Chipotle Case Study: Either Manage Risk or Disclose Lack of Risk Management
Steven Minsky | Feb. 9, 2016
Back in 2009, we blogged about the SEC’s decision to require board-level accountability for ERM. This decision was based on the conclusion that inadequate risk management allowed the regulatory failures that ultimately led to the financial crisis. As we wrote in that post, “boards are now required by the SEC to report in depth on how their organizations identify risk, set risk tolerances, and manage risk/reward trade-offs throughout the enterprise.”
That blog detailed an important ruling: it refers not only to integrated risk management competency at the executive level, but at all employee levels that have an impact on company performance. This perfectly mirrors a risk management mantra – risk should make up a part of everyone’s – not just risk managers’ – job description.
In 2007, regulators released Sarbanes-Oxley Audit Standard 5 (SOX AS5), which holds management accountable for the risk of misstated company financials. The SEC disclosure rule is similar in the sense that it uses materiality, not specific risks, as a measure of what needs to be mitigated. It differs, however, in the sense that it applies to all risks, not only financial concerns, and does not take into account an organization’s size. In other words, everyone should be concerned with ERM compliance.
This leads to a fork in the road; organizations need to either adopt an effective risk management program or bite the bullet and disclose their ineffectiveness. There is no third option – maintaining ineffective risk management tools without disclosure is considered negligence, and is easier to prove than fraud is.
Chipotle’s recent fiasco demonstrates the results of poor risk management
According to Business Insurance, Chipotle’s problems don’t end with a host of recent salmonella outbreaks, which have been linked to food sold in numerous branches. The company also “failed to disclose that its ‘quality controls were inadequate to safeguard consumer and employee health,’ according to a civil lawsuit.”
The company is now suffering a major reduction in share prices (“35% since the end of October”), reduced sales (December sales were down 30% in some locations), and a marred reputation that relies upon the appeal of safe, sustainably grown food. The manner in which the company misled shareholders is almost entirely responsible for the civil suit.
Chipotle introduced a great innovation in the food industry: fresh, healthy, locally sourced fast food. However, the company failed to implement the risk management necessary to support that innovation. Enterprise risk management is as much about enabling innovation as it is about facilitating compliance, health, and safety. The check-the-box approach of disclosing the “usual risks” was made unacceptable back in 2010, if ever it was acceptable. Every business innovates, and every business therefore needs to find the unique risks it introduces, get them covered, and disclose them to shareholders.
Had Chipotle’s management implemented an enterprise risk management solution, either of two outcomes would have occurred:
- Food might never have been contaminated, since ERM extends to a robust vendor risk management methodology that helps identify risks associated with a company’s supply chain.
- Even if the outbreaks had still happened, Chipotle would have been able to use enterprise risk management reporting capabilities to evidence its risk program. This would have avoided regulatory penalties, provided evidence of control activities, and guided risk disclosure, all of which would have eliminated liability for non-disclosure of risk.
These outcomes aren’t just possible, they’ve happened before. In 2009, a Morgan Stanley executive was found to have evaded internal controls. The company itself avoided prosecution thanks to the robustness of its internal policies and procedures. Unlike Chipotle, Morgan Stanley “maintained a system of internal controls meant to ensure accountability,” and pointed to these systems when asked about the adequacy of its risk management program.
There is never a 100-percent guarantee that surprises won’t happen. Sometimes, human error and external threats can’t be predicted. What’s important is minimizing the likelihood of those surprises, and ERM software accomplishes just that. At the very least, a robust, well-documented solution provides an easy way for organizations to maintain full disclosure and avoid regulatory action.