December 2006

Risky Business

A new survey of internal auditors finds that trust and internal controls are core attributes of effective strategic collaborations. 

Shannon W. Anderson, PHD
Associate Professor of Management, Rice University

Margaret H. Christ, CIA
Doctoral Student of Accounting, The University of Texas at Austin

Karen L. Sedatole, PHD
Associate Professor of Accounting, Michigan State University

As risky as they are, collaborative alliances offer partner firms many important strategic advantages, which may explain why they have become a dominant force in the world's economy in the past two decades. In the United States, partnerships can account for as much as 25 percent of a firm's revenue, according to McKinsey & Co., an international business consulting firm based in New York. Yet, a variety of studies show that even when there is full cooperation between partners, more than half of all alliances fail.

According to past studies, trust appears to play a critical role in the success of strategic alliances, but it is unclear how firms create or measure it. Although trust between partners is important for reducing risks associated with interorganizational collaborations, formal controls are also critical to the success of these collaborations.

Practitioner Survey Facts

Researchers at Rice University, the University of Texas at Austin, and Michigan State University surveyed 151 chief audit executives (CAEs) and internal audit consultants in March 2005 to identify, categorize, and quantify common and systematic risks associated with strategic alliances. Sixty-five percent of respondents were CAEs, while 35 percent were consultants. The CAEs averaged 13 years' experience performing internal audit work and five years conducting external audits. Half of the respondents were from U.S.-based companies, and about 62 percent indicated that their organizations perform all internal audit services in-house.

 

The internal audit consultants were from a variety of service companies, including Big Four public accounting firms, other certified public accounting (CPA) firms, and boutique firms specializing in internal audits and risk management. Forty-eight percent of respondents were partners or directors of their respective firms, 43 percent were certified internal auditors, and 36 percent were CPAs. Consultant respondents averaged eight years of internal audit experience and seven years of external audit experience. In addition, they averaged four years of experience working with strategic alliances.

In the past, the task of identifying and managing a firm's risks has fallen on those who work on corporate strategy. Increasingly, controls between alliance partners are becoming the responsibility of internal auditors, according to a recent report by researchers at Rice University in Houston, the University of Texas at Austin, and Michigan State University in East Lansing. To identify the common and systematic risks managers and internal auditors can expect when organizations engage in collaborative arrangements, the study's authors conducted a Web-based survey of 151 IIA members who are chief audit executives (CAEs) and internal audit consultants in March 2005 (see "Practitioner Survey Facts," at right). The survey, Managing Strategic Alliance Risk: Survey Evidence of Control Practices in Collaborative Interorganizational Settings, describes the likelihood and impact that specific risks will occur depending on the collaborative arrangement and outlines the control practices used by a diverse cross section of firms to manage those risks.

IDENTIFYING RISK

To help organizations systematically identify, assess, and manage risk, many internal auditors focus on the organization's various business objectives and the specific risks that may prevent it from achieving each of those goals. A commonly used risk management framework, The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Enterprise Risk Management–Integrated Framework, provides a logical, visual representation of the business risks organizations face, including those arising from their relationships with strategic partners. Designed to be easily understood by personnel at all levels of an Risk Classificationsorganization, the COSO enterprise risk management (ERM) framework bases an organization's business objectives on its strategic goals, operations, reporting, and compliance capabilities (see "Risk Classifications" at right — click to enlarge). Strategic goals relate to the organization's mission, while operational objectives have to do with the firm's use of resources. Reporting and compliance objectives reflect the organization's ability to monitor and evaluate its partner's performance and its adherence to various laws and regulations. Collectively, the four types of business objectives are meant to increase stakeholder value.

Risks associated with strategic goals vary. Strategic partners might not meet the organization's objectives regarding innovation, or they might use proprietary information in a way that could negatively affect the organization. Another risk is product or service failure.

When considering the operations of a collaborative arrangement, managers need to anticipate an array of risks. For example, a strategic partner may be unable or unwilling to provide raw materials or key components in time to meet the organization's regular schedule or when there is unexpected high demand. A partner may not be able to meet the organization's quality standards, or it may seek unexpected price increases in the raw materials or components it provides. Strategic partnerships may also expose the organization to credit risk. Moreover, an organization's ability to verify, monitor, and evaluate its partner's performance accurately and promptly may be at risk. Regarding compliance and regulatory risk, an organization may be exposed to sanctions or may fail to meet customer needs if its partner is unable to comply with laws and regulations.

ASSESSING RISK FOR EACH TYPE OF ALLIANCEGreatest Risk by Alliance Type

When assessing an organization's risks, internal auditors typically consider each risk's potential impact and the likelihood that it will occur. Respondents to the Managing Strategic Alliance Risk survey report that the magnitude and probability that any of the risks would occur varies by the type of alliance (see "Greatest Risks by Alliance Type" at right — click to enlarge). Respondents assessed the inherent risks of four types of partnerships: alliances with upstream partners that supply raw materials or other products and services; downstream partners that oversee the product's final assembly, or that are distribution partners; marketing partners, including co-branding relationships; and research and development (R&D) partners.

Upstream Partnerships
Auditors familiar with upstream partnerships indicate that compliance and regulatory risk, surge capacity risk, product or service failure risk, financial viability risk, and input supply risk would cause significant detrimental effects, although they are only moderately likely to occur. Compliance and regulatory risks involve partners that fail to adhere to customer requirements, organizational policies, or laws and regulations. Surge capacity risk is the risk that a partner is unable or unwilling to provide necessary components or raw materials in time to meet unexpected or unusually high customer demand. Input supply risk involves a partner that cannot provide the components or raw materials necessary to meet typical demand. Financial viability risk refers to the possibility that a partner will experience financial distress and will be unable to meet the organization's consumption needs. Alternatively, survey respondents consider outside scope risk — the risk that the alliance will create products or services that are not within the scope of the original alliance agreement — to be both unlikely and of low impact. 

Downstream Partnerships
In the case of downstream partnerships, survey respondents indicate that output demand risk and verification and evaluation risk would have the greatest negative impact on their organization. Output demand risk is the risk that an organization's downstream partners' actions would adversely affect customer demand for its products, and verification and evaluation risk refers to a firm's inability to verify, monitor, or evaluate the activities of its downstream partners. According to respondents, the least serious threats to downstream partnerships are demand and outside scope risks, as well as innovation risk in which partners cannot maintain adequate levels of innovation to support the organization's needs. 

Marketing Partnerships
Respondents who are familiar with marketing partnerships claim that quality performance risk is the most likely and most detrimental risk to their organization. This risk refers to partners that are unable to provide products or services that meet the organization's quality and reliability standards. Other high-impact risks include compliance and regulatory risk, product or service failure risk, and contribution valuation risk. Contribution valuation is the risk that the organization's nonmonetary contributions to the alliance will be undervalued. The auditors also indicate that outside scope risk and financial viability risk would have the least detrimental impact on the organization's operations.

R&D Partnerships
The two risks posing the most negative impact to R&D partnerships are product and service failure risk and input supply risk. According to respondents, the least detrimental threats to these types of alliances are outside scope risk and credit risk.

Regardless of the type of alliance, internal auditors surveyed consider a strategic partner's failure to comply with customer requirements, organizational policies, or laws to be a highly probable risk that would have a large negative impact. Similarly, respondents note that product or service failure and problems regarding supply, financial viability, or performance quality on the part of the partner are more likely to occur than other risks and would have a highly negative impact.

BALANCING OPPORTUNITY AND CONTROL

Typically, organizations involved in collaborative alliances require flexibility and innovation. At the same time, some type of formal control is necessary to help prevent uncertainty and Anderson Control PracticesAnderson Control Practices Commonly Usedopportunistic behavior by one or both partners. However, previous studies by the survey's authors and other researchers suggest that formal control systems may signal a lack of trust and lead to decreased cooperation. To maintain a balance between opportunity and control while encouraging innovation and a trusting environment, managers rely on many types of control mechanisms, including those identified by Harvard Business School Professor Robert Simons in his "Levers of Control" framework (see "Control Practices Commonly Used in Strategic Partnerships" at right, click to enlarge). Simons' framework, first published in 1995, is widely taught in accounting and graduate-level business courses. Respondents to the IIA survey indicate that they rely equally on each of the four levers of control.

The first control lever described by Simons is an organization's belief system — the standards, core values, or mission statements that reinforce the organization's purpose and direction. To internal auditors, this form of control is often classified as a preventive control and, in an alliance setting, is reflected in a high level of trust between partners.

The second control lever, boundary systems, are composed of preventive controls that provide an organization's minimum standards, spelling out what partners are not allowed to do. They include written policies and procedures regarding the partnership's operations, contract terms, authorization levels for making investment decisions within the alliance, and controls to safeguard proprietary information. 

The most traditional controls used by managers are generally the organization's feedback or diagnostic control systems (third lever) — a firm's means of measuring outputs and comparing results against a predetermined benchmark. Examples would be a formal review process for selecting suppliers, as well as terms within a contract that specify how performance will be measured and how the partnership can be dissolved.

Organizations may also establish interactive feedback (fourth lever) within the firm regarding partner selection and alliance management. Interactive feedback across firms may be accomplished with periodic announced and unannounced audits. In particular, many companies are conducting periodic reviews of their partner's financial information in the wake of the U.S. Sarbanes-Oxley Act of 2002, which puts greater demand on firms to assess risks and internal control practices related to financial reporting. Interactive feedback is also provided by formal information systems that allow managers to involve themselves directly in their partner's activities. For example, Web-based procurement portals allow suppliers and buyers to see one another's inventory needs as well as information on past performance. Similar virtual work spaces can be used to collaborate on product development.

VIEWS ON CONTROLS

To investigate controls over alliances, researchers asked CAEs and internal audit consultants a series of questions regarding the management of strategic partner networks as a whole and the management of individual partnerships. Specifically, CAEs had to identify and classify one critical partner and describe the risks and control mechanisms used to manage that relationship. The consultants, on the other hand, were asked to identify the type of partnership most familiar to them and their overall impressions of the specific risks and controls they have gained from their experiences with clients engaged in this type of partnership.

Both groups of respondents identified the formal control and risk frameworks currently used by their organization or clients. The largest percentage use the COSO Internal Control–Integrated Framework to evaluate their internal control system, while COSO ERM is the most commonly used risk framework. Eighteen percent of respondents report that their organization or clients lack a formal control framework, and approximately 10 percent say their organization or clients have not implemented a risk framework. CAEs and audit consultants rely equally on each of the four control levers, and half say they apply each lever moderately, suggesting that organizations are seeking a balance in their control practices. 

In general, respondents say their organization relies only moderately on written codes of conduct, regardless of the type of alliance — such codes are found less in R&D collaborations. Importantly, most respondents for each type of alliance admit that their organization depends heavily on trust between partners. However, in many cases, the specific control used differs depending on the type of strategic partnership.

Strategic Marketing Partners
Although most organizations with strategic marketing partners in the survey rely heavily on contract terms detailing specific payment conditions and delivery dates, participants involved in marketing partnerships place greater reliance on language dealing with property rights and a partner's failure to meet contract terms. Organizations engaged in marketing partnerships are also more likely to form formal profit-sharing arrangements such as joint ventures. Importantly, the choice of the joint venture form of organization is itself a control choice in which the partners rely on court systems and legal precedent to ensure that agreements are met. However, these legal protections have costs associated with the creation of a legal entity and the corresponding increased reporting requirements. The survey results suggest that for firms with marketing alliances, the control benefits of joint ventures are more likely to outweigh the costs.

Upstream and Downstream Partners
According to the survey, organizations engaged in strategic alliances with partners that supply raw materials or other products and services, as well as those companies whose partners assemble or distribute their products are more likely to have a formal review process during partner selection. However, those firms are less likely to depend on Statement on Auditing Standards (SAS) 70 reports — standardized reports indicating that a third-party organization has completed a thorough audit of its control activities — than firms engaged in other types of partnerships. Further, although organizations with downstream partners do not tend to use joint ventures as a means of controlling risk, they do emphasize accountability when it comes to selecting and managing their partners. Organizations with upstream partners rely less on the composition of the alliance management team, but they depend more on contract terms specifying cost-sharing arrangements than do other types of partnerships. 

R&D Partners
Many organizations surveyed perform periodic announced audits of their partners, but those engaged in R&D collaborations place more emphasis on unannounced audits. Companies with R&D partners do not depend on formal review processes for partner selection or contract terms specifying performance measurement. They also rely much less than other firms on contract terms related to dissolving their partnership.

SARBANES-OXLEY'S IMPACT

Researchers questioned participants about how their organization or clients have changed their control system to comply with Sarbanes-Oxley requirements. About half of CAEs and 57 percent of audit consultants indicate that their organization and clients have implemented new control systems over their strategic partners since the enactment of Sarbanes-Oxley. To ensure compliance, most organizations are invoking the right-to-audit clause of their original partnership contract and relying on their partners' controls to provide adequate protection. Respondents report that their organizations depend far more on SAS 70 reports in the wake of Sarbanes-Oxley; many did not require SAS 70s from partners before the law took effect. More than half of organizations surveyed now place a moderate to high reliance on SAS 70s compared to 25 percent before Sarbanes-Oxley took effect.

PARTNERSHIP RISKS AND CONTROLS ARE EVOLVING

As strategic alliances continue to be a dominant force in the global business community, their effective management and control is critical. As evidenced by the study, firms face a wide variety of risks when they engage in strategic alliances. Internal auditors are in a unique position, as risk and control experts, to evaluate strategic alliances before their formation, throughout their life cycle, and through their dissolution. Risk frameworks, such as COSO ERM, can aid internal auditors in these assessments. Effective risk management by way of a variety of complementary control mechanisms can increase the likelihood that an organization's strategic partnership will be successful and propel the organization toward achieving its goals. What constitutes effective risk management, however, is evolving as organizations focus increased attention on compliance with new regulations.

To comment on this article, e-mail the authors at shannon.anderson@theiia.org.

 


Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.

Name:

Email:

Subject:

Comment:

To make something bold:
<strong>Text to bold</strong>

To make something italic:
<em>Text to italicize</em>

To make a hyperlink:
<a href="URL">Text to link</a>

April 2012 IA Online Cover

CCH 2012-2

UCMC 2012 

 International Conference Boston 2012

 

GRC August 2012 

 

 Twitter 
 

facebook IAO 

IA APP