Chapter 7 - Operational Risk.

Chapter 7 – Operational Risk

Supply Chain Risk Management: An Emerging Discipline


First Edition
by
Gregory L. Schlegel and Robert J.
Instructor: Ms. Saba Farooq
Operational Risks
• Supply chain risks include internal and external quality problems, late deliveries anywhere in
the supply chain, service failures due to poorly managed inventory, problems related to poor
forecasting, and a thousand other events related to operational performance failures.
• The two prevalent horizons affecting supply chain risk management are the operational horizon,
covering 0–45 days into the future, and the tactical horizon, which normally covers 1–18 months
into the future.
1. Supply Risk: To further focus our discussion, we’ll classify these risks into supplier risks, logistics risks, and
fraud, corruption, and counterfeiting risks.
I. Supplier Risks: As mentioned, procurement professionals have been trained for many years to think about
risk and contingencies, probably much more so than any other discipline within the supply chain community.
One of the main reasons is that most manufacturers’ cost of raw material represents approximately 50%–70% of
their total cost of goods sold. That’s a huge portion of the total cost of finished products and an abnormally
large risk element to the organization.



Operational Risks (Contd.)
• Supply Risks:



Operational Risks (Contd.)
II. Logistics Risks: Around the year 2000, during the Internet and e-business boom came the concept of Business
Process Outsourcing (BPO). IBM was a big proponent of this concept within its own supply chain and
promoted doing what you do best and outsourcing the rest. Why did IBM and many other companies embrace
this approach to supply chain management? One reason was companies found that there were many
organizations around the globe that could do certain business functions better, faster, and cheaper. And at that
time, as the Internet was exploding on the supply chain scene, there was renewed interest in exploiting the
World Wide Web to collaborate with these new BPO organizations and new partners to drive overwhelming
top-line growth.
III. Fraud, Corruption, and Counterfeiting Risks: Fraudulent practice means any action or omission, including
misrepresentation, that knowingly or recklessly misleads or attempts to mislead a party to obtain a financial
benefit or to avoid an obligation. Corrupt practice means the offering, giving, receiving, or soliciting, directly
or indirectly, of anything of value to influence improperly the actions of another party. Counterfeiting occurs
when something is made in imitation so as to be passed off fraudulently or deceptively as genuine.



Operational Risks (Contd.)
2. Demand Risk: Demand management has always been a difficult discipline by definition. Part of this
is because forecasts are almost always wrong to some degree. Demand
management and forecasting techniques and solutions have been available to the supply chain
profession for over 80 years. There are hundreds of deterministic, statistical solution providers that
provide companies with the ability to scan historical sales to arrive at a forecast using techniques
such as least squares, time series analysis, and regression analysis. We’ll segment the demand risk
discussion into customer risk, product risk, and logistics risk.
I. Customer Risk: There are plenty of risks on the customer side of the equation. The demand issue tends to get
the most focus because the purpose of demand estimation is to project what a customer will buy, when they
will buy it, and how many they will buy. With complex supply chains and large product portfolios, not even
considering global markets, seasonal products and other extraneous factors, the task is somewhat daunting.



Operational Risks (Contd.)
• Demand Risks:



Operational Risks (Contd.)
II. Product Risk: Poor product portfolio management is another important aspect of this risk pillar. By far the
largest risk in this category is product failure and warranty issues. An example we all have witnessed over the
last couple of years is Toyota’s issues with braking systems, accelerators, and massive product recalls.
Automobile manufacturers run the numbers on their risks associated with product liability and warranty
probably better than most manufacturers. Their risk appetite is usually quite high and they utilize many diverse
liability, tort, and warranty insurance packages to mitigate those risks. However, continued product recalls,
regardless of the industry, can lead to customer loss, fines, penalties, and potential bankruptcy. One of the
most difficult elements in this pillar is new product introduction. Forecast error for products continually
produced and sold to customers can become as large as 40% for a given product. Forecast error and the impact
on the company of poorly launched new products can be even more dramatic.
III. Logistics Risk: In this risk pillar, logistics relates to outbound material that perhaps goes to a final
assembly/package partner, a distribution or warehouse, or the final customer.



Operational Risks (Contd.)
3. Process Risk: These risks are inherently positioned within an organization. Another way to think
about this is that the organization has better control of these risks because they occur within their
own domain. The frequency of occurrence and the remedies many organizations utilize to solve these
issues lie within their own four walls. Our categories for this risk pillar discussion will be known or
hard risks, unknown or soft risks, and chronic risks that can arise within a company’s four walls.
I. Known Risks: These are risks that are measurable and can be planned for. Known risks, also called hard risks,
include process breakdowns, poor material, poor quality control, criminal activity, poor and unreliable
systems, and failure of a company’s facilities and assets.



Operational Risks (Contd.)
• Process Risks:



Operational Risks (Contd.)
• Process Risks (Contd.):



Operational Risks (Contd.)
II. Unknown Risks: These risks are difficult to determine and are sometimes called soft risks. Examples of soft
risks might be a radically new product or technology that renders a company’s existing approach to the market
obsolete. Unknown risks could also be a fire that destroys a plant, an attack on a plant, a weather event, and
time delays or any unforeseen disruption. An effective way to respond to these risks is to develop and practice
response scenarios, what we call business continuity planning (BCP).
III. Chronic Risks: The primary characteristic of chronic risks is that when these occur they tend to cause only
minor internal disruptions. They may occur continually and because of the nature of their low impact,
organizations tend to absorb the risk and develop work-arounds. The disruptions could be persistent and the
root causes may not be obvious and therefore become tolerated over time. Some of the risks that could fall into
this category include manufacturing yield, capacity issues, time delays, human errors, and equipment failure.



Operational Risks (Contd.)
4. Environment/Ecosystems Risk: The fourth risk pillar is probably the most immature pillar since
there are so many new government rules and regulations, weather events, and fraud and corruption
possibilities emerging around the globe.
I. Known Risks: In this arena we could categorize risks such as currency rates, customs regulations,
environmental regulations, industry regulations, and country regulations. We may not like all the regulatory
statutes placed upon us, but they tend to be known and developed over a wide time span, thus providing
organizations ample time to prepare for and comply with these rules. Many companies do not have the skill
sets to understand and manage all the rules and regulations and therefore rely on 3PLs and freight forwarders
to ensure compliance. One caveat before we move to the unknown risks is that all companies have a distinct
style and attitude regarding risk, and sometimes their risk appetite is not what it should be. Subsequently, they
may or may not choose to adhere to all the rules.



Operational Risks (Contd.)
• Environment/Ecosystems Risk



Operational Risks (Contd.)
II. Unknown Risks: Risks within this category could be political, weather and acts of God, fraud, corruption,
counterfeiting, and competition. The bulk of these risks is mitigated and managed through the use of scenario-
based planning approaches, be it at a specific facility level or throughout an entire supply chain network. Most
of the unknown or soft risks in this category can and should be planned for using scenario-based BCP or risk
response plans. However, a few of these risks, such as fraud, corruption, theft, and counterfeiting lend
themselves to a more reactionary approach.



Business Continuity Planning
• Adopting a business continuity plan (BCP) is the start of a journey that ensures continuous
operations of critical processes within a company and expands to include critical suppliers as
the program matures. It is a concept that is absolutely central to effective risk management.
• Business continuity is the process of planning for and implementing procedures that are
designed to enable continuous operations of critical business processes and functions.
• Incident management is the process responsible for guiding the company through an
incident or disaster and executing the overall business continuity plan. The incident management
team focuses on incidents that have escalated beyond emergency response and that could
impact business operations (i.e., business continuity).



Business Continuity Planning (Contd.)
• The responsibilities of the incident management team include the following:
1. Activate department business continuity plans and disaster recovery plans as appropriate.
2. Make workplace recovery decisions.
3. Activate disaster recovery decisions.
4. Allocate resources among recovering departments/groups.
5. Coordinate efforts between recovery and response teams.
6. Approve disaster-related purchases.
7. Develop and distribute messages to employees, customers, and vendors.
8. Provide direct updates to the executive team.
9. Carry out governance board and executive directives.
• Emergency response is the process that is responsible for human and life safety issues during an incident. The
emergency response team leads the evacuation and assembly or shelter-in-place activities.
Business Continuity Planning Objective
• The objective of a business continuity plan is to ensure the availability, reliability, and
recoverability of business processes servicing a company’s customers, partners, and stakeholders.
• In order for business continuity to be effective, it must be an integral part of the business
planning life cycle. Whenever business changes impact a process or function, business continuity
considerations must be evaluated and adjusted as necessary to understand the effect on existing
recovery strategies and plans.
• We all make plans based on trade-offs of cost and benefits. Business continuity formalizes a
company’s overall approach to effective risk management and should be closely aligned to a
company’s incident management, emergency response management, and information technology
disaster recovery. Successful business continuity management requires a commitment from the
company’s executive team in order to show commitment, raise awareness, and implement sound
approaches to build resilience.



Business Continuity Planning Objective (Contd.)
• The Business Continuity Life Cycle: The business continuity life cycle includes six stages:
1. Governance
2. Business Impact Analysis
3. Risk Assessment
4. Recovery Strategies
5. Business Continuity/Disaster Recovery Planning
6. Test and Verification



Business Continuity Planning Objective (Contd.)
1. Governance: Senior management involvement and support are critical to the success of a company’s
business continuity program. Executive buy-in enables the business continuity program to be in alignment
with the company’s strategic direction and business objectives. This also ensures that the program is able to
obtain appropriate resources and visibility. Without adequate senior management involvement and support,
a business continuity program risks losing effectiveness and alignment with business strategy, misspent or
unfit resources, gaps between capability and requirements, or in the worst case, senior management
eliminating business continuity altogether because they do not see the value in the investment.
2. Business Impact Analysis (BIA): A BIA is a methodology to identify critical business processes and
functions based on operational and/or financial impacts. This is accomplished by interviewing business
process owners and asking them to describe their business processes. This interview includes the
identification of critical resource requirements (staff, equipment, etc.), vital records and data, along with
internal and external dependencies. Analysis of the data gathered through these interviews paints a picture
of the critical paths within a business at any given time. This step also identifies the business threshold for
disruption loss, including applications, systems, platforms, and infrastructure.



Business Continuity Planning Objective (Contd.)
3. Risk Assessment: The risk assessment stage identifies business continuity risks that could result in a
business process disruption or hinder recovery. A risk assessment usually includes a facility
assessment and an environmental analysis. A high-level physical inspection of a facility should
include a review of the electrical design, mechanical heating, ventilation, and air-conditioning
(HVAC) design, communications and network architecture review, physical security evaluation,
emergency egress/ingress, and structural design of the data center and call center (as applicable). The
environmental risk analysis includes the analysis of the likelihood of natural and man-made disasters
at a specific location. After the risks are identified, they should be ranked and rated by criteria
specified in the business continuity standards.
4. Recovery Strategies: The data gathered from the BIA and risk assessment portray the existing
business continuity capabilities and gaps. Recovery strategies are developed to mitigate these
potential risks. Recovery strategies and the associated estimated costs for implementation are
developed and presented to the business continuity governance board for review. It is up to the
governance board to approve and fund the chosen recovery strategies.
Business Continuity Planning Objective (Contd.)
5. Business Continuity/Disaster Recovery Plans: Business continuity planning allows for the availability of critical
business processes in the event of an incident that renders facilities, computer systems, and/or employees inoperable or
inaccessible. The goal of the creation and implementation of business continuity and disaster recovery plans is to
minimize economic losses resulting from disruptions to business functions. These plans provide steps and procedures
to facilitate an orderly recovery of critical business functions and/or systems. Business continuity plans address the
recovery of business functions and workspaces; disaster recovery plans address the recovery of the information
technology environment and systems that support the business. The provisions in these types of plans are used as the
basis for providing guidance, preparing for, and effecting recovery activities in connection with executive
management’s discretion. Tactically, the business continuity/disaster recovery plans address how to do the following:
I. Minimize business losses resulting from disruptions to business processes.
II. Provide a plan of action to facilitate an orderly recovery of critical business processes and technical infrastructure.
III. Identify key individuals or teams who will manage the process of recovering and restoring the business and/or technology after an
incident or disaster.
IV. Specify the critical business and technical activities that need to continue after an incident.
V. Outline the logistics of recovering critical business processes and technical infrastructure.
