Supply Risk Management (SRM) is a widely publicized topic (and heavily covered on Spend Matters, obviously), so my goal today is to hash out some strategies to suggest that companies think about supply risk proactively rather than reactively.
Let's start by defining what we mean by Supply Risk Management -- not "supplier risk management." There's a difference, and our viewpoint centers around supply to the ultimate customer, which is a broader context. It addresses any risk that may impair the organization's ability to supply a product or service within the parameters and objectives set forth by the organization (cost, quality, time-frame, volume, etc.). It covers a broad scope, from supplier-centered risks (bankruptcy, financial insolvency, performance and quality issues, discontinued production), to external or environmental factors (regulatory, legal, natural disasters), internal factors (under forecast, manufacturing capacity, performance or quality issues, warehousing, failure of critical systems) and other supply chain issues (product damage during distribution, labor strikes, geopolitical events).
Having said that, other than the discussion around specific risk events, the principles of identifying, assessing, prioritizing, monitoring, and mitigating "supply" risks are no different than those specifically focused on supplier-related issues.
When it comes to managing supply or supplier-based risks, most publications talk about mitigating controls. That is, what are things that can be done to respond to a risk once it happens? Beyond just mitigating controls, there are other means of addressing or responding to potential risks before they occur, or after they occur. In other words, companies can put in place risk response strategies that cover the full spectrum of activities and actions when dealing with potential supply risks.
There are two ways to deal with supply risks. The first is reactive methods, and most companies fall under this category. They wait for a risk event to occur and then scramble to find the best scenario to recover without having previously thought through what can and should be done. This is the worst-case scenario, and what I would call passive acceptance of the risk, where there is no understanding or awareness, and no action taken prior to the risk occurring. Another (slightly better) reactive strategy that many companies follow is contingency planning. This type of risk response, where there is a defined process or response plan, will limit the impact and/or duration of the risk event after a risk has occurred. A common contingency plan is having a previously identified alternate supplier or source of supply.
Now let's look at a better alternative: proactive risk response strategies, which typically fall into one of six buckets, as defined below.
- Avoidance -- avoid inherent risks through a change in strategy, process, etc. An example is where products or processes are re-designed to remove high-risk components or suppliers, thus avoiding the potential risk events altogether.
- Monitoring and Detection -- This is real-time and ongoing monitoring and reporting of potential risks and key risk indicators (KRIs). An example is a monitoring dashboard with pre-defined KRIs, acceptable performance or trigger thresholds, and alerts. These can monitor things such as Supplier, Plant and Distribution Performance, Regulatory Alerts & News, Supplier Alerts -- Financial Risk, External News & Weather reports. Monitoring and detection predominantly affect the probability of risk occurrence.
- Mitigation -- A response or control to limit the impact or duration of the risk during or after the risk has occurred. An example would be to increase supply chain responsiveness - reduce order fulfillment lead times (planning and scheduling, manufacturing, distribution).
- Transference -- transfer an element of risk burden to a third party through contractual means, insurance, etc. Of course, the risk cannot be transferred in its entirety.
- Prevention -- detect and prevent risk from occurring. Example: Improve Supplier Development capabilities; increase supplier's risk management capabilities (including process performance, quality, capacity, etc.). Prevention-based risk response strategies attack probability, meaning they reduce the probability of the risk occurring.
- Active Acceptance -- understanding or awareness of risk, no action. Given the limited resources companies have at their disposal, this is an acceptable response as long as it is an informed decision, and not one out of ignorance or lack of awareness.
Regardless of the type, response plans should be documented and clearly define ownership, trigger dates and/or events, and the specific actions that will be taken to reduce the probability of the risk occurring and/or the resultant impact if it does occur.
-- Chris Monk, Director, Supply Chain, Protiviti Consulting