Supply Chain Risk Management

Supply chain risk management (SCRM) is “the implementation of strategies to manage both every day and exceptional risks along the supply chain based on continuous risk assessment with the objective of reducing vulnerability and ensuring continuity”

Supply chain exposures: SCRM attempts to reduce supply chain vulnerability via a coordinated holistic approach, involving all supply chain stakeholders, which identifies and analyses the risk of failure points within the supply chain. Mitigation plans to manage these risks can involve logistics, finance and risk management disciplines; the ultimate goal being to ensure supply chain continuity in the event of a scenario which otherwise have interrupted normal business and thereby profitability.

Sometimes, it’s possible for supply chain logistics techniques such as supply chain optimization to prejudice contingency planning which would otherwise reduce the overall risk level for that particular supply chain.

Contingency options Some options to engineer an acceptable risk level include:

  • Managing stock
  • Considering alternative sourcing arrangements
  • Business interruption / contingency insurance

Risk Management Process

The risk management process describes systematically the framework and methods from initially identifying the risks to finally controlling them.

The first activity is to identify and describe all actual and future sources of risk – at this stage of the argumentation – to the company.

In a second step the risks are assessed. When determining the exposure of a company, risks are characterized through the quantification of the probability of the occurrence and the extent of the potential damage or gain.

The risk exposure can be illustrated by means of a risk map or risk portfolio, leading to a segmentation of risks into commonly three categories. Category A risks represent risks that have a potentially disastrous impact on the company, in terms of both high probability of occurrence and high damage potential (with only adverse risks normally included in the analysis). On the basis of this analysis, appropriate measures can be taken in order to control risks.

Measures are taken in accordance with the stipulations of the risk management policy. A feedback loop is obligatory to ensure the effectiveness of the measures.

SCRM Principles

Efforts to implement SCRM (Supply Chain risk Management) must address four principles: leadership, governance, change management, and the development of a business case.

Leadership support and guidance is essential to any successful SCRM program. An integrated and engaged leadership team can not only help identify risks well before they cause disruptions but also provide a quick and thorough response to any incidents that might occur. Ultimately, leadership, reporting and ownership of supply-chain risk should rest with senior management.

An effective SCRM team should include leaders from functions such as

  • Business continuity
  • Engineering and design
  • Enterprise risk management
  • Finance
  • Governance
  • Import/export compliance
  • Logistics
  • Manufacturing
  • Procurement
  • Quality
  • Security
  • Supplier management.

Differing functions should have representation on both the executive steering team and the implementation team. It is most effective to have an executive sponsor who is skilled in the area in which the firm faces the greatest risk. For example, if timely transportation of components is the most vital function for a firm and the one where it may face the greatest risks, then it may wish to have a logistics executive be the executive sponsor of the SCRM team.

Corporate culture, including the area that a company most wishes to emphasize to build its reputation, may also determine executive sponsorship for the SCRM team. For example, a manufacturing firm may choose to have a manufacturing executive be the executive sponsor of the SCRM team, regardless of the greatest supply-chain risks. One leading firm rolls up risks to the chief information officer, to whom responsibility for supply-chain risks was originally given. Another has a vice president of risk manager. A leading insurance provider has its chief operating officer assume ultimate responsibility for risk management. In many mid-sized companies, the chief financial officer may have ultimate responsibility for risk management.

The team should ensure that risk-management processes are embedded into business-function processes so as to ensure proper communication and collaboration on events. Regular (e.g., monthly) meetings of the implementation team can help ensure proper communication, as can less frequent but still regular (e.g., quarterly) meetings of the executive steering team. One leading firm briefs its executive board quarterly on supply-chain risks and what is being done to address them.

Ideally, a firm will have detailed governance procedures for a continuing supply-chain risk management team, including those on meeting structure, attendees, standard agenda items, and business-process deliverables. Typical agenda items might include process maturity, metrics, compliance, and audits; a review of risks and how the firm is addressing them, and sharing of knowledge and best practices. Supply-chain risk management teams should use inputs from lower-level working groups and process users to influence decisions of higher-level executives in determining appropriate resources and priorities for their efforts.

Establishing or improving SCRM in most enterprises represents a major change. Consequently, those implementing SCRM will need to pay particular attention to the tenets of successful change management. These include a compelling case for change, unwavering senior leadership support, and a clear vision of the future with the change. They also include development of an action plan for implementation as well as ongoing monitoring and refinement to reflect lessons learned. Lastly, they require sustained communication with key stakeholders through the change, proactive education and training so that personnel have the skills to execute the change, incentives aligned with the desired outcomes of the change, and adequate resources to successfully manage and implement the change.

Because resistance is natural and to be expected with a major change, those implementing SCRM also need to pay attention to the psychological and emotional aspects of the change. Linking it to other corporate supply chain objectives such as corporate social responsibility and carbon footprints can also be useful.

The business case for SCRM has several components. SCRM can offer cost savings by protecting against sales and market-share loss and rebuilding costs. SCRM can also offer enterprises a competitive advantage if it enables an enterprise to recover faster than its competitors. Disruptions carry costs as do workers who must log additional hours to compensate for shortfalls caused by disruptions and warehouses needed to store items needing key parts for completion. Identifying these cost savings can help justify SCRM investments, especially if these investments can otherwise help firms make the most of their resources. SCRM can also offer intangible benefits.

These include avoiding damage to reputation or brand that may accompany a supply-chain disruption as well as breaking down organizational silos, which is not only necessary for SCRM but can also help enterprises in other initiatives. As an example, a leading firm with an established, strong SCRM program, uses a metric titled “Time to Recover (TTR)” to reflect and measure the business case for investing in their SCRM program. Product output and revenue are directly impacted under multiple risk scenarios. By identifying, assessing, and mitigating these risks, this firm targets specific reductions in the TTR for their business. Forecasting TTR with and without risk mitigation shows the effects, in revenue, of SCRM. Indeed, this firm claims a focus on TTR metrics in its SCRM helped it save millions it would have lost in subsequent events.

Supply chain Integrity

Supply chain management can be described as a holistic management approach to integrating and coordinating the material, information and financial flows along a supply chain. Further, this includes the management of the interfaces between the partners involved in this chain, particularly from an information management and technology point of view.

A supply chain is basically a sequence of processes – however, the processes are owned and managed by different legal entities. This requires inter-organizational cooperation. Conflicting interests due to the legal and economic independence of the supply chain partners need to be aligned to a single supply chain objective. If successful, the competitive advantage of these partners increases considerably.

There are a number of implications of supply chain management on risk management. As already said, risk management is an important tool in ensuring the economic integrity of an organization. This holds particularly true if the boundaries of the organization are clearly set, for example by means of arm’s-length transactions. In a supply chain management environment these boundaries become blurred, which does not mean that they no longer exist legally, but operations-wise it becomes very difficult to identify the separating line between the two companies. Just consider employees of a logistics provider doing packaging work on the premises of the shipper. The implications on the risk management system are obvious – the scope of traditional risk management is to be extended to integrate a supply chain. At the same time, having to ensure process quality, risk management evolves into logistics.

Parallel to an expansion of the scope of managing a supply chain, risk management has to grow in responsibility as well higher the degree of integration along a supply chain is, the larger the required scope of risk management becomes. And the concept of supply chain risk management is raised.

Practitioners can agree to these definitions and clarifications, and they will clearly see the need for an inter-organizational management of risks. As with organizational or company-specific risk management, identifying the relevant risks is the first task to master in the process of supply chain risk management. It is here that the first challenges are encountered.

Risk Assessment and Mitigation

The process of supply chain risk management is similar in all respects to the process of company-specific risk management. A preparatory step is to define a risk management policy. Along a supply chain, companies with different industry backgrounds, sizes and ownership structures have

to work together to achieve a common goal. Their differing interests have to be merged in a consistent risk management policy.

Having clarified how much risk the partners are prepared to take, the identification of supply chain risks is the next step. The different types of risks inherent to a supply chain: exogenous and endogenous risks. The former result from the interaction of the supply chain with its environment, whereas the latter stem from the interaction of the supply chain partners.

The endogenous risks can be divided into the categories of organizational risks (those of individual partners) and specific risks from integrating, coordinating and cooperating along the supply chain. Company-specific risks are adequately described in traditional risk management maps. Specific supply chain risks can now be identified, for example risks from the sharing of information on integrated platforms (integration), risks of a high level of interdependence among the partners (cooperation) and risks stemming from interwoven processes (coordination).

The prime objective of supply chain risk management is to identify those risks posing a major threat to the supply chain. A measurement tool is needed here to help transfer (existing) company-specific risk maps into a supply chain risk map and to integrate the supply-chain-specific plus the endogenous risks.

The company-specific risk portfolios form the basis for an ABC classification of these risks, ideally after an inter-organizational risk-controlling process. The ABC classification leads to a two-dimensional matrix showing the probability of the risk-relevant event and the net impact (after company- specific risk management) of this event (level of damage in monetary terms). The product of the two gives the expected value of the risk.

The ability to reduce business risks is to be preferred over other measures. On a supply chain level, risk reduction includes a particular focus on interfaces. Risk transfer – although comparatively easy to achieve in traditional risk management, for example by means of buying insurance – is by definition a difficult approach for a supply chain, as we are obliged to look not at individual companies but at the whole chain. Risk compensation along a supply chain – on a company level achieved through provisions or hedging – manifests itself in rules governing cooperation between the partners. One partner is obviously not prepared to compensate another one monetarily. However, compensation can be initiated through behaviour. Partners might agree on defined actions to be taken on a mutual basis.

Risk compensation in terms of mutual rules is to be delimited from risk transfer measures, for example outsourcing or vendor-managed inventory (VMI). The latter measures feature a far more institutionalized contractual basis. Whereas in rules-based risk compensation schemes each partner takes risks (close to risk acceptance), transferring risks among the partners means selecting those partners that are willing to take a risk from another. In a supply chain perspective this only contributes to an indirect reduction of risks, as the risk is transferred to the partner that can manage it better than the other.

Supply Chain Risk Factors
SCM Internal and External Environments

Get industry recognized certification – Contact us