A chemical plant explosion in Japan on Sunday shows the consequences of poor risk management in a really personal way. The Nippon Shokubai Co. produces a chemical that is a critical link in the supply chain for one-fifth of all the world's diapers. A diaper shortage is expected.
One, where was the risk management program to prevent the explosion? As is always with these things, in the next 6 weeks, evidence of an employee warning their management about conditions that could result in an explosion will be uncovered. It is always the front line that detects the vulnerability, but too often organization's Enterprise Risk Management (ERM) programs do not reach the front line; and therefore, there is no effective systematic risk assessment and control evaluation mechanism in place to evaluate and allocate resources properly.
Two, how can one fifth of all the world's diaper manufacturing rely on a single factory for a core ingredient? Again, poor vendor risk management. Most organizations manage vendors from a compliance standpoint and request documentation on business continuity plans but rarely do they require these plans to be tested or validated. They are typically just nice looking gibberish documented to meet a vendor compliance regulatory requirement.
Corporate vendor managers often do not incorporate ERM in their vendor management programs so that vendors can be risk assessed from various points of view for their criticality to prioritize the level of examination beyond just checking a box. In this specific case, a risk assessment would have identified that this particular supplier is extremely risky in terms of reliance and ease substitution, perhaps among other things, and thus can be identified as a critical vendor which demands more scrutiny than the standard documentation acquired through meeting compliance requirements.
Both scenarios one and two above are easily addressed by extending ERM out to the front line with an automated ERM Software that is integrated in the functional operations and governance, risk, and compliance (GRC) areas of their institutions. It typically takes only 90 days and US$15,000 to save millions or more. ERM programs are jokingly underfunded, so when you are making your next business case for automating your ERM program, help illustrate the operational consequences on business performance, and not just compliance, to get your business case approved, as you do not want your organization to be in the news for having caused a major operational risk due to negligence--or worse be shopping your resume with the equivalent of dirty diapers on your hands!
Comments