Supply Risk Management

From eSourcingWiki

Mitigate Risks and Reap Rewards



Supply chain risk can formally be defined as the potential loss resulting from a variation in an expected supply chain outcome. It is the mismatch between supply and demand.

Traditionally, supply chain risk was often the result of inadequate spend visibility, lack of deep supplier and market information, poor inventory management, poor supplier collaboration, and inefficient coordination heightened by a lack of infrastructure, skills, resources, research, and technology as well as language and cultural barriers.

Today, matters are much worse. With today’s focus on efficiency, lean “just in time” inventories, outsourcing, supply base reduction, centralized distribution, more and faster product launches, low cost country sourcing and supply chain globalization in a highly volatile global market place, companies are at greater risk than ever before. When one considers that 10% of active suppliers represent 80% of spend in many of today’s enterprises, and that many companies lack visibility into their supply chains beyond their tier one suppliers, supply risk management is becoming key to ensuring continued operations in a profitable manner.

After all, the effect of a supply chain disruption goes beyond just late shipments, lost production time, and delayed execution times. It can cause stock outs and lost sales, missed customer expectations, quality and safety concerns, project failure, market exposure, and lost credibility. It can increase costs, reduce bargaining power, and even influence poor supplier selection as the organization struggles to correct the imbalance. (It can even devastate a company’s stock price. A recent study in the International Journal of Operations and Production Management that analyzed the effect of supply chain disruptions on long-run stock price performance over a three year period found that stock returns of companies experiencing significant supply chain disruptions trailed returns of their peers by 33% to 40%.)

The importance of supply chain risk management cannot be ignored. According to Aberdeen’s benchmark study on Supply Risk Management in October of 2005, more than 80% of supply managers at 180 global enterprises reported that their companies experienced supply disruptions within the past 24 months. Supply glitches negatively impacted their companies’ customer relations, earnings, time-to-market cycles, sales, and overall brand perception. Furthermore, it found that more than 75% of companies expect supply risks to increase over the next three years.

And yet, according to the follow-up study Supply Risk Increasing While the Market Stands Still in April of 2007, only 49% of organizations have bothered to implement a Supplier Performance Management and Risk Management program.

However, enterprises that have adopted comprehensive supply risk assessment and management programs, which include the leverage of deep supplier and market information, have reduced the frequency of supply risks and outperformed their peers in supply performance and costs. More specifically, best-in-class companies that have had programs in place for at least three years, measure over half of their supply base regularly, and engage in risk management in at least 70% of their supply base enjoy:

  • 92% effectiveness in product and service quality
  • 91% on-time-delivery
  • 87% price competitiveness
  • 85% service and performance capability

Risk Basics

This section covers the various types of supply chain risk, which extend well beyond simple supply disruptions, the need for resilience in daily operations, and the classic strategies for dealing with such risks. An organization needs to prepare for different types of supply chain risk, build resiliency into its daily operations, and be aware that not all of the classic strategies used to prepare for risk are applicable in today's operating environment.

Risks arise at many levels. They can be internal risks that result from daily operations, network risks within supply chain or partner interactions, industrial risks common to all companies operating in the industry, or environmental risks beyond anyone’s control. They range in severity from minor deviations in supply and demand through supply chain disruptions that can knock out part of an organization’s supply chain to serious disasters that will force a temporary irrecoverable shutdown of (a substantial) part of an organization’s supply chain.

This wiki uses the definitions of R. Gaonkar & N. Viswanadham of The Logistics Institute (Asia Pacific) at the National University of Singapore, as found in their Indian School of Business Working Paper “A Conceptual and Analytical Framework for the Management of Risk in Supply Chains”. Specifically, a deviation is when one or more parameters stray from an expected value without any changes to the underlying supply chain structure. A disruption is when the structure of the supply chain is radically transformed through the unavailability of certain facilities, suppliers, or transportation options. A disaster is when a temporary irrecoverable shutdown of the supply chain network occurs due to unforeseen catastrophic system wide disruptions.

Internal Risks

Within an organization, there can be machine related issues, quality problems, materials and parts shortages, and communicable illnesses among staff on an almost daily basis that could lead to deviations. Furthermore, unexpected employee strikes and opportunistic behavior by senior management could lead to significant supply chain disruptions in the long term.

Network Risks

From a network perspective, an organization is subject to the risks associated with increasing customization, outsourcing, and collaboration. A disruption to the supplier or third party logistics carrier is a disruption to the organization. Their organizational risks and performance problems become the organization’s network risks. Furthermore, the organization risks deviations due to fluctuating transportation capacity constraints, disruptions due to failures in communication lines, customs delays, port slowdowns, supplier bankruptcy, and government (over) reactions to crisis situations (such as border closings).

Industrial Risks

From an industry perspective, the emergence of a new technology or a new business model could cause considerable deviations and disruptions to the business across the spectrum.

Environmental Risks

From an environmental perspective, an organization is subject to variations and deviations in expected demand, supply, and lead times that can result from shifts in consumer spending, inflation, and unpredictable economic changes such as foreign exchange fluctuations, governmental policy changes, free trade zones, and energy price fluctuations. An organization is also subject to disruptions from human perpetrated acts such as sabotage, theft, crime, strikes, and slowdowns and disasters that result from terrorist attacks, civil wars, failing states, freshwater shortages, large scale natural disasters such as earthquakes, hurricanes, typhoons and pandemics, and major geopolitical events.

Compliance Risks

Regulatory and compliance risk is becoming more and more common around the world. It used to be just Sarbanes-Oxley that an average organization had to worry about, but now there are multiple security related acts and programs such as Customs Trade Partnership Against Terrorism (C-TPAT), the World Customs Organization (WCO) SAFE framework, and the European Union (EU) Authorised Economic Operator (AEO) programs. These come in addition to the Office of Foreign Assets Control (OFAC) regulations and to multiple versions of the European Union’s (EU) Restrictions on Hazardous Substances act and the European Commission (EC) Waste Electrical and Electronic Equipment (WEEE) directive popping up all around the world (even in China!).

Strategies for Resilience

In order to effectively manage these disruptions when they occur and maintain profitability and effective operations, an organization needs to be resilient to predictable and recoverable supply chain risks. Resilience is the inherent ability of an enterprise to return to normal performance levels following a supply chain disruption. Resilience can be achieved through classic redundancy mechanisms or built-in flexibility.

Classic Strategies

Classic mechanisms for dealing with unforeseen supply chain deviations and disruptions included adding safety margins to lead times, maintaining extra “just in case” inventory, frequent queries of order status, reserving capacity, lining up distribution alternatives, dual sourcing, and order expediting when a disruption occurred.

Safety Margins

With safety margins, a company produces slightly more units than it is forecasting to sell, in case demand spikes, to ensure that it has enough units to meet customer demand. The advantage is ensured customer satisfaction and no negative stock-out stories hitting the press, but the disadvantage is that the company incurs additional costs and, if the company sells fewer units than forecasted, it might not even break even because of the additional cost associated with the safety margin.

Just-in-Case Inventory

With just-in-case inventory, the company maintains extra inventory of all of the raw materials or component parts it uses in production. This covers a demand spike, where it has to make more units quickly; a supply shortage, where demand unexpectedly exceeds supply; or a missed shipment or late delivery, where the raw materials or components do not arrive on time and it can’t afford to shut down a production line. The advantage of this strategy is, obviously, reduced downtime and stock-outs, but it also has the disadvantages of increasing costs and decreasing an organization’s ability to respond rapidly to demand changes and consumer preference shifts.

Reserved Capacity

With reserved capacity, a company will take one of two approaches. If it produces in house, it will not maximize utilization of a production line in planning to allow for more units of a product to be created quickly in case of a demand spike. If it uses a contract manufacturer, it will reserve up-front, usually through a cash payment, more production time than it actually expects to need to allow for rapid production of additional units. Reserved capacity has the advantage of allowing the organization to respond to demand spikes quickly, but it decreases the value of, and return on, operational investment.

Order Expediting

In order expediting, a company will accelerate a planned shipping schedule by paying for a faster shipping method at the last minute. For example, parts that would usually ship by sea will be shipped by air instead. This usually happens to meet a demand spike or to prevent a plant shutdown if a scheduled shipment does not arrive on time. Although order expediting, when judiciously applied, has the advantage of preventing a production line shutdown, it has the serious disadvantage of significantly increased logistics costs while diverting shipment capacity away from other products.

Distribution Alternatives

A company using this strategy will plan out alternative methods of distribution in advance, in case a preferred carrier can’t handle the demand, a port slowdown or shutdown occurs, or another predictable supply interruption using the primary supply method or route occurs. It might even contract with its secondary suppliers for reserved capacity on such routes. This is one of the two classic strategies whose advantages, when applied correctly, outweigh its disadvantages. Simply planning for alternatives and having those plans in place ready to go in case of emergency requires very little time and investment.

Dual Sourcing

A company employing the dual-sourcing strategy will either source from two different suppliers, preferably in two different locations, or source from one supplier with multiple, geographically dispersed, plant locations. It will then either use materials and products from both locations or ensure that production can be moved to a second location within a very short timeframe should a production interruption occur at the first location or demand exceed the capacity of the first production location. This is the other of the two classic strategies discussed whose advantages generally far outweigh its disadvantages.

Modern Strategies

The good news is that it is possible to design supply chains that are robust enough to profitably continue operations in the face of expected deviations and unexpected disruptions and quickly recover from disasters. The foundation is a strong, stable supply network forged from good supply base management, strong supplier links, and continuous improvement and a corporate culture that embraces change and flexibility.

In fact, the factor that has been found to most clearly distinguish companies that bounce back quickly from a disruption from those that do not is a corporate culture geared towards flexibility. A flexible culture is one where communication is pervasive and continuous. Low-level employees have the power to make decisions and the end goal is continuous improvement.

True resilience comes from attacking supply chain risk from all the angles and having operational, tactical, and strategic plans to deal with it. Operationally, companies need to be able to quickly fill in gaps that result from disruption and reschedule activities so that business processes remain synchronized and deliveries are made within customer delivery windows. Tactically, plans need to have redundancies in terms of human resources, machine resources, logistics and supply organizations to allow for this flexibility. Strategically, companies need reliable partners with intrinsic capabilities in deviation and disruption handling, and the skills and ability to adapt to changing market conditions.

Five common strategies for building resilience into the supply chain and mitigating risks are production versatility, concurrent processes, decision postponement, risk-mitigating sourcing strategies aligned with organizational supply base management strategies, and business process management. These are sometimes complemented by cycle time reduction, market intelligence, price hedging, contracts, collaboration, training, and incentives.

Production Versatility

Production versatility is the ability to move production between plants, use interchangeable and generic parts (Build to Order), and apply employees to different tasks. The ability to move production between plants minimizes risk of complete supply disruption with respect to a part or product. The use of a small number of commodity parts simplifies operations, concentrates procurement outlays, and creates the flexibility to move the business among suppliers. Flexible cross-trained employees will be able to step in and get the business back on track when something goes wrong.

Concurrent Processes

Concurrent processes with respect to product development, ramp-up, and production/distribution allow an organization to reduce time to market, decrease the time required to recover from supply disruptions, and improve overall operating efficiency.

Decision Postponement

Designing products and processes for maximum postponement of as many operations and decisions as possible in the supply chain, thereby enabling build to order operations, allows for the diversion of parts and semi-finished material from surplus areas and products to satisfy shortages.

Sourcing Strategies

Risk-mitigating sourcing strategies aligned with supply base management initiatives minimize the possibilities of preventable disruption, maximize response time, and allow for the definition of contingency plans for immediate execution upon a supply chain disruption. There should be a contingency plan for each priority disruption that includes both a detailed description of the procedure to follow and a definition of roles and responsibilities in the event of the disruption.

Business Process Management

With regards to supply risk management, especially with regards to suppliers, it is important to establish clear expectations, provide timely feedback when performance falls short, and manage consequences. Reward suppliers that succeed and penalize suppliers that fail. Undertake joint efforts with strategic suppliers to optimize cost, inventory, processes, and flexibility. Manage key categories with a sound understanding of the commodity markets and devise substitution options when an impending shortage might be on the horizon.

Cycle Time Reduction

One of the best general ways to mitigate risks is to minimize the cycle times it takes to complete each stage of the product lifecycle. If the time for inception, design, prototype, sourcing, manufacture, distribution, and shipping is reduced, it will not only minimize the chances of something going wrong within the cycle, but minimize the time it takes to correct a disruption, especially if the organization has already optimized not only its corresponding continuity plans but also its continuity planning process. Having the ability to react and execute quickly is always key in not only preventing, but recovering from, a disruption.

Market Intelligence

Another great way to mitigate risks is to understand what the various risks relevant to the organization are and how likely they are to occur. Hurricanes just aren’t very common in the middle of large landmasses, earthquakes tend to happen along fault lines, and tornadoes and tsunamis also only happen in locations where the right weather conditions could form. Civil war is not likely to break out in areas where there is no civil or political unrest, exchange rate fluctuations are usually predicted by changing economic indicators, and prices don’t generally rise for raw materials where demand is falling. Knowing what the risks are, where they are likely to occur, and what their probabilities are lets the organization focus on creating contingency plans for the right risks.


Collaboration

It’s a lot easier to recover from a disruption with help than it is to recover from a disruption without help, and collaborating with suppliers and partners up front on the creation of contingency plans greatly increases the probability that the plans can be executed without unexpected surprises or the introduction of further disruption.


Incentives

“Incentivize for success” has the same relevance in risk management as it does in other areas of sourcing and procurement. Provide incentives for supply chain partners and suppliers to go above and beyond the call should a disruption occur, and it is much more likely that they will.

Price Hedging

If market intelligence indicates that the price of a commodity is likely to fluctuate wildly during the term for which the organization desires to establish a contract, consider using price hedging to provide it both with stable supply and cost. The organization might pay a little more up-front, but it might ultimately save a lot of cost and, more importantly, grief to lock in desperately needed supply up front.


Training

This strategy can be used to augment each of the other strategies by making sure that personnel are well trained not only on how to do proper risk assessments and continuity planning, but also on how to execute those plans and perform other functions as back-ups in case the organization happens to lose key personnel due to strikes, natural disasters, or forced relocation from its primary facilities.


Contracts

If one were to ask the legal team, one would probably hear that the best way to mitigate risks is to ensure they are someone else’s responsibility and put contracts in place to that effect. They’re at least partially right. Although it should be a company’s responsibility to ensure continuity of the supply it needs to keep operating, it should not also be a company’s responsibility to ensure its suppliers’ continuity of supply. A good contract can help the organization to combat authority limit risks, regulatory non-compliance risks, security risks, terms and conditions risk, environment, health, and safety risks, and reputation risks, just to name a few.

Major Risks and Mitigation Strategies

This section discusses six major types of risk and the appropriate mitigation strategies and management approaches for each.

Strategy Risk

This is the risk associated with not choosing the right supply management strategy. What’s right for one business might not be right for another. For example, a small family-run business may opt to source locally because they do not have the resources needed to manage a global supply base.

The mitigation approach is to define the right strategy up front, possibly with assistance from external consultants and experts, identify and qualify the right suppliers for the business, and use reliable market intelligence to drive decisions, possibly supplemented by external sources.

Market Risk

This is the risk associated with brand management, compliance management, financial performance, and market exposure. Remember that when an organization outsources part production or even entire product lines, it is putting itself at the mercy of its suppliers. If they deliver a sub-par product, or fail to deliver completely, it is the organization that will be on the line. The customers will be looking to the organization, not to its suppliers, for an explanation.

The mitigation approach is to pinpoint the product line’s quality standards tolerance, and determine the possible impact of a compromise. Monitor production batches closely to detect early warnings before potential issues wreak havoc with the firm’s brand, ability to meet compliance regulations, and the bottom line.

Implementation Risk

This is the risk associated with supplier implementation lead-times and production/performance ramp-up. It’s critical that an organization have a good understanding of the suppliers they are working with, what their capacity issues are, and where they could improve before contracting with them. It’s also important that an organization remember that working with a supplier where its business is only a fraction of the supplier’s total revenue means that the organization may not get the level of attention the organization desires.

The mitigation approach is to ramp up new suppliers quickly to gain early visibility into potential risk factors that might hinder production, lead times, or initial performance. Then collaborate with the supplier on resolving these potential risk factors before they become a problem.

Performance Risk

This is the risk associated with ongoing supplier quality and financial issues. After a supplier is selected, even if a considerable amount of work went into the qualification process, there’s still considerable risk and a lot of work to be done. Companies can be acquired, go out of business, or shift strategy at any time. Constant vigilance is required.

The mitigation approach is to continuously monitor all organizational suppliers to avoid disruptions caused by bankruptcies, performance issues, ownership changes, labor strikes, geopolitical changes, and other unpredictable occurrences. Don’t be afraid to tap technology to achieve the level of monitoring necessary to ensure this risk is mitigated to the full extent it can be.

Demand Risk

This is the risk associated with inventory fluctuations and challenges. Note that while some suppliers may jump at the opportunity to take on new challenges, enthusiasm does not imply that they are in the best position to deliver.

The mitigation approach is to watch suppliers carefully for signs they are overwhelmed with new business and take action to shift demand away to other suppliers if this appears to be the case. A supplier’s desire to grow their business should not affect organizational decisions.

Human Risk

At the foundations, supply chains are made of people – people sourcing product, people building product, people shipping product, people selling product, and people taxing product – and people are fallible. A recent article highlighted six types of human risk that one needs to watch out for in order to succeed in his or her risk management efforts:

  • assuming disruptions can only occur at normal operating strength
  • assuming your company is the only company that can be affected by a disruption
  • ignoring the supply risk associated with demand pooling tactics
  • ignoring demand risk when choosing supply-continuity tactics
  • allowing managers' risk attitudes and timelines to determine strategy
  • building short-term resiliency at the cost of long-term vulnerability

The proper mitigations are, of course, awareness, education, and training.

Robust Supply Chain Design

Designing a robust supply chain and a resilient supply base is a straightforward seven-step process that starts with defining risks and ends with the definition of mitigation and forward-looking monitoring activities. Specifically:

  • Assess Risk Probabilities and Risk Impacts
  • Select the top n high-probability high-impact risks
  • Identify Risk Mitigation Strategies
  • Maintain executive level visibility into exposure and dependency
  • Implement the strategies
  • Monitor the supply chain
  • Maintain complete, accurate, and forward looking supplier information

Risks can be classified according to how likely they are to occur and how devastating the consequences can be. Contingency plans must exist for every risk that is both likely and known to have a significant impact. Remaining risks should be prioritized and contingency plans outlined for the top 10 or 20, depending on how many make sense from a cost-benefit analysis. All potential risks from an organizational, network, industry, and environmental perspective should be considered. In order to identify the top 10 or 20 supply chain risks, start by evaluating high-margin, high-revenue products to identify which disruptions could potentially have the greatest financial impact. Then identify the key processes that are likely to be affected by disruptions and characterize the facilities, assets, and human populations that may be affected.

Once a risk is identified, risk mitigation strategies should be identified and the best ones implemented. In addition, executive level visibility into exposure and dependency should be maintained at all times. This will ensure that the executive team is aware of the potential issues that could arise and that the proper focus on risk management will be maintained, helping to ensure the procurement group gets the support that it needs.

Implementation will include a modification of internal processes or defining a contingency plan, depending on the type of risk and its severity. For example, demand fluctuations would probably be dealt with by implementing order visibility systems that monitor consumption and spending levels and analyzing trends for unexpected changes whereas a disaster that took out suppliers and distributors within a region would require a contingency plan that specified the ramp up mechanisms for alternate suppliers and distribution centers in an unaffected region.

The supply chain will need to be monitored on a regular basis to detect deviations and disruptions quickly and to ensure that contingency plans, when required, are initialized and executed as efficiently as possible. Effective management and monitoring is a core business discipline that defines and enforces standard performance and risk measures and assessments, collaborates with suppliers to detect and mitigate risks, and leverages sourcing technologies and information services to improve risk planning, monitoring and response. It consists of appropriate supply chain and sourcing strategies that balance cost, performance, and risk and strong supply base management focused on continual improvement.

Furthermore, it’s important that complete, accurate forward-looking supplier information be maintained. It’s not just the business that an organization is doing with its supplier today that is important, but the business the organization plans on doing with its supplier tomorrow, next month, and next year. It’s important to ensure that suppliers have the capability and sustainability to deliver not only now but in the future. By maintaining complete, accurate data the organization can run regular analysis and apply predictive analytics to determine if there are any signs of future issues that need to be resolved before they arise.

Proper supply base management is the process of determining not only what the right number of suppliers is but who the right suppliers are. It’s the right balance between supply base reduction to reduce administrative overhead and cost and supply base expansion to mitigate single source or dual source risks. It requires a good understanding of supplier capabilities and supply market dynamics. It includes continual supplier development, which is not just a reactive process that identifies and fixes problems but a proactive process where an organization works with suppliers to drive continual performance improvements to make sure the supply base stays best in class. This is generally accomplished by performance incentives, direct involvement, which may take the form of training and education or collaborative projects, and regular supplier monitoring and assessment.

Note that there are lots of ways to add resiliency to the supply chain. These include, but are not limited to:

  • using common components and configure to order processes whenever feasible,
  • avoiding sole source arrangements,
  • reserving capacity, implementing maintenance and spares strategies when single sourcing must be used, and allowing for process redundancy,
  • distributing supply among multiple cities, countries, and regions,
  • centralizing safety stocks regionally,
  • holding inventory in unprocessed states for flexibility,
  • consistently and regularly measuring and improving forecast accuracy,
  • rationalizing product lines,
  • building rapid re-supply provisions into supplier contracts,
  • collaborating with customers for "early warning" of potential needs,
  • using performance-based contracts with Service Level Agreements, and
  • sourcing locally within the target market to facilitate site visits, minimize cultural differences, and increase manageability.

Supplier Audits

One of the best ways to start a new risk management initiative is with a comprehensive supply chain risk audit, especially when Aberdeen’s Global Supply Chain Benchmark Report found that only 11% of companies are actively managing risk, even though a single disruption could easily cost six, seven, and even eight figures to recover from.

A good supply chain audit will identify where an organization’s supply chain may be vulnerable, the strengths and weaknesses of the supply chain, where response programs are weak, and where safeguards or alternative sources are missing.

A supply chain vulnerability audit is a three-step holistic process that encompasses the entire supply chain, starting with a company’s customers and the products they purchase, then working backward to the uppermost tier of raw material suppliers. The result is a plan for resiliency in the form of the right facilities, the right suppliers, the right logistics plans, and the right amount of flexibility.

A Selected Bibliography

Aggregating Risk and Intelligence in Networked Value Chains by William Mougayar, May 2001

Conceptual and Analytical Framework for the Management of Risk in Supply Chains by Roshan Gaonkar & N. Viswanadham

Globalization and the Supply Chain: Today's Risks are not Yesterday's Risks by Lora Cecere of AMR Research, January 2007

Global Supply Chain Benchmark Report Industry Priorities for Visibility, B2B Collaboration, Trade Compliance, and Risk Management by Beth Enslow of Aberdeen Group, June 2006

Global Trade Management in 2007: Benchmarking Trade Compliance, Global Supply Chain Visibility and Risk Management Practices by Viktoriya Sadlovska of Aberdeen Group, April 2007

How to Identify and Manage Supply Risk, Part 1 by Mark Clouse & Jason Busch, Supply Chain Planet, October 2003

How to Identify and Manage Supply Risk, Part 2 by Mark Clouse & Jason Busch, Supply Chain Planet, November 2003

Managing Risk, Improving Efficiency, Delivering Value by Danile Cotti, ABN AMRO, March 2005

Managing Supply Chain Risk: Building in Resilience and Preparing for Disruption by John Murphy, June 2006

Mid-Market Can't Hide From Risk by William Browning of Aberdeen Group, July 2007

Mitigate Risk, Sustain Supply by John Yuva, September 2006

On the Front Lines of Risk Management: Case Studies from the Stanford Supply Chain Forum by Mark Hillman of AMR Research, January 2007

Risk in the Global Supply Chain by Shoumen Palit Austin Datta

Supply Chain Risk Management by

Supply Risk Happens in Your Industry by William Browning & Vance Checketts of Aberdeen Group, April 2007

Supply Risk Increasing While the Market Stands Still by William Browning III, Vance Checketts & Andrew Bartolini of Aberdeen Group, March 2007

Supply Risk Management: Weathering the Storm by Yossi Sheffi, Winter 2005

Three Techniques for Managing Supply Risk by Mark Hillman of AMR Research, March 2006


Michael G. Lamoureux, Ph.D. of Sourcing Innovation
