Risk managers can modify what they already do in ERM to get better assurance on supply chain risks

A client, the risk manager at a mid-size Asian trading company, recently commented: ‘The other day my boss, (the company’s CFO) asked whether our ERM programme ‘covers’ supply chain risks. My answer was ‘Yes, to a degree’ which is true, since we have supply chain risks on our risk registers, but I am concerned we are not doing enough in this area. Everything I read on supply chain risk management treats it as a separate function, but after BCM and ERM, I think there would be resistance to launching a new risk programme here. How can I modify what we already do in ERM to get better assurance on supply chain risks?’

I suspect the risk manager’s experience is a common one, so too his concern. In fact, there is no reason why existing ERM frameworks and methodologies cannot be adapted to supply chain risk. Here are some pointers.

Framework: Find a way to explain, in simple practical terms that make sense to your people, how supply chain risk ‘fits in’ with ERM and BCM. Draw a chart and give examples. Do this at the start of all early discussions, meetings and workshops relating to supply chain risk.

It is easy to underestimate how often people outside risk management are confused by these distinctions, and how much it can undermine their contribution to a programme.

Types of risk: Supply chain risk management typically considers risks that impact the sufficient flow of material along the supply chain in terms of time, quantity, quality and cost. But there are risks that arise from activities along the supply chain that do not impact material flow, but do impact your company. For example, the use of child labour by a second or third tier supplier will not of itself affect supply, but may pose a severe risk to reputation or legal compliance.

The process for identifying supply chain risks (see below), lends itself to identifying risks of this type. Since they certainly fall within the ambit of ERM, a decision should be made at the outset; do we extend our supply chain risk enquiry to include risks to the business that arise from the supply chain, but do not impact it directly? If so, state this clearly, and develop risk identification questions and tools to do so.

Integration with existing ERM structure: There are two possible approaches here. ‘Supply chain resilience’ can be added as an objective to individual business units, so that supply chain risks appear on existing business unit risk registers. Alternatively, supply chain can be treated as a separate function, with its own risk register. Both can work. The choice depends on how the supply chain is already managed across business units, and the profile and priority you want to give supply chain risk within ERM.

“In general, supply chain decisions become a trade-off between lowering costs (through global procurement and lean operations) and improving resilience

Risk identification process: Most ERM risk reviews identify risks against a set of pre-defined objectives. This approach can be adapted for risks to supply chain. The supply chain objective can be defined as: ‘To ensure the sufficient flow of material along the supply chain to achieve customer satisfaction in terms of time, quantity, quality and cost.’

For a stand-alone supply chain risk review, this is broken into four objectives (time, quantity, quality and cost), which are each considered separately, by asking: ‘What events along our supply chain could prevent us meeting our supply chain objectives?’

To understand the supply chain, the process map used in ERM should be replaced by a supply chain map. The map’s level of detail depends upon the type and purpose of the review. A strategic supply chain risk review might only show each supply chain partner’s name and location, plus storage and transport locations, and potential bottlenecks. The map for an operational supply chain risk review should also include detailed information including process times, on individual supply chain processes. There are tools available, such as SCOR®, (supply-chain operations reference model) that help map supply chains in a consistent manner over differing levels of detail.

Risk assessment process: If the purpose of supply chain risk assessment is to prioritise risks and controls, existing ERM assessment tables should be adequate to rate the financial consequences of supply chain risks. However if you see the ultimate goal of your ERM programme as integrating risk management thinking into all management decisions, you will require more of your supply chain risk assessment process. Why? Because in general, supply chain decisions become a trade-off between lowering costs (through global procurement and lean operations) and improving resilience (by ‘shortening and widening’ the supply chain). Invariably, individual managers opt to lower costs at the expense of improving resilience, because cost savings can be measured. So risk managers wanting to integrate risk management thinking into supply chain decision making should consider using one of the software tools available that put numbers against the ‘value at risk’ in any point of the supply chain.

Risk control process: A full discussion of supply chain risk control is beyond the ambit of this article. However for ERM managers, two points to note are:

• Be cautious of assurances that a risk has been ‘contracted out’ to a supply chain partner. On whose reading of the contract? Is the supply chain partner capable of managing the risk? Are there commercial reasons why the supply chain partner might still choose to renege and pay damages?

• More so than other risks, the control of supply chain risks can be augmented by the use of lead indicators.Include the identification of lead indicators in your supply chain risk control process, and consider assigning ownership for monitoring each of them to an individual manager.