
Risk Management for sustainable growth in the semiconductor industry


The semiconductor industry must strengthen risk management to achieve sustainable growth and profitability in a complex market.


In brief:

  • The semiconductor industry must invest in robust risk management to secure profitability amid rapid growth.
  • By implementing process and control improvements, companies can prepare for higher demand without expanding headcount.
  • Responsible use of AI is critical for sustainable growth and aligning with ethical business values.

The global semiconductor market is on the verge of experiencing massive growth, with predictions suggesting that revenues will exceed US$1 trillion by 2030. To sustain this exponential growth, the semiconductor sector must become a leader in risk management. In 2012, McCredie and Weijermars argued in the Petroleum Review that sustainable profits are generated by companies with the most rigorous risk management frameworks.

At that time, the oil and gas industry was experiencing high growth, largely driven by technological and operational advancements in hydraulic fracturing and new technologies enabling the safe extraction of hydrocarbons from challenging deepwater environments. However, the industry's aggressive pursuit of higher production rates and efficiency gains sometimes overshadowed the need for enhanced risk management practices such as rigorous safety protocols, resulting in a series of incidents. The aftermath of the Deepwater Horizon spill in 2010 highlighted the consequences of inadequate risk management, almost leading to the bankruptcy of BP p.l.c.

According to McCredie and Weijermars, a corporate disconnection from the changing business landscape and industry’s best practice commonly leads to a steep increase in the corporate risk profile. The authors explain that “Such a disconnection does not occur abruptly, but evolves gradually due to a decline in the organisational learning capacity, of which risk assessment is a key component. Corporate IQ development at all levels and accelerated corporate risk management must be in line with industry’s best practice. If the disconnect remains unrecognised and is not halted by management, the likely outcome is the eventual demise of the company.”

Graph: Business Environment Change & Adaptation Rates

Source: McCredie and Weijermars


The semiconductor industry now finds itself at a similar crossroads. Like oil and gas, the chip industry has primarily prioritized growth and cost efficiencies, often overlooking the risks associated with the logistical and technological complexities of its intricate supply chain. With the learnings from other industries in mind, we explore two areas where the semiconductor industry should invest to remain aligned with best practice and achieve sustainable growth.

Excellence in Process and Controls

Operational risk refers to the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events. The semiconductor industry is highly complex and sensitive to operational risks due to its reliance on precision manufacturing, sophisticated technology and the global nature of its supply chains. The many single-to-limited source dependencies mean that individual risks could become choke points in the entire supply chain that could cause shortages in the supply of critical materials and components. For example, material contamination has struck several of the large chip manufacturers in the past few years, causing entire production batches to be worthless. The automotive chip supply in 2021 was hit when electricity outages due to a winter storm halted production at one competitor, while another competitor experienced a factory fire. The number of incidents is likely to increase as the sector grows and companies are looking to include alternative suppliers, while the potential costs of failure increase as the feature sizes get smaller and the technologies become more sophisticated.

 

To manage these risks, companies must refine their business processes and controls to support exponential growth without relying on additional human resources. Across industries, we often see that companies are not maintaining and continuously reviewing their process and controls design against best practice. During periods of increased demand, companies often add human resources to scale up, while control incidents increase due to human error.

Companies in the semiconductor sector should now invest in the evaluation of their processes and controls to identify opportunities for simplification, standardization and automation, preparing their capabilities for handling larger volumes without adding human resources.

 

There are currently two other regulatory drivers which companies should leverage:

  1. The inclusion of provisions relating to the risk management statement in the Dutch Corporate Governance Code. The statement should provide insight into how an organization manages its operational processes and prepares for potential challenges, so that it can achieve its objectives.

  2. The EU Corporate Sustainability Reporting Directive (CSRD) requires Audit Committees to monitor the internal quality control and risk management systems regarding sustainability reporting. Many companies are aiming to complete the design of this control framework, initially aiming at limited assurance while targeting reasonable assurance towards 2028, when the EU is likely to require this level of assurance from the external auditors. However, the limited versus reasonable assurance debate applies to the opinion of the external auditors. Company directors are already being held accountable for the reliability of both financial and non-financial information disclosed in the annual report. Any material misstatement will lead to reputational damage, legal consequences and loss of investor confidence. Hence, companies should manage this reputational risk by aiming for an internal controls framework that provides reasonable assurance to protect their company directors now, rather than meeting a compliance requirement towards the external auditors in 2028.

While building on the momentum of these two additional drivers, companies should also take the opportunity to integrate internal control efforts. Many companies still have separate control frameworks for SOX404, operational controls and most recently for controls over ESG reporting. This siloed approach originated from the time when SOX404 controls were introduced, implying that they have a single purpose.

However, we now recognize that many controls serve multiple objectives. For example, materials inventory tracking and reconciliations are critical for revenue recognition (SOX404) but also to meet industry-specific regulations, such as the Restriction of Hazardous Substances (RoHS) and Registration, Evaluation, Authorisation, and Restriction of Chemicals (REACH). Additionally, these controls aid operational purposes in effective production planning and scheduling, which is critical in the semiconductor industry where production cycles are complex and time-sensitive.

 

Responsible AI

As the semiconductor industry positions itself for unprecedented growth, another critical area of focus emerges: the integration of Artificial Intelligence (AI). Many companies in the semiconductor industry are embracing AI to enhance chip design, manufacturing processes, supply chain management and supporting functions like finance and HR. Indeed, this sector should be at the forefront of utilizing the capabilities which are only possible due to their own technologies. The semiconductor sector should also be a frontrunner in managing the risks related to AI models. Currently, financial institutions are leading the way in this domain, building on their extensive experience with model risk management (MRM) capabilities, developed in response to regulatory guidance, that now serve as core components of their AI governance frameworks. The semiconductor sector can learn from the lessons of bank MRM programs as it seeks to mitigate risks associated with large language models (LLMs), machine learning (ML), and other types of AI applications or models.

Building such capabilities involves several key steps and questions to consider:

1. Define the governance over AI to align on AI adoption purpose, values and principles. An AI governance policy should provide direction on how AI technologies are used in a way that aligns with the organization's values, legal obligations, and societal expectations, while also maximizing the benefits and minimizing the harms of AI. It should also define roles and responsibilities across the AI model lifecycle between business, technology and various risk and compliance functions.

  • How do we prioritize use-cases considering business value, cost to build and the risk score?
  • Do we have the right governance practices in place to ensure that the use of AI does not harm our organization’s reputation or operations?

2. Define the AI risk management framework to ensure that appropriate controls are in place to mitigate risks related to AI.

  • Do we have an inventory of the AI solutions in our organization?
  • Do we have a framework to evaluate AI risks and controls?
  • Is our organization ready and aligned to emerging regulations?
  • Has our organization acknowledged the AI risks inherent in vendor-supplied software, hardware, and software-driven services?
  • Has internal controls testing been performed for AI risks?

3. Define an objective metric or scoring methodology (such as the EY AI Confidence Index) to evaluate and quantify risks of individual AI models and instill confidence in the models across the lifecycle, from inception to decommission. This means defining evaluation criteria and metrics across all responsible AI dimensions including accountability, bias and fairness, explainability, privacy (data protection), reliability, security, sustainability, transparency, and compliance. Aggregation into a single score enables decision making based on a trusted, holistic calculation for confidence, promoting responsible AI through measurable confidence levels.

  • Do we have a good view of our portfolio of AI solutions and the associated metrics across Responsible AI principles, to inform our AI strategy and help prioritize our innovation efforts?
  • Do we have a good view of the distribution of AI risks in our portfolio, to ensure it is aligned with our risk appetite?

4. Enable AI model monitoring through a technology platform where checks and balances are an integrated part of the AI model lifecycle. This promotes scalability through building and deploying AI solutions consistently.

  • Are our systems efficiently integrated with each other to be ready to scale our AI solutions in production?
  • Do we have an end-to-end automated process in place to ensure that our AI solutions are streamlined from development to deployment with version control, experiment tracking and continuous monitoring?
  • Is our solutionOps platform ready to adopt the latest emerging trends in AI, e.g. GenAI and LLMs?

Responsible AI is a cornerstone for the semiconductor industry's future. It ensures that as the industry progresses, it does so with a commitment to ethical principles, fostering innovation that is not only technologically advanced but also socially responsible and aligned with the greater good.


Summary

The article highlights the importance of continuously improving risk, process and internal control capabilities in line with best practice for companies in the semiconductor sector. Exponential growth requires scaling operations quickly. Processes and controls need to be ready for increased demand on resources, supply chains, and infrastructure, ensuring that growth does not outpace the capacity to deliver products and services reliably.

Just as the brakes in a car enable it to go faster by providing the driver with the confidence to accelerate, knowing they can stop safely when needed, risk management empowers the semiconductor sector to pursue exponential growth. This security allows companies to push the boundaries of innovation and market expansion, accelerating growth with the knowledge that their processes and controls are designed to prevent major incidents.

