Developing Capability in Supply Chain Risk Management:

Dave HenshallRisk

Businessmen 12

Developing Capability in Supply Chain Risk Management:


Developing Capability in Supply Chain Risk Management: Vulnerability is not a word CEO’s like. But the simple fact is, as leaders we are faced with vulnerabilities every business day.

A guide for CEO’s, CFO’s and CPO’s on integrating supply chain risk management into the corporate business planning process

What’s in it for you?

Discover how implementing a enterprise level supply chain risk management process can reduce your organisations vulnerability and build resilience against supply chain failures in increasingly complex global markets.


Many large companies will face a crisis every four to five years. For CEO’s, whose Average tenure is quoted at 7.8 years, the chances that ‘a significant failure’ is going to happen on their watch, is significant. It may be a crisis on the other side of the world, a natural disaster, perhaps a failure in one of your supplier’s supply chains, but in this increasingly outsourced, global economy, your own supply chain is likely to suffer from vulnerability. Vulnerability is not something that CEO’s like. So as CPO, how can you reassure your CEO? What will you say when something goes wrong? Will you be able to defend your actions and demonstrate due diligence?

The challenge for CPO’s is to increase supply chain visibility, manage risk, and develop a good business continuity plan, so that your supply chain is more secure, disruptions are less intense and your business overall is less vulnerable – achieving this could both save your own reputation and increase influence with the CEO alike.

Sh*t Happens:

According to Aon’s 2008 Global Risk Management Survey, damage to reputation is the No.1 risk to the food & drink Sector but  1/3 of companies had no plans to tackle current and emerging threats. This is not untypical of many other industry sectors, where supply chain failures have and continue to cause damage to company reputation:

  1. “Sony battery problems could go beyond Dell laptops” – Computerworld – August 16, 2006.
  2. “Dell’s new laptop release plagued by supply chain problems” – Purchasing August 23 2007.
  3. “British Airways software failures key in T5 fiasco” – May 08, 2008
  4. “China contaminated milk formula scandal puts babies at risk in other countries “ – The Times September 20 2008

What does your ‘Risk Profile’ look like?

Your company’s risk profile is a snapshot of the organisation’s operating environment and its capacity to deal with key risks and opportunities linked to the achievement of corporate objectives and results.
At the recent Chicago Ariba LIVE event, the following were cited as the top three risk of concern to CPO’s:

  1. Supplier Viability
  2. Protecting margins by chasing the deflationary market
  3. Continuance of supply

However, unless you understand what your company’s risk profile looks like, it is unlikely that you can put an effective risk strategy in place, whatever the risk. CPO’s must therefore understand their organisations exposure and tolerance to risk and develop supply strategies to meet their specific requirements, based on analysis of the key metrics for your organisation.

There are typically three outcomes as a result of developing the risk profile:

  1. Threats and Opportunities are identified
  2. Current status of risk management is evaluated to plan risk management strategies
  3. The organisations risk profile is defined; key risk areas, risk tolerance, ability and capacity to mitigate as well as development needs

Understanding the organisations risk tolerance is a key part of this process.

Risk Tolerance:

Risk tolerance reflects your company’s attitude towards risk. By reviewing both the ‘probability’ of  risk events taking place and their resulting ‘impact ‘upon key business metrics, CPO’s can determine the appetite for risk in their organisation.

Both a company’s financial and industry status can impact its risk tolerance. Taking big risks can be beneficial to a company that is able to accept them, because it enables opportunity. For this reason, risk must be defined as including the probability of both good and bad outcomes. Likewise, companies faced with severely adverse conditions will often choose high-risk strategies in place of sure losses.

There is no absolute right answer on what is an acceptable risk until hindsight is used. It is critical however, that CPO’s understand their organisations attitude to risk when determining business impact.

Business Impact:

The purpose of a business impact analysis is to ensure threats and opportunities are identified and managed through ongoing internal and external evaluation. The process should involve both corporate level executives, and cross functional operational managers to provide analysis which will enable better strategic decisions at the corporate level to allocate resources to manage critical exposures to loss.

Specifically, it will identify impacts resulting from an inability to conduct normal business processes measured against particular scenarios, for example, the failure of a production facility, or defective material for a period of time. It should focus on those scenarios where the impact on critical business processes such as the company’s business model, its supply chains etc. is likely to be greatest and should include:

  • ‘Hard’ impacts financial loss, breach of contract, regulations, or standards, failure to achieve agreed service levels, increased costs of working etc.
  • ‘Soft’ impactspolitical, corporate reputation, competitive advantage, credibility etc.

By quantifying these impacts using key metrics such as ‘earnings’ and ‘shareholder value ’the CPO can understand for each business area, at what point the unavailability of their business process would become untenable within the organisation. I.e.: immediately, after a day, week, or month etc. This in turn supports the adoption of the most appropriate mitigation strategy.

Ability & Capability to Mitigate:

It is important that CPO’s are able to determine whether its risk processes are adequate using agreed measures to benchmark its management of risk against best practice or against its competitors. One framework for this is the “Risk Maturity Model”, which was developed as a benchmark for organisational risk capability. The model describes four levels of capability maturity:

  1. Naive risk organisation:

    • Unaware of the need for risk management and has no structured approach to dealing with uncertainty.
  2. Novice risk organisation:

    • Organisation has begun to take up risk management through a small number of individuals, but has no generic process in place.
  3. Normalised risk organisation:

    • Risk management is built into business processes and risk management is implemented and understood but not fully effective
  4. Natural risk organisation:

    • Risk aware culture, pro-active approach, fact based data actively used to improve processes. Processes are used to manage both opportunities and risk.

In determining your current capabilities we recommend you include the following checklist:

  1. Organisational readiness
  2. Clear roles and responsibilities
  3. People with appropriate skills, expertise, and resources for managing risk
  4. Identify risk management tools and techniques now in use and where
  5. Assess infrastructure, i.e. organizational stability and capacity of systems

Once the current state is defined programmes can be put in place to build capability for managing risk:

  1. Broadening the skills base through formal training
  2. Increase the knowledge base by sharing best practices and experiences
  3. Develop, adapt, and adopt corporate risk tools, techniques, practices, and processes
  4. Provide guidance on the application of tools and techniques
  5. Allow for the development and/or use of alternative tools and techniques that might be better suited to managing risk in specialized applications
  6. Adopt processes to ensure integration of risk management across the organization.

Insurance is not the answer:

It is important to note that insurance is not the solution to risk and cannot replace a formal risk management programme. While purchasing insurance is an essential part of risk management plans, it cannot replace it. The answer lies in building supply chain resilience into a robust business continuity plan.

See “A Foundation of Risk: Supply Managements ‘other’ pillar for success”


Risk Management Tools

Strategic outsourcing tools can be encompassed into the governance plan that fall into five broad areas:

  1. Porters 5 Forces
  2. Capability Maturity Model
  3. Risk Register
  4. Scoring system criticality analysis and risk evaluation
  5. Risk Management Action Plan
  6. Dash Boards and reports for visibility, tracking, and alerts


The growing complexity of supply chains and resulting vulnerabilities are forcing organizations to examine the challenge of risk in a more objective and proactive manner. Risk Management is therefore, a major challenge for CPO’s to master as a key tool in their portfolio in support of their claim to play a key role in their organisations strategic initiatives.

By developing robust risk management and business continuity plans, CPO’s will be able to demonstrate tangibly more secure supply chains, that disruptions are less intense and that their organisation overall is less vulnerable – words that any CEO will welcome.

Nuff said …