Risk without frontiers

Not surprisingly, most respondents (81%) to our survey worked for multinational organisations, either global or across a number of regions. And their companies had all been pretty active in the areas that you would expect, such as outsourcing and mergers and acquisitions.

Almost 60% had outsourced significant functions to organisations located outside their country of incorporation in the last five years. However, of these, only slightly more then half had undertaken any risk assessment of the organisations to which the work was outsourced – a surprisingly low proportion in view of the fact that these are ‘significant’ functions.

For those who had done risk assessments, the most common was due diligence on the company, cited by three quarters. Over half had also examined the external company’s supply chain risk management and also its security procedures. But only a third had looked at its ethical policies.

One risk manager commented: ‘From the expanding use of overseas outsourcing, I am not convinced, as a risk manager, that some global and national operations/organisations are undertaking the required risk assessments.’

Other remarks included:

- ‘If outsourcing, it is of course of utmost importance to demand certain minimum standards as regards protection from the manufacturer. A careful RM study should be organised. The insurance coverage should include BI resulting from a claim in the outsourced entity.’

- ‘It is vital that a robust process of due diligence is used to ensure that factors such as language, distance, culture, business ethics and financial processes are understood and built into service level agreements and formal business or financial agreements.’

- ‘For our company, risk management and risk assessments are vital parts when outsourcing.’

- ‘It is important to facilitate integration between insourced staff and outsourced staff to guarantee a valuable work product.’

A slightly higher proportion – 66% of respondents – said that their organisation had conducted a cross border M&A within the last five years. Reassuringly, in over three quarters of these, the risk management function was actively involved in the due diligence process. Indeed, comments suggest that such involvement is key.

- ‘Depending on the type of M&A transaction, it may be that confidentiality constraints limit the circle of involved executives to a very small number. This is particularly the case where due diligence investigation is not permitted by law. It is also the case that the risk management function tends to be more deeply involved, and at an earlier stage in the process, when business segments are divested/spun-off /sold.’

- ‘My experience of the M&A process is that only ‘insured’ risk and current claims and potential liabilities are actively considered, rather than a detailed holistic due diligence.’

- ‘It is extremely important that the risk management department is involved in the earlier stages of the process.’

- ‘Involvement in the process is important to secure ‘no surprises’ within insurance after take-over.’

- ‘It is vital to be included – also from an insurance programme assessment point of view.’

- ‘Due diligence often limited to financials.’

Risk and region

Our question on whether respondents considered some world regions more risky than others for outsourcing or M&As did not produce any surprises. China topped the list with Russia a close second, cited by over half of respondents. Around a third of respondents mentioned Africa, Eastern Europe, Latin America, India/Pakistan and the Middle East. But as one respondent pointed out: ‘There are risks in all locations used.’

“My experience of the M&A process is that only insured risk and current claims and potential liabilities are actively considered, rather than a detailed holistic due diligence

Other comments included:

- ‘My experience was in China … where the main challenge was (and, I understand, continues to be) a lack of transparency in the laws and regulations.’

- ‘USA – dangers of long-tail legacy liabilities eg: environmental/pension funding etc; Russia – questionable business practices and physical threats to personnel; China – outsourced manufacture product quality.’

- ‘It is vital to understand the reality behind any arrangements and not to assume that what is custom and practice in the UK and large parts of the West also applies in the region/country you are considering.’

- ‘Don’t presume that your way is the only way to do business. Develop a forum within the due diligence group to incorporate regional intelligence.’

Despite the problems, three-quarters of respondents believed that the business opportunities presented by increasing globalisation outweigh the risks, with another 17% considering that there was an equal balance between risks and benefits. One respondent remarked that developing global activities inside the group had given it the capacity to adapt to any kind of circumstances, so flexibility was an important benefit.

In terms of the practical risks that the trend towards globalisation poses, easily top of the list were communication and control difficulties (cited by 76%). Second (67%) was compliance with a wide variety of regimes and third (57%) were cultural differences. Responding to the question of what are the biggest challenges in embedding risk management in a global business operation, respondents made the following comments.

- ‘Cultural differences – both personal and business (many businesses are an amalgam of other businesses acquired at different times) – and related communication challenges with respect to business strategy, key business drivers and a definition of business risk management that is relevant and supportive to both.’

- ‘Crossing those cultural barriers, especially in countries where human life is not highly valued (for example China and Colombia, in my experience), that may make it difficult for local businesses openly to admit that there is any risk or room for improvement – or, if there is, to invest in such improvements.’

- ‘Having a consistent set of strategies, policies and standards that can be profiled and assessed in all areas of operation, to allow the development of local action plans and with the ability to benchmark performance internally and externally.’

- ‘1 Understanding what risks are inherent in different cultures and regions. 2 Applying enough control while keeping at arms length to allow flexibility.’

- ‘The perception of being part of a global operation is not shared the same way around the world. The adhesion to global strategies/policies is difficult to achieve in non-western areas.’

- ‘Securing the leadership and support of the senior management to support the change in culture – attitudes and behaviour.’

- ‘Cultural acceptance at the top that gets translated effectively into acceptance within business units.’

- ‘Local focus is on margin and profitability. Managing risk is grudgingly done.’

- ‘Communicating consistently and overcoming cultural differences.’

Sue Copeman is editor, StrategicRISK