For njosh only
RISK MANAGEMENT
Final Assignment (5392 words)
Coralie Boyer (Group 1A) [email protected]
C o u r s e I n s t r u c t o r : S u z a n n e S e t o
M a r c h , 2 7 -‐ 2 8 , 2 0 1 5 2 8 R u e d e s F r a n c s -‐ B o u r g e o i s , 7 5 0 0 3 , P a r i s
April 28
ISM MBA PROGRAM
2
TABLE OF CONTENTS E x e c u t i v e S u m m a r y . … … … … … … … … … … … … … . … . . . p . 3
I n t r o d u c t i o n … … … … … … … … … … … … … … … … … … . … … . p . 4
1 . C o m p a n y ’ s m i s s i o n & C u r r e n t s t r a t e g y … … . … … . . … … p . 6
2 . R i s k i d e n t i f i c a t i o n & I m p l i c a t i o n s … … . . … … … … . . … … … p . 8
3 . R i s k M a n a g e m e n t P r o c e s s … … … … … … … … … … … . . … … . . . p . 1 3
4 . B e n e f i t s o f E R M . … … … … … … … … … … … … . … … … . … … . … … … p . 1 5
5 . R i s k O r g a n i z a t i o n … … … … … … … … … … … … … . . … … . … … … . . p . 1 8
6 . O r g a n i z a t i o n a l C u l t u r e … … … … … … … … … … … … … … … … . . p . 2 0
R e c o m m e n d a t i o n s & C o n c l u s i o n s … … … … … … … . p . 2 1
L i s t o f r e f e r e n c e s … … … … … … … . … … . … … … … … … … . p . 2 2
3
EXECUTIVE SUMMARY This paper explores the risk management process of one of the leading automobile
manufacturers: the French car maker Renault. This report aims to analyze some potential
risks the company faces including psychosocial risk, legal and compliance risk, IT risk,
Supplier risk and currency risk and their implications for the company. But Renault is well
prepared in terms of risk management with a well developed ERM, an effective organization
and infrastructures and finally a risk culture and behaviors that fits with its risk management.
4
INTRODUCTION Michael Porter has defined risk as “a function of how poorly a strategy will perform if the
wrong scenario occurs.” (Michael Porter, 1985). Another definition from COSO (Committee
Of Sponsoring Organizations of the Treadway Commission), defines it as the “possibility that
an event will occur and adversely affect the achievement of objectives”. Risk is a
combination of likelihood and consequence (or probability and impact). It can occur in all
the domain of a company: technology, sales, customer, employee, supplier etc. No company
is immune to the risk that is why companies have to manage it intelligently. Indeed, risk can
have a disastrous impact for companies and may tarnish their reputation. On the other
hand, taking risk is the only way to achieve something (some entrepreneurs for example
have been tremendously successful because they take risks), if you do not take risk, you
probably have no reward. But not all the risk can be managed, some risks are unpredictable,
such as September 11, there are called “black swan”. However you can adopt measures and
control to limit their impact. But as you could understand, risk is not easy to define because
it can affect all the aspects of the company and is quite complex to link issues with a factor
risk.
Although risk can be eliminated 100%, the companies have to monitor and manage it in
order to create value through what we called Risk Management. Risk management has been
defined by ASX Corporate Governance Principles as “the culture, processes and structures
that are directed towards taking advantage of potential opportunities while managing
potential adverse effects”. In other words, risk management is about optimizing risk to
create value while balancing conformance and performance. Thanks to a strong risk
management, your company will be able to create value. Risk management is a systemic,
structured and transparent process which align risk profile (what risk the company is
currently taking?) with risk appetite (what risk the company is willing to take in pursuit of its
objectives?). But risk management is also a management issue and must be part of the
corporate culture and behaviors. That is why risk management governance is extremely
important to tone at the top but also to foster a culture of risk awareness and openness.
5
For this paper, I have chosen one of the leading automobile manufacturers, the French car
maker: Renault. Through this paper, we are going to determine some of the risks (both
internal and external) the automotive industry and particularly Renault is exposed to and
analyze what are the implications of these risks for the French company Renault. Then,
based on these risks, we will try to go through the risk management process in detail in
order to proactively manage the risks. Next, we will discuss ERM within Renault and
management structures in place to ensure the risks are effectively managed. In a last part,
we will describe the tone at the top and culture of the company and assess if they are in line
with the risk management process. Obviously, we will finish this paper with eventual
recommendations as regards risk management within Renault.
6
1. Company’s Mission & Current Strategy
Renault is a French leading automobile French manufacturer located in France and existing
since 1898. The Renault group is today a multi-‐brand international group composed of three
distinct brands:
-‐ Renault, the group’s global brand
-‐ Dacia, the group’s regional brand (sold in 44 countries in Europe, Northwest Africa
and Turkey
-‐ Renault Samsung Motors, the group’s local brand (sold in South Korea)
The Group is linked to the Japanese manufacturer Nissan since 1999 through the Renault-‐
Nissan alliance (Renault has a 43.4% controlling stake in Nissan while Nissan has
shareholding of 15% in Renault). In 2014, Renault-‐Nissan is the fourth largest global
automotive group.
The French brand designs, develops, manufactures and sells vehicle. It is an international
player present in 125 countries with 46% of group sales outside Europe. In 2014, the Renault
Group sold 2.7 million vehicles all around the world for a turnover of 41,055 million euros. It
represents an industrial network composed of 36 sites employing 117 395 people
(December 31, 2014). In 2014, the ten countries where Renault sells more vehicles are:
France (577,601), Brazil (237,187); Russia (194,531); Germany (173,479); Turkey (133,212);
Italy (130,996); Spain (127,666); UK (109,014); Algeria (91,800); Argentina (84,946).
Carlos Ghosn is the current chairman and CEO of the Group. Renault’s mission is to “drive
the change” and being a pioneer in “sustainable mobility for all”. With over 110 years of
experience, Renault strives to offer quality products and services always more innovative
while integrating social concerns in their actions and creations to invent the automobile of
7
tomorrow. Renault’s objective is to “ensure that sustainable mobility is a driver of worldwide
development and progress for everyone.”1
Renault’s strategy is built around four axes2:
✓ Acting for the access to sustainable mobility for all
✓ Innovation and proximity to their customers
✓ Educate, inform and share with stakeholders
✓ Constantly improve their quality approach
The purpose of Renault’s strategy is to secure profitable and sustainable growth for Renault.
In order to address the great technological challenges of the future and pursue its profitable
growth strategy, the Renault group3:
✓ is committed to sustainable mobility for everyone, through innovative solutions
such as electric vehicles;
✓ relies on a proactive international growth strategy;
✓ is strengthening its partnerships: its Alliance with Nissan, its cooperation with
AVTOVAZ in Russia, its partnership with Daimler, and its agreement with Dongfeng in
China;
✓ takes advantage of the complementarity of its three brands: Renault, Dacia, and
Renault Samsung Motors.
Furthermore, Renault is strongly engaged in a CSR (Corporate Social Responsibility) policy. Its
current strategy presents 7 key drivers:
✓ A continuing policy of innovation
✓ A robust product plan
✓ A strengthened Renault brand
✓ The excellence of our network in managing customer relations
✓ Optimized R&D and investment expenditures
1 Source: Renault Registration Document 2014 2 Source : www.renault.fr 3 Source: Renault Registration Document 2014 4 POLITI, C. (February 10, 2011). Comment Renault et France Télécom gèrent les salariés.
2 Source : www.renault.fr 3 Source: Renault Registration Document 2014
8
✓ Reduced costs
✓ Steady position in Europe and international expansion
As a result, the risk management within Renault must be aligned with this strategy. That is to
say it must support the company’s objectives and mission.
2. Risk Identification & Implications
As part of the automotive industry, especially expanding internationally, the company
Renault faces several risks. For this paper, we are going to explore five of them both internal
and external. Indeed internal risks correspond to risks inherent to the company itself. As for
the external risks they refer to the risks that can occur in the external environment
(economy, politics, demographics etc.) and that have an impact on the company. The risks I
have chosen to identify in this paper are not the most important or the less dangerous, they
are just as important as all other risks that the company faces. But often because of the
topicality I find them more relevant, that is why I want to explore them in this paper.
-‐ Psychosocial risk: I have chosen to talk about this internal risk because few years ago
the French company Renault has experienced a succession of suicides among its
employees. This had a negative impact on the company’s reputation but it also
represents a loss of key employees for the company. The car company was not the
only one affected by this scourge; another French company France Telecom has also
known a more intense wave of suicides within its business. In 2010, the
telecommunication company was at the heart of a social and media crisis without
precedents. The management was accused and the Paris prosecutor opened a
judicial investigation for "moral harassment" against the group. Thus, it is interesting
to see how the company can deal with this internal risk as part of the Renault
company. Although, this risk almost exclusively concern the French auto maker as
9
regards the news, it is part of working condition risks, and each industry should
prevent this type of risk because they are all vulnerable.
Psychological risk and more generally working condition risks are quite dangerous for
the company because it affects one of its more important assets: its employees. This
risk affects the overall performance of the company. During the vague of suicides
that have taken place in Renault’s technopole, Renault did not notice that its
employees were suffering and that there was a broader feeling of lack of trust and
misunderstanding.4 Renault is aware that they “have forgotten the essential role of
proximity” (Bernard Ollivier, Renault’s previous Transformation Director). This risk is
quite complex because it constitutes a shock situation for the entire company and
involves a feeling of insecurity within the company. This generally engaged into a
vicious circle. Suicide or suicide attempt is an emergency situation to manage in the
company, especially if the suicidal act occurred at the place of work. This is also a
warning signal for the company. The extreme suffering of the person who is acting
out can testify an unease situation widespread in the company. “Many
epidemiological studies have established a link between working conditions
generating chronic stress and the development of a depression. This can then
facilitate suicide attempt. Among the work constraints studied, we found notably the
imbalance between high psychological demands and lack of room for maneuver, also
called job strain”. (INRS5, 2015). As we can understand, this risk can be managed to
prevent suicides and other psychosocial risks (psychological harassement, burnout,
violent behaviors etc.). Furthermore, it also exists a strong causal link between well-‐
being at work and business efficiency (Jean-‐Pierre BRUN) that is why this risk is also
important to be managed in order to create value.
4 POLITI, C. (February 10, 2011). Comment Renault et France Télécom gèrent les salariés. Lexpress.fr Retrieved at : http://www.lexpress.fr/emploi/comment-‐renault-‐et-‐france-‐telecom-‐gerent-‐le-‐ stress-‐des-‐salaries_960878.html 5 INRS is the French National Institute of Research and Safety for the prevention of workplace accidents and diseases.
10
-‐ Legal and Compliance risk: those risks are linked with non-‐compliance with laws and
regulations. In other words, these risks are linked to the company’s environment.
Automotive manufacturers are subject to various legal proceedings in terms of safety
or more generally product liability, technical and environmental regulations,
intellectual property but also financial reporting, competition, fraud and corruption,
tariffs, safety workplace among others. Such risks can lead to additional costs (if the
company is fined), damage its reputation, loss of customers and thus loss of
revenues, change strategy and practices (operations) and more radically interrupt
business continuity. Beyond respecting regulatory compliance obligations, Renault
must be able to anticipate future change in laws and regulations (in each country
where the company is present) and thus adapt it in a timely manner. This risk must
be adequately managed because Renault is present in several countries which means
that it is subject to various laws and regulations that are very different from country
to country.
-‐ IT risks: the automotive industry is largely dependent on IT (Information Technology).
IT risk has been defined by ISACA (an international profession association focused on
IT governance) as “the business risk associated with the use, ownership, operation,
involvement, influence and adoption of IT within an enterprise” (ISACA, 2009). As a
result, the companies are exposed to numerous IT risks (which are part of
operational risk) such as default of system, computer virus, loss of data, outages, and
cybercrime. Also, with the emergence of IT in the automotive industry, industrial
espionage represents a major risk for the companies. Although, IT plays a crucial role
in the automotive industry, IT risks can have a huge impact on the company. Indeed,
IT can be considered as a risk multiplier because IT systems are generally used to
control the entire risk profile of the company thus it can have significant risk
management damages (IBM6). Thus, it exists legal obligations as regards privacy,
transactions, but IT risk management should be implemented in order to minimize
hardware and software failures, computer hackers and other cyber attacks, malware
(malicious software designed to disrupt computer operation), virus, spam and human
6 IBM : Operational Risk Management and IT : Implications for Financial Services Retrieved from : https://www-‐935.ibm.com/services/uk/gts/pdf/opriskmgmt-‐oct-‐06.pdf
11
error. Also natural disasters such as fire at the plant, floods or even cyclones can
damage data and infrastructure. Indeed, companies possess huge data volume and
other private data, which are key components for the companies. As a result, they
have to maximize protection for IT systems and infrastructures and managed it well
also because it can be a source of benefits for the all management process.
-‐ Supplier risk: this risk is quite interesting because it can affect several industries
regardless of the automotive industry. Suppliers are an important part of the
business for automotive industries since they heavily rely on them in terms of raw
materials, some key components, operations and prices. These suppliers are
generally located all around the world. As we can understand, such risk can impact
the entire production process of the company. Supplier risks cover several domains:
it can deal about suppliers’ bankruptcies; merchandise delay, flaw in the design, poor
quality of products, cost of the recall, reputation and ethics of the supplier (child
labor). For example, in the automotive industry, a defective item concerning
passenger safety would have dramatic consequences and could lead to the
liquidation of the manufacturer and damage its reputation. As we can understand,
some suppliers such as suppliers manufacturing brake components have more risk
than suppliers manufacturing radio or hood (RIMS 7 ). Furthermore, during the
recession, although automotive makers have significantly increased their production
of car, many suppliers have not been able to follow the movement and provide
components needed so quickly because they were not prepared and have suffered
from cut operations and close of plants (Bureau Van Dijk). Also, another problem
emerges: the automotive manufacturer can rely on a large number of suppliers
(called first-‐tier suppliers) whom themselves can rely on other suppliers (called
indirect suppliers or second-‐tier supplier). Hence a larger risk for the company since it
cannot control all the suppliers. Similarly, the automotive maker can rely on a few
numbers of suppliers in order to better monitor safety, quality and reliability.
However, what happens if one of the suppliers cannot supply the order in a timely
7 Risk and Insurance Management Society, Risk Management in Automotive Industry Retrieved from : http://community.rims.org/blogs/chris-‐pentago/2013/07/15/risk-‐ management-‐in-‐automobile-‐industry
12
manner? Or if another supplier rely on a second-‐tier supplier who cannot supply the
elements ordered because of a fire in his plant for example? More concretely, it may
result to supply chain disruptions. As a result, this risk is quite linked to supply chain
management but also quality management and can impact the entire process of
production. Another element of the supplier risk is the ability to obtain competitive
price in order for the car manufacturer to be cost-‐effective and maintain stable prices
for its cars. As we can understand all these risk factors such as delays, flaw in the
design or increase in costs can dramatically impact the production and delivery of
cars for Renault and affect its entire operations and reputation (especially in case of
lack of safety). Although such risks are not always under Renault’s ability, Renault can
still manage these risks.
-‐ Currency risk: this risk is part of the financial risks that could affect the company
Renault and more generally companies from the automotive industry. Indeed,
automotive companies have often several plants in different countries and sell
vehicle all around the world. Consequently, currency fluctuations can dramatically
affect the company in terms of price of operations and sales of vehicles but more
precisely from a financial point of view it can affect the company’s working capital
requirement, net financial income, share in the net income of associated companies,
shareholders’ equity and net financial debt. That is why, Renault has to mitigate this
risk. However, this risk is no more important than the other financial risk such as
credit risk, liquidity risk or interest rate risk, but I believe it would be pertinent to
mention this risk because of the actual situation of the recent collapse of the rouble
(Russian money). And we know that Renault is currently making large operations in
Russia through the acquisition of Avtovaz in 2014 (new purchasing organization
located in Russia) with Nissan. Russia is the third largest market for Renault after
France and Brazil. With this new acquisition, Renault has become the first local
automotive group, making it strong on the market but also vulnerable to the
country’s economic health in particular currency fluctuations. As a result, it is
interesting to know if the French company has implemented procedures to mitigate
this risk.
13
All these risks can have consequences for Renault in terms of economic performance and
professional reputation but also consequences for the consumer and the environment. That
is why a good risk management can help to mitigate those risks and create value for the
company.
3. Risk Management Process Risk management is a continuous improvement process which aims to define and mitigate risks
the company faces. It exists several risk management processes and framework but as part of
this paper, we are going to analyze a typical risk management process: ISO 31000-‐2009 that can
be used by Renault.
ISO 31000 – 2009 is a process that provides a framework and guidelines for managing any form
of risk. This standard is not only designed for the automotive industry but for any type of
organization regardless its size or activity sector. Thanks to this process, companies are better
able to identify opportunities and threats, to allocate and efficiently use resources for risk
management and finally increase their chances of achieving their goals (ISO).
-‐ The first step of this process consists in establishing the context:
✓ External context (country-‐specific): market condition, regulatory requirements,
economy, technology trends, government (rating agencies)
✓ internal context: complexity of organization, who are the stakeholders? (Internally
(employees) and externally (vendors, suppliers, internal auditors, customers))
✓ Risk Management process context: define what is the objective of the risk
function, what is the responsibility of the risk manager, what is the method to
identify the risks
✓ Risk Criteria (done on department level): first of all it is necessary to determine
what is the risk appetite of the company (set by the Board of directors). Risk appetite
corresponds to the risk the company is willing to take in pursuit of its objectives. For example
Renault could choose a risk appetite 0 for psychosocial risk because it may tarnish its reputation.
Then the company has to determine the tolerance of risk, that is to say the amount of risk the
14
company choose to retain after risk mitigation The risk criteria is based on the objective of the
company that is why we say that risk should be aligned with the company.
-‐ The second step is risk identification: that is to say identify the different types of risk that
the company can face. For example, in this paper, we have identify five risks
(psychosocial risk, legal and compliance risk, IT risk, supplier risk and currency risk) but
there are many more. It is also important to analyze when, where, how and why this risk
can occur. To help identify risks, the company can use different methods such as
brainstorming or scenario analysis.
-‐ After identify the risks, we need to analyze them. It is the third step of the process.
Obviously, this step will provide an understanding of the risks (is the impact high or low?)
to make decisions on risk treatment and acceptance. For this analysis, we can use
qualitative and/or quantitative method depending on the risk. For example, psychosocial
and compliance risk will require qualitative method such as the intervention of an expert
(doctors) whereas IT risk will include more quantitative method. The goal of this step is to
estimate the likelihood of events and their consequences based on risk criteria previously
established in order to estimate the level of risk.
-‐ Thus, the fourth step aims to evaluate the risk: the organization must evaluate risk
treatment in order to compare against risk criteria. Then, the organization will define
what kind of control it needs in order to prevent and avoid these risks. To do so, the
company can use different tools that can be combined (risk matrix, voting, testing by
focus group, statistical analysis etc.). Also, the company has to establish the risks that
need to be prioritized. It is important to communicate to decision makers the results so
they are aware of these risks.
-‐ Finally, the last step of this process is risk treatment: the company assesses risk
treatment options and implements selected controls. Risk assessment is a proactive
control that needs constant monitoring.
15
This risk management process should be documented in order to, in case of litigation or product
failure claims, prove that your company had implemented an accurate and effective process to
prevent risks.
On the other hand, it is important for large organizations to implement other risk management
processes and techniques in order to even more prevent and mitigate the risks. Very often,
companies use more than one framework to guide the implementation of risk management. For
example, the company can use its own framework (internally created) combined with other
prominent framework such as COSO or the ISO 31000-‐2009 (Lundqvist, 2014).
4. Benefits of ERM Enterprise Risk Management (commonly referred as ERM) provides a framework for risk
management. ERM has been defined by the COSO (Committee of Sponsoring Organizations
of the Treadway Commission) as a “process, effected by an entity's board of directors,
management, and other personnel, applied in strategy setting and across the enterprise,
designed to identify potential events that may affect the entity, and manage risk to be
within its risk appetite, to provide reasonable assurance regarding the achievement of entity
objectives” (2004). The Committee adds that ERM includes:
-‐ Aligning risk appetite and strategy
-‐ Enhancing risk response decisions
-‐ Reducing operational surprises and losses
-‐ Identifying and managing multiple and cross-‐enterprise risks
-‐ Seizing opportunities
-‐ Improving deployment of capital
Beasley, Marks and Scott Showalter underline that as part of ERM process “executives have
attempted to identify all types of potential risks that might be most impactful to the
organization’s strategic success, and they’ve developed processes to prioritize those risks
16
and have allocated resources to manage them.” (p.34). They go even further by stating that
“there’s a tremendous argument for marrying an organization’s ERM and sustainability
initiatives to address risks and opportunities that are most likely to impact the organization’s
ability to sustain its strategies and its business model for creating long-‐term value.” (p. 35).
Indeed, if ERM is successfully implemented, it generally leads the company to create value
through:
-‐ Achievement and pursuit of strategic objectives
-‐ Reducing costs
-‐ Improve risk management process and risk governance
-‐ Better mitigate risk
-‐ Improving relationship with stakeholders (employees, suppliers, shareholders,
partners, associates, customers, investors, local communities, associations)
-‐ Ensuring business continuity
Risk is dynamic, it changes and evolves all the time that is why beyond a risk management
process, risk management must integrated in business practices. Also, communication within
the organization is important. ERM must include all people playing a role in the company,
people have to be aware of changes and be proactive. Also, as risk evolves, you have to
regularly monitor and update your policy. That is why, as part of Renault, ERM is necessary
because the automotive industry, in addition to being a highly competitive market, is facing
constant change (environmental regulation, innovations, new regulations in terms of safety)
that can disturb the company if risk is not adequately managed in a timely manner.
Consequently, we observe that Renault has already a well implemented ERM. For example,
for each risk identified above (part 2), Renault has management procedures and principle in
order to mitigate those risks.
-‐ Psychosocial risk: following the succession of suicides within Renault, managers
received training in order to better identify psychological risks and improve well-‐
being within the organization while occupational doctors regularly monitor
employees and offer psychological help (Renault Registration Document 2014). Along
with this prevention of psychosocial risk, executives have analyzed the events and
17
realized that they have forgotten the crucial role of relationship. They have revived
the dialogue with the employees. Each position has been redesigned so that
employees regain their original function; annexes tasks that caused additional stress
have been removed.
-‐ Legal and Compliance Risk: “The Company follows a structured procedure to analyze
the robustness of regulatory compliance for a number of well-‐defined regulated
areas, established by Internal Control department in collaboration with the Legal
department. These include competition, fraud and corruption, environment, health-‐
safety-‐working environment, technical regulations, etc. This approach is led by the
Regulatory Compliance department, part of the Internal Control department, and is
monitored by the Ethics and Compliance Committee.” (Renault Registration
Document 2014). This procedure includes three distinct actors: the operational
entities, the decision-‐making departments and the regulatory compliance
department which all ensure different mission which respectively consists in
ensuring, monitoring and evaluating regulatory compliance systems and finally
deploy them within the company. As regards regulatory changes, beyond dialoging
with national authorities in order to anticipate future changes and ensure
compliance with regulations, Renault is involved in an internal control with
employees and regulatory monitoring.
-‐ IT risk: Renault is well aware of these risks and has implemented procedures and
controls improving IT risk perception and engagement: (1) at operational level with a
process defining security requirements, IT security specialists managing data security,
providing high level of protection for the Group’s network and creating awareness
among employees; (2) at organizational and governance level with an IT Risk
Committee coordinated by the IT Group Security department providing reports to
the Renault IT department and other governance committees coordinated by the
Group IT security monitoring the effective application of IT security procedures; (3)
regular controls of robustness of the system, machines and IT crisis management
processes; (4) security supports for projects; (5) coordination of the network of
security officers (Renault Registration Document 2014).
18
-‐ Supplier risk: to prevent this risk, Renault has a very accurate system which involves
the responsibility of the Renault Nissan Purchasing Organization (RNPO) using five
systems: a prevention policy, the use of Renault-‐Nissan standards, processes to
detect non-‐compliance in the quality of delivered parts and traceability, permanent
monitoring of supplier risk (in terms of operations, finance and CSR), action plans in
case of non-‐compliance or other detected risk. Obviously this control also involves
Risk Management and Control department among other departments. Still part of
this system, Renault uses several tools to prevent and detect such risks such as an
annual questionnaire to anticipate capacity requirements and solutions two years in
advance, an audit matrix, annual ratings conducted by the buyer and experts in
supplier risks, strict steps and procedures to follow for validation and compliance
involving a score chart to rate eventual faults during the design stage (Renault
Registration Document 2014). Also, Renault closely monitors safety standards of
second-‐tier suppliers. As the result, Renault can quickly identify eventual troubled
suppliers and react in a timely manner.
-‐ Currency risk: the department Renault Finance is in charge of this risk in order to
anticipate it and limit damages on the entire organization.
5. Risk Organization To be effective, risk management must be also ensured by good corporate governance. It
must be a structured and transparent process.
As a global manufacturing company, Renault has an active risk management policy based
among others in a highly effective organization. As we have seen, Renault’s risk
management system relies on a lot of structure to ensure the risks are effectively managed,
but also it relies particularly on a “collaboration between the Risk Management department
at Head Office (risk manager), the operational risk managers at country level and the expert
19
risk managers within certain business functions and corporate activities. This network of
different levels strengthens the risk management system and provides it the means to be
proactive in controlling risks.” (Renault Registration Document 2014). A special Committee
has been created (“Risk and Ethics Audit Committee”) to carry out risk and ethics issues. This
committee is composed of directors appointed by Renault Group’s Board of Directors. This
committee “makes sure accounting methods comply with applicable standards, advises on
the appointment and re-‐appointment of auditors, and on the quality of their work, oversees
compliance with rules on auditors’ independence, verifies the relevance of internal
inspection methods, and examines the scope of consolidated companies.”
(www.group.renault.com). Renault Group also comprises an Internal Audit department and
an Internal control department who works on risk management issues.
In order to be effective, Renault’s Risk Management department involved two key networks:
-‐ Employees known as Operational Risk Managers working on operational
implementation of risk management systems within the organization
-‐ Experts known as Expert Risk Managers managing specific area of risks
Here is a the organization of the Internal Control and Risk Management Systems:
Source: Renault Registration Document 2014
20
6. Organizational Culture In a company, the Board of Directors sets the tone at the top by promoting a corporate
culture, in other words values and behaviors that is spread in the entire organization. Risk
management is a management issue and must be part of the corporate culture and strategy.
Renault Group has a strong culture of risk management. “Risk management, which is
essential for any global manufacturing Company, needs to be reinforced and made
proactive. It is therefore an integral part of the Group’s operational management
procedures” (Renault Registration Document, 2013). Indeed, the French group has faced
several crisis, as a result, they have developed a culture of greater crisis (in other words a
risk culture) which go through risk management, in order to be better able to avoid new one
in the future. Consequently, the Internal Control and Risk Management departments have
implemented a specific program, further training for managers and communication in order
to raise awareness of the risk culture among the entire organization (including management
and employees) (Renault Registration Document, 2013). This risk-‐aware culture is even more
developed and encouraged each year. Furthermore, beyond relying on experts to mitigate
risks, the Risk Management Department involves also the employees (operational risk
managers) to control and monitor risks. It is an openness process.
Finally, as part of risk culture, risk management at Renault’s Group is considered to be both
strategic and operational in order to create even more value (Delaroche, 2010).
21
Recommendations & Conclusion Renault Group is quite aware of potential risks inherent to its industry and risk management
appears to be crucial for the company. However, this has not always been the case (suicides
among employees and managers few years ago). But it seems that Renault has considerably
improved its risk management both internally and externally.
But, despite a strong culture of risk management, Renault must regularly review and update
its policy of risk management and eventually identify new risks. The automotive industry
faces rapid changes in terms of regulations and innovations. It would be a mistake to
concentrate only on risks identified and not anticipate new risks. I know the company
actually do it, but I fear that by the fact they focus on managing so much risk; they do not
see potential new risks. Consequently, I would advise the company to regularly use several
risk management process (ISO 31000, COSO combined with an internal process) if it is not
the case in order to be more accurate and efficient in identifying and managing new risks.
Moreover, although, Renault’s ERM relies on well organized structure, I would advise a more
collaborative structure among each department at every level and to take into account the
different perceptions of stakeholders involved. Also, I am not sure that all the employees are
well aware of the entire process; as a result, I would recommend more communication at
every level to provide a cohesive risk management process.
22
List of References Renault Registration Document, 2013 Renault Registration Document, 2014 www.group.renault.com
BEASLEY; MARKS, S. & SCOTT SHOWALTER, D. (March 2015). ERM and Sustainability
Together on the Road Ahead. Strategic Finance, Vol. 97, Issue 3, p3.
Retrieved from EBSCO
DELAROCHE, P. (October 1, 2010). Vers une culture de la gestion du risque. Lexpress.fr
Retrieved from: http://www.lexpress.fr/emploi/gestion-‐carriere/vers-‐une-‐culture-‐de-‐la-‐
gestion-‐du-‐risque_1386704.html
LUNDQVIST, S.A. (July, 2014). An Exploratory Study of Enterprise Risk Management: Pillars of
ERM. Journal of Accounting, Auditing & Finance. Vol.29, Issue 3, p393-‐429.
Retrieved from EBSCO
PORTER, M. E. (1985). Competitive Advantage: Creating and Sustaining Superior
Performance. New York, Free Press (page 476).
Risk and Insurance Management Society, Risk Management in Automotive Industry
Retrieved from : http://community.rims.org/blogs/chris-‐pentago/2013/07/15/risk-‐
management-‐in-‐automobile-‐industry
IBM : Operational Risk Management and IT : Implications for Financial Services
Retrieved from : https://www-‐935.ibm.com/services/uk/gts/pdf/opriskmgmt-‐oct-‐06.pdf
23
Bureau Van Dijk. (April 19, 2013). US vehicle manufacturers expressing supplier risk
management. Bureau Van Dijk
Retrieved from: http://www.bvdinfo.com/industrynews/procurement-‐and-‐risk-‐
management/us-‐vehicle-‐manufacturers-‐expressing-‐supplier-‐risk-‐management/801574326
Enterprise Risk Management – Integrated Framework : Executive Summary (September
2004). Committee of Sponsoring Organizations of the Treadway Commission.
Retrieved from:
http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf