CPM and GRC processes. The enterprise must be fully instrumented not as a
luxury but as the only way to steer the car. To revisit our driving analogy,
instead of looking in the rear view mirror, integrated CPM and GRC turns the
lights on and allows you to see obstacles and risks sooner and to drive faster.
In the next couple of sections, we look at two examples that help illustrate
the practical benefits of integrated CPM and GRC.
Supplier concentration
Imagine that you work in a manufacturing firm and that your ability to produce
certain products depends on delivery of components from suppliers. As part
of your GRC program, you institute a search for concentration in specific
suppliers of key components so you can identify potential vulnerabilities.
In the typical nonintegrated approach to GRC, you might have analysts examine
the bill of materials for products being manufactured, enter the key
components into a spreadsheet, sort them by supplier, and then identify the
suppliers that pose the most risk. Then a program could be initiated to find
alternative suppliers. For that moment in time, you understand your supplier
concentration and have mitigated the risk.
An integrated approach would recognize that the concentration of risk in
suppliers will change over time. Identifying and managing concentration
would be made part of routine operations. Here’s how this might work:
- The bill of materials for each product would be extracted on a monthly
  basis into an automated report that would sort the components by supplier
  to reveal any concentration. Concentrations above a certain level
  would trigger an event that would notify the appropriate executives.
- The report and any events would be reviewed during a monthly GRC
  meeting to determine how they should be remediated.
- The task of finding a new supplier, redesigning products to reduce
  concentration, or improving the service-level agreement with the supplier
  would be assigned to the appropriate executives.
- Product design staff would be part of the team managing concentration
  so that new product design could be performed in such a way to avoid
  excessive concentration in one supplier.
In this way, the management of a specific risk, supplier concentration, has
become part of an improved process that provides the company with more
information about supplier concentration to meet CPM objectives and has
baked risk remediation processes into standard operating procedure.
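
The monthly report and threshold event described above could be automated along these lines. This is an added example, not from the original text; the bill-of-materials rows, supplier names, the 40 percent threshold, and the function names are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample extract: (product, component, supplier).
# A component listed under two suppliers is dual-sourced.
BOM = [
    ("pump-A", "motor", "Acme"),
    ("pump-A", "seal", "Acme"),
    ("pump-A", "housing", "Borealis"),
    ("pump-B", "motor", "Acme"),
    ("pump-B", "controller", "Cirrus"),
    ("pump-B", "controller", "Acme"),
    ("valve-C", "actuator", "Acme"),
    ("valve-C", "seal", "Dorado"),
]

THRESHOLD = 0.40  # assumed concentration level that triggers an event


def concentration_report(bom):
    """Return (supplier, share, sole_source_parts) rows, highest share first.

    share is the fraction of all product/component positions the supplier
    fills; sole_source_parts are positions with no alternative supplier.
    """
    sources = defaultdict(set)  # (product, component) -> suppliers
    for product, component, supplier in bom:
        sources[(product, component)].add(supplier)
    supplied = defaultdict(set)  # supplier -> positions it fills
    for part, suppliers in sources.items():
        for supplier in suppliers:
            supplied[supplier].add(part)
    total = len(sources)
    rows = []
    for supplier, parts in supplied.items():
        sole = sorted(p for p in parts if len(sources[p]) == 1)
        rows.append((supplier, len(parts) / total, sole))
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def concentration_events(bom, threshold=THRESHOLD):
    """Return one event per supplier whose share exceeds the threshold."""
    return [{"supplier": s, "share": round(share, 3), "sole_source": len(sole)}
            for s, share, sole in concentration_report(bom) if share > threshold]


if __name__ == "__main__":
    for supplier, share, sole in concentration_report(BOM):
        print(f"{supplier:10s} {share:6.1%}  sole-source positions: {len(sole)}")
    for event in concentration_events(BOM):
        print("EVENT for monthly GRC review:", event)
```

Separating sole-source positions from overall share lets the monthly review distinguish a supplier that is merely large from one that has no substitute.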
288 Part IV: Managing the Flow of Information