A solid risk management program, from initial deployment to sustainable operation, includes a robust and ongoing risk identification and assessment process. That is, it includes a risk-assessment process that is able to evaluate a wide variety of risks over time.
The risk-assessment process should distinguish between risks that should be included in the risk-management process and those that should not. Normal variations in product demand and quality, and those that are maintained within acceptable limits, do not represent risks that should be included in the risk-management process. Characteristics that can cause abnormal variations, that is, those which the supply chain cannot flex and respond to, should be included.
Risk Identification
Developing an initial risk register, which is a one-time effort, is necessary to identify baseline risks. Too many organizations start a risk management program without knowing what threats the organization faces, or what consequence a disruption would have. As a result, they focus too much protecting against the wrong threats or too little protecting against threats that matter. Worse, they may fail to anticipate important threats, or fail to recognize the consequence an apparently minor threat may have.
Risk identification might begin with brainstorming sessions, previous risk assessments, surveys, or still other efforts to identify and list potential risks within supply-chain processes. Reference works that can help with identifying risks include those from the British Standards Institution (BS 31100:2008), which offers a code of practice for risk management, and from the ISO (ISO 31010:2009), which offers a compendium of risk assessment techniques.
A business-impact analysis can help a firm evaluate the threats a firm might face and their consequences. Such analysis might start with a “worst-case” scenario focusing on the business process that are most critical to recover and how they might be recovered remotely. A business-impact analysis should identify critical business functions and assign a level of importance to each function based on the operational or financial consequence. It should also set recovery-time objectives and the resources required for these.
Examples of threats an organization may wish to consider for mitigation, are
External, End-to-End Risks
- Natural disasters
- Accidents
- Sabotage, terrorism, crime, war
- Political uncertainty
- Labor unavailability
- Market challenges
- Lawsuits
- Technological trends
Supplier risks
- Physical and regulatory risks
- Production problems
- Financial losses and premiums
- Management risks
- Upstream supply risks
Distribution Risks
- Infrastructure unavailability
- Lack of capacity
- Labor unavailability
- Cargo damage or theft
- Warehouse inadequacies
- IT system inadequacies or failure
- Long, multi-party supply pipelines
Internal Enterprise Risks
- Operational
- Political uncertainty
- Demand variability
- Personnel availability
- Design uncertainty
- Planning failures
- Financial uncertainty
- Facility unavailability
- Testing unavailability
- Enterprise underperformance
- Supplier relationship management
To identify risks, firms may also wish to consider
- Number and location of suppliers. For example, are there suppliers in countries with social unrest, terrorist or drug activity, or high levels of corruption?
- Number and origin of shipments. For example, have increased quantities or values of shipments posed additional risks?
- Contractual terms defining responsibility for shipping. For example, firms may specify security controls and procedures for their suppliers.
- Modes of transport and routes for shipments. For example, firms may ask their suppliers follow certified security procedures for ocean-container or truck-trailer shipments.
- Other logistics providers or partners involved in the supply chain (e.g., packaging companies, warehousing, trucking companies, freight forwarders, air or ocean carriers), who handle shipments. For example, firms may that logistics providers meet all certification standards form an official supply-chain security program.
Not all possible risks, of course, will threaten organizations equally. Locations are not, for example, equally at risk for meteorological threats to their operations. Organizations may wish to use operational exercises to determine if they have identified all plausible threats for a given location. They may also wish to use such exercises to analyze risks and evaluate their responses to them.
The initial risk register, even if including all identified risks for mapped processes, will likely not cover all risks, or even all significant risks to the supply chain. It is a starting point to identify relevant supply-chain risks. Once the baseline risks are identified, the organization should periodically review the status of risks in the risk register, incorporating new risks as they develop and eliminating risks that are no longer relevant.
Risk Analysis
The risk analysis process should estimate the likelihood and consequence of risks facing a firm and accordingly prioritize them for ultimate treatment. To begin, firms may choose to rank risk events based on a qualitative overall risk level. Such a simplistic approach should only be used for the initial risk register, but provides an easy way to quickly prioritize perceived risks and select those that should receive priority attention.
Once an enterprise has identified its top risks, it may use more sophisticated methods, such as the bow-tie method, to fully understand the nature of the risk and to rate the likelihood and consequence of inherent risk (i.e., risk in the absence of any treatment) and residual risk (i.e., level of risk remaining after treatment). The bow-tie risk analysis method is a form of cause and consequence analysis—the two dimensions of risk events—and it clearly ties treatment actions against each dimension of a risk event.
For example, a manufacturer may face risk of shutdown resulting from an earthquake, a fire, a flood, failure of a key supplier, or temporary loss of workers due to an infectious disease outbreak. In analyzing its risks, it may wish to determine the likelihood of each of these events. Likewise, it may wish to rate the consequences of such events. Five-point scales of likelihood (ranging, for example, from less than 5 percent for the least probable to more than 90 percent for the most probable) and consequence (ranging, for example, from less than 2 percent of gross revenue or 4 percent of net revenue for the least consequential to more than 20 percent of gross revenue or 40 percent of net revenue for the most consequential) may suffice for this. Inherent and residual risks may then be calculated and compared by combining likelihood and consequence ratings before and after treatment.
Risk Evaluation
Enterprises may use their ratings of the likelihood and consequence of risks before and after treatment to evaluate residual risk levels against acceptable risk levels, that is, their risk tolerance. If the likelihood and consequence of residual risks is found to be greater than their risk tolerance, then enterprises need to devise further risk treatments to reduce the level of residual risk.
Acceptable risk levels will be unique to each organization and supply chain. They may vary by commodity, product, or service, as well as over time. Different risk-tolerance levels may be set for different levels of the organization. While generally tied to financial impact, through which risks may best be understood and compared, risks may also be tied to other corporate assets such as reputation. One leading firm even considers the consequence of potential risks by impact to stock price.
One way an organization may wish to assess its risk tolerance is through a risk “frontier” graph, plotting the likelihood of events by their consequence. Enterprises may find some risks to be of such low likelihood or to have such limited consequence that they do not warrant any further treatment or consideration. Those of greater likelihood or consequence enterprises may wish to reduce through various buffering (e.g., use of multiple suppliers or safety stocks) or other mechanisms of risk avoidance or elimination. Such mechanisms may seek to reduce the likelihood, duration, or consequence of a risk event.
Another means of evaluating risk is to use a “heat-map” showing risk-events on a matrix defining likelihood and consequence levels. This technique allows managers to easily see the relative likelihood and consequence of differing risks. To use this method effectively it is critical to have well-defined and consistently used criteria for the different likelihood and consequence levels.
