A few years ago, during the process of moving a client from another partner, the original partner ended up deleting the client’s cloud infrastructure, which included their ERP systems. Obviously, company operations ceased, invoicing stopped, and they could not produce the daily reports their client required. As a federal contractor providing parts for military aircraft, this act also caused a breach of contract with the military and a reputational loss that they are still trying to rebuild. When we stepped in to “fix” the situation, I had to assign a team of engineers who spent 48 hours straight rebuilding the client’s infrastructure and attempting to recover as much as they could. The client experienced revenue losses of more than $100,000 per day. Thankfully, with the help of Microsoft, digging into remnant images of the infrastructure, our team was able to rebuild the client’s cloud resources and data estate. That one simple act by a sub to a subcontractor almost caused the bankruptcy of an organization.
So how do we break this down into what the client experienced regarding compliance risk, and organizational and reputational loss?
The compliance risks this client faced during those 48 hours were staggering. Their financial health was put under stress as they were unable to continue invoicing orders (average number of orders per day = 200). Because their inventory system was in the cloud, they could not scan orders and maintain or report on inventory levels, which was another contract requirement. Their old partner did not have a risk management plan in place. Additionally, they had not established a process to predict and manage those risks to help their clients protect themselves from events that might eventually lead to non-compliance. The partner, essentially a subcontractor of the client, did not understand the client’s business processes or the regulatory requirements dictating how the client needed to conduct business and report to their client. Thus, they did not protect the interests, both financial and operational, of the client.
Business is changing rapidly, and what we saw was an old, reactive way of managing compliance risks that led this partner to fall behind the competition. Also, because of the connected ecosystem created between buyer, supplier, and all associated contractors, non-compliance, risk remediation, and fines extend through every entity. This left every organization exposed to larger regulatory and reputational risks than would have been expected.
Organizations need to find ways to better manage compliance risks and be more risk intelligent, which involves being more aware of how non-compliance affects the ecosystem. An integrated compliance model (in this client’s case, it was dictated by their client) across the organization (people, processes and technology) would have kept compliance risk in check and ensured that ethics policies were followed at every level in the organization. The external benefits of this strategy would have reduced risk, provided faster time to market, reduced costs, and enhanced customer experience.
There was no consideration given to this client’s reputation, as there was no process in place to identify risk or non-compliance events. It was overlooked because too much time was focused on operations. It was easy to focus on operations because they are tangible and something the partner and the client had control over. Because reputational risk occurs outside of the organization, it is more difficult to control. Managing it means managing customers, employees, contractors, buyers, suppliers, and the media. These activities were owned by the client, but they still require ethical and compliant behavior throughout the ecosystem. Due to the events that occurred, the client’s reputational loss equated to a market value drop of 12%, affecting business requirements such as future lines of credit.
The following lays out what can be implemented to assist in mitigating risks that can occur throughout the interconnected supply chain:
- Technology and Tools – today’s technology and tools can extract data from current operations and compare that to the compliance framework you put in place and identify where in the ecosystem there is a deviation from set policies.
- Adopt a Framework to Identify and Manage Compliance Risk – Regardless of whether your client requires compliance or not, building or adhering to a risk framework defines the guidelines and policies that everyone within the ecosystem must adhere to. Not only will this identify non-compliance more proactively; in some cases insurance companies will require a well-documented procedure on how you respond to disruptive events.
- Increase Internal and External Collaboration – including all entities within the ecosystem will ensure that any risk and compliance issues are not held in isolation. Automating the workflow and identifying the owners of the risk will help the client make timely and well-informed decisions.
- Training – Establish a well-defined process with well-documented policies, procedures, and guidelines. This should be communicated within the organization and externally to ensure awareness of the regulations, laws, and policies everyone needs to adhere to.
Even though this is not a case study, we learned a lot through this process. We need to step back from the operations of technology. Technology and services only work as well as they are implemented. Services must be implemented based on the client’s business outcomes and any requirements that are placed on them. But if you are truly focused on protecting the client, then one of the most important things you can learn is the client’s ecosystem: who they are and what is necessary for them to operate as a secure organization. Without that, you are living on borrowed time.
President | COO