Assessing Supply Chain Risk

Stephen DeAngelis

June 16, 2014

“In 2013,” writes Lora Cecere, “80% of supply chain leaders had a material supply chain disruption. It was not just one. The average company had three.” [“Can You Take the Risk?Supply Chain Shaman, 11 April 2014] She goes on to report that a study conducted by her company, Supply Chain Insights, found that, despite the unsettling truth that disruptions are common, corporate executives rate the “business pain” associated with supply chain risk as low. She asks, “How come?” How come indeed! It appears that executives are simply putting on a good face and hoping that by ignoring it the pain will go away. Cecere explains:

“[Supply chain risk management] is new. It lacks a consistent definition and set of practices. Companies reward the urgent. Risk management requires a focus on the important. It requires leadership and orchestration. Teams don’t know what to do. The companies that are the most mature learned the hard way. They had a disruption.”

For the purposes of their study, the analysts at Supply Chain Insights defined “supply chain risk management as the proactive identification and resolution of potential risks to the supply chain.” Cecere asserts, “The key word in this sentence is proactive. Unfortunately, too many supply chains are reactive. The systems respond, but they do not sense. Performance is measured by indicators, not by performance predictors. The reward systems focus on the urgent, not the important.” I’ve had a number of discussions with Cecere and we agree that sensing is going to be an essential feature of supply chains in the future. Nowhere is sensing more important than in assessing risk. Cecere concludes, “The largest gap in risk management expected over the next five years will be the management of global operations.” She believes this will be the case because global operations will continue to be more complex and there will be more variability in global demand. She recommends that companies do three things to meet these challenges. The first recommendation deals with supply chain simplification. She writes:

Recognize the Issue. Simplify Operations. This includes simplification of the product lines and the definition of standard ingredients and/or interchangeable parts. Our research supports that getting this on the product development agenda is a barrier. Mitigating this risk issue requires striking the right balance between global and local governance. There is less variability in the management of regional supply chains. Accountability and priorities are clearer.”

For several years, I have predicted that regionalization will play a much larger role in the broader context of globalization. The fact that managing regional supply chains is easier than global supply chains is only one of the reasons. Other reasons include transportation costs, regional taste preferences, and better response times. Cecere’s second recommendation deals with demand sensing.

Use Channel Data and Build Demand Sensing Capabilities. Reduce demand latency and automate the processes of demand. I work with many companies on the differences between marketing-driven and sales-driven processes and the journey to become market driven. When marketing and sales operate as functions, they are not aligned to more holistic end-to-end processes. This is growing as an enterprise risk.”

One of the reasons that Big Data analytics have received so much attention is that they can help break down corporate silo thinking and foster organizational alignment and holistic end-to-end processes. A good analytics package can also help with demand sensing as well as providing information sharing and insights. Cecere’s final recommendation involves focusing on the most important things.

Focus Where It Matters. … I hosted a webinar with David Simchi-Levi of MIT. He has defined a Risk Index which analyzes the Time for Recovery and the Financial Impact (FI) to analyze the risk of the supplier base. It is a great technique to use in supplier development and network design. … David’s methodology is a stark contrast to the conventional work on supplier development and network design. In the conventional approach, companies would look at the suppliers with the greatest spend and miss the impact on the tier 2 suppliers with low spend.”

Simchi-Levi’s approach is a good one. In a previous post [“Preparing for Supply Chain Disruptions“], I noted that no company can make itself immune to risks and supply chain disruptions. The best companies can do is make themselves more resilient. In that same post, I noted that Simchi-Levi introduced his Risk Exposure Index in 2012 and that the methodology helps companies calculate the financial impact of supply chain disruptions as well as the estimated time to recovery or TTR. [“Risk Exposure Index Starting to Gain Traction, Change Supply Chain Thinking, David Simchi-Levi Says,” Supply Chain Digest, 24 April 2013] Simchi-Levi told Supply Chain Digest editor-in-chief Dan Gilmore that “the effort to collect information on TTR across the supply chain changes a company’s approach to risk management. First, such companies realize they don’t have this data, and when they do collect the information there are usually some surprises. Second, the approach then often spurs companies to find ways to reduce TTR, and thus the financial impact.”

 

In an interview, Dr. Patchin Curtis, director of Deloitte & Touche LLP, was asked a series of questions dealing with risk assessment. [“Five questions on risk assessment,” Risk Angles, 11 February 2013] The article notes:

“Companies can spend an enormous amount of effort cataloguing the risks that could affect them at any given moment, on every front. While it’s important to develop that visibility, it’s just as important to measure and prioritize risks so that the organization is prepared to respond to them in an appropriate manner. Because the environment in which you’re operating is constantly — and quickly — evolving, it’s important that organizations are focusing on the right risks, at the right time, in the right ways. That’s where risk assessment comes in.”

The first question asked of Curtis dealt with the unknown: “Our assessments already cover everything we know can affect our business. Why would we invest time in worrying about the unknown?” Curtis responded:

“Your current assessment is only a snapshot reflecting what you know today. But your risk environment can change in a matter of days, or even hours. So your risk assessment process should incorporate monitoring activities as dynamic as your business and the threats and opportunities it faces. For example, recent advances in text analytics makes it possible to analyze large quantities of text to identify emerging threats and generate alerts.”

Clearly, Curtis agrees with Cecere that sensing is critical if you are going to make your supply chain more resilient. The second question posed to Curtis dealt with frequency of assessments: “We conduct formal risk assessments once a year. Isn’t that enough?” She responded:

“A once-a-year assessment just isn’t enough for most organizations. It may be fine for ‘static’ risks, but dynamic risks require ongoing monitoring. Consider the rate at which the risks to your organization change. Some organizations are developing near real-time monitoring capabilities for internal and external conditions using big data mining, text analytics, and data visualization techniques. These mission control centers can feed actionable information to decision makers and form the basis for a dynamic risk assessment process.”

Curtis underscores an important point. Gathering information in real-time is only a valuable activity if it can be assessed immediately so that actionable insights can be developed. After all, it is not the assessment that makes a company resilient; rather, it is the ability to respond quickly and effectively to events. The third question Curtis was asked dealt with the return on investment of risk assessment programs: “It’s hard to make the business case to invest more resources on risk management when we can’t measure the results. How do you measure the avoided costs from an improved risk assessment?” Curtis responded:

“This is one of the tougher questions in risk assessment, and the truth is that there’s no commonly accepted way to measure avoided costs. But you can and should identify the range of potential cost avoidance — and the ability to do that has improved significantly in recent years. Also, don’t forget that an effective risk assessment may equip leaders with the information they need to take advantage of value-creating risks.”

Proving a negative is a classic philosophical problem. Fortunately, for supply chain professionals, there is ample evidence of how much disruptions can cost and that they do occur. The real question is not how to measure avoided costs but whether or not a company can financially survive a disruption without being prepared. The fourth question posed to Curtis dealt with the value of technology in doing risk assessment: “Can’t we just invest in more technology to improve our risk assessments?” She responded:

“Technology can play a big role in an improved risk assessment initiative. Technology can make it easier to micro-target particular audiences and risk challenges, analyze large amounts of data from different parts of the business, and develop actionable intelligence. But technology is only as good as the underlying processes you have in place, and the people running them. Don’t expect better technology to do all the work — people are still required to validate and interpret results.”

That’s a good answer; however, I probably would have used the word “essential” instead of “big” in describing the role that technology should play. Supply chains are too complex to monitor without the aid of technology. The final question asked of Curtis dealt with the unknown: “So far we haven’t been hit with any major surprises when it comes to risk. Why change?” Curtis responded:

“The dynamics affecting the risks you’re already taking evolve endlessly, changing the potential impact to your business, and to each other. If you haven’t been struck by a major risk event, don’t take that as a reason for standing still.”

When it comes to dealing with risk, complacency and inaction are not the answer. Complacency often sets in when a lengthy period of time follows a disruptive event. That’s why Curtis recommends not standing still. Not allowing complacency to emerge is one good reason to ensure that you have a good risk management process in place. “Even if you’re on the right track,” quipped Will Rogers, “you’ll get run over if you just sit there.”