In Part 1 of this series on supply chain risk management, I discussed the fact that a number of supply chain analysts believe that the business sector doesn't walk the talk when it comes to business continuity and disaster recovery (BC/DR) planning and implementation. Blogger Daniel Stengel, a risk management expert, believes that business continuity and disaster recovery are "more narrow disciplines" of Supply Chain Risk Management -- with "Business Continuity on the one end and Supply Chain Crisis Management on the other." ["Supply Chain Crisis Management," Supply Chain Risk Management, 25 October 2010]. Stengel's discussion starts at the latter end of the spectrum. He asks, "So how do crises fit into the Supply Chain Risk Management landscape?" To help answer that question, he refers to a study entitled "Managing supply chains in times of crisis: a review of literature and insights," by Malini Natarajarathinam, Ismail Capar, and Arunachalam Narayanan. According to the study's abstract: "This paper will serve as a guide to supply chain managers who would like to know how crises, disasters, and disruptions in supply chains have been handled in existing academic literature." Commenting on the study, Stengel writes:
"The authors cite Merriam-Webster on crisis, where it is defined as: 'an unstable or crucial time or state of affairs in which a decisive change is impending; especially: one with the distinct possibility of a highly undesirable outcome.' So in a supply chain context, a crisis is comparable to a disruption where the flow of goods, information or money is interrupted."
Stengel reports that the authors searched "peer-reviewed articles as a basis for their work. For their sample they were using keywords like 'crisis', 'risks', 'disaster', 'uncertainty' and more. This search resulted in 118 relevant articles published between ... 1990 and 2008." More than half of the relevant articles (64) were written in or after 2005 -- demonstrating that the topic of supply chain risk management has taken on a new urgency in recent years. Apparently the authors found "gaps in the literature that can provide ideas for future research in this area." Stengel concluded that the study was clearly written, but he believed "the discussion of the term 'Crisis Management' could have been more elaborate." The fact that relatively little research has been conducted in this area might be one reason that so few companies have adequate business continuity and disaster recovery plans in place. So what can they do? The first thing that Stengel recommends is that business executives should understand how reducing uncertainties across business processes can make a significantly greater difference than reducing uncertainties in a few selected sectors.
Stengel reaches this conclusion from a study that examines "The Supply Chain Uncertainty Circle," [Supply Chain Risk Management, 27 October 2010]. "What," you ask, "is the supply chain uncertainty circle?" Authors of the study, Rachel Mason-Jones and Denis R. Towill, explain that the circle represents the total uncertainty in the product delivery process contained in four "fundamental constituent segments due to manufacturing," namely: demand side, supply side, control systems, and the manufacturing process (Figure 1). ["Shrinking the Supply Chain Uncertainty Circle," by Rachel Mason-Jones and Denis R. Towill, Control, September 1998]
An Uncertainty Circle with equal uncertainty in each segment would then look like this:
Stengel then writes: "With the Uncertainty Circle it is now possible to visualize [the] effect of shrinking one of the risks without the other: Overall risk is only reduced by a (comparatively) small amount. [Figure 2] This furthermore implies the goal for supply chain risk managers: Reduction of risk on all frontiers!"
"This of course does not have to happen at the same time. Companies usually start with improvements in their own manufacturing processes and establish lean thinking to improve lead times and quality. As a next step this concept may be enlarged to the companies' suppliers as well to reduce supply side risks. The authors then argue that much potential is left untouched on the reduction of demand side uncertainties and control systems. Demand side risks can be reduced by improving the information flow from the end-customer throughout the supply chain and companies can tackle control risks by improving their ability to act on this new information with a adequate Decision Support System."
What Stengel is implying is that supply chains need to become demand driven. On that point, he agrees with a number of other supply chain analysts (to learn more, read my post entitled Demand Driven Supply Chains). He concludes, "Even though the article [was] published twelve years ago the concept of the Uncertainty Circle can still be used as a framework to reduce risks within a supply chain." Supply chain analyst Bob Ferrari seems to agree with Stengel that a framework is needed to perform and implement business continuity and disaster recovery successfully ["Supply Chain Matters Business Briefing Series- Supply Chain Risk Management and Mitigation," Supply Chain Matters, 17 January 2011]. He writes:
"Supply chain risk management includes a systemic process to identify, evaluate, monitor, control and/or respond to perceived risk conditions. It refers to uncertain and/or unpredictable events affecting one or more organizations, companies or supply networks which have costly results to a business or to a brand. There are many perceived reasons for these occurrences which can stem from operational, individual product, natural disaster or political and regulatory risk factors. In many cases the companies, organizations or teams impacted may have felt that they had adequate plans in place to either avoid or mitigate these occurrences. Then again, firms may be in an unprecedented era of many so-called 'black swan' events and subsequent impacts."
What I most appreciated about Ferrari's post was that he offered a series of questions that companies can use to help develop their risk management systems. Those questions include:
- "What are the various aspects of risk and where in the organization does the accountability for value chain risk reside?
- "What are the most important components to a risk mitigation plan?
- "How should organizations respond to a risk incident, and what roles do various supply chain functional teams play in a response and mitigation plan?
- "How will social-media based communications impact a risk response strategy?
- "What role can technology play in identifying and mitigating supply and value-chain risk?"
The good news, according to Steve Banker, is that the field of supply chain risk management is advancing at a rapid rate ["The Advancing Field of Supply Chain Risk Management," Logistics Viewpoints, 8 November 2010]. That supports the finding of the study with which I began this column that showed that activity in this field started to increase around five years ago. Banker writes:
"The Supply Chain Risk Leadership Council (SCRLC) ... has developed a very nice way of categorizing supply chain risk management (SCRM). They view it as being composed of five distinct disciplines:
- "Preparedness, Continuity, and Recovery Planning;
- "Regulatory & Security;
- "Supply Chain Resiliency;
- "Risk Assessment and Monitoring;
- "Supply Chain Incident Detection and Crisis Management."
I'm always in favor of frameworks that offer improved ways of looking at complex challenges. In this case, I'm pleased that the SCRLC includes resiliency among their categories. Banker indicates that the Council is "compiling a 'lexicon' of terms." He writes:
"I found the definitions interesting because they show how deeply the organization is thinking about this topic. Here are a couple of examples. SCRLC prefers the term 'risk management' to 'crisis management' because the latter implies an after-the-fact response to a crisis, while risk management is more proactive. The term 'Risk Appetite,' however, is more difficult and elusive to define. 'It's a concept you can resonate to at fifty thousand feet, but when you try to implement it on the ground as a practical application, it's very tough,' says John Brown, Director, Risk Management, Supply Chain Development, Coca-Cola Company, and a member of the track. 'It's important to have a measure so individuals within a company don't take more down-side uncertainty than a company can reasonably bear or less than is optimal for a company to tolerate. But with the exception of financial services, it's very cutting edge to develop a metric that puts numbers on risk appetite. There are so many functions within a company, how can you say concisely what is acceptable risk? Most risk levels at the enterprise level are more qualitative than quantitative.' 'Risk Tolerance' is equally difficult to define. As Brown notes in the newsletter, 'ISO defines it as an organization's readiness to bear risk, which can be interpreted as an absolute boundary that the company can accept and still survive. But some companies would say just the opposite—that Appetite is the total picture and Tolerance falls within that.'"
What I gather from Banker's comments is that supply chain risk management is still in its infancy, but quickly maturing. That should make it an exciting field in which to work over the next few decades. Banker says some companies, like Cisco, are more mature than others. When he was briefed a couple of years ago by Cisco on its approach to SCRM, he "was blown away." He concludes:
"I was fascinated by the council's list of resources, websites that could provide very useful information to a SCRM team. These resources include CNN; the Emergency Email and Wireless Network (breaking news and emergency email notifications of natural disasters or other emergencies in a particular locale); the World Health Organization; Centers for Disease Control (tracking of pandemics and acute disease outbreaks); the World Metrologic Organization; the US Geological Survey/Earthquake Information (earthquakes, hurricanes, cyclones, and severe weather); and Maplecroft Maps (portfolio of risk indices displayed in interactive maps; I plan to get briefed by them soon). In conclusion, although the field of supply chain risk management is advancing, it is still in its infancy, and most companies still only focus on business continuity and recovery planning and not the broader approach to SCRM put forward by this council."
I agree with Banker that the more comprehensive a company's approach to risk management the better off it is going to be. The fact that the Supply Chain Risk Leadership Council has provided some resources for companies to use is a good step forward. It helps companies understand just how complex the field of risk management really is. In the next post of this series, I'll look at some recommendations that have been offered by risk management experts.