Supply chain leaders need to look over the horizon and anticipate. Sometimes what's over the horizon is a rainbow. Sometimes it's a tsunami. In either case, we need to be ready.
We call that process supply chain risk management.
The U.S. Government Accountability Office (GAO) has a good way to structure the process. Late in 2016, the agency issued a publication with a holistic approach to risk management.1 This government-sponsored research laid out a simple framework to address the broad issue of risk at the organizational level. Although GAO framed this as a six-step process for overall enterprise risk management, it can be cascaded seamlessly to supply chain risk management.
By looking into the risk management practices found in different government agencies, GAO identified six key practices that, when joined together, create an effective risk management process.
While GAO presents these ideas as a step-by-step sequence, the recommendations really describe an integrated and anticipatory oversight process. Good supply chain risk management strategies forecast, rather than react. Once upon a time, risk management was about "rolling with the punches." Today, risk management means anticipating events before they happen and avoiding the issue rather than reacting to it.
Forecasting means moving beyond reacting to traditional disruptions. Traditional supply chain disruptors include problems like missing shipments, hurricanes, strikes, and equipment failure. But to be more fully in control, we need to think about larger issues that might create vulnerabilities. Let the imagination roam. Tariffs? China taking over the South China Sea? North Korea meddling in communications or the Internet? All of these could happen, with a profound ripple effect.
This means that we all need to develop the ability to look over the horizon. That capability needs to be cascaded through all the layers of the supply chain and be held by everyone.
Alternatively, we may want to reduce the complexity of the supply chain by eliminating layers or pulling sources of supply closer. The word that supply chain risk managers need to apply is simplicity.
The danger of "silo thinking"
Today, when considering operations, supply chain experts think end-to-end, not in silos. Supply chain risk management should not be any different. But that's sometimes not the case.
Let's consider the approach taken by the National Institute of Standards and Technology (NIST), formerly known as the Bureau of Standards. Around the same timeframe as the GAO report, NIST published a bulletin called "Supply Chain Risk Management Practices for Federal Information Systems and Organizations."2 The abstract for the bulletin says, "Federal agencies are concerned about the risks associated with information and communications technology (ICT) products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the ICT supply chain."
While NIST's report asserts that it is about supply chain risk management, it isn't. Like the approach found in many government offices, the NIST policy treats supply chain risk as a cybersecurity issue. There is a cyber element in supply chain risk management, to be sure, but the topic of supply chain risk is broader than cybersecurity. Supply chain risk management extends beyond the cyber world and includes the physical.
Somewhere between the GAO high-level approach and NIST's narrow view lies the challenge for all of us: Understand the layers of your supply chain, gather the data, analyze, characterize the processes, prioritize, and get to work.
1. "Selected Agencies' Experiences Illustrate Good Practices in Managing Risk," GAO-17-63, a report to the Committee on Oversight and Government Reform, House of Representatives, https://www.gao.gov/products/GAO-17-63
2. "Supply Chain Risk Management Practices for Federal Information Systems and Organizations," NIST Special Publication 800-161, https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-161.pdf
Steve Geary is adjunct faculty at the University of Tennessee's Haslam College of Business and is a lecturer at The Gordon Institute at Tufts University. He is the president of the Supply Chain Visions family of companies, consultancies that work across the government sector. Steve is a contributing editor at DC Velocity, and editor-at-large for CSCMP's Supply Chain Quarterly.