SUPPLY CHAIN RISK MANAGEMENT

Submitted to:
Dr. Masood Subzwari

Presented By:
 Muhammad Danish 8796
 Muhammad Ali 5979
 Jan Mohammad Khan 8694
 Table of Contents
S.No Contents Page Number

1 Letter of Acknowledgement II

2 Executive Summary 1

3 Introduction 2

4 Importance of Supply Chain Risk Management 6

5 The Risk of prevailing Supply Chain best practices 9

6 Proactively analyzing and mitigating Supply Chain Risk 10

7 Responding to Supply Chain Events 16

8 Capabilities needed to support Supply Chain Risk Management 18

9 Supply Chain Risk Management 21

10 Three Risk Management Guidelines 26

11 Distinctive capabilities for managing risk and achieving high performance 30

12 Supply Chain Risk Management is A Strategic Concern 34

13 Supply Chain Risk Management Frame work 37

14 Designing for Risk 39

15 Planning for undesirable 44

16 Understanding Supply Chain Risk 48

17 Monitoring and Executing to Risk Events 51

18 Conclusion 56

19 References 58

I
 Letter of Acknowledgement
April 29, 2009

Dear Reader,

Now that it’s all done, there’s finally time to reflect on the process. No report ever

grows full-bloom from a student’s head. It has hands to help it along the way: phone calls

for advice, serious review by professionals, critical notes and information from the World

Wide Web, and most of all the endless support of always available professor and friends at

the other end.

It is an honor for us to prepare the report on “Supply Chain Risk Management” which

was assigned to us by our respected instructor Dr. Masood.

We would like to thank Dr. Masood for providing us the guidance all along in order

to materialize our content for the report.

It was a pleasure creating such a report, on a topic so informative and practical, and

which also plays an important role in our lives today.

Sincerely

Muhammad Danish 8796

Muhammad Ali 5979

Jan Muhammad 8694

II
Executive Summary

Recent supply chain management optimization practices, while reducing costs and

leaning inventory levels, have left companies with unprecedented levels of risk exposure

and very little buffer inventory with which to recover. Many companies have recognized this

and are now undertaking supply chain risk management programs.

There are two sides to supply chain risk management;

 Risk assessment and mitigation,

 Responding to unanticipated supply chain disruptions.

Both are necessary components to an effective supply chain risk management strategy.

With strong risk mitigation strategies in place a company is ready to face a given supply

chain event. However, not all events may be anticipated. When these events occur, a

company must be prepared to respond quickly and effectively or risk suffering financial and

customer service losses.

To have an effective supply chain risk management strategy, a tool is required that

addresses both sides risk assessment and mitigation and event response.

This tool must support;

 Visibility and analytics capable of modeling the entire supply chain,

 Simulation combined with the ability to compare resolution alternatives.

1
Introduction

Unanticipated supply disruption or supply risk is a fact in business. Some of the

undesirable outcomes associated to its occurrence are firm’s inability to meet customer’s

demand or cause disruption to the operation of the organization.

Therefore, it is important for businesses to manage their supply risk. Clearly choosing

the right set of suppliers is an important decision as corporations continue to emphasize

supply chain partnerships to grow their businesses. Furthermore, as a result of the

widespread adoption of Just-In-Time production philosophy, typically smaller amounts of

raw materials or inventories are kept. This decision however has the undesirable side effects

of resulting in lost production capability in case of supplier delivery disruptions. Such

disruptions occurs due to supplier failure as well as from a variety of other factors such as

natural disasters, war, terrorism, outbreak of diseases and logistical factors

Since the early part of this decade, supply chain risk management has become

increasingly more recognized as a critical part of the corporate strategy. The move to leaner,

global supply chains and events such as severe weather, terrorist attacks and financial

instability have highlighted the risk of disrupted supply.

Traditional approaches to supply chain risk management have focused on risk

assessment and mitigation, the process of identifying those points in the supply chain that

are at risk and developing strategies to mitigate the risk should the worst happen. This

2
process is necessary and correct. Those companies best able to recover from a supply chain

event are those that are prepared.

There is another side to supply chain risk management. Despite the best planning

and the best preparation, sometimes an event happens that was not anticipated, or, the

event that was planned for happens, but the mitigation strategy didn’t work as planned.

When this happens, companies need to be able to react quickly to the situation, assess the

impact, determine the best response(s) and implement these responses in a timely manner.

An analogy to consider would be that of driving a car. Most of us drive our vehicles

every day. The worst case scenario would be to get into an accident. Similar to a supply

chain event, a car accident can result in injured people and always costs money. To prevent

accidents from happening, good drivers will,

 Follow the rules of the road,

 Keep their vehicle well maintained,

 Avoid high accident areas,

 Try to avoid inclement weather.

These are the mitigation strategies of a good driver.

Despite our best efforts, dangerous situations, most of which are caused by external

factors out of our control, occur that could result in a serious accident if not handled. Our

ability to respond when these situations occur can determine whether or not the accident

happens. Response in this situation uses the following process;

 Assess the situation (there is somebody in my lane going the wrong way),

3
  Evaluate alternatives,

 Hit the brakes (not enough time to stop),

 Swerve to the left (cars in that lane)

 Swerve to the right (looks clear)

 Implement the maneuver. (swerve to the right and avoid the oncoming car).

To avoid the accident, the response must be instantaneous. If the reaction is too long, the

results could be disastrous. This is the response to an unplanned event.

In supply chain risk management, companies strive to understand and mitigate the possible

risks, but despite these efforts, events caused by external factors outside of their control

may occur that were not anticipated. This means that the company must now respond. This

response must be very fast if the company is to recover from the event. The most prevalent

lag in the system is access to information on which decisions can be made, often referred to

as supply chain visibility.

There are several primary elements to a company’s reaction time,

The speed with which,

 The event is detected,

 The consequences are determined and evaluated,

 The people responsible for the consequences are identified,

 The team for responding to the event can evaluate several alternatives in a rational

and coordinated manner, and

 The suggested responses can be evaluated and a final decision made by senior

management.

4
The combination of these factors determines how fast a company can respond when a

disruptive event occurs.

5
Importance of Supply Chain Risk Management (SCRM)

In realizing the business objectives, organizations are very much dependent on the

supply chain partners and the influence of any link in the supply chain. To ensure that the

organizational objectives stand a better chance of being attained, it becomes necessary to

gain a full understanding of all the developments and uncertainties that could emerge at

any point in the supply chain.

Effective Supply Chain Risk Management provides a number of direct benefits:

 The ability to anticipate and respond promptly to external trends and developments.

 A focus on uncertainties rather than the certainties.

 Greater influence over your supply chain partners.

 Greater mutual understanding of the interests and problems of all supply chain

partners.

 A better balance between opportunities and threats.

 Management which is not based on the cost factor alone.

 Competitive edge through the acceptance of controlled risks.

In recent years, supply chain risk management’s profile has increased. A 2007 AMR

Research report indicated that:

“Nearly 50% of firms plan to implement or evaluate SCRM technology in the next 12 to 24 months,

indicating that penetration is relatively low and interest levels are quite high.”

6
“Managing Supply Chain Risk in the Supply Chain – a Quantitative Study;” AMR Research;

Mark Hillman and Heather Keltz; January, 2007

Source: “Managing Supply Chain Risk in the Supply Chain –

a Quantitative Study;” AMR Research; Mark Hillman and Heather Keltz; January, 2007

According to the same report, the following business trends are contributing to the

growing awareness of supply chain risk management.

Leaner supply chains

We have been driving the inventory out of our supply chains, saving money and

avoiding liability. Unfortunately, when a supply chain event occurs, there is very little buffer

with which to recover.

Global sourcing

More and more, companies are sourcing supply from around the world. Lead times

have stretched, visibility is limited and communications are difficult.

7
 Higher customer expectations

Consumers want instant gratification. Once the decision has been made to buy, they

want the product immediately. Slowdowns in the supply chain causing late orders can often

result in lost customers.

Complexity and interdependency of supply base

Instead of dealing with a set of component suppliers, supply chains today consist of a

network of contract manufacturers, with material flowing in all directions (it is not

uncommon for the brand owner to supply materials for their contract manufacturers –

making the brand owner a supplier and customer at the same time.)

Volatility and variability of demand

Add to this the shorter life cycle of today’s consumer products and life gets

interesting fast!

Increasing commodity costs and tighter logistics capacity

Making it harder and more expensive to ship goods around the world.

8
The Risks of Prevailing Supply Chain Best Practices

9
Proactively analyzing and Mitigating Supply Chain risk

There are three key phases to proactively managing supply chain risk,

 Visualize and understand risks that apply to the supply chain,

 Measure and prioritize the risks, and

 Take action – decide which risks need to be addressed and develop mitigation

strategies for those risks.

Let us describe one-by-one to understand how to accomplish each and the tools needed

to support these efforts.

Visualize and understand risks

The first step is to assess supply sources to determine which ones are most critical to the

business. The most effective approach is to evaluate which suppliers contribute the most to

top-level revenue. From an analytics perspective, a tool is needed that will identify the

ultimate parent of each component, then assess the component’s revenue contribution.

Further, the assessment must be deep as well as broad. The assessment can’t stop at the

contract manufacturer. The assessment must also evaluate components that the contract

manufacturer uses. A low risk contract manufacturer that uses high risk sources is still a high

10
risk. This broad and deep analysis requires a tool that provides visibility to the whole supply

chain including lower tier suppliers.

Once the supply base is prioritized in terms of their contribution to revenue, the risk

factors that apply to each supplier need to be assessed. This assessment is typically done

against the suppliers that contribute most to revenue first.

Supply chain risks can come in many forms. It is the responsibility of the risk assessment

team to imagine and understand these various types of risks. Supply chain risks at a high

level fall under these general categories;

 Natural disasters, (severe weather, fire, earthquake) that disrupt the supply chain.

These types of events are very difficult to plan for; however, knowledge of the local

geography of a supply source helps to identify those suppliers more at risk. (Is the

area known for hurricanes, earthquakes or wild fires?)

 Flu / pandemic, these types of events are similar to natural disasters in that they are

very difficult to predict.

 Economic risks, which supply sources, are experiencing financial difficulties?

 Political risks, which supply sources, are in an area of the world that is politically

unstable?

 Transportation risks, what transportation routes are used to move materials and

finished goods? What if that route is closed?

11
  Unstable Demand, is demand relatively stable? What if demand falls far below

expectation? What inventory liability will the company experience? What if demand

far exceeds expectations? Will the supply chain be able to keep up?

 Unstable Supply, is the source reliable? Do they provide good quality products on

time?

Measure and Prioritize Risks

These risk factors need to be applied to the supply base such that each supplier is scored

according to the risk factors outlined above. With the scoring of the suppliers and the

assessment of the impact each supplier has on the business, the supplier can be plotted on

a risk matrix similar to the one shown below,

Basic Risk Matrix

Source: “Supply Chain News: Understanding Supply Chain Risk Matrices”;

SupplyChainDigest; SCDigest Editorial Staff; July 13, 2008

12
 The colors indicate the relative urgency for risk mitigation. Red indicates that a risk

mitigation strategy should be developed and implemented immediately. Yellow, is less

urgent and green indicates a low urgency.

Take Action

Once there is an understanding of the various risk factors, there is a need to determine

where action needs to be taken. Not all risks will necessarily be addressed. For risks that fall

into the green areas on the matrix above a company may decide not to develop a mitigation

strategy at all.

The mitigation strategies can be different depending on the situation. For risks related to

the supply base, mitigation strategies could include;

 Sourcing from different suppliers,

 Developing supply sources in other parts of the world,

 Alternate modes of transportation, and

 Products re-design to use standard components.

For risks related to demand variability, mitigation strategies could include;

 Demand shaping,

 Postponement strategies, and

 Buffer inventory.

13
 The mitigation strategies must be modeled and tested. Given a different source, how

would the different lead times, costs, supply constraints impact the corporate metrics? To

test this effectively, the mitigation strategy is simulated and the results evaluated relative to

other alternatives and relative to corporate goals.

If the mitigation strategy chosen does not yield acceptable results, then a different

strategy needs to be chosen and evaluated.

Monitor, Review and Maintain

As time moves on, risk areas will change as will the mitigation strategies. Both the risks

and mitigation strategies need to be reviewed on a regular basis to ensure that new factors

are considered.

Supply chain risk management should not occur only a few times per year; it should be a

continuous process and monitoring of supply chain risk. It should include trends, not just

absolute numbers. Trends should be used as an early indicator to prevent risk situations

from occurring. Procurement teams need to be trained in risk management so that when

sourcing new suppliers, they can strive to add suppliers that reduce overall supply chain risk.

Logistics teams need to be trained to understand what routes are at risk and when. Supply

management teams need to recognize potential for inventory liability should demand for

given products disappear.

14
The Supply Chain Risk management Process

15
Responding to Supply Chain Events

As described in the introduction, there is a second side to supply chain risk

management; responding to supply chain events. Depending on whether or not the

disruption was anticipated or not, responding to supply chain events can take two forms;

 Responding to an unanticipated supply disruption

 Responding to an anticipated supply disruption by implementing the mitigation

strategy

In both cases, the key element is timely alerting that an event has taken place. You can’t

respond to something if you don’t know it has happened. The supply chain should be

monitored and an alert triggered when a disruption has occurred so that those who need to

respond are provided timely notification. That being said, alerting on the event is not

enough. The alert mechanism should be smart enough to alert you on the events that

impact the business.

An unanticipated event is a disruption that despite best efforts was not foreseen and

therefore does not have a mitigation strategy prepared. In this case, the speed with which

the company can react and respond can mean the difference between an insignificant blip

and a full-scale crisis.

An anticipated event is a disruption for which a mitigation strategy has been prepared.

In most cases, implementation of the strategy goes as planned, but sometimes there are

16
unanticipated problems; material shortages, capacity shortfalls, quality issues. In these

cases, being able to respond effectively can mean the difference between a fast recovery

and a painful crisis.

17
Capabilities needed to Support Supply Chain Risk

Management

While the need is high for supply chain risk management tools, the capabilities of most

supply chain risk management tools are not keeping pace. Companies are looking for tools

to help them assess supply chain risk, develop mitigation strategies and respond to supply

chain events both anticipated and unanticipated. As companies begin their evaluation they

should ensure that any risk management assessment and response tool provide the

following capabilities;

Visibility

In order to properly assess supply chain risk and respond to events, visibility across

the supply chain is required. This means that the supply chain risk management tool must

be capable of integrating with, and modeling ERP analytics from, multiple disparate ERP

systems, including systems supporting the supply and distribution nodes.

18
 Event detection and alerting

The sooner a supply chain disruption is recognized, the faster the response. An alert

that shows up in e-mail or a portable e-mail device will ensure that the appropriate people

are made aware of the event when it happens. Too many times, event detection is based on

the event itself. To be truly valuable, alert should be triggered based on the anticipated

impact of the event. For example, if a supplier goes out of business, but the loss of this

supplier doesn’t impact key metrics, an alert may not be necessary.

Analytics

The full suite of supply chain analytics needs to be modeled in the supply chain risk

management tool to ensure the impact of a potential supply chain event is understood.

When an event happens, analytics are used to model the event and determine the impact.

Above all, these analytics need to be performed in real time, especially when responding to

an unanticipated supply chain disruption. When an event happens, every second counts and

a company can’t wait days or weeks to understand the impact or to determine resolution

alternatives.

Simulation

Simulation is critical to both sides of supply chain risk management. When assessing

the risks, simulation helps to model different risk scenarios. Further, simulation is used to

model alternative mitigation strategies to ensure that they are sound. When responding to

19
an unanticipated supply chain event, simulation is used to model and compare the various

response alternatives.

Collaboration

The risk management team will need to evaluate several possible mitigation

alternatives. Members of the team will likely not have the detailed knowledge necessary to

explore all alternatives in the detail needed to develop a robust mitigation strategy. The

ability to bring other people into the evaluation process is critical both to validate the

proposed strategy and to propose key improvements to the strategy. Similarly when

responding to an unanticipated supply chain event, collaborating with those with the

detailed knowledge ensures that the response alternatives are reasonable.

Scenario comparison

In the process of developing mitigation strategies or responses, the team may

develop multiple approaches that potentially resolve the problem, but in differing ways. The

team needs to make a decision on which resolution or mitigation alternative best meets the

goals of the organization. One approach may extend lead times by 30 days, while the other

may increase the cost of goods sold by 10%. The decision on which approach is best needs

to be evaluated in light of corporate goals.

20
Supply Chain Risk Management

 A pro-active approach to ensure effective management of all potential risks through-

out the supply chain.

 Controlling risks throughout the supply chain in the most effective and efficient

manner.

 Establishing internal and external accountability to stakeholders with regard to risks

and their management.

 Monitoring current performance in supply chain risk management and the results

achieved.

21
 Every company has its own worst nightmares, its own way of thinking about what risk

means and implies. A brief list of supply chain risks are given below,

 Volatile fuel prices

 Disrupted supplies of raw materials or parts

 Increased complexity of products or service offerings

 Increases in cost of labor due to currency fluctuations

 Supplier planning/communication issues

 Changes in customer/consumer preferences

 Problems with manufacturing capacity

 Port operations and customers delays

 Service failures due to longer supply chain lines/lead times

 Service failures caused by supply chain partners (delivery, quality)

 Geopolitical instability

 Shortage of skilled resources

 Reduced accuracy of forecasting/planning

 Problems with logics capacity/complexity

 Inflexible supply chain technology

 Natural disasters

 Intellectual property risks from offshore supply chain relationships

 Terrorist infiltration

However, the sheer volumes of supply chain risk events are stark reminder that formulating

plans for each specific event is impractical at best. A more feasible and fruitful approach is to,

 Determine what kinds of risks are most probable and impactful, and

22
  Construct categories of events that make it simpler to manage and mitigate risk.

One possible way to accomplish this is to compartmentalize various types of supply

chain risk and determine the general relationship that exists between their probability and

their cost/exposure.

Logistics risk

Refers to the dangers associated with the physical movement of goods and

materials. The frequency and impact of logistics risks are best addressed by maximizing

visibility across the global supply chain using technologies such as GPS tracking, real-time

monitoring, and dynamic routing and scheduling.

23
 Supply and supplier risk

Speak to the potential disruption of raw material and component supplies. For this

category, prediction is critical, being proactive about supply analysis and having contingency

plans and relief suppliers available in the bullpen. Companies also mitigate supply risk by

doing frequent network and capacity modeling. And many have implemented advanced

tools with embedded business rules that help them formulate optimal responses. There

generally is a slightly higher risk associated with suppliers than with supplies. Still, both

types are top of mind, given today's political instabilities and fluctuating fuel prices.

Reducing supply and supplier risk could involve using more distribution facilities that reduce

shipping distances, and possibly implementing more near- or onshore material and

manufacturing sources to reduce shipping timetables and fuel costs. On the technology side,

advanced inventory optimization technologies are available that help quantify supply and

supplier risk and perform simulation analyses to gauge risk impact. To manage these risks, a

company must have the ability to gather comprehensive data and apply analytics to garner

new insight.

Cost/commodity risk

Is closely related to supply and supplier risk. All companies hope to discover supply

alternatives that are less expensive than what they are currently using. The risk is either

failing to recognize these opportunities or not being able to migrate when the opportunities

are discovered. Supply chain models can help avoid this scenario by determining at what

price or cost it makes sense to switch from one commodity to another.

24
 Capacity risk

Relates primarily to the integrity of a company's facilities or those of its business or

outsourcing partners. In this context, some failure probabilities can be calculated and risk

mitigated by using asset lifecycle management systems. Unfortunately, many companies

simply don't know what they have in terms of assets or what parts go into those assets. This

undermines their ability to understand and mitigate risk.

Other risks noted in probability and cost/exposure chart includes

Intellectual property risk

Which is often at the forefront in new product development.

Profitability risk and demand risk

Relate more closely to the supply chain than intellectual property risk.

They also can be addressed by more proactively shaping demand with analytical and

pricing tools and by applying lifecycle management technology to make core product

decisions. Profitability risk and demand risk are also a huge manufacturing issue.

25
Three risk management guidelines

A holistic lifecycle-focused resilience capability can reduce the

magnitude and duration of major disruptions.

Innovative companies can do more to minimize risk, not just craft a response to it.

They can manufacture locally as well as globally; source contingent suppliers and logistics

providers; better monitor and adjust inventories and safety stock; and establish more

geographically distributed or near-shore supply bases. They also can reduce risk by updating

their supply chain strategies more often than the usually accepted three to five years. After

all, the world's rapidly changing business conditions require supply chain networks that also

should change more frequently. Change is more of a constant then ever before, so

companies must design their supply networks with resilience and agility in mind. Following

are three basic guidelines for enabling effective risk-focused actions.

26
 Effective risk management programs are formal constructs

The leading-edge technology must be combined with business processes that are both

risk-aware and to the maximum extent possible self healing. In effect, the goal is to create a

formal entity-wide "resilience capability." Think of this as a lifecycle-focused methodology

for understanding, anticipating, accommodating and minimizing disruptive events.

Most organizations do not have a formal capability for quantifying, anticipating and

mitigating/ minimizing risk. Instead, their risk management strategies or "continuity of

operations plans" focus on major disruptions and specific assets, such as backup data

centers or offsite data-storage facilities. In effect, they are "asset-resilient" but not "mission-

resilient." In addition, few entities have evaluated the risks associated with new operating

models, such as increased global interdependencies; expanded outsourcing relationships;

and new mergers, acquisitions and partnerships.

Effective risk management programs are holistic

Companies need to think holistically about how to develop their risk management and

mitigation programs. Historically, most entities' approaches have mirrored the shortcomings

of their organizational models: poorly connected "functional silos," inconsistent access to

information, limited management-reporting capabilities, minimal collaboration, and

insufficient risk awareness across the enterprise.

27
 In recent years, many have sought to remedy the problem by developing enterprise-

wide (end-to-end) approaches to process-management and organizational structure. Such

insights are reflected in their development of more integrated risk management models.

However, these efforts still fall several steps short of an holistic, centrally guided and

governed approach to maximizing resilience, an approach characterized by,

 Unified presentation of data.

 Contextualization of data into actionable information.

 Real-time response capabilities.

 Robust, seamless reporting across all levels.

 Fully integrated access to information.

 Built-in collaborative capabilities.

 On-demand risk status and readiness assessments.

The net effect should be a "resilience lifecycle", a continuous improvement process

enacted to support and sustain key operating processes and reduce both the magnitude and
duration of major disruptions.

Effective risk management programs emphasize symptoms rather than

scenarios

The guiding force behind any company's risk management and mitigation program is

preparation: understanding what potential disruptions exist; the likelihood, severity and

duration of their occurrence; and the range of prioritized responses. The complexities of

today's environments make it nearly impossible to accurately identify all of the scenarios

that might occur. A better and more practical course is to focus on commonalities across

scenarios, shared symptoms. This means developing resilience frameworks not for work

28
stoppages, hurricanes, terrorist attacks and so forth, but rather for labor shortages,

destruction of property, supply disruptions and service outages.

Building a risk program around symptoms (the effects) rather than scenarios (the

causes) makes resilience development manageable because it acknowledges that many

events share characteristics, impacts and, most importantly, responses. As discussed above,

there simply are too many potential disruptions for a business to develop comprehensive

resilience programs for every one. For example, problems as varied as weather events and

labor-driven port closures evince a similar need to maintain core services and suppliers. We

often cannot know in advance when or where such upheavals will occur. But we can

develop symptom-based programs that speak to the need for quick responses regardless of

the specifics.

29
Distinctive capabilities for managing risk and achieving
high performance

One of the most important aspects of high performance is the development of

"distinctive capabilities", using innovation to build hard-to-replicate sets of processes.

Companies develop distinctive capabilities by thinking and acting in distinctive ways, one of

which is the ability to understand, anticipate, respond to, and (to varying extents) predict

and even avoid risk.

Here are several of the most distinctive risk-relevant capabilities.

Global visibility

Every year, supply chains get longer. As a result, visibility, observing the complete end-

to-end supply chain from the point of demand, through design, supply and manufacturing,

all the way to sales, consumption and/or obsolescence, becomes more essential. And it's

not just visibility; it's timely visibility, as close to real time as possible.

30
 Intelligent alerts

Shipping goods from Asia into the United States or Europe invariably means multiple

parties, ports and transportation modes. Discovering quickly where a delay will or likely will

occur for example, having alerts pop up via a global sensing mechanism, is key to finding

alternative ways to move goods. The more sophisticated a company is with intelligent alerts,

the leaner it can generally make its inventories.

Advanced analytics

It's not enough to capture, present and summarize information. Companies must have

the tools to work with the information they receive to walk the talk. These analytical

capabilities have not traditionally been part of applications that gather, summarize and

present data, but they are now key to making risk control part of a broader information

management package.

Leading-edge supply chain analytics embedded in planning applications enable

companies to interpret and classify alerts (for example, "Is this a supply issue, a demand

issue, a capacity issue, a customer-preference change, etc.?") and form conclusions about

what the data mean. Analytics also epitomize continuous improvement because they

constantly appraise the accuracy of conclusions reached in previous iterations. Traditionally,

only demand planning applications have done this. However, analytics capabilities can now

be imbedded in supply chain management transactions.

31
 Standardized processes and technologies

As companies expand and merge, the need becomes stronger to create business

processes that are consistent across internal functions and operations, as well as among

companies and the business partners and third parties with which they operate. A good

example is working with distributors to serve Asia Pacific markets. While it's unlikely that

identical systems and processes across organizations will be possible, it is nonetheless vital

that they be compatible, for example, with aligned order-management processes, naming

conventions, item definitions, enterprise applications and so forth. Technologically speaking,

priority must be given to bringing systems together. Service problems brought on by

technological incompatibilities are clearly a major risk item, one that can be significantly

reduced by adherence to open standards and business process integration.

Dynamic operations management

In the aggregate, the above four capabilities comprise dynamic operations management,

the ability to see and interpret supply chain information and dynamically adapt sourcing,

inbound supply, manufacturing and distribution operations accordingly. Imagine that out of

five containers on a delayed shipment, only two are critical (e.g., for a scheduled trade

promotion). Dynamic operations management could offer informed (cost/benefit based)

suggestions about what alternatives might be enacted for only those containers. It's the

leading-edge embodiment of event management, folding in actionable business rules to

identify, interpret and respond in near real time.

32
 There are innumerable ways that risk can be reduced and material value enhanced

when exceptional risk management capabilities are built into a supply chain's basic

structure. This is the nature, and the reward, of high performance, knowing better than the

competition what to expect, and having the capabilities to turn that knowledge to your

advantage.

33
Supply Chain Risk Management Is A Strategic Concern

Supply chain risk is about managing variability

Risk can be described as the possibility that a future state or outcome may not turn out

as desired. In a steady state environment, this possibility is low because there is minimal

variability in the system. But supply chains are constantly changing where the sources of

variability can come from customers, partners, suppliers, and internal operations. Today,

supply chain variability is increasing due to a number of trends. For example, demand-

related trends that contribute to variability include:

 Increasing product variety

While more choices make customers happy, increasing features and options make it

harder to forecast accurately at the SKU or end-item level.

 Increasing competition

Competition creates price elasticity, and the demand picture must be continuously

fine-tuned to attain revenue and margin targets.

 Decreasing product lifecycles

Changing customer trends are compressing product lifecycles and the time window

required to make margins.

34
 Supply trends that contribute to variability include

 Global operations

Along with its benefits, globalization has also opened a “Pandora’s Box” of risks, Lack

of standardization due to market or cultural reasons, political unrest, exchange rate

fluctuations, intellectual property theft due to lack of security or enforceability are all part

of the deal.

35
  Process fragmentation

While a focus on core competency has made companies more competitive, a multi-

enterprise supply chain also creates operational silos and communications disconnects,

making coordination extremely challenging.

 Long lead times

Many companies are forced to trade off the cost advantage of off-shore operations with longer

transportation lead times.

The root cause behind the dramatic increase in supply chain risk can be summed up as follows,

On one dimension, the scope of change is increasing (driven by customer trends), but on

another dimension, the scope of control is decreasing (due to outsourcing, etc.)

36
Supply Chain Risk Management Framework

Strategy: Designing the supply chain for risk

The Design phase essentially defines the boundaries of the risk management strategy. It

works just like an insurance policy in the sense that it about understands what risks you

want to protect yourself against, and how much you are willing to pay for that protection. It

is a deliberative exercise that involves a number of techniques and tools to weigh all the

decision variables and finally converge on the optimal supply chain network design that

balances all these objectives. The design phase also deals with the more qualitative aspects

37
of risk since it is often relative to a number of factors like industry characteristics,

management culture, etc

Tactical: Planning the risk mitigation scenarios

With the optimal network in place that is aligned with your tolerance for risk, the Planning phase

focuses on surfacing all potential deviations from the normal operating plan, evaluating their impact,

ranking these risks, and developing detailed contingency plans that are to be put into action in the

event of a disruption. The planning exercise reveals that the total numbers of feasible options to

mitigate risk are actually finite and relatively manageable, where the event and its resolution can

only be expressed in terms of three dimensions: Material, Capacity, and Information

Execution (& Monitor): Exercising the supply chain “reflexes”

The quality of planning is reflected in execution in terms of how quickly you can recover

from a disruption. The more thorough and detailed the planning scenario, the less time

needed to design or deliberate the appropriate course of corrective action. The other key

aspect of this phase is defining clear alert criteria that serve as the trigger mechanism to

launch the mitigation plan into action.

38
Strategic: Designing for Risk

The strategic or design phase must satisfactorily address the following question:

 Do I have the right supply chain network structure that is aligned with my risk

management objectives?

Answering the above question involves a number of activities or tasks which are

discussed below.

The framework needs to be flexible some of these activities can be accomplished in a

different sequence than listed below, and sometimes it may need multiple iterations.

Ultimately, the point of the exercise is to be thorough while understanding that the design

phase essentially defines the boundary of possibilities for the risk mitigation plans that will

be put into action.

State the risk management objective

Documenting the risk management objective helps provide guidelines to the executive

management team in terms of how it aligns with the business agenda, how important it is

relative to other initiatives, and what the cross-functional team needs to look like. Start by

asking some basic questions at a high level to create a vision for Risk Management,

39
  Why are we doing this?

 What is it that we want to protect ourselves against? (Disruptions)

 What should we do? (Alternatives)

 How long it will take to recover? (Time)

 How much inventory do we need to carry to cover for disruptions? (Cost)

 How will we know success? (Metrics)

Determine the risk appetite

This step is about gaining a deeper understanding of what risks you want to protect yourself

against. A few points to keep in mind,

 It should be comprehensive

Currently, there is no single formula or standard approach to assessing the risk appetite

for a company’s supply chain. While we chose to classify the risks in the four categories as

how you choose to do this for your business can be different.

 It should be interactive

A facilitated discussion would be a good way to administer the questionnaire to capture

all the relevant risk dimensions (at least initially, in case you wish to administer this to a

larger audience as a traditional survey.)

40
  It should be iterative

The discussion format helps to evolve the questionnaire by verifying, adding, modifying,

or deleting questions to get to the one that is right for you.

 It should be both qualitative and quantitative

Since tolerance for risk varies by individual, there is an element of subjectivity to the

exercise. The ability to capture these inputs across multiple respondents and “normalize”

the answers for the group will require knowledge of data collection and analysis methods to

accomplish this exercise.

41
 Define the Risk Management organization

The Risk Profile helps the executive team understand (at a high level) if there are indeed, gaps in

the current risk management strategy, and subsequently create the appropriate organization who is

tasked with closing these gaps. In addition to the team internal to the enterprise, the organization

chart should also identify the appropriate Risk Management counterparts in the partner

organizations upstream and downstream in the supply chain.

Perform the SWOT analysis

In addition to reviewing the data from the Risk Appetite survey, a SWOT analysis

(Strengths/Weaknesses/Opportunities/Threats) can be an effective tool to help the members of the

Risk Management team get aligned on a shared, high-level view of the Risk Management strategy.

Design the optimal supply chain network

The final task in the strategy phase is to ensure that the supply chain network is designed to

meet the stated Risk Management objectives. It is an iterative process that involves the following

steps;

 Since there is already a network structure in place, the first step is to map the “as-is”

network structure in terms of cost, lead times, inventory levels, supplier quality, etc.

 Next, we analyze the alternatives and compare the implications of different structures such

as nearshore, off-shore operations, etc.. This step must wait until the Planning phase flushes

out the various mitigation strategies.

 Analyze the network in terms of redundancy vs. reliability

42
 Select the optimal network structure. Given the strategic nature of these changes, it may

take time to implement some of the decisions to align the network with the risk

management objectives.

43
Tactical: Planning for the “Undesirable”

Following the decisions regarding the optimal network structure, the tactical or planning

phase must satisfactorily address the following questions;

 Do I understand all the possible risk events or deviations from normal operating

plan?

 And do I know of all possible alternative plans in case these events happen?

Planning for Risk requires a different perspective. Traditional supply chain planning is

about creating a single optimal plan that is released to execution. This supply chain plan

assumes “normal operating conditions” and assumes a fixed network path across the nodes

(i.e. N1—N2—N3—N4…Nx) as depicted in Figure.

44
 In contrast, Risk Management involves MULTIPLE “network paths” or contingency

plans for any deviation. The example shown in Figure above shows an exception event

occurring at N2. We show two possible mitigation plans to correct the deviation, each

triggered when a certain level has been reached in the “risk threshold”. The thresholds can

be time-based (expedite window) or cost/severity-based (port strike), or tied to specific KPIs

defined by the Risk Appetite assessment.

Unanticipated events are a fact of life and deviations will occur, but through proper

planning it is possible to quickly get back on track before it is too late. i.e., before they have

exceeded the risk tolerance level.

Developing these mitigation plans for the “undesirable” constitutes the majority of

the effort behind the Risk Management exercise. Good contingency planning is all about

being proactive, because the goal of execution is get back on track in the shortest possible

time. By having well-thought out contingency plans ready to be put into action, immediately

upon knowledge of the event, companies can ensure they can indeed protect themselves

before certain cost/quality/time thresholds have been crossed.

Many companies don’t formally do Risk Management because they believe that the

future is too uncertain to plan for every contingency. While it is possible that any number of

events can happen, the numbers of feasible options available to mitigate those events are

actually finite. To be more precise, they fall into three dimensions Material, Capacity, and

Information, which means the mitigation strategies can be identified, ranked, documented,

and prepared for deployment with reasonable effort and management commitment.

45
For a given network, Planning involves the following activities or tasks:

Identifying the points of failure and alert criteria

In this step, the Risk Management team looks at each node in the supply chain network

structure and identifies all the potential constraints and failure points. As shown in Figure

above, every risk event can be related to one of three types: inventory (material), capacity,

or information. In effect, we portray the enterprise as being supported by these “three legs”

or dimensions that the Risk Management strategy rests upon.

Prioritize or rank the failure points

This is often one of the more challenging aspects of a Risk Management strategy

because it requires associating a probability for each disruption.

46
 Identify the alternative courses of action (for each failure point)

In this step, we come up with potential alternatives for each failure point. The team

enumerates the advantages and disadvantages for each alternative as well as estimates the

cost and effort to implement it. The teams can also proactively build detailed contingency

plans using Microsoft Project as ready-to-deploy templates to compress the reaction time.

Rank the alternatives (for each failure point)

This step underscores another key challenge for Risk Management because in order to

rank the alternatives, we also need to be able to quantify the impact as well as the cost of

the alternatives. If possible, cost models can be built to support these decisions. Otherwise,

techniques like AHP are useful for managing qualitative decision criteria.

Build the Risk Management database

Finally, all the preparation, analysis, and design of the various contingency plans are

recorded in the Risk Management database. While it needs to capture some basic data

elements (Alert Criteria, Type of Risk, Preferred Mitigation strategy, Alternative strategies,

Owner) to be minimally functional, the type of knowledge that is critical to execution

velocity will become clearer as we delve into the Execution phase discussion. Evolving this

“knowledgebase” and keeping it up to date falls to the responsibility of the Risk

Management organization.

47
Tactical: Understanding Supply Chain Risk

At this point, it is worthwhile to help understand the different types of supply chain

risk. In fact, Risk Management is a broad term that encompasses a number of different

activities and initiatives that you may already be doing today, such as Supply Chain Event

Management and Business Continuity Planning, etc.

Nevertheless, the key point here is that all these activities need to be aligned along a

clear and cohesive strategy for managing the different types and sources of variability and

risk in supply chains. One approach to identify and classify these risks is illustrated in figure

below, along two dimensions, Frequency and Impact.

48
 Quadrant 1: Desirable but not necessarily viable

While this quadrant represents the least risk it is not always a viable goal due to supply

chain realities.

Quadrant 2: When Exception Management isn’t the exception

Typical supply chain examples in this category include transportation delays, inventory

short/over-supply situations, capacity shortages, etc. that are now increasingly common due

to coordination challenges in a complex, multi-enterprise setting.

While the more severe types of disruptions may provide the impetus for a formal Risk

Management initiative, not effectively addressing the challenges of this quadrant can create

losses as a result of “death by a thousand paper cuts”. But by monitoring these events, root

causes can be analyzed and strategies can be devised to reduce the frequency of these

occurrences. With good planning, recovery time can be kept to a minimum.

Quadrant 3: Think business continuity planning

Examples of high impact/low frequency events include terrorism, port shutdowns, or

a supplier loss situation (fire, labor strike, etc.) where continuity of the business is at risk.

While detailed contingency plans can reduce recovery time, the nature of the

disruption and conditions on the ground will influence how quickly you can get back on

track.

49
Quadrant 4: Need for structural change

The most effective way to mitigate the risk from these types of events is to change

the supply chain network structure. Because of their higher frequency or probability of

occurrence, examples of such disruptions are typically associated with trends. The external

trends are often geo-political in nature such as rising energy prices, corruption, unfavorable

exchange trends, regulatory trends, etc. Trends could also be internal where management

changes may be necessary to implement a change in strategy. In any event, the recovery

time is often the longest due to the structural changes required to reduce this type of risk.

50
Operational: Monitoring and Executing to Risk Events

The operational or execution phase must satisfactorily address the following questions:

 Do I know when to put my alternative plan into action?

 What must I do quickly to get back on track — or minimize the impact of the event?

 And what can I learn from this to improve for the next time?

Executing your supply chain’s “reflexes”

When an event or deviation happens, each contingency plan will be put to the test in

terms of its “reflexes”. As shown in above figure, speed of execution is everything because

the slower your reaction time, the longer it will take to “get back on track” and the greater

your potential loss. In some cases, there may be multiple mitigation plans driven by time

sensitivity.

51
 Transportation is a typical example that illustrates both points: The cost of expediting

goes up and the options change with each day until action is finally taken.

Monitor vs. Inform: Who “triggers” the alert?

This is a key decision in preparing the execution environment because some events (e.g.,

natural disasters or calamities) are hard to anticipate and require someone outside the

organization to activate the alert. In other cases, a company can also proactively monitor for

events (e.g., failed to receive advance shipment notification), and by keeping a history of

risk events and exceptions, they may be able to analyze and predict the next likely

occurrence.

Improving execution velocity with the “4-C’s”

Once the alert criteria has been defined for the monitoring process, the Execution phase

involves the following set of activities or tasks, which are,

 Capture (the event)

 Communicate (the situation to all relevant parties)

 Collaborate (on selecting the optimal mitigation strategy)

 Continuously Improve (by updating the database with lessons learned)

52
The Execution phase involves the following activities or tasks:

 Capture the risk event

In this step, the disruptions are identified, categorized, and the details are recorded in

the Risk Database, and the resolution process is triggered by the request for a meeting.

Suggestions for improving execution velocity include,

 Pre-assigning each risk event or category to specific owners ensures that someone

immediately begins driving the resolution process. And the Risk Management

organization chart should make the escalation process clear should it warrant senior

level attention.

 Communicate the risk event and impact

The first meeting is convened to brief relevant parties, the situation is discussed, and

tasks and deadlines are assigned to team members to gather more information (if required)

before deciding upon the best course of action.

Suggestions for improving execution velocity include,

53
  Auto-notification of all relevant departments and risk team members and scheduling

of first meeting.

 Send a summary of the risk situation along with attachments or links to appropriate

mitigation plans for preparation or review prior to meeting.

 Collaborate

If the planning phase is thorough and contingency plans were created in detail, then

collaboration is likely to be minimal. But for events with low probability of occurrence but

high severity of impact (natural disaster, terrorism, etc.), there will be unique information

arriving in real time that must be considered before making an optimal decision. In this case,

there may be multiple meetings before a final decision is put into action.

Suggestions for improving execution velocity include,

 Reach out to other companies who are willing to share their experiences in dealing

with such events

 Consider subscribing to a newsflash service for each region in your global supply

chain

 For terrorism or natural disaster events, proactively contact your local, state, and

federal emergency services for any program information that should be known

ahead of time.

54
  Continuously Improve

To some extent, good Risk Management is also a matter of experience because empirical

knowledge makes the contingency plans better. But the learning curve can only be

compressed if there is a continuous improvement process that tracks how often risk events

happen, what was done, how effective it was, and how it could be improved for the next

time. This is how you build a sophisticated Risk Management knowledgebase, and it

becomes your ultimate tool for survival and success in an increasingly uncertain world.

55
Conclusion:

The philosophy and management principles articulated in this paper can be

summarized as follows,

Increasing variability (due to a number of factors) creates both risk as well as

opportunity in Supply Chain Management. While the “adaptive” supply chain philosophy is

recognized as key to dealing with variability, few companies actually do it well. To get to the

next step in the SCM journey, Planning needs to expand its current perspective to plan for

BOTH the “desirable” and the “undesirable”:

 The MRP to APS evolution was about creating more “desirable” plans (this is an

accepted paradigm focusing on the optimality of a supply chain plan)

 The Risk Management evolution is about planning for “undesirable” events (this is an

emerging paradigm focusing on improving a supply chain’s “reflexes”.)

Since it is the “undesirable” part that forces rapid adaptation, Supply Chain Event

Management (SCEM) needs to go beyond alerting to enable a continuous, closed-loop

management approach. The processes that come after the alert are what need to be

formalized as the next step in the Adaptive SCM evolution. What makes this effort feasible

and worthwhile are the following,

 While disruptions happen for a variety of reasons, its’ impact can be only of three

problem types: Material, Capacity, or Information.

56
  To recover from these problems, the universe of feasible mitigation strategies isn’t

unlimited. In reality, only a finite number of options are available.

These need to be proactively developed with proper planning and with the right guidance

and technology enablers, the implementation effort and cost can be made attractive for

greater adoption.

57
References:
“Essential Characteristics of a Supply Chain Risk Management Strategy”

www.iwchallenge.com/0109/images/0109SupplyChainRisk.pdf

“Supply Chain Risk Management”

www.riskcentral.org/e107_files/public/1188463346_scr_overview.pdf

“Keeping ahead of supply chain risk and uncertainty”

www.accenture.com/NR/rdonlyres/.../0/InfoDriven_POV_single.pdf

“A Framework for Risk Management in Supply Chains”

www.som.utdallas.edu/centers/c4isn/documents/c4isn-framework-August06.pdf

58