Colonel – we have a problem
In mid-February KFC announced that it was shutting the majority of its stores across the UK and Ireland due to, of all things, a chicken shortage that was caused by the introduction of a new delivery contractor, that had taken over from an established food distributor that had worked with the fried chicken brand for some years.
A crisis of this magnitude is unprecedented in modern history. Given the size of KFC, it is not unreasonable to expect that the chickens will just keep on arriving and stores will keep selling the deep-fried treats to the millions of customers who rely on the Colonel for part of their dietary intake.
So, let’s look at this in some depth.
The risk in this case that I would have captured in the risk register is as follows:
Disruption to distribution operations
The first thing to do is to identify the potential causes:
| Risk | Causes |
|---|---|
| Disruption to distribution operations | Disease affecting chickens results in shortage |
| Contract/contractor issues with producers | |
| Failures at distribution contractor | |
| Loss of warehouse | |
| Trucks grounded due to non-compliance | |
| Software system failures within ordering/distribution system | |
| Sabotage |
Although not completely familiar with the controls that would be/should be in place, below is an overview of what some of those controls might/should have been (stressing that these are an outsider/layman’s view of the organisation):
I have also assigned criticality to the controls based on the following table:
So, what does our risk register look like with all of this information included?
No surprises – this is one of KFC’s biggest risks, so all the controls would be critical.
The issues surrounding this risk did not materialise until after the awarding of a contract to a new distribution company. What this shows us is how important it is to continually assess the level of risk when the environment changes.
If we use the Likelihood Matrix below, we could assume, because there had been no such disruption previously, that KFC’s control environment was either very effective (most likely) or they had been extremely lucky:
| Ratings | Description |
|---|---|
| Almost Certain | Less than 10% of the critical controls associated with the risk are rated as either Effective or Mostly Effective. Without control improvement, it is almost certain that the risk will eventuate at some point in time. |
| Likely | 10-30% of the critical controls associated with the risk are rated as either Effective or Mostly Effective. Without control improvement, it is more likely than not that the risk will eventuate. |
| Possible | 30-70% of the critical controls associated with the risk are rated as either Effective or Mostly Effective and, if there is no improvement the risk may eventuate. |
| Unlikely | 70-90% of the critical controls associated with the risk are rated as either Effective or Mostly Effective. The strength of this control environment means that it is more than likely that the risk eventuating would be caused by external factors not known to the Agency. |
| Rare | 90% or more of the critical controls associated with the risk are rated as either Effective or Mostly Effective. The strength of this control environment means that, if this risk eventuates, it is most likely as a result of external circumstances outside of the control of the Agency. |
To that end, prior to the commencement of the procurement process, I would have assessed the risk as follows:
Prior to embarking on the tender process, it would have been important to recognise that, if there was a change of contractor, during the transition period, the likelihood of the risk would increase, based simply on the fact that the company was moving from a known to an unknown. To that end, I would have changed the risk level at the time the announcement was made to be as follows:
As a result, there should have been a significant emphasis on the controls during the transition to the new contractor. The likelihood may have increased further if the warning from the GMB Union had been taken into consideration:
When you consider that:
- The distributor’s IT system went down;
- There were massive traffic delays at the warehouse;
- The warehouse did not have the appropriate approvals to operate as a cold storage plan; and
- There were insufficient staff at the warehouse
then it would be fair to assume that these controls were not in place and were not effective.
What this clearly demonstrates is that whenever there is a change in operations or a new project within an organisation, there needs to be an assessment done on the extent to which the change or project will impact on the current risks to the organisation.
No chicken and no gravy makes for a massive hit to reputation as well as to the bottom line.
