18th EurOMA Conference, Cambridge UK: 3-6 July 2011
Managing the Operations-Risks interface:
A Proposal for Protocol Analysis of the Operational
Risk Management
Luiz Carlos Di Serio - luiz.diserio@fgv.br
Escola de Administração de Empresas de São Paulo - EAESP
Fundação Getúlio Vargas – FGV – São Paulo, Brasil
Luciel Henrique de Oliveira – luciel.oliveira@fgv.br
Escola de Administração de Empresas de São Paulo - EAESP
Fundação Getúlio Vargas – FGV – São Paulo, Brasil
Centro Universitário as Faculdades Associadas de Ensino – FAE
São João da Boa Vista - São Paulo, Brasil
Luiz Marcelo Siegert Schuch - marcelo.schuch@gmail.com
Escola de Administração de Empresas de São Paulo - EAESP
Fundação Getúlio Vargas – FGV – São Paulo, Brasil
Abstract
This work aims at contributing to operating risk evaluation methodology by introducing
an analysis instrument that combines the benefits of risk management with
organizational transformation. The protocol consists of an analysis of the
implementation process, current stage, facilitating and complicating factors and impact
of risk management. We have analyzed internal documentation from three world-class
companies that won the Brazilian Quality Award Prize (PNQ) and examined the results
of interviews conducted with their risk managers. This study’s main contributions are
the systematization of concepts and the organization of a risk analysis protocol based on
the experiences of these companies.
Keywords: Enterprise Risk Management (ERM), Operating risks, supply chain risks.
Introduction
At the end of 2009 and beginning of 2010 Toyota made a worldwide recall of over nine
million vehicles in order to fix potentially dangerous acceleration and brake problems.
How could this happen to a world-class company that was a famous point of reference
for product and services excellence? Supply chain optimization, company
interdependence and the establishment of global operating networks have all made
companies more susceptible to uncertainty and risk. Toyota’s case illustrates this trend,
exposing companies’ vulnerability in this context and showing the need for increased
attention to risk management and organizational transformation.
According to the Global Risks 2008 report, published by the World Economic
Forum, the main current risks stem from supply chains, the financial system, food
safety, and issues related to energy availability and use. Enterprise Risk Management
(ERM) has been devised to help organizations create a sustainable program to manage
corporate risk and draw up a practical framework to disseminate knowledge and training
within the organization (BEASLEY, BRANSON, HANCOCK, 2009).
This work is based on a practical experiment at three organizations that won the PNQ
National Quality Award - whose requirements include the identification, classification,
analysis and handling of significant corporate risks. The fact that the winners’
management systems are more mature in terms of development and integration enabled
a more complete evaluation of the factors proposed in this study. Based on questions
such as “How do companies that are considered as examples of world-class
management handle their organizational risk?” and “How does risk management affect
the culture and results of these organizations?” we developed an operating risks analysis
protocol that was empirically employed and tested in the three organizations. This paper
aims at contributing to operating risk evaluation methodology by introducing an
analysis instrument that combines the benefits of risk management with organizational
transformation. It can be adapted and employed by organizations of any size and sector
for the identification, classification, analysis and handling of their main operating risks.
1. Theoretical References
1.1. Risk Management
According to the Committee of Sponsoring Organizations of the Treadway
Commission, COSO (2004) corporate risk management must be undertaken by the
board of directors, management and other personnel, applied at a strategic level and
throughout the company.
Based on the previous definition and according to Cohen and Kunreuther (2006);
Matook, Lasch and Tamaschke (2009), we can infer that organizational risk management
is: a process (meaning that it has an end and it is not an end in itself); undertaken by
people (from all levels of an organization); applied to strategy; employed in the
company as a whole (every level and unit); planned to identify potential events that
could affect the organization and to manage risks within acceptable levels; a guarantee
for management and for the board of directors; and adapted for the achievement of
goals. Over the past decades the operations area has reemerged as a crucial part of
strategic planning. Skinner’s article (1969) proposed that manufacturing be included in
the strategic process rather than be limited as a specialization focused on the plant’s
everyday routine. Operational strategy has gained more space and become a link
between market requirements and operating resources (SLACK, LEWIS, 2002).
JÜTTNER et al (2003) propose a structure to direct studies related to risk management
in the supply chain. The authors conclude that the goal of risk management in the
supply chain is to identify potential risk sources and implement appropriate actions to
avoid or contain the vulnerability of the chain as a whole.
1.2. Generic risk management models
An increase in corporate scandals together with recent legislation such as the Sarbanes-Oxley Act of 2002 has led companies to focus more on risk management. Currently
there are models in the market designed to direct risk management in an organization.
The publication of COSO (2004) introduces an ERM model that includes strategic and
operating aspects associated with risk management (Figure 1). The Sarbanes-Oxley Law’s
main goal was to restore the credibility of the capital market by preventing the
occurrence of new mistakes, such as those which contributed to the bankruptcy of large
US corporations at the end of the 1990s (ARNOLD, 2007; SANTOS and LEMES, 2007).
Corporate risk management consists of eight inter-related components: internal
environment; objective setting; event identification; risk assessment; risk response;
control activities; information and communication; and monitoring. In the COSO
Report model (2004), internal control is undertaken by the board of directors, managers
and employees. It is designed to offer a reasonable degree of security for the
achievement of goals in the following categories: operating efficiency and effectiveness,
reliable financial reports and compliance with applicable legislation and regulation.
Meanwhile, ERM (GATES and HEXTER, 2006; BARTON, SHENKIR and WALTER
2010) is undertaken by the organization’s directors, managers and employees.
Figure 1: COSO ERM Integrated Framework
Source: COSO (2004)
1.3. Assessing risk management maturity
Risk management maturity can be assessed through classic cumulative competitive
priorities models that are used to describe management practices that offer
simultaneous advantages to a large number of variables. Among these models are the
“sand cone” (FERDOWS, DE MEYER, 1990), diamond (PORTER, 1989) and the
Venkatraman models (1994). The “sand cone” is a cumulative priorities model that
makes an analogy with a sand cone. The sand layers represent action programs (related
to priorities) that are gradually implemented so each priority is settled before the next
layer is placed (FERDOWS, DE MEYER, 1990; SLACK et al., 2009).
Venkatraman (1994) proposes a framework that creates paths to allow
implementation of Information Technology within an organization. This framework
presents five organizational transformation stages and their respective impacts:
Localized exploration; Internal integration; Redesign the business process, and
Redefining the business scope. It is the company’s task to determine what type of
transformation it plans to introduce. The choice of a specific level of transformation
depends on costs incurred and estimated benefits.
2. Methodological Procedures
This research followed the multi-case study model proposed by YIN (1984). We first
contacted the latest winners and finalists of the PNQ award and identified the
companies that adopt risk management systems. Initial contact was made with the
company’s representative on the FNQ (National Quality Foundation) data bank, who
then referred us to the person in charge of risk management. One of the requirements for
involvement in the study was for the company to work with the subject of “risk
management”, even if this system was still being structured. This premise enabled a
preliminary glimpse of the results obtained through the implementation of the risk
management system.
Three of the companies we contacted agreed to share information and experiences. In
many cases risk management involves the organization’s strategic questions, thus
hindering access to some information and, in some cases even preventing the
company’s participation in the study. This problem was dealt with through a
confidentiality agreement stating that the participants’ names remain undisclosed, and
through prior submission of a script containing the main themes discussed during the
interviews.
After consulting the literature on the subject, we drew up the following research
protocol for the interviews and analyses of the results: (1) Risk management
implementation – factors that facilitate and hinder risk management in the company. (2)
Current stage of the risk management system – risk management governance; risk
identification and analysis; risk monitoring and crisis management, the use of
technology and integration, and how and whether risks were communicated to
stakeholders. (3) Impacts of risk management – the organizational culture’s approach to
risk and to decision-making and the impact on organizational results.
We chose to conduct semi-structured interviews with a previously drawn up
questionnaire containing specific sections aimed at helping map out the implementation
process, the current stage of the risk management system and the results obtained. For
each case analyzed we conducted interviews with the executive in charge of the
organization’s risk management. The interviews were based on a prepared script and
were conducted at the company’s facilities during scheduled meetings. They lasted an
average of 3 hours and covered the entire scope established in the script.
Table 1: Characteristics of the companies analyzed
Company A – Brazilian industrial company and a traditional player in its segment. One of the
country’s most profitable private business conglomerates, it combines family control, high performance
professional management, and partnerships with the capital market. Its trajectory has been marked by a
capacity for innovation, risk taking and the adoption of bold new business models and products for the
achievement of value solutions for the organization and society as a whole.
Company B – A holding company that operates through subsidiaries in the production, distribution
and commercial sectors. It is Brazil’s largest company in its segment. It has great experience and
knowledge of its activities, acquired from significant expertise and tradition.
Company C – A diversified global industrial company that supplies products and services to clients
worldwide. It is Brazil’s main producer and supplier of its products. Through a combination of the
strength and expertise acquired as a global company, it has become a supplier of value and innovation to
its clients. In Brazil this company has a high level of quality and commitment and supplies excellent
brands, products and solutions to its clients in the South American market.
In each question the interviewees were asked to describe the company’s experience.
At the end of questions with previously-established factors, it was requested that the
interviewee grade the degree of agreement with this practice and the degree to which it
has been implemented. The interview was not restricted to the suggested factors, so the
interviewees were free to propose new ones. This approach aimed at obtaining a
minimum group of factors for future comparison between companies. The companies,
which are loosely described in Table 1, did not authorize the disclosure of their names or
details that could identify them. Both the interviews and the data collection were carried
out by the authors. In addition to the interviews, we used information from the
companies’ sites, minutes of meetings, internal presentations about the subject, annual
reports and documents available to the market.
4. Results and Discussion
4.1. Facilitating factors in risk management
We identified the main aspects for the analysis of facilitating and complicating factors
in risk management (Tables 2, 3 and 4).
Based on these and other frameworks, we asked the interviewees to assign grades
from one (of little importance) to five (very important), bearing in mind the experience
acquired with the implementation of risk management in the company.
Observation of the results showed the determining factors were implementation
through a multifunctional team and the leadership’s support. The leadership’s support
was crucial to mobilize people, as it placed the issue in the executives’ agenda. In
Company A this was made clear by the inclusion of the subject in the Chief Executive
Officer and Chief Financial Officer’s (leaders of the implementation process) variable
remuneration plan and by the definition of a specific action plan for the Financial Area
within strategic planning. The interviewees did not consider it relevant to use a
specialized consultancy firm to support the implementation process. According to them,
the necessary information was obtained through participation in events about the subject
and from COSO’s framework, which establishes the necessary stages for the
implementation of the model.
Table 2: Framework for an analysis of facilitating factors in risk management
Support from leadership
A team focused on implementation
Previous experience with management systems
Multifunctional team actions
Use of a norm or reference standard
Employment of a specialized consultancy firm
Specific manager training for the development of risk assessment skills
4.2. Complicating factors in risk management
The answers did not suggest that any of the proposed factors had a significant impact on
the implementation of the risk management system. In Company A, the support of the
leadership was considered effective and as a result the proposed item scored low on the
interviewees’ evaluation, although all the interviewees recognized the item as being a
very important factor. The factor that generated the greatest difficulty, according to the
interviewees, was the executives’ relative lack of knowledge about risk assessment.
According to them, this difficulty was attenuated by a request for each executive to
identify the factors that made them “lose sleep”. Afterwards, the risks were detailed and
analyzed.
Table 3: Framework for analysis of complicating factors in risk management
Lack of leadership support
Difficulty to identify effective results
Lack of knowledge about risk assessment among those involved
Lack of information about the probability and impacts of events that cause deviations
Long implementation process
Culture of informal analysis of alternatives and their risks.
4.3. The current stage of risk management
Each company opted for different risk management implementation structures. Whilst
Company A set up an implementation team and a Risk Subcommittee to manage the
process, Company B created a Chief Risk Office that reported directly to the CEO.
Company C created a post for someone with a deep knowledge of operations at the
plant (Chief Projects Officer), as this was the focus of risk assessment in Brazil.
Literature on the subject shows the adoption of different implementation models,
whether in the form of a specific area, a committee or a post (LIEBENBERG and
HOYT, 2003). In terms of complicating factors, field results show that the biggest
hindrance to implementation stems from lack of knowledge about risk assessment
among those involved. As for the extent of the assessments, both Company A and B
affirmed that their respective risk assessments were focused on the company itself and
that supply chain risks were not evaluated. Only Company C made an analysis of its
clients’ and suppliers’ risks. This is in line with the Gates and Hexter (2006) research
conclusion that risk management starts with the financial area and is followed by
strategic and operating risks.
4.3.1 Process governance
Table 4: Framework for the analysis of risk management governance
Management establishes risk policies and achieves a consensus about risk appetite with other management levels.
Upper management shows its commitment to risk management by highlighting its importance.
Risk acceptance criteria are available to executives in order to help with their decision-making.
Central coordination supports management’s strategic decisions by assessing risks and uncertainties.
Each unit or relevant sector, as well as all specialized risk groups, have a risk team or committee linked to central coordination.
The central coordination’s mission is to ensure implementation of measurable standardized risk management in all the units and sectors.
The evaluation based on the criteria in Table 4 showed that companies B and C opted
for creating specific risk processing governance areas, whilst company A assigned this
task to a multidisciplinary committee coordinated by the Chief Financial Officer.
According to the Corporate Risk Management Framework (IBGC, 2007), there is a
tendency to create a unit responsible for this new role, be it an area or a committee. In
overall terms, Company C’s operating unit scored lower than the other two companies.
This could be due to its having somewhat distant corporate governance, which keeps the
unit isolated from the upper-management’s decisions and influence.
4.3.2 Risk analysis and identification
Table 5 – Example of taxonomy or risk classification
Competition
D&R
Project
Operating control
Organizational and Management
Image
System
Commercial
Regulatory Risks
Control & Compliance
Political
Credit
Social and Environmental
Supply
Logistics
Market
In company A, risk identification is limited to the company itself and does not
acknowledge risks in the supply chain, while the other companies do include the supply
chain. As described in the Corporate Risk Management Framework (IBGC, 2007), there
is no consensual risk classification that can be applied to all organizations; it must be
developed according to the characteristics of each organization and take into account the
specificities of the company’s industrial sector, market and operating area. Each
company has its own risk classification system and does not consider the difference
relevant, as there must be a standard classification system per organization. In all the
companies the handling of significant risks has been monitored by the areas in charge of
risk management. This control is centralized and justified by efforts to integrate risks
and risk handling.
Strategic Planning is crucial for risk management. It is essential for evaluating how
Multiannual Plans enable scenario analyses; project valuation through medium-term
simulation models and financial evaluations; the prioritization of higher-value projects;
and the verification of potential strategies’ inclusion in long-term goals. For each of the
identified risks we propose the adoption of the template, which considers the event,
classification, the responsible area and short-term and medium-term probabilities and
their respective impact. The final evaluation only considers probability and the short-term impact (1 year). For each risk analyzed we list existing and future action plans,
including establishment of the period in which implementation can occur, and a budget
estimate for implementation of the actions. To measure risk management maturity in
terms of quantification and handling we propose the factors described in Table 6.
Table 6 – Framework for Risk Quantification and Handling
Common definition of risk (taxonomy) and methodology to calculate and report eventual risk exposure.
Front-line executives and support staff are trained to quantify and report exposure.
Exposure is assessed by a committee or its equivalent, which defines the need to make accounting provisions or include them in the financial projections.
Significant exposure is handled through projects or initiatives recognized by central management.
The various types of risk applicable to the organization are jointly assessed, handled and reported so that management can evaluate their interrelated impacts.
Internal controls used to mitigate risks are kept in a common data bank.
An aspect that featured less in all three companies is training. This is because risk
management in these companies is still centralized in the project coordinator, committee
or CRO (Chief Risk Officer). As a result, the methodology is less disseminated and
consequently there is less training. When training actually took place, it was not as a
long-duration program but as workshops introducing the generic concept of risk and
showing how to fill in the templates. Although both the COSO and ISO 31000 models
stress the importance of risk management being handled by adequately trained
personnel, this has been underdeveloped by the companies studied here and must be
evaluated further.
4.3.3 Risk monitoring and crisis management
An assessment of the current stage of risk monitoring and crisis management in
accordance with the criteria described in Table 7 requires the use of a 1 to 5 scale,
where 1 means that it has not been implemented yet and 5 that it has and is at a
developed stage.
Table 7 – Framework for risk monitoring and crisis management
Risk indicators are defined through a common methodology, monitored through a management information system and used for critical analysis by management.
Internal controls used to mitigate risks are audited on a periodic basis.
There is a financial exposure value attributed to periodically monitored risks.
There is a contingency plan system for handling crises and ensuring the continuity of operations.
Both crisis simulations and real crises are used as lessons for plan revisions.
The factors related to crisis monitoring and management were significantly dispersed
among the three companies. The most relevant in Company B was the periodic auditing
of controls, in compliance with the Sarbanes-Oxley Law’s requirement for an annual
evaluation of established controls. In the case of companies A and C the most developed
aspect was the contingency plan system, which is also the main focus of risk
management in Company C’s production plant. Company A draws up contingency
plans for priority risks and constantly monitors its Cash Flow at Risk and Value at Risk
– although these are considered as market risks. None of the companies evaluated
adopts a systematic simulation of their contingency plans. This is only to be applied in
the future in specific cases outside of the planned risk management structures.
4.3.4 Integration and the use of technology
Although the company uses credit management (SAP) and market risk management
software, there is no indication of an operating risk management system. All risk
identification spreadsheets and resulting action and contingency plans are available in
document files on the risk analysts’ restricted-access website. This structure does not
enable progressive monitoring of risk exposure and trajectory, thus hindering
longitudinal data analysis. As the companies use an integrated system (ERPs) they have
risk control criteria as part of the system’s parameterization, such as control for the
approval for certain operations (credit, refunds, payments, etc.) whose adequacy should
also be analyzed. None of the companies employs risk management systems or
computer tools. Instead, they use spreadsheets with manually entered data that are
available on the company’s internal computer network (with restricted access). Thus,
despite using integrated systems the companies do not seem to benefit from the
information technology facilities and resources available on the market.
4.3.5 Risk Disclosure
Although the entire process of risk identification and analysis is considered a restricted
activity subject to the signing of a confidentiality agreement by the parties involved, the
companies disclose main risks in their sustainability report. As a result, the company is
subject in the long-term to market risks related mostly to product volume and price
volatility in the market where it operates. This is prompted by variations in production
capacity and global demand and by fluctuations in international exchange rate and
interest rates. Risk disclosure is considered confidential and therefore is restricted to
members of the risk committee and to the company’s upper management. The main
risks that are usually described in the sustainability report are: product prices; big
competitors and imported products; delays in expansion projects; reliance on third-party
suppliers and whether or not insurance is sufficient to cover losses and damages.
4.4 Impacts of risk management
The analysis protocol considers three aspects to assess the degree to which risk
management changes an organization’s culture: (1) Risks are identified by the
executives in a proactive manner; (2) Risks are assessed during strategic planning,
projects and everyday operations; (3) Executives base their routine decisions on prior
risk analyses. The companies evaluated are still far from undergoing a cultural
transformation that could effectively change their decision-making process. In all three
cases the perception is that only a portion of those involved have incorporated risk
management into everyday decision-making. Structured risk identification is still
reactive and conditioned to the initiatives of the organization’s risk management
coordination.
Strategic planning executives in all three companies have had initial contact with the
risk management model and its developments. However, as these are recently
implemented processes whose methodology and concepts have not been fully
disseminated to all levels of the company, cultural transformation has not yet occurred.
According to the interviewees, the implementation of corporate risk management has
increased “awareness” about the fact that each decision comes with new risks, or
changes the shape of existing ones. The biggest change in the analyzed companies’
current risk management is in strategic planning, which has started to incorporate the
main risks to which the companies are exposed when making strategic choices.
The analysis protocol considers thirteen aspects for the identification of the results
obtained with risk management, as shown in Table 8.
Table 8 – Framework for an assessment of risk management results
Ability to avoid events that could interrupt operations
Reduction in losses
Improvement in incident management and prevention
Improvement in operating results
Improvement in corporate governance
Increase in shareholders’ trust in the company
Increase in other interested parties’ trust
Reduced insurance premiums
Reduced fundraising costs in the market
Compliance with applicable regulatory and legal requirements
Improvement of financial reports
Trust and a rigorous basis for decision-making
Improvement in opportunities and in threat identification
The companies have noticed benefits in practically all the items proposed,
although the strongest perception is that risk handling helps prevent events that could
lead to an interruption in operations. After wide discussions with representatives from
the companies, we concluded that contingency plans are rarely put into action. One of
the interviewees claimed that it is difficult to measure the risk management system’s
efficiency, comparing it to a soccer goalkeeper: “No one knows how many goals a
goalkeeper has prevented, but everyone knows how many he has let in.” This remark
summarizes the difficulties in measuring the efficiency of a risk management system
and leads to a much more qualitative than quantitative analysis of its impact.
In addition to operating results, the companies also acknowledged an improvement in
shareholders’ trust, corporate governance and to a lesser degree in trust from other
interested parties. Regarding this last item, the companies have acknowledged that there
is no disclosure to other interested parties (government, suppliers, the community
around the plant and society as a whole) about ongoing risk management.
4.5. A Model of risk management maturity
According to the model proposed by Venkatraman (1994), analysis of the cases studied
during this research suggests that companies A and B are more aligned to the Internal
Integration stage. In these two companies the efforts are mostly focused on risk
consolidation and integration, although in both cases the processes were redesigned in
accordance with initial assessments. In corporate terms, company C might be at a more
advanced stage (transition to Stage 4) as individual analysis of the case shows it is more
concerned with business networks - more precisely its supply chain. Finally, it is
important to point out that the model aims at aligning expectations and enabling the
companies to make more conscious choices. It is possible in practice, however, that the
company is at uneven stages of development depending on each particular aspect. In
this respect, the “sand cone” and “Porter diamond” models could be used to analyze the
level of maturity in risk management.
5. Final Considerations
Analysis of the three empirical cases enabled us to employ and adapt a protocol that
placed the intervenient factors (facilitating and complicating), benefits and results of the
process into an instrument for assessing the implementation of organizational risk
management systems. The protocol is an analysis instrument that can be used in any
organization.
The main contributions to the study in the academic field are the systematization of
concepts and the structuring of a risk analysis protocol based on the experiences of three
world-class companies, with a focus on operating risk management in the supply chain.
From an empirical point of view, this research has enabled us to: identify different risk
management development models in organizations with quite advanced management
systems and which consequently have experience with this type of initiative; present the
facilitating and complicating factors for the initiative’s success from the point of view
of the world class companies that are implementing risk management; look into what
the companies perceive as the results gleaned from the implementation of systems, thus
allowing a more realistic analysis of the benefit-cost-ratio.
Risk management systems in the companies analyzed are at their initial maturation
stage, thus limiting perceptions about the cultural issues during the process. As risk
management has not been effectively implemented in all areas, the interviews were
restricted to direct participants in the implementation process, thus introducing a certain
bias to the answers. None of the companies gave access to their specific risks or their
respective handling (mitigation, elimination, transfer, etc.). Consequently, it was not
possible to evaluate the extent to which each of these alternatives has been applied.
For future research we suggest the adoption of a reporting system to consolidate
organizations’ risks on a global scale and to assess the impacts of risk management on
organizational culture and its influence on processes related to innovation. Furthermore,
we suggest an assessment of the level of adherence to the model among companies with
more mature risk management systems.
References
ARNOLD, Vicky et al. The Unintended Consequences of Sarbanes-Oxley on Technology Innovation and
Supply Chain Integration. Journal of Emerging Technologies in Accounting, 2007, Vol. 4. pp. 103–121.
BARTON, Thomas L., SHENKIR, William G., WALTER, Paul L. ERM after the Financial Cri$i$.
Financial Executive. April 2010. pp. 18-22. Available at: www.financialexecutives.org.
Accessed 02/04/2010.
BEASLEY, Mark S., BRANSON, Bruce C., HANCOCK, Bonnie V. Take your risk management system
to the next level. Journal of Accountancy. September 2009. pp. 28-32. Available at:
www.journalofaccountancy.com
COHEN, Morris A., KUNREUTHER, Howard. Operations Risk Management: Overview of Paul
Kleindorfer’s Contribution. Production and Operations Management. 16(5), 2007. pp. 525–541.
COSO - Committee of Sponsoring Organizations of the Treadway Commission. Enterprise Risk
Management - Integrated Framework. Executive Summary. September 2004.
FERDOWS, K., DE MEYER, A. Lasting improvements in manufacturing performance: in search of a
new theory. Journal of Operations Management. v.9, n.2, Apr 1990.
FNQ. Fundação Nacional da Qualidade. Critérios de Excelência 2010. Available at http://www.fnq.org.br
GATES, S. and HEXTER, E. The Strategic Benefits of Managing Risk. MIT Sloan Management Review.
Vol 47, n°3, Spring, 2006.
GLOBAL RISK 2008. A Global Risk Network Report, 2008. Available at http://www.weforum.org
IBGC – Instituto Brasileiro de Governança Corporativa. http://www.ibgc.org.br. 2010.
MATOOK, S.; LASCH, R.; TAMASCHKE, R. Supplier development with benchmarking as part of a
comprehensive supplier risk management Framework. International Journal of Operations &
Production Management. 2009. V.29 No. 3. pp. 241-267.
PORTER, M. E. Estratégia Competitiva: técnicas para análise da indústria e da concorrência, Rio de
Janeiro: Campus, 1989.
SANTOS, L.A.A., LEMES, S. Desafios das companhias brasileiras na implantação da Lei Sarbanes-Oxley.
BASE – Revista de Administração e Contabilidade da Unisinos. 4(1):37-46, janeiro/abril 2007.
SKINNER, W. Manufacturing – missing link in corporate strategy. Harvard Business Review, May-June 1969.
SLACK, N., CHAMBERS, S., JOHNSTON, R. Administração da Produção. 3ª Ed. São Paulo: Atlas.
2009.
SLACK, N; LEWIS, M. Operations Strategy. Prentice Hall, 2002.
VENKATRAMAN, N. IT-enabled business transformation: from automation to business scope
redefinition. Sloan Management Review, Winter, v.35, n.2, p.73-87, 1994.
YIN, R. K. Case study research: design and methods. London: Sage, 1984.