- Corporate Security
- Governance, Risk & Compliance
- Information Security
Governance, Risk and Compliance
By Resolver Modified February 7, 2021
Lululemon Athletic Inc. is, by all accounts, one of the most successful clothing retail companies in North America. The industry leader for yoga apparel has been known for its impressive growth, brand and profit stories ever since opening its first store in Vancouver, British Columbia in 1998. With over 200 stores throughout Canada and the United States, and more than $1 billion in annual revenue, Lululemon is an organization that many Canadian retailers try to emulate.
However, on March 18th, in a classic example of the old adage that “nobody is invincible,” one of Lululemon’s greatest risks became a reality.
After several customers complained about the overly revealing nature of Lulu’s signature black Luon yoga pant, the company was forced to recall 17% of its bottoms and remove the remaining inventory of the product from their stores. The recall will cost the company an estimated 67-million dollars this year alone.
“The ingredients, weight and longevity qualities of the pants remain the same but the coverage does not, resulting in a level of sheerness in some of our women’s black Luon bottoms that falls short of our very high standards,” the company said in a statement shortly after the recall.
Lululemon attributed the issue to the complexity of manufacturing Luon and their supplier’s failure to create a product that met company standards.
“While the fabric involved may have met testing standards, it was on the low end of Lululemon’s tolerance scale and we have found that our testing protocols were incomplete for some of the variables in fabric characteristics,” said the company in a statement describing what went wrong. “When combined with subtle style changes in pattern, the resulting end product had an unacceptable level of sheerness.”
From a risk manager’s perspective, some key questions should be asked; what caused this risk to become a reality, what lessons can be learned from this risk materializing and what can be done to prevent this risk from creating other risk occurrences.
What makes the Lululemon case so interesting is that they had identified the exact risks that occurred in formal documentation. In their most recent Form-10K, released in March 2013, the company lists 26 risks.
Two of those listed risks relate directly to the threat of poor manufacturing resulting in a poor product:
Now that we know Lululemon was aware of these risks, the glaring question becomes: Why wasn’t their risk management process able to prevent this from occurring?
Did they identify any action items that would attempt to mitigate or prevent this risk – and were they significant enough to warrant independent, objective testing of the key controls that had been installed to address the risk? Based on the fact that Lulu clearly identified the above risks in their 10K we can infer that a quality control process existed, and that this process should have been responsible for review of the material quality as new products were introduced and changes were made to materials and the manufacturing process. So, how did it go wrong?
The controls they had in place to ensure “very high standards” were either A, not operating effectively or B, not designed to adequately reflect the impact of this risk on the organization. Failure A has a simple solution: Monitor the control effectiveness, perform testing and independent audit or review, and close any gaps found. Failure B is more complex: What priority was given to this risk? Was the impact of this risk assessed with a large enough magnitude to warrant strict controls? Did efforts to drive down costs and increase profits compromise the “very high standards” Lululemon swears by?
It’s easy to see how an organization seeking to lower manufacturing costs would accept a higher risk around manufacturing quality if they had assessed the quality in isolation. However, enterprise risks have, as the name infers, an enterprise effect. It is extremely rare that a risk occurs in isolation.
We will likely never know exactly what caused the risk related events at Lululemon to materialize, but a review of risks listed in their Form 10K suggests there are opportunities for improvement.
The first opportunity links to how Lululemon’s articulation of risks could be enhanced. In some cases the risk descriptions were too vague and in other cases too specific. Sometimes multiple risks were even grouped together, leaving room for confusion.
The best practice when communicating risks is to list them as events. In listing a risk as an event, it is easier to assess the impact and likelihood and consider what risk treatments could be applied to prevent the risk. A graphic example of one of Lululemon’s risk descriptions that could be improved is their third-party supplier risk:
“We rely on third-party suppliers to provide fabrics for and to produce our products, and we have limited control over them and may not be able to obtain quality products on a timely basis or in sufficient quantity.”
If we were to describe this risk as an event, it would look as follows:
“A third-party fabric provider delivers product that does not meet our specifications.”
“A third-party fabric provider is unable to provide quality products on a timely basis.”
“A third-party fabric provider is unable to provide quality products in sufficient quantity.”
The first thing you’ll notice is that there are now three risks, not one. When written in their original form, it would have been easy for a risk manager to be confused. Now that the specific events have been separated, they can be voted on as unique risks in which the impact and likelihood will vary.
Another area of improvement is the clarity of the risk descriptions. Previously, the risk description was vague, which often leads to poor estimation of risk likelihood and impact. In the new format the risk management team can assess each risk, understand its likelihood and impact and prioritize based on the results.
Secondly, identifying key relationships between risks can help management better understand critical points of failure. In doing so, management may see the need for added control testing to help detect and prevent a cascading risk event. A cascading risk event occurs when one risk triggers a number of additional risks to be realized. In an effort to identify some of these potential risk relationships, we brought together several risk management professionals in a risk assessment session. Using Resolver Ballot, a risk assessment technology, the group gathered to vote on the relationship between risks listed by Lululemon in its annual Form-10K. Officially known as “Relationship Modeling,” this voting process allows risk managers to vote on whether or not the occurrence of one risk will increase the likelihood of another risk occurring. Once the process is complete, a flow chart is automatically created, using the voting results, to give a visual representation of the relationship between risks. Interestingly, the risk assessment session indicated strong relationships between supplier risk and other risks on their 10k which have, in fact, now materialized. These risks include:
Indeed the potential domino effect spurred by these relationships has come to life, demonstrating the potential for risks to cascade and impact the organization across multiple dimensions. For example, shortly after Lululemon’s recall, a couple of major actions were taken by the company:
Fortunately, long term impact to the company’s reputation and shareholder value can be minimized by employing a strong crisis management response. To do so, the company must identify and communicate what went wrong, as well as the steps being taken to prevent future occurrences, in a timely and transparent fashion.
Lululemon appears to be well on their way to a strong recovery and will assuredly emerge with enhanced risk management and assurance processes in place. That comfort will allow their suppliers, management team and the Board to move confidently toward supplying the market with technically advanced, highly functional and fashionable clothing in which yoga practitioners can relax, breathe and not worry about risk.
If you wish to learn how to assess and manage risk in your organization, request a demo from Resolver and one of our representatives will contact you to schedule the time. For more risk management case studies visit our Resources hub.
UPDATE: On June 11th, 2013 Lululemon CEO Christine Day resigned. Although the organization has yet to release an official reason for her departure, RBC Capital Markets’ Howard Tubin says it likely has to do with the original pant recall.
“We assume her pending departure is in some way related to the sheer pant issue,” Tubin wrote in a note to clients. “Ms. Day’s departure, along with the recent departure of the chief product officer, continues to bring a new level of uncertainty to the Lulu story.”