Supply Chain Risk Management: Fewer Risks or More Complacency?

Stephen DeAngelis

April 07, 2014

Earlier this year, Allianz, a global insurer, reported, “Business interruption and supply chain risks remain atop a list of the major hazards drawing companies’ attention this year, according to the recently released Allianz Risk Barometer, a survey of some 400 of the firm’s corporate insurance experts from more than 30 countries.” [“Supply Chain Heads List of Increasingly Connected Corporate Risks,” SupplyChainBrain, 14 February 2014] That conclusion differs dramatically from one reached in the annual Horizon Scan published by the Business Continuity Institute (BCI). According to Malory Davies, that survey reports that supply risks have “dropped out of the top ten – only coming in 16th.” [“Relax: supply chain risk recedes,” Supply Chain Standard, 11 March 2014] Who’s right? Davies is skeptical about the Business Continuity Institute’s findings. He writes, “I’ll bet you believe it about as much as I do.” He concludes:

“The BCI points out that this is despite increasing supply chain complexity featuring within the top five emerging trends, in addition to the recent BCI Supply Chain Resilience Survey, which revealed that 75 per cent of respondents experienced at least one supply chain disruption during the previous year. So does this mean that supply chain risks really are receding? Hardly. Managers might have become more mindful of some other concerns, but I see no evidence of a significant lessening in supply chain risk. In fact, many of the threats identified by business continuity managers could have a significant impact on organisations’ supply chains. Relax? Not just yet.”

What the BCI survey really reveals is that too many executives still fail to understand how the supply chain is really at the heart of their business. Gurjit Degun, commenting on the BCI survey, noted, “Three quarters of business continuity managers fear the possibility of an unplanned IT and telecoms outage. It added that 73 per cent worry about the possibility of a cyber attack or data breach. Adverse weather impacts, interruption to utility supply, a fire, a security incident, a health and safety incident and an act of terrorism were also among the top 10 concerns.” [“Supply chain disruptions drop out of this year’s top 10 business concerns,” Supply Management, 9 March 2014] Those business continuity managers should ask executives from the retail giant Target whether their concerns about cyber-attacks involve the supply chain. As I reported in a post entitled “Supply Chain Risk Management: A Company’s Weak Link?” Target’s infamous data breach began with a minor vendor.

If the BCI survey is correct and many executives perceive that supply risks are diminishing, then maybe it’s time to take a new approach to risk management. John Bugalla and Kristina Narvaez insist, “As companies develop business relationships around the world into more complex supply chains, protecting these essential links from disruption is becoming harder to manage.” [“Five Ways to Manage Supplier Risks,” CFO, 25 February 2014] To ensure that supply chain risks remain high on C-level priority lists, they recommend developing an enterprise risk management (ERM) framework and “other holistic risk management approaches to respond to an increasingly uncertain global business environment.” Although enterprise risk management plans may look eerily similar to supply chain risk management plans, the name change alone emphasizes that the supply chain can’t be siloed from the rest of the business. The more that C-level executives come to appreciate the centrality of the supply chain to their business the more resilient a company is likely to become. This is not a new problem. Almost a decade ago, Lisa Harrington wrote, “While some CEOs understand the value of the supply chain, the majority do not, according to Gene Tyndall, partner, Supply Chain Executive Advisors.” [“Logistics at the C-Level. Are We There Yet?” Inbound Logistics, June 2005] Tyndall insisted that one of the reasons for this lack of understanding was that supply chain professionals are “not communicating in C-level terms and language.” The enterprise risk management approach can help overcome this communication failure. Bugalla and Narvaez explain:

“Developing ERM programs make it easier for companies to focus on the root causes rather than on the symptoms of disruption in their business operations and thus prevent such disruptions over the long term. Via such approaches, companies can actively anticipate, track, and manage the various types of risks in their supply chain. Given the complexity of managing third-party risks across different business units, many companies are turning to predictive analytics to gain a better and more comprehensive view of long, complex supply chain and distribution networks. There are many challenges in doing business with suppliers in unfamiliar markets, each with its own unique array of threats. Problem areas can include language barriers, unstable local politics, geographical issues and vastly different legal systems.”

Bugalla and Narvaez mention predictive analytics, an activity that involves the collection and analysis of Big Data. They go on to make it clear that collecting data is important for more than simply predicting potential problems. They note, “Supplier risks are also becoming more challenging because of the inherent difficulty in achieving supply-chain visibility in a setting where suppliers are arranged in multiple tiers.” Some would argue that supply chain visibility remains an achievable but unrealized vision. It’s hard to do. It involves numerous kinds of systems, some of them incompatible, and a wide variety of data types. As a result, Bugalla and Narvaez report, “Many companies don’t have the ability or the will to map even their first-tier suppliers. That can leave them blind to risks buried deep in their supply chains and extremely vulnerable to a failure of a tier-two or tier-three supplier.” They continue:

“Companies with successful risk management strategies use a variety of tools to manage specific threats to adverse supplier events, and collective action … can be one of them. In addition, those that use data-driven tools are significantly more likely than those that do not to successfully manage their supplier risks. Of course, it’s important that there’s a process in place for proper aggregation of risk information throughout the organization. And that should be a process in which the use of advanced data tools enhances, rather than displaces, management’s judgment.”

I agree with them. In my discussions about the value of cognitive computing systems, I’ve always reiterated that such advanced tools should be used to enhance human decision-makers’ judgment not displace it (see, for example, my post entitled “Cognitive Computing and Human/Computer Interactions.” Bugalla and Narvaez conclude:

“Advanced analytics and ‘Big Data’ are set to play as big a role in risk management as it has in other aspects of business management. The new, sophisticated, data-driven techniques will make ERM more efficient, freeing managers and executives to focus more on the task of rationalizing risk across the company. Data is a supporting element of a high-performance, cross-functional organization, but managers must integrate what the data’s saying into their companies’ workflow and culture for it to be effective. What if your company can’t invest in advanced analytics? Here are some basic risk practices that can be implemented to better control supplier risks in your organization:

“1) Assess the risk landscape. Use tiered risk assessments that establish the likelihood and impact of a risk event from suppliers. Develop risk mitigation strategies for each supplier tier and a risk governance model that establishes roles and responsibilities for executives and employees.

“2) Deploy comprehensive supplier reviews. Periodically review risk control practices of existing suppliers and a verification process to qualify new suppliers.

“3) Deploy risk metrics. Create Key Risk Indicators that you can use to alert your company to problems in the supply chain.

“4) Report on risks internally. Set up a process to monitor risks in your supply chain, collect the information about the risks and report on them.

“5) Improve continuously. Assess your risk monitoring and governance frequently and close gaps in those systems.

“Company boards are expecting more proactive efforts in developing a holistic view of supply-chain risks. The presence of effective ERM programs can help assure those directors that disruptions are being kept to the barest minimum.”

The bottom line is that risks to the supply chain are not decreasing they are increasing. That’s why risk managers cannot afford to let complacency creep into their corporate culture. If it takes a name change, like enterprise risk management instead of supply chain risk management, then make the change. Risk management remains a critical process for businesses; especially, any business whose supply chain crosses one or more borders.