Michele J. Flynn, President, Expense Management Solutions, Inc.
Over the last several decades, companies around the world accelerated deployment of a business model that has enabled them to thrive in a globally competitive economy by building an “extended enterprise” of suppliers, joint ventures, partners, channel partners and distributors. In the extended enterprise, a company identifies its critical competencies and strengthens its ability to excel in those areas while identifying strategic partners to deliver the other infrastructure, services, or materials required for success. One consequence of this evolution is the need for businesses to enhance the management of the relationships within this extended enterprise. These relationships are subject to an intricate web of contractual specifications, legal and regulatory requirements, corporate compliance programs, and demands from customers, shareholders and other stakeholders. And while the conduct of business has always included the management of internal risk, a comprehensive, enterprise-wide approach to risk management is incomplete without a thorough solution for managing risk across the extended enterprise. To manage the risk across the extended enterprise effectively, an organization must have:
• A standardized approach,
• A clear understanding of the risks inherent within the enterprise, and
• A program to mitigate and manage inherent and actual risk.
Whether your corporation operates in multiple regions across the United States, or in multiple regions across the globe, your strategic relationships will involve many stakeholders and are subject to a variety of laws and regulations. TARP, the American Recovery and Reinvestment Act, Sarbanes-Oxley, HIPAA and a virtual alphabet soup of other laws not only compel companies to comply with a variety of regulations, but also make the contracting company responsible for certifying the compliance of its extended enterprise. Development of a standardized approach, supported by the appropriate tools, technology, policies, procedures and infrastructure, is the only way to ensure that your program will be effective. Are all of your relationship managers collecting the same information in the same format on the same recurring schedule? Are they using compatible technology? Do you have visibility across multiple relationships with a single provider? Does management have real-time access to information? Does your strategy track legal and regulatory compliance as well as compliance with corporate programs, contract compliance and performance management? Do you have standards for analysis of the data received, as well as policies and procedures for actions based on the results?
One of the fundamental requirements to manage extended enterprise risk effectively is to be able to define those risks that are critical to the organization. For instance, banks are subject to specific requirements of the Office of the Comptroller of the Currency (OCC). However, risks associated with supplier compliance with OCC regulations are irrelevant for a biotech firm whose products are likely subject to FDA regulations. Access to personally identifiable information from customers is critical to all companies, yet access to private healthcare data is even more critical to insurers and those who provide medical services. Are certain scarce products or specialty services more critical to the survival of your business than others where the availability of suppliers is high or cost of switching is low?
Earlier this year, Expense Management Solutions conducted a survey of companies to assess which risks companies deemed to be the most critical and to weight each category for importance. At the height of the recession, the most critical category was financial viability, followed in quick succession by criticality of the product or service offered by the supplier, and third-party access to personally identifiable data. Knowing which of these is relevant for each relationship, and how critical each is, enables a company to assign a valid classification to determine resource allocations and management strategies to implement.
This is a critically important concept. It’s simply not possible to eliminate risk. Therefore, your goal is to manage risk to an acceptable level. Where risk is high and compliance is unacceptable, intervention will be required to bring the level of risk back into alignment. However, in some areas where the compliance rating is unacceptable but the inherent risk is low, it may be more cost-effective to monitor the situation and be prepared to simply replace the supplier, rather than allocate resources to try to bring that supplier back into compliance.
The challenges each company faces with designing and implementing an effective Risk Assessment and Management Program (RAMP™) vary widely. However, in the ever-increasing regulatory environment in which we all operate, delaying development of a RAMP™ program is a decision few can afford. It does not have to be overwhelming or exorbitantly expensive. While managing risk across the extended enterprise is a relatively new area of focus, there are platforms, templates and working groups available to help. If you’d like to learn more, check out www.expensemanagement.com, send me an email at firstname.lastname@example.org or attend the SIG Summit in Savannah on March 30 – April 1 and connect with me and others in the industry.