Supply Chain Risk: Is it Really so Complicated?
When talking to practitioners and academics about supply chain risk, the sheer breadth and depth of the topic can result in hours of debate, endless expansions of the discussion scope, and much hand-wringing over the futility of efforts to manage risk. In short – supply chain risk is complicated.
Managing Risk is Paramount
The first step towards understanding the potential threats in a supply chain is to compile a comprehensive inventory of the risk factors that are present.
In their fourth annual "Risk Barometer" report 1 on the top ten global business risks, Allianz Global Corporate & Specialty (AGCS - a global provider of corporate and specialty insurance services) lists business interruptions and supply chain risk as the number one concern of the companies surveyed for the third year in a row.
There are several factors as to why managing risk has replaced cost control as the primary concern of supply chain managers over the past decades. One element is that supply chains have become increasingly global in their nature, with many products and services being outsourced to multiple nations and resulting in the movement of goods and services across many borders.
According to United Nations Conference on Trade and Development (UNCTAD) statistics2 , the number of trans-national companies (TNCs) has increased from 7,000 in 1966 to almost 104,000 at present, and could reach more than 140,000 by 2020.
Another factor is that supply chains are getting longer, both as a result of the aforementioned globalization and also as a result of specialization which leads to a greater number of intermediaries and connections. Finally, advances in global communications and the rise of social media fueling our constant inter-connectedness have magnified the negative outcomes and increased the stakes when something in a supply chain goes wrong.
A Map of the Risks
The first step towards understanding the potential threats in a supply chain is to compile a comprehensive inventory of the risk factors that are present. To assist with this analysis, we have found that having a "road map" of possible areas of risk is a valuable aid. To create this map, we started with an aggregation of common risk factors, and aligned those risks with the Supply Chain Council's "Supply Chain Operations Reference" or "SCOR" model 3. We then further organized the individual factors into categories. The result is the Supply Chain Risk Matrix shown in Figure 1 below:
Figure 1 - Supply Chain Risk Matrix
It is likely that there are additional elements of risk not captured in this table. The number of risks that are shown simply underscores the daunting nature of attempting to develop a comprehensive risk mitigation strategy and plan for a complex supply chain.
Further confounding our efforts to enumerate supply chain risks is the inter-related nature of these factors. It is often difficult to determine if a particular factor such as cybercrime is a root cause, or in fact an effect of another area of exposure, such as lack of effective information technology controls. Is the small manufacturer delivering critical parts to your company on the brink of insolvency because of poor management, or because their shipments are held up in the West Coast ports because of strikes and slowdowns?
A Closer Look
Let’s take a closer look at just a sample of specific risk events, to further appreciate the complex nature of the forces at play. Cyber Risk: It seems we cannot get through a week without another report of a cyber-attack on a business enterprise. In the past year, data breaches at Home Depot and Target exposed customers’ personal data including names and credit card information, and the hack of Sony’s corporate systems exposed emails which ultimately resulted in the embarrassment and resignation of the CEO. There is a direct economic impact for these events. Kaspersky Lab’s “IT Security Risks Survey 2014” 4 estimates that the average economic impact of a single data security incident was $720,000 in damages, and “one successful targeted attack could cost a company as much as $2.54 million.” But beyond these direct costs to plug IT security holes, re-issue credit cards, and reimburse consumers for fraudulent charges – these companies incurred damage to their reputations and brands that could have an ongoing financial effect for years. AGCS’ report states “The almost automatic blow to a company’s reputation following a cyber-attack can have a dramatic impact on balance sheets. According to the Edelman Privacy Risk Index 71% of customers say they would leave an organization after a data breach.” 5
Natural Disaster: As a smart supply chain manager, you established multiple sources of supply for critical components to reduce the risk of a single point of failure. The only problem is that all the suppliers are geographically co-located, creating what supply chain experts call “concentration risk.” It never occurred to you to evaluate the risks associated with losing an entire region. Then in March of 2011, an undersea earthquake off the coast of Japan triggered tsunami waves of up to 130 feet high, traveled 6 miles inland, caused nuclear meltdowns at a power plant, destroyed or damaged over a million buildings, and damaged roads, railways, and dams 6. Because your company sourced materials from suppliers that were all within that region you were faced with crippling supply chain disruptions as you scrambled to identify and develop new sources of materials.
There is Hope
In light of the multiple risk factors and complex interactions that can cause knock-on effects to ripple through supply chains, you may be feeling that identifying and indeed managing or mitigating supply chain risks is an insurmountable task
The good news is that even though it is complex, being prepared for these risks is achievable. The key is to divide the large problem into smaller and simpler ones, until individually – they are solvable. Here is a very high-level approach to identifying and mitigating supply chain risks:
- Identify the risks
Creating a map of your supply chain can be useful in identifying sources of risk. The map may be a computer model or even visual diagram of the movement of materials, products, and information. Overlays of transportation routes, supplier locations, and geographic and political boundaries can bring new insights into potential areas of risk.
In the creation of your supply chain map, you may also want to identify constraints such as capacity limitations of manufacturing facilities, limitations of sources of supply, and transportation hubs that represent choke points.
- Evaluate the economic impact
Calculating the costs associated with a failure at any particular point in the supply chain is a critical exercise to be able to prioritize your planned responses. Costs associated with identifying and “on-boarding” new suppliers (sometimes called “switching costs”) would accrue when sources of supply are disrupted. Increasing or decreasing capacity to address abrupt changes in demand may have costs related to purchasing or renting manufacturing facilities, or even laying off employees. Configuring new transportation chains to circumvent disruptions such as the labor actions at the ports of Los Angeles and Long Beach have significant economic impacts.Evaluate all the associated costs, including procurement, inventory management, production, and delivery costs.
- Prioritize the risk areas
Using the classical approach of laying all your supply chain risks and their associated costs on a four-quadrant matrix with axes of Impact (business and economic) and Likelihood, you can begin to separate the mildly-annoying from the truly devastating. Analyses such as these allow you to focus on those risks that migrate to the “top right” quadrant of high impact and high likelihood.
- Analyze risks and develop plans
For each risk factor, perform what-if analyses, and explore a variety of responses. Evaluate each response for its ability to limit costs, re-establish normal supply chain operations, and protect your brand. Develop an aggregate “scoring” model to objectively compare different responses.
For the response model with the “best” overall score, develop comprehensive plans to execute the necessary actions. Make sure the conditions under which that plan would be set in motion are clearly defined. Communicate the plan to internal stakeholders, and assign individuals to critical roles in carrying out the plan. Communicate the plan to your suppliers and other third parties so they understand their roles if the plan ever needed to be executed. Perform periodic tests for various parts of the plan to ensure readiness.
We carry out a great many highly-complex tasks every day. From regenerating an MRP run, to performing surgery, these complicated jobs are achievable because we have taken the time to understand their nature and to deconstruct the whole event into a sequence of simple actions. So yes, identifying and mitigating supply chain risk is complicated, but with the proper analysis and planning it is within your reach.
1 Risk Barometer. (2015, January 14). Retrieved February 12, 2015, from http://www.agcs.allianz.com/assets/PDFs/Reports/Allianz-Risk-Barometer-2015_EN.pdf
2 Unctad.org | Statistics. (n.d.). Retrieved February 11, 2015, from http://unctad.org/en/pages/Statistics.aspx
3 SCOR®. (n.d.). Retrieved February 11, 2015, from http://www.apics.org/sites/apics-supply-chain-council/frameworks/scor
4 IT SECURITY RISKS SURVEY 2014: A BUSINESS APPROACH TO MANAGING DATA SECURITY THREATS. (2014, July 29). Retrieved February 12, 2015, from http://media.kaspersky.com/en/IT_Security_Risks_Survey_2014_Global_report.pdf
5 Risk Barometer
6 2011 Tōhoku earthquake and tsunami. (2015, February 11). Retrieved February 12, 2015, from http://en.wikipedia.org/wiki/2011_Tōhoku_earthquake_and_tsunami