Submitted to:
Dr. Masood Subzwari

Presented By:
  

Muhammad Danish Muhammad Ali Jan Mohammad Khan

8796 5979 8694

Table of Contents
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19

Letter of Acknowledgement Executive Summary Introduction Importance of Supply Chain Risk Management The Risk of prevailing Supply Chain best practices Proactively analyzing and mitigating Supply Chain Risk Responding to Supply Chain Events Capabilities needed to support Supply Chain Risk Management Supply Chain Risk Management Three Risk Management Guidelines Distinctive capabilities for managing risk and achieving high performance Supply Chain Risk Management is A Strategic Concern Supply Chain Risk Management Frame work Designing for Risk Planning for undesirable Understanding Supply Chain Risk Monitoring and Executing to Risk Events Conclusion References

Page Number
II 1 2 6 9 10 16 18 21 26 30 34 37 39 44 48 51 56 58


Letter of Acknowledgement
April 29, 2009

Dear Reader, Now that it’s all done, there’s finally time to reflect on the process. No report ever grows full-bloom from a student’s head. It has hands to help it along the way: phone calls for advice, serious review by professionals, critical notes and information from the World Wide Web, and most of all the endless support of always available professor and friends at the other end. It is an honor for us to prepare the report on “Supply Chain Risk Management” which was assigned to us by our respected instructor Dr. Masood. We would like to thank Dr. Masood for providing us the guidance all along in order to materialize our content for the report. It was a pleasure creating such a report, on a topic so informative and practical, and which also plays an important role in our lives today.

Sincerely Muhammad Danish Muhammad Ali Jan Muhammad 8796 5979 8694


Executive Summary

Recent supply chain management optimization practices, while reducing costs and leaning inventory levels, have left companies with unprecedented levels of risk exposure and very little buffer inventory with which to recover. Many companies have recognized this and are now undertaking supply chain risk management programs. There are two sides to supply chain risk management;
 

Risk assessment and mitigation, Responding to unanticipated supply chain disruptions.

Both are necessary components to an effective supply chain risk management strategy. With strong risk mitigation strategies in place a company is ready to face a given supply chain event. However, not all events may be anticipated. When these events occur, a company must be prepared to respond quickly and effectively or risk suffering financial and customer service losses. To have an effective supply chain risk management strategy, a tool is required that addresses both sides risk assessment and mitigation and event response. This tool must support;
 

Visibility and analytics capable of modeling the entire supply chain, Simulation combined with the ability to compare resolution alternatives.


Unanticipated supply disruption or supply risk is a fact in business. Some of the undesirable outcomes associated to its occurrence are firm’s inability to meet customer’s demand or cause disruption to the operation of the organization. Therefore, it is important for businesses to manage their supply risk. Clearly choosing the right set of suppliers is an important decision as corporations continue to emphasize supply chain partnerships to grow their businesses. Furthermore, as a result of the widespread adoption of Just-In-Time production philosophy, typically smaller amounts of raw materials or inventories are kept. This decision however has the undesirable side effects of resulting in lost production capability in case of supplier delivery disruptions. Such disruptions occurs due to supplier failure as well as from a variety of other factors such as natural disasters, war, terrorism, outbreak of diseases and logistical factors

Since the early part of this decade, supply chain risk management has become increasingly more recognized as a critical part of the corporate strategy. The move to leaner, global supply chains and events such as severe weather, terrorist attacks and financial instability have highlighted the risk of disrupted supply. Traditional approaches to supply chain risk management have focused on risk assessment and mitigation, the process of identifying those points in the supply chain that are at risk and developing strategies to mitigate the risk should the worst happen. This


process is necessary and correct. Those companies best able to recover from a supply chain event are those that are prepared. There is another side to supply chain risk management. Despite the best planning and the best preparation, sometimes an event happens that was not anticipated, or, the event that was planned for happens, but the mitigation strategy didn’t work as planned. When this happens, companies need to be able to react quickly to the situation, assess the impact, determine the best response(s) and implement these responses in a timely manner. An analogy to consider would be that of driving a car. Most of us drive our vehicles every day. The worst case scenario would be to get into an accident. Similar to a supply chain event, a car accident can result in injured people and always costs money. To prevent accidents from happening, good drivers will,
   

Follow the rules of the road, Keep their vehicle well maintained, Avoid high accident areas, Try to avoid inclement weather.

These are the mitigation strategies of a good driver. Despite our best efforts, dangerous situations, most of which are caused by external factors out of our control, occur that could result in a serious accident if not handled. Our ability to respond when these situations occur can determine whether or not the accident happens. Response in this situation uses the following process;

Assess the situation (there is somebody in my lane going the wrong way),


    

Evaluate alternatives, Hit the brakes (not enough time to stop), Swerve to the left (cars in that lane) Swerve to the right (looks clear) Implement the maneuver. (swerve to the right and avoid the oncoming car).

To avoid the accident, the response must be instantaneous. If the reaction is too long, the results could be disastrous. This is the response to an unplanned event. In supply chain risk management, companies strive to understand and mitigate the possible risks, but despite these efforts, events caused by external factors outside of their control may occur that were not anticipated. This means that the company must now respond. This response must be very fast if the company is to recover from the event. The most prevalent lag in the system is access to information on which decisions can be made, often referred to as supply chain visibility. There are several primary elements to a company’s reaction time, The speed with which,
   

The event is detected, The consequences are determined and evaluated, The people responsible for the consequences are identified, The team for responding to the event can evaluate several alternatives in a rational and coordinated manner, and

The suggested responses can be evaluated and a final decision made by senior management.

The combination of these factors determines how fast a company can respond when a disruptive event occurs.


Importance of Supply Chain Risk Management (SCRM)

In realizing the business objectives, organizations are very much dependent on the supply chain partners and the influence of any link in the supply chain. To ensure that the organizational objectives stand a better chance of being attained, it becomes necessary to gain a full understanding of all the developments and uncertainties that could emerge at any point in the supply chain. Effective Supply Chain Risk Management provides a number of direct benefits:
   

The ability to anticipate and respond promptly to external trends and developments. A focus on uncertainties rather than the certainties. Greater influence over your supply chain partners. Greater mutual understanding of the interests and problems of all supply chain partners.

  

A better balance between opportunities and threats. Management which is not based on the cost factor alone. Competitive edge through the acceptance of controlled risks. In recent years, supply chain risk management’s profile has increased. A 2007 AMR

Research report indicated that:
“Nearly 50% of firms plan to implement or evaluate SCRM technology in the next 12 to 24 months, indicating that penetration is relatively low and interest levels are quite high.”


“Managing Supply Chain Risk in the Supply Chain – a Quantitative Study;” AMR Research;

Mark Hillman and Heather Keltz; January, 2007

Source: “Managing Supply Chain Risk in the Supply Chain – a Quantitative Study;” AMR Research; Mark Hillman and Heather Keltz; January, 2007

According to the same report, the following business trends are contributing to the growing awareness of supply chain risk management.

Leaner supply chains
We have been driving the inventory out of our supply chains, saving money and avoiding liability. Unfortunately, when a supply chain event occurs, there is very little buffer with which to recover.

Global sourcing
More and more, companies are sourcing supply from around the world. Lead times have stretched, visibility is limited and communications are difficult.


Higher customer expectations
Consumers want instant gratification. Once the decision has been made to buy, they want the product immediately. Slowdowns in the supply chain causing late orders can often result in lost customers.

Complexity and interdependency of supply base
Instead of dealing with a set of component suppliers, supply chains today consist of a network of contract manufacturers, with material flowing in all directions (it is not uncommon for the brand owner to supply materials for their contract manufacturers – making the brand owner a supplier and customer at the same time.)

Volatility and variability of demand
Add to this the shorter life cycle of today’s consumer products and life gets interesting fast!

Increasing commodity costs and tighter logistics capacity
Making it harder and more expensive to ship goods around the world.


The Risks of Prevailing Supply Chain Best Practices


Proactively analyzing and Mitigating Supply Chain risk

There are three key phases to proactively managing supply chain risk,
  

Visualize and understand risks that apply to the supply chain, Measure and prioritize the risks, and Take action – decide which risks need to be addressed and develop mitigation strategies for those risks.

Let us describe one-by-one to understand how to accomplish each and the tools needed to support these efforts.

Visualize and understand risks

The first step is to assess supply sources to determine which ones are most critical to the business. The most effective approach is to evaluate which suppliers contribute the most to top-level revenue. From an analytics perspective, a tool is needed that will identify the ultimate parent of each component, then assess the component’s revenue contribution. Further, the assessment must be deep as well as broad. The assessment can’t stop at the contract manufacturer. The assessment must also evaluate components that the contract manufacturer uses. A low risk contract manufacturer that uses high risk sources is still a high

risk. This broad and deep analysis requires a tool that provides visibility to the whole supply chain including lower tier suppliers. Once the supply base is prioritized in terms of their contribution to revenue, the risk factors that apply to each supplier need to be assessed. This assessment is typically done against the suppliers that contribute most to revenue first. Supply chain risks can come in many forms. It is the responsibility of the risk assessment team to imagine and understand these various types of risks. Supply chain risks at a high level fall under these general categories;

Natural disasters, (severe weather, fire, earthquake) that disrupt the supply chain. These types of events are very difficult to plan for; however, knowledge of the local geography of a supply source helps to identify those suppliers more at risk. (Is the area known for hurricanes, earthquakes or wild fires?)

Flu / pandemic, these types of events are similar to natural disasters in that they are very difficult to predict.

 

Economic risks, which supply sources, are experiencing financial difficulties? Political risks, which supply sources, are in an area of the world that is politically unstable?

Transportation risks, what transportation routes are used to move materials and finished goods? What if that route is closed?


Unstable Demand, is demand relatively stable? What if demand falls far below expectation? What inventory liability will the company experience? What if demand far exceeds expectations? Will the supply chain be able to keep up?

Unstable Supply, is the source reliable? Do they provide good quality products on time?

Measure and Prioritize Risks
These risk factors need to be applied to the supply base such that each supplier is scored according to the risk factors outlined above. With the scoring of the suppliers and the assessment of the impact each supplier has on the business, the supplier can be plotted on a risk matrix similar to the one shown below, Basic Risk Matrix

Source: “Supply Chain News: Understanding Supply Chain Risk Matrices”; SupplyChainDigest; SCDigest Editorial Staff; July 13, 2008


The colors indicate the relative urgency for risk mitigation. Red indicates that a risk mitigation strategy should be developed and implemented immediately. Yellow, is less urgent and green indicates a low urgency.

Take Action
Once there is an understanding of the various risk factors, there is a need to determine where action needs to be taken. Not all risks will necessarily be addressed. For risks that fall into the green areas on the matrix above a company may decide not to develop a mitigation strategy at all. The mitigation strategies can be different depending on the situation. For risks related to the supply base, mitigation strategies could include;
   

Sourcing from different suppliers, Developing supply sources in other parts of the world, Alternate modes of transportation, and Products re-design to use standard components.

For risks related to demand variability, mitigation strategies could include;
  

Demand shaping, Postponement strategies, and Buffer inventory.


The mitigation strategies must be modeled and tested. Given a different source, how would the different lead times, costs, supply constraints impact the corporate metrics? To test this effectively, the mitigation strategy is simulated and the results evaluated relative to other alternatives and relative to corporate goals. If the mitigation strategy chosen does not yield acceptable results, then a different strategy needs to be chosen and evaluated.

Monitor, Review and Maintain
As time moves on, risk areas will change as will the mitigation strategies. Both the risks and mitigation strategies need to be reviewed on a regular basis to ensure that new factors are considered. Supply chain risk management should not occur only a few times per year; it should be a continuous process and monitoring of supply chain risk. It should include trends, not just absolute numbers. Trends should be used as an early indicator to prevent risk situations from occurring. Procurement teams need to be trained in risk management so that when sourcing new suppliers, they can strive to add suppliers that reduce overall supply chain risk. Logistics teams need to be trained to understand what routes are at risk and when. Supply management teams need to recognize potential for inventory liability should demand for given products disappear.


The Supply Chain Risk management Process


Responding to Supply Chain Events
As described in the introduction, there is a second side to supply chain risk management; responding to supply chain events. Depending on whether or not the disruption was anticipated or not, responding to supply chain events can take two forms;
 

Responding to an unanticipated supply disruption Responding to an anticipated supply disruption by implementing the mitigation strategy

In both cases, the key element is timely alerting that an event has taken place. You can’t respond to something if you don’t know it has happened. The supply chain should be monitored and an alert triggered when a disruption has occurred so that those who need to respond are provided timely notification. That being said, alerting on the event is not enough. The alert mechanism should be smart enough to alert you on the events that impact the business. An unanticipated event is a disruption that despite best efforts was not foreseen and therefore does not have a mitigation strategy prepared. In this case, the speed with which the company can react and respond can mean the difference between an insignificant blip and a full-scale crisis. An anticipated event is a disruption for which a mitigation strategy has been prepared. In most cases, implementation of the strategy goes as planned, but sometimes there are


unanticipated problems; material shortages, capacity shortfalls, quality issues. In these cases, being able to respond effectively can mean the difference between a fast recovery and a painful crisis.


Capabilities needed to Support Supply Chain Risk Management

While the need is high for supply chain risk management tools, the capabilities of most supply chain risk management tools are not keeping pace. Companies are looking for tools to help them assess supply chain risk, develop mitigation strategies and respond to supply chain events both anticipated and unanticipated. As companies begin their evaluation they should ensure that any risk management assessment and response tool provide the following capabilities;

In order to properly assess supply chain risk and respond to events, visibility across the supply chain is required. This means that the supply chain risk management tool must be capable of integrating with, and modeling ERP analytics from, multiple disparate ERP systems, including systems supporting the supply and distribution nodes.


Event detection and alerting
The sooner a supply chain disruption is recognized, the faster the response. An alert that shows up in e-mail or a portable e-mail device will ensure that the appropriate people are made aware of the event when it happens. Too many times, event detection is based on the event itself. To be truly valuable, alert should be triggered based on the anticipated impact of the event. For example, if a supplier goes out of business, but the loss of this supplier doesn’t impact key metrics, an alert may not be necessary.

The full suite of supply chain analytics needs to be modeled in the supply chain risk management tool to ensure the impact of a potential supply chain event is understood. When an event happens, analytics are used to model the event and determine the impact. Above all, these analytics need to be performed in real time, especially when responding to an unanticipated supply chain disruption. When an event happens, every second counts and a company can’t wait days or weeks to understand the impact or to determine resolution alternatives.

Simulation is critical to both sides of supply chain risk management. When assessing the risks, simulation helps to model different risk scenarios. Further, simulation is used to model alternative mitigation strategies to ensure that they are sound. When responding to


an unanticipated supply chain event, simulation is used to model and compare the various response alternatives.

The risk management team will need to evaluate several possible mitigation alternatives. Members of the team will likely not have the detailed knowledge necessary to explore all alternatives in the detail needed to develop a robust mitigation strategy. The ability to bring other people into the evaluation process is critical both to validate the proposed strategy and to propose key improvements to the strategy. Similarly when responding to an unanticipated supply chain event, collaborating with those with the detailed knowledge ensures that the response alternatives are reasonable.

Scenario comparison
In the process of developing mitigation strategies or responses, the team may develop multiple approaches that potentially resolve the problem, but in differing ways. The team needs to make a decision on which resolution or mitigation alternative best meets the goals of the organization. One approach may extend lead times by 30 days, while the other may increase the cost of goods sold by 10%. The decision on which approach is best needs to be evaluated in light of corporate goals.


Supply Chain Risk Management

A pro-active approach to ensure effective management of all potential risks throughout the supply chain.

Controlling risks throughout the supply chain in the most effective and efficient manner.

Establishing internal and external accountability to stakeholders with regard to risks and their management.

Monitoring current performance in supply chain risk management and the results achieved.


Every company has its own worst nightmares, its own way of thinking about what risk means and implies. A brief list of supply chain risks are given below,
                 

Volatile fuel prices Disrupted supplies of raw materials or parts Increased complexity of products or service offerings Increases in cost of labor due to currency fluctuations Supplier planning/communication issues Changes in customer/consumer preferences Problems with manufacturing capacity Port operations and customers delays Service failures due to longer supply chain lines/lead times Service failures caused by supply chain partners (delivery, quality) Geopolitical instability Shortage of skilled resources Reduced accuracy of forecasting/planning Problems with logics capacity/complexity Inflexible supply chain technology Natural disasters Intellectual property risks from offshore supply chain relationships Terrorist infiltration

However, the sheer volumes of supply chain risk events are stark reminder that formulating plans for each specific event is impractical at best. A more feasible and fruitful approach is to,

Determine what kinds of risks are most probable and impactful, and

Construct categories of events that make it simpler to manage and mitigate risk. One possible way to accomplish this is to compartmentalize various types of supply

chain risk and determine the general relationship that exists between their probability and their cost/exposure.

Logistics risk
Refers to the dangers associated with the physical movement of goods and materials. The frequency and impact of logistics risks are best addressed by maximizing visibility across the global supply chain using technologies such as GPS tracking, real-time monitoring, and dynamic routing and scheduling.

Supply and supplier risk
Speak to the potential disruption of raw material and component supplies. For this category, prediction is critical, being proactive about supply analysis and having contingency plans and relief suppliers available in the bullpen. Companies also mitigate supply risk by doing frequent network and capacity modeling. And many have implemented advanced tools with embedded business rules that help them formulate optimal responses. There generally is a slightly higher risk associated with suppliers than with supplies. Still, both types are top of mind, given today's political instabilities and fluctuating fuel prices. Reducing supply and supplier risk could involve using more distribution facilities that reduce shipping distances, and possibly implementing more near- or onshore material and manufacturing sources to reduce shipping timetables and fuel costs. On the technology side, advanced inventory optimization technologies are available that help quantify supply and supplier risk and perform simulation analyses to gauge risk impact. To manage these risks, a company must have the ability to gather comprehensive data and apply analytics to garner new insight.

Cost/commodity risk
Is closely related to supply and supplier risk. All companies hope to discover supply alternatives that are less expensive than what they are currently using. The risk is either failing to recognize these opportunities or not being able to migrate when the opportunities are discovered. Supply chain models can help avoid this scenario by determining at what price or cost it makes sense to switch from one commodity to another.


Capacity risk
Relates primarily to the integrity of a company's facilities or those of its business or outsourcing partners. In this context, some failure probabilities can be calculated and risk mitigated by using asset lifecycle management systems. Unfortunately, many companies simply don't know what they have in terms of assets or what parts go into those assets. This undermines their ability to understand and mitigate risk. Other risks noted in probability and cost/exposure chart includes

Intellectual property risk
Which is often at the forefront in new product development.

Profitability risk and demand risk
Relate more closely to the supply chain than intellectual property risk. They also can be addressed by more proactively shaping demand with analytical and pricing tools and by applying lifecycle management technology to make core product decisions. Profitability risk and demand risk are also a huge manufacturing issue.


Three risk management guidelines

A holistic lifecycle-focused resilience capability can reduce the magnitude and duration of major disruptions.

Innovative companies can do more to minimize risk, not just craft a response to it. They can manufacture locally as well as globally; source contingent suppliers and logistics providers; better monitor and adjust inventories and safety stock; and establish more geographically distributed or near-shore supply bases. They also can reduce risk by updating their supply chain strategies more often than the usually accepted three to five years. After all, the world's rapidly changing business conditions require supply chain networks that also should change more frequently. Change is more of a constant then ever before, so companies must design their supply networks with resilience and agility in mind. Following are three basic guidelines for enabling effective risk-focused actions.

Effective risk management programs are formal constructs

The leading-edge technology must be combined with business processes that are both risk-aware and to the maximum extent possible self healing. In effect, the goal is to create a formal entity-wide "resilience capability." Think of this as a lifecycle-focused methodology for understanding, anticipating, accommodating and minimizing disruptive events. Most organizations do not have a formal capability for quantifying, anticipating and mitigating/ minimizing risk. Instead, their risk management strategies or "continuity of operations plans" focus on major disruptions and specific assets, such as backup data centers or offsite data-storage facilities. In effect, they are "asset-resilient" but not "missionresilient." In addition, few entities have evaluated the risks associated with new operating models, such as increased global interdependencies; expanded outsourcing relationships; and new mergers, acquisitions and partnerships.

Effective risk management programs are holistic

Companies need to think holistically about how to develop their risk management and mitigation programs. Historically, most entities' approaches have mirrored the shortcomings of their organizational models: poorly connected "functional silos," inconsistent access to information, limited management-reporting capabilities, minimal collaboration, and insufficient risk awareness across the enterprise.


In recent years, many have sought to remedy the problem by developing enterprisewide (end-to-end) approaches to process-management and organizational structure. Such insights are reflected in their development of more integrated risk management models. However, these efforts still fall several steps short of an holistic, centrally guided and governed approach to maximizing resilience, an approach characterized by,
      

Unified presentation of data. Contextualization of data into actionable information. Real-time response capabilities. Robust, seamless reporting across all levels. Fully integrated access to information. Built-in collaborative capabilities. On-demand risk status and readiness assessments.

The net effect should be a "resilience lifecycle", a continuous improvement process enacted to support and sustain key operating processes and reduce both the magnitude and duration of major disruptions.

Effective risk management programs emphasize symptoms rather than scenarios

The guiding force behind any company's risk management and mitigation program is preparation: understanding what potential disruptions exist; the likelihood, severity and duration of their occurrence; and the range of prioritized responses. The complexities of today's environments make it nearly impossible to accurately identify all of the scenarios that might occur. A better and more practical course is to focus on commonalities across scenarios, shared symptoms. This means developing resilience frameworks not for work

stoppages, hurricanes, terrorist attacks and so forth, but rather for labor shortages, destruction of property, supply disruptions and service outages. Building a risk program around symptoms (the effects) rather than scenarios (the causes) makes resilience development manageable because it acknowledges that many events share characteristics, impacts and, most importantly, responses. As discussed above, there simply are too many potential disruptions for a business to develop comprehensive resilience programs for every one. For example, problems as varied as weather events and labor-driven port closures evince a similar need to maintain core services and suppliers. We often cannot know in advance when or where such upheavals will occur. But we can develop symptom-based programs that speak to the need for quick responses regardless of the specifics.


Distinctive capabilities for managing risk and achieving high performance

One of the most important aspects of high performance is the development of "distinctive capabilities", using innovation to build hard-to-replicate sets of processes. Companies develop distinctive capabilities by thinking and acting in distinctive ways, one of which is the ability to understand, anticipate, respond to, and (to varying extents) predict and even avoid risk. Here are several of the most distinctive risk-relevant capabilities.

Global visibility

Every year, supply chains get longer. As a result, visibility, observing the complete endto-end supply chain from the point of demand, through design, supply and manufacturing, all the way to sales, consumption and/or obsolescence, becomes more essential. And it's not just visibility; it's timely visibility, as close to real time as possible.


Intelligent alerts

Shipping goods from Asia into the United States or Europe invariably means multiple parties, ports and transportation modes. Discovering quickly where a delay will or likely will occur for example, having alerts pop up via a global sensing mechanism, is key to finding alternative ways to move goods. The more sophisticated a company is with intelligent alerts, the leaner it can generally make its inventories.

Advanced analytics
It's not enough to capture, present and summarize information. Companies must have the tools to work with the information they receive to walk the talk. These analytical capabilities have not traditionally been part of applications that gather, summarize and present data, but they are now key to making risk control part of a broader information management package. Leading-edge supply chain analytics embedded in planning applications enable companies to interpret and classify alerts (for example, "Is this a supply issue, a demand issue, a capacity issue, a customer-preference change, etc.?") and form conclusions about what the data mean. Analytics also epitomize continuous improvement because they constantly appraise the accuracy of conclusions reached in previous iterations. Traditionally, only demand planning applications have done this. However, analytics capabilities can now be imbedded in supply chain management transactions.


Standardized processes and technologies
As companies expand and merge, the need becomes stronger to create business processes that are consistent across internal functions and operations, as well as among companies and the business partners and third parties with which they operate. A good example is working with distributors to serve Asia Pacific markets. While it's unlikely that identical systems and processes across organizations will be possible, it is nonetheless vital that they be compatible, for example, with aligned order-management processes, naming conventions, item definitions, enterprise applications and so forth. Technologically speaking, priority must be given to bringing systems together. Service problems brought on by technological incompatibilities are clearly a major risk item, one that can be significantly reduced by adherence to open standards and business process integration.

Dynamic operations management
In the aggregate, the above four capabilities comprise dynamic operations management, the ability to see and interpret supply chain information and dynamically adapt sourcing, inbound supply, manufacturing and distribution operations accordingly. Imagine that out of five containers on a delayed shipment, only two are critical (e.g., for a scheduled trade promotion). Dynamic operations management could offer informed (cost/benefit based) suggestions about what alternatives might be enacted for only those containers. It's the leading-edge embodiment of event management, folding in actionable business rules to identify, interpret and respond in near real time.


There are innumerable ways that risk can be reduced and material value enhanced when exceptional risk management capabilities are built into a supply chain's basic structure. This is the nature, and the reward, of high performance, knowing better than the competition what to expect, and having the capabilities to turn that knowledge to your advantage.


Supply Chain Risk Management Is A Strategic Concern

Supply chain risk is about managing variability
Risk can be described as the possibility that a future state or outcome may not turn out as desired. In a steady state environment, this possibility is low because there is minimal variability in the system. But supply chains are constantly changing where the sources of variability can come from customers, partners, suppliers, and internal operations. Today, supply chain variability is increasing due to a number of trends. For example, demandrelated trends that contribute to variability include:

Increasing product variety While more choices make customers happy, increasing features and options make it

harder to forecast accurately at the SKU or end-item level.

Increasing competition Competition creates price elasticity, and the demand picture must be continuously

fine-tuned to attain revenue and margin targets.

Decreasing product lifecycles Changing customer trends are compressing product lifecycles and the time window

required to make margins.


Supply trends that contribute to variability include

Global operations Along with its benefits, globalization has also opened a “Pandora’s Box” of risks, Lack

of standardization due to market or cultural reasons, political unrest, exchange rate fluctuations, intellectual property theft due to lack of security or enforceability are all part of the deal.


Process fragmentation While a focus on core competency has made companies more competitive, a multi-

enterprise supply chain also creates operational silos and communications disconnects, making coordination extremely challenging.

Long lead times

Many companies are forced to trade off the cost advantage of off-shore operations with longer transportation lead times. The root cause behind the dramatic increase in supply chain risk can be summed up as follows,

On one dimension, the scope of change is increasing (driven by customer trends), but on another dimension, the scope of control is decreasing (due to outsourcing, etc.)


Supply Chain Risk Management Framework

Strategy: Designing the supply chain for risk
The Design phase essentially defines the boundaries of the risk management strategy. It works just like an insurance policy in the sense that it about understands what risks you want to protect yourself against, and how much you are willing to pay for that protection. It is a deliberative exercise that involves a number of techniques and tools to weigh all the decision variables and finally converge on the optimal supply chain network design that balances all these objectives. The design phase also deals with the more qualitative aspects


of risk since it is often relative to a number of factors like industry characteristics, management culture, etc

Tactical: Planning the risk mitigation scenarios
With the optimal network in place that is aligned with your tolerance for risk, the Planning phase focuses on surfacing all potential deviations from the normal operating plan, evaluating their impact, ranking these risks, and developing detailed contingency plans that are to be put into action in the event of a disruption. The planning exercise reveals that the total numbers of feasible options to mitigate risk are actually finite and relatively manageable, where the event and its resolution can only be expressed in terms of three dimensions: Material, Capacity, and Information

Execution (& Monitor): Exercising the supply chain “reflexes”
The quality of planning is reflected in execution in terms of how quickly you can recover from a disruption. The more thorough and detailed the planning scenario, the less time needed to design or deliberate the appropriate course of corrective action. The other key aspect of this phase is defining clear alert criteria that serve as the trigger mechanism to launch the mitigation plan into action.


Strategic: Designing for Risk

The strategic or design phase must satisfactorily address the following question:

Do I have the right supply chain network structure that is aligned with my risk management objectives?

Answering the above question involves a number of activities or tasks which are discussed below. The framework needs to be flexible some of these activities can be accomplished in a different sequence than listed below, and sometimes it may need multiple iterations. Ultimately, the point of the exercise is to be thorough while understanding that the design phase essentially defines the boundary of possibilities for the risk mitigation plans that will be put into action.

State the risk management objective
Documenting the risk management objective helps provide guidelines to the executive management team in terms of how it aligns with the business agenda, how important it is relative to other initiatives, and what the cross-functional team needs to look like. Start by asking some basic questions at a high level to create a vision for Risk Management,

     

Why are we doing this? What is it that we want to protect ourselves against? (Disruptions) What should we do? (Alternatives) How long it will take to recover? (Time) How much inventory do we need to carry to cover for disruptions? (Cost) How will we know success? (Metrics)

Determine the risk appetite
This step is about gaining a deeper understanding of what risks you want to protect yourself against. A few points to keep in mind,

It should be comprehensive

Currently, there is no single formula or standard approach to assessing the risk appetite for a company’s supply chain. While we chose to classify the risks in the four categories as how you choose to do this for your business can be different.

It should be interactive

A facilitated discussion would be a good way to administer the questionnaire to capture all the relevant risk dimensions (at least initially, in case you wish to administer this to a larger audience as a traditional survey.)


It should be iterative

The discussion format helps to evolve the questionnaire by verifying, adding, modifying, or deleting questions to get to the one that is right for you.

It should be both qualitative and quantitative

Since tolerance for risk varies by individual, there is an element of subjectivity to the exercise. The ability to capture these inputs across multiple respondents and “normalize” the answers for the group will require knowledge of data collection and analysis methods to accomplish this exercise.


Define the Risk Management organization
The Risk Profile helps the executive team understand (at a high level) if there are indeed, gaps in the current risk management strategy, and subsequently create the appropriate organization who is tasked with closing these gaps. In addition to the team internal to the enterprise, the organization chart should also identify the appropriate Risk Management counterparts in the partner organizations upstream and downstream in the supply chain.

Perform the SWOT analysis
In addition to reviewing the data from the Risk Appetite survey, a SWOT analysis (Strengths/Weaknesses/Opportunities/Threats) can be an effective tool to help the members of the Risk Management team get aligned on a shared, high-level view of the Risk Management strategy.

Design the optimal supply chain network
The final task in the strategy phase is to ensure that the supply chain network is designed to meet the stated Risk Management objectives. It is an iterative process that involves the following steps;

Since there is already a network structure in place, the first step is to map the “as-is” network structure in terms of cost, lead times, inventory levels, supplier quality, etc.

Next, we analyze the alternatives and compare the implications of different structures such as nearshore, off-shore operations, etc.. This step must wait until the Planning phase flushes out the various mitigation strategies.

Analyze the network in terms of redundancy vs. reliability


Select the optimal network structure. Given the strategic nature of these changes, it may take time to implement some of the decisions to align the network with the risk management objectives.


Tactical: Planning for the “Undesirable”

Following the decisions regarding the optimal network structure, the tactical or planning phase must satisfactorily address the following questions;

Do I understand all the possible risk events or deviations from normal operating plan?

And do I know of all possible alternative plans in case these events happen?

Planning for Risk requires a different perspective. Traditional supply chain planning is about creating a single optimal plan that is released to execution. This supply chain plan assumes “normal operating conditions” and assumes a fixed network path across the nodes (i.e. N1—N2—N3—N4…Nx) as depicted in Figure.


In contrast, Risk Management involves MULTIPLE “network paths” or contingency plans for any deviation. The example shown in Figure above shows an exception event occurring at N2. We show two possible mitigation plans to correct the deviation, each triggered when a certain level has been reached in the “risk threshold”. The thresholds can be time-based (expedite window) or cost/severity-based (port strike), or tied to specific KPIs defined by the Risk Appetite assessment. Unanticipated events are a fact of life and deviations will occur, but through proper planning it is possible to quickly get back on track before it is too late. i.e., before they have exceeded the risk tolerance level. Developing these mitigation plans for the “undesirable” constitutes the majority of the effort behind the Risk Management exercise. Good contingency planning is all about being proactive, because the goal of execution is get back on track in the shortest possible time. By having well-thought out contingency plans ready to be put into action, immediately upon knowledge of the event, companies can ensure they can indeed protect themselves before certain cost/quality/time thresholds have been crossed. Many companies don’t formally do Risk Management because they believe that the future is too uncertain to plan for every contingency. While it is possible that any number of events can happen, the numbers of feasible options available to mitigate those events are actually finite. To be more precise, they fall into three dimensions Material, Capacity, and Information, which means the mitigation strategies can be identified, ranked, documented, and prepared for deployment with reasonable effort and management commitment.


For a given network, Planning involves the following activities or tasks:

Identifying the points of failure and alert criteria
In this step, the Risk Management team looks at each node in the supply chain network structure and identifies all the potential constraints and failure points. As shown in Figure above, every risk event can be related to one of three types: inventory (material), capacity, or information. In effect, we portray the enterprise as being supported by these “three legs” or dimensions that the Risk Management strategy rests upon.

Prioritize or rank the failure points
This is often one of the more challenging aspects of a Risk Management strategy because it requires associating a probability for each disruption.


Identify the alternative courses of action (for each failure point)
In this step, we come up with potential alternatives for each failure point. The team enumerates the advantages and disadvantages for each alternative as well as estimates the cost and effort to implement it. The teams can also proactively build detailed contingency plans using Microsoft Project as ready-to-deploy templates to compress the reaction time.

Rank the alternatives (for each failure point)
This step underscores another key challenge for Risk Management because in order to rank the alternatives, we also need to be able to quantify the impact as well as the cost of the alternatives. If possible, cost models can be built to support these decisions. Otherwise, techniques like AHP are useful for managing qualitative decision criteria.

Build the Risk Management database
Finally, all the preparation, analysis, and design of the various contingency plans are recorded in the Risk Management database. While it needs to capture some basic data elements (Alert Criteria, Type of Risk, Preferred Mitigation strategy, Alternative strategies, Owner) to be minimally functional, the type of knowledge that is critical to execution velocity will become clearer as we delve into the Execution phase discussion. Evolving this “knowledgebase” and keeping it up to date falls to the responsibility of the Risk Management organization.


Tactical: Understanding Supply Chain Risk

At this point, it is worthwhile to help understand the different types of supply chain risk. In fact, Risk Management is a broad term that encompasses a number of different activities and initiatives that you may already be doing today, such as Supply Chain Event Management and Business Continuity Planning, etc. Nevertheless, the key point here is that all these activities need to be aligned along a clear and cohesive strategy for managing the different types and sources of variability and risk in supply chains. One approach to identify and classify these risks is illustrated in figure below, along two dimensions, Frequency and Impact.


Quadrant 1: Desirable but not necessarily viable

While this quadrant represents the least risk it is not always a viable goal due to supply chain realities.

Quadrant 2: When Exception Management isn’t the exception

Typical supply chain examples in this category include transportation delays, inventory short/over-supply situations, capacity shortages, etc. that are now increasingly common due to coordination challenges in a complex, multi-enterprise setting. While the more severe types of disruptions may provide the impetus for a formal Risk Management initiative, not effectively addressing the challenges of this quadrant can create losses as a result of “death by a thousand paper cuts”. But by monitoring these events, root causes can be analyzed and strategies can be devised to reduce the frequency of these occurrences. With good planning, recovery time can be kept to a minimum.

Quadrant 3: Think business continuity planning
Examples of high impact/low frequency events include terrorism, port shutdowns, or a supplier loss situation (fire, labor strike, etc.) where continuity of the business is at risk. While detailed contingency plans can reduce recovery time, the nature of the disruption and conditions on the ground will influence how quickly you can get back on track.


Quadrant 4: Need for structural change
The most effective way to mitigate the risk from these types of events is to change the supply chain network structure. Because of their higher frequency or probability of occurrence, examples of such disruptions are typically associated with trends. The external trends are often geo-political in nature such as rising energy prices, corruption, unfavorable exchange trends, regulatory trends, etc. Trends could also be internal where management changes may be necessary to implement a change in strategy. In any event, the recovery time is often the longest due to the structural changes required to reduce this type of risk.


Operational: Monitoring and Executing to Risk Events

The operational or execution phase must satisfactorily address the following questions:
  

Do I know when to put my alternative plan into action? What must I do quickly to get back on track — or minimize the impact of the event? And what can I learn from this to improve for the next time?

Executing your supply chain’s “reflexes”

When an event or deviation happens, each contingency plan will be put to the test in terms of its “reflexes”. As shown in above figure, speed of execution is everything because the slower your reaction time, the longer it will take to “get back on track” and the greater your potential loss. In some cases, there may be multiple mitigation plans driven by time sensitivity.

Transportation is a typical example that illustrates both points: The cost of expediting goes up and the options change with each day until action is finally taken.

Monitor vs. Inform: Who “triggers” the alert?
This is a key decision in preparing the execution environment because some events (e.g., natural disasters or calamities) are hard to anticipate and require someone outside the organization to activate the alert. In other cases, a company can also proactively monitor for events (e.g., failed to receive advance shipment notification), and by keeping a history of risk events and exceptions, they may be able to analyze and predict the next likely occurrence.

Improving execution velocity with the “4-C’s”

Once the alert criteria has been defined for the monitoring process, the Execution phase involves the following set of activities or tasks, which are,
   

Capture (the event) Communicate (the situation to all relevant parties) Collaborate (on selecting the optimal mitigation strategy) Continuously Improve (by updating the database with lessons learned)


The Execution phase involves the following activities or tasks:

Capture the risk event

In this step, the disruptions are identified, categorized, and the details are recorded in the Risk Database, and the resolution process is triggered by the request for a meeting. Suggestions for improving execution velocity include,

Pre-assigning each risk event or category to specific owners ensures that someone immediately begins driving the resolution process. And the Risk Management organization chart should make the escalation process clear should it warrant senior level attention.

Communicate the risk event and impact

The first meeting is convened to brief relevant parties, the situation is discussed, and tasks and deadlines are assigned to team members to gather more information (if required) before deciding upon the best course of action. Suggestions for improving execution velocity include,


Auto-notification of all relevant departments and risk team members and scheduling of first meeting.

Send a summary of the risk situation along with attachments or links to appropriate mitigation plans for preparation or review prior to meeting.


If the planning phase is thorough and contingency plans were created in detail, then collaboration is likely to be minimal. But for events with low probability of occurrence but high severity of impact (natural disaster, terrorism, etc.), there will be unique information arriving in real time that must be considered before making an optimal decision. In this case, there may be multiple meetings before a final decision is put into action. Suggestions for improving execution velocity include,

Reach out to other companies who are willing to share their experiences in dealing with such events

Consider subscribing to a newsflash service for each region in your global supply chain

For terrorism or natural disaster events, proactively contact your local, state, and federal emergency services for any program information that should be known ahead of time.


Continuously Improve

To some extent, good Risk Management is also a matter of experience because empirical knowledge makes the contingency plans better. But the learning curve can only be compressed if there is a continuous improvement process that tracks how often risk events happen, what was done, how effective it was, and how it could be improved for the next time. This is how you build a sophisticated Risk Management knowledgebase, and it becomes your ultimate tool for survival and success in an increasingly uncertain world.



The philosophy and management principles articulated in this paper can be summarized as follows, Increasing variability (due to a number of factors) creates both risk as well as opportunity in Supply Chain Management. While the “adaptive” supply chain philosophy is recognized as key to dealing with variability, few companies actually do it well. To get to the next step in the SCM journey, Planning needs to expand its current perspective to plan for BOTH the “desirable” and the “undesirable”:

The MRP to APS evolution was about creating more “desirable” plans (this is an accepted paradigm focusing on the optimality of a supply chain plan)

The Risk Management evolution is about planning for “undesirable” events (this is an emerging paradigm focusing on improving a supply chain’s “reflexes”.)

Since it is the “undesirable” part that forces rapid adaptation, Supply Chain Event Management (SCEM) needs to go beyond alerting to enable a continuous, closed-loop management approach. The processes that come after the alert are what need to be formalized as the next step in the Adaptive SCM evolution. What makes this effort feasible and worthwhile are the following,

While disruptions happen for a variety of reasons, its’ impact can be only of three problem types: Material, Capacity, or Information.


To recover from these problems, the universe of feasible mitigation strategies isn’t unlimited. In reality, only a finite number of options are available.

These need to be proactively developed with proper planning and with the right guidance and technology enablers, the implementation effort and cost can be made attractive for greater adoption.


“Essential Characteristics of a Supply Chain Risk Management Strategy”

“Supply Chain Risk Management”

“Keeping ahead of supply chain risk and uncertainty”

“A Framework for Risk Management in Supply Chains”


Sign up to vote on this title
UsefulNot useful