Risk management processes: How to ensure supply chain resilience

While the emergence of COVID-19 and its impact on the world’s supply chains can be likened to other mega disasters or force majeures such as the 2011 Fukushima earthquake and tsunami in Japan, there’s one major differentiator. What began as a health scare in a single province in China has morphed into a global pandemic that has spread to almost every corner of the world.

As the second largest pandemic since the Spanish flu of 1918, COVID-19 has created temporary ‘manufacturing deserts’ whereby a city, region or whole country’s production  drops so substantially, they become a no-go area to source anything apart from essential items such as food stuffs and pharmaceuticals. Mitigating the devastating impact of COVID-19 on manufacturers and supply chains thus requires both new approaches and new forms of collaboration to increase overall resilience. Businesses now need to focus on how to minimize supply chain disruption and to adjust rapidly to a changing economic landscape.

Because historical data on these rare mega disasters are limited or nonexistent, their risk is hard to quantify using traditional models. As a result, many companies do not adequately prepare for them. This can have catastrophic consequences when they do strike and can force even operationally sound companies to scramble after the fact — Toyota, in the wake of the Japanese tsunami being a good case in point. Add economic turmoil to the mix, and the risk of supply chains being affected by such unforeseen disruptions is likely to escalate.


Changing risk profile

With increased fragmentation of the supply chain, the risk profile may change significantly. Greater complexity in interactions and coordination are likely to introduce increasing variability and uncertainty in delivery from suppliers. While the impact of certain risks, such as the guaranteed supply of raw materials, may decrease with broader supply sources, this same action increases the number of potential risks across a larger number of suppliers.

Many organizations struggle with supply chain risk management processes that are fragmented and inconsistent across functions, business units and geographic regions. In 2008, a study conducted by Marsh Consulting and Risk Insurance magazine found that this fragmentation leads to redundant efforts or unaddressed risks, as well as increasing the difficulty of identifying domino risk effects and hidden interdependencies across functions and regions.

By not managing risk, the organization exposes itself to potential consequences which may include the following:

  • Damage to tangibles — human and physical assets such as property, products, infrastructure, personnel and the environment
  • Damage to intangibles — nonphysical assets such as reputation, market position and goodwill
  • Further harm to the organization including community status and regulatory issues

Prior to the COVID-19 pandemic, supply chain risk management principles often only applied to top-tier suppliers, leaving firms blindsided and vulnerable to shocks affecting their less visible, lower-tier suppliers. However, the reality is that the lower-tier suppliers are critically important to the overall supply chain hierarchy, and disruptions at these levels can quickly cause instabilities throughout the value chain.


The need for an integrated supply chain continuity plan

Responsive and resilient supply chains that can withstand the effects of major disruptions without negatively affecting the customer experience, or suffering significant recovery costs, will enable organizations to have a sustainable competitive advantage in their markets. They will also be better prepared for economic recoveries, particularly when the operating environment is highly volatile.

To achieve this resilience and responsiveness, organizations need to develop a comprehensive supply chain risk management plan and the capabilities to support it. Such a plan defines how supply chain risks will be managed and may include the following techniques:

  • Avoiding the risk — changing plans in order to prevent the problem from arising (e.g. employee training, lead indicators)
  • Mitigating risk — lessening its impact through intermediate steps
  • Transferring the risk to another party (e.g. by contract)
  • Accepting that some portion of a risk is inevitable, given the organization’s work and accounting for that probability (e.g. setting aside a risk fund) — this should be a last option, given the reputational and financial implications of this technique

The risk management plan should answer the following questions:

  • Which supply chain risks must be managed?
  • How much supply chain risk is acceptable?
  • Who is responsible for the supply chain risk management activities?
  • What relative significance does time, cost, benefits, quality and stakeholders have in managing the supply chain risks?

The plan should consist of two parts, both of which are interrelated and reviewed on a regular basis, namely:

  1. Risk analysis, which involves the identification, evaluation and prioritization of risks.
  2. Risk control, which includes the monitoring and reporting of identified risks and related actions.

risk management

With the focus of many companies on profitable growth, they also need to consider the risks inherent in new markets, facilities and partners. Critical suppliers should be included in the risk management plan at this early stage to ensure that business continuity and contingency plans are in place. An integrated supply network design process can enable the company to make decisions in an informed, creative and systematic way that takes into account risk and still finds cost-effective solutions.

An example of this is described in the article ‘From Superstorms to Factory Fires’ (David Simchi-Levi, William Schmidt and Yehua Wei, Harvard Business Review, January 2014), which shows how Ford Motor Company applied Simchi-Levi’s Risk Exposure Index (REI). This enabled them to focus their mitigation efforts on the most important suppliers and risk areas instead of ignoring them or using an exhaustive approach.


Risk communication

The formal recording of information is an important element in risk analysis and risk management. Risk information needs to be reported and communicated on a regular basis in an appropriate and simplified form, so that responsive action can be taken timeously.

Risk communication to all employees should include what the risk information reveals as well as the visible signs of actions to address the risks. In other words, employees need to see how senior management identifies, prepares for and mitigates against risk.

Furthermore, risk communication should be a dialogue rather than an instruction. By providing employees with the context of risk management and inviting them to question and discuss risks, they become more aware of how risks might affect both the extended supply chain and their departments, as well as gain an understanding on how to identify, prevent and mitigate risks.