Enterprise Risk Management Case Studies: Heroes and Zeros

By Andy Marker | April 7, 2021

We’ve compiled more than 20 case studies of enterprise risk management programs that illustrate how companies can prevent significant losses yet take risks with more confidence.   

Included on this page, you’ll find case studies and examples by industry, case studies of major risk scenarios (and company responses), and examples of ERM successes and failures.

Enterprise Risk Management Examples and Case Studies

With enterprise risk management (ERM), companies assess potential risks that could derail strategic objectives and implement measures to minimize or avoid those risks. You can analyze examples (or case studies) of enterprise risk management to better understand the concept and how to properly execute it.

The collection of examples and case studies on this page illustrates common risk management scenarios by industry, principle, and degree of success. For a basic overview of enterprise risk management, including major types of risks, how to develop policies, and how to identify key risk indicators (KRIs), read “Enterprise Risk Management 101: Programs, Frameworks, and Advice from Experts.”

Enterprise Risk Management Framework Examples

An enterprise risk management framework is a system by which you assess and mitigate potential risks. The framework varies by industry, but most include roles and responsibilities, a methodology for risk identification, a risk appetite statement, risk prioritization, mitigation strategies, and monitoring and reporting.

To learn more about enterprise risk management and find examples of different frameworks, read our “Ultimate Guide to Enterprise Risk Management.”

Enterprise Risk Management Examples and Case Studies by Industry

Though every firm faces unique risks, those in the same industry often share similar risks. By understanding industry-wide common risks, you can create and implement response plans that offer your firm a competitive advantage.

Enterprise Risk Management Example in Banking

Toronto-headquartered TD Bank organizes its risk management around two pillars: a risk management framework and risk appetite statement. The enterprise risk framework defines the risks the bank faces and lays out risk management practices to identify, assess, and control risk. The risk appetite statement outlines the bank’s willingness to take on risk to achieve its growth objectives. Both pillars are overseen by the risk committee of the company’s board of directors.  

Risk management frameworks were an important part of the International Organization for Standardization’s 31000 standard when it was first written in 2009 and have been updated since then. The standards provide universal guidelines for risk management programs.  

Risk management frameworks also resulted from the efforts of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The group was formed to fight corporate fraud and included risk management as a dimension. 

Once TD completes the ERM framework, the bank moves on to the risk appetite statement.

The bank, which built a large U.S. presence through major acquisitions, determined that it will only take on risks that meet the following three criteria:

  • The risk fits the company’s strategy, and TD can understand and manage those risks. 
  • The risk does not render the bank vulnerable to significant loss from a single risk.
  • The risk does not expose the company to potential harm to its brand and reputation. 

Some of the major risks the bank faces include strategic risk, credit risk, market risk, liquidity risk, operational risk, insurance risk, capital adequacy risk, regulator risk, and reputation risk. Managers detail these categories in a risk inventory. 

The risk framework and appetite statement, which are tracked on a dashboard against metrics such as capital adequacy and credit risk, are reviewed annually. 

TD uses a three lines of defense (3LOD) strategy, an approach widely favored by ERM experts, to guard against risk. The three lines are as follows:

  • A business unit and corporate policies that create controls, as well as manage and monitor risk
  • Standards and governance that provide oversight and review of risks and compliance with the risk appetite and framework 
  • Internal audits that provide independent checks and verification that risk-management procedures are effective

Enterprise Risk Management Example in Pharmaceuticals

Drug companies’ risks include threats around product quality and safety, regulatory action, and consumer trust. To avoid these risks, ERM experts emphasize the importance of making sure that strategic goals do not conflict. 

For Britain’s GlaxoSmithKline, such a conflict led to a breakdown in risk management, among other issues. In the early 2000s, the company was striving to increase sales and profitability while also ensuring safe and effective medicines. One risk the company faced was a failure to meet current good manufacturing practices (CGMP) at its plant in Cidra, Puerto Rico. 

CGMP includes implementing oversight and controls of manufacturing, as well as managing the risk and confirming the safety of raw materials and finished drug products. Noncompliance with CGMP can result in escalating consequences, ranging from warnings to recalls to criminal prosecution. 

GSK’s unit pleaded guilty and paid $750 million in 2010 to resolve U.S. charges related to drugs made at the Cidra plant, which the company later closed. A fired GSK quality manager alerted regulators and filed a whistleblower lawsuit in 2004. In announcing the consent decree, the U.S. Department of Justice said the plant had a history of bacterial contamination and multiple drugs created there in the early 2000s violated safety standards.

According to the whistleblower, GSK’s ERM process failed in several respects to act on signs of non-compliance with CGMP. The company received warning letters from the U.S. Food and Drug Administration in 2001 about the plant’s practices, but did not resolve the issues. 

Additionally, the company didn’t act on the quality manager’s compliance report, which advised GSK to close the plant for two weeks to fix the problems and notify the FDA. According to court filings, plant staff merely skimmed rejected products and sold them on the black market. They also scraped by hand the inside of an antibiotic tank to get more product and, in so doing, introduced bacteria into the product.

Enterprise Risk Management Example in Consumer Packaged Goods

Mars Inc., an international candy and food company, developed an ERM process. The company piloted and deployed the initiative through workshops with geographic, product, and functional teams from 2003 to 2012. 

Driven by a desire to frame risk as an opportunity and to work within the company’s decentralized structure, Mars created a process that asked participants to identify potential risks and vote on which had the highest probability. The teams listed risk mitigation steps, then ranked and color-coded them according to probability of success. 

Larry Warner, a Mars risk officer at the time, illustrated this process in a case study. An initiative to increase direct-to-consumer shipments by 12 percent was colored green, indicating a 75 percent or greater probability of achievement. The initiative to bring a new plant online by the end of Q3 was coded red, meaning less than a 50 percent probability of success.

The company’s results were hurt by a surprise at an operating unit that resulted from a risk coded red in a unit workshop. Executives had agreed that some red risk profile was to be expected, but they decided that when a unit encountered a red issue, it must be communicated upward when first identified. This became a rule.

This process led to the creation of an ERM dashboard that listed initiatives in priority order, with the profile of each risk faced in the quarter, the risk profile trend, and a comment column for a year-end view. 

According to Warner, the key factors of success for ERM at Mars are as follows:

  • The initiative focused on achieving operational and strategic objectives rather than compliance, which refers to adhering to established rules and regulations.
  • The program evolved, often based on requests from business units, and incorporated continuous improvement. 
  • The ERM team did not overpromise. It set realistic objectives.
  • The ERM team periodically surveyed business units, management teams, and board advisers.

Enterprise Risk Management Example in Retail

Walmart is the world’s biggest retailer. As such, the company understands that its risk makeup is complex, given the geographic spread of its operations and its large number of stores, vast supply chain, and high profile as an employer and buyer of goods. 

In the 1990s, the company sought a simplified strategy for assessing risk and created an enterprise risk management plan with five steps founded on these four questions:

  • What are the risks?
  • What are we going to do about them?
  • How will we know if we are raising or decreasing risk?
  • How will we show shareholder value?

The process follows these five steps:

  • Risk Identification: Senior Walmart leaders meet in workshops to identify risks, which are then plotted on a graph of probability vs. impact. Doing so helps to prioritize the biggest risks. The executives then look at seven risk categories (both internal and external): legal/regulatory, political, business environment, strategic, operational, financial, and integrity. Many ERM pros use risk registers to evaluate and determine the priority of risks. You can download templates that help correlate risk probability and potential impact in “Free Risk Register Templates.”
  • Risk Mitigation: Teams that include operational staff in the relevant area meet. They use existing inventory procedures to address the risks and determine if the procedures are effective.
  • Action Planning: A project team identifies and implements next steps over the several months to follow.
  • Performance Metrics: The group develops metrics to measure the impact of the changes. They also look at trends of actual performance compared to goal over time.
  • Return on Investment and Shareholder Value: In this step, the group assesses the changes’ impact on sales and expenses to determine if the moves improved shareholder value and ROI.

To develop your own risk management planning, you can download a customizable template in “Risk Management Plan Templates.”

Enterprise Risk Management Example in Agriculture

United Grain Growers (UGG), a Canadian grain distributor that now is part of Glencore Ltd., was hailed as an ERM innovator and became the subject of business school case studies for its enterprise risk management program. This initiative addressed the risks associated with weather for its business. Crop volume drove UGG’s revenue and profits. 

In the late 1990s, UGG identified its major unaddressed risks. Using almost a century of data, risk analysts found that extreme weather events occurred 10 times as frequently as previously believed. The company worked with its insurance broker and the Swiss Re Group on a solution that added grain-volume risk (resulting from weather fluctuations) to its other insured risks, such as property and liability, in an integrated program. 

The result was insurance that protected grain-handling earnings, which comprised half of UGG’s gross profits. The greater financial stability significantly enhanced the firm’s ability to achieve its strategic objectives. 

Since then, the number and types of instruments to manage weather-related risks have multiplied rapidly. For example, over-the-counter derivatives, such as futures and options, began trading in 1997. The Chicago Mercantile Exchange now offers weather futures contracts on 12 U.S. and international cities.

Weather derivatives are linked to climate factors such as rainfall or temperature, and they hedge different kinds of risks than does insurance. These risks are much more common (e.g., a cooler-than-normal summer) than the earthquakes and floods that insurance typically covers. And the holders of derivatives do not have to incur any damage to collect on them.

These weather-linked instruments have found a wider audience than anticipated, including retailers that worry about freak storms decimating Christmas sales, amusement park operators fearing rainy summers will keep crowds away, and energy companies needing to hedge demand for heating and cooling.

This area of ERM continues to evolve because weather and crop insurance are not enough to address all the risks that agriculture faces. Arbol, Inc. estimates that more than $1 trillion of agricultural risk is uninsured. As such, it is launching a blockchain-based platform that offers contracts (customized by location and risk parameters) with payouts based on weather data. These contracts can cover risks associated with niche crops and small growing areas.

Enterprise Risk Management Example in Insurance

Switzerland’s Zurich Insurance Group understands that risk is inherent for insurers and seeks to practice disciplined risk-taking, within a predetermined risk tolerance. 

The global insurer’s enterprise risk management framework aims to protect capital, liquidity, earnings, and reputation. Governance serves as the basis for risk management, and the framework lays out responsibilities for taking, managing, monitoring, and reporting risks. 

The company uses a proprietary process called Total Risk Profiling (TRP) to monitor internal and external risks to its strategy and financial plan. TRP assesses risk on the basis of severity and probability, and helps define and implement mitigating moves. 

Zurich’s risk appetite sets parameters for its tolerance within the goal of maintaining enough capital to achieve an AA rating from rating agencies. For this, the company uses its own Zurich economic capital model, referred to as Z-ECM. The model quantifies risk tolerance with a metric that assesses risk profile vs. risk tolerance. 

To maintain the AA rating, the company aims to hold capital between 100 and 120 percent of capital at risk. Above 140 percent is considered overcapitalized (therefore at risk of throttling growth), and under 90 percent is below risk tolerance (meaning the risk is too high). On either side of 100 to 120 percent (90 to 100 percent and 120 to 140 percent), the insurer considers taking mitigating action. 

Zurich’s assessment of risk and the nature of those risks play a major role in determining how much capital regulators require the business to hold. A popular tool to assess risk is the risk matrix, and you can find a variety of templates in “Free, Customizable Risk Matrix Templates.”

In 2020, Zurich found that its biggest exposures were market risk, such as falling asset valuations and interest-rate risk; insurance risk, such as big payouts for covered customer losses, which it hedges through diversification and reinsurance; credit risk in assets it holds and receivables; and operational risks, such as internal process failures and external fraud.

Enterprise Risk Management Example in Technology

Financial software maker Intuit has strengthened its enterprise risk management through evolution, according to a case study by former Chief Risk Officer Janet Nasburg. 

The program is founded on the following five core principles:

  • Use a common risk framework across the enterprise.
  • Assess risks on an ongoing basis.
  • Focus on the most important risks.
  • Clearly define accountability for risk management.
  • Commit to continuous improvement of performance measurement and monitoring. 

ERM programs grow according to a maturity model, and as capability rises, the shareholder value from risk management becomes more visible and important. 

The maturity phases include the following:

  • Ad hoc risk management addresses a specific problem when it arises.
  • Targeted or initial risk management approaches risks with multiple understandings of what constitutes risk, and management occurs in silos.
  • Integrated or repeatable risk management puts in place an organization-wide framework for risk assessment and response. 
  • Intelligent or managed risk management coordinates risk management across the business, using common tools. 
  • Risk leadership incorporates risk management into strategic decision-making. 

Intuit emphasizes using key risk indicators (KRIs) to understand risks, along with key performance indicators (KPIs) to gauge the effectiveness of risk management. 

Early in its ERM journey, Intuit measured performance on risk management process participation and risk assessment impact. For participation, the targeted rate was 80 percent of executive management and business-line leaders. This helped benchmark risk awareness and current risk management, at a time when ERM at the company was not mature.

Conduct an annual risk assessment at corporate and business-line levels to plot risks, so the most likely and most impactful risks are graphed in the upper-right quadrant. Doing so focuses attention on these risks and helps business leaders understand the risk’s impact on performance toward strategic objectives. 

In the company’s second phase of ERM, Intuit turned its attention to building risk management capacity and sought to ensure that risk management activities addressed the most important risks. The company evaluated performance using color-coded status symbols (red, yellow, green) to indicate risk trend and progress on risk mitigation measures.

In its third phase, Intuit moved to actively monitoring the most important risks and ensuring that leaders modified their strategies to manage risks and take advantage of opportunities. An executive dashboard uses KRIs, KPIs, an overall risk rating, and red-yellow-green coding. The board of directors regularly reviews this dashboard.

Over this evolution, the company has moved from narrow, tactical risk management to holistic, strategic, and long-term ERM.

Enterprise Risk Management Case Studies by Principle

ERM veterans agree that in addition to KPIs and KRIs, other principles are equally important to follow. Below, you’ll find examples of enterprise risk management programs by principles.

ERM Principle #1: Make Sure Your Program Aligns with Your Values

Raytheon Case Study

U.S. defense contractor Raytheon states that its highest priority is delivering on its commitment to provide ethical business practices and abide by anti-corruption laws.

Raytheon backs up this statement through its ERM program. Among other measures, the company performs an annual risk assessment for each function, including the anti-corruption group under the Chief Ethics and Compliance Officer. In addition, Raytheon asks 70 of its sites to perform an anti-corruption self-assessment each year to identify gaps and risks. From there, a compliance team tracks improvement actions. 

Every quarter, the company surveys 600 staff members who may face higher anti-corruption risks, such as the potential for bribes. The survey asks them to report any potential issues in the past quarter.

Also on a quarterly basis, the finance and internal controls teams review higher-risk profile payments, such as donations and gratuities, to confirm accuracy and compliance. Oversight and compliance teams add other checks, and they update a risk-based audit plan continuously.

ERM Principle #2: Embrace Diversity to Reduce Risk

State Street Global Advisors Case Study

In 2016, the asset management firm State Street Global Advisors introduced measures to increase gender diversity in its leadership as a way of reducing portfolio risk, among other goals.

The company relied on research that showed that companies with more women senior managers had a better return on equity, reduced volatility, and fewer governance problems such as corruption and fraud. 

Among the initiatives was a campaign to influence companies where State Street had invested, in order to increase female membership on their boards. State Street also developed an investment product that tracks the performance of companies with the highest level of senior female leadership relative to peers in their sector. 

In 2020, the company announced some of the results of its effort. Among the 1,384 companies targeted by the firm, 681 added at least one female director.

ERM Principle #3: Do Not Overlook Resource Risks

Infosys Case Study

India-based technology consulting company Infosys, which employs more than 240,000 people, has long recognized the risk of water shortages to its operations.

India’s rapidly growing population and development have increased the risk of water scarcity. A 2020 report by the World Wide Fund for Nature said 30 cities in India faced the risk of severe water scarcity over the next three decades.

Infosys has dozens of facilities in India and considers water to be a significant short-term risk. At its campuses, the company uses the water for cooking, drinking, cleaning, restrooms, landscaping, and cooling. Water shortages could halt Infosys operations and prevent it from completing customer projects and reaching its performance objectives. 

In an enterprise risk assessment example, Infosys’ ERM team conducts corporate water-risk assessments while sustainability teams produce detailed water-risk assessments for individual locations, according to a report by the World Business Council for Sustainable Development.

The company uses the COSO ERM framework to respond to the risks and decide whether to accept, avoid, reduce, or share these risks. The company uses root-cause analysis (which focuses on identifying underlying causes rather than symptoms) and the site assessments to plan steps to reduce risks. 

Infosys has implemented various water conservation measures, such as water-efficient fixtures and water recycling, rainwater collection and use, recharging aquifers, underground reservoirs to hold five days of water supply at locations, and smart-meter usage monitoring. Infosys’ ERM team tracks metrics for per-capita water consumption, along with rainfall data, availability and cost of water by tanker trucks, and water usage from external suppliers. 

In the 2020 fiscal year, the company reported a nearly 64 percent drop in per-capita water consumption by its workforce from the 2008 fiscal year. 

The business advantages of this risk management include an ability to open locations where water shortages may preclude competitors, and being able to maintain operations during water scarcity, protecting profitability.

ERM Principle #4: Fight Silos for Stronger Enterprise Risk Management

U.S. Government Case Study

The terrorist attacks of September 11, 2001, revealed that the U.S. government’s then-current approach to managing intelligence was not adequate to address the threats, and, by extension, neither was the government’s risk management procedure. Since the Cold War, sensitive information had been managed on a “need to know” basis that resulted in data silos.

In the case of 9/11, this meant that different parts of the government knew some relevant intelligence that could have helped prevent the attacks. But no one had the opportunity to put the information together and see the whole picture. A congressional commission determined there were 10 lost operational opportunities to derail the plot. Silos existed between law enforcement and intelligence, as well as between and within agencies. 

After the attacks, the government moved toward greater information sharing and collaboration. Based on a task force’s recommendations, data moved from a centralized network to a distributed model, and social networking tools now allow colleagues throughout the government to connect. Staff began working across agency lines more often.

Enterprise Risk Management Examples by Scenario

While some scenarios are too unlikely to receive high-priority status, low-probability risks are still worth running through the ERM process. Robust risk management creates a culture and response capacity that better positions a company to deal with a crisis.

In the following enterprise risk examples, you will find scenarios and details of how organizations manage the risks they face.

Scenario: ERM and the Global Pandemic

While most businesses do not have the resources to do in-depth ERM planning for the rare occurrence of a global pandemic, companies with a risk-aware culture will be at an advantage if a pandemic does hit.

These businesses already have processes in place to escalate trouble signs for immediate attention and an ERM team or leader monitoring the threat environment. A strong ERM function gives clear and effective guidance that helps the company respond.

A report by Vodafone found that companies identified as “future ready” fared better in the COVID-19 pandemic. The attributes of future-ready businesses have a lot in common with those of companies that excel at ERM. These include viewing change as an opportunity; having detailed business strategies that are documented, funded, and measured; working to understand the forces that shape their environments; having roadmaps in place for technological transformation; and being able to react more quickly than competitors. 

Only about 20 percent of companies in the Vodafone study met the definition of “future ready.” But 54 percent of these firms had a fully developed and tested business continuity plan, compared to 30 percent of all businesses. And 82 percent felt their continuity plans worked well during the COVID-19 crisis. Nearly 50 percent of all businesses reported decreased profits, while 30 percent of future-ready organizations saw profits rise. 

Scenario: ERM and the Economic Crisis

The 2008 economic crisis in the United States resulted from the domino effect of rising interest rates, a collapse in housing prices, and a dramatic increase in foreclosures among mortgage borrowers with poor creditworthiness. This led to bank failures, a credit crunch, and layoffs, and the U.S. government had to rescue banks and other financial institutions to stabilize the financial system.

Some commentators said these events revealed the shortcomings of ERM because it did not prevent the banks’ mistakes or collapse. But Sim Segal, an ERM consultant and director of Columbia University’s ERM master’s degree program, analyzed how banks performed on 10 key ERM criteria. 

Segal says a risk-management program that incorporates all 10 criteria has these characteristics: 

  • Risk management has an enterprise-wide scope.
  • The program includes all risk categories: financial, operational, and strategic. 
  • The focus is on the most important risks, not all possible risks. 
  • Risk management is integrated across risk types.
  • Aggregated metrics show risk exposure and appetite across the enterprise.
  • Risk management incorporates decision-making, not just reporting.
  • The effort balances risk and return management.
  • There is a process for disclosure of risk.
  • The program measures risk in terms of potential impact on company value.
  • The focus of risk management is on the primary stakeholder, such as shareholders, rather than regulators or rating agencies.

In his book Corporate Value of Enterprise Risk Management, Segal concluded that most banks did not actually use ERM practices, which contributed to the financial crisis. He scored banks as failing on nine of the 10 criteria, only giving them a passing grade for focusing on the most important risks.

Scenario: ERM and Technology Risk

The story of retailer Target’s failed expansion to Canada, where it shut down 133 loss-making stores in 2015, has been well documented. But one dimension that analysts have sometimes overlooked was Target’s handling of technology risk.

A case study by Canadian Business magazine traced some of the biggest issues to software and data-quality problems that dramatically undermined the Canadian launch. 

As with other forms of ERM, technology risk management requires companies to ask what could go wrong, what the consequences would be, how they might prevent the risks, and how they should deal with the consequences. 

But with its technology plan for Canada, Target did not heed risk warning signs. 

In the United States, Target had custom systems for ordering products from vendors, processing items at warehouses, and distributing merchandise to stores quickly. But that software would need customization to work with the Canadian dollar, metric system, and French-language characters. 

Target decided to go with new ERP software on an aggressive two-year timeline. As Target began ordering products for the Canadian stores in 2012, problems arose. Some items did not fit into shipping containers or on store shelves, and information needed for customs agents to clear imported items was not correct in Target's system. 

Target found that its supply chain software data was full of errors. Product dimensions were in inches, not centimeters; height and width measurements were mixed up. An internal investigation showed that only about 30 percent of the data was accurate. 

In an attempt to fix these errors, Target merchandisers spent a week double-checking with vendors up to 80 data points for each of the retailer’s 75,000 products. They discovered that the dummy data entered into the software during setup had not been altered. To make any corrections, employees had to send the new information to an office in India where staff would enter it into the system. 

As the launch approached, the technology errors left the company vulnerable to stockouts, few people understood how the system worked, and the point-of-sale checkout system did not function correctly. Soon after stores opened in 2013, consumers began complaining about empty shelves. Meanwhile, Target Canada distribution centers overflowed due to excess ordering based on poor data fed into forecasting software. 

The rushed launch compounded problems because it did not allow the company enough time to find solutions or alternative technology. While the retailer fixed some issues by the end of 2014, it was too late. Target Canada filed for bankruptcy protection in early 2015. 

Scenario: ERM and Cybersecurity

System hacks and data theft are major worries for companies. But as a relatively new field, cyber-risk management faces unique hurdles.

For example, risk managers and information security officers have difficulty quantifying the likelihood and business impact of a cybersecurity attack. The rise of cloud-based software exposes companies to third-party risks that make these projections even more difficult to calculate. 

As the field evolves, risk managers say it’s important for IT security officers to look beyond technical issues, such as the need to patch a vulnerability, and instead look more broadly at business impacts to make a cost-benefit analysis of risk mitigation. Frameworks such as the Risk Management Framework for Information Systems and Organizations by the National Institute of Standards and Technology can help.

Health insurer Aetna considers cybersecurity threats as a part of operational risk within its ERM framework and calculates a daily risk score, adjusted with changes in the cyberthreat landscape. 

Aetna studies threats from external actors by working through information sharing and analysis centers for the financial services and health industries. Aetna staff reverse-engineers malware to determine controls. The company says this type of activity helps ensure the resiliency of its business processes and greatly improves its ability to help protect member information.

For internal threats, Aetna uses models that compare current user behavior to past behavior and identify anomalies. (The company says it was the first organization to do this at scale across the enterprise.) Aetna gives staff permissions to networks and data based on what they need to perform their job. This segmentation restricts access to raw data and strengthens governance. 

Another risk initiative scans outgoing employee emails for code patterns, such as credit card or Social Security numbers. The system flags the email, and a security officer assesses it before the email is released.

Examples of Poor Enterprise Risk Management

Case studies of failed enterprise risk management often highlight mistakes that managers could and should have spotted — and corrected — before a full-blown crisis erupted. The focus of these examples is often on determining why that did not happen. 

ERM Case Study: General Motors

In 2014, General Motors recalled the first of what would become 29 million cars due to faulty ignition switches and paid compensation for 124 related deaths. GM knew of the problem for at least 10 years but did not act, the automaker later acknowledged. The company entered a deferred prosecution agreement and paid a $900 million penalty. 

Pointing to the length of time the company failed to disclose the safety problem, ERM specialists say it shows the problem did not reside with a single department. “Rather, it reflects a failure to properly manage risk,” wrote Steve Minsky, a writer on ERM and CEO of an ERM software company, in Risk Management magazine. 

“ERM is designed to keep all parties across the organization, from the front lines to the board to regulators, apprised of these kinds of problems as they become evident. Unfortunately, GM failed to implement such a program, ultimately leading to a tragic and costly scandal,” Minsky said.

Also in the auto sector, an enterprise risk management case study of Toyota looked at its problems with unintended acceleration of vehicles from 2002 to 2009. Several studies, including a case study by Carnegie Mellon University Professor Phil Koopman, blamed poor software design and company culture. A whistleblower later revealed a coverup by Toyota. The company paid more than $2.5 billion in fines and settlements.

ERM Case Study: Lululemon

In 2013, following customer complaints that its black yoga pants were too sheer, the athletic apparel maker recalled 17 percent of its inventory at a cost of $67 million. The company had previously identified risks related to fabric supply and quality. The CEO said the issue was inadequate testing. 

Analysts raised concerns about the company’s controls, including oversight of factories and product quality. A case study by Stanford University professors noted that Lululemon’s episode illustrated a common disconnect between identifying risks and being prepared to manage them when they materialize. Lululemon’s reporting and analysis of risks was also inadequate, especially as related to social media. In addition, the case study highlighted the need for a system to escalate risk-related issues to the board. 

ERM Case Study: Kodak 

Once an iconic brand, the photo film company failed for decades to act on the threat that digital photography posed to its business and eventually filed for bankruptcy in 2012. The company’s own research in 1981 found that digital photos could ultimately replace Kodak’s film technology and estimated it had 10 years to prepare. 

Unfortunately, Kodak did not prepare and stayed locked into the film paradigm. The board reinforced this course when in 1989 it chose as CEO a candidate who came from the film business over an executive interested in digital technology. 

Had the company acknowledged the risks and employed ERM strategies, it might have pursued a variety of strategies to remain successful. The company’s rival, Fuji Film, took the money it made from film and invested in new initiatives, some of which paid off. Kodak, on the other hand, kept investing in the old core business.

Case Studies of Successful Enterprise Risk Management

Successful enterprise risk management usually requires strong performance in multiple dimensions, and is therefore more likely to occur in organizations where ERM has matured. The following examples of enterprise risk management can be considered success stories. 

ERM Case Study: Statoil 

A major global oil producer, Statoil of Norway stands out for the way it practices ERM by looking at both downside risk and upside potential. Taking risks is vital in a business that depends on finding new oil reserves. 

According to a case study, the company developed its own framework founded on two basic goals: creating value and avoiding accidents.

The company aims to understand risks thoroughly, and unlike many ERM programs, Statoil maps risks on both the downside and upside. It graphs risk on probability vs. impact on pre-tax earnings, and it examines each risk from both positive and negative perspectives. 

For example, the case study cites a risk that the company assessed as having a 5 percent probability of a somewhat better-than-expected outcome but a 10 percent probability of a significant loss relative to forecast. In this case, the downside risk was greater than the upside potential.

ERM Case Study: Lego 

The Danish toy maker’s ERM evolved over the following four phases, according to a case study by one of the chief architects of its program:

  • Traditional management of financial, operational, and other risks. Strategic risk management joined the ERM program in 2006. 
  • The company added Monte Carlo simulations in 2008 to model financial performance volatility so that budgeting and financial processes could incorporate risk management. The technique is used in budget simulations, to assess risk in its credit portfolio, and to consolidate risk exposure. 
  • Active risk and opportunity planning is part of making a business case for new projects before final decisions.
  • The company prepares for uncertainty so that long-term strategies remain relevant and resilient under different scenarios. 

As part of its scenario modeling, Lego developed its PAPA (park, adapt, prepare, act) model. 

  • Park: The company parks risks that occur slowly and have a low probability of happening, meaning it neither forgets them nor actively deals with them.
  • Adapt: This response is for risks that evolve slowly and are certain or highly probable to occur. For example, a risk in this category is the changing nature of play and the evolution of buying power in different parts of the world. In this phase, the company adjusts, monitors the trend, and follows developments.
  • Prepare: This category includes risks that have a low probability of occurring — but when they do, they emerge rapidly. These risks go into the ERM risk database with contingency plans, early warning indicators, and mitigation measures in place.
  • Act: These are high-probability, fast-moving risks that must be acted upon to maintain strategy. For example, developments around connectivity, mobile devices, and online activity are in this category because of the rapid pace of change and the influence on the way children play. 

Lego views risk management as a way to better equip itself to take risks than its competitors. In the case study, the writer likens this approach to the need for the fastest race cars to have the best brakes and steering to achieve top speeds.

ERM Case Study: University of California 

The University of California, one of the biggest U.S. public university systems, introduced a new view of risk to its workforce when it implemented enterprise risk management in 2005. Previously, the function was merely seen as a compliance requirement.

ERM became a way to support the university’s mission of education and research, drawing on collaboration of the system’s employees across departments. “Our philosophy is, ‘Everyone is a risk manager,’” Erike Young, deputy director of ERM told Treasury and Risk magazine. “Anyone who’s in a management position technically manages some type of risk.”

The university faces a diverse set of risks, including cybersecurity, hospital liability, reduced government financial support, and earthquakes.  

The ERM department had to overhaul systems to create a unified view of risk because its information and processes were not linked. Software enabled both an organizational picture of risk and highly detailed drilldowns on individual risks. Risk managers also developed tools for risk assessment, risk ranking, and risk modeling. 

Better risk management has provided more than $100 million in annual cost savings and nearly $500 million in cost avoidance, according to UC officials. 

UC drives ERM with risk management departments at each of its 10 locations and leverages university subject matter experts to form multidisciplinary workgroups that develop process improvements.

APQC, a standards quality organization, recognized UC as a top global ERM practice organization, and the university system has won other awards. The university says in 2010 it was the first nonfinancial organization to win credit-rating agency recognition of its ERM program.

Examples of How Technology Is Transforming Enterprise Risk Management

Business intelligence software has propelled major progress in enterprise risk management because the technology enables risk managers to bring their information together, analyze it, and forecast how risk scenarios would impact their business.

ERM organizations are using computing and data-handling advancements such as blockchain for new innovations in strengthening risk management. Following are case studies of a few examples.

ERM Case Study: Bank of New York Mellon 

In 2021, the bank joined with Google Cloud to use machine learning and artificial intelligence to predict and reduce the risk that transactions in the $22 trillion U.S. Treasury market will fail to settle. Settlement failure means a buyer and seller do not exchange cash and securities by the close of business on the scheduled date. 

The party that fails to settle is assessed a daily financial penalty, and a high level of settlement failures can indicate market liquidity problems and rising risk. BNY says that, on average, about 2 percent of transactions fail to settle.

The bank trained models with millions of trades to consider every factor that could result in settlement failure. The service uses market-wide intraday trading metrics, trading velocity, scarcity indicators, volume, the number of trades settled per hour, seasonality, issuance patterns, and other signals. 

The bank said it predicts about 40 percent of settlement failures with 90 percent accuracy. But it also cautioned against overconfidence in the technology as the model continues to improve. 

AI-driven forecasting reduces risk for BNY clients in the Treasury market and saves costs. For example, a predictive view of settlement risks helps bond dealers more accurately manage their liquidity buffers, avoid penalties, optimize their funding sources, and offset the risks of failed settlements. In the long run, such forecasting tools could improve the health of the financial market. 

ERM Case Study: PwC

Consulting company PwC has leveraged a vast information storehouse known as a data lake to help its customers manage risk from suppliers.

A data lake stores both structured and unstructured information, meaning data in highly organized, standardized formats as well as unstandardized data. This means that everything from raw audio to credit card numbers can live in a data lake.

Using techniques pioneered in national security, PwC built a risk data lake that integrates information from client companies, public databases, user devices, and industry sources. Algorithms find patterns that can signify unidentified risks.

One of PwC’s first uses of this data lake was a program to help companies uncover risks from their vendors and suppliers. Companies can violate laws, harm their reputations, suffer fraud, and risk their proprietary information by doing business with the wrong vendor. 

Today’s complex global supply chains mean companies may be several degrees removed from the source of this risk, which makes it hard to spot and mitigate. For example, a product made with outlawed child labor could be traded through several intermediaries before it reaches a retailer. 

PwC’s service helps companies recognize risk beyond their primary vendors and continue to monitor that risk over time as more information enters the data lake.

ERM Case Study: Financial Services

As analytics have become a pillar of forecasting and risk management for banks and other financial institutions, a new risk has emerged: model risk. This refers to the risk that machine-learning models will lead users to an unreliable understanding of risk or have unintended consequences.

For example, a 6 percent drop in the value of the British pound over the course of a few minutes in 2016 stemmed from currency trading algorithms that spiralled into a negative loop. A Twitter-reading program began an automated selling of the pound after comments by a French official, and other selling algorithms kicked in once the currency dropped below a certain level.

U.S. banking regulators are so concerned about model risk that the Federal Reserve set up a model validation council in 2012 to assess the models that banks use in running risk simulations for capital adequacy requirements. Regulators in Europe and elsewhere also require model validation.

A form of managing risk from a risk-management tool, model validation is an effort to reduce risk from machine learning. The technology-driven rise in modeling capacity has caused such models to proliferate, and banks can use hundreds of models to assess different risks. 

Model risk management can reduce rising costs for modeling by an estimated 20 to 30 percent by building a validation workflow, prioritizing models that are most important to business decisions, and implementing automation for testing and other tasks, according to McKinsey.


Watch: Lessons From — and for — Toyota About Risk Management

Toyota and other automakers were hit hard by parts shortages because they failed to obtain visibility of their supply chains beyond tier-one suppliers, says Alkis Vazacopoulos, teaching associate professor in the Online Masters of Science in Business Intelligence and Analytics program at the Stevens Institute of Technology.

In the early months of the microchip shortage now plaguing automotive manufacturers, Toyota fared better than most because it had purchased additional inventories years ahead of the crisis. But the advantage of having made that far-seeing move didn’t last. The effects of the COVID-19 pandemic, including interrupted production lines, inadequate supplies of parts and components, and surging customer demand, caught up with the automaker, which announced a 40% cut in vehicle production in September.

The reason, says Vazacopoulos, was a failure by Toyota and others to acquire visibility of tier-2 suppliers and others further up the chain. At the same time, a long-time over-reliance on minimizing standing inventories through a just-in-time approach to feeding the production line left them vulnerable to the effects of supply disruption. “They don’t understand their supply chain,” he adds. “That’s a major mistake.”

It’s more than a matter of too few microchips. Automakers are burdened by legacy applications, having failed to undertake a major investment in supply-chain software over the last decade, he says.

There’s no quick fix available to the industry; it will likely take years to fix the problem, Vazacopoulos says. The situation will only get worse with the increasing popularity of electric vehicles, which require more of the chips and batteries that are currently at such a premium.

The key to long-term success — and avoiding situations such as the one currently bedeviling the industry — lies in embracing a risk-management mentality that considers the entire supply chain, and is able to withstand the impact of future disruptions.

Toyota Case Study: Insights into a Global Corporation’s Risk Management Journey

Jason Disborough

Chief Executive Officer – Multinational Clients (International), Aon

  • Toyota Motor Corporation’s proactive risk management approach is focussed on future success and sustainability.
  • Deputy Chief Officer for Global Risk, Christopher Reynolds shares insights on the automobile manufacturer’s risk philosophy.

Toyota Motor Corporation is one of the world’s largest automobile manufacturers.

In this Virtual Aon Insights Series Pacific 2021 webinar, Deputy Chief Officer for Global Risk, Christopher Reynolds shares insights into the global organisation’s risk philosophy and how they are proactively taking greater control of their innovative risk management program to ensure future success and sustainability.

Speakers include:

  • Christopher Reynolds, Chief Administrative Officer, Corporate Resources, Toyota Motor North America; Deputy Chief Officer, General Administration & Human Resources Group, Toyota Motor Corporation; Deputy Chief Officer, Global Risk, Toyota Motor Corporation
  • Jason Disborough, Chief Executive Officer – Multinational Accounts (International), Aon

What Really Makes Toyota’s Production System Resilient

  • Willy C. Shih

“Just-in-time” only works as part of a comprehensive suite of strategies.

Toyota has fared better than many of its competitors in riding out the supply chain disruptions of recent years. But focusing on how Toyota had stockpiled semiconductors and the problems of other manufacturers, some observers jumped to the conclusion that the era of the vaunted Toyota Production System was over. Not the case, say Toyota executives. TPS is alive and well and is a key reason Toyota has outperformed rivals.

The supply chain disruptions triggered by the Covid-19 pandemic caused major headaches for manufacturers around the world. Nowhere was this felt more acutely than in the auto industry, which faced severe shortages of semiconductor chips and other components. This led many people to argue that just-in-time and lean production methods were dead and being superseded by “just-in-case” stocking of more inventory.

  • Willy C. Shih is a Baker Foundation Professor of Management Practice at Harvard Business School.

Risk Management

Risk management system, investment cycle management.

We define "risk" as "an event with the potential to cause unexpected losses in business operations, or cause damage to the Toyota Tsusho Group's assets and trust, etc." as laid out in the company's Risk Management Basic Policy. The company's fundamental approach is to identify and consider the various risks that occur in the course of business operations, ensure management safety, and increase corporate value by exposing itself to risk only within an appropriate and controlled range. In concretely implementing the Risk Management Basic Policy, besides risk management by the respective departments responsible for risks carried out individually in the past, the former Enterprise Risk Management Committee was evolved in April 2020 into the Integrated Risk Management Committee, which verifies the state of risk management on a more global basis, referring to the COSO*-ERM Framework and other concepts. The committee, chaired by the CFO, is mainly joined by the head of risk management in each overseas region, as well as the general managers of the planning department of each sales division and the directors and general managers in charge of each risk. The committee applies our "Check 10" consolidated risk management system.

Check 10 activities are defined as the 10 risk items (product, credit, business, foreign exchange and funding, internal controls, human resources and labor, information security, misconduct, logistics, and occupational safety and environment) that should be given the highest priorities among the risk items. Each business entity evaluates and scores on the two axes of risk and a management system, prepares a heat map, and realizes visualization of both quantitative and qualitative risks. The relevant risk assessment is then analyzed and supported by the Risk Supervisory Department. To identify global risks and problems, and then work to eliminate and minimize them, we discuss and promote the necessary countermeasures to establish and strengthen the risk management system on a consolidated basis for the risk of our group companies.

The committee also uses its meetings to clarify risks that could have a significant impact on the Toyota Tsusho Group’s management, identifies important company-wide risks related to management objectives, discusses and decides on response policies, verifies the effectiveness of the risk management process, and reports to the CEO. The committee makes recommendations to the Board of Directors regarding risk management. Based on these recommendations, the Board of Directors continuously supervises the effectiveness of the risk management process and takes appropriate action when changes are necessary.

* Committee of Sponsoring Organizations of the Treadway Commission

Risk Assets (RA) and Risk Buffer (RB)

To verify that the total amount of financial risks is within the scope of our management capabilities, the company regularly measures its risk assets (RA), the maximum expected loss on a consolidated basis, and endeavors to ensure that risk assets are balanced by the risk buffer (RB), which is the company's financial corporate strength. RA are calculated by multiplying the risk asset principal based on each account on the balance sheet by the risk weight (RW) indicated by the maximum expected loss ratio, while the RB is defined and calculated as the corporate group's total financial corporate strength. We are striving to maintain a sound and stable financial position by continuing to increase the RB based on profit for the year attributable to owners of the parent.

The risk management of RA is carried out by maintaining the ratio of RA to RB below 1.0. Our policy is to maximize operating cash flow by promoting cash flow management down to the business unit level and increasing business profitability and working capital efficiency, and then use the cash created to maintain a balance between investment in growth and shareholder returns. As a result of these continued initiatives, in the fiscal year ended March 31, 2023, we again maintained RA within the scope of the RB. (The ratio of RA to RB was 0.7, which is below 1.0.)

Also, we conduct country risk management to prevent an excessive accumulation of risk by evaluating the total amount of RA and keeping this total beneath the upper limit determined for each country. We also introduced Risk-adjusted Value Added (RVA) as a measure of risk profitability to secure returns commensurate with risks.

Major Risks

Product Risk

Toyota Tsusho sets position limits for market product transactions that are exposed to the risk of commodity price fluctuations, such as non-ferrous metals, petroleum products, rubber, foodstuffs, and textiles, regularly monitors whether these limits are being applied, and takes measures to mitigate price fluctuation risks.

Credit Risk

Toyota Tsusho rates business partners on eight levels based on their financial position using independent criteria and specifies limits for each type of transaction, such as accounts receivable or advance payments. For business partners who receive low ratings, our company establishes loss-prevention transaction policies such as reviewing transaction conditions, protecting accounts receivable or withdrawing, and conducting individually focused management.

Business Investment Risk

We aim to expand existing businesses, strengthen functions, and enter new businesses by strengthening existing partnerships and forming new alliances. We discuss the strategic nature and company-wide priorities for new investments. Both the sales department in charge as well as those in charge of the Administrative Unit participate in the review process, examining investment returns and various risk analyses from a wide range of perspectives. In addition, after investments are made, we monitor whether investment returns are achieved as planned and whether profits commensurate with risk assets are secured, and strictly apply restructuring and withdrawal rules for projects that are not progressing as planned.

Foreign Exchange Risk

Toyota Tsusho implements hedge measures, including using forward exchange contracts, for transactions denominated in foreign currencies, as they are exposed to the risk of fluctuations in foreign exchange rates. In the event we are unable to hedge a transaction, we implement measures that mitigate foreign exchange rate fluctuation risks by setting position limits and regularly monitoring the results of these transactions.

Risks Related to Fund Procurement

We strive to minimize liquidity risk by maintaining sound business relationships with financial institutions, engaging in asset liability management (ALM), and procuring funds in accordance with the nature of our assets.

Human Rights Risks

We began conducting human rights due diligence at all consolidated subsidiaries in the fiscal year ended March 31, 2022 in order to respond to human rights risks that could have an impact on society through business activities.

Based on the opinions of internal and external experts, we analyzed human rights risks at all consolidated subsidiaries around the world from three perspectives: nature of business (business sector), location (country), and products handled. We identified 93 companies where thorough confirmation of priority risks is needed. The four salient human rights issues that we investigated during this due diligence process were forced labor, child labor, discrimination, and the freedom of association and right to collective negotiations.

We surveyed the 93 subject companies using a questionnaire to understand the management status of anticipated specific human rights risks. Based on the results of the questionnaire, we identified companies that we believed required further investigation. We then investigated the actual situation through an interview conducted in the presence of third-party organizations and established the direction of specific measures to reduce risks.

No human rights issues of immediate concern were identified through this process, but we will continue our efforts to reduce human rights risks.

The status of this process and the evaluation results are reported to the Sustainability Management Committee.

Information Security Risk

Based on our Information Security Policy, we implement risk management through the following measures.

  • Toyota Tsusho Group standard information security management guidelines (All Toyota Security Guideline) have been established and deployed globally, and compliance with these guidelines is continuously monitored and improved.
  • We review these guidelines regularly to deal with the ever-increasing risk of cyber attacks and the like, and at the same time work to improve the management capability of each group company.
  • We have established group standard security systems and are deploying and managing them globally in order to promote adherence to the guidelines efficiently and uniformly.
  • As the group standard security systems, we have standardized major IT functions such as network security, email security, and PC security globally, and we will expand them as appropriate in the future.
  • We have established a Computer Security Incident Response Team (CSIRT), which carries out preventive activities to reduce the risk of security incidents by continuously collecting and analyzing threat information and by monitoring with the group standard security systems.
  • In order to minimize damage in the event of a security incident, we have established a collaboration and support system with group companies, and are working to create an environment where we can immediately identify the scope of impact, take measures, and prevent recurrence.

Compliance Risks

We established the Compliance & Crisis Management Department to strengthen the compliance system of the entire Group. In doing so, we aim to raise awareness of compliance, including thorough compliance with laws and regulations.

Occupational Safety & Health Risk and Environmental Risk

We establish management rules or guidelines concerning occupational safety & health and environmental risk and appropriately identify and manage these risks.

Environmental Risk Management

The Group's business entities are operated in accordance with environmental policies and biodiversity guidelines. For existing business units, we are working to reduce the risk of environmental pollution by quantitatively evaluating the degree of environmental pollution risk for each facility and the management level of work sites. In addition, we carry out a compliance evaluation for environmental laws and regulations every six months, and double-check the status of legal compliance of priority issues through internal and external audits.

Country Risks

We strive to reduce risks for projects in countries with high country risk through export and investment insurance and other means. We also aim to reduce the concentration of risk in specific regions or countries by monitoring risk-weighted assets, which is the maximum expected loss, for each country and keeping it within an upper limit set for each country.

Crisis Management

Overseas Crisis Management

In response to a major terrorist attack in Algeria in January 2013, the Security Management Group was established as a specialist organization within the Global Human Resources Department in April of that year. Currently, the Crisis Management & BCM Group of the Compliance & Crisis Management Department conducts education and training, including pre-assignment seminars for employees (and their families) stationed overseas and hands-on training that enables them, in a controlled environment, to learn about and to experience the risks unique to their country or region.

  • 1 A seminar on basic precautions while on business trips abroad is held for young employees with little overseas experience.
  • 2 Hostile Environment Training, which includes topics such as terrorism, is conducted for personnel assigned to high-risk countries.

We have stepped up our monitoring and analysis of security information and have developed a website through which we share information with Toyota Tsusho Group employees all around the world. We have also established a 24/7 response system offering medical consultation with a physician by telephone and emergency medical transport for employees stationed overseas.

Business Continuity

The Toyota Tsusho Group has established a Business Continuity Management (BCM) system led by the Crisis Management & BCM Group of the Compliance & Crisis Management Department. Toyota Tsusho's Business Continuity Plan (BCP) is an all-hazard BCP that takes into account all risks, including natural disasters such as earthquakes and typhoons, terrorist acts, pandemics, and cyber-attacks, and has been formulated for 210 businesses in Japan and overseas. Specifically, in accordance with the Toyota Tsusho Group Basic Business Continuity Principles, we have prepared plans to prevent business interruption or to restore operations as quickly as possible even in the event of interruption, assuming scenarios in which key management resources are unavailable, such as employees not being able to come to work, not being able to enter the headquarters, long-term power outages, or not being able to use IT systems.

Based on the formulated response plan, we conduct initial disaster response drills in September and March of each year, based on the scenario of a large-scale earthquake. We also conduct educational and awareness-raising activities for our employees worldwide by publishing a collection of case studies of businesses that have formulated BCPs and regularly issuing newsletters in both Japanese and English. Based on the BCP formulated to maintain an appropriate management system, we conduct periodic exercises and improvements, and continue to operate through the PDCA cycle.

TTC Group Business Continuity Principles

  • 1 The safety of employees and their families is the first priority.
  • 2 Even if unexpected contingencies occur, we will not forget the Corporate Philosophy: Living and prospering together in society. All employees will fulfill their social responsibilities.
  • 3 We take preventive measures against predictable risks. We maximize Team Power to recover quickly from unexpected contingencies. We minimize impact to customers and continue our business.
  • 4 We promote the understanding of our Business Continuity Principles to all employees by means of education and training. We consistently perform KAIZEN (continuous improvement) to tackle Business Continuity Management (BCM), which should be based on Real Places, Real Things, and Reality.

Conflict Mineral

There are worldwide concerns that mineral resources mined in the Democratic Republic of the Congo (DRC) and nine neighboring countries are the source of funding for armed groups that are causing human rights abuses and environmental destruction. Since 2013, a survey centered on US-listed companies has been conducted every year, tracing back through the global supply chain to check whether products contain these conflict minerals, and we are also actively participating in the survey as a member of the supply chain.

To achieve sustainable growth, Toyota Tsusho believes it is important to appropriately manage risk and generate reliable results from investments. Rather than pursuing investments aimed at short-term profits, we focus on strategic investment whereby a business is developed over the medium to long term, leading to expansion and strengthening of the Toyota Tsusho Group's value chain. For this purpose, we have developed a system that optimizes the knowledge and experience accrued throughout the company to engage in deliberations at each stage of investment, from initial investigation to implementation. We have also enriched our systems for investment follow-up to solve problems faced by our business companies and replace assets.

We closely examine all aspects of the balance sheet, and we have inspection processes for geopolitical and country risks from a wide point of view, as well as continuous analytic processes for the risks of fluctuations in foreign exchange rates, interest rates, and commodity prices, and for credit risk and the like. These are also applied to the screening process for new investments, all of which are inspected thoroughly prior to the Investment and Loan Committee and the Investment Loan Meeting.

Regarding new investment projects, major policy is decided at the Mid-term Business Plan Meeting and the Investment Strategy Meeting, while decisions on individual projects are made by the organization concerned based upon business plans screened by the Investment and Loan Meeting and the Investment and Loan Committee. At the Investment and Loan Meeting, chaired by the Assistant to CFO, and the Investment and Loan Committee, chaired by the CFO, we use TVA, *1 which is our original indicator for verifying that the expected revenue scale is achieved corresponding to the invested capital, and RVA, *2 which is an indicator used to verify that obtained revenue is appropriate for the risk, to carry out entry management. At the same time, we conduct assessments of climate change and other environmental risks, greenhouse gas emissions and reduction effects, and other aspects using our original environmental check sheets, to quantitatively verify projects from various perspectives. Some of our affiliated companies, both in Japan and overseas, have been authorized to make investment decisions to accelerate the investment decision-making process.

After investments are implemented, the Administrative Unit and the sales divisions concerned jointly and continuously monitor and support projects facing issues ("check and support"). In addition to monitoring by the sales divisions, the Administrative Unit also monitors through balance sheets and profit/loss (BS/PL) *3 standards. If a project falls short of quantitative standards, we assess the sustainability of the business and decide whether to restructure or exit.

By continuing to repeat this investment cycle, we aim to allocate management resources optimally and improve capital efficiency.

  • *1 An abbreviation of Toyotsu Value Achievement. TVA = (Ordinary income – Interest income or expenses) × (1 – Respective country's tax rate) – Invested capital × Cost rate of invested capital by country. Ordinary income is profit before income taxes, adjusted for non-recurring, extraordinary, and significant gains and losses arising from non-operating activities, which indicates the "earning power" of a sales division or business entity. The cost rate of invested capital by country is the cost rate derived from the weighted average of the cost of capital and government bond yields by country, resulting from the invested capital used in operating and business activities.
  • *2 An abbreviation of Risk-adjusted Value Added. RVA = (Ordinary income × 60%) – Risk asset × Risk cost rate, where risk asset is the maximum amount of expected loss should a contingency (a once-in-a-century event) occur, and risk cost rate is the shareholder expected rate of return based on Toyota Tsusho's return on equity (ROE) target of 13% or more.
  • *3 BS standard: If the capital impairment ratio is 50% or higher. PL standard: If there is a net loss for two consecutive periods, or if a downturn is at least 30% of the planned value at the time of investment.

Brought to you by:

Thunderbird School of Global Management

Toyota's Disrupted Global Supply Chain: Covid-19 and the Global Chip Shortage

By: William E Youngdahl, Kannan Ramaswamy

  • Length: 12 page(s)
  • Publication Date: Dec 31, 2021
  • Discipline: Operations Management
  • Product #: TB0648-PDF-ENG

Toyota's supply chain, long admired as an industry benchmark for efficiency and effectiveness, was unable to supply critical parts to replenish inventory in its plants pursuant to the global chip shortages that resulted from the general disruption created by the Covid-19 pandemic. During the first quarter of 2021, the delta variant of the virus was spreading across the globe. Southeast Asia, where Toyota sourced many auto components, was particularly hard hit. As demand for automobiles was surging during the second half of 2021, a critical shortage of microchips forced Toyota and other automakers to shut down some of their assembly lines. Set against this backdrop, the case focuses on options that firms might pursue in preparing for black swan events such as Covid-19.

Learning Objectives

This case provides a context for examining how companies can manage supply risks for black swan events such as the global microchip shortage that Toyota and other automakers faced during the Coronavirus pandemic. Discussion and analysis of this case provide several learning benefits:

  • To expose participants to the Toyota Production System and lean supply chains
  • To provide some understanding of the unique challenges associated with global supply shortages, especially during black swan events
  • To provide practical insights into how leaders can identify and manage supply chain risks

Industries: Automotive industry

COMMENTS

  1. Business Case Study: Enterprise Risk Management at Toyota

    Business Case Study: Enterprise Risk Management at Toyota. M.B.A. University of Pittsburgh. Corporate Manager and veteran Business and Economics teacher at a number of community colleges. After ...

  2. Toyota Case Study: Insights into a Global Corporation's Risk Management

    In this Aon Insights Series Pacific 2021 session, gain insight into the risk philosophy of one of the world's largest automobile manufacturers, Toyota Motor ...

  3. Enterprise Risk Management Examples l Smartsheet

    Also in the auto sector, an enterprise risk management case study of Toyota looked at its problems with unintended acceleration of vehicles from 2002 to 2009. Several studies, including a case study by Carnegie Mellon University Professor Phil Koopman, blamed poor software design and company culture. A whistleblower later revealed a coverup by ...

  4. Watch: Lessons From

    October 13, 2021. Robert J. Bowman, SupplyChainBrain. Toyota and other automakers were hit hard by parts shortages because they failed to obtain visibility of their supply chains beyond tier-one suppliers, says Alkis Vazacopoulos, teaching associate professor in the Online Masters of Science in Business Intelligence and Analytics program at the ...

  5. Enterprise Risk Management at Toyota

    Abstract: Toyota is the most efficient car manufacturer in the world. It is well known for its lean manufacturing and lean product development practices. Eliminating waste is a core business philosophy at Toyota. Less well known is Toyota's ability to respond effectively to customer needs. The case points out that even in a mature industry like ...

  6. Insights into a Global Corporation's Risk Management Journey

    Toyota Motor Corporation's proactive risk management approach is focussed on future success and sustainability. Deputy Chief Officer for Global Risk, Christopher Reynolds shares insights on the automobile manufacturer's risk philosophy. The Aon Insights Series is designed to help you shape mission-critical business decisions for the better.

  7. What Really Makes Toyota's Production System Resilient

    Save. Summary. Toyota has fared better than many of its competitors in riding out the supply chain disruptions of recent years. But focusing on how Toyota had stockpiled semiconductors and the ...

  8. Case Study: Toyota

    Watch the case study video, summarise what you have learned, and then answer the questions at the end of the video. Analyse what information this case study is giving you, and what you can learn from what this company did. Think of additional questions to contemplate, and make notes of your answers.

  9. Enterprise Risk Management at Toyota

    To download Enterprise Risk Management at Toyota case study (Case Code: ERMT-006) click on the button below, and select the case from the list of available cases: Price: For delivery in electronic format: Rs. 300; For delivery through courier (within India): Rs. 300 + Rs. 25 for Shipping & Handling Charges » Enterprise Risk Management Case ...

  10. PDF Fall 2020 Enterprise Risk Management Case Study

  11. Risk Management Lessons From Toyota

    Risk Management Lessons From Toyota. This article is more than 10 years old. Toyota is well-known for its lean business process, continuous innovation, manufacturing prowess and strong supplier ...

  12. Business Case Study: Enterprise Risk Management at Toyota

    Quiz & Worksheet Goals. When you take the quiz, you'll be going over these points: The first step in Toyota's business continuance plan. Reason Toyota had a renewed interest in risk management ...

  13. Risk Management

    Implementing the Toyota Philosophy and Guiding Principles at Toyota * based on the Toyota Code of Conduct to fulfill the corporate social responsibility expected of Toyota. Honor the language and spirit of the law of every country and region, and undertake open and fair business activities to be a strong corporate citizen of the world.

  14. Risk Management

    Risk Management System. We define "risk" as "an event with the potential to cause unexpected losses in business operations, or cause damage to the Toyota Tsusho Group's assets and trust, etc." as laid out in the company's Risk Management Basic Policy. The company's fundamental approach is to identify and consider the various risks that occur in ...

  15. PDF Analysis of Toyota Motor Corporation

    Toyota a sustainable brand name and a market leader position. 7 3.3. SWOT Analysis Strengths: Strong market position and brand recognition: Toyota has a strong market position in different geographies across the world. The company's market share for Toyota and Lexus brands, (excluding mini vehicles) in Japan was 45.5% in FY2012.

  16. Enterprise Risk Management at Toyota

    To download Enterprise Risk Management at Toyota case study (Case Code: ERMT-006) click on the button below, and select the case from the list of available cases: Price: For delivery in electronic format: Rs. 300; For delivery through courier (within India): Rs. 300 + Shipping & Handling Charges extra » Enterprise Risk Management Case Studies ...

  17. Case Study Critical Analysis for Toyota Motor Corporate Strategy

    Abstract. This paper focuses on the effectiveness of corporate strategy in making engineering organizations successful with a specific case study of Toyota Motors Corporation. The Study uses two ...

  18. Toyota's Disrupted Global Supply Chain: Covid-19 and the Global Chip

    Toyota's supply chain, long admired as an industry benchmark for efficiency and effectiveness, was unable to supply critical parts to replenish inventory in its plants pursuant to the global chip shortages that resulted from the general disruption created by the Covid-19 pandemic. During the first quarter of 2021, the delta variant of the virus was spreading across the globe. Southeast Asia ...

  19. Enterprise Risk Management at Toyota

    If your order is placed outside our working hours or on a holiday, the case study will be e-mailed to you on the next working day. Our working hours are 9.00 a.m to 6.00 p.m IST. We work five days a week (Monday - Friday). Our offices are closed on Saturdays and Sundays. For a list of other holidays, please click here. Hard copy, delivery ...

  20. Business Case Study: Crisis Management at Toyota

    Crisis management is the process that a business goes through when dealing with an emergency situation. This lesson will focus on a situation Toyota faced which demanded crisis management. We will ...

  21. Toyota Company Case Studies

    Enterprise Risk Management at Toyota: Financial Risk Management at Toyota: IR Problems at Toyota Kirloskar Motor Private Limited: Toyota's Globalization: Knowledge Management Practices at Toyota Motors : Available: Google, Inc.: Searching for New Avenues for Growth: Toyota Prius - A Case in New Product Development: Crisis Management at Toyota

  22. Risk Management at Toyota

    Based on this context it is necessary for the management of Toyota to provide safety to the employees by managing risks. 1 M Acharyya & C Brady, "Designing an Enterprise Risk Management Curriculum for Business Studies: Insights From a Pilot Program", in Risk Management and Insurance Review, vol. 17, 2014, 113-136. 2 I Lončarski, "Risk ...

  23. Toyota Case Study

    Toyota Case Study - Free download as PDF File (.pdf), Text File (.txt) or read online for free. Toyota (GB) PLC are the importers and distributors for Toyota and Lexus vehicles in the UK employing some 400 people across 5 operational sites. They use The Entropy System to manage their certification requirements. It provides a centralised system for data capture and is used for HSEQ task management.