
How do you assess this risk?

A risk practitioner is working with operating management to assess the risk of inventory losses due to theft at either or both of its two satellite warehouses.

These are the facts:

  • The two warehouses are in industrial areas of Sydney, Australia and Paris, France.
  • Crime and policing levels are approximately the same. Neither is considered a high crime area.
  • Inventory levels fluctuate but are comparable, as are the sales they support.
  • The Security department has inspected and evaluated security measures at both sites. They are considered up to industry standards and appear to be operating effectively.
  • Background checks are performed for all new hires, and quarterly drug tests are mandated.
  • Employee turnover at both locations is within normal ranges for the industry and the local economies.
  • Your recent inspections of the fencing around the sites found one small hole in each where a child could get through.
  • Losses due to employee or other theft are considered acceptable if they remain below 10 units per month, as industry research has shown that additional measures would cost at least as much as any reduction in losses.
  • It would take shortages of 50 units to seriously affect the ability to fulfil sales orders and generate revenue. At that level, customers might consider moving to a competitor. Loss of any major customer would have a significant effect on revenue and the ability to meet annual corporate targets.
  • Sydney reported shrinkage of 100 in one month. An investigation did not determine how the units had been stolen. One employee (who left the next month) was suspected of being involved.
  • Inventory losses over the last twelve months at each location have been:
    • Sydney: 1, 100, 3, 2, 0, 0, 2, 3, 0, 4, 2, 1 (a total of 118, or just below 10 per month)
    • Paris: 2, 5, 2, 8, 1, 10, 8, 3, 10, 10, 22, 37 (also a total of 118)

How would you go about assessing the risk?

There are no tricks in the question. If you need, state any assumptions you are making.

  1. John J Brown
    March 7, 2022 at 9:11 AM

    Nice layout to the situation! I would place Paris at higher risk for theft due to:
    1. KPI of shrinkage at a steadily increasing level month-to-month, and approaching the 50-unit danger level
    2. Sydney’s one-month of 100 is an anomaly, the other months are single digit and not trending up
    3. I would investigate reasons why Paris may be increasing month-on-month (such as degrading economic conditions, employment conditions, etc.) and create a Key Risk Indicator(s) to monitor the likelihood for increased shrinkage

    Interested in others’ ideas.

    • Norman Marks
      March 7, 2022 at 9:21 AM

      Thanks, John

  2. March 7, 2022 at 9:56 AM

    I don’t think there is a risk to assess but a threat occurring which requires controlling. But is it worth controlling?
    The increasing Paris losses are a concern.
    We need more information.
    Is a single inventory item involved or a range?
    When are the items going – on a particular shift or at night or weekends? Can we use regular inventory counts to determine this?
    Is there any CCTV to help us?
    Are we sure the losses are actual and we don’t have a problem in the system?
    What is the value of goods being stolen?
    What are the options for stopping the losses, and their cost?

    Having gathered all this information, we are then in a position to decide on future action.

    • Norman Marks
      March 7, 2022 at 12:26 PM

      David, why is there no “risk” but a threat?

      • March 7, 2022 at 1:12 PM

        Norman, I’m probably just being pedantic to distinguish a risk which might occur, and therefore needs a ‘risk practitioner’ and a risk which is probably occurring (theft in Paris) which needs an experienced internal auditor.

        • Norman Marks
          March 7, 2022 at 1:17 PM

          OK, I think we agree that both are risks

  3. David
    March 7, 2022 at 6:44 PM

    Hi Norman, great exercise that serves to highlight the limitations of risk matrices and single point assessments.

    Suppose we use the risk matrix to present the risk assessment based on the facts presented in the case and considering what happened in the last 12 months.

    Then, for the Sydney plant we would have to choose 1 value for frequency and 1 for impact. We already have a problem here because the minimum value is 0 and we know that if we say zero materializations in the year that would not be real, and the maximum value is 100 and if we say 100 that would not be real either because it was a one-time event, atypical and unlikely to happen again. So, it would seem that the best value is the average, which would be 9.8 per month and the impact at that monthly value would be within the company’s acceptance. Following this logic, which we are bound to if we use a single-point risk matrix, the conclusion we reach is that the risk remains within the acceptable value.

    For the Paris plant we would have to follow the same procedure and the result would be exactly the same, a frequency of 9.8 per month, which places the risk within the acceptable value.

    As can be seen, following this method we reach the same conclusion for both plants, however, the data and facts show that the plants are under different risk conditions. In fact, Sydney shows a much smaller variation in theft data compared to Paris, without considering the one-time event of 100, which cannot be considered in the analysis of risk behavior because it is an event that is clearly out of the ordinary and was due to specific causes under investigation. Paris, on the other hand, shows a higher incidence of robberies than Sydney and seems to be following an upward trend in recent months. There is clearly a need here to find out why this increased level of risk and to review whether controls are being applied in the correct way.

    In conclusion, looking at the data of what has happened, without simplifying through the risk matrix, the conclusion would be otherwise:
    Sydney had a punctual out of tolerance materialization 1 time in the year and with a high impact that cost the company the exit of a customer and significant economic losses (we make the assumption that this was the impact, according to the forecasts presented in the case). It is reported that investigations are continuing in order to clarify what happened and that current data show that the normal frequency of this risk remains within the limits considered acceptable and that nothing more needs to be done. Since the causes of the theft are not yet clear, it can be advised that it is prudent to take out insurance to be covered in case of a new occurrence.
    Paris did not have spikes above what is considered unacceptable (greater than 50 thefts in a month) but the data shows that there has been an increase in thefts during the last few months of the year and further investigation is needed to find out if there are assignable causes which are moving the incidence of risk outside of its normal and considered acceptable variation. This is a priority before the level of risk continues to worsen and begins to have a major impact on production and customer satisfaction.

    That was the analysis evaluating the risk with respect to what happened in the past, in a context of operating controls, that is the residual risk analysis. And what about the future risk? What is our prediction for what will happen in the next year?

    Again, if we stay with the average, we cannot say anything about the future except that, according to the estimate, this risk will remain at the acceptable level. If we use statistical analysis on the data as statistical control charts for example, we can say in the case of Sydney that the variation is within normal and therefore the risk is controlled. And in the case of Paris we can say that the data show variations outside the normal and therefore it is necessary to intervene to know what is happening and prevent increases in risk. We have then, thanks to the statistical analysis of the data, a future prediction based on past information. To complete the analysis of future risk we should also consider the risk factors identified in order to make reasonable recommendations. Both plants are in a similar condition with respect to all the risk factors that are important: crime, turnover, security controls, etc. The only thing that was detected in both plants was a small hole in the fence and it would have to be analyzed whether this hole could represent a real vulnerability conducive to risk. If so, we would have to add to the conclusions dictated by the data the recommendation to close the hole to mitigate possible theft scenarios.

    All the analysis presented above cannot be put into a risk matrix and therefore if this were the instrument to present the risk assessment we would have a problem to effectively communicate the relevant information and support a good decision. What is the alternative then? Not to use the risk matrix and present a report with the data and conclusions.

  4. Richard Fowler
    March 8, 2022 at 6:40 AM

    Why would they spend time conducting a risk assessment when they have an actual problem to address? The allowable leakage (less than 10) has been exceeded 6 times across both warehouses, including each of the last 4 months at the Paris facility. Without knowing the relative costs, I’m not sure which solution would be most appropriate, but they could be looking at added security personnel, increased cycle counts, CCTV installations (with monitoring), RFID or magnetic tags on the inventory, or any of a number of other options or combinations. After they have implemented a corrective action and reduced the leakage, then they can assess the risks of unacceptable leakage as a forward looking exercise with the added benefit of knowing the impact and likelihood fairly accurately.

  5. Norman Marks
    March 8, 2022 at 7:05 AM

    Thank you for the comments that talk about actions management should be taking.

    The challenge is that management and the board want all these sources of risk reported. How would you do that? How would you assess the level of risk and include it on a report to management?

    • Anonymous
      March 8, 2022 at 12:34 PM

      I think we can all agree that a risk is an event that may happen in the future, and that risk management involves assessing those risks and, where necessary, identifying mitigating actions that will reduce the impact or likelihood should those events transpire. But in the scenario you’ve described, we are not looking at potential leakage; we are looking at unacceptable levels of current leakage. The time to address this is now, not when the losses are over 50 units and the company is losing customers and revenue (in addition to assets). Based on the trends in the Paris warehouse, they will exceed a loss of 50 units next month.

      • Norman Marks
        March 8, 2022 at 12:48 PM

        Actually, I don’t think we all will agree with that definition of risk. I prefer ISO definition of the effect on objectives – is something that might happen, negative or positive.

        • Richard Fowler
          March 8, 2022 at 2:31 PM

          OK, I can agree with that definition too. Nevertheless, we have in your scenario a known and present negative impact on objectives. This is not something that might happen. It is, in fact, happening and is likely to continue without some management action. We have the condition, criteria and consequence. What’s needed is not a risk assessment but instead a root cause analysis and a corrective action to address it.

  6. John J Brown
    March 8, 2022 at 7:35 AM

    It’s interesting how we all jump to “solving” the problem. Might it be better to define the risk (i.e. uncertainty on objectives), analyze it, estimate the likelihood and consequence levels, and based on this decide how to respond to the risk? The risk event here is shrinkage at the warehouses. Causes could include internal and external (theft, destruction of products, …). Consequences could include annoyance to loss of customers. There could be a high likelihood of a minor consequence to a low likelihood of a major consequence. Judgement–and any available data–can help decide the best combination(s) to use. The KPI of actual shrinkage indicates the Paris warehouse is problematic. It might be better to develop KRIs (increasing unemployment levels, decreasing employee morale…) and track these. Must be careful to avoid the trap embodied in “The Flaw of Averages”. A report to management could include both KPIs and KRIs with a recommendation on actions to take based on these metrics. But here I am trying to solve the problem without the full picture…

    • Norman Marks
      March 8, 2022 at 11:38 AM

      Well said

  7. March 8, 2022 at 12:10 PM

    Fantastically detailed post! I hate being difficult and I am not trying to be a jerk. But I really don’t understand these types of questions. I mean this truthfully and literally. What is meant by a “risk assessment”? What’s the goal? Are you trying to estimate losses for the reliability of financial reporting? Are you trying to determine if current security strategies are appropriate (that’s really a cost-justification exercise for additional security measures)? Are you trying to determine if current security personnel are competent to carry out an assigned strategy? Or, are you trying to determine if this problem (among the thousands of potential problems) is worthy of management’s attention? That’s simple – does it exceed an acceptable loss threshold (in other words, does it turn the dashboard metric from green to red)? If you don’t have such a threshold, then the overall risk exercise is irrelevant because it’s clearly not strategically important enough to even monitor.

    As to “what’s the risk level” – my answer to most questions of this type is: the risk of a little theft is very high. The risk of a lot of theft is much lower. How much is “a lot”? Well, that’s up to management to decide based on strategy and risk attitudes. That’s pretty much always the answer if you’re dealing with a likelihood/impact assessment. I’ve never seen them provide any useful benefit.

    • Norman Marks
      March 8, 2022 at 12:28 PM

      Well said. The practitioner may believe his or her job is to assess the level of risk. But does that create any value?

  8. Anonymous
    March 8, 2022 at 10:31 PM

    As per David above, I would ignore the Sydney 100 event in the trend analysis, assuming it is more of a high-consequence, low likelihood event. That said, it would be important to properly understand root causes and to ensure that the control gaps are properly understood and addressed to prevent recurrence.

    What you are then left with is two sets of time dependent data. It is easy enough to then fit curves to the data – using quantitative methods or simply by eye. Sydney looks pretty stable, but Paris is heading for trouble in the relatively short term.

    Address the high consequence risk event in Sydney; sort out the control environment in Paris urgently!
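
Added example, not part of the thread or of any commenter's reply: the comments above contrast a single-point average with control charts and fitted trends, and this Python code runs those views on the twelve-month figures from the post. The XmR (individuals) chart with its standard 2.66 constant, the least-squares line, the function names, and leaving Sydney's month 2 out of the baseline as a one-off are assumptions chosen for this illustration.

```python
# Added example: the post's twelve-month loss figures, analysed three ways.
from statistics import mean

SYDNEY = [1, 100, 3, 2, 0, 0, 2, 3, 0, 4, 2, 1]
PARIS = [2, 5, 2, 8, 1, 10, 8, 3, 10, 10, 22, 37]
TOLERANCE = 10   # losses are acceptable while below 10 units per month
CRITICAL = 50    # shortages of 50 units threaten order fulfilment


def breaches(series, limit):
    """1-based months whose loss reached or exceeded `limit`."""
    return [m for m, v in enumerate(series, start=1) if v >= limit]


def xmr_limits(values):
    """Centre line and upper natural process limit of an individuals chart."""
    moving_ranges = [abs(b - a) for a, b in zip(values, values[1:])]
    centre = mean(values)
    return centre, centre + 2.66 * mean(moving_ranges)


def signals(series, exclude=()):
    """Months above the upper limit; limits come from months not in `exclude`.

    Assumption: dropping a month makes its two neighbours adjacent when the
    moving ranges are computed.
    """
    baseline = [v for m, v in enumerate(series, start=1) if m not in exclude]
    _, ucl = xmr_limits(baseline)
    return [m for m, v in enumerate(series, start=1)
            if m not in exclude and v > ucl]


def trend(series, exclude=()):
    """Least-squares slope in units per month, keeping original month numbers."""
    pts = [(m, v) for m, v in enumerate(series, start=1) if m not in exclude]
    x_bar = mean(m for m, _ in pts)
    y_bar = mean(v for _, v in pts)
    sxy = sum((m - x_bar) * (v - y_bar) for m, v in pts)
    sxx = sum((m - x_bar) ** 2 for m, _ in pts)
    return sxy / sxx


def summarise(name, series, exclude=()):
    """One reporting row: the single-point mean beside the other views."""
    return {
        "site": name,
        "mean": round(mean(series), 1),
        "months_at_or_over_tolerance": breaches(series, TOLERANCE),
        "months_at_or_over_critical": breaches(series, CRITICAL),
        "control_chart_signals": signals(series, exclude),
        "trend_units_per_month": round(trend(series, exclude), 2),
    }


if __name__ == "__main__":
    for row in (summarise("Sydney", SYDNEY, exclude={2}),
                summarise("Paris", PARIS)):
        print(row)
```

Both sites average 9.8 units a month, yet only Paris shows a rising trend of about 2.1 units per month and a control-chart signal in month 12; Sydney is flat once the month-2 event is set aside.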

  9. Norman Marks
    March 9, 2022 at 4:13 AM

    I agree in principle. However, the risk officer is charged with assessing and reporting the level of risk. How would you do that?

  10. Anthony Barrow
    March 9, 2022 at 5:40 AM

    In Sydney, we have at least one major control weakness, which exposes us to losses that impact on our capacity to meet customer expectations, and which is still present – undiscovered and unresolved. Experience (well mine at least) suggests that where there is one major control weakness, there are likely to be others.

    We do not even know if the losses occurred because of theft or negligence. Even if it was theft, we do not know who the thief was. So if there is a thief, he/she is more likely than not, still there.

    Given this, could it be that (a) we were lucky to discover the losses in month 2; and (b) the rest of the time the culprit(s) are successful in covering their tracks? In fact, are the losses in the other months too low, given our control tolerance? Or am I reading too much into the data?

    On Paris, I do not think we have enough data to draw a conclusion. The spike towards the end of the year may be due to seasonal factors (for example increased throughput, higher leave).

    On this basis, I would be more concerned about Sydney. Send down an audit (or equivalent) team for a thorough assessment. On Paris; I would want to see (a) comparisons with other years and (b) month 1 and 2 data from this year.

    If there is a model answer, I would be interested to see it.

    • Norman Marks
      March 9, 2022 at 6:46 AM

      Thanks, but the question is how the risk practitioner and management should assess the risk and report it.

      • Anthony Barrow
        March 9, 2022 at 7:45 AM

        Sorry, I thought I had answered the question.

        The Sydney warehouse has the higher risk: it has stock wastage beyond a level that customers are likely to find acceptable, impacting on future revenue streams and brand, and the most prudent assumption (given the unknowns) is that the underlying causes are still present. Impact high, likelihood high of the same problem occurring in the next year. Until you get confirmation that this is just an anomaly. Which it might be.

        On Paris, there is not enough contextual information to establish there is an emerging problem, especially if months 10, 11 and 12 are Oct Nov Dec. So the risk is in the concern zone, with monitoring and enquiry as the response.

        Sorry to be pedantic, but the question did not ask about reporting, I assumed as the risk practitioner was working with operational management, reporting would be through the operational management line. The risk practitioner was advising them, and they make the call. After all, (1) there will be factors that they are aware of and you are not; and (2) didn’t someone once say something about risk supporting informed decision making? or something like that.

        I would suggest Paris is recorded on the supervisors risk register (so that this potential emerging concern is not forgotten). I suspect that Sydney requires urgent attention. It is more of a problem than a risk, so not really suitable for a risk register. At this stage.

  11. Anonymous
    March 9, 2022 at 7:11 AM

    The risk practitioner appears to have already done the assessment. The risk team has apparently looked at the risk of inventory loss, determined that the loss of less than 10 units is acceptable (high likelihood, low impact), and estimated that a loss of over 50 units will result in objectives likely not being met (low likelihood, high impact). With that assessment, management has accepted the risk as the control costs would exceed the loss value.

    • Norman Marks
      March 9, 2022 at 7:16 AM

      Perhaps

  12. March 9, 2022 at 10:20 AM

    ‘A risk practitioner is working with operating management to assess the risk of inventory losses due to theft at either or both of its two satellite warehouses.
    How would you go about assessing the risk?’
    Presumably management wish to know if further action can be taken which costs less than the likely losses. However the facts state, ‘Losses due to employee or other theft are considered acceptable if they remain below 10 units per month, as industry research has shown that additional measures would cost at least as much as any reduction in losses’.
    So the first stage in the assessment is to look at the controls preventing and detecting losses. The facts indicate that this has partially been done but no mention has been made about checking the integrity of the computer systems highlighting the losses. For example the Sydney ‘loss’ may have resulted in the booking of stock against an incorrect item code, so there is a corresponding surplus of 100 units somewhere which won’t be identified until somebody, literally, trips over them. The Paris losses may result from stock being ‘borrowed’ for an advertising shoot, without being recorded.
    There is also the possibility that all necessary controls are present but not working. For example CCTV may have been turned off in Paris while contractors were working at weekends.
    Having thoroughly identified all the controls which should be operating and any circumstances in which they were not, I would sit down with management, security and other relevant parties to consider, ‘Are there any other cost effective preventive/detective controls which we can implement to prevent stock losses?’
    I would then report accordingly.

  13. Davaa
    March 11, 2022 at 1:59 AM

    I can’t say for certain which location is a higher priority. However, when inventory theft is a recurring event every month, shouldn’t we treat this as a “problem” rather than a “risk”? A risk practitioner trying to estimate probability or likelihood is nonsense since we know theft is expected to happen, the only uncertainty is how many units will we lose in the following months.

    • Norman Marks
      March 11, 2022 at 6:40 AM

      It is uncertain how much will be lost. That meets the ISO definition that risk is the effect of uncertainty on objectives.

      The same thing applies to the risk of losing employees, cyber breaches, etc.
