The so-called “EU Regulation 1223/2009” was planned to be in place by July 2013, aimed at strengthening the safety of cosmetic products and modifying the rules for all players in that sector: new responsibilities, rules on technical material usage, reporting and transparency requirements, and so on.
This morning, the local risk manager had organized a dedicated workshop to identify any risks related to this regulatory shift and to propose a strategic action plan to the board the following week.
As external consultants, we had run this exercise across different departments over the previous few weeks. We were reviewing operational processes and their objectives to identify relevant risk information, then analyzing and evaluating it properly in order to prioritize and propose an adequate treatment option. This morning, the focus group’s attention was on the impact that delivering an inaccurate report to the national authorities would have on the company’s reputation. This report is necessary because it is one of the new requirements of the regulation. The group quickly came up with several scenarios, a cause analysis, an evaluation of the inherent risks, and a review of the treatment actions currently in place.
Most of the experts around the table were not familiar with the risk management framework in place. By the time we reached the discussion of treatment options, the conclusion was already set: the client would do whatever it takes, at whatever cost, to mitigate that risk. No discussion. We “just-cannot-afford-the-consequences”.
But let’s take a step back here. Treating a risk does not mean you have to dedicate 50% of your revenue to pushing it down to zero frequency or zero impact. Here is why: you do not want to spend more money treating a risk than the actual short- or long-term economic impact of hitting the wall. Risks do not only need to be mitigated; they have to be managed. There are many ways to achieve this. Managing a risk means considering all of the following options: a risk can be reduced, avoided, transferred, accepted, raised, or mitigated. Which of the six treatment actions is chosen depends on the corporate or local risk appetite, whether explicit or merely implied.
This morning, it was determined that the risk would cost too much to avoid, that there would be a very high (and unknown) price if we tried to transfer it, and that the board would find it very difficult to agree to accept or, even less, to raise it. So the mitigation option was the only light in the dark, dark future of European regulations.
Over the next 12 months, teams from several European departments joined forces to produce the best report possible so as to be ready when the regulation came into force. Month after month, this task became one of the most costly projects on the agenda.
May 2013. Two months before the regulation took effect, the report was far from ready. Not because the client did not know what to present, but because the data was simply neither available nor reliable. The board concluded at that time that they would rather be late in releasing the report than present an unreliable one that would have exposed the entire brand to heavy compliance issues and a damaging backlash to its market reputation.
They made a strategic decision to temporarily accept the risk for one year in order to give themselves the best possible chance of producing the best compliance report in their industry … this was simply the best economic and strategic choice given the circumstances. And they achieved it eight months later by officially releasing the report to the public with no major compliance issues.
Risk treatment, and risk management in general, should always be considered in the light of the company’s strategy and objectives. Overall governance of the risk management framework, and its integration across the entire organization, is key to avoiding decisions driven by a myopic focus.
Cross-governance and risk platforms help companies integrate strategy, objectives, and appropriate treatment strategies for more efficient decision-making.