
DEPARTMENT OF PROCUREMENT AND SUPPLY CHAIN MANAGEMENT

PLM2201: PROCUREMENT AND SUPPLY CHAIN RISK MGT

Course Description:
All organizations need to prepare themselves to cope with crises from whatever source. In an ideal
world, managers would identify everything bad that could happen to them, and develop a
contingency plan for each of these sources of crisis. It is a good idea to be prepared. However,
crises by definition are almost always the result of nature, malicious humans, or systems catching
us unprepared (otherwise there may not have been a crisis). We need to consider what could go
wrong, and think about what we might do to avoid problems. We cannot expect to cope with every
contingency, however, and need to be able to respond to new challenges. Managing suppliers
involves taking several risks; for a supply chain to operate optimally, these risks have to be
mitigated. This course unit will address ways of mitigating these risks.

Learning Objectives:
1) Understand the concept of Supply Chain Risk management
2) Identify strategic, tactical and operational risks in organizations.
3) Understand risk management strategies applicable in various situations.
4) To train you to analyze complex business situations in real time and to teach you the tools used
by Risk managers
5) To improve your skills in problem identification including the ability to determine what is most
important
6) To teach you to make immediate decisions under conditions of uncertainty or incomplete
knowledge

INTRODUCTION TO SUPPLY CHAIN RISK MANAGEMENT:
Most supply chains consist of many separate companies, each linked by virtue of their part in
satisfying the specific need of the end consumer. It is quite possible for each of the links in the
chain to have their own objectives, each of which can easily be in conflict with those of another.
For example, manufacturing operations are aimed at achieving maximum output without taking
optimum inventory levels or distribution capacity into account. Supply chain management has
emerged as a technique for reconciling and accommodating these differences, thereby maximizing
the efficiency level of the supply chain as a whole.
Supply chain management (SCM) is the integration and management of supply chain organizations
and activities through cooperative organizational relationships, effective business processes, and
high levels of information sharing to create high-performing value systems that provide member
organizations a sustainable competitive advantage.
In supply chain management, we include both the upstream supplier network and the downstream
distribution channel.
A risk refers to the possibility of suffering harm, loss or danger. It is an exposure to the adverse
(unfavorable) consequences of uncertain events. It is a situation where one is required to make
a choice between two different alternatives which may result in differing rewards for success or
penalties for failure. It is a situation involving exposure to danger.
For our purposes we define Risk as the probability of realizing an unintended or unwanted
consequence that leads to an undesirable outcome such as loss, injury, harm, or missed
opportunity.

Risks occur because we can never know exactly what will happen in the future. We can use the
best forecasts and do every possible analysis, but there is always uncertainty about future events.
It is this uncertainty that brings risks.
The basic problem with discussing risks is that they come in so many different forms. They can
appear at any point in a supply chain from initial suppliers through to final customers; they can
interrupt the supply of materials or the demand for products; they can cause sudden peaks in
demand or collapses; they can range in scope from a minor delay through to a natural disaster;
their effects can range from short-term and lasting only a few minutes through to permanent
damage; their effects might be localized in one part of a supply chain, or passed on to threaten the
whole chain. And different risks can be linked, in the way that an outbreak of some disease can
cause a spike in demand for surgical masks, vaccines and antiseptic wipes, but a drop in the
availability of people to produce them.
Supply chain management is responsible for the movement of materials all the way from initial
suppliers through to final customers. Supply chain risk appears as any event that might affect this
movement and disrupt the planned flow of materials.
What is risk in Supply Chain?
Risks to the supply chain are unforeseen events that might interrupt the smooth flow of materials.
When a supplier delivers materials to a customer, there are always risks that the delivery will be
later than promised, the goods will be damaged or lost, the wrong products will be delivered or the
wrong amounts, the delivery will go to the wrong place, the invoice will have a mistake, the
customer will not pay or the many other things that can go wrong. These immediate symptoms can
lead to more widespread effects throughout the chain.

Risks to the supply chain come in a huge variety. Some arise from external effects in the
environment, while others come from internal operations; some are long-term that might strike at
any point into the far future, and others are short-term and soon disappear; some have minor
impact, while others destroy entire supply chains; some appear regularly in normal operations, and
others are one-off disruptions such as natural disasters. But the risks only really materialize when
some harmful events actually occur.
Therefore, Supply Chain Risk Management (SCRM) is the process of identifying, assessing,
and mitigating the risks of an organization's supply chain.
Supply Chain Risk Management is the implementation of strategies to manage both every day
and exceptional risks along the supply chain based on continuous risk assessment with the
objective of reducing vulnerability and ensuring continuity.
Key Concepts in Risk Management:
Risk Exposure: Risk exposure involves the quantified potential for loss that might occur as a
result of a risk event. The risk exposure value is often the outcome of a comprehensive risk analysis
that uses algorithms to combine risks according to their probability of occurring against the
potential loss if the risk occurs.
Risk Vulnerability: For our purposes we view risk exposure and vulnerability as closely related
concepts, although vulnerability tends to be a less quantified concept. We are vulnerable to
something if we are susceptible to harm or injury. Anyone who has built a house on an earthquake
fault will grasp the concept of vulnerability to earthquakes. Or, someone traveling to certain parts
of the world without getting proper vaccinations should appreciate being more vulnerable to
diseases.
Risk Resilience: At a basic level, resilience refers to the ability to recover from or adjust to
misfortune or change. It represents the ability of a company and supply chain to “bounce back”
after an event. Risk resilience is becoming one of the most researched and discussed topics in
supply chain risk management.
Risk Appetite: Risk appetite reflects the degree of risk that an organization or individual is willing
to accept or take in pursuit of its objectives. This can be measured in terms of both quantitative
and qualitative dimensions. Some also refer to this concept as risk tolerance or risk propensity, a
topic that is well grounded in the financial community.
Risk Analysis or Assessment: This is the process of qualitatively and quantitatively assessing
potential risks within a supply chain. At a basic level risk analysis involves identifying risks and
then evaluating or mapping these events, at a minimum, across two dimensions. These dimensions
include the probability of a risk occurring and the impact if the risk were to become a risk event.
Some techniques will score the two dimensions and multiply them together to arrive at an overall
risk score.

Risk Response Plan: This is a logical extension of a risk analysis. The risk plan is a document
that defines known risks and includes descriptions, causes, probabilities or likelihood of risk
occurrence, costs, and proposed risk management responses. A word of caution is in order here.
Risk Compliance: Risk compliance includes the internal activities taken to meet required or
mandated rules and regulations, whether they are governmental, industry specific, or internally
imposed. Companies have always had compliance requirements relating to financial reporting,
environmental compliance, and a host of other areas. At an organizational level, compliance is
achieved through management processes that (1) identify applicable laws, regulations, contracts,
strategies, and policies; (2) assess the current state of compliance; (3) assess the risks and potential
costs of noncompliance against the projected expenses to achieve compliance; and (4) prioritize,
fund, and initiate any corrective actions deemed necessary.
Risk Governance: Risk governance includes the frameworks, tools, policies, procedures,
controls, and decision-making hierarchy employed to manage a business from a risk management
perspective. At times the governance structure includes a chief risk officer, who is normally
identified as the person responsible to coordinate and oversee the risk management process and
approve reports to the corporate audit committee of the board of directors. Chapter 3 will address
the pros and cons of designating a chief risk officer.
The risk concepts presented here are certainly not the only ones that comprise the vocabulary of
SCRM. They are, however, the more important ones. It would be difficult to proceed with our risk
discussion without having this working knowledge of risk terminology.
Supply Risk Sources:
Environmental Risk Sources: These consist of any uncertainties arising from the supply chain and
environmental interactions. These may be the result of accidents (such as fires, explosions, etc.),
man-made events (terrorist attacks), or natural disasters (earthquakes, tsunamis, and other extreme
weather events).
Organizational Risk Sources: These lie within the boundaries of the supply chain
parties and range from labor issues such as strikes and production uncertainties (quality and machine
failures) to IT-based uncertainties.
Network-Related Risk Sources: These arise from interactions between the organizations involved
in the supply chain.
• Lack of Ownership: Lack-of-ownership risk sources are due to the blurring of boundaries
between buying and supplying companies in the chain. With outsourcing, there may be confused
lines of responsibility.
• Chaos: There may be chaos effects in a supply chain due to mistrust, overreaction, and distorted
information.
• Inertia: Such risks are due to a lack of responsiveness to changing environmental conditions and
market signals. Flexibility may be sacrificed, especially in global supply chains, where there may
be an emphasis on cost reduction.

Risk Management Process:

A Risk Management Cycle is a process that helps organizations identify, assess, and mitigate
risks that could negatively impact their operations. The first step in the cycle is to identify potential
risks that could affect the organization. This can be done by brainstorming with your team or
studying data from previous projects in a similar industry. Once you have identified the risks, you
need to assess their potential impact on your operations. This will help you prioritize which risks
to address first.
Steps of the Risk Management Lifecycle:
1. Identifying Risks: As soon as the project starts, it is essential to: list the different risks the
project could face during its execution, define their characteristics considering the context in which
the project will take place.
2. Assessing their impact: Once the risks have been listed, the next step consists of conducting
a risk assessment. The goal is to assess the risk level, meaning to sort risks according
to quantitative and qualitative criteria. These should allow you to categorize risks (high, moderate
or low) regarding possible impact in terms of scope, delays or costs. To classify risks, you should
consider the probability of the risk occurring, and its degree of importance and priority level.
3. Defining Risk Control Strategies: Risk mitigation is based on control strategies and careful
response planning. The goal is to describe the actions to be taken to avoid the risk, to mitigate the
adverse effects produced by the risk if it cannot be avoided, and to find an alternative if the identified
risk could compromise a key part of the project.
4. Monitoring Your Actions: Set up a process for tracking and monitoring risks throughout the
project development. This ensures that new risks are identified and always controlled. For effective
risk management, the risk register should be updated on a regular basis, and the risk monitoring
phase should go on even after the project has ended. When new risks arise, reevaluate the measures
taken previously. This is to check whether the methodology you used was accurate and relevant,
or if it should be revised.
5. Reporting the Results: As a project manager, be sure to save your analysis and record your
tracking to make the history available to others. This makes it possible to derive good practices for
future projects from your experience. Accurate reporting is very important for stakeholders and
your company as a whole.
Strategies to Manage / Mitigate / Control Risks:
Risk mitigation refers to the process of planning and developing methods and options to reduce
threats or risks to project objectives. A project team might implement risk mitigation strategies to
identify, monitor and evaluate risks and consequences inherent to completing a specific project,
such as new product creation. Risk mitigation also includes the actions put into place to deal with
issues and the effects of those issues regarding a project.
a) Risk Avoidance / Termination: This involves not undertaking the activity where a risk is seen to
happen. However, this means that the business loses out on the possible benefits that could
have come in case the risk never happened. The avoidance strategy presents the accepted and
assumed risks and consequences of a project and presents opportunities for avoiding those
accepted risks. Some methods of implementing the avoidance strategy are to plan for risk and
then take steps to avoid it. For example, to mitigate risk of new product production, a project
team may decide to implement product testing to avoid the risk of product failure before the
final production is approved. The following examples are other ways to implement the
avoidance strategy.
b) Risk Transfer / Spreading: When risks are identified and taken into account, mitigating the
consequences through transference can be a viable strategy. One option is to insure the risk
with an insurance company so that the insurer can come in when the risk
occurs. The transference strategy works by transferring the strain of the risk and its
consequences to another party. This can present its own drawbacks, however, and when an
organization implements this risk mitigation strategy, it should be in a way that is acceptable
to all parties involved. The following example shows how and when transference strategies are
used for risk mitigation.
c) Risk Minimization / Treatment: Risk minimization is the process of doing
everything possible to reduce the probability and/or impact of a risk towards zero. This is
reserved for risks that are viewed as unacceptable to a society, organization or individual.
d) Risk Acceptance / Assumption: The acceptance strategy can involve collaboration between
team members to identify the possible risks of a project and whether the consequences of the
identified risks are acceptable. This is good for those risks whose impact or probability is low.
This strategy is commonly used for identifying and understanding the risks that can affect a
project’s output, and its purpose is to bring these risks to the business’s
attention so that everyone working on the project has a shared understanding of the risks and
consequences involved. The following example shows how the acceptance strategy can be
implemented for commonly identified risks.

Sources of Risks:
There are basically two kinds of risk to a supply chain: 1) internal risks that appear in normal
operations, and 2) external risks that come from outside the supply chain.
External Supply Chain Risks
As the name implies, these global supply chain risks come from outside of your organization.
These risks are harder to predict and typically require more resources to overcome. Some of the
top external supply chain risks include:
• Demand Risks: Demand risks occur when you miscalculate product demand and are often
the product of a lack of insight into year-over-year purchasing trends or unpredictable
demand.
• Supply Risks: Supply risks occur when the raw materials your business relies on are not
delivered on time or at all, thereby causing disruption to the flow of product, material, and/or
parts.
• Competition Risk: A competition risk can happen when a competitor takes an increasing share
of the market for a product or service. It is sometimes called a comfort risk because it can result
from a company's executives becoming so comfortable with a company's performance that
they fail to make continual improvements with the company's products or services.
• Environmental Risks: Environmental risk in the supply chain is the direct result of
socio-economic, political, governmental, or environmental issues that affect the timing of any
aspect of the supply chain.

• Business Risks: Business risks occur whenever unexpected changes take place with one of
the entities you depend on to keep your supply chain running smoothly, for example, the
purchase or sale of a supplier company.
• Physical Plant Risks: These are risks created by the state of a supplier’s physical facility and
regulatory compliance.
• Political Risk: Political climate modification or governmental policies affecting financial
matters are referred to as political risk. Amendments in export and import rules, taxes, tariffs,
and other restrictions can all negatively impact a corporation. Because external hazards cannot
be accurately predicted, it is challenging for a corporation to decrease these three risk elements.
Specific forms of credit insurance can safeguard a corporation from foreign political events,
for example, changes in export-import restrictions, strikes, war, trade embargoes, and
confiscations.
• Economic Risk: Changes in market circumstances are one example of economic risk. A
general economic slump, for instance, might result in a sudden and unanticipated revenue loss.
If a corporation sells to Americans and consumer sentiment is low because of a recession or
high unemployment, expenditure will decline. Businesses can react to financial shocks by
lowering expenses or broadening their customer base, ensuring that income is not dependent
on a single segment or location.
• Natural Risk: Natural risks include natural calamities that disrupt routine company
operations. An avalanche, for example, may impair a retail business's ability to stay open for
several days or weeks, resulting in a significant reduction in the total month's sales, and it may
potentially endanger the premises and the items being sold. Companies frequently carry
insurance to offset a percentage of the lost profits caused by natural catastrophes. Nevertheless,
the insurance funds may not be sufficient to compensate for the income loss caused by being
closed or operating at a lower capacity.

Internal Supply Chain Risks


These are any supply chain risk factors that are within your control, and that can be identified
and monitored using supply chain risk assessment software and robust analytics programs. Although
internal supply chain risks are more manageable than external ones, they are still to some degree
unavoidable. Here are some examples:
• Manufacturing Risks: Manufacturing risks refer to the possibility that a key component or
step of your workflow could be disrupted, causing operations to go off schedule.
• Business Risks: Business risks are a product of disruptions to standard personnel,
management, reporting, and other essential business processes, including how business purchases
connect with suppliers and customers.
• Planning and Control Risks: Planning and control risks are caused by inaccurate
forecasting and assessments and poorly planned production and management.
• Mitigation and Contingency Risks: Mitigation and contingency risks can occur if your
business does not have a contingency plan for supply chain disruptions.
• Planning and Control Risks: Insufficient evaluation and planning pose planning and control
risks, resulting in poor management.
• Cultural Risks: A company’s cultural predisposition to conceal or postpone undesirable
information can pose cultural risks.

• Human Risk: Human concerns may cause operational difficulties. Employees who are ill or
wounded and unable to work might reduce output. The human-factor risk may include
strikes by unions, employee corruption, etc.
• Technological Risk: Unforeseen manufacturing, distribution, or dissemination changes in a
firm's product or service are examples of technological risk. For instance, a technological risk
a corporation may encounter is obsolete operating systems that reduce manufacturing
capability or disruptions in supply or inventories. A technological change could also entail
failing to invest in IT staff to help the company's infrastructure. Network and software issues
that cause technical failures can raise the risk of output shortages and financial losses owing to
lower revenue and idle employees.
• Legal Risk: A legal risk is a specific type of compliance risk that occurs when a company fails
to follow a government's rules for companies. Legal risks can result in expensive lawsuits and
a negative reputation for companies. Here are a few types of legal risks for companies:
• Strategic Risk: A strategic risk occurs when a company's business strategy is faulty or its
executives fail to follow a business strategy at all. A company may fail to reach its goals due
to strategic risks. Example: If a pharmacy chain positions itself in its market as a provider of
low-cost prescriptions and a competitor begins selling prescriptions at a lower rate than the
pharmacy chain, it puts the pharmacy chain at a strategic risk of losing profits to a competitor.
• Reputational Risk: A reputational risk threatens a company's standing or public opinion.
Reputational risks can result in a profit decrease and lack of confidence among company
shareholders. Example: A clothing company prints an offensive image on a sweatshirt, and the
story goes viral on social media, causing a wave of negative news coverage. This bad press
damages the company’s reputation and causes sales to drop.
• Operational Risk: Operational risk occurs when a business' day-to-day activities threaten to
decrease its profits. Internal systems or external factors can cause operational risks for
companies. Here are a few specific types of operational risks: Employee errors: A business can
experience a threat to its operations if employees make significant mistakes at work. Damage
to assets: A natural disaster can damage a company's physical assets, which is an operational
risk.
It is important that you have a complete picture of the supply chain risk factors you are
susceptible to in order to get ahead of potential disruptions. Familiarizing yourself with any
potential issues that might arise puts you in a better position to implement supply chain risk
management strategies.
Vulnerability within Supply Chains:
Supply chain vulnerability can be defined as: 'An exposure to serious disturbance, arising from
risks within the supply chain as well as risks external to the supply chain.'

Supply Chain Networks can comprise hundreds if not thousands of companies which may stretch
globally and which can be subject to numerous risks. These risks can be largely classified into two
types:
1) Weaknesses and potential risks within the SCN that impact on the ability to meet customer
needs.

2) Instability arises when demand and supply are not in balance. Not only can price be affected,
but also the total cost, time and performance.
Fragility of the SCNs to external events/threats both now and in the future.
There will always be an inherent tolerance built into any network (which results from the
assumptions/design parameters made when it is set up), but if any effect causes an impact
outside of the natural tolerance, a point of vulnerability will occur.
In complex networks there may be multiple points of vulnerability occurring at any one time in
different parts of the SCN, and potentially a compounding effect may begin to happen.

Causes of Supply Chain Vulnerability


• Susceptibility arising out of modern techniques leading to lean supply networks
• External corruption of the SC, e.g. fraud via counterfeit products.
• Quality failure
• Lack of visibility along the full length of the SC
• The global economic and political situation
• “Silos” in both the customer and supplier organizations, i.e. disjointedness in the SC
• Market regulation (quotas, taxes etc)
• Disconnection between an organization’s strategy and the practical application of SCM
• The difficulties in planning and forecasting demand
• Designing the SC system to be more flexible and reactive and responsive (e.g. to
seasonality, fashion etc)
• The dependency of organisations on IT systems to manage complex SCNs can lead to
increased vulnerability.
• The volumes of demand in the supply chain/network,
• The capacities in the supply chain/network, and
• Outsourcing

Supply chain Mapping:
Supply Chain Mapping means gathering information about your suppliers, their own suppliers,
and the people who work in your supply chain to create a global map of your supply network. This
information can be held in a single data platform for ease and to facilitate analysis.

How to Map Your Supply Chain:


Mapping your supply chain is a five-step process in which you create a visual representation of
all the entities and functions that exist within and around your business. At each stage, you can
ask questions to work out if the process could be more efficient, or less risky, expensive or time-
consuming.

1. Identify Stakeholders:
Identify everyone who contributes to the production, storage and distribution of your product. You
can document the name of the business and your points of contact either on paper or using supply
chain planning software. You may have different supply chains for different products. Are you
using the most efficient communication channel for the key businesses? Perhaps you could suggest
creating a dedicated space for consistent, real-time communication with the contractor who
handles your returns (such as a shared channel on Slack).
2. Understand Supplier Relationships:
Understand the relationships between all parties (e.g., are they each other’s sole supplier or one of
many?). Ask your first-tier suppliers to join the mapping process. They can then send the same
invitation to second-tier suppliers, and so on. Each entity details what they sell, to whom, and what
they buy next in the chain. As the map expands, you and your suppliers get a better view of
potential risks, bottlenecks, and the dangers of relying on single suppliers and businesses with long
lead-times.
3. Establish costs and timings
You should work out the costs and time frames involved in each part of the chain. Which functions
offer the most and least value to your business? It can be helpful to think of the supply chain as a
“value chain” by considering how costs and time frames either produce or prohibit value. Calculate
how long each element takes on average, including small things (e.g., receiving an email reply
from your supplier) and bigger things (e.g., transportation of goods to the customer).
4. Acknowledge Risks
Acknowledge the risks associated with each entity, including political, legal, economic, and
environmental threats. Are unseen silos increasing the risk of disruptions? E.g., between
procurement, marketing, sales, and fulfilment, or between your business and your suppliers and
customers? Can you remove these silos by improving knowledge sharing?
5. Data tracking
Track the flow of information and data through the supply chain. Transferring information
efficiently, including orders, shipments, and returns, can be as important in controlling costs as the
movement of physical goods.

The Benefits Of Mapping Your Supply Chain:

• Identify where value is added or lost. E.g., Quality issues with your raw materials could be
slowing down production
• Mitigate the impact of risks ahead of time. E.g., How would your brand be affected if a
third-tier supplier broke environmental laws?
• Strengthen the entire chain. By bolstering relationships between companies in your supply
chain through clear communication, you help them better understand their place in the business
ecosystem, including your expectations and goals.
• Streamline and speed up processes. By analyzing the connections between the entities in
your supply chain, you can spot where delays originate and focus on fixing them. E.g., You
have three suppliers from whom you buy the same materials. One is 30% faster at fulfilling
your orders than the other two. Can you order more from the faster supplier, or negotiate with
the others to speed them up?
• Discover the elements that most affect your cashflow. Some suppliers may have shorter
payment terms, and some customers may tend to pay later than others. The biggest risk to
smaller suppliers’ supply chains was customers failing to pay for goods or services. If mapping
your supply chain shows that your cashflow is at risk, you could benefit from using a Business
Card to pay expenses.
