As discussed in part 1, the ‘people’ element of risk underpins the behavioural approaches to risk management in organizations; but the ‘tolerance’ and ‘prudence’ over risks within the supply chain ultimately determine the process for managing these risks in practice.
Again, Guy Allen discussed a solid process for risk management in the supply chain: from identification of the risks > to subsequent evaluation of those risks > to the prevention / treatment of those risks > and ongoing monitoring / assessment of residual risks. This process is cyclical rather than end-to-end. I’d like to expand on the thoughts here, considering some additional challenges through the risk management process:
- Identification Stage: As discussed in my last blog, goal-setting defines the strategic approach for an organization, but how does an organization collate all the risks that are relevant to the supply chain? With a dependency on an organization’s relationship with the supply chain, this can be a large project in its own right. As a snapshot, to generate an overall risk profile of the supply chain, consideration needs to be given to the various types of risk associated with the supply chain (see part 1 of this blog), the internal stakeholders (in upstream, downstream and operational procurement) and external stakeholders (suppliers, customers and shareholders). Some risks can be identified in various forums, whereas others are symptomatic or reactionary. Setting up appropriate and multi-pronged approaches to capture this feedback and information is advisable during this stage.
- Evaluation / Assessment Stage: Risk evaluation models and impact assessments are in abundance and vary in complexity. As previously discussed, the main elements to consider in evaluation are impact, likelihood and also criticality (which equates to time-sensitivity). Once risks are plotted against a relevant matrix, it’s advisable to develop a risk prioritization charter for the risks that need the most focus, without ignoring the other risks. A simple Red, Amber, Green status may suffice here.
- Planning Stage: This is a supplementary – yet optional – stage in Guy’s risk management process, based on the size of the risk prioritization charter. With more complex risk charters, by segmenting and slicing the risk profile in different ways, an effective plan of action can be developed that can be driven by both central and local procurement teams. Nevertheless, this plan should remain time-sensitive to drive momentum and be managed centrally to keep focused on the prioritization matrix from the evaluation stage.
- Treatment / Mitigation Stage: With or without the planning – and in terms of negative risks – the inevitable goal is to treat, mitigate and minimize as much risk as possible based on the organization’s tolerance. This will require auditing existing processes and profiles, delivering corrective actions and implementing appropriate systems for ongoing management. In multi-nationals or organizations with multiple business units, this risk management system needs to be incredibly robust, again, with the capability to involve internal and external supply chain members for input and maintenance.
- Residual Monitoring Stage: I liked Guy’s final link in the chain, residuality, as this is fundamental to viewing the risk management process as a cycle. As he mentions, residuality mainly boils down to ‘acceptance’; how much is an organization willing to accept against ongoing risks such as dispute resolution, fines etc. As risk is intrinsically linked to tolerance, executives should remember that ‘risk management’ doesn't necessarily mean removing the risk entirely, instead bringing it to an acceptable level for the organization’s lenience. However, tracking and tracing these risks over time through appropriate systems is imperative to ensure that they retain acceptability.
However, in my opinion, the governance that underpins the majority of risk management profiling / process management has to be communication. The frequency and sensitivity of communication need to be carefully drafted. In addition, engagement with all stakeholder groups is critical; for instance, a key operational buyer / requisitioner may have the most knowledge of a supplier’s risk based on strong relationships and repetitive ordering. If risks aren't communicated effectively across both internal and external supply chains or indeed up and down organizational hierarchies, the benefits can get lost in redundant processes and systems, with only a few people caring about them. Arguably, the risk management process should be managed by an individual with sole responsibility for driving the right inputs and outputs.
In part 3, I’ll focus on how information / communication technologies and systems can greatly assist in managing supply chain risk.