Chipotle needs risk management rehab. In less than two years, the Mexican grill has changed CEOs twice in an effort to regain their once-held reputation as a beloved fast-food chain. A new CEO, however, isn’t the solution. Multiple cases of food-borne illness before, during, and since executive switch-ups have proven the restaurant needs to adopt a stronger enterprise risk management process.
Let’s consider a timeline of events:
This timeline reveals that the company has failed to identify the correct root cause of their repeat food-safety failures.
There are many companies that have failed to uncover and address systemic risk. Wells Fargo was recently dubbed a “repeat offender” by the OCC for their cross-selling and auto-insurance scandals, while Uber acquired a new CEO amidst scandals involving sexual harassment and hacking.
Often, when companies suffer one scandal, they drum up a short-term solution that leaves them open to subsequent scandals down the road. It’s a trend that can only be reversed by effective risk management. Corporations need to put systems in place that can identify the root causes of their risks and mitigate them before they materialize.
Chipotle is the latest company I’d like to enroll in risk management rehab. Let’s take a deeper look at the root cause of the chain’s foodborne illness outbreaks, as well as how they can regain customer loyalty and market value.
The 2015 outbreaks occurred shortly after the restaurant launched an innovation to include locally sourced food in their recipes. Knowing this, we can begin to uncover the root cause of these outbreaks. The problem did not lie with unclean restaurants or poorly trained chefs. Rather, the scandal was a risk management failure.
A civil lawsuit filed in January 2016 in the U.S. District Court of Southern New York alleged that the chain’s food-borne illness outbreaks were at least partially caused by the company’s decision to shift the process of prepping produce from central commissary kitchens to individual locations.
As I often say, a company can outsource the process, but they can’t outsource the risk. In Chipotle’s case, they innovated their industry with decentralized, locally sourced food, but did not follow up with risk management practices to match their innovative business model.
With a decentralized business model, they now have 1000 or so points of food sourcing and contamination, whereas typical centralized systems have a fraction of that. Chipotle neglected to assess this risk, decentralize controls, and implement monitoring at the activity level.
Risk programs need to have a robust taxonomy capability where vendors can be linked to policies, risks, controls, and monitoring at an operations level.
Though the risk stemmed from third-party vendors, Chipotle suffered the consequences. The company disclosed to investors that its profits had plummeted by 95% in 2016 compared to the year prior. The company’s share price also plummeted by 45% in the year following the outbreaks.
Chipotle suffered another scandal shortly after its first, proving that the company failed to accurately identify and mitigate the root cause of their risk. In July 2017, multiple customers who ate at a Chipotle restaurant in Sterling, Virginia complained of symptoms consistent with the highly contagious norovirus, which impacted the chain a year prior.
CEO Steve Ells said a breakdown in the company’s sick policy was the culprit, claiming that an employee was working while sick and had consequently contaminated the food. Ells defended the company's existing health protocols, calling them “excellent” and “designed by leading experts.” But those rules are only effective if employees follow them, he said.
In response, Ells and other Chipotle executives said the company's employees will undergo another round of “comprehensive communication and training” to make sure everyone working at the company understands that they can’t work while contagious.
Ells was right when he said that rules are only effective if employees follow them, but “relentless training” (to use his words) is not the answer, evidenced by the fact that a Chipotle restaurant in L.A. is currently under investigation after receiving multiple reports of sick customers.
Since the fall of 2015, Chipotle shares have shed more than half their value; they’ve undergone two shifts in executive management within two years; and customers continue to shy away from supporting the chain despite increased advertisement and food giveaways.
If Chipotle hopes to come back from these losses, they’ll need to take risk management seriously and implement the proper tools to help them identify, prioritize, and mitigate critical risks.
Whether the food-borne illnesses stem from employees working while sick or disparate food quality assurance practices, the way to prevent future scandals is to ensure a common policy is followed across all locations.
All organizations, including Chipotle, need to implement a risk-based approach to policy management and ERM by:
1) identifying the stakeholders of the policy
2) identifying the root-cause risks that threaten adherence to that policy across the organization
3) addressing those risks with appropriate controls
4) monitoring the effectiveness of those controls on a regular basis
5) instituting incident and complaint management for employees, customers and vendors to report and escalate observations.
As Chipotle searches for a CEO to take Ells’ place, it will be important that he or she believes in the operational and reputational benefits of ERM. But as important as a healthy tone from the top is, it’s just as important to seek out and implement strong ERM processes and systems down through the front lines to ensure the company’s goals are achieved without impediment.