Philip O'Keeffe and Chris Monk say that many organisations are still failing to embrace effective supply risk management – and give some tips on how it should be done
Dangerous time
Philip O'Keeffe and Chris Monk say that many organisations are still failing to embrace effective supply risk management – and give some tips on how it should be done
Almost all organisations that deliver goods or services to customers use supply chains. As a result, whether you are an electronics manufacturer using just-in-time inventory, a financial institution using an outsourced provider for clearing and settlement, a global pharmaceutical company with outsourced manufacturing, or an online retailer using a shipping provider for order fulfilment, there is risk of supply interruption affecting your own and your customers' businesses.
The real risk of supply disruptions is reduced revenue and profitability, decline in stock price, loss of market share, customer dissatisfaction, and reputation damage. The risk is real; the impact can be catastrophic.
More and more organisations recognise these risks to their businesses and the leading ones are now implementing capabilities to help identify all possible disruptions and sources of disruption within their supply chains. This involves taking steps to either prevent significant supply disruptions from occurring or minimise the impact if a supply disruption does occur.
This is the process of supply risk management.
Defining supply risk management
Supply chain management concepts and practices have been with us for decades and have contributed greatly to the effectiveness and efficiency of many organisations. Risk management is a topic that once exclusively concerned commodity traders, auditors and insurance professionals, but it has since spread throughout the business community. In this feature, we will show the relationship between supply chain and risk management by defining the basics of supply risk management, and describing what organisations need to do to begin to move from an ad-hoc, reactive approach to a more repeatable and active strategy.
Let us start by defining risk. A risk can be defined as a process variation (or uncertainty) and its impact on the output (or exposure) of that process. To put it another way, risk equals the product of exposure and uncertainty. Risk applies to all organisations, across all industries, in all processes and in all applications and technologies. If controls are not in place to help ensure the desired outcome of a process each time it is performed, the result is process variation, with potentially undesirable outcomes or exceptions.
Risks are also inherent in core business strategies. For example, there is risk of supply interruption where the source of supply to an organisation is impeded by some internal or external factor, causing a delay in operations. This can trigger a cascading effect on supply and affect customer service, costs, and lead times. Some of the business strategies that increase this risk are the very ones that ‘best in class’ organisations are employing to improve their supply chains and cost performance, including low cost country sourcing (LCCS), outsourcing, sole/single sourcing, just-in-time and lean manufacturing.
These strategies often enable organisations to realise lower costs, higher margins, and improve quality and performance. However, strategies like these have increased the risk of supply interruptions. If not properly mitigated, there is often a direct correlation between an increase in supply chain efficiency and an increase in supply interruption risk.
These strategies are inherently more risky from a supply assurance perspective. For example, by executing an LCCS strategy, organisations expose themselves to a new set of risks and issues. Terrorist attacks, natural disasters, tariffs and trade agreements and customs are now a common concern for continuity of supply. Outsourcing can reduce the visibility of supply networks and increase the risk of nasty surprises. Single and sole sourcing can improve product cost, quality and replenishment lead times. However, the more dependent a company becomes on a single supplier, the greater the risk of supply interruption if that supplier has financial, operational, regulatory or other problems, or becomes subject to external factors that affect their operations.
What risk management entails
Risk management is the process of assessing, monitoring and managing risk exposure. By actively recognising the risk, reducing the potential impact or the likelihood of occurrence, and putting contingency plans in place, an organisation can ultimately achieve competitive advantage – increase market share, reduce costs, improve process performance, improve customer service and so forth. If a risk also affects your competitors and you are adequately prepared to mitigate, exploit or respond to it, that risk can be viewed as a competitive opportunity.
Supply risk management addresses any source or outcome of risk that may impair the organisation's ability to supply a product or service. It covers a broad scope, from supplier-centred risks (bankruptcy, financial insolvency, performance and quality issues, discontinued production), to external or environmental factors (regulatory, legal, natural disasters), internal factors (under forecast, manufacturing capacity, performance or quality issues, warehousing, failure of critical systems) and other supply chain issues (product damage during distribution, labour strikes, geopolitical events).
Determining risk management capabilities
The approach we use to assess a company's or product's supply risk and the methodologies applied to help identify, measure and manage it are shown in Fig 1.
Effective supply risk management has several critical and interdependent elements:
• an executive-led supply risk management commitment, strategy, policies
• a defined and sustainable set of processes and procedures
• a process that is managed and run by skilled teams and individuals from all relevant departments across the organisation
• a process enabled by real-time, relevant and actionable information for decision making and control
• information that is produced using efficient tools and dashboards connected to all necessary sources of risk and control information
• availability of high-integrity data from internal operations and external operations systems, subscription and other websites.
These six elements comprise a holistic view of risk management, taking into account all capability components necessary (see Fig 2).
If any one element is deficient, the entire process will be undermined. All six elements of supply risk management capability are required in order to:
• determine appropriate vision, strategies, policies and commitment to process capabilities – and a roadmap from initial assessment and continuous risk identification and management ('project to process')
• design and implement the range of processes to identify, monitor, report and mitigate the risks
• assign responsibilities for supply risk management, train people in risk management practices and concepts, and embed risk management in the organisation's culture
• develop metrics, reporting capabilities and decision-making capabilities to identify, manage and monitor risks
• define information methodologies and dashboard tools (what-if analysis, contingency planning, strategic sourcing, supplier and supply market risk assessments, contract management)
• develop (a) connectivity and (b) data integrity standards required for the extraction of market and supplier-specific data, emerging forecasts and news as the foundation for risk management processes.
There lies the danger
Supply risk management has garnered a lot of attention as a result of terrorism, hurricanes, famous supply interruption case studies, regulatory changes and so on. There are compelling reasons to adopt emerging supply risk management concepts and practices. However, our studies and those by other firms reveal that the majority of organisations have yet to embrace supply risk management. The most recent study by the Aberdeen Group, published in March 2007, has the warning title Supply Risk Increasing While the Market Stands Still.
There are a number of symptoms or indicators of need, that if present, should be given immediate attention. These include:
• recent supply interruptions or fear of interruption
• lack of visibility throughout the supply chain, including to key second or other tier suppliers
• supplier capacity issues and constraints
• inconsistent product quality or performance
• regulatory changes or exposures
• supplier rationalisation and consolidation initiatives
• heavy reliance on outsourcing or global sourcing
• use of single or sole sourcing arrangements for critical items
• dependency of key supplier on too few customers
• high dependency on a specific product for profitability
• use of lean processes and just-in-time inventory principles
• lack of understanding of risks, the impact of risk and the likelihood of risk
• lack of supply interruption contingency plans.
Some tips for getting supply risk management in motion
Successful companies start with a vision, get to the basics, build a repeatable process, and gradually build capabilities to achieve the desired state over time. This is what we call 'project to process'.
Start by agreeing upon a set of what are considered to be the most relevant areas of supply risk. Then, conduct detailed risk assessments that are focused across critical sources of risk for supply and delivery (internal manufacturing, suppliers, contract manufacturers, distribution centres, regulatory and geopolitical events). Include relevant recent internal audit reports and resurrect information on significant disruption events or near misses. Look also for trends or recurring themes. If required to comply with the Sarbanes-Oxley Act, use process, risk and control documentation from that initiative. And many current supply chain and procurement best practices can and should be leveraged for effective supply risk management and control.
Use procurement spend analyses to answer the basic questions: how much is spent, with whom, and for what. Understand the procurement category profile, risk areas and supplier dependencies. Begin to understand specific risks for critical categories or sources of supply and distribution. Supply risk management will probably lead to a (re)commitment to excellence in strategic sourcing and supplier management disciplines – core and key proactive supply risk management practices.
Revisit contract management and control practices, from planning, through selection, to post award management – critical supply risk management and control tools! Assess the financial viability of key suppliers continuously and work to achieve visibility of second tier suppliers. Examine how effectively planning data is shared among the supply chain partners. Start to build out the reporting, analytical and exception management dashboards and systems required.
Use financial measures to further prioritise potential issues, impact and opportunities. Document existing controls and capabilities, assess control design effectiveness, and test control operating effectiveness to determine likelihood or probability of risk occurrence and subsequent residual risks. Improvements or control mitigation plans should be prioritised based on a return on investment (ROI) calculation. And executive-led and cross-functional sales and operations planning techniques should be leveraged to help to put the risk and opportunity decisions and scenarios in front of senior management routinely.
In summary
If supply risk management is a concern for your organisation, we recommend that management act right away to design and implement a supply risk management process to:
• identify, understand and address current and emerging supply risks
• make the decisions and investments and take the actions to mitigate key and imminent risks
• commit the organisation to evolve from the initial assessment and corrective action (project to process) state by developing and implementing a vision and plan to achieve effective risk management across all elements of process capability.
Philip O'Keeffe, Tel: 312 476 6393, E-mail: philip.okeeffe@protiviti.com, and Chris Monk, Tel: 713 314 4970, E-mail: christopher.monk@protiviti.com, are members of Protiviti Inc's supply chain risk management services line leadership team