As Hurricane Harvey took aim at Houston, a large manufacturer and supplier well away from the hurricane’s path figured it was safe from disruption. The risks of the storm so far away seemed small. But it soon became evident how many critical raw materials and key suppliers were in the hurricane’s path of destruction. Days of downtime became weeks. As shipments were missed, it was difficult to explain to customers why such a risk was not mitigated. In retrospect, it all seemed so obvious to company leaders. Why didn’t they build safety stock? Why didn’t they have multiple suppliers? Why hadn’t they adequately identified these obvious risks and mitigated them? Why, indeed!
Risks can develop as a result of external uncontrollable factors like severe weather, added regulations, or sudden, changing market demand. More commonly, however, risks develop and change within the operations you are charged to govern. Internal factors can include aging infrastructure and electrical systems, fire suppression systems designed for your plant 30 years ago, or critical spare parts which may not have been adequately stored and conditioned. The possible risk factors are endless, especially if your operation is complex, aging, and being stretched to accomplish more than it was originally designed to do.
Failure to identify your key external and internal risks—and actively track, manage, and mitigate them—can result in unsafe operations, financial loss, customer alienation and even a broader industry impact. If you govern a manufacturing operation as an executive or board member, you should insist on a strong risk management process that is integrated and becomes a natural part of your executive management team’s day-to-day activities. Note I said “process.” An effective risk assessment process is continually seeking inputs from the operation and your external environment to understand emerging risks that need to be managed, and just as importantly, which risks no longer need active oversight.
You likely have some form of risk assessment in your organization. Perhaps it is a report done annually or part of a year-end audit. Is your current approach sufficiently comprehensive? As a CEO, a key responsibility is to ensure that you have the required information to make informed strategic decisions to protect the stakeholders, ensure business continuity, and make wise future investments. Does your current risk management process adequately provide you, your shareholders, customers and employees with all the information they need? A robust process allows you to focus on your organization’s most critical issues and assure your customers and stakeholders that your team has its eye on the right issues and is actively taking steps to solve them. A robust process is not done annually; it is a living process which captures risks as they appear and evolve.
“The accountability of executives is expanding daily and there are real expectations that you are not just sitting in meetings rubber-stamping the status quo.”
So how do you know if your risk management process is robust? In my experience, these four scenarios are warning signs that your system may need an upgrade.
You dig the details. On your path to becoming an executive, you excelled at the details. That’s what made you successful. However, if you find your executive team or directors are focusing on operational details, it’s a sign that you do not have a strong risk assessment process. With a robust process, your executive team and board naturally deal with higher level issues as they focus on the five biggest risks facing the enterprise. The conversation is about resourcing, tracking progress, and understanding if the risk is increasing or is being mitigated effectively. In our hurricane preparedness example, the collective experiences of those around the table can contribute to the comprehensiveness of the mitigation plan. It’s less likely those executives can provide true insight on the details of your shop floor operations.
Unplanned outages become the norm. Let’s face it, unplanned outages do occur, but they should not become commonplace. Listen for indications that the operating staff is becoming comfortable with the frequency of unplanned outages, and they expect you to understand “that’s just the way it is.” Unchecked, this will result in excessive unbudgeted overtime, extended repair times due to the unexpected timing, and reduced outputs impacting sales volumes. A robust risk management process will capture the information about these failures and help you focus on the big-picture issues you, as an executive, can and must manage. Examples may include inadequate preventive maintenance, inadequate reliability systems, and inadequate skills. You need to understand these underlying issues and drive the organization to fill the gaps.
The solution is too easy. When outages or accidents occur and your team seems to have an immediate remedy or fix, chances are high that the risk was known in advance and not adequately addressed. Operations are complex and usually require careful analysis to solve the issue, so an immediate diagnosis is a warning sign. An example is the care and time it takes to fully understand what caused a sudden critical pump failure. Potential causes range from a problem with the original casting to improper alignment, bearing failure, or vibration. Working through the root cause analysis is the key to avoiding future failures. If your team has an instantaneous answer, chances are they’ve seen the issue developing and thought about it for a while. Or they may not be determining a true root cause, leaving you vulnerable yet again. In your governance role, you need a process where these risks are brought to light, options for resolution discussed, and a path chosen. As a governing body you may choose the same course, but you do so with the knowledge of the risk and an understanding of the potential impact on your stakeholders. At a minimum, you need to consider the risk from a holistic perspective of customers, owners, safety, and business continuity. In the absence of this governance process, the holistic review will not occur.
The one-off incident keeps recurring. As an executive or board member, you sit through many reviews. Take notice when you begin to hear that an outage or incident was a “freak accident” or a “one-off” occurrence. These explanations may indicate a lack of rigor in understanding root causes of failure. Pay particular attention when these “one-offs” are concentrated in a specific department or related to a certain type of equipment. This may be an indication of inadequate risk awareness and mitigation.
If one of these warning signs hits close to home, what can you do?
Truly understanding risks related to business, and manufacturing in particular, is a difficult task and one that often gets postponed as the daily swirl of the urgent prevents you and your team from finding time for the critically important. As a president, CEO, or board member it is critical that you drive a process where you accurately understand your risks of business interruption and are able to deliberate and be intentional about the action plan related to that risk. So how do you drive the needed change? Without some injection of knowledge or process, improvement will not occur quickly. I recommend a two-part approach.
- Introduce a third party that will evaluate the situation and work with your leadership team to do a deep, rapid risk assessment to stabilize operations and introduce a new set of risk identification processes. The fresh eyes will more rapidly identify risks previously overlooked. A prioritized plan to mitigate risks will provide a tool for the organization to rally around.
- Provide tiered training in risk identification and risk assessment throughout the organization to build internal depth and strength which eventually transitions to a culture of continuous risk assessment on a personal and business level.
I recommend the use of a third party, recalling a quote from W. Edwards Deming: “your system is perfectly designed to give you the results that you get.” Given that we have verified time and time again that this is true, the introduction of an outside change agent is critical to driving a meaningful change in a reasonable period of time. The introduction of a third party is often met with trepidation but this does not need to be the case. Your goal is to enhance a well-functioning organization, not tear down the systems and start over. You need to find a third party organization that is aligned with this premise.
The accountability of CEOs and board members is expanding daily and there are real expectations that you are not just sitting in meetings rubber-stamping the status quo. The risks of manufacturing are real, but with a robust risk identification, assessment and mitigation process, you can be assured that you are doing your part to minimize those risks to your team, your shareholders and your customers. However you choose to do it, as an executive or board member it is critical that you insure your organization has a robust risk assessment process. For those of us who are sitting in a positions responsible for manufacturing equipment and lives, an independent risk assessment provides the assurance necessary to know you are managing an appropriate governance process.