Littelfuse, a leading U.S. electronics company, is rebooting its approach to risk for a more connected world. “In today’s economy, where you are talking about cyberspace, the cloud and global operations, there are vastly different ways to look at the classic risk and internal control module,” says John Quille, vice president and chief accounting officer at Littelfuse. “It becomes imperative to monitor exposures much more closely and in real time. For example, we’re deploying technologies around our control environment that will allow us to monitor transactions real time and globally, across the organization. It’s not just reconciling and accounting; it’s monitoring in real time. We've gone much more to preventive, rather than detective, controls.”
Innovative approaches such as this are essential given that executives face a growing and daunting risk agenda. Digital technologies are creating new risks, with increasingly sophisticated cybercrime — as well as growing concerns over data privacy — significant disruptions. New regulatory frameworks are creating additional compliance needs. Extended ecosystems of suppliers and partners are creating third-party exposures. And the globalization of the world economy is creating intensified competitive risk, or exposing businesses to the risk of falling demand in key markets.
In our survey of leading U.S. manufacturers, we found the sector’s leaders are particularly concerned about risks to their market and operational performance. As Chart 1 shows, there are two standout risks for manufacturers. First, market risk, which is defined as lower demand arising from competition or problems faced by your customers. And in second place, supply chain disruption. Looking ahead, these two risks continue to top the risk agenda, demonstrating that manufacturing leaders expect to keep losing sleep over these exposures in the future.
In this report, we take a closer look at the challenges of market and supply chain risk. We also consider an important exposure — cyberrisk — and ask whether this is getting the attention it deserves given the hyperconnected, digitally disrupted world we live in.
Managing market risk — from defense to offense
Managing market risk means taking initiative. Organizations need to identify the signals and performance indicators that will expose areas of uncertainty and risk, as well as ensuring compliance and control (defense), so that you can act decisively and quickly to reset direction (offense). This means understanding in detail the current state of your competitive environment through having the right management information and data, and using that insight to act quickly on key strategic and tactical questions.
The experience of Big Tex Manufacturing, a maker of customized trailers, illustrates the need for this more offensive approach when market risk combines with broader economic problems across a region. Company President Lance Reinhard says: “Right now, probably our biggest challenge is some of the uncertainty in the economy.” This tends to be reflected both in the difficulties of companies in specific sectors and the resultant knock effects on local economies.
For example, Reinhard notes, the current troubles of the oil and gas industry are affecting sales not only to the sector’s companies — which account for less than 10% of Big Tex’s revenues — but to whole states such as Texas and North Dakota through the effect that the oil patch has on overall regional economies. This means his company needs to focus on other sectors and geographies, which in turn may involve modifying attributes of the company’s product based on specific customer needs. For example, Big Tex has changed the type of paint used on some of its trailers to account for the impact that distinct weather patterns in different parts of the country will have on the wear of products that are mostly used outdoors.
Can you hear what the market is telling you?
Russell Tiejema, formerly CFO of Lennox International Residential and now CFO at Masonite — one of the world’s leading manufacturers of interior doors and entry door systems — believes that companies need to have a close ear to the market to catch the signals that flag a market at risk. However, this can be a problem for manufacturers who have many intermediaries between them and the end customer. “Your ability to manage market risk is often best supported by your relationship with the distribution channel,” he says. “There are manufacturers who sell through large distribution companies who in turn sell on to installing contractors. That can make the sight line into what’s actually happening in the market a little bit murkier. But if you have visibility into your distribution channel, you can see risk in advance and begin to put operating actions in place. For example, you could shift your product to different markets or focus on new product applications to meet gaps that are emerging in the market.”
Market risks on their own, or intertwined with economic ones, make a proactive approach to risk management a core element of long-term success. This can be difficult to achieve. In our survey, economic risks were identified as the second-most difficult risk to manage (see Chart 2). Data analysis, management information and the right indicators are becoming increasingly important as companies try to manage a core risk: What might happen when you don’t make sure you will still have customers tomorrow?
The complex web of supply chain risks
Like a spider’s web, a supply chain is a complex creation, but vulnerable, particularly to threats that cannot be foreseen. Chad Moutray, chief economist of the National Association of Manufacturers (NAM), notes that “people have re-evaluated their supply chains quite a bit over the last few years. That was exacerbated by things like the tsunami and the floods of Thailand a few years ago.”
Such events can, without warning, bring your company’s production to a halt. Nature is not the only potential problem, as Beth Allen, vice president of finance and procurement at Prayon — a chemical manufacturer — explains. “Our main raw material is located in France,” she says. “They have port strikes all the time. Whenever they have one, getting products across the ocean causes us huge problems.” This in turn has knock-on effects on Prayon’s main customers.
On one level, there is little that you can do to address many of these risks directly, especially if you rely on an input where supply is limited, such as certain natural resources. As Allen puts it, “You can’t necessarily control what’s going in your own supply chain, and you certainly can’t control what’s going on around you.”
Survey respondents agree. They are far more likely to say that supply chain disruption
is the most difficult risk to manage (see Chart 2).1
This is particularly the case for midsized firms, where close to one-third make it a top risk. Midsized firms may well be trying to obtain the benefits of global supply chains. However, they may not be able to make their weight felt half a world away if things go wrong.
While supply chain risk is difficult to manage, you can take a number of useful steps to build resilience, particularly through understanding where exposures are and having a contingency plan.
Martin Richenhagen, CEO of AGCO, a farm equipment manufacturer, describes his company’s supply chain risk management as beginning with a structured approach to understanding the business and situation of its suppliers: “You have risk that is specific to a supplier, or industry, or to certain raw materials that a supplier might be using. You also have country risk and geographical risk. So, you need to make sure that, for example, if you have a supplier in Ukraine, you are prepared for possible political and social unrest there.” AGCO evaluates and then scores all these risks. In order to use that supplier if they are high in aggregate risk, “there must be a huge advantage, which normally is price and cost,” Richenhagen explains. “Also, you would certainly not make a very high-risk supplier your only source. You always want to have another supplier or two in the same area,” he says.Cyberthreat: A major risk still under the radar
Do you remember when a hack attack was someone defacing the company website? Today, cyberattacks and data breaches are compromising the operations and reputations of major corporations around the world.
Our survey shows that companies are all too aware of the substantial risk of supply chain disruption, but there is a concern that many manufacturers may not appreciate — the significant risks arising from cybersecurity and data protection. Today, it lies in fifth place on manufacturers’ risk agendas and still only occupies fourth place in the future, as shown in Chart 1 earlier.
This seems inconsistent with the rapid increase in the use of IT by the same respondents, with innovations like automation and the Internet of Things (IoT) seen as significant opportunities. These new technologies hold out exciting opportunities for companies like yours, but also for the hackers and fraudsters who are thriving in the current business environment.
For NAM’s Chad Moutray, the disconnect between the risk concern and technology implementation is very worrying. “We talk about manufacturing now being a data-driven industry — about how incredibly valuable data, patents and trade secrets are to every single company out there that’s starting to create them. As these assets become more valuable, the more of a target they become to the bad actors out there. At the board and C-suite level, people cannot just understand the investments they have to make in technology. They also have to understand the risks that are out there.”
This is a view echoed by Kurt Bauer, president/CEO of Wisconsin Manufacturers and Commerce. “The risk can’t be overstated,” he maintains. “IoT opens us up to many new opportunities, but also to all kinds of vulnerabilities. It could be a cyberattack to access information in files that can embarrass a company. Or worse, it could be stealing its IP, replicating it in a foreign market and then dumping it into the market to the point where the company is no longer competitive and viable. I think it’s a huge threat, and it’s only getting worse. I believe our members are aware of the threat, but if they’re not, it’s at their peril.”
This understanding may be lacking because midmarket manufacturers may not have seen the effects of a data breach on their own firms or those of near competitors, or because they may consider the attention of hackers to be on the major corporations. But as Johnny Lee — leader of Grant Thornton LLP’s Forensic, Investigative & Dispute Services— points out, manufacturing facilities may be the springboard to an attack against a larger supplier or producer because by virtue of that relationship, you have access to their networks. “A discrete manufacturing facility may not be the ultimate target of a cyberattack. You may be the vector — as security specialists call it — to someone in your supply chain where you have access to their networks. If you think you are less of a risk, you are actually the primary conduit that a sophisticated attacker would consider. If I were to launch an attack on a castle, I wouldn’t necessarily go right at the perimeter wall. Instead, I could hop on the cart of the vendor who brings the food in every morning. There’s no reason to do it the hard way. I can attack a much softer, peripheral avenue.”
And the results of an attack are not trivial — they have significant financial and reputational impact. For example, Bloomberg has reported
that Target reached a settlement with Visa over a hack attack in 2013 that would see the retailer pay as much as $67 million to banks that issue Visa cards. As well as the significant financial and reputational cost, the very ability of your company to function may be on the line.2
Based on other computer issues in the past, Prayon’s Allen explains that although hackers have not mounted any major successful attacks on her company, if they did something, which either brought down its computers directly or required them to stop working while remediation took place, the impact would be significant. “If our system goes down,” she says, “it’s almost like the end of the world. If we’re down for five minutes, people start to get hysterical. After one day, you can’t put orders in. You’re at a standstill without technology.”
It is tempting to look away because taking action is not easy. Survey respondents listed cybersecurity and data risks as the third-most difficult of all to deal with, as shown in Chart 2 earlier. It was also easier to look away from increasingly complex supply chains until various incidents — which led to results very similar to those described by Allen — made that impossible. Cybersecurity failures and data incidents are inevitable in the future, especially if companies do not address these issues now.
Grant Thornton’s Lee points out that managing cyberrisk is particularly challenging because the strongest of firewalls can be undone by a single employee’s mistake. “A lot of companies are building these bulletproof fortresses but overlooking a lack of awareness and sophistication in some of the most trusted users on the network. Breaches can occur when someone is using their personal email or iPad. These issues have to be addressed head-on with training and awareness. This is not about a technological fix; it’s about change enablement and awareness training, deployed regularly and consistently.”
The worrying aspect of cybersecurity is that it’s a threat that isn’t even standing still. Cyberthreats are multiplying as the connectivity of people, machines and devices continues to grow. Cyberattackers are also determined to employ new techniques and levels of sophistication to target organizations. As manufacturing companies respond to this moving threat, they need to embed protection into their processes, and ensure their people have the right mindset and training to provide a strong line of defense across the organization.
Enterprise risk as a competitive advantage
Because risk exposures are often revealed when a company is firefighting a breach or disruption, risk management can seem like quite a reactive discipline. However, a proactive risk management approach can be more than just good operational discipline — it can be a competitive advantage. Proactive risk management strengthens supplier and partner relationships, improves business decisions, anticipates disruptions, and can allow you to outsmart the competition. It is critical to not only maintaining your company’s value, but to building it.
Effective risk management has to begin with knowing the nature of current risks. Companies, therefore, need to review their risk management model, governance and resources to ensure that they are able to understand the challenges they face —whether competitors, supply chain choke points, technology weaknesses or other issues.
Consider the risk management talent and skills needed in the organization — the gaps and how to attract and retain the right people. Risk management requires not only technical skills, but also softer skills, such as creativity and the ability to influence and coach.
Companies should also determine whether risk assessments in all areas are frequent enough to allow executives to make key strategic decisions or even identify emerging risks.
Risk management must not be a standalone exercise or afterthought, but integrated into corporate strategy, supply chain management and technology implementation. Doing so will make all of these areas more effective.
Senior leadership need to take the lead in managing cyberrisk demonstrating to your people that it is a critical issue.