The past few days I’ve reflected on enterprise risk. The recent news reports about flooding in Thailand and the resulting impact on supply chains is certainly cause for reflection. You can read more about those issues here and here and here. What is interesting about this is that companies frequently know some things(locations) about their suppliers, but they likely know almost nothing about their suppliers and then their supplier’s suppliers, etc. Even trying to find out that information and develop of dependency map of some kind quickly becomes a hugely complex problem. It just explodes in size.
Consider the tsunami in Japan and its impact on supply chains where the same problem happened. That event affected factories, transportation and employees as well as local services around affected facilities. Auto manufactures are still struggling to catch up.
Frequently risk conversations in the enterprise is limited to just the financial risk around the financial systems and their control. Auditors like to focus on access control, segregation of duties and mitigating controls. Audits frequently zoom into huge detail in these areas to prevent and lower risk due to fraud or insider actions.
I’m now thinking the risks in other areas like securing the intellectual property of the company and assuring business continuity due to ‘black swan’ events affecting the supply chain are likely the bigger risks. Funny thing to me today is that I wrote about this Risk in IT back in 2009. I wrote about IT Hard Problems a few times, but I didn’t include understanding the supply chain risks and mapping dependencies.
More to think about here. Would love to hear your thoughts.