Intro
Your supply chain is like the lubricant that keeps an engine running, and any disruption to that smooth flow can bring your operations to a grinding halt. Unfortunately, the supply chain risks are only increasing as the world becomes more interconnected, digitally reliant, and large-scale instability looms everywhere, from the environment to the economy.
The number of organizations experiencing multiple disruptions increased dramatically in 2020, according to the 2020 Supply Chain Resilience Report by The Business Continuity Institute. Now, as a result of the COVID-19 pandemic, even average consumers understand the impacts of supply chain disruption in their everyday lives.
The benefits of supply chain risk management can ripple throughout your company just as widely as a disruption can. This guide will give a detailed overview of the potential risks to your supply chain and describe how to mitigate them.
We’ll define key terms and lay out processes step-by-step. By the time you finish using this guide, you’ll be able to identify the risks specific to your organization, assess and prioritize them, and create a plan of action.
What Is Supply Chain Risk Management (SCRM)?
Supply chain risk management, or SCRM, is the external face of your overall risk management. It consists of the strategies you implement to manage every day risks and rarer incidents along your supply chain that can negatively impact your organization. And, when well executed, it can create a competitive advantage for your organization.
Risk mitigation in your supply chain requires continuous risk assessment, determining and reducing vulnerabilities as much as possible. SCRM is essential to business continuity; the more complex your supply chain, the more complex SCRM will be.
Main Supply Chain Risks
Every supply chain faces risks the organization is aware of, and others that are not—or cannot—be known. Many of these potential risks to your supply chain are due to external forces. Sometimes, however, the risk to your business comes from within the supply chain itself, as we’ll discuss later. As you define risks as part of your SCRM plan, you’ll need to understand the difference between these risks and more general uncertainty.
Known risks are those that can be identified, quantified, managed, and sometimes avoided altogether. Common known risks:
- Seasonal weather patterns
- Cybersecurity vulnerabilities
- Known resource scarcity
- Laws or regulations
- Climate change
- Economic uncertainty
Unknown risks, on the other hand, are difficult or impossible to predict. Unknown risks include the following:
- Geopolitical upheaval
- Pandemics
- Economic crashes
- Rare natural disasters, such as volcanic eruptions
- Industrial crimes, such as cargo theft
- Human error
The above are risk factors that could impact any supply chain. But every organization has its own unique mix of risks. Only a comprehensive review of your company can tell you which risks should be most important to you.
Uncertainty is distinct from risk, though you may have seen them used interchangeably. Uncertainty is what creates the environment for risks to occur. The outcomes of uncertainty can’t be determined, unlike the outcomes of specific risks. Uncertainty exists when there’s not enough knowledge, information, or understanding to know what will happen.
It will require a cross-functional team to identify your organization’s known and unknown risks, and determine which uncertainties are important for your SCRM.
When to Assess SCRM Policies
There are many times in a business cycle where it makes sense to assess (or reassess) your risk mitigation plans and policies. A slight majority of organizations across industries are assessing their supply chains every 12 months or less. Unfortunately, the rest are assessing only sporadically, if at all.
In an increasingly uncertain world, annual assessments might be a good minimum threshold for assessing your supply chain. However, the following events can trigger the need for an assessment at any time:
- Onboarding new suppliers
- Reporting on supply chain compliance
- Completing related annual assessments
- Up to a year before a supplier contract is up for renewal
- When product or customer growth is rapidly outpacing your budget
- Ahead of any merger or acquisition
- After a major service failure
- During times of high uncertainty
You should also employ automation to capture risk data continually.
Overview: Supply Chain Risk Management Plans
A supply chain risk management plan is your game plan for mitigating the risks threatening your business continuity. Your organization will use a strategy and set of procedures to enable a swift, effective response to supply chain risks.
While your plan will be unique, these are the four elements of a successful supply chain risk management plan:
Identify > Assess > Monitor > Review
These are discussed in more detail below, but this checklist gives you an idea of the scope of your activities.
-
Identify and document all known risks.
- Gather a team of knowledgeable stakeholders across your organization.
- Map the value chains of your most important products and services.
- Document all the available information.
- Also, document any needed information that’s missing.
-
Assess each risk you identified.
- Determine the likelihood of each risk.
- Determine its potential impact on your business.
- Determine how prepared the organization is to deal with each risk.
- Use or create a consistent scale to score each of the above.
-
Monitor risk.
- Use the weighted scale you developed earlier to keep track of risks.
- Spell out how an early warning system will be activated as threats arise.
- Assign clear responsibilities to those who will have to respond to emergent risks.
-
Review
- Periodically and as needed, reconvene your cross-functional team for a risk assessment.
- Whether the risk environment has changed or not, this group can make recommendations for continual supply chain improvement.
Who Needs a Supply Chain Risk Management Plan?
It’s not only manufacturers or companies moving materials around the world that have to worry about their supply chain. The reality is that even cloud-based businesses rely on some sort of outside suppliers for goods, services, information, or infrastructures.
Mitigating supply chain risk overlaps compliance concerns for many companies. That includes those that are subject to industry standards or state, federal, and local regulations. If your supply chain is global, there could also be trade agreements, contractual obligations, or standards from non-governmental organizations that you need to factor into your SCRM plan.
General areas of compliance to pay close attention to are:
- Environmental responsibility
- Product safety and integrity
- Social responsibility
- Labor and employment
- Security
- Technical regulations
- Logistics and distribution
Specific compliance frameworks that address supply chain management include:
-
GDPR
- All suppliers who handle personal data, such as data controllers, processors, and subprocessors, must be identified
- Agreements with them must contain GDPR data protection obligations
- Suppliers must be audited periodically and provide evidence of their compliance
- Supplier must be included in an enterprise data protection impact assessment
-
HIPAA
- Suppliers are known as “business associates”
- Hospitals must inform suppliers that suppliers must meet HIPAA security rule requirements
- Suppliers are legally and contractually obligated to protect protected healthcare information
-
ISO
- Section 27002:2013, “Supplier relationships,” requires contractual agreements to information security policies, procedures, and awareness throughout the supply chain
- Service delivery by external suppliers should be monitored, and reviewed/audited against the contracts/agreements. Service changes should be controlled
-
NIST
- SCRM was added to the core of the NIST compliance framework
- Section 3.3 “Communicating Cybersecurity Requirements With Stakeholders” explains cyberSCRM
United States federal regulations that might also impact your supply chain include:
- Dodd-Frank Act provision on conflict minerals
- Drug Supply Chain Security Act for traceability of pharmaceuticals and medical equipment
- The FDA’s Title 21 CFR Part 11 delineates protocols for documenting information
For global supply chains, regulation that likely impact your supply chain include:
- RoHS (Restriction of Hazardous Substances), a rule from the European Union
- REACH (Registration, Evaluation, Authorization and Restriction of Chemicals)
- WEE (Waste from Electrical and Electronic Equipment)
State laws in the U.S. vary widely. However, labor laws in all states where your suppliers operate will likely be included in your assessment as you build an SCRM. These can include highly specific issues, such as the background checks and previous salary requests in employee recruitment.
When Supply Chain Risk Policies Fail
It only takes one supplier to throw your enterprise off the rails. While SCRM can feel overwhelming, failing to have a thorough plan can bring even more painful consequences.
Your organization is susceptible to everything from wildfires and bankruptcies to cybercrime and PR disasters that are completely out of your control. All of these can impact businesses continuity, profits, or reputation.
When these problems arise, you will face internal and external scrutiny of your risk management strategy—perhaps for the first time. Without a proactive risk management strategy, you’re susceptible to avoidable threats, unable to bounce back quickly or demonstrate an appropriate level of accountability.
You might face direct costs from fines, penalties, lost sales, and scared investors.
Indirect costs can compound over years. These include damaged internal morale, tarnished reputation, and a reframing of your organization’s history always in terms of damage caused by supply chain mismanagement.
Common Types of Supply Chain Risk
Potential risks to your supply chain fall into categories that make it easier to create an SCRM plan.
- Financial Risk: This threatens a company’s financial health. These events can occur as a result of market volatility, supplier bankruptcy, or significant fines due to compliance failures.
- Reputation Risk: There is always a possibility that a supplier will engage in activity that negatively affects your brand perception. These can include breaches of social responsiblity and compliance, and criminal activities such as child labor or bribery.
- Natural Disaster Risk: Disruptive seasonal weather and natural disasters can strike at any time. Earthquakes, volcanoes, and tornadoes come with little-to-no warning. Heat waves, winter storms, hurricanes, and extreme weather events are becoming more frequent and intense due to climate change.
- Geopolitical Risk: Political upheavals in far away parts of the world can endanger global supply chains. They can disrupt product shipping, access to raw materials, financial transactions, and access to customers in that part of the world.
- Cyber Risk: Cybersecurity risks are inevitable as online transmissions are central to business. As a result, cybercriminals who breach suppliers can put your clients’ data at risk or impact your compliance. Such third-party breaches also result in stolen intellectual property and ransomware attacks.
- Man-made Risks: This type of risk is usually caused by a specific action or inaction taken by a person or group. These can include fires, explosions, data breaches, utility outages, and transportation incidents.
Supply Chain Risk Management vs. Supply Chain Resilience
In your supply chain, resilience is the goal. Management is how you achieve it.
Supply chain resilience is the capacity of a supply chain to persist, adapt, or transform in the face of the threats listed above. BCI reported that resilience has become central to business operations for many companies as a result of COVID-19 impacts.
Here are four steps to developing a resilient supply chain:
- Increase visibility. Tracking and monitoring supplier performance, and patterns from supplier to end user lets you be proactive.
- Improve flexibility. Be ready with alternative sourcing for important materials and services.
- Collaborate. Build trust by including customers and suppliers in planning throughout the lifecycle.
- Maintain control. Use appropriate metrics and monitoring tools in your SCRM.
Think of resilience in terms of a rubber band: it is the ability of your supply chain to stay intact and effective during and after it’s stretched (stressed). SCRM, then, is what maintains that elasticity, or ensures the supply chain will bounce back.
The continual review process that is part of your SCRM is key to ensuring supply chain resilience. With every improvement to your SCRM, you’re building greater resilience.
Steps to Identifying Supply Chain Risks & Vulnerabilities
Here is some additional detail about how to identify, measure, and assess supply chain risk.
Your SCRM plan will only work if you’ve done thorough groundwork to identify the risks you need to mitigate. Any supplier you miss or underestimate presents a serious threat to your risk management. Similarly, leaving important internal stakeholders out of the process means you might be caught off guard without even minimal capability to respond to a supply chain emergency.
Connect With Your Team
Supply chain management is a team sport. No one person will have enough experience or expertise to think through all the factors or scenarios that put your supply chain at risk. You’ll need participants from diverse departments in your organization, such as finance, IT, human resources, customer service, procurement, and communications.
Each of these people should be able to go deep into their area of expertise to identify specific supply chain threats. Your team will help map the value chains of your most important products and services, and be responsible for ongoing review.
Remember, your suppliers are a part of your team as well. Good business relationships will allow for smoother involvement in your SCRM plan. Including key suppliers helps increase your supply chain visibility, and enables your team to make the most comprehensive plan possible.
Identify Risks
Now your team will go through a detailed process of listing every supply chain threat—known and unknown. These should include direct risks like natural disasters, government shutdowns, product recalls, and indirect risks, such as a supplier issue that could hold up business processes.
Segment your supply chain with the following method:
- List all of your organization’s unique supply chains.
- Identify key performance indicators (KPIs) that are most important to your organization.
- For each KPI, assign a rank to each product-channel group based on how well (or not) that group contributed to the KPI.
Your team will have some of this information. For example, IT specialists should have a good handle on the latest cyber risks impacting your industry, as well as vulnerabilities that could be introduced by third-party vendors.
Meanwhile, communications and HR professionals will have information pertaining to reputation risk. Finally, your chief financial officer will be a resource for analyzing your suppliers for potential financial risk.
Unlike broader risk management, some of your supply chain threats might be far removed from your organization. You will likely need to consult outside resources to identify natural disaster and geopolitical risks. Both historic and current data will be instructive here.
Quantify Risks
Now that you know the risks, they need to be prioritized based on how severe they are. The basic formula for quantifying risks is below, followed by the steps needed to prepare to use it.
Risk = Probability of the risk occurring x Impact of that occurrence
- First, create a 5-point scale that looks something like the following, then assign one of these numbers to each of the risks and impacts your team identified.
- 1 — negligible
- 2 — marginal
- 3 — significant
- 4 — critical
- 5 — crisis
- Next, define which scores will be considered low, medium, and high risks.
- Finally, calculate your organizational supply chain risk score by weighting each risk category on a 0 to 100 percent scale based on its strategic impact to your supply chain.
- This can be calculated with a spreadsheet or other simple software.
Complex organizations might need additional steps in between, or complex scenario planning. An organization with multiple locations or types of shipments may need to have different risk measurements for each. You might also need to include separate internal supply chains in this process if your organization is very complex.
Auditing Your Supply Chain
According to McKinsey & Company, a strategic management firm for thousands of organizations, most companies are getting by without doing supply chain audits. But anyone selling goods or involved in retail or manufacturing should absolutely audit their supply chains. However, all companies gain a competitive advantage from doing a supply chain audit, which can uncover ways to improve processes and reduce costs. It also enables a more comprehensive SCRM plan.
The main categories to review when auditing a supply chain are:
- Strategy: How closely is your supply strategy aligned with business goals?
- Organization: Does your organization’s structure allow collaboration with suppliers to achieve supply chain goals?
- Process: How effectively do processes implement the strategy?
- Information: Is information used for supply chain planning accurate and up-to-date?
- Performance: How well is the supply chain impacting finances?
To find these answers, your SCRM team will need to evaluate management of the following areas.
- Order fulfillment
- Customer service
- Supplier relationships
- Manufacturing flow
- Service delivery flow
- Product development
Together, all of this data will allow you to create an effective framework for undertaking an SCRM plan as described earlier.
Developing Your Supply Chain Risk Management Strategy
With a mountain of information organized and prioritized, it’s the planning that brings the benefits of a supply chain risk management strategy. Ideally, you design and implement your strategy in three phases: identification, assessment, and mitigation. After taking the steps above, you’re now ready to move into the mitigation phase of a supply chain risk management lifecycle.
You will need to build contingencies for the threats you’ve identified and ranked. Here are common elements you might find necessary for your strategy.
- Predictive analytics can give you insights into cyber risks, logistics trends, and other areas of concern.
- Unknown risks still need contingency plans that include all possible scenarios, and promote a risk-aware culture.
- Alternate suppliers should be listed for the most critical resources.
- Internal communication protocols should be documented, along with a chain of command and task list for responding to emergent risks.
- External communication protocols should also be established for major clients, both ahead of and in response to supply disruptions.
- An early warning system should be outlined for the most critical risks.
- Define the exact triggers and required response time. These can include things like management changes at supplier organizations, shifts in commodities prices, changes in supplier quality, or trends among competitors.
- Surpluses of critical supplies can buffer against major disruptions. Create a plan for developing and maintaining surplus supplies.
- Insurance can be increased or modified to help optimize your supply chain.
The Future of Supply Chain Risk Management
Supply chain risk has increased rapidly in recent years, and the simultaneous, worldwide impact of the pandemic heightened the urgency of supply chain management. Meanwhile, the 2020 SolarWinds cyber attack compromised hundreds of private and government organizations for whom that company supplied system management tools for network and infrastructure monitoring. What’s more, that attack has been attributed to foreign entities.
The future of SCRM will mean continuing to prepare for risks that are unfortunately increasing in frequency and impact. Uncertainty has also increased, and will remain at the forefront for the foreseeable future. It is telling that the U.S. federal government in 2021 updated its supply chain resources, podcasts, live programs, and new best practices guidance for specific sectors.
According to McKinsey, the most important aspect of SCRM will be organization-wide involvement. Risk awareness must be a part of the entire culture, not just the concern of one or two departments. An appropriate mindset shift will ensure people implement your SCRM plan toward the best possible outcomes.
Simplify Your Supply Chain Risk Management Process
This guide has outlined how supply chain risk impacts organizations of all sizes, across sectors. The best practices for supply chain risk management include:
- Understanding the common risk categories
- Engaging involvement across your organization
- Identifying and quantifying your specific vulnerabilities
- Engaging suppliers and partners
The hidden thread among all these is the software support that is crucial at nearly every step. The Business Continuity Institute’s annual report showed that more than half of organizations are using technology to help analyze and report on supply chain disruptions. The number uses technology to help with supply chain mapping nearly doubling from 2019 to 2020.
More companies are using specialized software for supply chain mapping and analytics. Monitoring and reporting software solutions are also key to SCRM. The right software helps streamline workflows, and eases communication among your team by making information clear and accessible to everyone.
Reciprocity’s ZenGRC helps track a myriad of tasks associated with SCRM. Additionally, an easy-to-use dashboard simplifies compliance tracking across frameworks—for you and your suppliers. The vendor tracking capabilities can also strengthen your early warning capabilities, and enable a robust, effective response to inevitable supply chain disruptions.