When Gerardus Mercator published the first atlas of the world in the 16th century, many of his maps included white areas with the words Terra Incognita—Latin for "unknown territory." Most companies that map out their end-to-end supply chains today could use similar terminology, because they do not know all of the players in their supply chains.
Just as it was risky to venture into the white spaces on Mercator's maps hundreds of years ago, it can be risky to work with unfamiliar parties today. In fact, many companies have already discovered the consequences of failing to plan for problems that can happen when there are unknown partners in their value chains.
Such problems are intensifying as supply chains become leaner and inventory buffers that absorbed the shock when something unplanned happened disappear. Companies are left exposed to crisis, they miss sales opportunities, and they are unable to meet agreed-upon service levels.
That is why it is becoming increasingly important to take a proactive approach to identifying the unknown and planning how to react to unexpected events. However, it is no longer enough to look only within the company for that purpose; the end-to-end supply chain also needs to be taken into account.
Although these principles are becoming more widely understood, many companies still do not pay much attention to managing risk. A survey conducted by Aberdeen Group in 2007, for example, showed that more than 50 percent of enterprises either are not concerned about risk or have no formal process to address it. Only 11 percent of companies actively manage risk (see Figure 1).
This article aims to help companies start formulating a risk management strategy by explaining how to recognize, evaluate, define the acceptability of, and respond to some of the supply chain risks that are inherent in doing business globally. Among the questions we will address: Could companies share those risks with partners? Is it possible for them to identify the risks earlier? Can they plan appropriate responses in advance?
Before a company can address the issue of risk with its trading partners, it has to identify the specific risks it might face. Recognizing potential risks is one way of understanding what could happen and how it might affect the supply chain.
Fundamentally, there are two types of risk: operational and structural. Operational risk includes things that happen to actual supply chain operations —for example, when suppliers are unable to deliver goods at the appointed time, or a supplier does not meet required quality levels. Although such events disrupt operations, they can often be addressed through appropriate operational changes (such as using alternate sources of supply) and do not require a fundamental change in the way business is conducted.
Structural risk requires companies to change the way they operate. Having a country of origin essentially shut down due to disease or political unrest, for example, forces a company to rethink its supply chain network. In other words, structural risk requires a supply chain network to have enough flexibility to quickly transform itself.
Figure 2 includes a partial list of potential risks. As this figure shows, there are many different types of operational and structural risks. It is important to evaluate them, identifying which ones could impact the company and what needs to be done to mitigate and manage them.
Note that the list includes many internal risks. Shouldn't companies know about these internal risks in advance and therefore be able to eliminate them? In theory, yes, but the confidential nature of those activities limits a company's ability to anticipate the implications of the associated risks. Mergers and acquisitions, divestitures, and even new product introductions often are kept very quiet within the company, and they may surprise other business units or teams. In that sense, they represent a risk in the same way that any external risk does.
Once it's understood that different types of risks exist, it is important to evaluate the implications of those risks for operations. As shown in Figure 3, three elements play an important role in the evaluation of specific risks:
Let's look at each of these in more detail, starting with the likelihood of occurrence.
Some risks may have a high potential impact but an extremely low likelihood of occurrence. A good example is the one mentioned earlier, of a country's being struck by a disease. What is the likelihood of an epidemic's shutting down an entire country, leaving its people unable to work? And if it ever did happen, would it not affect competitors' operations, too?
This brings us to the second element, the implications for competitors. When evaluating risk, it is important to look at how the competition would be affected by it. If yours is the only company that is subject to a particular risk and then that problem actually occurs, your competition has an opportunity to take market share away from you. But what if your competitor is struggling with exactly the same problem? If you have recognized the risk and have planned how to react to it, you may be in a position to take market share away from your competition. In short, your company may be able to grow despite the difficulties it must address.
The third element is the importance of the changes that are required. That means not only the importance of the risk itself but also what has to happen if a company is to avoid or respond to that risk.
Suppose a company identifies a supplier's inability to deliver critical raw material on time as a major risk. One obvious way to limit this risk is to find a second source of supply. This decision comes at a cost, however, because the company probably will have to pay more to source smaller quantities from multiple suppliers. The company then has to assess which is more important: the lower price or the greater assurance of supply. Another consideration may affect this decision: whether or not the competition uses different suppliers and therefore might not be affected by a similar problem. If the likelihood of a supply interruption is somewhat high and the competition is not likely to suffer a supply problem, then the company probably would be wise to use multiple sources or find other ways to guarantee its supply.
Defining acceptable risk
The next step in dealing with risk involves determining whether the risk is acceptable or if some action must be taken to ensure that the risk is fully mitigated. We have already said that it is important to look at whether a particular risk also affects the competition. The other factor to consider is how much the company's business will be affected if a potential riskrelated event does occur.
This issue is on many minds these days. Over the last year, problems with exploding batteries and lead paints in children's toys have demonstrated what can happen when an unexpected event puts a company on the front page of the newspaper.
It's not hard to find examples of disastrous responses to such problems. Union Carbide's behavior following the deadly release of toxic gas in Bhopal, India; Total's response to the sinking of the oil tanker Prestige; and the Ford Explorer/Bridgestone tire problems all hurt those companies and their brands. As these companies learned, the speed at which companies react, the way they react, and the importance they place on providing the facts to the public greatly influence the way the media and consumers will view a company in the future. This should remind us that small things can indeed have big implications.
Those examples reinforce the idea that it is important to carefully think through not only what could happen but also how best to react if something does occur. This should be worked out beforehand. In the midst of a crisis, there is very little time to define strategies and agree upon how to react.
Reacting to risk
Let's now look at how to speed up reaction time when a risk event occurs and gain a competitive advantage.
An easy way to describe what happens when something unexpected occurs is to represent the event as a step-change function, in which a value suddenly changes to a higher function as a result of an event or a transaction (see Figure 4). The question now is, how should the company react?
First, the company has to realize that something happened and that it is serious enough to warrant a response. This period is called the decision latency. Once the company has noticed the problem, it must decide how to address the issue. This step is called the change design latency. The next step, the change implementation latency, is to implement that response.
Last but not least is the validation latency, when the company assesses the quality of the response. In other words, the company determines whether the change that was implemented really does respond to the initial events. As shown in the diagram, the response may not fully overlap with the initial event signal. The yellow area corresponds to the business opportunities that were lost due to the time it took to respond to the event. Now the question is, what can be done to reduce the latency time to a minimum? This is where supply chain partners play an important role.
Sharing risk with partners
The beginning of this article mentioned that supply chains may include both known partners and participants (such as subcontractors to the main supplier) that are unfamiliar to the "owner" of the supply chain. An important question is whether it is possible to share risk with them and thereby reduce our own risk.
That is indeed possible, but only if there are good relationships with those partners. Unfortunately, in their desire to reduce prices to a minimum, many procurement organizations take an adversarial approach toward their suppliers. In doing so, they unintentionally increase the risk for their companies.
A supplier—or any business partner, for that matter—is much keener to help a company with which it has a good relationship. Building cooperative relationships early on, then, is truly a valuable investment of time and effort because it plays an important role in reducing risk in the end-to-end supply chain. Because sharing risk with partners does not come naturally for many companies, it's helpful to look at how this can be done. The experience of Hewlett-Packard (HP) provides a good example.
Over the last five years, HP has taken an innovative approach, which it calls "procurement risk management," to addressing this area. Based on techniques that are used in the stock and commodity markets, the company's approach takes into account the uncertainties associated with introducing new products in the marketplace.
For HP this is important, because uncertainty is a daily concern in the electronics industry. Product lifecycles are short, and new products are introduced several times a year. It is always a challenge to know how much will be sold, so it is difficult to establish the amount of materials that should be ordered. On top of that, component prices fluctuate, and availability is sometimes limited due to a lack of capacity at the supplier level. Most companies sign "not to exceed quantity" contracts with their suppliers. In this type of contract, the buyer agrees to purchase between 0 and a given quantity of items but does not guarantee the actual number it will purchase. In such cases, the supplier takes all the risk. It's no surprise, therefore, that in one way or another, the supplier will include that risk in the price it charges to the customer.
Using econometric modeling techniques, HP tries to get a better understanding of what can happen over the lifecycle of the product. The model HP developed includes such factors as quantities of products sold, evolution of the price of the commodities (typically items such as components that are manufactured by multiple producers), availability, and shortage of supply to figure out what kinds of scenarios could possibly happen. Once the model has identified those scenarios, HP can go back to its suppliers and propose structured contracts in which a fixed-quantity order is placed for a certain threshold, and a not-to-exceedquantity order is placed for the remainder. Different prices will apply, of course, depending on whether or not the supplier can guarantee delivery.
HP's experience is that, although there might be multiple prices under this system, the average price ends up being lower than it would be with flexible contracts. One reason is that HP is actually sharing the risk with its supplier. And if the product is even more successful than expected, HP can still turn to either the supplier or the spot market to source the additional quantities required. In doing so, the company not only fosters a collaborative relationship with its supplier but also improves its availability of supply.
How to address risk
As pointed out earlier, the potential impact of risk needs to be assessed. Once that assessment has been completed, it is possible to graphically map the risks to the strategies to be implemented. Figure 5 shows how Hewlett-Packard actually looks at risks. Obviously, the high-impact areas are the ones that will be considered first. Exposure and impact on the bottom line are the key criteria being used to rank the high-impact areas. Information from supply chain business managers, external sources, and actual supply chain data models is put in place to assess the risk's potential impact. The company uses sensitivity analyses, which examine the supply chain's sensitivity to minor disturbances, and stress testing, which identifies the likely point of breakdown if the supply chain should be subject to major disruptions, to identify its exposure and determine how the risk could be mitigated.
The question is now how to be prepared in case an event actually occurs, and then how to respond to an occurrence. Toward that end, a company needs to put in place the four programs shown in Figure 6.
First, enterprises should review potential risks. This serves a double purpose: to identify the biggest risks (and thus what should be the key focus areas) and to evaluate the company's exposure and vulnerability.
Second, they should focus on continuity of operations. The objective here is to design businesses and functions with critical operations in mind, addressing vulnerabilities and developing negation and recovery strategies. A technique called scenario planning, which is discussed in the next section of this article, can help companies better understand how to do that.
Third, companies should engage in emergency preparedness. This consists of putting plans in place to ensure employee safety, property preservation, and the prompt resumption of site operations.
The last program is crisis management. Although this may seem to be of secondary importance, it is vital to protect the image the company presents to the outside world. Putting both a process in place and establishing response plans is critical if a company is to continue operations during a crisis. Effective communication with employees, local authorities, and the press is needed to demonstrate that the company cares for its employees, its environment, and its customers.
By putting these four programs in place, companies ensure that they will be appropriately vigilant, that they are prepared to tackle events that adversely affect their employees or their ability to meet customer and shareholder expectations, and that they are sensitive to the event's impact on their environment. These four programs form the basis of company preparedness and resilience (CPR).
To thoroughly examine risks, companies should take advantage of scenario planning, an approach that has been used successfully in the military. As its name suggests, scenario planning involves describing a situation that could potentially develop and identifying how the company should react to that particular scenario. Typically, the scenarios that are identified are extreme cases, but that is valuable because their extreme nature forces companies to think through their contingency plans.
Scenario planning consists of a five-step process:
Obviously, one hopes never to have to put into action any of the scenarios that have been developed during this type of exercise. However, strange and unexpected things do happen, and the ability to intervene quickly and effectively will provide a tremendous return on the time and effort spent on scenario planning. Preparedness coupled with a swift response will not only limit disruptions but will also open up new business opportunities if the competition struggles to respond to the same event.
Building a risk infrastructure
Early identification of a problem is necessary if a company is to mount a fast response. Spotting problems quickly requires understanding what happens in the supply chain, and that, in turn, requires day-by-day — or even hour-by-hour —visibility of supply chain developments. To achieve this, companies must build an integrated infrastructure for collecting data throughout the supply chain. Once the data have been collected, companies then can establish alarms that will trigger the responses outlined in their contingency plans. This type of infrastructure requires three key components.
The first is a data-gathering hub, which allows participants in the supply chain to provide information about what is going on. That information can be entered either manually through web sites or automatically by integrating the participants' information systems. Data from these disparate sources may have to be manipulated or defined in some way to ensure that the information has meaning to the receiving company. Moreover, data security is vital, as partners in one supply chain may be competitors in other environments.
The second part of this infrastructure is an operational data store (ODS), a database that contains discrete data from multiple sources. This usually is shortterm, real-time information that has been "cleaned" and verified. Using event management software, a company can use these data to quickly identify when a problem occurs and trigger the appropriate response.
An ODS typically contains detailed, short-term data about single events. But it's also important for companies to be able to examine trends, and for this reason the risk management infrastructure requires a third element, a data warehouse. The data warehouse contains summary information for long periods of time. By using analysis tools, a supply chain manager can identify trends and understand how occurrences evolve over time. This information will help the company understand how the supply chain "ecosystem" actually works and how to improve the reliability and resilience of its supply chain.
This type of infrastructure is an important basis for improving the enterprise and its supply chain's response to risk. It cannot be built in one step, of course. Rather, it requires integrating partners one at a time, starting with the most important ones and moving up and down the supply chain over time.
Always ready to respond
As companies become increasingly global, their exposure to risk increases. Despite this fact, many companies are not yet prepared to identify and address supply chain risks. These companies thus make themselves more vulnerable to business disruptions.
Yet, as this article has shown, simple techniques and methodologies can go a long way toward minimizing those risks. In fact, a company can build a strong base for risk management by gaining a better understanding of how its supply chain ecosystem operates, analyzing what is actually happening, and planning how it could react before a disruptive event occurs. Although the hope is never to have to use the scenarios that are actually built, every company will benefit from being ready to act in the unlikely event that a potential risk becomes a reality.