Risks exist at discrete levels and entities within an organization. Manufacturing risks exist at manufacturing sites.
Supplier risks exist at supplier sites (including those of sub-tier suppliers). Distribution risks exist at suppliers and in upstream and downstream transportation and logistics systems. Legislative, compliance, intellectual property, and regulatory risks exist at the country or regional level for multinational enterprises. Finally, strategic risks exist at the business-unit or corporate level.
Enterprises must identify, own, and manage risks at the level they exist. Enterprises must also aggregate and report risks across the organization and vertically through business reporting structures. Enterprises should give risks that exist within multiple entities common, coordinated treatments.
When lower-level risks are identified at higher levels of the enterprise but not owned at those levels, it may be necessary to implement governance controls to assure that risks are managed throughout the enterprise and supply chain. Such risks may arise when franchises make for local consumption a final product whose performance will affect reputation of a more widely used corporate brand. They may also arise when performance of a lower-tier supplier disproportionately affects the reputation of a large manufacturer as has happened, for example, in the use of lead paint by lower-tier suppliers on toys ultimately assembled and sold by large firms with strong brand-name recognition.
Governance controls to manage such risks may include corporate leadership setting policies, procedures, and standards for lower levels to follow, with governance supported by compliance activities such as auditing. Enterprises cannot tell franchises how to operate their facilities, but, as they do with ensuring compliance with corporate social responsibility practices, they can provide guidelines.
The presence of differing risks at differing levels of an enterprise underscores the importance of defining the context within which a risk-management program is implemented. This includes suppliers, manufacturing, logistics (e.g., warehousing and distribution), customers, and other elements that can affect the supply chain. These elements will vary by industry, as will the efforts an organization can make to address them. For example, a manufacturing plant may have more control over assembly risks than a higher-level business unit, while a business unit may be better able to address supply-chain risks posed by legislative and regulatory issues and to coordinate efforts to mitigate some procurement risks.
A key decision in developing an SCRM program is the scope of the supply chain to include. Enterprises may initially focus on Tier 1 suppliers, or even prioritize among Tier 1 suppliers. In most cases, the scope should include all tier 1 suppliers and customers. In determining how much of the supply chain to include beyond the first tier, managers may wish to characterize inputs by the number of suppliers and number of customers. For example, at one extreme, for commodities with a large number of suppliers, it is likely not necessary to go beyond the first tier in considering supply chain risks. At another extreme, for materials with few suppliers or only one, it is necessary to consider risks among second-tier suppliers. Between these two extremes firms need to assess how critical a particular component is or how easily a supplier can be replaced and, if necessary, consider supply risks in the second tier for critical components or suppliers.
By repeating this process for increasing numbers of tiers of suppliers and customers, enterprises can capture the portions of the supply chain that have the greatest risks to operations. Such an approach is only a guideline; specific knowledge of an organization and its industry is necessary to guide decisions.
Mapping supply-chain processes can help enterprises understand the potential risks that exist as well as the organizations involved. Upstream, it originates with raw materials, parts, assemblies, and packaging going to suppliers, some of which may flow directly to the final production or assembly point as well. Distribution systems, including trucks, trains, ships, and aircraft, move components from suppliers to the inventory of manufacturers, as well as from manufacturers to the inventory of customers. Several elements are common to all these elements and can be the source of risks throughout the supply chain.
These include infrastructure such as buildings and equipment, utilities whether “raw” (e.g., water) or “converted” (e.g., refrigeration), process functions such as production planning or sales and operation planning (S&OP), and personnel, including salaried and hourly workers as well as temporary workers and contractors. Not all these nodes will have risks for all operations, but all should be considered.
Information flows should also be documented. Information can flow both upstream and downstream. In particular, information flows on downstream conditions can help upstream processes provide the correct quantity and quality of materials needed.
Organizations should map the supply-chain elements for which they are directly responsible and that they control. They should also extend the supply-chain map at least one tier up and one tier down, considering direct suppliers and direct customers including transportation and information links for them.
Firms may use several criteria to identify risks. Pareto analysis, also known as A-B-C analysis, can help firms identify the proportion of goods and suppliers on which it is most dependent in terms of profitability or criticality, and hence the goods and suppliers that can pose the most risk to the supply chain. More sophisticated portfolio analysis can help firms identify goods by both their value and the vulnerability of supply, and lead firms to focus their SCRM first on strategic or critical goods of high value and high supply vulnerability. These may include scarce or high-value items, major assemblies, or unique parts, which may have natural scarcity, few suppliers, and difficult specifications.
