The world has always been a risky place. Survival has been a constant historical theme. Despite all our modern inventions, we haven’t been able to eliminate risk from our lives. That’s why business professionals pay close attention to risk management. Matt Kunkel (@MK_LogicGate), CEO of LogicGate, writes, “2020 was a wake-up call for many of us. In a year marked by disruption and uncertainty, businesses faced many unique challenges. And as businesses navigated these challenges, the idea of resilience gained popularity.” Even company executives who believed their firms had a robust risk management plan, found the pandemic uncovered areas of weakness. Kunkel goes on to note that the analytic firm Gartner calls organizational resilience a strategic imperative. “According to Gartner,” Kunkel writes, “organizational resilience is ‘the ability of an organization to resist, absorb, recover and adapt to business disruption in an ever-changing and increasingly complex environment to enable it to deliver its objectives, and rebound and prosper.’ Essentially, it’s how quickly an organization can bounce back from adversity.” For many organizations, risk management and resilience starts with the supply chain.
Omer Abdullah, cofounder and managing director of The Smart Cube, argues supply chain risk management processes must be both proactive and reactive. He writes, “Proactivity and reactivity aren’t opposing schools of thought in supply chain risk management. They’re distinct parts of a complete, holistic strategy.” He continues, “For a long time now, thought leaders have professed the need to take a proactive approach to supply chain risk, and get better at anticipating disruptive events before they happen, in order to better mitigate their impacts. And for good reason. There really is no better way to safeguard your operations, supply chain or organization against disruptive events than to prepare for them before they strike. But, that perspective overlooks one critical point — there will always be a number of events that nobody sees coming.”
Preparing for Known and Unknown Risks
Abdullah is correct that organizations must prepare for both known and unknown risks. Fortunately, good planning and preparation for known risks generally makes an organization better prepared to handle unexpected risks. In an article written with his Smart Cube colleague Subash Chandar, Abdullah notes, “To manage [risk] effectively, you need to assess it at every level.” They identify four different levels of supply risk:
Level 1: Value Chain Risk. Abdullah and Chandar write, “A common pitfall in supply risk management is assessing risk at an individual supplier level first, then working your way up to developing a holistic risk view. But, in practice, assessments should always start at the value chain level. By starting with a broad, comprehensive evaluation that considers the full stream of activities required to supply or ‘develop’ a commodity or category, you can establish a deep understanding of the factors, drivers, and variables that can influence it.” The Resilient Corporation suggests there are ten major categories of Resilient Performance Indicators (RPIs) that every company needs to address. They are: Disaster management; ecosystem; financial stability; human capital; information security; legal & regulatory; public relations & media; operational risk; strategy & culture; and supply chain & procurement. All of those areas are part of the value chain.
Level 2: Category risk. As you dig deeper into your risk assessment, Abdullah and Chandar observe, “The next logical analysis level is category risk — which is to recognize the inherent factors that influence risk for a specific category. Practically, this requires a deep understanding of both the economic model that underpins a particular category and the specific influencers of those economics.”
Level 3: Supply base risk. “With the value chain and category analyses as the foundation,” Abdullah and Chandar write, “attention must now turn to assess risk across the supply base. Critically, this isn’t a one-off exercise — it’s a continuous process, where organizations constantly evaluate and re-evaluate their supply base. This is where supply risk management gets challenging — and technical. Many organizations have hundreds of suppliers to manage and keep track of, each with a unique risk profile.”
Level 4: Individual supplier risk. Many organizations learned during the pandemic that they had supplier issues. Abdullah and Chandar write, “A big advantage of using AI and dashboards to automatically assess risk across your supplier base is that it can help surface the individual suppliers that most need deep individual analysis, so that the right strategic decisions can be made about them. Historically, supplier risk assessment entailed a cursory credit check, some sort of basic financial evaluation, or an outreach to the suppliers themselves for more information. Today, however, there is a far wider toolset available to procurement executives, enabling them to consider both the quantitative and qualitative factors that make up financial sustainability and business viability.”
As the above discussion makes clear, supply chain risk management is a complex process. Jan Burian, a senior director at IDC, observes “vision, culture, process and tech must all come together” in what he calls “the complex choreography of supply chain resilience.” I like that imagery because it stresses how all parts of an organization must work together to become more resilient.
Burian reports that a recent IDC survey found that the main focus of a majority of respondents “is to improve end-to-end supply chain visibility. This aligns with the perception that a lack of supply chain visibility/flexibility hinders the ability of managers to observe changes and react to them in a timely and effective manner.” Abdullah insists simply monitoring current events and reacting to them is a losing strategy. I agree, although I don’t think that is what Burian is implying. Abdullah asserts organizations need solutions “that not only monitor the broader supply chain — identifying issues, threats and opportunities — but also the more immediate category and supplier environments. Equipped with those tools, procurement and supply chain operations teams can focus on delivering the five foundational elements of a proactive supply chain risk management strategy.” He explains what those five proactive elements entail:
1. Risk Assessment. Abdullah indicates risk assessment includes “determining the right risk focus areas, including which suppliers to monitor most closely, and key categories that are either most exposed to risk, or most critical to your operations.”
2. Data Collection. This activity means “acquiring and bringing together the right data about those categories and suppliers, to help you learn more about them.”
3. Insight Generation. This element involves “converting [collected] data into insights, organizing and understanding how each data point could influence relevant micro and macro risk categories.” Of course, in order to generate these insights, organizations need cognitive solutions, like the Enterra Supply Chain Optimization System™, that leverages embedded advanced analytics and machine learning to provide decisionmakers with actionable insights.
4. Collaboration. According to Abdullah, sharing and disseminating insights is essential “to ensure the right people are equipped with the information they need to make the right decisions at the right time.”
5. Implementation. None of the above elements matter much if you don’t (or can’t) do anything with the insights you’ve gained. Implementation requires “driving the right actions and ensuring that people at all levels are empowered to convert insights into actions proactively.”
Abdullah adds, “A proactive approach to supply chain risk management can help you mitigate threats, ensure business continuity, and prevent your organization from being blindsided by unforeseen crisis events. But, it can’t fully mitigate their impact. That’s where reactivity comes in. … The key to reacting successfully is balancing speed with strategy. You want to implement changes quickly, but that can’t come at the expense of your strategic priorities. Every choice must help you adapt to today’s conditions, while keeping you on the path to a better, more efficient tomorrow.” By periodically testing risk management plans, personnel are better prepared to react when an adverse event occurs. Period exercises also help ensure plans are up-to-date and revised when weaknesses appear. Kunkel insists, “Organizational resilience starts at the top with an enterprise risk management (ERM) strategy.”
Burian concludes, “A buoyant, hardy supply chain alone does not make a company resilient. Resiliency arises based on all elements of a complex value chain: demand, production, [and] supply.” In other words, the entire organization must be involved. Kunkel explains, “In order to lead a truly resilient organization, leaders must think about risk differently. This involves two things. First, create a risk-aware culture. A risk-aware organization understands that ERM is a team sport. In a risk-aware culture, each employee is empowered and equipped to recognize and act on anything they might perceive as risky. Organizational resilience cannot be siloed from department to department — it must be a unified effort across the company. Second, the approach to risk management needs to change from being reactive to proactive.” If given an opportunity to rewrite that last line, I believe Kunkel would agree with Abdullah that organizations need to be both reactive and proactive.
 Matt Kunkel, “Why Enterprise Risk Management Is Key To Organizational Resilience,” Forbes, 30 April 2021.
 Omer Abdullah, “Supply Chains Must Be Proactive and Reactive. Here’s How to Do Both.” SupplyChainBrain, 4 May 2021.
 Omer Abdullah and Subash Chandar, “The Four Levels of Supply Chain Risk,” Global Trade, 2 may 2021.
 Jan Burian, “The Complex Choreography of Supply Chain Resilience,” IndustryWeek, 6 May 2021.