Defining Supply Chain Risk

Stephen DeAngelis

February 03, 2011

In a post entitled Defining the Supply Chain, I discussed how difficult it is to pin down exactly what the term “supply chain” means. That post was inspired by a question posed by a senior IBM consultant. This post is similarly inspired. Daniel Stengl, author of the blog entitled Supply Chain Risk Management, asks: “What is risk anyway?” [“Definition of Risk,” 5 January 2011]. He writes:

“From my previous experience I know that … in business a clear understanding of the different aspects of risks is important to stay consistent. … At a client I was involved in a company wide risk assessment. The participating middle managers were required to list and assess relevant risks using an Excel sheet. There were predefined categories for impact (eg. less than €1m, between €1m and €10m and above €10m) and probability (eg. p < 5%, 5% < p < 50% and p > 50%). The survey was therefore aimed at high impact, low probability events. One of the biggest tasks during this assignment was to train the managers on how these categories should be interpreted. But honestly, this categorization does not make this task very easy.”

Stengl provides an example to help readers understand the difficulties faces by those challenged to come up with a risk assessment. In this example, an outbreak of swine flu is considered. He continues:

“The line in Excel might look like this: Swine Flu: p < 5%, Loss < €1m. But if you think about it, this task is not very straight forward, the following questions remain: There is of course also a more remote chance that the outbreak cannot be contained so quickly as assumed here and the loss might be larger than € 1m. How should you account for this? Add another line, with p < 1%, Loss < €10m? Or should you draw a distribution of the impacts to assess the risk adequately?”

Stengl then raises several other questions that must be considered:

  • “What support is there to calculate the probabilities? Should you rely on data where possible or leave it all to gut feel?
  • “How is the loss calculated? What about events which losses in several consecutive years? Isn’t it necessary to calculate the present value?”

Those questions are important, but they don’t help answer the original question: What is risk? To help him answer that question, Stengl turns to a 1981 research paper written by Stanley Kaplan and B. John Garrick entitled “On the Quantitative Definition of Risk.” Stengl writes:

“Kaplan (1980) did some early conceptual research about what risk is. I just want to highlight the key aspects of this work here.

  • Different kinds of risks — Risks can be differentiated into different kinds like business risk, social risk, economic risk, safety risk
  • Risk and uncertainty — There is a difference between risk and uncertainty, where risk is when you know about the probabilities and uncertainties when you don’t. So most real life situations (beside the Casino) you are in the realm of uncertainty. If you are using uncertainty, then you have to think about the probabilities of the probability, how likely is it that your estimated probabilities are correct?
  • Relativity of risks — There is usually no objective measure for risk, only perceived risks. The notion of absolute risk always ends up being somebody else’s perceived risk quantitative definition of risk.
  • Risk should be view using the following triplet: Scenario, Likelihood and Consequence
  • There are different types of damage — There is no continuous measure which you can use for loss of life vs. loss of property.”

Stengl then offers his conclusions for this short post:

“Kaplan shows several important factors of risks that are relevant when applying the concept of risk in a business setting. Several other researchers have built on his work, and for example extended the definition of the consequence of risk, to not only contain a single digit for the impact but also aspects as duration, etc.”

The most important points that I draw from Stengl’s review of Kaplan’s and Garrick’s work are: “Risks can be differentiated into different kinds like business risk, social risk, economic risk, safety risk” and “There is a difference between risk and uncertainty, where risk is when you know about the probabilities and uncertainties when you don’t.” I would add that there is also a difference between a hazard, a risk, and a threat. A hazard is a theoretical event (like meteorite strike, tornado touchdown, or cyber attack). When you discuss such events as concepts outside of the conditions in which they actually take place, the event, at that point, is a hazard. A risk is a hazard for which a probability can be calculated. A threat moves beyond an event being a risk because it is both real and imminent (like a hurricane closing on the shoreline). Dave Food, Oracle’s business development director, notes that “natural calamities are only the most extreme end of a spectrum of risks to which the modern, global supply chain is exposed.” [“Balancing risk,” by Sam Tulip, Supply Chain Standard, 30 May 2008]. Natural disasters, which include everything from climate change to volcanic eruptions, are generally the most publicized events that can create supply risks, but they are not the only events. In Tulip’s article, Aidan Murphy, supply chain director of Bulmers, noted: ”Anything has risk. All you can do is mitigate against it.” offers six different definitions of risk (much like Kaplan and Garrick suggest). Those definitions are:

“1. General: Probability or threat of a damage, injury, liability, loss, or other negative occurrence, caused by external or internal vulnerabilities, and which may be neutralized through pre-mediated action.

“2. Finance: Probability that an actual return on an investment will be lower than the expected return. Financial risk is divided into the following general categories:

“(1) Basis risk: Changes in interest rates will cause interest-bearing liabilities (deposits) to reprice at a rate higher than that of the interest-bearing assets (loans).
“(2) Capital risk: Losses from un-recovered loans will affect the financial institution’s capital base and may necessitate floating of a new stock (share) issue.
“(3) Country risk: Economic and political changes in a foreign country will affect loan-repayments from debtors.
“(4) Default risk: Borrowers will not be able to repay principal and interest as arranged (also called credit risk).
“(5) Delivery risk: Buyer or seller of a financial instrument or foreign currency will not be able to meet associated delivery obligations on their maturity.
“(6) Economic risk: Changes in the state of economy will impair the debtors’ ability to pay or the potential borrower’s ability to borrow.
“(7) Exchange rate risk: Appreciation or depreciation of a currency will result in a loss or an naked-position.
“(8) Interest rate risk: Decline in net interest income will result from changes in relationship between interest income and interest expense.
“(9) Liquidity risk: There will not be enough cash and/or cash-equivalents to meet the needs of depositors and borrowers.
“(10) Operations risk: Failure of data processing equipment will prevent the bank from maintaining its critical operations to the customers’ satisfaction.
“(11) Payment system risk: Payment system of a major bank will malfunction and will hinder its payments.
“(12) Political risk: Political changes in a debtor’s country will jeopardize debt-service payments.
“(13) Refinancing risk: It will not be possible to refinance maturing liabilities (deposits) when they fall due, at economic cost and terms.
“(14) Reinvestment risk: It will not be possible to reinvest interest-earning assets (loans) at current market rates.
(15) Settlement risk: Failure of a major bank will result in a chain-reaction reducing other banks’ ability to honor payment commitments.
“(16) Sovereign risk: Local or foreign debtor-government will refuse to honor its debt obligations on their due date.
“(17) Underwriting risk: New issue of securities underwritten by the institution will not be sold or its market price will drop.

“3. Food industry: Function of the probability of an adverse effect and the magnitude of that effect, consequential to a hazard in food (FAO/WHO definition).

“4. Insurance: Situation where the probability distribution of a variable (such as burning down of a building) is known but its mode of occurrence or actual value (whether the fire will occur at a particular property) is not. A risk is not an uncertainty (where neither the probability nor the mode of the occurrence is known), a peril (cause of loss), or a hazard (agent or condition that makes the occurrence of a peril more likely or more severe).

“5. Securities trading: Quantifiable likelihood (probability) of a loss or stagnation in value. Trading risk is divided into two general categories:

“(1) Systemic risk: Affects all securities in the same class and is linked to the overall capital-market system and which, therefore, cannot be eliminated by diversification. Measured by beta coefficient, it is also called market risk or (erroneously) systematic risk.
“(2) Non-systemic risk: Any risk that is not market-related or is not systemic. Also called non-market risk, extra-market risk, (mistakenly) non-systematic risk, or un-systemic risk.

“6. Workplace: Product of the impact of the severity (consequence) and impact of the likelihood (probability) of a hazardous event or phenomenon. For carcinogen effect, risk is estimated as the incremental probability of an individual developing cancer over a lifetime (70 years) as a result of exposure to a potential carcinogen. For non-carcinogen effect, it is evaluated by comparing an exposure level over a period to a reference dose derived from experiments on animals.”

I thought that it was interesting that the “general” definition of risk included a phrase that claimed risks could “be neutralized through pre-mediated action.” That may be a bit strong and too limiting. In the Tulip article cited above, Andreas Stockert of Charles Voegele Trading, notes: ‘There is no solution [to natural disasters], but what does help is having relatively good information systems, so that we know where our orders are and what state they are in.” Under the general definition, a natural disaster wouldn’t be considered a risk because it could not be neutralized — there is a big difference between mitigation and neutralization.

One thread that is common to all of the definitions of risk is that they all link risks with probabilities. Much like the definition of the supply chain, what you see depends on where you sit. Different economic sectors and associated supply chains have unique risks; but, a number of risks are shared across supply chains. I like the general categories of risks listed under the definition of “financial risk” because they provide a good starting point for assessing risk regardless of the economic sector in which a business operates.

The Financial Times has prepared an interesting, interactive Political Risk Map that permits you to click on individual countries to see the types of risk and, on some maps, the potential likelihood of those risks (subscription may be required). The screenshot shown below (click to enlarge) depicts the map for “Supply chain vulnerability” and the side bar highlights an overview of Nigeria.

Supply Chain Risk Map

Other maps depict: All risk; Exchange transfer; Strike, riot, civil commotion, terrorism; War/civil war; Sovereign non-payment; Political interference; and Legal and regulatory. The more information that an organization can obtain about potential risks the better. Of course, information that is not acted upon is no better than information not obtained. When it comes to supply chain risk, ignorance is not bliss.