6 Steps to Managing Risk

Supply management is not just about acquiring goods and services at

the best possible price. It's also about identifying possible
disruptions to the supply chain and taking steps to mitigate them.
Following this six-step process can help companies make sure they
have a comprehensive risk management plan that's right for their
company.

By James Kiser and George Cantrell -- Supply Chain Management

Review, 4/1/2006

The headlines from the last five years have included terrorist acts, the start
of a war, a tsunami hitting two continents, and back-to-back category-3
hurricanes hitting the United State's Gulf Coast. That ought to be enough to
convince any supply manager to start thinking about "the unthinkable." Yet
too often supply management professionals are focused only on
negotiating the best bargain for their materials. They forget that a
seemingly great bargain could be prone to a catastrophic disruption in
supply and result in a costly halt to production.

Executives are waking up to the fact that disruptions in the supply chain
can bring disasters to the bottom line. They are more often requiring all
staffing levels in all departments to participate in effective risk management
planning. The rationale for this is that risk management planning needs to
go beyond the effects of major calamities. Executive management
understands that a company's failure to plan, measure, and mitigate risk
factors in their supply chains can negatively affect product quality,
customer retention, brand strength, and corporate earnings. Particularly for
products that provide high profit margins, risk management takes on an
increasingly important role.

A good risk management strategy has several key components.

 It must identify risks for the entire life cycle of every product or service
the company provides—from initial research and development through
commercialization. To unearth potential supply-related problems, the
entire organization needs to be involved—from purchasing through R&D,
marketing, operations, and sales.
 It must be able to predict the financial impact that a supply disruption
can cause.
 It must offer strategies that can mitigate the effects of any disruption
of supplies—with costs and benefits associated with each alternative.
 It must delve deeper into the supply chain than the first tier. Many
organizations fail to recognize risk throughout all tiers of the supply chain.

This article will discuss ways to identify and analyze supply chain risks. In
addition, we will present six steps that a company can take to build a plan
for dealing with potential supply disruptions.

Understanding the Nature of Supply Risks

Many companies struggle with the question of what constitutes risk in their
business. They realize that risk management is important, yet they aren't
sure where to start or what to measure. For this reason, it can be helpful to
understand the general types of risk drivers. There are two main types of
risk: external risks, or those that are outside of your company's control, and
internal risks, or those that are within your company's control.

External risks can be driven by events either upstream or downstream in

the supply chain. There are five main types of external risk:

1. Demand: Risks related to unpredictable or misunderstood customer

or end-customer demand.
2. Supply: Risks related to any disturbances to the flow of product
within your supply chain, from raw material to parts on your
receiving dock.
3. Environment: Risks that originate from shocks outside the supply
chain. These typically have been related to economic, social,
governmental, and climate factors. They now also include the threat
of terrorism.
4. Business: Risks related to factors such as suppliers' financial or
management stability and acquisition and divestiture of supplier
companies.
5. Physical plant: Risks related to the condition of a supplier's physical
facility, sprinkler systems, cleanliness, and regulatory compliance.

Supply management traditionally has been most concerned about gaining

access to material sources and moving that material from its origin to the
 factory floor for production. For this reason, this article will primarily focus
on supply-side drivers in addressing external risks.

Internal risks provide better opportunities for mitigation because they

operate within the control of the purchasing company. They generally fall
into the following categories:

 Manufacturing risks caused by disruptions of internal operations or

processes.
 Business risks caused by changes in key personnel, management,
reporting structures, or business processes, such as the way purchasers
communicate to suppliers and customers.
 Planning and control risks caused by inadequate assessment and
planning, which amount to ineffective management.
 Mitigation and contingency risks caused by not putting in place
contingencies.

Of course, risk areas overlap and disasters often occur because of a

combination of factors. For example, we have a client that imports craft
products from China and supplies them to large retailers. His customers
created a demand risk by threatening large fines if he did not produce fill
rates of 100 percent for the products they purchased. At the same time, he
was also being squeezed by supply-side risks. Our client had not allowed
for the time it took for his manufacturers in China to retool and build his
products nor had he factored in time to cover weather or other delays
transporting them to U.S. ports. To top it all off, he also had an internal
source of risk: the lack of a proper planning process that would have
identified those external drivers.

The sum of all the overlapping risk factors—both internal and external—is
the "total risk" for a given supply chain (see Exhibit 1). By assessing the
total risk, managers can analyze their situations and assign resources to
improve their risk mitigation efforts. To arrive at that total risk, however,
they must undertake a risk management process to identify the
vulnerabilities in each of the risk areas, the circumstances that create the
vulnerability, the probability of occurrence, and a process to mitigate the
risk.

The Six-Step Risk Management Process

Employing a process methodology for risk management will help a
business stay ahead of any market changes and plan for cause/effect risk
contingencies. The following six-step process can help your company begin
to plan a risk management program. Start by forming a multidiscipline
team to define and rank the risks in your supply chain. Then put them to
work.

Step One: Profile Supply Base

To identify potential risks, start by making sure you have a thorough

understanding of your entire supply stream.

Identify each raw material. Begin by building a flow chart for all the raw
material inputs. Work backward from the actual material you are
purchasing to the origin material sources. Delve deep into each material to
understand and capture the processes used by each supply source. These
might be the supplier's processes for acquiring raw materials or
manufacturing the product. Expand the chart to include potential as well as
existing suppliers to gain an assessment of competition and backup
sources. Identify the value-added steps in the flow of materials to assess
the possibility of buying materials closer to origin to improve
competitiveness as well as reduce potential supply risks.

Unless your supply chain management team is aware of the complete

supply stream from raw materials to your supplier's actual product, a
disruption could threaten your product long before you become aware of it.
For example, consider a company that purchases a specialty chemical
manufactured in a sole-sourced plant in Europe. The chemical is a vital
ingredient in a perfume formula for a consumer product that the company
produces and markets in the USA. Unless this specialty chemical is
identified as an external risk, there will be no contingency plans to cover a
possible supply disruption. If the plant suffers an accidental explosion or
labor stoppage, supplies could be cut off immediately. The chemical may
be one of the least costly ingredients in the perfume formula, but it may
also be the most critical because of the limited supply base and long
pipeline. Potential mitigations against that risk could include carrying an
emergency inventory or having a backup manufacturing location in another
part of the world.
Identify strategic materials. From the flow chart, determine which
materials are strategic to the business. This determination may be based
on such factors as whether it is a high spend product, whether you require
the material to meet in-depth specifications, how many suppliers there are
for the material, and what the effect would be on your business if the
material flow was interrupted. Then compile data for these key purchased
materials and build a summary table for all the inputs. This data might
include cost and usage data for materials, approved suppliers, information
about manufacturing plants, the supplier's financial status, manufacturing
and procurement processes, physical condition of the supplier's facilities,
any areas of environmental vulnerability (for example whether the supplier's
facility is in a flood plain or on a earthquake fault), supplier's own risk
management efforts (such as fire readiness or disaster plans), freight
routing, and recommended inventory levels at each stage in the chain.

Your team should carefully consider what makes an item strategic.

Sometimes a small change can knock a "strategic" item off the list and
reduce your risk. For instance, say a company started testing the resin it
uses in a process to reline old pipes. It had been specifying a "special"
resin that was supposed to seal better before liquid chemicals are applied.
Several suppliers offered it, but it was priced at a premium. Testing
revealed no difference in performance when off-the-shelf resin was used
instead of the preferred one. At that point, the material became a
commodity, and the company had much better control of price and supply
risks.

Understand supplier's organization. For each strategic material,

penetrate the organization of each supplier to know its divisions, plant
locations, and the operating units that will be interacting with your
company. An efficient way of gathering information on your supplier's
operations is by making a structured supplier visit. Take the time with a
group of internal stakeholders to plan who you are going to speak with and
what things you would like to discuss. Before you go, draw up the right
questions that will draw out the critical information you need to make a
detailed assessment. Ask about cost control, systems compliance,
operational processes, use of price control contracts, financial controls, and
robust supply management techniques.

Better understanding its suppliers' processes could have helped a Midwest

manufacturer of specialty refrigeration equipment stave off increases in
 product prices. For years this company had bought pre-cut, pre-formed,
and annealed tubing from a strategic supplier. It wasn't until steel prices
skyrocketed that the company realized its supplier did not have hedged
contracts or other mechanisms to control the costs of basic rolled steel
tubes. Over a reasonable period of time, the company essentially began
buying the tube itself and turning it over to the supplier for processing. Steel
prices could change, but the company will take its own actions to mitigate
the effects of those price swings.

The information gained from the supplier visit will form the basis of the
supplier summary that the team will create. Developing supplier information
is an ongoing process and must include:

 Analyzing all potential suppliers' technology bases and attributes.

 Ranking suppliers in each material category from strongest to
weakest.
 Understanding each supplier's competitive position.
 Knowing each supplier's long-range business goals.

This analysis should also include a profit impact by item by supplier. A

profit impact analysis is a critical component of the calculation of the total
financial risk. The supplier summary that the team creates will provide vital
information for identifying potential supply chain issues.

Step Two: Assess Vulnerability

Outlining the assessment process for all of the risk factors would be
beyond the scope of this article. Instead we will focus on those that are
most important to the supply manager.

Supply risks. Evaluate the supply risks for each identified strategic
material throughout its entire supply chain. What are the potential
vulnerabilities or events that create the risk? Work stoppage, raw material
outage, unreliable material supply at origin—these are all potential risks to
consider.

For each potential risk event, assess its impact on your company's
production:

 Are there alternate material suppliers or is material single sourced?

 How much time is required to obtain alternate materials or qualify
another supply source?
 Are inventories of materials adequate to protect from an event?
 Is another technology available to provide a backup in case an event
occurs?
 Are suppliers financially stable?
 Are regulatory issues likely to negatively affect or impede a new
supplier or raw material?
 Is there a disaster recovery plan?

Demand risks. It's also important to determine the demand risks for your
company's finished goods. These risks typically center on the following:
number and size of customers, stability of demand, frequency of new
product introductions, and the financial condition of customers and industry.
Are there emerging technologies that could make your product and
company obsolete? Are there barriers to new competition such as high
capital or patented technology? Assess your company's position relative to
the risk factors to understand demand risk.

Environmental risks. To assess environmental risks, look at key elements

such as political stability in the supply country, natural disaster risk (such as
earthquakes and hurricanes), currency risk, and any other potential
hazards that can be measured. Also evaluate the possibility of local or
foreign governments imposing legislation or regulations that could affect
the supply (production) as well as the market price of the materials being
purchased because of environment or other concerns.

Process and plant risks. Develop a thorough understanding of the

process(es) involved at each stage in the supply chain and the risks that
should be mitigated. Are there opportunities for a chemical reaction or
release, explosion, fatalities, or property damage? Are there agricultural
crops involved that could require a year or more to recover from a crop
failure? How long would be required to resume production after an event
has occurred? Ask the questions and look for alternative sources or
processes to mitigate risk.

Business risks. It can sometimes be difficult to gain a true sense of your

suppliers' financial stability. Faced with obstacles in this area, you need to
look at measures of financial health that are both hard and soft. Hard
qualifiers are measurements directly related to profit and loss, such as
increases in the cost of goods, inventory turnovers, and asset-to-debt
ratios. Soft qualifiers are slow bill payment cycles, operational bottle necks,
price increases out of the norm, workforce reductions, poor morale of
personnel, or shortages of raw materials and parts. Without a process in
place to measure and monitor these signs of distress, it's difficult to
implement an effective mitigation plan. (For more on the nuances of
supplier business risks, see the sidebar "Assessing Supplier Business
Risk" below.)

Internal Planning and Control Risks. Also know what your internal
financial risks are and the controls in place to manage those risks. There
may be other planning risks to review including the cost and time needed to
add production or sales capacity, qualify alternate supply sources, obtain
government regulatory approval, and make decisions.

For example, the requirements of Sarbanes-Oxley and other regulations

may pose internal risks if your controls are not robust. Buyers must
properly manage, control, and reconcile purchase orders with deliveries,
payments, and inventory. Contracts must exist for purchasing transactions.
Supply, legal, operations, finance, and executive managers must all review
the types of contracts in place to understand whether or not the Sarbanes-
Oxley requirements have been met.

Step Three: Evaluate Implications

Take into account all the identified risks and prioritize them. Using some
sort of risk template, rank the risks in order by assigning a risk score. This
template could be a risk spreadsheet, a Monte Carlo simulation, or your
own internal system based on scenario planning. To establish the risk
score, estimate the probable duration of the disruption and costs to
recover. Include a "worst possible scenario" to assess the effects of a long
period of supply disruption. Then evaluate if other options will provide a
measure of protection and what the cost would be for that protection.
Defining the probability of disruption occurrence along with risk costs will
lead to a "probabilized" total cost of the risk. A Monte Carlo simulation of
the occurrence based on random games of chance will assist in developing
variable values at random to simulate a model and can be placed into a
computer spreadsheet to simulate the risk.

Step Four: Identify Mitigation and Contingency Actions

Risk mitigation encompasses loss prevention and developing acceptable
alternatives and plans to reduce the probability that a risk event will occur.
Mitigation plans must include contingency actions for all high-probability
risk events. There should be precise signals or triggers that touch off the
action that will commence efforts to mitigate the risk. The action step and
timing should be clearly spelled out. Example: Within 24 hours of a supply
disruption of material X, purchase orders will be placed with the alternate
supply source to assure there will be no disruption in the supply of X.

The best way to drive down the cost of risk management is to develop a
thorough risk mitigation plan that considers all the cost drivers associated
with the risk. Use the risk template and information developed in step three
to rate or quantify the identified risks after mitigation. By describing action
steps and estimating costs for these actions, a total mitigation cost can be
estimated after factoring in the probability of an occurrence. In business, it
is essential to present the risk assessment in financial terms.

Step Five: Complete Cost/Benefit Analysis

After completing step four, it is time to evaluate the cost-benefits of each

mitigation action. To do this, take a "net present value" (NPV) approach
that compares the investment required for the mitigation action against the
expected cash-flow benefits to be realized down the road. For example,
say that a critical material is being manufactured in an area with a high risk
of earthquakes and political instability. What are the costs and benefits of
possible mitigating actions, such as requiring a second manufacturing site?
What is the NPV of requiring the supplier to prepare a second
manufacturing operation in another location? What is the NPV of qualifying
a competitive supply source in another geographic location?

The investment of resources (cash) today prevents or reduces the

probability of lost revenue (cash) in the future. By comparing resource
investments today to the probability of lost revenue tomorrow, managers
can decide whether or not to make an investment. This comparison can be
charted (see Exhibit 2). A cross-functional risk management team can be
commissioned to generate the analysis of whether the action should be
taken and to develop a detailed implementation plan. Once the plan has
been finalized, communicate clearly to executive management what you
are asking them to do.
 Step Six: Gain Management Support and Implement Plan

With the risk analysis data developed, build a professional business case
presentation and present the information to executive management. This
effort should be led by the head of supply chain management or
purchasing. Be specific on the risks identified and clear on the action steps
and commitments needed. Schedule periodic progress reviews with an
executive management steering committee. It is critical to have executive
management support when developing and implementing a risk
management strategy to the organization. They provide a strong voice and
commitment to the goals being outlined and eventually executed.
Management will usher in support from different departments, which will
lend commercial insights and technical expertise to the risk plan.

Once the strategy and plan have been approved, stay the course and hold
periodic team reviews to ensure the strategy remains effective and sound.
When circumstances demand changes, be ready to recommend and
implement those changes to the plan with executive management.

Roles and Responsibilities

Risk management planning should also include a process for encouraging

suppliers to provide risk management to the greatest extent possible. This
could be in the form of back-up manufacturing facilities, stockpiles of raw
materials, or even assumption of purchasing materials from their
competitors in the event of a supply issue. The point is, do not overlook an
opportunity to have a supply source assume a role in managing a risk
factor.

Before reaching out to your suppliers, however, you need to clarify

internally who is responsible for:

 Identifying the needs that suppliers must meet.

 Identifying and qualifying potential supply sources.
 Establishing sound commercial relationships.
 Integrating suppliers with your company.
 Managing supplier performance.

The partnership can provide mutual benefits that will enhance the overall
performance of the two companies while managing the appropriate areas
of risk in an open way. Collaborating on information sharing can help
identify potential areas of vulnerability and lead to stronger emergency
plans. Your suppliers must understand the performance expectations they
have to meet. Continual, documented feedback is essential, and both
companies might benefit from formal performance review meetings. (For
more on the importance of communication, see the sidebar on "Don't
Overlook Communications.")

For your risk management to be effective, it must be fully integrated into

your company's business processes. The process of identifying risks,
analyzing them, and planning mitigation strategies must be documented
and reported throughout the organization. To effectively evaluate risk
strategy, management must balance the cost of mitigation with available
resources and optimum cost management objectives. The risk
management strategy should apply to everyone at all levels in the
organization and focus on achieving the company's business objectives.
When this happens, supply chain risk management will be a more viable
and sustaining long-range corporate business plan. Remember that
effectively managing risk is an on-going process and requires continuing
attention and priority.

Author Information
James Kiser is vice president of operations and George Cantrell is a senior
consultant with ADR North America, a procurement consulting firm.

Assessing Supplier Business Risk

While it is important to monitor all of the risk factors, supply managers

should pay particularly close attention to supplier business risk. Hurricanes
are hard to miss, and it's easy to imagine how a fire at a supplier's factory
would impact the delivery of parts to your company. However, risks driven
by business factors are much easier to overlook, even though they can be
just as serious. Ask executives at General Motors about the risks facing
their company because it has relied so heavily on parts from bankrupt
Delphi Corporation, its spin-off supplier. That's why the financial health and
business processes of suppliers merit special consideration.

Companies often form relationships with suppliers without understanding

their financial position. Is the supplier's business healthy or showing sign of
financial distress? It may be difficult to find out. Privately held suppliers are
 more difficult to assess because subtle problems are not required to be
publicly divulged. Even when suppliers are business units of a larger
holding corporation, their individual financial results may be hidden within
the holding company's overall financial statements.

Even if a supplier is fiscally sound, it may put a buying company at risk if it

is not in compliance with the latest standards of corporate controls. Public
corporations face much more stringent reporting requirements under the
Sarbanes-Oxley Act. Not only must senior management take the necessary
steps to ensure that their public corporate financial statements are
accurate, they must also certify that the methods used to generate the
reports reflect adequate internal control structure and procedures for
financial reporting. Companies can face major fines if they cannot measure,
track, or verify their own supply chain transactions down to the line-item
ledger and subsequently miss these assets in their books. CEOs and CFOs
can be held personally responsible if they sign compliance statements that
are incorrect. If any of these negative events does happen to a company
supplying you, the fines could turn into pricing pressures and the distraction
of the charges could lead to other disruptions in their deliveries.

Don't Overlook Communications

You may have noticed references to communicating throughout this article.

The importance of including clear communication procedures in the risk
management process cannot be overemphasized. Effective communication
plans will help create a corporate culture that embraces the need for
effective risk management and the flexibility that is essential in dealing with
disruptions that may occur. Be sure to continually ask these questions in
the process:

 Have we included all relative people in identifying risk factors? Have

we encouraged everyone to participate who should?
 Are risk issues communicated to all internal stakeholders?
 Are we discussing risk with external stakeholders?
 Have we developed a communications strategy in the event that a
risk event occurs?
 Do we have communications staff identified who have clear
responsibility for insuring the appropriate people get information and take
action when needed?
 Have the contingency plans been evaluated and tested to be certain
they will work in actual practice?