This article was originally published in Outsource Magazine on July 29, 2014.

At the Twelfth Annual Corporate Accountability Conference held in Paris last month, Pierre Poret, Counsellor and Directorate for Financial and Enterprise Affairs at the Organisation for Economic Co-operation & Development (OECD), announced that “too often, in the enterprise, there [is] little or no board-level responsibility, with the burden and oversight responsibility [for risk management] effectively stopping at the level of the line manager.” He was referring to the findings of the OECD’s Risk Management and Corporate governance report, which showed that companies’ boards often played too limited a role in risk management and that outsourcing and supplier- related risk is much overlooked.

The report is the summary of the OECD’s peer review process which implements the OECD Principles in order to assist market participants, regulators and policy makers. It is based on survey responses from participating jurisdictions as well as an in-depth review of corporate risk management practices in Norway, Singapore and Switzerland, covering the corporate governance framework as well as practices relating to corporate risk management of the 26 jurisdictions that participate in the OECD Corporate Governance Committee.

The report, which analysed both private and public sector businesses, found that “while risk-taking is a fundamental driving force in business and entrepreneurship, the cost of risk management failures is still often underestimated, both externally and internally , including the cost...of management time needed to rectify the situation.” Risk governance standards tend to be very high-level, which limits their practical usefulness, according to the OECD, as they should be more operational. In general, the effectiveness of an enterprise’s risk management culture can be critical to an organisation’s success (or failure).

In the non-financial sectors, risk management structures are even less prevalent. The OECD lists accounting frauds (Olympus, Enron, WorldCom, Satyam, Parmalat), foreign bribery cases (Siemens) and environmental catastrophes (Deep Water Horizon, Fukushima) to demonstrate that the headlines are by no means restricted to the financial sector. These cases were compounded by corporate governance failure and deficient risk management systems, where company boards failed to fully appreciate the risks that their companies were taking–if they were not engaging in reckless risk-taking themselves.

The typical modern business relies on a complex supply chain with many third-party and outsourced relationships which can cause a multitude of problems. Without an adequate risk management and assurance framework, says the OECD, dependence on these outsourced and third-party relationships can quickly contaminate the organisation, especially if “only lip service is paid to important parts of the company’s value chain that are outsourced.” Given high-profile supplier failures such as Satyam Computer Services (subsequently rescued by Mahindra Group after several significant customers including Merrill Lynch and State Farm Insurance terminated their contracts with Satyam), as well as headline-hitting events such as factory fires and a building collapse in Bangladesh, there are many aspects for company boards to address through their risk management framework to minimise and mitigate damage to their business.

So what should a risk management framework address? It should look at its dependence on key suppliers or joint venture partners, particularly to those located in countries that may follow different standards from the home country. Companies with diverse, global supply chains suffer from an increased lack of control over their suppliers and contractors so need to operationalise strategies to cope with these more complex risks. Given the examples noted above, companies should also pay attention to examining available insurance and other mitigation strategies such as dual sourcing, supplier assessments, contract compliance reviews, exit strategies and stress testing contractual remedies, where these have been negotiated, such as step-in rights and exit plans.