Supply%20Chain%20Risk%20Management%20Framework%20%20Supply%20Chain%20Risk%20Leadership%20Council%206%20June%202007

1
Supply Chain Risk Management FrameworkSupply
Chain Risk Leadership Council6 June 2007
2
Overview

• Scope
• Develop a Supply Chain Risk Mgmt Framework that
  will allow SCLRC members to work from common
  terms of reference and that will help guide
  future SCLRC activities
• Deliverables
• This presentation
• Others TBD

3
Team Members and Sources

• Team Members
• Ely Kahn and Andrew Cox, TSA
• Tim Astley, Zurich
• Brent Myers, FedEx
• Craig Babcock, PG
• Sources
• Committee of Sponsoring Organizations of the
  Treadway Commission (COSO), Enterprise Risk
  Management - Integrated Framework, 2004
• Supply Chain Risks and Risk Sharing Instruments,
  Robert Lindroth Andreas Norrman, 2001

4
Definition of SCRM

• Supply Chain Risk Management (SCRM) is the
  practice of managing the risk of any factor or
  event that can materially disrupt a supply chain
  whether within a single company or spread across
  multiple companies. The ultimate purpose of
  supply chain risk management is to enable cost
  avoidance, customer service, and market position.
  Supply chain risks can be grouped into 3 broad
  categories physical, process, and institutional
  risks

5
Supply Chain Risk Framework
PHYSICAL
PROCESS
INSTITUTIONAL
Internal environment
Objective setting
GLOBAL SUPPLY CHAIN
EXTERNAL SUPPLY CHAIN
Event identification
INTERNAL SUPPLY CHAIN
Risk assessment
UNIT/SITE OPERATIONS
Risk response
Control activities
Information communication
Supply Chain Scope
Monitoring
6
Risk Mgmt Components
7
Risk Management Components

• Components of SCRM
• Internal Environment
• Objective Setting
• Event Identification
• Risk Assessment
• Risk Response
• Control Activities
• Information Communication
• Monitoring
• The components should be looked at as being
  interrelated.

8
Internal Environment

• Encompasses the tone of an organization
• Influences the consciousness and awareness of its
  people
• Basis for all other components
• Provides discipline, structure and organization
• Establishes a philosophy regarding risk
  management, including its risk appetite
• Oversight by board of directors
• Integrity, ethical values, competence
• Assigning of authority and responsibility

Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information Communication
Monitoring
9
Objective Setting

• Set at the strategic level, establishing a basis
  for operations, reporting and compliance
• Precondition for event identification, risk
  assessment and risk response
• Aligned with the risk appetite (as defined in
  internal environment)
• Risk tolerance

10
Event Identification

• Management identifies potential events
• Differentiates risks and opportunities.
• Events that may have a negative impact represent
  risks, which require management response
• Events that may have a positive impact represent
  natural offsets (opportunities), which management
  channels back to strategy setting.
• Involves identifying those incidents, occurring
  internally or externally, that could affect
  strategy and achievement of objectives.
• Addresses how internal and external factors
  combine and interact to influence the risk
  profile.

11
Event Identification

• Possible techniques
• Event inventories
• Scenario analysis
• Internal analysis
• Escalation or threshold triggers
• Facilitated workshops and interviews
• Process flow analysis
• Leading event indicators
• Loss event data methodologies
• Interdependencies

12
Event Identification

• Categorization of events (with reference to other
  framework axes), e.g.
• External
• Economic
• Environment
• Political
• Social
• Technological
• Internal
• Infrastructure
• Personnel
• Process
• Technology

13
Risk Assessment

• Allows an entity to understand the extent to
  which potential events might impact objectives.
• Assesses risks from two perspectives
• Likelihood
• Impact
• Employs a combination of both qualitative and
  quantitative risk assessment methodologies.
• Relates time horizons to objective horizons.
• Assesses risk on both an inherent and a residual
  basis.
• Impact of events should be assessed individually
  or by category across the entity

14
Risk Assessment

• Assessment Techniques
• Benchmarking
• Probabilistic models
• Non-probabilistic models

15
Risk Response

• Identifies and evaluates possible responses to
  risk.
• Possible Responses
• Avoidance
• Reduction
• Sharing
• Acceptance
• Evaluates options in relation to risk appetite,
  cost vs. benefit of potential risk responses, and
  degree to which a response will reduce impact
  and/or likelihood.
• Selects and executes response based on evaluation
  of the portfolio of risks and responses.
• Examines, whether residual risk is within risk
  tolerance

16
Control Activities

• Policies and procedures that help ensure that the
  risk responses, as well as other entity
  directives, are carried out.
• Occur throughout the organization, at all levels
  and in all functions.
• Include approvals, authorizations, verifications,
  reconciliations, review of operating performance,
  security of assets and segregation of duties.

17
Information Communication

• Management identifies, captures, and communicates
  pertinent information in a form and timeframe
  that enables people to carry out their
  responsibilities.
• Communication occurs in a broader sense, flowing
  down, across, and up the organization.
• Personnel receive a clear message from top
  management
• Means for communicating upstream
• Communication with external parties

18
Monitoring

• Monitoring shall assess presence and functioning
  of ERM over time
• Effectiveness of the other ERM components is
  monitored through
• Ongoing monitoring activities.
• Separate evaluations.
• A combination of the two.
• Serious matters reported to top management and
  the board

19
Issues to be aware of

• Need to balance the audit approach (avoid or
  mitigate risk) vs. proactive approach (deal
  actively with risks)
• Need to recognise role of risk management in
  realizing strategic objectives
• Risk should be seen as a necessary component and
  factor in strategic opportunity.
• There might be an economic benefit in accepting a
  particular risk, the focus should be on the
  risk-return tradeoff
• Risk quantification needs to be included as well
  as the focus on risk mitigation.
• Need to adequately reflected the external
  environment even though some risk-factors are
  beyond managements control
• Need to recognise correlation of risks often
  difficult
• Risk management is a coordinating function
• Risk management is a dynamic process, not a check
  list approach
• Need to recognise risk to reputation

20
Types of Risk
21
Types of Risk

• Physical Disruptions Destruction of critical
  infrastructure in the supply chain
• Critical Infrastructure includes the material
  components or assets necessary for the continuous
  operation of the transportation system including
  equipment and personnel
• Process Disruptions Events that involve
  day-to-day operations of supply chain processes
• Processes include the rules, actions, decisions,
  and information flows that give life to the
  physical level and are necessary for efficient
  and effective operation of the transportation
  system. Processes are what allow material
  components to work togetherphysically or
  virtuallyas a system or supply chain
• Institutional Disruptions Events that involve
  changes in company or supply-network governance
  and strategy.
• Institutional considerations include the
  policies, guidance, and organizations that
  empower and constrain the operation of the supply
  chain to meet large-scale company goals. Public
  sector examples of institutional disruptions
  include federal legislation, national policies,
  and state regulations. Private sector examples
  include company reorganizations, mergers, market
  shifts, and technology breakthroughs.

Physical
Process
Institutional
22
Risk Categories

• Physical Disruptions
• Natural Disasters
• Terrorist Attacks
• Accidents
• Process Disruptions
• Cyber Attacks
• Demand Forecasting Errors (Bullwhip effect)
• Supplier Reliability
• Missing or late shipments
• Institutional Disruptions
• New / Increased Regulations
• Geopolitical Issues / War
• Technology Step-Change

23
Supply Chain Scope
24
Supply Chain Scope

• Unit/Site Operations Source, make, deliver and
  return activities that are confined to a specific
  company unit or site
• Internal Supply Chain Source, make, deliver and
  return activities that are confined to internal
  customers and suppliers at a local or regional
  level
• External Supply Chain Source, make, deliver and
  return activities that include external customers
  and suppliers at a local or regional level
• Global Supply Chain Highly complex supply chains
  that span national boundaries and involve second
  and third order suppliers and customers

Internal Supply Chain
External Supply Chain
Global Supply Chain
Unit Operations
25
Supply Chain Framework Interdependencies
Physical Movement
Information Flow
Information Flow
Financial Flow
26
Supply Chain Scope Overlaid onto the Supply Chain
Framework
Unit/Site Operations
Internal Supply Chain
External Supply Chain
Global Supply Chain
27
Next Steps

• Discussion
• Close out track?
• How do we use this framework?