Enterprise Risk Management (ERM) is only as effective as the extent to which the methodology has been adopted holistically by a business. The adoption of risk management throughout a business becomes increasingly difficult as the business grows and becomes more complex. It is clear that Unilever is a complex business with global operations, which necessitates a potent and successful risk management presence within the company.
A key strength of Unilever’s approach to risk management processes is the level at which risk management is reported to the C-board.
Unilever has created a board committee (named the audit committee) which ensures the C-board understands the company’s position relative to its risks, through discussion of external auditors’ performance, internal controls arrangements, financial statements, etc. This level of direct communication with the most influential leaders within the company (C-Level) is a strength of the processes Unilever has applied. However, a criticism of this method of communicating risk with C-Level could be that there is no chief risk officer (CRO).
A single leader for risk management at Unilever could be instrumental in increasing the efficiency and effectiveness of the risk management programme. The CRO would provide expertise and clear strategic guidance on implementing risk management across the complex organisation.
Unilever have worked through their risk management processes and been able to demonstrate a robust knowledge of their most relevant risks (and their mitigations). This can be observed in their annual report designating their principal risks (reference). Having the capability to outline specific principal risks should be considered a strength of the business, as it publicly demonstrates a level of strategic alignment and embedding of risk management.
However, it could be argued that this process of outlining principal risks introduces additional weaknesses into their risk management methodology. Having these defined and enshrined processes reduces Unilever’s ability to respond to new emerging risks, such as data leakage or intellectual property theft. These risks would need to be reviewed, categorised, analysed and brought before the committee before they could be aligned to a principal risk and appropriately prioritised. Having a CRO may allow Unilever to reprioritise risks in a more agile fashion.
Assurance and re-assurance processes within Unilever demonstrate a comprehensive understanding of risk management processes and the three lines of defense methodology, illustrated below. (reference)
Unilever highlight their internal controls, compliance teams, internal audit and external audit practices. This comprehensive program is a clear strength of Unilever, as it reduces the likelihood of a risk being missed or inappropriate mitigation controls being implemented. It also ensures Unilever has a diverse set of experiences and skills to call on to deal with emerging risks. However, maintaining this extensive program of internal and external auditors will create significant overhead for Unilever, and it may be challenging to prove its value, as risks sometimes do not become material. Similarly, from the positions I have held in several security and risk committees, it could be argued that when first line are the subject matter experts in particular risks, additional lines of defense often have little value to add to the conversation, and may in fact reduce the efficiency with which first line can mitigate risks. Unilever could consider implementing a fast-track option for some mitigating controls that need less auditing when first line are certified as SMEs, which may increase risk management process efficiencies.
Reviewing the role of external auditors within Unilever, it could be argued as a strength that they choose to keep KPMG as external auditors. The continuous relationship may increase efficiency, as KPMG will have a matured working relationship with stakeholders; this may allow them to access deep information within Unilever more efficiently than a new external auditor. Similarly, given KPMG is also a shareholder, they may be incentivised to investigate Unilever robustly. While there may be safeguards in place for the external auditors, there can be no absolute removal of conflicts of interest in this relationship. KPMG, as shareholders in Unilever, are incentivised to some degree for Unilever’s risk management processes/results to receive a positive interpretation in the annual report, as it may impact share prices.
Embedding risk management in all operations within a business is a complex task. Unilever claim to have accomplished this (reference). If true, the complete risk management embedding should be considered a strength of their risk management process, as this means that whatever the operation is, risk management are aware of it and can implement controls to prevent company damage. While this allows Unilever to operate with a robust risk management organisation, it may be stretching the risk management resources within the company, reducing their impact in specific areas in order to have a holistic view.