Placing risks into categories.
To identify the resources and time required to address the critical and operational Supply Chain Risks in your organisation, the initial step is to structure the current assortment of uncertainties into an understandable matrix of risks.
The previous blog discussed potential risks within four classifications: external; value network; internal and supply chain processes. Each risk must then be placed into a category, which can then be extended into an action plan. The process is illustrated in the diagram:
Categories of risk extend from the extremes of certainty (which rarely occurs) through to ignorance. Ignorance infers that you recognise a risk associated with an event, but do nothing to identify the likelihood of occurrence or the possible consequences. This lack of action contains a risk in itself, together with an unknown cost.
Between the two extremes are three categories of risk:
- Known risks: Includes supply chain events, such as late deliveries and changes in material costs. Events at risk are those that lie outside the limit lines of control charts, used to measure variabilities in your supply chains.
- Known – unknown risks: Only the probability of an occurrence for an event or its likely consequences is known. An example is the risk of an ocean shipment being delayed due to inbound customs intervention. The probability of this occurring by country and port can be identified from records of previous shipments and custom broker knowledge. However, the consequences (delays, additional payments, rejection) are unknown, requiring actions to reduce the effect. Likewise, natural disasters may also be classified as Known-unknown risks, because, while the likelihood of an event is known, the consequences for your organisation will be varied.
- Unknown – unknown risks: The probability of occurrence and possible consequences of an event cannot be foreseen, even by experienced supply chain professionals. To better allocate Unknown-unknown risks, they are viewed within two sub-categories:
- Unknown but knowable unknown risks (also called ‘knowable unknowns’): the likelihood and consequences of possible events can be known if sufficient time is allowed to identify them in the strategy or plan. Even if an event has a very low probability of occurring and a very high impact if it does occur, it is a known risk, which can be addressed through the risk management process. Knowable unknowns’ are therefore not what are called ‘Black Swan’ events
- Unknown and unknowable unknowns: events that can never be discovered until they happen. These are called Black Swans and cannot be addressed using risk management planning and mitigation techniques
Unknown – unknown risks are recognised as ‘force majeure’ – a French term meaning ‘greater force’, which is used in supply contracts. The objective of the term is to free one or both parties from liability or obligation when an extraordinary event or circumstances occur that is beyond the control of the parties and which stops the contract being fulfilled. It is not intended to protect either party to the contract from negligence.
The term Black Swans was discussed by Nassim Nichollas Taleb in his book The Black Swan – the impact of the highly improbable Penguin, 2008. Taleb states that we cannot predict Black Swan events because they have three characteristics:
- They are unexpected and unpredictable
- They have extreme impacts
- They appear obvious after the event has happened
The term Black Swan comes from the 17th century belief in the northern hemisphere that all swans were white. If a bird was another colour, it was not a swan. When explorers came to Australia they found true swans that were black. Therefore the known rules had to be changed. In the 21st century, Black Swans are events that change the rules and create a new paradigm.
A Black Swan event is usually seen as a negative, but it can also be positive, such as inventing a new technology. Taleb identifies “…the computer, the Internet and the laser as three technological black swans which came out of nowhere. We didn’t know what they were and when we had them right before our eyes we didn’t know what to do with them. The Internet was not built as something to help people communicate in chat rooms; it was a military application and it evolved”.
However, disruptive technologies are rarely Black Swans. In an industry, established organisations are often so entrenched in the current way of doing things, they cannot envisage a different way of providing the product or service. They ignore, or do not sufficiently investigate, the risks to their business (which is ignorance).
Developing the risk matrix
The three categories (known; known-unknown and knowable unknowns) applied to risks identified in the four classifications discussed in the previous blog, provides a 12 segment matrix. Completing this step is a structured process to identify the scope of work (SOW) required to establish the Supply Chain Risk Management Plan.
For each category, the amount and complexity of work increases:
- Known risks: a process must be established that enables a response to particular risks. This includes implementing a measurement process (control charts) so that ‘outlier’ events are quickly identified
- Known-unknown risks: work is required to formalise both the likelihood and consequences of each event
- Knowable-unknown risks have an additional investigation step (prior to establishing the likelihood and consequences), to identify the Knowable (but currently not known) risks in the Supply Chain Strategy and supply plans (which could also extend to sales plans)
Using the outputs from the risk matrix enables the Supply Chain group to submit a structured proposal for senior management to approve the allocation of resources. Following approval, analysis can commence to develop the Supply Chain Risk Management Plan.