There have been many different definitions of supply chain risk, but it can be broadly defined as the variation in the distribution of possible supply chain outcomes, their likelihood, and their subjective values. However, this definition has since been expanded upon to account for all the different departments and functions that operate within a supply chain. This leads to an overall definition of supply chain risk as any risk to the information, material and product flows from the original supplier to the delivery of the final product to the end user. Simply put, supply chain risk refers to the probability of a risk event occurring in the supply line and when the product goes on sale. Furthermore, risk sources are the predominant causes of risk events: they are the environmental, organizational or supply-chain variables which cannot be predicted with certainty and which affect the supply chain outcome variables.
Identifying Supply Chain Risk
There are a variety of different approaches that a company can take in order to identify risk in its supply chain. A conceptual framework has been developed for identifying the potential risk in an organization's supply chain. This process comprises three key steps:
- The probability of a risk event occurring in an organization's supply chain must be determined.
- Next, the organization should attempt to estimate how long the risk event is likely to last, including when it may occur. This can usually be achieved through the analysis of past experiences.
- Lastly, an analysis should be conducted on the probable impact the risk event could have on a certain facet of the organization, such as market or financial performance.
If a company goes through these stages every time they believe a risk event may be imminent, then it will allow them to successfully identify the severity of the risk event, and put in motion any plans to prevent the risk.
Furthermore, an organization should constantly be monitoring and attempting to identify risk events, as the earlier a risk is identified, the more likely it is that the organization can limit or completely negate the effects. If a company is conducting a new project to improve the supply chain, then risk identification should occur during the planning and preparation stage. This means that the organization will have to identify risk indices, which aim to give a quantitative analysis of the potential risks associated with a project.
Supply Chain Risk Types
After the risk has been successfully identified, it can be categorized into a variety of different supply chain risk categories. This article aims to identify three supply chain risk categories, and to suggest ways in which risk can be mitigated or managed within these categories. The three supply chain risk categories that will be explored are: exogenous, data integrity and internal resource risks.
1. Exogenous or External Threat
The supply chain must deal with external forces, such as natural disasters (flooding, hurricanes, or earthquakes) or human-centered issues (fraud or terrorism). Exogenous risk is classified into two main sections. The first is long-term uncertainties, which can be in the form of seasonal demand variations or raw material unit price fluctuations. The second is short-term uncertainties, such as cancelled/rushed orders or equipment failure.
There is a plethora of issues present when trying to manage exogenous risk. These mainly take the form of companies’ unwillingness to plan for large-scale disruptions. Although organizations generally aim to protect themselves from small, recurrent exogenous risks, they ignore the high-impact, low-probability ones.
One of the most prominent strategies for mitigating the impact of exogenous risk events is the use of ‘hedging’. Hedging is a supply-side risk management strategy. In a global supply-chain context, hedging is undertaken by having a globally dispersed portfolio of suppliers and facilities such that a single event. This is a particularly strong strategy for mitigating exogenous risk, especially high-impact risk, because it reduces the number of operations that a potential natural disaster will hit. Furthermore, there are a variety of ways in which an organization can ‘hedge’ against exogenous risk. One of the most prominent ways is through the use of dual sourcing, which protects the quality, quantity, price and performance of products by sourcing from more than one supplier. These suppliers must be far enough apart to ensure that a natural disaster wouldn’t affect both of them. Although a strong strategy, it is incredibly expensive for a company, as dual-sourcing is much more costly than single-sourcing. Hedging is the best technique to use if a company has the available investment resources, faces high levels of exogenous risk, and produces goods where strong quality and process controls are in place.
Furthermore, an organization can use the Supply Chain Operations Reference (SCOR) framework. This model comprises four factors: source, make, deliver and plan. The SCOR framework can be used to improve alignment between the marketplace and the strategic response of a supply chain, on the premise that the better the alignment, the better the bottom-line performance. Although it doesn’t identify risks, it acts as a model to increase the performance of the supply chain and make it more resilient against potential risk events. A resilient supply chain has the ability to return to its original or desired state after being disturbed by a risk event. It also allows firms to conduct thorough, fact-based analysis of their supply chain, thus providing them with informed knowledge to make strategic decisions involving the supply chain.
2. Data Integrity/Information Security Threats
Data and information security risks can largely be managed by the organization by implementing thorough security checks throughout its data management software. However, in 2001, Ernst & Young conducted a survey to investigate how many companies had suffered data loss or failure. Of the more than 250 chief information officers interviewed, over 70% stated that they had suffered some form of disruption to a critical IT service. This highlights the issues that data integration is causing for many companies across the globe.
To prevent these issues, all organizations should be implementing a variety of security checks and protection systems on their IT systems. There are four key systems that all organizations should implement in order to ensure their IT and data integrity. These are:
- Virus detection: All companies should have virus detection software to stop incoming threats from affecting critical IT systems. Furthermore, if this is coupled with a strong firewall, it can block the majority of malicious threats.
- Firewall: A firewall is fundamental to a network's security. Although many companies install a solid firewall on their network systems, they forget that it needs to be managed. This is because the firewall must be updated with security policies, and its log files regularly scanned for potential threats.
- Backups: The majority of larger companies will have various backup systems in place to maintain the integrity of data even if a threat occurs. Furthermore, these backups should usually be stored off-site to increase protection. On the other hand, many smaller companies did not recognize the value that backups provide.
- User accounts/passwords: Although user accounts and passwords are prominent across the majority of organizations, they must also be constantly managed. This means updating employees' access rights and deleting ex-employees from the system.
Although these systems seem like common knowledge for an organization to install and implement, it is the careful monitoring and management of the systems that is imperative. Letting a security system become outdated will render it useless, as modern threats will be able to affect critical IT systems. Although risk sources related to data integrity cannot be mitigated entirely, they can be successfully managed through the thorough implementation of numerous security checks.
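The account management point above can be run as a recurring check. The following Python sketch is an added example, not part of the original article: it reconciles an account export against the current staff roster and reports accounts of people who have left and accounts holding more access than their role allows. The usernames, roles, groups and the service-account ownership table are constructed sample data and assumptions.

```python
# Added example: reconcile system accounts against the current HR roster.
# All usernames, roles and groups below are constructed sample data.

# Hypothetical policy: which groups each role is entitled to.
ROLE_GROUPS = {
    "buyer": {"erp-purchasing"},
    "warehouse": {"wms-operators"},
    "it-admin": {"erp-purchasing", "wms-operators", "domain-admins"},
}

# Current employees (constructed): username -> role.
ROSTER = {"akhan": "buyer", "lmoreno": "warehouse", "tschmidt": "it-admin"}

# Accounts as exported from the directory (constructed): username -> groups.
ACCOUNTS = {
    "akhan": {"erp-purchasing", "domain-admins"},  # more access than the role allows
    "lmoreno": {"wms-operators"},
    "tschmidt": {"erp-purchasing", "wms-operators", "domain-admins"},
    "jdoe": {"erp-purchasing"},                    # no longer on the roster
    "svc-backup": {"wms-operators"},               # non-human account
}

# Assumption: service accounts are tracked with an accountable human owner.
SERVICE_ACCOUNTS = {"svc-backup": "tschmidt"}


def audit_accounts(roster, accounts, role_groups, service_accounts):
    """Return orphaned accounts, excess group memberships and unowned service accounts."""
    findings = {"orphaned": [], "excess": {}, "unowned_service": []}
    for user, groups in sorted(accounts.items()):
        if user in service_accounts:
            # A service account is acceptable only while its owner is still employed.
            if service_accounts[user] not in roster:
                findings["unowned_service"].append(user)
            continue
        if user not in roster:
            findings["orphaned"].append(user)  # ex-employee or unknown account
            continue
        # An unknown role is entitled to nothing, so every group is reported.
        allowed = role_groups.get(roster[user], set())
        extra = groups - allowed
        if extra:
            findings["excess"][user] = sorted(extra)
    return findings


if __name__ == "__main__":
    report = audit_accounts(ROSTER, ACCOUNTS, ROLE_GROUPS, SERVICE_ACCOUNTS)
    for kind, items in report.items():
        print(kind, items)
```

Running the same check after every joiner, mover or leaver event, rather than only at annual review, keeps the gap between an employee's departure and the removal of their access short.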
3. Internal Resource Risks
Internal resource risks have some similarities to data integrity risks, as they involve protecting all the internal resources that are connected within the supply chain. This can include things such as labor strikes, production failure, IT system failure or insufficient interaction between organizations within the supply chain. Furthermore, similar to the other two risk categories, an organization must conduct careful planning and preparation to help completely mitigate internal resource risks. There are a variety of methods a company can use, including probability reduction, transferring or sharing risks.
Reducing the probability of a risk event is often preferred by many organizations; it can be reduced by improving risky operational processes, both internally and in cooperation with suppliers, and by improving related processes, e.g. supplier selection. Fundamentally, if a company wishes to reduce the probability of a risk event occurring, then it will attempt to integrate all processes with the supply chain. However, although this reduces the probability of a risk event occurring, it is still likely that one will eventually occur, and with full impact.
Another method of reducing internal resource risks is by transferring risk to insurance companies or supply chain partners. This could be in the form of changing delivery times or suppliers (just-in-time deliveries) or customers (made-to-order manufacturing), or by outsourcing activities. Although this is a beneficial method for one company, it could be extremely damaging to the organization or customer who ends up dealing with the potential risk event. This could fracture supplier and customer relationships, resulting in short-term and long-term financial losses for a company.
The final method of reducing internal resource risks is through sharing them. This is usually done through contracts, as commercial risks can be shared via these. Furthermore, internal resource risk could also be minimized through more collaboration throughout the supply chain, as many different departments of the supply chain could absorb the risk effect, thus mitigating it substantially compared with its impacting just one process.
On top of these methods, organizations should also be conducting successful supplier relationship management (SRM). SRM can be defined as a process involved in managing preferred suppliers and finding new ones whilst reducing costs, making procurement predictable and repeatable, pooling buyer experience and extracting the benefits of supplier partnerships. Although this isn’t specifically targeted at managing risk, it naturally reduces the probability and mitigates the impact of risk. It is similar to the sharing strategy, as it focuses on integrating and collaborating across all aspects of the supply chain to protect internal resources from potential threats. Furthermore, SRM can reap even greater benefits for an organization if it is coupled with Customer Relationship Management (CRM). The collaboration of SRM and CRM had many benefits, as suppliers were more aware of what customers had ordered, and could tailor and increase the quality of products accordingly.
There are many different methods for managing risk, and even though risk events can come in many forms, they all follow similar patterns. An organization should attempt to stop all risk events from occurring by driving the probability of the risk event down to zero, or as close to zero as possible. This can be done through the use of a variety of systems, such as the SCOR framework, which aims to increase the resilience of an organization's supply chain. Furthermore, collaborating and integrating the supply chain has many benefits for mitigating exogenous risk and internal resource risk. This is because it spreads the risk over many different processes, thus reducing the impact on one single function.
As risks can cause significant distress to an organization and its operations, the organization must ensure that all the relevant frameworks and theories are being utilized. The type of risk that is going to affect the company is completely dependent on the geographical location of the company and the industry it operates in. This means that one risk management strategy does not work for everyone, and an organization must ensure it is implementing the correct risk management strategy so that the risk event is mitigated and its effects negated as much as possible.