CSCMP's Supply Chain Quarterly
January 20, 2020

How to recognize and reduce risk

Three techniques—segmentation, quantitative risk assessment, and scenario planning—can help managers identify, assess, and mitigate supply chain risk.

In modern networked supply chains, the increasing number and frequency of severe supply chain disruptions means that "business as unusual" has become business as usual. According to a survey conducted last year, more than eight out of 10 surveyed companies have been hit by a supply or demand disruption during the past two years, with almost half of those firms suffering a loss of sales or revenue, and more than one-third having experienced lower profits as a result of a disruption. 1 While the reporting of natural disasters over ubiquitous social media channels tends to skew trends toward modern times, occurrences of large-scale natural disasters, such as the Thai floods, the Icelandic volcanic eruption, the Japanese tsunami, and more have in fact increased over the last century, as is evident in Figure 1. It is no secret that disasters are on the rise and are a reality of a globalized world.

Although the exact consequences of disruptions are hard to measure, the financial impact of such disruptions—both natural and man-made—can be indirectly estimated at both the macro and the micro level. One way to assess the impact of large-scale disruptions is to follow the trends in the stock indices that are specific to the country that has been most directly affected. For example, the Japanese earthquake and tsunami resulted in the Nikkei Index dropping by over 17 percent in the three days following the disaster; the September 11, 2001, terrorist attacks caused the Standard & Poor's index to lose nearly 12 percent over four days after the stock markets reopened following the incident. Supply chain disruptions can have a drastic impact at the organizational level too. A study by Singhal and Hendricks identified a considerable impact on revenue following a disruption, with 30 percent of surveyed firms estimating losses of at least 5 percent of annual revenue as a result of supply chain disruptions.2

Article Figures
[Figure 1] Natural disasters reported 1900-2010
[Figure 1] Natural disasters reported 1900-2010 Enlarge this image
[Figure 2] Risks across the extended supply chain
[Figure 2] Risks across the extended supply chain Enlarge this image
[Figure 3] Supply chain segmentation
[Figure 3] Supply chain segmentation Enlarge this image
[Figure 4] Supply chain priority matrix
[Figure 4] Supply chain priority matrix Enlarge this image
[Figure 5] Risk quantification definition
[Figure 5] Risk quantification definition Enlarge this image
[Figure 6] Risk quantification
[Figure 6] Risk quantification Enlarge this image
[Figure 7] Scenario planning
[Figure 7] Scenario planning Enlarge this image

Clearly, supply chain disruptions can have a domino effect on organizations and on global commerce. Natural disasters first cause disruption at the macro level. That can then affect an organization's supply chain as disruptions first impact the organization itself, and then cause a chain reaction spreading across suppliers, customers, partners, and the shared value chain. (See Figure 2.) In addition to a direct bottom-line cost impact, supply chain disruptions can also result in unhappy customers, loss of reputation, civil and criminal penalties, and even bankruptcy.

Supply chain disruptions are no doubt hard to predict, but organizations can control the extent to which these disruptions could impact their companies. Toward that end, it is increasingly important for organizations to develop mature risk assessment capabilities and techniques such as supply chain segmentation, quantitative risk assessment, and scenario planning. These tools allow supply chain executives to better understand supply chain risks and develop appropriate risk mitigation strategies.

Supply chain segmentation
Supply chain segmentation is both a strategic and an operational exercise. For the purposes of this article, it is defined as a SCOR (Supply Chain Operations Reference model) methodology that identifies distinct supply chains within an organization based on geography/market channel and product offerings. It can be used to identify unique supply chains and develop risk assessment and mitigation strategies for each of them.

As a precursor to assessing risks in the supply chain, it is important to first understand the unique supply chains within the organization. This is especially important in large organizations that have multiple product offerings that are managed via multiple distribution channels. While high-level risks can be assessed at the organization level, it is ideal to first segment the supply chain and then develop risk assessment programs for each unique supply chain.

One way to segment the supply chain is to use the SCOR framework, specifically the SCOR supply chain definition matrix. The supply chain definition matrix helps define the number of supply chains in relation to a company's customers and products or services. The columns in the matrix are focused on demand—markets, channels, and customers, while the rows in the matrix are focused on supply—business lines, products, locations, and suppliers.

Consider the example shown in Figure 3. A hypothetical company has three main product lines: food products, technology products, and durable products. Food products are distributed across five channels (U.S. retail, U.S. distributor, U.S. direct, U.S. government, and international). Tech products are distributed across three channels (U.S. retail, U.S. original equipment manufacturers [OEM], and international), and durables are distributed across two channels (U.S. direct and U.S. home). In effect, this organization has 10 unique supply chains, each with its own inherent supply chain risks.

It may not be practical for organizations to conduct a risk assessment on all of their supply chains, hence it is important to identify the most important ones using a "Supply Chain Priority Matrix" like the example shown in Figure 4. To set up this matrix:

  • List all of your company's unique supply chains as identified in the previous step, and then identify key performance indicators (KPIs) that are most important to your organization. In this example, the organization cares most about rank in terms of revenue, gross margin percentage, number of stock-keeping units (SKUs), unit volume, and strategic importance. Weights can be assigned to each of these KPIs to reflect its importance to the organization.
  • For each KPI, assign a rank to each product-channel group based on how well (or not) that group contributed to the KPI. The highest-ranking supply chain receives a high number, and the lowest-ranking supply chain receives a "1." In this example, food products that were distributed to U.S. government agencies had a revenue rank of 1 (worst), while tech products distributed to U.S retail had a revenue rank of 6 (best).
  • Finally, complete this exercise for all product-channel and KPI combinations. The end result will be a listing of overall ratings for each of the organization's supply chains. In this example, food products-U.S. retail and tech products-U.S. retail scored the highest ratings, implying that these two supply chains were the most important for this organization.

This exercise can be conducted individually, but subject-matter expertise may be required from different departments. For that reason, it is recommended that it be done in a group composed of key personnel from the different product groups and operations teams. Moreover, since supply chain risks can impact different functions within an organization, it is important to engage cross-functional teams early on to make them aware of the supply chain risk management program and to seek their insight on strategic issues that may need to be considered in developing such a program.

Risk quantification
Risk quantification is an operational matter. It consists of quantification of supply chain risks across nine categories, and the creation of functional risk profiles. Its purpose is to identify, segment, and prioritize different external and internal supply chain risks.

Once organizations have segmented and identified their most important, unique supply chains, they can then start to identify risks that are specific to their operations and quantify the risk elements. The following categories form a comprehensive base covering almost all aspects of an organization:

Internal risks: financial, production and inventory, transportation, labor, information technology (IT)
External risks: supply, demand, natural hazard, political

Organizations may choose to quantify the risks embedded in each category as listed above, or choose only a subset of categories, depending on what applies to their particular supply chain environment and business strategies.

The basis for quantifying risks starts with the fundamental formula:

Risk = Probability of risk occurring * Impact of that occurrence

To use this formula:

  • Create a scale. First, create a 1-to-5 scale to measure both probability and impact, with 1 being the lowest and 5 being the highest.
  • Determine the "risk boundaries." Since the ranges for both P (probability) and I (impact) are from 1 to 5, risk is now measured on a scale of 1 to 25, because Risk=P*I. Hence the lower boundary for risk is 1*1=1 (when P and I both have the minimum value of 1), and the upper boundary is 5*5=25 (where P and I both have the maximum value of 5).
  • Define risk levels. Given that the risk profile can vary anywhere from 1 to 25, the next step is to define levels of risk using the value ranges. For example, risk levels can be defined as:
    Lower boundary Upper boundary
    Low risk 1.00 8.50
    Medium risk 8.50 16.50
    High risk 16.51 25.00

    Once the boundaries of risk levels have been defined, a matrix for easy reference, like the one shown in Figure 5, can be created.
  • Assign risk levels to categories. As a next step, each risk category, including both internal and external risks, should be assessed individually against the risk boundaries created. Each risk category will score a risk rating in the range of 1 to 25 and should be categorized as high, medium, or low risk based on the risk boundaries created earlier.
  • Calculate the organizational supply chain risk score. As a final step, assign a weight to each risk category based on its strategic impact on the organization's supply chain. The weights should be in the range of 0 to 100 percent, and the cumulative weight of all risk categories should total 100 percent. A simple dashboard can be created in a program such as Excel listing the risk categories, the weights, and the final risk score, as shown in Figure 6. For this particular example, the weighted average risk calculates out to 9.56, which represents a "medium" risk level based on the risk boundaries created earlier.

Scenario planning
Scenario planning is a hypothesis-driven, strategic planning method that involves developing "informed predictions"—that is, "future state" scenarios—and building response strategies for operating under each scenario. Its purpose is to prepare an organization for most plausible eventualities, and to enable it to steer through disruptions in such a way that there will be no substantial impact on its supply chains.

Scenario planning was originally conceived in the 1940s for military applications. But the roots of modern-day scenario planning were developed in the early 1970s by the petroleum company Royal Dutch Shell. Back then, Shell developed a set of possible future scenarios and built response strategies around the price of oil for each scenario. As a result, Shell was better prepared than its competition in reacting to risk and volatility, and consequently made better headway than the rest of the industry.

At a high level, the process of developing scenarios is as follows:

  • Identify the "focal question." The first step in building scenarios is to identify the focal question—the problem or opportunity—that is to be explored. There are hundreds of scenarios that could be developed about the future, but the objective is to address that one key issue that would have the biggest impact on the organization. The focal question can be broad; for example, "Should we expand into China and open X number of additional distribution centers?" Or it can be very specific; for example, "Should we invest in a multimillion-dollar enterprise resource planning (ERP) system?"
  • Identify the "driving forces." Driving forces are internal or external factors that will shape future supply chain dynamics and consequently impact the business environment in which the organization operates. Driving forces can include such issues as literacy rate, aging population, gross domestic product (GDP) growth, political stability, government regulations, technological innovations, and so forth.
  • Develop scenarios. Once a comprehensive list of driving forces has been identified, the next step is to prune the list down to the two sets that are most relevant to the focal question, along axes of uncertainties. By combining the two driving forces along horizontal and vertical axes, we end up with four quadrants, each of which represents a unique future-state scenario that needs to be explored. For example, let's assume that for the focal question "Should we expand into China and open X number of additional distribution centers?" the two driving forces identified are "strength of China's economy" and "government regulations." By assuming the extreme possible outcome of each driving force, and then combining these two driving forces along the X and Y axes, four quadrants are created, each of which houses a unique future-state scenario. Each scenario is identified by a unique name, and the predicted resulting environment is described in as much detail as possible.
    For example, for the scenario titled "Accelerated Growth," you might write a short narrative that paints a picture of a booming economy, double-digit business growth, productive labor force, and so forth. The core objective here is to identify the conditions under which your organization would have to operate if the said scenario were to materialize. (See Figure 7 for an example.)
  • Identify scenario implications. The final step in scenario planning is to capture insights into how the organization would fare and what decisions it should make under each scenario. For each scenario, the potential impact of organizational and decisional behavior can be assessed by setting up simulation models or by simple brainstorming exercises.

The deployment of scenario planning by organizations and its continued use validates the method as a key aspect in strategic planning and in risk assessment. At a recent Council of Supply Chain Management Professionals (CSCMP) conference, a speaker highlighted a video that was shot in the 1960s, in which the narrator predicts how the world will look in the year 1999. It is quite remarkable how accurately future inventions were predicted and future-state scenarios painted. (By the way, this video is available on YouTube by searching for "Year 1999 A.D.")

The benefits of implementing scenario planning are summed up by one of its pioneers, Arie de Geus: "Scenarios are stories. They are works of art, rather than scientific analyses. The reliability of (their content) is less important than the types of conversations and decisions they spark."

Art and science
Accurately predicting disruptions and completely mitigating risks remains improbable, but by implementing the risk management practices described above, practitioners can be better prepared to manage risks and mitigate some of their impact. In addition, the above techniques can help practitioners: segment the supply chain based on product groups and marketing channels and identify risks specific to each segment; identify risk categories and quantify each risk item based on probability and impact; and plan strategically and develop risk mitigation strategies for different future-state scenarios.

Supply chain risk management is both an art and a science. The art aspect comes from years of experience and sometimes reflects "gut feelings," and the science aspect comes from developing and implementing risk management capabilities in the organization. While three risk management practices were highlighted in this article, it is also worth exploring the newer methods that continue to be developed as organizations search for improved ways of managing supply chain risk and developing competitive advantages in increasingly globalized and complex supply chain networks.

1. The Chief Supply Chain Officer Report 2012, SCM World (September 2012).
2. Kevin B. Hendricks and Vinod R. Singhal, "An Empirical Analysis of the Effect of Supply Chain Disruptions on Long-Run Stock Price Performance and Equity Risk of the Firm," Production and Operations Management 14.1 (March 2005): 35-52.

Mudasar Mohamed is Senior Consultant, Supply Chain Design & Innovation for the global supply chain management company UTi.

Join the Discussion

After you comment, click Post. If you're not already logged in, you will be asked to log in or register.

Want more articles like this? Sign up for a free subscription to Supply Chain Executive Insight, a monthly e-newsletter that provides insights and commentary on supply chain trends and developments. Click here to subscribe.

We Want to Hear From You! We invite you to share your thoughts and opinions about this article by sending an e-mail to ?Subject=Letter to the Editor: Quarter 2013: How to recognize and reduce risk"> . We will publish selected readers' comments in future issues of CSCMP's Supply Chain Quarterly. Correspondence may be edited for clarity or for length.

Want more articles like this? Subscribe to CSCMP's Supply Chain Quarterly.