For njosh only

profilebj3512
RiskManagementReference.pdf

RISK  MANAGEMENT    

Final  Assignment  (5392  words)  

 

Coralie  Boyer  (Group  1A)   [email protected]    

 

                                               C o u r s e   I n s t r u c t o r :   S u z a n n e   S e t o                                                                                                                            

M a r c h ,   2 7 -­‐ 2 8 ,   2 0 1 5                                                                                                                                         2 8   R u e   d e s   F r a n c s -­‐ B o u r g e o i s ,   7 5 0 0 3 ,   P a r i s  

April      28  

ISM  MBA  PROGRAM    

  2  

TABLE  OF  CONTENTS E x e c u t i v e S u m m a r y . … … … … … … … … … … … … … . … . . . p . 3

I n t r o d u c t i o n … … … … … … … … … … … … … … … … … … . … … . p . 4

1 . C o m p a n y ’ s m i s s i o n & C u r r e n t s t r a t e g y … … . … … . . … … p . 6

2 . R i s k i d e n t i f i c a t i o n & I m p l i c a t i o n s … … . . … … … … . . … … … p . 8

3 . R i s k M a n a g e m e n t P r o c e s s … … … … … … … … … … … . . … … . . . p . 1 3

4 . B e n e f i t s o f E R M . … … … … … … … … … … … … . … … … . … … . … … … p . 1 5

5 . R i s k O r g a n i z a t i o n … … … … … … … … … … … … … . . … … . … … … . . p . 1 8

6 . O r g a n i z a t i o n a l C u l t u r e … … … … … … … … … … … … … … … … . . p . 2 0

R e c o m m e n d a t i o n s & C o n c l u s i o n s … … … … … … … . p . 2 1

L i s t o f r e f e r e n c e s … … … … … … … . … … . … … … … … … … . p . 2 2

  3  

EXECUTIVE SUMMARY   This   paper   explores   the   risk   management   process   of   one   of   the   leading   automobile  

manufacturers:  the  French  car  maker  Renault.  This  report  aims  to  analyze  some  potential  

risks   the   company   faces   including   psychosocial   risk,   legal   and   compliance   risk,   IT   risk,  

Supplier  risk  and  currency  risk  and  their  implications  for  the  company.  But  Renault  is  well  

prepared  in  terms  of  risk  management  with  a  well  developed  ERM,  an  effective  organization  

and  infrastructures  and  finally  a  risk  culture  and  behaviors  that  fits  with  its  risk  management.    

                                                                   

  4  

INTRODUCTION   Michael  Porter  has  defined  risk  as  “a  function  of  how  poorly  a  strategy  will  perform  if  the  

wrong  scenario  occurs.”  (Michael  Porter,  1985).    Another  definition  from  COSO  (Committee  

Of  Sponsoring  Organizations  of  the  Treadway  Commission),  defines  it  as  the  “possibility  that  

an   event   will   occur   and   adversely   affect   the   achievement   of   objectives”.   Risk   is   a  

combination  of  likelihood  and  consequence  (or  probability  and  impact).    It  can  occur  in  all  

the  domain  of  a  company:  technology,  sales,  customer,  employee,  supplier  etc.  No  company  

is  immune  to  the  risk  that  is  why  companies  have  to  manage  it  intelligently.  Indeed,  risk  can  

have   a   disastrous   impact   for   companies   and   may   tarnish   their   reputation.   On   the   other  

hand,  taking  risk   is  the  only  way  to  achieve  something  (some  entrepreneurs  for  example  

have   been   tremendously   successful   because   they   take   risks),   if   you   do   not   take   risk,   you  

probably  have  no  reward.  But  not  all  the  risk  can  be  managed,  some  risks  are  unpredictable,  

such  as  September  11,  there  are  called  “black  swan”.  However  you  can  adopt  measures  and  

control  to  limit  their  impact.  But  as  you  could  understand,  risk  is  not  easy  to  define  because  

it  can  affect  all  the  aspects  of  the  company  and  is  quite  complex  to  link  issues  with  a  factor  

risk.    

 

Although   risk   can   be   eliminated   100%,   the   companies   have   to   monitor   and   manage   it   in  

order  to  create  value  through  what  we  called  Risk  Management.  Risk  management  has  been  

defined  by  ASX  Corporate  Governance  Principles  as  “the  culture,  processes  and  structures  

that   are   directed   towards   taking   advantage   of   potential   opportunities   while   managing  

potential   adverse   effects”.   In   other   words,   risk   management   is   about   optimizing   risk   to  

create   value   while   balancing   conformance   and   performance.   Thanks   to   a   strong   risk  

management,  your  company  will  be  able  to  create  value.  Risk  management  is  a  systemic,  

structured   and   transparent   process   which   align   risk   profile   (what   risk   the   company   is  

currently  taking?)  with  risk  appetite  (what  risk  the  company  is  willing  to  take  in  pursuit  of  its  

objectives?).   But   risk   management   is   also   a   management   issue   and   must   be   part   of   the  

corporate   culture   and   behaviors.   That   is   why   risk   management   governance   is   extremely  

important  to  tone  at  the  top  but  also  to  foster  a  culture  of  risk  awareness  and  openness.  

 

  5  

For  this  paper,  I  have  chosen  one  of  the  leading  automobile  manufacturers,  the  French  car  

maker:   Renault.   Through   this   paper,   we   are   going   to   determine   some   of   the   risks   (both  

internal  and  external)  the  automotive  industry  and  particularly  Renault   is  exposed  to  and  

analyze   what   are   the   implications   of   these   risks   for   the   French   company   Renault.   Then,  

based  on  these  risks,  we  will   try  to  go  through  the  risk  management  process   in  detail   in  

order   to   proactively   manage   the   risks.   Next,   we   will   discuss   ERM   within   Renault   and  

management  structures  in  place  to  ensure  the  risks  are  effectively  managed.  In  a  last  part,  

we  will  describe  the  tone  at  the  top  and  culture  of  the  company  and  assess  if  they  are  in  line  

with   the   risk   management   process.   Obviously,   we   will   finish   this   paper   with   eventual  

recommendations  as  regards  risk  management  within  Renault.    

 

 

     

           

 

 

 

 

 

 

 

 

 

 

 

 

 

  6  

1. Company’s Mission & Current Strategy

Renault  is  a  French  leading  automobile  French  manufacturer  located  in  France  and  existing  

since  1898.  The  Renault  group  is  today  a  multi-­‐brand  international  group  composed  of  three  

distinct  brands:  

-­‐ Renault,  the  group’s  global  brand  

-­‐ Dacia,  the  group’s  regional  brand  (sold  in  44  countries  in  Europe,  Northwest  Africa  

and  Turkey  

-­‐ Renault  Samsung  Motors,  the  group’s  local  brand  (sold  in  South  Korea)  

The  Group  is  linked  to  the  Japanese  manufacturer  Nissan  since  1999  through  the  Renault-­‐

Nissan   alliance   (Renault   has   a   43.4%   controlling   stake   in   Nissan   while   Nissan   has  

shareholding   of   15%   in   Renault).   In   2014,   Renault-­‐Nissan   is   the   fourth   largest   global  

automotive  group.    

The  French  brand  designs,  develops,  manufactures  and  sells  vehicle.   It   is  an   international  

player  present  in  125  countries  with  46%  of  group  sales  outside  Europe.  In  2014,  the  Renault  

Group  sold  2.7  million  vehicles  all  around  the  world  for  a  turnover  of  41,055  million  euros.  It  

represents   an   industrial   network   composed   of   36   sites   employing   117   395   people  

(December   31,   2014).   In   2014,   the   ten   countries   where   Renault   sells   more   vehicles   are:  

France  (577,601),  Brazil  (237,187);  Russia  (194,531);  Germany  (173,479);  Turkey  (133,212);  

Italy  (130,996);  Spain  (127,666);  UK  (109,014);  Algeria  (91,800);  Argentina  (84,946).    

 

 

Carlos  Ghosn  is  the  current  chairman  and  CEO  of  the  Group.  Renault’s  mission  is  to  “drive  

the  change”  and  being  a  pioneer  in  “sustainable  mobility  for  all”.  With  over  110  years  of  

experience,  Renault  strives  to  offer  quality  products  and  services  always  more  innovative  

while  integrating  social  concerns  in  their  actions  and  creations  to  invent  the  automobile  of  

  7  

tomorrow.  Renault’s  objective  is  to  “ensure  that  sustainable  mobility  is  a  driver  of  worldwide  

development  and  progress  for  everyone.”1  

 

Renault’s  strategy  is  built  around  four  axes2:  

  ✓  Acting  for  the  access  to  sustainable  mobility  for  all  

    ✓  Innovation  and  proximity  to  their  customers  

  ✓  Educate,  inform  and  share  with  stakeholders  

  ✓  Constantly  improve  their  quality  approach  

 

The  purpose  of  Renault’s  strategy  is  to  secure  profitable  and  sustainable  growth  for  Renault.    

In  order  to  address  the  great  technological  challenges  of  the  future  and  pursue  its  profitable  

growth  strategy,  the  Renault  group3:    

  ✓   is  committed  to  sustainable  mobility  for  everyone,  through   innovative  solutions  

           such  as  electric  vehicles;    

✓  relies  on  a  proactive  international  growth  strategy;    

✓   is   strengthening   its   partnerships:   its   Alliance   with   Nissan,   its   cooperation   with  

  AVTOVAZ  in  Russia,  its  partnership  with  Daimler,  and  its  agreement  with  Dongfeng  in  

  China;    

✓  takes  advantage  of  the  complementarity  of  its  three  brands:  Renault,  Dacia,  and  

  Renault  Samsung  Motors.  

 

Furthermore,  Renault  is  strongly  engaged  in  a  CSR  (Corporate  Social  Responsibility)  policy.  Its  

current  strategy  presents  7  key  drivers:  

  ✓  A  continuing  policy  of  innovation  

  ✓  A  robust  product  plan  

  ✓  A  strengthened  Renault  brand  

  ✓  The  excellence  of  our  network  in  managing  customer  relations  

  ✓  Optimized  R&D  and  investment  expenditures  

                                                                                                                1  Source:  Renault  Registration  Document  2014   2  Source  :  www.renault.fr       3  Source:  Renault  Registration  Document  2014   4  POLITI,  C.  (February  10,  2011).  Comment  Renault  et  France  Télécom  gèrent  les  salariés.  

2  Source  :  www.renault.fr       3  Source:  Renault  Registration  Document  2014  

  8  

  ✓  Reduced  costs  

  ✓  Steady  position  in  Europe  and  international  expansion  

 

As  a  result,  the  risk  management  within  Renault  must  be  aligned  with  this  strategy.  That  is  to  

say  it  must  support  the  company’s  objectives  and  mission.    

 

 

2. Risk Identification & Implications

As   part   of   the   automotive   industry,   especially   expanding   internationally,   the   company  

Renault  faces  several  risks.  For  this  paper,  we  are  going  to  explore  five  of  them  both  internal  

and  external.  Indeed  internal  risks  correspond  to  risks  inherent  to  the  company  itself.  As  for  

the   external   risks   they   refer   to   the   risks   that   can   occur   in   the   external   environment  

(economy,  politics,  demographics  etc.)  and  that  have  an  impact  on  the  company.  The  risks  I  

have  chosen  to  identify  in  this  paper  are  not  the  most  important  or  the  less  dangerous,  they  

are  just  as   important  as  all  other  risks  that  the  company  faces.  But  often  because  of  the  

topicality  I  find  them  more  relevant,  that  is  why  I  want  to  explore  them  in  this  paper.  

 

-­‐ Psychosocial  risk:  I  have  chosen  to  talk  about  this  internal  risk  because  few  years  ago  

the   French   company   Renault   has   experienced   a   succession   of   suicides   among   its  

employees.   This   had   a   negative   impact   on   the   company’s   reputation   but   it   also  

represents  a  loss  of  key  employees  for  the  company.  The  car  company  was  not  the  

only  one  affected  by  this  scourge;  another  French  company  France  Telecom  has  also  

known   a   more   intense   wave   of   suicides   within   its   business.   In   2010,   the  

telecommunication  company  was  at  the  heart  of  a  social  and  media  crisis  without  

precedents.   The   management   was   accused   and   the   Paris   prosecutor   opened   a  

judicial  investigation  for  "moral  harassment"  against  the  group.  Thus,  it  is  interesting  

to   see   how   the   company   can   deal   with   this   internal   risk   as   part   of   the   Renault  

company.  Although,  this  risk  almost  exclusively  concern  the  French  auto  maker  as  

  9  

regards   the   news,   it   is   part   of   working   condition   risks,   and   each   industry   should  

prevent  this  type  of  risk  because  they  are  all  vulnerable.    

Psychological  risk  and  more  generally  working  condition  risks  are  quite  dangerous  for  

the  company  because  it  affects  one  of  its  more  important  assets:  its  employees.  This  

risk   affects   the   overall   performance   of   the   company.   During   the   vague   of   suicides  

that   have   taken   place   in   Renault’s   technopole,   Renault   did   not   notice   that   its  

employees  were  suffering  and  that  there  was  a  broader  feeling  of  lack  of  trust  and  

misunderstanding.4  Renault  is  aware  that  they  “have  forgotten  the  essential  role  of  

proximity”  (Bernard  Ollivier,  Renault’s  previous  Transformation  Director).  This  risk  is  

quite  complex  because  it  constitutes  a  shock  situation  for  the  entire  company  and  

involves   a   feeling   of   insecurity   within   the   company.   This   generally   engaged   into   a  

vicious  circle.    Suicide  or  suicide  attempt  is  an  emergency  situation  to  manage  in  the  

company,  especially  if  the  suicidal  act  occurred  at  the  place  of  work.  This  is  also  a  

warning  signal  for  the  company.  The  extreme  suffering  of  the  person  who  is  acting  

out   can   testify   an   unease   situation   widespread   in   the   company.   “Many  

epidemiological   studies   have   established   a   link   between   working   conditions  

generating   chronic   stress   and   the   development   of   a   depression.   This   can   then  

facilitate  suicide  attempt.  Among  the  work  constraints  studied,  we  found  notably  the  

imbalance  between  high  psychological  demands  and  lack  of  room  for  maneuver,  also  

called  job  strain”.  (INRS5,  2015).  As  we  can  understand,  this  risk  can  be  managed  to  

prevent  suicides  and  other  psychosocial  risks  (psychological  harassement,  burnout,  

violent  behaviors  etc.).  Furthermore,  it  also  exists  a  strong  causal  link  between  well-­‐

being  at  work  and  business  efficiency  (Jean-­‐Pierre  BRUN)  that  is  why  this  risk  is  also  

important  to  be  managed  in  order  to  create  value.    

 

                                                                                                                4  POLITI,  C.  (February  10,  2011).  Comment  Renault  et  France  Télécom  gèrent  les  salariés.   Lexpress.fr   Retrieved  at  :  http://www.lexpress.fr/emploi/comment-­‐renault-­‐et-­‐france-­‐telecom-­‐gerent-­‐le-­‐ stress-­‐des-­‐salaries_960878.html       5  INRS  is  the  French  National  Institute  of  Research  and  Safety  for  the  prevention  of   workplace  accidents  and  diseases.    

  10  

-­‐ Legal  and  Compliance  risk:  those  risks  are  linked  with  non-­‐compliance  with  laws  and  

regulations.   In   other   words,   these   risks   are   linked   to   the   company’s   environment.  

Automotive  manufacturers  are  subject  to  various  legal  proceedings  in  terms  of  safety  

or   more   generally   product   liability,   technical   and   environmental   regulations,  

intellectual  property  but  also  financial  reporting,  competition,  fraud  and  corruption,  

tariffs,  safety  workplace  among  others.  Such  risks  can  lead  to  additional  costs  (if  the  

company   is   fined),   damage   its   reputation,   loss   of   customers   and   thus   loss   of  

revenues,   change   strategy   and   practices   (operations)   and   more   radically   interrupt  

business   continuity.   Beyond   respecting   regulatory   compliance   obligations,   Renault  

must  be  able  to  anticipate  future  change  in   laws  and  regulations  (in  each  country  

where  the  company  is  present)  and  thus  adapt  it  in  a  timely  manner.  This  risk  must  

be  adequately  managed  because  Renault  is  present  in  several  countries  which  means  

that  it  is  subject  to  various  laws  and  regulations  that  are  very  different  from  country  

to  country.    

 

-­‐ IT  risks:  the  automotive  industry  is  largely  dependent  on  IT  (Information  Technology).  

IT  risk  has  been  defined  by  ISACA  (an  international  profession  association  focused  on  

IT  governance)  as  “the  business  risk  associated  with  the  use,  ownership,  operation,  

involvement,  influence  and  adoption  of  IT  within  an  enterprise”  (ISACA,  2009).  As  a  

result,   the   companies   are   exposed   to   numerous   IT   risks   (which   are   part   of  

operational  risk)  such  as  default  of  system,  computer  virus,  loss  of  data,  outages,  and  

cybercrime.   Also,   with   the   emergence   of   IT   in   the   automotive   industry,   industrial  

espionage  represents  a  major  risk  for  the  companies.  Although,  IT  plays  a  crucial  role  

in  the  automotive  industry,  IT  risks  can  have  a  huge  impact  on  the  company.  Indeed,  

IT  can  be  considered  as  a  risk  multiplier  because  IT  systems  are  generally  used  to  

control   the   entire   risk   profile   of   the   company   thus   it   can   have   significant   risk  

management   damages   (IBM6).   Thus,   it   exists   legal   obligations   as   regards   privacy,  

transactions,  but  IT  risk  management  should  be  implemented  in  order  to  minimize  

hardware  and  software  failures,  computer  hackers  and  other  cyber  attacks,  malware  

(malicious  software  designed  to  disrupt  computer  operation),  virus,  spam  and  human  

                                                                                                                6  IBM  :  Operational  Risk  Management  and  IT  :  Implications  for  Financial  Services   Retrieved  from  :  https://www-­‐935.ibm.com/services/uk/gts/pdf/opriskmgmt-­‐oct-­‐06.pdf    

  11  

error.   Also   natural   disasters   such   as   fire   at   the   plant,   floods   or   even   cyclones   can  

damage  data  and  infrastructure.  Indeed,  companies  possess  huge  data  volume  and  

other  private  data,  which  are  key  components  for  the  companies.  As  a  result,  they  

have  to  maximize  protection  for  IT  systems  and  infrastructures  and  managed  it  well  

also  because  it  can  be  a  source  of  benefits  for  the  all  management  process.    

 

-­‐ Supplier   risk:   this   risk   is   quite   interesting   because   it   can   affect   several   industries  

regardless   of   the   automotive   industry.   Suppliers   are   an   important   part   of   the  

business  for  automotive  industries  since  they  heavily  rely  on  them  in  terms  of  raw  

materials,   some   key   components,   operations   and   prices.   These   suppliers   are  

generally  located  all  around  the  world.  As  we  can  understand,  such  risk  can  impact  

the  entire  production  process  of  the  company.  Supplier  risks  cover  several  domains:  

it  can  deal  about  suppliers’  bankruptcies;  merchandise  delay,  flaw  in  the  design,  poor  

quality   of   products,   cost   of   the   recall,   reputation   and   ethics   of   the   supplier   (child  

labor).   For   example,   in   the   automotive   industry,   a   defective   item   concerning  

passenger   safety   would   have   dramatic   consequences   and   could   lead   to   the  

liquidation  of  the  manufacturer  and  damage  its  reputation.  As  we  can  understand,  

some  suppliers  such  as  suppliers  manufacturing  brake  components  have  more  risk  

than   suppliers   manufacturing   radio   or   hood   (RIMS 7 ).   Furthermore,   during   the  

recession,  although  automotive  makers  have  significantly  increased  their  production  

of   car,   many   suppliers   have   not   been   able   to   follow   the   movement   and   provide  

components  needed  so  quickly  because  they  were  not  prepared  and  have  suffered  

from   cut   operations   and   close   of   plants   (Bureau   Van   Dijk).   Also,   another   problem  

emerges:   the   automotive   manufacturer   can   rely   on   a   large   number   of   suppliers  

(called   first-­‐tier   suppliers)   whom   themselves   can   rely   on   other   suppliers   (called  

indirect  suppliers  or  second-­‐tier  supplier).  Hence  a  larger  risk  for  the  company  since  it  

cannot  control  all  the  suppliers.  Similarly,  the  automotive  maker  can  rely  on  a  few  

numbers   of   suppliers   in   order   to   better   monitor   safety,   quality   and   reliability.  

However,  what  happens  if  one  of  the  suppliers  cannot  supply  the  order  in  a  timely  

                                                                                                                7  Risk  and  Insurance  Management  Society,  Risk  Management  in  Automotive  Industry   Retrieved  from  :  http://community.rims.org/blogs/chris-­‐pentago/2013/07/15/risk-­‐ management-­‐in-­‐automobile-­‐industry    

  12  

manner?  Or  if  another  supplier  rely  on  a  second-­‐tier  supplier  who  cannot  supply  the  

elements  ordered  because  of  a  fire  in  his  plant  for  example?  More  concretely,  it  may  

result  to  supply  chain  disruptions.  As  a  result,  this  risk  is  quite  linked  to  supply  chain  

management   but   also   quality   management   and   can   impact   the   entire   process   of  

production.  Another  element  of  the  supplier  risk  is  the  ability  to  obtain  competitive  

price  in  order  for  the  car  manufacturer  to  be  cost-­‐effective  and  maintain  stable  prices  

for  its  cars.  As  we  can  understand  all  these  risk  factors  such  as  delays,  flaw  in  the  

design  or   increase  in  costs  can  dramatically   impact  the  production  and  delivery  of  

cars  for  Renault  and  affect  its  entire  operations  and  reputation  (especially  in  case  of  

lack  of  safety).  Although  such  risks  are  not  always  under  Renault’s  ability,  Renault  can  

still  manage  these  risks.    

 

-­‐ Currency   risk:   this   risk   is   part   of   the   financial   risks   that   could   affect   the   company  

Renault   and   more   generally   companies   from   the   automotive   industry.   Indeed,  

automotive   companies   have   often   several   plants   in   different   countries   and   sell  

vehicle   all   around   the   world.   Consequently,   currency   fluctuations   can   dramatically  

affect  the  company  in  terms  of  price  of  operations  and  sales  of  vehicles  but  more  

precisely  from  a  financial  point  of  view  it  can  affect  the  company’s  working  capital  

requirement,  net  financial  income,  share  in  the  net  income  of  associated  companies,  

shareholders’  equity  and  net  financial  debt.  That  is  why,  Renault  has  to  mitigate  this  

risk.   However,   this   risk   is   no   more   important   than   the   other   financial   risk   such   as  

credit  risk,   liquidity  risk  or  interest  rate  risk,  but  I  believe  it  would  be  pertinent  to  

mention  this  risk  because  of  the  actual  situation  of  the  recent  collapse  of  the  rouble  

(Russian  money).  And  we  know  that  Renault  is  currently  making  large  operations  in  

Russia   through   the   acquisition   of   Avtovaz   in   2014   (new   purchasing   organization  

located   in   Russia)   with   Nissan.   Russia   is   the   third   largest   market   for   Renault   after  

France   and   Brazil.   With   this   new   acquisition,   Renault   has   become   the   first   local  

automotive   group,   making   it   strong   on   the   market     but   also   vulnerable   to   the  

country’s   economic   health   in   particular   currency   fluctuations.   As   a   result,   it   is  

interesting  to  know  if  the  French  company  has  implemented  procedures  to  mitigate  

this  risk.    

 

  13  

All  these  risks  can  have  consequences  for  Renault  in  terms  of  economic  performance  and  

professional  reputation  but  also  consequences  for  the  consumer  and  the  environment.  That  

is  why  a  good  risk  management  can  help  to  mitigate  those  risks  and  create  value  for  the  

company.    

     

3. Risk Management Process Risk  management  is  a  continuous  improvement  process  which  aims  to  define  and  mitigate  risks  

the  company  faces.  It  exists  several  risk  management  processes  and  framework  but  as  part  of  

this  paper,  we  are  going  to  analyze  a  typical  risk  management  process:  ISO  31000-­‐2009  that  can  

be  used  by  Renault.      

 

ISO  31000  –  2009  is  a  process  that  provides  a  framework  and  guidelines  for  managing  any  form  

of   risk.   This   standard   is   not   only   designed   for   the   automotive   industry   but   for   any   type   of  

organization  regardless  its  size  or  activity  sector.  Thanks  to  this  process,  companies  are  better  

able   to   identify   opportunities   and   threats,   to   allocate   and   efficiently   use   resources   for   risk  

management  and  finally  increase  their  chances  of  achieving  their  goals  (ISO).    

 

-­‐ The  first  step  of  this  process  consists  in  establishing  the  context:    

✓   External   context   (country-­‐specific):   market   condition,   regulatory   requirements,  

  economy,  technology  trends,  government  (rating  agencies)    

  ✓  internal  context:  complexity  of  organization,  who  are  the  stakeholders?  (Internally  

  (employees)  and  externally  (vendors,  suppliers,  internal  auditors,  customers))  

  ✓   Risk   Management   process   context:   define   what   is   the   objective   of   the   risk  

  function,   what   is   the   responsibility   of   the   risk   manager,   what   is   the   method   to  

  identify  the  risks    

  ✓  Risk  Criteria  (done  on  department  level):  first  of  all   it   is  necessary  to  determine  

what   is   the   risk   appetite   of   the   company   (set   by   the   Board   of   directors).   Risk   appetite  

corresponds  to  the  risk  the  company  is  willing  to  take  in  pursuit  of  its  objectives.  For  example  

Renault  could  choose  a  risk  appetite  0  for  psychosocial  risk  because  it  may  tarnish  its  reputation.  

Then  the  company  has  to  determine  the  tolerance  of  risk,  that  is  to  say  the  amount  of  risk  the  

  14  

company  choose  to  retain  after  risk  mitigation  The  risk  criteria  is  based  on  the  objective  of  the  

company  that  is  why  we  say  that  risk  should  be  aligned  with  the  company.    

 

-­‐ The  second  step  is  risk  identification:  that  is  to  say  identify  the  different  types  of  risk  that  

the   company   can   face.   For   example,   in   this   paper,   we   have   identify   five   risks  

(psychosocial  risk,  legal  and  compliance  risk,  IT  risk,  supplier  risk  and  currency  risk)  but  

there  are  many  more.  It  is  also  important  to  analyze  when,  where,  how  and  why  this  risk  

can   occur.   To   help   identify   risks,   the   company   can   use   different   methods   such   as  

brainstorming  or  scenario  analysis.    

 

-­‐ After   identify   the   risks,   we   need   to   analyze   them.   It   is   the   third   step   of   the   process.  

Obviously,  this  step  will  provide  an  understanding  of  the  risks  (is  the  impact  high  or  low?)  

to   make   decisions   on   risk   treatment   and   acceptance.   For   this   analysis,   we   can   use  

qualitative  and/or  quantitative  method  depending  on  the  risk.  For  example,  psychosocial  

and  compliance  risk  will  require  qualitative  method  such  as  the  intervention  of  an  expert  

(doctors)  whereas  IT  risk  will  include  more  quantitative  method.  The  goal  of  this  step  is  to  

estimate  the  likelihood  of  events  and  their  consequences  based  on  risk  criteria  previously  

established  in  order  to  estimate  the  level  of  risk.  

 

-­‐ Thus,   the   fourth   step   aims   to   evaluate   the   risk:   the   organization   must   evaluate   risk  

treatment   in   order   to   compare   against   risk   criteria.   Then,   the   organization   will   define  

what  kind  of  control   it  needs  in  order  to  prevent  and  avoid  these  risks.  To  do  so,  the  

company   can   use   different   tools   that   can   be   combined   (risk   matrix,   voting,   testing   by  

focus  group,  statistical  analysis  etc.).  Also,  the  company  has  to  establish  the  risks  that  

need  to  be  prioritized.  It  is  important  to  communicate  to  decision  makers  the  results  so  

they  are  aware  of  these  risks.    

 

-­‐ Finally,   the   last   step   of   this   process   is   risk   treatment:   the   company   assesses   risk  

treatment   options   and   implements   selected   controls.   Risk   assessment   is   a   proactive  

control  that  needs  constant  monitoring.    

 

  15  

This  risk  management  process  should  be  documented  in  order  to,  in  case  of  litigation  or  product  

failure  claims,  prove  that  your  company  had  implemented  an  accurate  and  effective  process  to  

prevent  risks.    

 

On  the  other  hand,  it  is  important  for  large  organizations  to  implement  other  risk  management  

processes   and   techniques   in   order   to   even   more   prevent   and   mitigate   the   risks.   Very   often,  

companies  use  more  than  one  framework  to  guide  the  implementation  of  risk  management.    For  

example,   the   company   can   use   its   own   framework   (internally   created)   combined   with   other  

prominent  framework  such  as  COSO  or  the  ISO  31000-­‐2009  (Lundqvist,  2014).    

 

 

 

4. Benefits of ERM   Enterprise   Risk   Management   (commonly   referred   as   ERM)   provides   a   framework   for   risk  

management.  ERM  has  been  defined  by  the  COSO  (Committee  of  Sponsoring  Organizations  

of   the   Treadway   Commission)   as   a   “process,   effected   by   an   entity's   board   of   directors,  

management,   and   other   personnel,   applied   in   strategy   setting   and   across   the   enterprise,  

designed   to   identify   potential   events   that   may   affect   the   entity,   and   manage   risk   to   be  

within  its  risk  appetite,  to  provide  reasonable  assurance  regarding  the  achievement  of  entity  

objectives”  (2004).  The  Committee  adds  that  ERM  includes:  

-­‐ Aligning  risk  appetite  and  strategy  

-­‐ Enhancing  risk  response  decisions  

-­‐ Reducing  operational  surprises  and  losses  

-­‐ Identifying  and  managing  multiple  and  cross-­‐enterprise  risks  

-­‐ Seizing  opportunities  

-­‐ Improving  deployment  of  capital  

 

Beasley,  Marks  and  Scott  Showalter  underline  that  as  part  of  ERM  process  “executives  have  

attempted   to   identify   all   types   of   potential   risks   that   might   be   most   impactful   to   the  

organization’s   strategic   success,   and   they’ve   developed   processes   to   prioritize   those   risks  

  16  

and  have  allocated  resources  to  manage  them.”  (p.34).  They  go  even  further  by  stating  that  

“there’s   a   tremendous   argument   for   marrying   an   organization’s   ERM   and   sustainability  

initiatives  to  address  risks  and  opportunities  that  are  most  likely  to  impact  the  organization’s  

ability  to  sustain  its  strategies  and  its  business  model  for  creating  long-­‐term  value.”  (p.  35).  

Indeed,  if  ERM  is  successfully  implemented,  it  generally  leads  the  company  to  create  value  

through:    

-­‐ Achievement  and  pursuit  of  strategic  objectives  

-­‐ Reducing  costs    

-­‐ Improve  risk  management  process  and  risk  governance    

-­‐ Better  mitigate  risk  

-­‐ Improving   relationship   with   stakeholders   (employees,   suppliers,   shareholders,  

partners,  associates,  customers,  investors,  local  communities,  associations)  

-­‐ Ensuring  business  continuity  

 

Risk  is  dynamic,  it  changes  and  evolves  all  the  time  that  is  why  beyond  a  risk  management  

process,  risk  management  must  integrated  in  business  practices.  Also,  communication  within  

the  organization  is  important.  ERM  must  include  all  people  playing  a  role  in  the  company,  

people  have  to  be  aware  of  changes  and  be  proactive.  Also,  as  risk  evolves,  you  have  to  

regularly  monitor  and  update  your  policy.  That  is  why,  as  part  of  Renault,  ERM  is  necessary  

because  the  automotive  industry,  in  addition  to  being  a  highly  competitive  market,  is  facing  

constant  change  (environmental  regulation,  innovations,  new  regulations  in  terms  of  safety)  

that  can  disturb  the  company  if  risk  is  not  adequately  managed  in  a  timely  manner.    

 

Consequently,  we  observe  that  Renault  has  already  a  well  implemented  ERM.  For  example,  

for  each  risk  identified  above  (part  2),  Renault  has  management  procedures  and  principle  in  

order  to  mitigate  those  risks.    

 

-­‐ Psychosocial   risk:   following   the   succession   of   suicides   within   Renault,   managers  

received   training   in   order   to   better   identify   psychological   risks   and   improve   well-­‐

being   within   the   organization   while   occupational   doctors   regularly   monitor  

employees  and  offer  psychological  help  (Renault  Registration  Document  2014).  Along  

with  this  prevention  of  psychosocial  risk,  executives  have  analyzed  the  events  and  

  17  

realized  that  they  have  forgotten  the  crucial  role  of  relationship.  They  have  revived  

the   dialogue   with   the   employees.   Each   position   has   been   redesigned   so   that  

employees  regain  their  original  function;  annexes  tasks  that  caused  additional  stress  

have  been  removed.    

 

-­‐ Legal  and  Compliance  Risk:  “The  Company  follows  a  structured  procedure  to  analyze  

the   robustness   of   regulatory   compliance   for   a   number   of   well-­‐defined   regulated  

areas,   established   by   Internal   Control   department   in   collaboration   with   the   Legal  

department.  These  include  competition,  fraud  and  corruption,  environment,  health-­‐

safety-­‐working  environment,  technical  regulations,  etc. This  approach  is  led  by  the  

Regulatory  Compliance  department,  part  of  the  Internal  Control  department,  and  is  

monitored   by   the   Ethics   and   Compliance   Committee.”   (Renault   Registration  

Document   2014).   This   procedure   includes   three   distinct   actors:   the   operational  

entities,   the   decision-­‐making   departments   and   the   regulatory   compliance  

department   which   all   ensure   different   mission   which   respectively   consists   in  

ensuring,   monitoring   and   evaluating   regulatory   compliance   systems   and   finally  

deploy  them  within  the  company.  As  regards  regulatory  changes,  beyond  dialoging  

with   national   authorities   in   order   to   anticipate   future   changes   and   ensure  

compliance   with   regulations,   Renault   is   involved   in   an   internal   control   with  

employees  and  regulatory  monitoring.    

 

-­‐ IT   risk:   Renault   is   well   aware   of   these   risks   and   has   implemented   procedures   and  

controls  improving  IT  risk  perception  and  engagement:    (1)  at  operational  level  with  a  

process  defining  security  requirements,  IT  security  specialists  managing  data  security,  

providing  high  level  of  protection  for  the  Group’s  network  and  creating  awareness  

among   employees;   (2)   at   organizational   and   governance   level   with   an   IT   Risk  

Committee   coordinated   by   the   IT   Group   Security   department   providing   reports   to  

the   Renault   IT   department   and   other   governance   committees   coordinated   by   the  

Group  IT  security  monitoring  the  effective  application  of  IT  security  procedures;  (3)  

regular   controls   of   robustness   of   the   system,   machines   and   IT   crisis   management  

processes;   (4)   security   supports   for   projects;   (5)   coordination   of   the   network   of  

security  officers  (Renault  Registration  Document  2014).  

  18  

 

-­‐ Supplier  risk:  to  prevent  this  risk,  Renault  has  a  very  accurate  system  which  involves  

the  responsibility  of  the  Renault  Nissan  Purchasing  Organization  (RNPO)  using  five  

systems:   a   prevention   policy,   the   use   of   Renault-­‐Nissan   standards,   processes   to  

detect  non-­‐compliance  in  the  quality  of  delivered  parts  and  traceability,  permanent  

monitoring  of  supplier  risk  (in  terms  of  operations,  finance  and  CSR),  action  plans  in  

case  of  non-­‐compliance  or  other  detected  risk.  Obviously  this  control  also  involves  

Risk  Management  and  Control  department  among  other  departments.  Still  part  of  

this  system,  Renault  uses  several  tools  to  prevent  and  detect  such  risks  such  as  an  

annual  questionnaire  to  anticipate  capacity  requirements  and  solutions  two  years  in  

advance,   an   audit   matrix,   annual   ratings   conducted   by   the   buyer   and   experts   in  

supplier   risks,   strict   steps   and   procedures   to   follow   for   validation   and   compliance  

involving   a   score   chart   to   rate   eventual   faults   during   the   design   stage   (Renault  

Registration   Document   2014).   Also,   Renault   closely   monitors   safety   standards   of  

second-­‐tier   suppliers.   As   the   result,   Renault   can   quickly   identify   eventual   troubled  

suppliers  and  react  in  a  timely  manner.    

 

-­‐ Currency  risk:  the  department  Renault  Finance   is   in  charge  of  this  risk   in  order  to  

anticipate  it  and  limit  damages  on  the  entire  organization.    

     

5. Risk Organization To  be  effective,  risk  management  must  be  also  ensured  by  good  corporate  governance.  It  

must  be  a  structured  and  transparent  process.    

 

As  a  global  manufacturing  company,  Renault  has  an  active  risk  management  policy  based  

among   others   in   a   highly   effective   organization.   As   we   have   seen,   Renault’s   risk  

management  system  relies  on  a  lot  of  structure  to  ensure  the  risks  are  effectively  managed,  

but  also  it  relies  particularly  on  a  “collaboration  between  the  Risk  Management  department  

at  Head  Office  (risk  manager),  the  operational  risk  managers  at  country  level  and  the  expert  

  19  

risk   managers   within   certain   business   functions   and   corporate   activities. This   network   of  

different   levels  strengthens  the  risk  management  system  and  provides   it  the  means  to  be  

proactive  in  controlling  risks.”  (Renault  Registration  Document  2014).  A  special  Committee  

has  been  created  (“Risk  and  Ethics  Audit  Committee”)  to  carry  out  risk  and  ethics  issues.  This  

committee  is  composed  of  directors  appointed  by  Renault  Group’s  Board  of  Directors.  This  

committee  “makes  sure  accounting  methods  comply  with  applicable  standards,  advises  on  

the  appointment  and  re-­‐appointment  of  auditors,  and  on  the  quality  of  their  work,  oversees  

compliance   with   rules   on   auditors’   independence,   verifies   the   relevance   of   internal  

inspection   methods,   and   examines   the   scope   of   consolidated   companies.”  

(www.group.renault.com).  Renault  Group  also  comprises  an  Internal  Audit  department  and  

an  Internal  control  department  who  works  on  risk  management  issues.    

 

In  order  to  be  effective,  Renault’s  Risk  Management  department  involved  two  key  networks:  

-­‐ Employees  known  as  Operational  Risk  Managers  working  on  operational  

implementation  of  risk  management  systems  within  the  organization  

-­‐ Experts  known  as  Expert  Risk  Managers  managing  specific  area  of  risks    

Here  is  a  the  organization  of  the  Internal  Control  and  Risk  Management  Systems:  

 

 

                         

     

Source:  Renault  Registration  Document  2014  

  20  

6. Organizational Culture In  a  company,  the  Board  of  Directors  sets  the  tone  at  the  top  by  promoting  a  corporate  

culture,  in  other  words  values  and  behaviors  that  is  spread  in  the  entire  organization.  Risk  

management  is  a  management  issue  and  must  be  part  of  the  corporate  culture  and  strategy.  

 

Renault   Group   has   a   strong   culture   of   risk   management.   “Risk   management,   which   is  

essential   for   any   global   manufacturing   Company,   needs   to   be   reinforced   and   made  

proactive.   It   is   therefore   an   integral   part   of   the   Group’s   operational   management  

procedures”   (Renault   Registration   Document,   2013).   Indeed,   the   French   group   has   faced  

several  crisis,  as  a  result,  they  have  developed  a  culture  of  greater  crisis  (in  other  words  a  

risk  culture)  which  go  through  risk  management,  in  order  to  be  better  able  to  avoid  new  one  

in  the  future.  Consequently,  the  Internal  Control  and  Risk  Management  departments  have  

implemented  a  specific  program,  further  training  for  managers  and  communication  in  order  

to  raise  awareness  of  the  risk  culture  among  the  entire  organization  (including  management  

and  employees)  (Renault  Registration  Document,  2013).  This  risk-­‐aware  culture  is  even  more  

developed  and  encouraged  each  year.  Furthermore,  beyond  relying  on  experts  to  mitigate  

risks,   the   Risk   Management   Department   involves   also   the   employees   (operational   risk  

managers)  to  control  and  monitor  risks.  It  is  an  openness  process.  

 

Finally,  as  part  of  risk  culture,  risk  management  at  Renault’s  Group  is  considered  to  be  both  

strategic  and  operational  in  order  to  create  even  more  value  (Delaroche,  2010).    

                         

  21  

Recommendations & Conclusion Renault  Group  is  quite  aware  of  potential  risks  inherent  to  its  industry  and  risk  management  

appears  to  be  crucial  for  the  company.  However,  this  has  not  always  been  the  case  (suicides  

among  employees  and  managers  few  years  ago).  But  it  seems  that  Renault  has  considerably  

improved  its  risk  management  both  internally  and  externally.      

 

But,  despite  a  strong  culture  of  risk  management,  Renault  must  regularly  review  and  update  

its   policy   of   risk   management   and   eventually   identify   new   risks.   The   automotive   industry  

faces   rapid   changes   in   terms   of   regulations   and   innovations.   It   would   be   a   mistake   to  

concentrate   only   on   risks   identified   and   not   anticipate   new   risks.   I   know   the   company  

actually  do  it,  but  I  fear  that  by  the  fact  they  focus  on  managing  so  much  risk;  they  do  not  

see  potential  new  risks.  Consequently,  I  would  advise  the  company  to  regularly  use  several  

risk  management  process  (ISO  31000,  COSO  combined  with  an  internal  process)  if  it  is  not  

the  case  in  order  to  be  more  accurate  and  efficient  in  identifying  and  managing  new  risks.    

 

Moreover,  although,  Renault’s  ERM  relies  on  well  organized  structure,  I  would  advise  a  more  

collaborative  structure  among  each  department  at  every  level  and  to  take  into  account  the  

different  perceptions  of  stakeholders  involved.  Also,  I  am  not  sure  that  all  the  employees  are  

well  aware  of  the  entire  process;  as  a  result,  I  would  recommend  more  communication  at  

every  level  to  provide  a  cohesive  risk  management  process.    

 

                 

  22  

List of References   Renault  Registration  Document,  2013     Renault  Registration  Document,  2014     www.group.renault.com        

BEASLEY;  MARKS,  S.  &  SCOTT  SHOWALTER,  D.  (March  2015).  ERM  and  Sustainability  

Together  on  the  Road  Ahead.  Strategic  Finance,  Vol.  97,  Issue  3,  p3.    

Retrieved  from  EBSCO  

 

DELAROCHE,  P.  (October  1,  2010).  Vers  une  culture  de  la  gestion  du  risque.  Lexpress.fr  

Retrieved  from:  http://www.lexpress.fr/emploi/gestion-­‐carriere/vers-­‐une-­‐culture-­‐de-­‐la-­‐

gestion-­‐du-­‐risque_1386704.html    

 

LUNDQVIST,  S.A.  (July,  2014).  An  Exploratory  Study  of  Enterprise  Risk  Management:  Pillars  of  

ERM.  Journal  of  Accounting,  Auditing  &  Finance.  Vol.29,  Issue  3,  p393-­‐429.    

Retrieved  from  EBSCO  

 

PORTER,  M.  E.  (1985).  Competitive  Advantage:  Creating  and  Sustaining  Superior  

Performance.  New  York,  Free  Press  (page  476).    

    Risk  and  Insurance  Management  Society,  Risk  Management  in  Automotive  Industry  

Retrieved  from  :  http://community.rims.org/blogs/chris-­‐pentago/2013/07/15/risk-­‐

management-­‐in-­‐automobile-­‐industry  

 

IBM  :  Operational  Risk  Management  and  IT  :  Implications  for  Financial  Services  

Retrieved  from  :  https://www-­‐935.ibm.com/services/uk/gts/pdf/opriskmgmt-­‐oct-­‐06.pdf  

 

  23  

Bureau  Van  Dijk.  (April  19,  2013).  US  vehicle  manufacturers  expressing  supplier  risk  

management.  Bureau  Van  Dijk  

Retrieved  from:  http://www.bvdinfo.com/industrynews/procurement-­‐and-­‐risk-­‐

management/us-­‐vehicle-­‐manufacturers-­‐expressing-­‐supplier-­‐risk-­‐management/801574326    

 

Enterprise  Risk  Management  –  Integrated  Framework  :  Executive  Summary  (September  

2004).  Committee  of  Sponsoring  Organizations  of  the  Treadway  Commission.    

Retrieved  from:  

http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf