HEINEKEN’s Magne Setnes: Resiliency, Risk Management, and “The Swiss Army Knife” CSCO

The supply chain continues to be an ever-growing complex system that, just like precariously stacked dominoes, can be affected and disrupted by many things. Be it transportation breakdowns (the Suez Canal obstruction) or shortages of resources (the global chip shortage), the chances of something impacting a business’s supply chain system are rising in step with that complexity.

With the gaps within businesses’ supply chains now evident, especially in the wake of the pandemic, it is obvious that supply chain leaders and CSCOs will need to focus on resilience to overcome them.

As the Chief Supply Chain Officer for HEINEKEN, Magne Setnes shares with us his insights on why resiliency and financial understanding need to be the priority for organizations today and why being a “Swiss Army Knife” is necessary for a modern CSCO.


Prioritizing visibility, resiliency, and sustainability in the supply chain

The supply chain landscape has undergone massive change due to the pandemic, a majority of which had negative effects on many companies and businesses. These changes and disruptions have pushed many supply chain leaders to rethink the importance of visibility and resiliency within their organizations.

Setnes echoes these priorities in his role as CSCO for HEINEKEN, but at the same time, highlights the broader picture that other supply chain leaders will need to focus on for the future.

 

What are the priorities for organizations in facing disruptions? What key areas should supply chain leaders focus on for the future?

 

When it comes to disruption, very often you can make the mistake of thinking that once you deal with the disruption, it will go away. I am not so sure that is going to be the future moving forward and we are seeing now that disruptions are staying longer than expected. As we move into the future, we will see more of these disruptions.

So, you must create a resilient supply chain, which is good advice for the future. And there are other areas that your organization needs to be very aware of, such as the various tiers in the supply chain. It’s not enough to just look one tier downstream or upstream. As a CSCO, you need to start looking at, for instance, your supplier’s supplier and try to understand how all of your supply chain system works.

Of course, to operate on that level, you will need to have more visibility in your supply chain. I see many companies, including ourselves, working hard on creating better insights and visibility, both upstream and downstream, in addition to working on other areas like scenario planning and forecasting consumers’ and customers’ needs.

Another one that is also on the table of supply chain officers around the world is the whole impact on the environment and how it impacts us. Sustainability and social responsibility are very much something that will impact more in the supply chain and might lead to some disruption. 

For instance, the availability of certain raw materials and how they are not sustainably supplied can lead to disruption. Your supply chain needs to pursue sustainability and achieve the goal of being a sustainable company.

 

Tackling supply chain risk management and initiating change in operating models

The supply chain is the fuel that keeps the engine moving for all things retail and manufacturing. Take that out, and you have no product, no inventory, and no revenue. When faced with disruptions to the supply chain, retailers and manufacturers are often scrambling to get everything in order.

Based on a survey conducted by Gartner in 2020, only 21% of respondents have built a highly resilient network, which is less than ideal. Setnes highlights the need for having proper risk management strategies and operating models that can help supply chain leaders get ahead of those risk factors. 

 

How should CSCOs strategize their approach in achieving good risk management? What aspects should they focus on?

 

We have a well-regulated and governed risk management process in the company as a whole. But when it comes to strategizing risk management, our approach is to, as a company across all functions, get together and identify what the biggest risks are and make sure we create a picture of success.

I think that it is important to create a picture of success, work your way back from that, and in this way create a plan on how to get there. Of course, this is not an easy task, and quite a lot of work goes into this, but it is also very helpful for organizations as it shows you the things that you need to get done and what you need to get organized in your supply chain or your value chain. 

In managing this, scenario planning becomes very important: to create ideas and consider, “What if this happened, or if that happens?”, and to develop scenarios in order to activate solutions when something does happen. In reality, of course, the scenario you plan for is not exactly going to be what’s happening; however, it brings that mindset of being ready and creating some resilience in your supply chain.

Another important aspect is to look at and understand the financials of your value chain: to get away a little bit from averages, to understand not only the average performance but also that of certain product lines. That way, when a disruption happens or if you experience a big shift from the consumers, you understand how it is going to impact you financially as well.

Last but not least, having a pulse on customers and consumers is very, very important. 

 

What are the challenges and approaches for CSCOs in initiating change within their supply chain operating models?

 

I think many supply chain officers have to deal with the fact that, in the leadership of the companies where they participate, conversations are very often commercially oriented. 

But the supply chain is a collective of small pieces and it can be difficult to convey changes in supply chain operating models in a way that is easy to grasp. You change something here and several tiers further something else changes and this is not always straightforward to work with.

So, having a clear understanding of all your product lines, understanding where the costs are, and where your bottlenecks and difficulties are, are key factors in the decision-making process at the company level as they directly relate to the financial or sustainability outcome of your company.

Typically, when you have a certain product, it will have a product owner, maybe a marketeer who will eventually own a product line. And if you want to make changes, if you cannot illustrate the true impact of the change in terms of sustainability, financials, or customer appreciation, it’s going to be very difficult to have that discussion.

Having that value chain view will be key in these types of decision-making processes and in initiating change. 

And in the past, we were driven by KPIs that were typically about efficiency, productivity, and availability. However, you have to add the financial and sustainability impact and I think CSCOs are finding themselves having more and more conversations with their commercial and financial colleagues to further strengthen the understanding of the value chain as a whole.

 

Equipping the Right Tools and Traits for the Modern CSCO

The unprecedented disruptions organizations faced in recent years have shown the importance of the chief supply chain officer in encouraging supply chain sustainability and resilience. This newfound importance and influence the role has on the rest of the C-suite and the entire organization means CSCOs must equip themselves with the right tools for the future.

However, Setnes points out that the necessary traits that the modern CSCO must be equipped with are often not so clear-cut. Rather, it’s about being a “Swiss Army Knife” of sorts where they need to use the right tool in the right situation.

 

Are there necessary traits that CSCOs need to be equipped with within today’s post-pandemic landscape?

 

I think it very much relates to the company or the culture in the company and how they are organized. The supply chain has always required deep expertise and you still need core competencies, whether it’s in technology, logistic management, or business.

So, the core competencies are still very much needed but now, you need to be much wider because the supply chain is an end-to-end game, not just a department in a company. It’s a process that runs from one end to the other end of your entire value chain. A process supported by digital tools, to deliver financial results, customer satisfaction, and overcome the sustainability challenge we all face.

Because of that, the future supply chain officer will need to be more oriented towards understanding the dynamics of their entire value chain and also be well-equipped in terms of customers, consumers, digital and financial understanding. So you can talk with marketeers and commercial colleagues just as easily as with the IT and finance departments. Last, but not least, is the whole dimension of sustainability. 

CSCOs today are becoming broader and broader in their orientation. And while you cannot have deep knowledge of everything, you need to have good core competencies from which you can build your “umbrella”. We are like the Swiss Army Knife. The most used tool might differ a little bit from industry to industry, company to company, but in general, the Swiss Army Knife is becoming bigger.

Sofia van Berlekom: Why Risk Management and Business Continuity Must Exist Together

The last 18 months have been synonymous with risk and uncertainty. More organizations are pushing risk management initiatives to the top of their agenda to prepare for unprecedented threats in the new world of work.  

In this article, we share highlights from our conversation with Sofia van Berlekom, Risk, Business Continuity and Compliance Director at AstraZeneca Sweden Operations, on emerging risk & compliance trends, effective risk & compliance communication, and the importance of risk management in business continuity.

 

Risk as a Vital Process in Business Continuity 

An effective risk management system not only protects an organization, but helps in recognizing new market opportunities. According to van Berlekom, “The pandemic has taught us that we have a lot of common risks and compliances regardless of business sector. But there are opportunities as well, not just risk and compliance issues that have emerged.”  

Risk management is one of the most vital processes a company can undertake, allowing it to be prepared and to mitigate whatever it can in a proper fashion. “Business continuity and risk are linked from a risk perspective, and you know what to focus on, as resources never are unlimited,” van Berlekom says. When it comes to allocation of resources, she stresses that “it’s also about priorities, and not wasting resources on something that is not needed.”

A high level of organizational flexibility is needed for viable business continuity, especially in the wake of a global health crisis. “With the pandemic hitting hard, it was important to be agile and be able to think differently,” van Berlekom says. 

 

Communication Challenges in the Risk Space 

NAVEX Global predicts a rise in Chief Risk Officer (CRO) or Chief Risk and Compliance Officer (CRCO) appointments in the next few years. More organizations will have a more holistic risk management strategy, integrating compliance, IT, operational, reputational, third-party, and ESG practices. The success of this rests heavily on effective communication and van Berlekom says it’s much broader than the 3LoD.  

“Communication around risk is difficult because it’s a specialized area. It’s also an area which is very general and generalized in the everyday life of people.” There is difficulty speaking the right language that can be understood company-wide. “It’s quite easy to get people confused when you’re talking about business risks compared to the general risks people encounter in their everyday life,” van Berlekom states.

“Risk & compliance managers on all levels need to practice good oversight without getting lost in the details,” van Berlekom adds. In risk management, a big communication challenge is to find that balance and ensure employees understand “what they can do and what they are obliged to do.” At AstraZeneca, risk identification and risk discussions are incorporated into the tier structure. Regular meetings are held where questions such as “Has anybody seen any risks?” and “Are there any risks that should be mitigated?” are commonplace. Risk awareness at all levels of an organization will improve decision-making and support a culture of innovation.

 

Effective Digital Tools in Risk & Compliance  

The shift towards cloud technology has resulted in an exponential increase in data. There is a high demand for trusted data for compliance purposes in addition to real-time data to deal with unexpected events. Therefore, companies need to have a good grasp of technologies that can help them understand and interpret important data about potential risks. Another use of digital tools in the risk space is to increase transparency, according to van Berlekom. 

Here are the top technologies used in risk & compliance: 

  • Robotic process automation (RPA) is helpful in automating rules-based GRC processes. With RPA, all business tasks can be managed through a single device, effectively facilitating compliance.  
  • Advanced data analytics in risk data management is useful for predicting, measuring and reducing risk. 
  • AI and its subsets — machine learning and natural language processing — can be applied to large data sets to help find indicators of known and unknown risks.
 

Risk & Compliance in 2022

“The digital world presents a lot of threats such as cyber threats and information threats,” van Berlekom says. It is no secret that the remote working environment brought IT risks such as data breaches, policy violations, audit failures, and third-party risk to the GRC space.

Therefore, it makes sense that cybersecurity is now woven into an organization’s risk management strategy. “At AstraZeneca, digital threats and cyber threats are a part of our risk landscape. We also have the IT department connected to the global operations network, which means that it is a natural part of the risk discussion,” van Berlekom states.

In addition, van Berlekom says that the effects of the global political landscape should not be underestimated, as they can impact an organization’s operations and value chain. Moving forward, companies must be aware of the latest developments in today’s geopolitical environment and the possible regulations and enforcements that will follow. Risk & compliance officers must also extend their expertise to supply chain teams to build a strong supplier risk management strategy.  

 

Risk management professionals will play a key role in creating future-proof business continuity plans alongside C-level peers. As workplaces continue to evolve, risk & compliance initiatives will remain a priority as organizations find new and innovative ways to do business. 

Magnus Solberg: Does Your Organization Have a Robust Security Culture?

Hybrid work models and digital device dependency have greatly increased an organization’s susceptibility to cyber attacks. As these attacks become more intense and complex, cyber resilience and awareness are critical. We speak with Magnus Solberg, VP & Head of Security Governance at Storebrand, on his experience building the company’s security culture, the link between cybersecurity and risk management, and more. 

 

How are cybersecurity and risk management connected in today’s organizations? 

Cybersecurity and risk management are at this point deeply intertwined. In almost every industry, cyber risk is in the top three categories of both operational and business risks. This is because nearly all critical assets are now digital. Of course, this leads to an enormous number of risks that an organization didn’t have 20 years ago.  

Unfortunately, the sheer speed of this development has caused difficulties for a lot of organizations. This goes down to simple things like definitions of risk, and of static policies and processes. Many governance structures are not rigged for disruptive change, such as “new categories of threats and risks.” I think that anchoring the understanding and competence necessary to include cyber in broader risk management is also a challenge. Beyond tech companies, it’s a fact that the board of directors and to a certain extent, C-suites, do not include technologists, which slows down the adoption of modern risk management. Cybersecurity and risk management are very connected but there is still a long way to go to make them as connected as they should be. 

 

What makes for a robust risk culture beyond the traditional 3LoD? 

As I see it, organizations often put too much emphasis on having a formal three-part structure of control and reassurance, and far too little emphasis on building an actual culture that identifies and steers risk as part of its DNA. Of course, building a strong culture of security – and implicitly, a risk culture – means including all employees, from the CEO to the bottom-rung shift worker, from the service partner to the short-term consultant. Including all the human risks and employees is key to making an actual risk-based culture.

You need to really engage the human factor by having a bottom-up approach that enables your employees to think and act in a risk-based approach as a reflex. This can be done by teaching them about threats and potential consequences by training them to perform not only ad hoc, subconscious risk assessments, but also give them the tools to perform more structured and documented assessments – mental tools as well as strong policies and guidelines, and the proper software tools. In my opinion, building a robust security culture is both dependent on and a fundamental ingredient of building a robust risk culture.

 

What are the most effective digital tools and technologies in risk management? 

Can I answer PowerPoint and Excel? Or even the good old whiteboard? [laughs] Of course, I’m only partly joking because I think the biggest revolution in the last couple of years has been the way home officing has exploded the way we utilize collaboration platforms. At the same time, these platforms were forced to provide more robust solutions for things like proper access control, document or file revision history, classification, and of course, API connectivity to other tools. This means that we can get a lot of what we need in terms of managing risks.  

Workshops, creating assessments, performing audits, and even tracking remediation can be done via these platforms. We can use everything from OneNote to the tired but time-tested spreadsheets without losing control because it’s all protected, indexed, and searchable. That being said, I still see the need for a proper enterprise risk management tool that tracks risks, makes people accountable and responsible and of course, pleases our auditors. Exactly which technological solution or which software that should be, I don’t really have any strong opinions about but there are a lot of good ERM tools out there. 

 

Do you think employees are the weakest link when it comes to an organization’s level of cybersecurity? 

It’s irrefutable, but it’s the wrong way of looking at it. People are not a simple chain in a link; people are at the nexus of it all. The only reason why we have cybersecurity issues is that there are people out there who are after either stealing, changing, or making information unavailable. No company was ever created simply to be secure: we exist to create services or products for people, and there are people out there who want to benefit illegally from that. Some experts like to say that people are the weakest link, but so is technology. People are the ones configuring that technology or using that technology wrong. Some even have the hubris of buying their way into security, which is equally a weak link. I think putting the blame on people for poor security is misunderstanding the issue completely. You can’t have security without people. But then again, because of people, we need security.

 

What were the biggest challenges during the implementation of Storebrand’s security culture program and how did you overcome them?   

We’ve been at it for six years and we started very much from scratch. When we started, there was nothing in terms of security awareness training, much less a security culture program. There were several challenges that had to do with mid-management buy-in. Although we did have support from the top management, we were also not given an adequate budget or allowed to make the training portion of the program mandatory. The latter made it especially hard to motivate our mid-level managers to introduce this training to their employees. Mid-level management is all about delivering results and eating up their time and resources does not land you on their friend list.  

So, it did take a lot of time and dedication to make them understand that a secure employee is a low-risk employee. As soon as we reached that turning point, it was immensely satisfying, because mid-level managers are key to enhancing the security message to all their employees. But they’re also an important target group, constituting human risks in themselves. As time went on, we could point to concrete results including the avoidance of huge risks due to more risk-aware workers. We finally received an unbroken chain of buy-in all the way from the top and down via the mid-level managers. That ended up landing us a nice budget and made training mandatory. 

 

How did you develop the program’s framework to ensure it was dynamic enough to handle the evolving threat landscape?  

The framework we developed is in its essence, dynamic, and scalable because it’s all about answering five fundamental questions: Why are we going to do this? Who are we? What do we need to address? How should we go about doing that, and When should we do it?  

In order to answer these questions, we revise and update a number of working documents. For example, we have a program strategy, a target group analysis, and learning objectives based on the current threat and risk landscape. We then test out a lot of different learning platforms and other engagement activities. This is done continuously to allow for emerging risks to be included almost instantly. However, we also do it more formally once every two years, where we do a full audit and revision of the whole program. We’re actually in the middle of doing a full revamp and plan to launch a new version of the program next summer.  

 

How do you measure the program’s success? 

We use a lot of different metrics to measure success and have KPIs linked to distribution, which measures how many employees we reach and how many complete various parts of the training. We have KPIs linked to knowledge where we can see if an employee received and internalized the message. Finally, there are KPIs related to behavior — this allows us to see if training has actually changed risky behavioral patterns.  

Additionally, we perform a group-wide security culture audit every two years performed by our internal audit, who, among other things, performs a comprehensive self-assessment that is sent to all employees. With this independent report, we get a clear picture of how we fare with security culture and whether the success of the program addresses our current needs.  

Our most recent group-wide security culture audit was completed in January this year, the third one we’ve had in six years. That means we can now begin to accumulate historical data that shows encouraging results. Yes, our employees are more competent, more motivated, and a lot more risk-aware than they were before the program started.  

Finally, another measure of success is a bit more qualitative. It has to do with how the program itself has been received. We do gain a lot of positive attention from both regular employees as well as the high reps. And even externally: My team and I do presentations at various conferences, and for other companies as well, just to share how we have “cracked the human code.” 

 

Can you share some current highlights of the program?    

Yeah, absolutely. As I mentioned earlier, we are in the middle of our biannual revamp. I think one of the best things about maturing the program is its correspondence with the maturing of the organization. We now have various security tools on the technology side that help us create more individually tailored training programs. For example, every employee is given a security score, which is automatically defined by their actions — whether they fall for phishing assessments, whether they are reporting incidents, and so on. This also paves the way for rudimentary gamification, and it will be quite fun to see how we can implement that.

Secondly, I’ll have to highlight our security month. This is something we’ve been doing for six years, and it’s been one of the most important boosts to communicate risk and security, and by extension, the security culture program itself. Every October, we skip the focus on corporate security and put the focus on each person instead: “Why is security important for you and your loved ones?” We pull in external speakers every week to address some common personal security problems, such as social media, digital tracking and manipulation, and fake news. We also have weekly security quizzes that are a bit tongue in cheek as well as having great prizes. We do hackathons, we do cool stunts such as “hack yourself” competitions, and we do physical stands with security cupcakes. It’s a lot of work, but very fun.

One of our goals is to make our employees more secure at home, which means they are going to be more secure at work. But also, it has to do with simply marketing our security efforts by getting out there and meeting people. It makes security, if not fun, then at least interesting, because for a lot of people security is boring, or they think it has nothing to do with them.  

On a personal note, I felt we were getting somewhere a couple of years ago when I was invited to do a three-hour workshop on building our security culture program at the security conference in the EU parliament in Strasbourg. Knowing that we built something that works and helping other organizations do the same makes me very happy and fulfilled.

 

*The answers have been edited for length and clarity.