18th EurOMA Conference, Cambridge UK: 3-6 July 2011 Managing the Operations-Risks interface: A Proposal for Protocol Analysis of the Operational Risk Management Luiz Carlos Di Serio - luiz.diserio@fgv.br Escola de Administração de Empresas de São Paulo - EAESP Fundação Getúlio Vargas – FGV – São Paulo, Brasil Luciel Henrique de Oliveira – luciel.oliveira@fgv.br Escola de Administração de Empresas de São Paulo - EAESP Fundação Getúlio Vargas – FGV – São Paulo, Brasil Centro Universitário as Faculdades Associadas de Ensino – FAE São João da Boa Vista - São Paulo, Brasil Luiz Marcelo Siegert Schuch - marcelo.schuch@gmail.com Escola de Administração de Empresas de São Paulo - EAESP Fundação Getúlio Vargas – FGV – São Paulo, Brasil Abstract This work aims at contributing to operating risk evaluation methodology by introducing an analyses instrument that combines the benefits of risk management with organizational transformation. The protocol consists of an analysis of the implementation process, current stage, facilitating and complicating factors and impact of risk management. We have analyzed internal documentation from three world-class companies that won the Brazilian Quality Award Prize (PNQ) and examined the results of interviews conducted with their risk managers. This study’s main contributions are the systematization of concepts and the organization of a risk analysis protocol based on the experiences of these companies. Keywords: Enterprise Risk Management (ERM), Operating risks, supply chain risks. Introduction At the end of 2009 and beginning of 2010 Toyota made a worldwide recall of over nine million vehicles in order to fix potentially dangerous acceleration and break problems. How could this happen to a world-class company that was a famous point of reference for product and services excellence? Supply chain optimization, company interdependence and the establishment of global operating networks have all made companies more susceptible to uncertainty and risk. Toyota’s case illustrates this trend, exposing companies’ vulnerability in this context and showing the need for increased attention to risk management and organizational transformation. According to the Global Risks 2008 report, published by the World Economic Forum, the main current risks stem from supply chains, the financial system, food safety, and issues related to energy availability and use. Enterprise Risk Management (ERM) has been devised to help organizations create a sustainable program to manage corporate risk and draw up a practical framework to disseminate knowledge and training within the organization (BEASLEY, BRANSON, HANCOCK, 2009). This work is based on a practical experiment at three organizations that won the PNQ National Quality Award - whose requirements include the identification, classification, 1 18th EurOMA Conference, Cambridge UK: 3-6 July 2011 analysis and handling of significant corporate risks. The fact that the winners’ management systems are more mature in terms of development and integration enabled a more complete evaluation of the factors proposed in this study. Based on questions such as “How do companies that are considered as examples of world-class management handle their organizational risk?” and “How does risk management affect the culture and results of these organizations?” we developed an operating risks analysis protocol that was empirically employed and tested in the three organizations. This paper aims at contributing to operating risk evaluation methodology by introducing an analyses instrument that combines the benefits of risk management with organizational transformation. It can be adapted and employed by organizations of any size and sector for the identification, classification, analysis and handling of their main operating risks. 1. Theoretical References 1.1. Risk Management According to the Committee of Sponsoring Organizations of the Treadway Commission, COSO (2004) corporate risk management must be undertaken by the board of directors, management and other personnel, applied at a strategic level and throughout the company. Based on the previous definition and according to Cohen and Kunreuthwer (2006); Matook, Lash and Tamaschke (2009), we can infer that organizational risk management is: a process (meaning that it has an end and it is not an end in itself); undertaken by people (from all levels of an organization); applied to strategy; employed in the company as a whole (every level and unit); planned to identify potential events that could affect the organization and to manage risks within acceptable levels; a guarantee for management and for the board of directors; and adapted for the achievement of goals. Over the past decades the operations area has reemerged as a crucial part of strategic planning. Skinner’s article (1969) proposed that manufacturing be included in the strategic process rather than be limited as a specialization focused on the plant’s everyday routine. Operational strategy has gained more space and become a link between market requirements and operating resources (SLACK LEWIS, 2002). JÜTTNER et al (2003) propose a structure to direct studies related to risk management in the supply chain. The authors conclude that the goal of risk management in the supply chain is to identify potential risk sources and implement appropriate actions to avoid or contain the vulnerability of the chain as a whole. 1.2. Generic risk management models An increase in corporate scandals together with recent legislation such as the SarbanesOxley Act of 2002 has led companies to focus more on risk management. Currently there are models in the market designed to direct risk management in an organization. The publication of COSO (2004) introduces an ERM model that includes strategic and operating aspects associated to risk management (Figure 1). The Sarbanes-Oxley Law’s main goal was to restore the credibility of the capital market by preventing the occurrence of new mistakes, such as those which contributed to the bankruptcy of large US corporations at the end of the 1990s (ARNOLD, 2007; SANTOS and LEME, 2007). Corporate risk management consists of eight inter-related components: internal environment; objective setting; event identification; risk assessment; risk response; control activities; information and communication; and monitoring. In the COSO Report model (2004), internal control is undertaken by the board of directors, managers 2 18th EurOMA Conference, Cambridge UK: 3-6 July 2011 and employees. It is designed to offer a reasonable degree of security for the achievement of goals in the following categories: operating efficiency and effectiveness, reliable financial reports and compliance with applicable legislation and regulation. Meanwhile, ERM (GATES and HEXTER, 2006; BARTON, SHENKIR and WALTER 2010) is undertaken by the organization’s directors, managers and employees. Figure 1: COSO ERM Integrated Framework Source: COSO (2004) 1.3. Assessing risk management maturity Risk management maturity can be assessed through classic cumulative competitive priorities models that are used to describe management practices that offer simultaneous advantages to a large number of variables. Among these models are the “sand cone” (FERDOWS, DE MEYER, 1990), diamond (PORTER, 1989) and the Venkatraman models (1994). The “sand cone” is a cumulative priorities model that makes an analogy with a sand cone. The sand layers represent action programs (related to priorities) that are gradually implemented so each priority is settled before the next layer is placed (FERDOWS, DE MEYER, 1990; SLACK at. al. 2009). Venkatraman (1994) proposes a framework that creates paths to allow implementation of Information Technology within an organization. This framework presents five organizational transformation stages and their respective impacts: Localized exploration; Internal integration; Redesign the business process, and Redefining the business scope. It is the company’s task to determine what type of transformation it plans to introduce. The choice of a specific level of transformation depends on costs incurred and estimated benefits. 2. Methodological Procedures This research followed the multi-case study model proposed by YIN (1984). We first contacted the latest winners and finalists of the PNQ award and identified the companies that adopt risk management systems. Initial contact was made with the company’s representative on the FNQ (National Quality Foundation) data bank, who then referred us to the person in charge of risk management. One of the requirements for involvement in the study was for the company to work with the subject of ‘risk management”, even if this system was still being structured. This premise enabled a preliminary glimpse of the results obtained through the implementation of the risk management system. 3 18th EurOMA Conference, Cambridge UK: 3-6 July 2011 Three of the companies we contacted agreed to share information and experiences. In many cases risk management involves the organization’s strategic questions, thus hindering access to some information and, in some cases even preventing the company’s participation in the study. This problem was dealt with through a confidentiality agreement stating that the participants’ names remain undisclosed, and through prior submission of a script containing the main themes discussed during the interviews. After consulting the literature on the subject, we drew up the following research protocol for the interviews and analyses of the results: (1) Risk management implementation – factors that facilitate and hinder risk management in the company. (2) Current stage of the risk management system – risk management governance; risk identification and analysis; risk monitoring and crisis management, the use of technology and integration, and how and whether risks were communicated to stakeholders.(3) Impacts of risk management – the organizational culture’s approach to risk and to decision-making and the impact on organizational results. We chose to conduct semi-structured interviews with a previously drawn up questionnaire containing specific sections aimed at helping map out the implementation process, the current stage of the risk management system and the results obtained. For each case analyzed we conducted interviews with the executive in charge of the organization’s risk management. The interviews were based on a prepared script and were conducted at the company’s facilities during scheduled meetings. They lasted an average of 3 hours and covered the entire scope established in the script. Table 1: Characteristics of the companies analyzed Company A – Brazilian industrial company and a traditional player in its segment. One of the country’s most profitable private business conglomerates, it combines family control, high performance professional management, and partnerships with the capital market. Its trajectory has been marked by a capacity for innovation, risk taking and the adoption of bold new business models and products for the achievement of value solutions for the organization and society as a whole. Company B – A holding company that operates through subsidiaries in the production, distribution and commercial sectors. It is Brazil’s largest company in its segment. It has great experience and knowledge of its activities, acquired from significant expertise and tradition. Company C – A diversified global industrial company that supplies products and services to clients worldwide. It is Brazil’s main producer and supplier of its products. Through a combination of the strength and expertise acquired as a global company, it has become a supplier of value and innovation to its clients. In Brazil this company has a high level of quality and commitment and supplies excellent brands, products and solutions to its clients in the South American market. In each question the interviewees were asked to describe the company’s experience. At the end of questions with previously-established factors, it was requested that the interviewee grade the degree of agreement with this practice and the degree to which it has been implemented. The interview was not restricted to the suggested factors, so the interviewees were free to propose new ones. This approach aimed at obtaining a minimum group of factors for future comparison between companies. The companies, which are loosely described in table 1, did not authorize the disclosure of their names or details that could identify them. Both the interviews and the data collection were carried out by the authors. In addition to the interviews, we used information from the companies’ sites, minutes of meetings, internal presentations about the subject, annual reports and documents available to the market. 4 18th EurOMA Conference, Cambridge UK: 3-6 July 2011 4 Results and Discussion 4.1. Facilitating factors in risk management We identified the main aspects for the analysis of facilitating and complicating factors in risk management (Tables 2, 3 and 4). Based on these and other frameworks, we asked the interviewees to grant grades from one (of little importance) to five (very important), bearing in mind the experience acquired with the implementation of risk management in the company. Observation of the results showed the determining factors were implementation through a multifunctional team and the leadership’s support. The leadership’s support was crucial to mobilize people, as it placed the issue in the executives’ agenda. In Company A this was made clear by the inclusion of the subject in the Chief Executive Officer and Chief Financial Officer’s (leaders of the implementation process) variable remuneration plan and by the definition of a specific action plan for the Financial Area within strategic planning. The interviewees did not consider it relevant to use a specialized consultancy firm to support the implementation process. According to them, the necessary information was obtained through participation in events about the subject and from COSO’s framework, which establishes the necessary stages for the implementation of the model. Table 2: Framework for an analysis of facilitating factors in risk management Support from leadership A team focused on implementation Previous experience with management systems Multifunctional team actions Use of a norm or reference standard Employment of a specialized consultancy firm Specific manager training for the development of risk assessment skills 4.2. Complicating factors in risk management The answers did not suggest that any of the proposed factors had a significant impact on the implementation of the risk management system. In Company A, the support of the leadership was considered effective and as a result the proposals item scored low on the interviewees’ evaluation, although all the interviewees recognized the item as being a very important factor. The factor that generated the greatest difficulty, according to the interviewees, was the executives’ relative lack of knowledge about risk assessment. According to them, this difficulty was attenuated by a request for each executive to identify the factors that made them “lose sleep”. Afterwards, the risks were detailed and analyzed. Table 3: Framework for analysis of complicating factors in risk management Lack of leadership support Difficulty to identify effective results Lack of knowledge about risk assessment among those involved Lack of information about the probability and impacts of events that cause deviations Long implementation process Culture of informal analysis of alternatives and their risks. 4.3. The current stage of risk management Each company opted for different risk management implementation structures. Whilst Company A set up an implementation team and a Risk Subcommittee to manage the process, Company B created a Chief Risk Office that reported directly to the CEO. 5 18th EurOMA Conference, Cambridge UK: 3-6 July 2011 Company C created a post for someone with a deep knowledge of operations at the plant (Chief Projects Officer), as this was the focus of risk assessment in Brazil. Literature on the subject shows the adoption of different implementation models, whether in the form of a specific area, a committee or a post (LIEBENBERG and HOYT, 2003). In terms of complicating factors, field results show that the biggest hindrance to implementation stems from lack of knowledge about risk assessment among those involved. As for the extent of the assessments, both Company A and B affirmed that their respective risk assessments were focused on the company itself and that supply chain risks were not evaluated. Only Company C made an analysis of its client and suppliers’ risks. This is in line with the Gates and Hexter (2006) research conclusion that risk management starts with the financial area and is followed by strategic and operating risks. 4.3.1 Process governance Table 4: Framework for the analysis of risk management governance Management establishes risk policies and achieves a consensus about risk appetite with other management levels. Upper management shows its commitment to risk management by highlighting its importance Risk acceptance criteria are available to executives in order to help with their decision-making Central coordination supports management’s strategic decisions by assessing risks and uncertainties. Each unit or relevant sector, as well as all specialized risk groups, have a risk team or committee linked to central coordination. The central coordination’s mission is to ensure implementation of measurable standardized risk management in all the units and sectors. The evaluation based on the criteria in Table 4 showed that companies B and C opted for creating specific risk processing governance areas, whilst company A assigned this task to a multidisciplinary committee coordinated by the Chief Financial Officer. According to the Corporate Risk Management Framework (IBGC, 2007), there is a tendency to create a unit responsible for this new role, be it an area or a committee. In overall terms, Company C’s operating unit scored lower than the other two companies. This could be due it having somewhat distant corporate governance, which keeps the unit isolated from the upper-management’s decisions and influence. 4.3.2 Risk analysis and identification Table 5 – Example of taxonomy or risk classification Competition D&R Project Operating control Organizational and Management Image System Commercial Regulatory Risks Control & Compliance Political Credit Social and Environmental Supply Logistics Market In company A, risk identification is limited to the company itself and does not acknowledge risks in the supply chain, while the other companies do include the supply chain. As described in the Corporate Risk Management Framework (IBGC, 2007), there is no consensual risk classification that can be applied to all organizations; it must be developed according to the characteristics of each organization and take into account the specificities of the company’s industrial sector, market and operating area. Each 6 18th EurOMA Conference, Cambridge UK: 3-6 July 2011 company has its own risk classification system and does not consider the difference relevant, as there must be a standard classification system per organization. In all the companies the handling of significant risks has been monitored by the areas in charge of risk management. This control is centralized and justified by efforts to integrate risks and risk handling. Strategic Planning is crucial for risk management. It is essential for evaluating how Multiannual Plans enable scenario analyses; project valuation through medium-term simulation models and financial evaluations; the prioritization of higher-value projects; and the verification of potential strategies’ inclusion in long-term goals. For each of the identified risks we propose the adoption of the template, which considers the event, classification, the responsible area and short-term and medium-term probabilities and their respective impact. The final evaluation only considers probability and the shortterm impact (1 year). For each risk analyzed we list existing and future action plans, including establishment of the period in which implementation can occur, and a budget estimate for implementation of the actions. To measure risk management maturity in terms of quantification and handling we propose the factors described in Table 6. Table 6 – Framework for Risk Quantification and Handling Common definition of risk (taxonomy) and methodology to calculate and report eventual risk exposure. Front-line executives and support staff are trained to quantify and report exposure. Exposure is assessed by a committee or its equivalent, which defines the need to make accounting provisions or include them in the financial projections. Significant exposure is handled through projects or initiatives recognized by central management. The various types of risk applicable to the organization are jointly assessed, handled and reported so that management can evaluate their interrelated impacts. Internal controls used to mitigate risks are kept in a common data bank. An aspect that featured less in all three companies is training. This is because risk management in these companies is still centralized in the project coordinator, committee or CRO (Chief Risk Officer). As a result, the methodology is less disseminated and consequently there is less training. When training actually took place, it was not as a long-duration program but as workshops introducing the generic concept of risk and showing how to fill in the templates. Although both the COSO and ISO 31000 models stress the importance of risk management being handled by adequately trained personnel, this has been underdeveloped by the companies studied here and must be evaluated further. 4.3.3 Risk monitoring and crisis management An assessment of the current stage of risk monitoring and crisis management in accordance with the criteria described in Table 7 requires the use of a 1 to 5 scale, where 1 means that it has not been implemented yet and 5 that it has and is at a developed stage. Table 7 – Framework for risk monitoring and crisis management Risk indicators are defined through a common methodology, monitored through a management information system and used for critical analysis by management. Internal controls used to mitigate risks are audited on a periodic basis. There is a financial exposure value attributed to periodically monitored risks There is a contingency plan system for handling crises and ensuring the continuity of operations. Both crisis simulations and real crises are used as lessons for plan revisions. 7 18th EurOMA Conference, Cambridge UK: 3-6 July 2011 The factors related to crisis monitoring and management were significantly dispersed among the three companies. The most relevant in Company B was the periodic auditing of controls, in compliance with the Sarbanes Law’s requirement for an annual evaluation of established controls. In the case of companies A and C the most developed aspect was the contingency plan system, which is also the main focus of risk management in Company C’s production plant. Company A draws up contingency plans for priority risks and constantly monitors its Cash Flow at Risk and Value at Risk – although these are considered as market risks. None of the companies evaluated adopts a systematic simulation of their contingency plans. This is only to be applied in the future in specific cases outside of the planned risk management structures. 4.3.4 Integration and the use of technology Although the company uses credit management (SAP) and market risk management software, there is no indication of an operating risk management system. All risk identification spreadsheets and resulting action and contingency plans are available in document files on the risk analysts’ restricted-access website. This structure does not enable progressive monitoring of risk exposure and trajectory, thus hindering longitudinal data analysis. As the companies use an integrated system (ERPs) they have risk control criteria as part of the system’s parameterization, such as control for the approval for certain operations (credit, refunds, payments, etc.) whose adequacy should also be analyzed. None of the companies employs risk management systems or computer tools. Instead, they use spreadsheets with manually entered data that are available on the company’s internal computer network (with restricted access). Thus, despite using integrated systems the companies do not seem to benefit from the information technology facilities and resources available on the market. 4.3.5 Risk Disclosure Although the entire process of risk identification and analysis is considered a restricted activity subject to the signing of a confidentiality agreement by the parties involved, the companies disclose main risks in their sustainability report. As a result, the company is subject in the long-term to market risks related mostly to product volume and price volatility in the market where it operates. This is prompted by variations in production capacity and global demand and by fluctuations in international exchange rate and interest rates. Risk disclosure is considered confidential and therefore is restricted to members of the risk committee and to the company’s upper management. The main risks that are usually described in the sustainability report are: product prices; big competitors and imported products; delays in expansion projects; reliance on third-party suppliers and whether or not insurance is sufficient to cover losses and damages. 4.4 Impacts of risk management The analysis protocol considers three aspects to assess the degree to which risk management changes an organization’s culture: (1) Risks are identified by the executives in a proactive manner; (2) Risks are assessed during strategic planning, projects and everyday operations; (3) Executives base their routine decisions on prior risk analyses. The companies evaluated are still far from undergoing a cultural transformation that could effectively change their decision-making process. In all three cases the perception is that only a portion of those involved have incorporated risk 8 18th EurOMA Conference, Cambridge UK: 3-6 July 2011 management into everyday decision-making. Structured risk identification is still reactive and conditioned to the initiatives of the organization’s risk management coordination. Strategic planning executives in all three companies have had initial contact with the risk management model and its developments. However, as these are recently implemented processes whose methodology and concepts have not been fully disseminated to all levels of the company, cultural transformation has not yet occurred. According to the interviewees, the implementation of corporate risk management has increased “awareness” about the fact that each decision comes with new risks, or changes the shape of existing ones. The biggest change in the analyzed companies’ current risk management is in strategic planning, which has started to incorporate the main risks to which the companies are exposed when making strategic choices. The analysis protocol considers thirteen aspects for the identification of the results obtained with risk management, as shown in Table 8. Table 8 – Framework for an assessment of risk management results Ability to avoid events that could interrupt operations Reduction in losses Improvement in incident management and prevention Improvement in operating results Improvement in corporate governance Increase in shareholders’ trust in the company Increase in other interested parties’ trust Reduced insurance premiums Reduced fundraising costs in the market Compliance with applicable regulatory and legal requirements Improvement of financial reports Trust and a rigorous basis for decision-making Improvement in opportunities and in threat identification The companies have noticed benefits in practically all the items proposed, although the strongest perception is that risk handling helps prevent events that could lead to an interruption in operations. After wide discussions with representatives from the companies, we concluded that contingency plans are rarely put into action. One of the interviewees claimed that it is difficult to measure the risk management system’s efficiency, comparing it to a soccer goalkeeper: “No one knows how many goals a goalkeeper has prevented, but everyone knows how many he has let in.” This remark summarizes the difficulties in measuring the efficiency of a risk management system and leads to a much more qualitative than quantitative analysis of its impact. In addition to operating results, the companies also acknowledged an improvement in shareholders’ trust, corporate governance and to a lesser degree in trust from other interested parties. Regarding this last item, the companies have acknowledged that there is no disclosure to other interested parties (government, suppliers, the community around the plant and society as a whole) about ongoing risk management. 4.5. A Model of risk management maturity According to the model proposed by Venkatraman (1994), analysis of the cases studied during this research suggests that companies A and B are more aligned to the Internal Integration stage. In these two companies the efforts are mostly focused on risk consolidation and integration, although in both cases the processes were redesigned in accordance with initial assessments. In corporate terms, company C might be at a more advanced stage (transition to Stage 4) as individual analysis of the case shows it is more concerned with business networks - more precisely its supply chain. Finally, it is 9 18th EurOMA Conference, Cambridge UK: 3-6 July 2011 important to point out that the model aims at aligning expectations and enabling the companies to make more conscious choices. It is possible in practice, however, that the company is at uneven stages of development depending on each particular aspect. In this respect, the “sand cone” and “Porter diamond” models could be used to analyze the level of maturity in risk management. 5. Final Considerations Analysis of the three empirical cases enabled us to employ and adapt a protocol that placed the intervenient factors (facilitating and complicating), benefits and results of the process into an instrument for assessing the implementation of organizational risk management systems. The protocol is an analysis instrument that can be used in any organization. The main contributions to the study in the academic field are the systematization of concepts and the structuring of a risk analysis protocol based on the experiences of three world-class companies, with a focus on operating risk management in the supply chain. From an empirical point of view, this research has enabled us to: identify different risk management development models in organizations with quite advanced management systems and which consequently have experience with this type of initiative; present the facilitating and complicating factors for the initiative’s success from the point of view of the world class companies that are implementing risk management; look into what the companies perceive as the results gleaned from the implementation of systems, thus allowing a more realistic analysis of the benefit-cost-ratio. Risk management systems in the companies analyzed are at their initial maturation stage, thus limiting perceptions about the cultural issues during the process. As risk management has not been effectively implemented in all areas, the interviews were restricted to direct participants in the implementation process, thus introducing a certain bias to the answers. None of the companies gave access to their specific risks or their respective handling (mitigation, elimination, transfer, etc.). Consequently, it was not possible to evaluate the extent to which each of these alternatives has been applied. For future research we suggest the adoption of a reporting system to consolidate organizations’ risks on a global scale and to assess the impacts of risk management on organizational culture and its influence on processes related to innovation. Furthermore, we suggest an assessment of the level of adherence to the model among companies with more mature risk management systems. References ARNOLD, Vicky et. al. The Unintended Consequences of Sarbanes-Oxley on Technology Innovation and Supply Chain Integration. Journal of Emerging Technologies in Accounting, 2007, Vol. 4. pp.103– 121 BARTON, Thomas L. Barton, SHENKIR, William G. Shenkir, WALTER, Paul L. ERM after the FinancialCri$i$. Financial Executive. April 2010. pp.18-22 Available in: www.financialexecutives.org. Access in 02/04/2010. BEASLEY, Mark S., BRANSON, Bruce C., HANCOCK, Bonnie V. Take your risk management system to the next level. Journal of Accountancy. September 2009. pp.28-32 Available in: www.iournalofaccountancy.com COHEN, Morris A. Cohen, KUNREUTHER, Howard. Operations Risk Management: Overview of Paul Kleindorfer’s Contribution. Production and Operations Management. 16(5), 2007. pp. 525–541. COSO- Committee of Sponsoring Organizations of the Treadway Commission. Enterprise Risk Management - Integrated Framework. Executive Summary. September 2004. 10 18th EurOMA Conference, Cambridge UK: 3-6 July 2011 FERDOWS, K., DE MEYER, A. Lasting improvements in manufacturing performance: in search of a new theory. Journal of Operation Management. v.9, n.2, Apr 1990. FNQ. Fundação Nacional da Qualidade. Critérios de Excelência 2010. Available at http://www.fnq.org.br GATES, S. e HEXTER, E. The Strategic Benefits of Managing Risk. MIT. Sloan Management Review. Vol 47, n°3, Spring, 2006. GLOBAL RISK 2008. A Global Risk Network Report, 2008. Available at http://www.weforum.org IBGC – Instituto Brasileiro de Governança Corporativa. http://www.ibgc.org.br. 2010. MATOOK, S.; LASCH, R.;TAMASCHKE, R. Supplier development with benchmarking as part of a comprehensive supplier risk management Framework. International Journal of Operations & Production Management. 2009. V.29 No. 3. pp. 241-267 PORTER, M. E. Estratégia Competitiva: técnicas para análise da indústria e da concorrência, Rio de Janeiro: Campus, 1989. SANTOS, L.A.A., LEMES, S. Desafios das companhias brasileiras na implantação da Lei SarbanesOxley. BASE – Revista de Administração e Contabilidade da Unisinos. 4(1):37-46, janeiro/abril 2007 SKINNER, W. Manufacturing – missing link in corporate strategy. Harvard Business Review, MayJune 1969 SLACK, N., CHAMBERS, S., JOHSNTON, R. Administração da Produção. 3ª Ed. São Paulo: Atlas. 2009. SLACK, N; LEWIS, M. Operations Strategy. Prentice Hall, 2002. VENKATRAMAN, N. IT – Enable business transformation: from automation to business scope redefinition. Sloan Management Review, Winter, v.35, n.2, p.73-87, 1994. YIN, R. K. Case study research: design and methods. London: Sage, 1984. 11