OECD calls for increased focus on Outsourcing, IT and Supplier Risk

At a recent conference, the Twelfth Annual Corporate Accountability Conference, 12 June 2014, Cercle National Des Armées, Paris, Pierre Poret, Counsellor, Directorate for Financial and Enterprise Affairs at the The Organisation for Economic Co-operation and Development, told the audience, referring to the OECD’s Risk Management and Corporate Governance report, that “too often, in the enterprise, there was little or no board-level responsibility, with the burden (and oversight responsibility) [for risk management] effectively stopping at the level of the line manager“.  According to Monsieur Poret, the OECD’s findings showed that companies’ boards often played only a very limited role in risk management and that risk management standards were often set at too high a level, with outsourcing and supplier-related risk a key but much overlooked risk.

The report is the output of the OECD’s peer review process which is designed to facilitate effective implementation of the OECD Principles and to assist market participants, regulators and policy makers.  The process covers the corporate governance framework and practices relating to corporate risk management of the 26 jurisdictions that participate in the OECD Corporate Governance Committee.  Its findings are based on general survey responses from participating jurisdictions as well as an in-depth review of corporate risk management practices in Norway, Singapore and Switzerland.

The report, which analysed both private sector and state-owned enterprises, found that “while risk-taking is a fundamental driving force in business and entrepreneurship, the cost of risk management failures is still often underestimated, both externally and internally, including the cost in terms of management time needed to rectify the situation.”  Risk governance standards tend to be very high-level.  This limits their practical usefulness, says the OECD, as they should be more operational.  And in the nonfinancial sectors, risk management is less prevalent.  “Outsourcing- and supplier-related risks …deserve attention in both the financial and the nonfinancial sector.”

The effectiveness of an enterprise’s risk management culture can be critical to an organisation’s success (or failure).   The OECD lists accounting frauds (Olympus, Enron, WorldCom, Satyam, Parmalat), foreign bribery cases (Siemens) and environmental catastrophes (Deep Water Horizon, Fukushima) to demonstrate that the headlines are not restricted to the financial sector; cases where wrong-doing was compounded by corporate governance failure and deficient risk management systems, with company boards which failed to fully appreciate the risks that the companies were taking (if they were not engaging in reckless risk-taking themselves).

The typical modern enterprise has a complex supply chain with a multitude of third party and outsourced relationships.   In the absence of an adequate risk management and assurance framework, says the OECD, reliance on these outsourced and third party relationships can quickly contaminate the organisation, especially if “only lip service only is paid to important parts of the company’s value chain that are outsourced”.  A risk management framework should address all dependence on key suppliers or joint venture partners, with particular sensitivity to suppliers or other third parties located in countries that may follow different standards from the home country.  Companies with diverse, global supply chains should operationalise strategies to cope with the risks which result from a lack of control over their suppliers and contractors spread out across various parts of the world.

Given high profile supplier failures such as Satyam Computer Services (subsequently rescued by Mahindra Group although not before several significant customers including Merrill Lynch (now a part of Bank of America) and State Farm Insurance terminated their contracts with Satyam), as well as headline hitting events such as factory fires and a building collapse in Bangladesh, companies should ensure that third party supplier risk management is given adequate resource and attention, including examining available insurance and other mitigation strategies such as dual sourcing, supplier assessments, contract compliance reviews, exit strategies and stress testing contractual remedies, where these have been negotiated, such as step-in rights and exit plans.