MANAGING RISK AND LEADING
IN UNCERTAIN TIMES
Manufacturers face a multitude of headwinds and risks such as:
• Anemic underlying economic growth in the U.S., Europe, Japan and other developed markets
• Dramatic slowdowns in the economies of China, Brazil, Russia and other emerging markets
• Anti-trade threats from U.S. presidential candidates in both parties
• Supply chain risks from some countries because of economic, natural disaster or weather-related threats
• Price swings in oil and other commodities
• Cybersecurity and terrorism risks
Cybersecurity is a huge and growing risk to most businesses. While headlines focus on large scale breaches at the largest companies and government agencies, small and mid-market companies are vulnerable targets, as well.
• In addition to financial scams and the release of sensitive customer data (e.g., health records and credit card info), there is also a risk to companies’ intellectual property from competitors in countries such as China and Russia.
• Many executives at the table had experienced cyberattacks against their companies first-hand.
Some ideas to mitigate and protect their companies included:
• Make sure your IT team is up to the task and “audit” them regularly. Just as you trust your CFO but have an outside accounting firm audit your financial reports and systems at least annually, one should consider doing the same with your IT team. Cybersecurity is a fast-moving area, so you need to make sure your IT team is on top of the latest threats and solutions.
Some IT leaders had built secret “back doors” to their systems they were able to access remotely—another point of vulnerability that an outside auditor could detect (or prevent if the IT staff knew there were ongoing audits).
• Up-to-date firewalls and cybersecurity software are key, but training to prevent human error is just as important.
• It’s difficult to prevent employees from checking private emails or visiting non-business websites during their breaks, so they need to be trained and made aware of the risks from Phishing and not to provide sensitive information on any site that they haven’t verified is real.
• Many cyber thieves are now researching companies’ organizational charts and posing as senior executives and asking financial staff to wire funds. New processes need to be put into place to require verbal confirmation before wiring funds.
One participant’s finance team got new bank account wiring instructions from a supplier, or so they thought. Fortunately that accounting department clerk called the supplier to confirm the new information on the phone, and was told it was a scam. They have now put in place new processes to validate changes in banking and wiring information.
• There are new soft ware tools such as MAAS 360 which allows one to partition employee cell phones and control the business emails and content—and wipe out records remotely if the phone is lost.
• Insurance is the last line of defense—better to do what you can to avoid a problem before it happens—but it is still a necessary line of defense. Make sure your insurance policies cover cybersecurity threats appropriately. The best cyber insurance policies are being underwritten by London-based insurance companies. A good insurance broker should be able to guide and manage this process for you.
Natural Disasters and Business Continuity
Threats from fire, floods, earthquakes, tornadoes, etc. vary by region, but most companies face some of these risks at their HQ, factories, and/or along their supply chain. Most companies have business continuity plans to respond to catastrophes that include backing up data and computer systems remotely, but there are short-term, medium-term and long-term backup plans, and most small and mid-market companies only have the short-term plans in place.
• A key vulnerability is suppliers—do key suppliers have adequate emergency plans?
• Short-term plans involve ensuring that the company has backup computer systems and phone systems so they can access customer and financial records remotely if there is damage to their facility. Many short-term plans also have arrangements for temporary new buildings where employees can come to work if their facility is damaged or destroyed, but these short-term plans don’t ensure that the company can still produce their goods and services; they’re mainly for offices.
• A best practice is to have a medium-term plan if your plant is destroyed. One company has a mutual aid agreement with a competitor—they will produce for each other in case of an emergency.
Others have arrangements with suppliers to put some production capacity in their locations in case of an emergency. Others have private-label arrangements with competitors set
up in case of emergency.
• Long-term plans should include facility and equipment rebuild contingencies, including a centralized place to store plans, vendors, etc.
• Some companies require their key suppliers to share their emergency backup plans to make sure their supply chains are adequately protected and have annual audits of their key supplier’s
business continuity and disaster recovery plans.
• Most companies have backup suppliers for key inputs lined up—although some don’t have enough geographic diversification if a natural or man-made disaster wipes out a cluster of suppliers in a region.
• One participant keeps 6- to 12-month inventories of key raw material inputs to protect them from supply chain interruptions—need to weigh costs vs. alternatives.
The CEOs Role in Monitoring/Mitigating Risks
Risk is a part of doing business and will never be completely eliminated. CEOs need to learn to live with some risk, but:
• Having a strong team of executives below you is the best defense
• Apply the 80/20 rule to focus on the the key risks
• Create backup plans where you can, have adequate insurance protection as the ultimate backup
• Need to learn to cope with stress and uncertainty—exercise the mind and body to deal with the ongoing stress
• Strong executives will worry about the risks so you don’t have to.
• More importantly, they’ll build contingency plans so you don’t have to.
• It’s best to delegate what you can to your leadership team and ask them to identify the key risks to overall business and their function—and review it periodically with them.
Facilitator: Wayne Cooper, Executive Chairman, Chief Executive Group
Expert Resource: Ivor Bamberger, President, Chief Executive Insurance Services (www.ChiefExecutiveInsurance.com)