Assessing the Time Element of Supply Chain Risk Management

Stephen DeAngelis

February 23, 2012

Last year, the Editorial Staff at Supply Chain Digest wrote, “Risk management was … little talked [about] a decade or so ago, but now it is near the top of every supply chain executive’s priority list.” [“Adding a Velocity Dimension to Risk Management,” 26 May 2011] According to the staff at Logistics Manager, things haven’t changed, it reports, “Retailers and manufacturers are increasingly focusing on risk in their supply chains, according to KPMG’s latest global CFO Consumer Markets survey.” [“Supply chain risk moves up the agenda,” 13 February 2012] The article continues:

“The current economic uncertainty is cited by nearly half of respondents (44 per cent) as the biggest risk that these global consumer companies face. This is followed by political instability (27 per cent) where recent clashes have been seen in China and the Far East over large scale job cuts. Consumer companies also cite supply chain issues as presenting one of their greatest operating risks in emerging markets. Recent examples include the explosion of the Fukushima nuclear plant in Japan, the political upheaval in Asia, floods in Thailand and earthquake in New Zealand. The report ‘Turning global risk into an opportunity’ surveyed 350 senior finance executives in the retail, food, drink and consumer goods manufacturing industry. It found that companies are showing greater appetite for risk reviews, as finance leaders and their boards meet more frequently to discuss the key risks.”

I found it interesting that KPMG survey interviewed Chief Financial Officers about risk management; but, I’m not surprised. Henry Ristuccia, a partner with Deloitte & Touche, told Russ Banham, “While more companies are now appointing chief risk officers, many don’t have that position, and therefore responsibility for risk management ends up with the board and the CFO.” [“Disaster Averted?CFO Magazine, 1 April 2011] To learn why some analysts believe that defaulting to the CFO is a bad idea, read my post entitled Supply Chain Risks: Who’s in Charge and What are They Looking At? Regardless of who is paying more attention to risk management, Gerry Penfold, risk consulting partner at KPMG, concludes, “More regular communication with senior colleagues on risk issues will lead to greater resilience at a time of increased uncertainty and more tangible assurance for the board.”


It is little wonder that risk management is climbing the priority list. As I’ve pointed out in several past posts, events that could potentially disrupt supply chains are on the rise. The following graphs, taken from an article by Stephan Wagner and Nikrouz Neshat, provides one such analysis. [“Assessing the Vulnerability of Supply Chains Using Graph Theory, International Journal of Production Economics, Vol. 126, No. 1, July 2010, pp. 121-129]




Daniel Dumke, commenting on the Wagner and Neshat paper, notes that “several factors help increase the vulnerabilities of today’s supply chains. When supply chain complexity increases (e.g., supply chain length, higher division of labor, …), the vulnerabilities also rise. Furthermore there is evidence that natural and man-made disasters are on the rise as well.” [“Assessing Vulnerability of a Supply Chain,” Supply Chain Risk Management, 10 October 2011] Rather than throw one’s hands up in despair over rising risks, Dumke reports that Wagner and Neshat recommend that companies hire mathematicians to help them “calculate a Supply Chain Vulnerability Index (SCVI).” The SCVI involves “a four step algorithm based on graph theory.” Dumke concludes:

“I really like the graph approach to assessing supply chain vulnerabilities. And I think it is a great method to support the understanding of a complex system like the supply chain. The article combines two very interesting aspects of it: the practical implementation and the assessment of supply chain vulnerability and a survey to compare different vulnerability levels across industries. … From a business and research point of view this article should direct the supply chain risk management efforts especially in the industries with the highest risk levels, Automotive and ICT.”

One aspect of risk management that didn’t seem to be addressed in the SCVI process is the element of time. The Supply Chain Digest article notes, “Many companies have or still use a simple 2 x 2 framework for assessing and managing risk, where on one dimension is the likelihood of occurrence (high or low) and the other the level of impact (high or low).” A more sophisticated framework, the article states, is one that uses “a higher level of granularity, recognizing that there are more intervals of supply chain impact or likelihood than just High or Low.” The article provided the following framework as an example.




The article went on to report that at an “ISM conference, supply management veteran Robert Kemp made an interesting point during one session: that another dimension beyond likelihood and impact needs to be added, and that is the likely velocity of the event or risk.” That’s a great point. Even an imminent event might unfold slowly. For example, a hurricane making its way across the Atlantic unfolds much more slowly than a tornado spawned suddenly by a super-cell. The article muses, “Though you could argue that there is some overlap between velocity and impact, we think there are also differences, and that it makes a lot of sense to add velocity to these frameworks. We are struggling, however, to figure out how to represent that in a now three-dimensional image.” If you have any good ideas, they’d like to hear from you.


Daniel Dumke discusses a chapter from the book Managing Supply Chain Risk and Vulnerability: Tools and Methods for Supply Chain Decision Makers, edited by Teresa Wu and Jennifer Vincent Blackhurst, that discusses the time dimension of risk in a slightly different way. [“Let me help you with… Time-Based Risk Management,” Supply Chain Risk Management, 31 August 2011] The chapter was written by Professors ManMonhan S. Sodhi and Christopher S. Tang. Dumke writes:

“The time-based risk management approach aims to travel on this thin line [between the cost of reducing risks and maximizing profits] and delivers a strategy to mitigate disruption risk without compromising profits. It consists of three time frames which should be [the] focus of the risk manager:

  • time to detect a disruption (D1),
  • time to design a solution (D2),
  • time to deploy (D3),
  • time to response is set to the sum of D1 to D3 (R1), and
  • time to recover (R2)

“The authors argue, that prior work has pretty much focused on the generation and selection of recovery plans, but only after the event has occurred. … Time-based risk management now tries to reduce the time needed for the other elements, since ‘just as 80% of the total cost of a product is determined during the product design phase, the activities that take place for designing response can have significant effect on the overall impact of a disruption.’ … Furthermore, based on three case studies … the authors argue that a longer response time can also lead to hugely increased recovery times. ‘This is mainly because the magnitude of the problem triggered by the event escalated exponential[ly] over time.'”

The thing I like about this approach is that it forces risk managers to focus on situations in which the time between detection and response is near zero (i.e., events with very high velocity). Dealing with events that unfold more gradually is a much easier task if a company can master responses to high velocity events. Dumke continues:

“The authors name five time-based disruption management strategies to reduce the response time (R1) and therefore also the recovery time (R2).

  1. Work with suppliers and customers to map risks
  2. Define roles and responsibilities
  3. Develop monitoring/advance warning systems for detection
  4. Design recovery plans
  5. Develop scenario plans and conduct stress tests”

Dumke concludes:

“Sodhi and Tang use very illustrative cases to make their points for a time-based risk management approach. This approach represents a corporate strategy which of course has to include a very broad definition of supply chain management. So not only the logistics and manufacturing parts are included, but also product design, finance, [and so forth].

I suspect that the time element is often overlooked in corporate risk management discussions. Carol McIntosh writes, “Recent natural disasters are forcing supply chain executives to take a hard look at their supplier relationships. There has always been a risk of natural disasters but the frequency is increasing with more substantial consequences. The global nature of the supply chain creates more risk as the consumer is much more likely to buy elsewhere. Companies can’t rely on customer loyalty.” [“What’s the cost of addressing supply chain risk?” The 21st Century Supply Chain, 26 July 2011] She continues, “Supply chain risk analysis involves a number of criteria. Cost is one, but also the characteristics of the material. Is it custom? Are their capacity limitations with your supplier? Are there currency risks? What is the lead-time?” I think the folks at Supply Chain Digest are right to add: How fast can the risk unfold? McIntosh cites an article that concludes, “Companies that manage supply chain risks effectively will outperform those that ignore or are blindsided by them.” One of those blindsides could be time.