Start with Business Continuity risks.
It does not matter whether implementing risk management in your supply chains is an initiative of the supply chain group or a demand from the board and senior management; it is another requirement placed on the busy schedule of supply chain executives. So, where to start?
Recent blogs have discussed the classification of supply chain risks and then placing those risks in categories. This provides a meaningful structure to assist the analysis stage, which ranks risks by quantifying the likelihood of an event occurring and, when it does, the likely consequences. However, structuring the identified supply chain risks is likely to take some time; yet it is always good to get some ‘runs on the board’ for recognition by senior management when a new project is underway.
The risk classification that has visibility is called Business Continuity. Although there are many possible supply chain events that could affect the ongoing continuity of a business, articles and conference presentations discussing Business Continuity appear to focus on the risks associated with cyber attacks and natural events. These risks are critical: they have high visibility when they occur, and the consequences may range from serious to very severe.
A Business Continuity event could happen anywhere within your supply network, and the more connected your network is to other networks, the higher the risks. Think multiple suppliers, logistics service providers, port and terminal operators and global trade administration in many countries. An event may occur at a tier 3 or 4 supplier you may not be aware of, and that supplier could be located in a low-cost country. Adding to the network vulnerability could be operational planning and scheduling systems (maybe networked to equipment and instrument sub-systems) that also communicate through your supply chains.
The Business Continuity Risk plan needs to identify possible business interruptions that are:
- Contingent – where an event that damages a supplier (like a factory fire or a flood in a region) will also be a cost to your business
- Interdependent – where a disruption in inter-company supply may cause a loss for your business
Cyber attacks
If your business deals with the movement of items, it is likely that more than 70 percent of your corporate data is concerned with the movement and storage of items (and any added value operations performed). The challenge has two parts. While extending and integrating networked information systems through your supply network, should (and can) access be restricted? And following an attack which directly affects your supply network, how will the operational activities continue to access and use data and information?
Natural (or nature) events
These should be viewed within two sub-classifications:
- Physical shocks e.g. earthquakes and volcanoes, together with possible associated tsunami
- Adverse weather e.g. droughts, forest fires, storms (cyclones, typhoons and hurricanes)
Physical shocks can be insured, but weather events (and their consequences) may be more severe due to human activity, i.e. global warming. Insurance companies will therefore become more reluctant to provide cover for these risks, so organisations will require a risk plan to minimise the consequences.
Approach to Business Continuity risks
Business Continuity actions are those that your business will implement to keep operating. There are four operational areas to be considered when assessing how to keep operating and minimise the consequences of an event:
- Availability of supplies: Increased agility and/or redundancy through the supply chains. Inventory policy by location. Inventory buffers by location based on form and function. Inventory replenishment planning rules and how quickly they can be changed. Sourcing flexibility, product range rationalisation and simplification e.g. common sub-assemblies. Postponement policy.
- Access to physical resources: Current and alternative transport assets by mode and storage/distribution facilities, with requirement for emergency power. Even if distribution has been outsourced to a 3PL, what are their plans in the event of a disruption? In a disaster, does the government mandate regulations concerning emergency fuel stocks, or does it take responsibility for the cost of establishing, stocking and distributing emergency fuel supplies?
- Flow of data: How will your Supply Chain group continue to access and use data and information?
- Availability of people: The access of people to your facilities (and maybe accommodating them). How staff such as planners and schedulers can work from home or other remote locations.
An objective of risk management is to avoid being unable to recover from an event. So, to ensure Business Continuity, organisations need their Supply Chain strategies to be both flexible and dependable (that is, resilient).
Flexible organisations have the capability to quickly re-structure so that orders of varying volumes, product mix and delivery requirements can be addressed profitably. This requires a flexible business and organisation structure, integrated with a flexible cost and pricing system. Dependable means that systems and processes within the organisation are both predictable and robust. Changes in the wider environment can be addressed with minimal effect on customers.
In addition to being a core capability of the Supply Chains group, a Supply Chain Risk Management plan could become a requirement when applying for business insurance. For these reasons, it is preferable to commence building your risk plan, and a recommended place to start is the areas under Business Continuity.