Risk Management

Ideally, the risk management system is made up of all products and services that the company purchases and sells. In addition. all relevant suppliers, customers and partners should also be involved. This way, we get a complete overview of potential disruptions and impacts. Depending on the status of the current system, this approach may not be possible in a single step. In that case, priorities must be set and criteria used for the selection. 

The depiction of the entire network, the “network mapping”, is the starting point for recognizing what we refer to as risk objects. This may be branch locations, offices, factories and/or distribution centers, but also highways, harbors, channels and/or airports.  

When mapping the network, special attention should be given to the supplier network. It should not be limited to Tier 1 suppliers only, because half of the disruptions occur below the Tier 1 level. The procurement and evaluation of the needed information may involved quite a bit of effort. However, computerized approaches can help to find, analyze and prepare the information. 

By creating risk categories and, where necessary, subcategories, it becomes evident just how far these categories apply to each individual risk object. Categories that are often used, for example, include financial risks, operational risks, risks relating to the market, reputation, natural catastrophes, human error, logistics or cyber security. What is important in this context is to account for the threats that have direct relevance to the supply chain network. 

Risks are evaluated based on two factors: their likelihood and effects. While the likelihood of certain risks can often be determined based on historic data, it is cumbersome to evaluate the effects. There is no “one-fits-all” solution. However, in most cases, a small number of parameters can provide a good overview. They may be: 

• the total time until recovery; 
• the substitutability/time required for shifting 
• the availability of qualified alternatives 
• the number of affected customers/markets 
• the effects on revenue/profit margins/results 
• one-time and ongoing costs for corrective measures 
• effects on the corporate image 

In order to determine whether the network is at risk, current and accurate information is needed, ideally end-to-end about the entire network. Transparency flows from (real-time) information about the status of the network, including people, devices, equipment, information systems, orders, inventories, etc. Without a structured approach to collecting, analyzing, and communicating information about what is going on in the network, implementing meaningful risk management is very challenging. So, in the interaction with the risk identification step, we must always consider the means and tools that can be used for monitoring. 

Monitoring and assessing risks creates the transparency needed to develop action plans. Typically, action plans are based on preventative or responsive measures. A prevention plan is focused on preventing incidents. Risk mitigation is key to proactively managing risk. In contrast, responsive plans ensure rapid intervention in the event that a risk incident occurs. Each action plan should describe the processes to be followed if a particular incident should occur. 

Compliance is one of the essential components of risk management, and its documentation requirements should not be underestimated. For example, a company must have a complete understanding of its network, including all materials being purchased. It needs to know where this material is coming from and how it will be used. Moreover, it must be ensured that current and future regulations in each market are known and how they apply to all products in the supply chain network. These processes must be continuously documented and the results recorded. Over time, this creates ever-increasing demands within the company, especially given that the standards for reporting can also vary considerably. In this case, a degree of automation in compliance reporting can reduce the time and effort required and create synergies. 

In many companies, the word risk evokes negative associations. Attaining resilience in the network therefore requires a culture of risk awareness. It helps establish and maintain efficient decision-making processes in the face of unknown risks, and also enables faster response in times of a severe crisis or operational threat. One key task for managers in this context is to clearly define and communicate an organization’s tolerance for risk. Management and employees must feel empowered to relay bad news but also to share information about where and how risks have been successfully and proactively addressed.