Supply Chain Risk Management: An Emerging Discipline
First Edition, by Gregory L. Schlegel and Robert J.
Instructor: Ms. Saba Farooq

Operational Risks
Supply chain risks include internal and external quality problems, late deliveries anywhere in the supply chain, service failures due to poorly managed inventory, problems related to poor forecasting, and a thousand other events related to operational performance failures. The two prevalent horizons affecting supply chain risk management are the operational horizon, covering 0–45 days into the future, and the tactical horizon, which normally covers 1–18 months into the future.

1. Supply Risk: To further focus our discussion, we'll classify these risks into three groups: supplier risks; logistics risks; and fraud, corruption, and counterfeiting risks.

I. Supplier Risks: As mentioned, procurement professionals have been trained for many years to think about risk and contingencies, probably much more so than any other discipline within the supply chain community. One of the main reasons is that for most manufacturers the cost of raw material represents approximately 50%–70% of their total cost of goods sold. That is a huge portion of the total cost of finished products and an abnormally large risk element to the organization.
Supply Risks: [figure not reproduced in the text extraction]
II. Logistics Risks: Around the year 2000, during the Internet and e-business boom, came the concept of Business Process Outsourcing (BPO). IBM was a big proponent of this concept within its own supply chain and promoted doing what you do best and outsourcing the rest. Why did IBM and many other companies embrace this approach to supply chain management? One reason was that companies found many organizations around the globe that could do certain business functions better, faster, and cheaper. And at that time, as the Internet was exploding onto the supply chain scene, there was renewed interest in exploiting the World Wide Web to collaborate with these new BPO organizations and new partners to drive top-line growth. Every function handed to an outside party, however, also moves a piece of the operation outside the company's direct control, which is why logistics outsourcing is treated here as a risk category in its own right.

III. Fraud, Corruption, and Counterfeiting Risks: Fraudulent practice means any action or omission, including misrepresentation, that knowingly or recklessly misleads or attempts to mislead a party to obtain a financial benefit or to avoid an obligation. Corrupt practice means the offering, giving, receiving, or soliciting, directly or indirectly, of anything of value to improperly influence the actions of another party. Counterfeiting occurs when something is made in imitation so as to be passed off fraudulently or deceptively as genuine.
2. Demand Risk: Demand management has always been a difficult discipline by definition. Part of this is due to the fact that forecasts are almost always wrong to some degree. Demand management and forecasting techniques and solutions have been available to the supply chain profession for over 80 years. There are hundreds of deterministic and statistical solution providers that give companies the ability to scan historical sales and arrive at a forecast using techniques such as least squares, time series analysis, and regression analysis. We'll segment the demand risk discussion into customer risk, product risk, and logistics risk.

I. Customer Risk: There are plenty of risks on the customer side of the equation. The demand issue tends to get the most focus because the purpose of demand estimation is to project what a customer will buy, when they will buy it, and how many they will buy. With complex supply chains and large product portfolios, even before considering global markets, seasonal products, and other extraneous factors, the task is somewhat daunting.
Demand Risks: [figure not reproduced in the text extraction]
II. Product Risk: Poor product portfolio management is another important aspect of this risk pillar. By far the largest risk in this category is product failure and warranty issues. An example we all have witnessed over the last couple of years is Toyota's issues with braking systems, accelerators, and massive product recalls. Automobile manufacturers run the numbers on their risks associated with product liability and warranty probably better than most manufacturers. Their risk appetite is usually quite high, and they utilize many diverse liability, tort, and warranty insurance packages to mitigate those risks. However, continued product recalls, regardless of the industry, can lead to customer loss, fines, penalties, and potential bankruptcy. One of the most difficult elements in this pillar is new product introduction. Forecast error for products continually produced and sold to customers can become as large as 40% for a given product; forecast error for newly launched products, and the impact on the company of a poorly launched new product, can be even more dramatic.

III. Logistics Risk: In this risk pillar, logistics relates to outbound material that goes to a final assembly/packaging partner, a distribution center or warehouse, or the final customer.
3. Process Risk: These risks are inherently positioned within an organization. Another way to think about this is that the organization has better control of these risks because they occur within its own domain. The frequency of occurrence and the remedies many organizations utilize to solve these issues lie within their own four walls. Our categories for this risk pillar will be known or hard risks, unknown or soft risks, and chronic risks that can arise within a company's four walls.

I. Known Risks: These are risks that are measurable and can be planned for. Known risks, also called hard risks, include process breakdowns, poor material, poor quality control, criminal activity, poor and unreliable systems, and failure of a company's facilities and assets.
Process Risks: [figures not reproduced in the text extraction]
II. Unknown Risks: These risks are difficult to determine and are sometimes called soft risks. Examples of soft risks might be a radically new product or technology that renders a company's existing approach to the market obsolete. Unknown risks could also be a fire that destroys a plant, an attack on a plant, a weather event, time delays, or any other unforeseen disruption. An effective way to respond to these risks is to develop and practice response scenarios, which we call business continuity planning (BCP).

III. Chronic Risks: The primary characteristic of chronic risks is that when they occur they tend to cause only minor internal disruptions. They may occur continually, and because of their low impact, organizations tend to absorb the risk and develop work-arounds. The disruptions can be persistent, and because the root causes may not be obvious they become tolerated over time. Risks that could fall into this category include manufacturing yield, capacity issues, time delays, human errors, and equipment failure.
4. Environment/Ecosystems Risk: The fourth risk pillar is probably the most immature pillar, since so many new government rules and regulations, weather events, and fraud and corruption possibilities are emerging around the globe.

I. Known Risks: In this arena we could categorize risks such as currency rates, customs regulations, environmental regulations, industry regulations, and country regulations. We may not like all the regulatory statutes placed upon us, but they tend to be known and developed over a wide time span, thus providing organizations ample time to prepare for and comply with these rules. Many companies do not have the skill sets to understand and manage all the rules and regulations and therefore rely on third-party logistics providers (3PLs) and freight forwarders to ensure compliance. One caveat before we move to the unknown risks: all companies have a distinct style and attitude regarding risk, and sometimes their risk appetite is not what it should be. Consequently, they may or may not choose to adhere to all the rules.
II. Unknown Risks: Risks within this category could be political, weather and acts of God, fraud, corruption, counterfeiting, and competition. The bulk of these risks is mitigated and managed through scenario-based planning approaches, whether at a specific facility level or throughout an entire supply chain network. Most of the unknown or soft risks in this category can and should be planned for using scenario-based BCP or risk response plans. However, a few of these risks, such as fraud, corruption, theft, and counterfeiting, lend themselves to a more reactive approach.
Business Continuity Planning
Adopting a business continuity plan (BCP) is the start of a journey that ensures continuous operation of critical processes within a company and expands to include critical suppliers as the program matures. It is a concept that is absolutely central to effective risk management. Business continuity is the process of planning for and implementing procedures designed to enable continuous operation of critical business processes and functions. Incident management is the process responsible for guiding the company through an incident or disaster and executing the overall business continuity plan. The incident management team focuses on incidents that have escalated beyond emergency response and that could impact business operations (i.e., business continuity).
Business Continuity Planning (Contd.)
The responsibilities of the incident management team include the following:
1. Activate department business continuity plans and disaster recovery plans as appropriate.
2. Make workplace recovery decisions.
3. Activate disaster recovery decisions.
4. Allocate resources among recovering departments/groups.
5. Coordinate efforts between recovery and response teams.
6. Approve disaster-related purchases.
7. Develop and distribute messages to employees, customers, and vendors.
8. Provide direct updates to the executive team.
9. Carry out governance board and executive directives.

Emergency response is the process responsible for human and life safety issues during an incident. The emergency response team leads the evacuation and assembly or shelter-in-place activities.

Business Continuity Planning Objective
The objective of a business continuity plan is to ensure the availability, reliability, and recoverability of business processes serving a company's customers, partners, and stakeholders. In order for business continuity to be effective, it must be an integral part of the business planning life cycle. Whenever business changes impact a process or function, business continuity considerations must be evaluated and adjusted as necessary to understand the effect on existing recovery strategies and plans. We all make plans based on trade-offs of costs and benefits. Business continuity formalizes a company's overall approach to effective risk management and should be closely aligned with the company's incident management, emergency response management, and information technology disaster recovery. Successful business continuity management requires a commitment from the company's executive team in order to raise awareness and implement sound approaches to building resilience.
Business Continuity Planning Objective (Contd.)
The Business Continuity Life Cycle: The business continuity life cycle includes six stages:
1. Governance
2. Business Impact Analysis
3. Risk Assessment
4. Recovery Strategies
5. Business Continuity/Disaster Recovery Planning
6. Test and Verification
1. Governance: Senior management involvement and support are critical to the success of a company's business continuity program. Executive buy-in keeps the business continuity program aligned with the company's strategic direction and business objectives, and it ensures that the program is able to obtain appropriate resources and visibility. Without adequate senior management involvement and support, a business continuity program risks losing effectiveness and alignment with business strategy, misspent or unfit resources, gaps between capability and requirements, or, in the worst case, senior management eliminating business continuity altogether because they do not see the value in the investment.

2. Business Impact Analysis (BIA): A BIA is a methodology to identify critical business processes and functions based on operational and/or financial impacts. This is accomplished by interviewing business process owners and asking them to describe their business processes. The interview includes the identification of critical resource requirements (staff, equipment, etc.), vital records and data, and internal and external dependencies. Analysis of the data gathered through these interviews paints a picture of the critical paths within a business at any given time. This step also identifies the business threshold for disruption loss, including applications, systems, platforms, and infrastructure.
3. Risk Assessment: The risk assessment stage identifies business continuity risks that could result in a business process disruption or hinder recovery. A risk assessment usually includes a facility assessment and an environmental analysis. A high-level physical inspection of a facility should include a review of the electrical design, the mechanical heating, ventilation, and air-conditioning (HVAC) design, the communications and network architecture, physical security, emergency egress/ingress, and the structural design of the data center and call center (as applicable). The environmental risk analysis covers the likelihood of natural and man-made disasters at a specific location. After the risks are identified, they should be ranked and rated by the criteria specified in the business continuity standards.

4. Recovery Strategies: The data gathered from the BIA and risk assessment portray the existing business continuity capabilities and gaps. Recovery strategies are developed to mitigate these potential risks. Recovery strategies and the associated estimated costs for implementation are developed and presented to the business continuity governance board for review. It is up to the governance board to approve and fund the chosen recovery strategies.

5. Business Continuity/Disaster Recovery Plans: Business continuity planning provides for the availability of critical business processes in the event of an incident that renders facilities, computer systems, and/or employees inoperable or inaccessible. The goal of creating and implementing business continuity and disaster recovery plans is to minimize economic losses resulting from disruptions to business functions. These plans provide steps and procedures to facilitate an orderly recovery of critical business functions and/or systems.

Business continuity plans address the recovery of business functions and workspaces; disaster recovery plans address the recovery of the information technology environment and systems that support the business. The provisions in these types of plans are used as the basis for providing guidance, preparing for, and effecting recovery activities at executive management's discretion. Tactically, the business continuity/disaster recovery plans address how to do the following:
I. Minimize business losses resulting from disruptions to business processes.
II. Provide a plan of action to facilitate an orderly recovery of critical business processes and technical infrastructure.
III. Identify key individuals or teams who will manage the process of recovering and restoring the business and/or technology after an incident or disaster.
IV. Specify the critical business and technical activities that need to continue after an incident.
V. Outline the logistics of recovering critical business processes and technical infrastructure.