risks. Among other items, that outsourcing requires implementing revised processes for quality assurance, shipping and receiving and various accounting activities. Such change presents the possibility that unforeseen difficulties may arise, and that additional controls may be necessary to mitigate those risks.

A variety of other changes in a manufacturer's internal and external environments present new risks, too. Internal vulnerabilities may arise in meeting new compliance requirements, in migrating to new IT systems, or in resolving workflow difficulties within a new facility that were not recognized in the design and construction phases.

Rising energy prices, negative industry publicity, general economic conditions, political instability abroad, natural disasters or other external events likewise present new threats.

By addressing such changes in its internal and external environments with each risk assessment, the organization reduces the chances of a major unreported event having an adverse impact.

Risk Assessment Leads to Continual Refinement and Improvement

Each risk assessment builds upon improvements made following previous risk assessments. For entity-level assessments, a variety of existing models, such as the traditional SWOT (Strengths, Weaknesses, Opportunities, and Threats) analysis, or the COSO (Committee of Sponsoring Organizations of the Treadway Commission) frameworks for Internal Control or Enterprise Risk Management provide a structure for continually assessing risk. A manufacturer may refine those frameworks, supplement those tools with its own models, or devise entirely new models to identify and evaluate risks.

With each update or refreshment, monitoring existing controls rises in importance in comparison to implementing new controls. Process improvements resulting from risk assessments yield residual productivity gains. Continually monitoring controls and documenting control efforts nurtures a culture that values accuracy and accountability. That reduces the chances of the manufacturer being adversely affected by a significant unreported event. The organization becomes more responsive to change, more transparent, and delivers more value to all its stakeholders.

Alyssa G. Martin, CPA, MBA, is the Dallas executive partner in charge of the Risk Advisory Services group at Weaver and Tidwell, LLP. Martin can be contacted at 817.332.7905 or 972.448.6975. You may learn more about Weaver and Tidwell by visiting www.weaverandtidwell.com


Interested in information related to this topic? Subscribe to our weekly Value-chain eNewsletter.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish