Confidential 1
Supply Chain Risk Management Framework
Supply Chain Risk Leadership Council
4 Oct 2007
Overview
Scope
Develop a Supply Chain Risk Mgmt Framework that will allow SCLRC members to work from common terms of reference and that will help guide future SCLRC activities
Deliverables
This presentation
Adjustments as they become necessary
SCRLC Track Definition
Track Title: Supply Chain Risk Management Framework
Track Objective: Develop a Supply Chain Risk Mgmt Framework that will allow SCLRC members to work from common terms of reference and that will help guide future SCLRC activities
Track Scope
In Scope: Supply Chain Risk Management Framework which includes the following issues 1) Supplier Reliability 2) Security 3) Regulatory Concerns 4) Risk Management and 5) Incident/Crisis Management
Out of Scope: Broader issues of enterprise risk management will be considered separately from supply chain risk management. For example: Issues not included are 1) Intellectual Property 2) Branding
Next Milestone(s)
1. Obtain consensus from the broader SCRLC group
2. Close out track until adjustments are necessary
Team Members and Sources
Team Members
Ely Kahn and Andrew Cox, TSA
Tim Astley, Zurich
Brent Myers, FedEx
Craig Babcock, P&G
Ravi Anupindi, University of Michigan
Sources
Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management - Integrated Framework, 2004
Supply Chain Risks and Risk Sharing Instruments, Robert Lindroth & Andreas Norrman, 2001
Definition of SCRM
Supply Chain Risk Management (SCRM) is the practice of managing the risk of any factor or event that can materially disrupt a supply chain whether within a single company or spread across multiple companies.
The ultimate purpose of supply chain risk management is to enable cost avoidance, customer service, and market position. Supply chain risks can be grouped into 3 broad categories: physical, process, and institutional risks
Supply Chain Risk Framework
(Figure: the framework has three axes, whose labels are listed below)
Supply Chain Scope: X-Tier Supplier, First-tier Supplier, Your Company, Primary Customer, Downstream Customer
Scope includes links between supplier, your company, and customer
Risk management components:
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information & Communication
Monitoring
Risk Management is an iterative process
Types of risk:
PHYSICAL
PROCESS
INSTITUTIONAL
Types of risk are not mutually exclusive
Supply Chain Risk Management vs. Enterprise Risk Management
(Figure: overlapping supply chain and enterprise risk concerns; labels as shown on the slide)
Purpose
Vision
Principles
Breach
Concentration Risk / Supply Chain Resilience
Product Quality / Safety
Phys. Security People / Assets
Company Tax Structure
Acquisition Integration
Marketing Strategy
Major IT Outage
Earnings/Sales Miss
CEO/Leadership Succession Plans
Key Risks: Supply Chain vs. Enterprise
Supply Chain (Source: McKinsey quarterly global survey of business executives, Sept 2006)
General availability (cost, quality) of labor
Regulatory concerns
Reliability of suppliers (quality, warranty, yield,…)
Commodity shortage/price fluctuations
Fluctuations of foreign exchange rates
Intellectual property theft
Obsolescence of product inventory or technology
War, terrorism, other geopolitical concerns
Problems with supply chain infrastructure
Plant breakdown, mechanical failures
Natural disasters
Others
Enterprise (Source: PWC, 7th Annual Global CEO Survey – Managing Risk, 2004)
Stock market volatility
Global terrorism
Over-regulation
Currency fluctuations
Reputational risk
Corporate governance issues
Price deflation
Emerging technologies
Increased competition
Loss of key talent
Cost of capital
Risk Management Components
Risk Management Components
The components should be looked at as being interrelated.
Components of SCRM
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information & Communication
Monitoring
Internal Environment
Encompasses the tone of an organization
Influences the consciousness and awareness of its people
Basis for all other components
Provides discipline, structure and organization
Establishes a philosophy regarding risk management, including its risk appetite
Oversight by board of directors
Integrity, ethical values, competence
Assigning of authority and responsibility
Objective Setting
Set at the strategic level, establishing a basis for operations, reporting and compliance
Precondition for event identification, risk assessment and risk response
Aligned with the risk appetite (as defined in internal environment)
Risk tolerance
Event Identification
Management identifies potential events
Differentiates risks and opportunities.
Events that may have a negative impact represent risks, which require management response
Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.
Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives.
Addresses how internal and external factors combine and interact to influence the risk profile.
Event Identification
Possible techniques
Event inventories
Scenario analysis
Internal analysis
Escalation or threshold triggers
Facilitated workshops and interviews
Process flow analysis
Leading event indicators
Loss event data methodologies
Interdependencies
Event Identification
Categorization of events (with reference to other framework axes), e.g.
External
- Economic
- Environment
- Political
- Social
- Technological
Internal
- Infrastructure
- Personnel
- Process
- Technology
Risk Assessment
Allows an entity to understand the extent to which potential events might impact objectives.
Assesses risks from two perspectives:
- Likelihood
- Impact
Employs a combination of both qualitative and quantitative risk assessment methodologies.
Relates time horizons to objective horizons.
Assesses risk on both an inherent and a residual basis.
Impact of events should be assessed individually or by category across the entity
Risk Assessment
Assessment Techniques
Benchmarking
Probabilistic models
Non-probabilistic models
Risk Assessment
Identifies and evaluates possible responses to risk.
Possible Responses:
- Avoidance
- Reduction
- Sharing
- Acceptance
Evaluates options in relation to risk appetite, cost vs. benefit of potential risk responses, and degree to which a response will reduce impact and/or likelihood.
Selects and executes response based on evaluation of the portfolio of risks and responses.
Examines whether residual risk is within risk tolerance
Control Activities
Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out.
Occur throughout the organization, at all levels and in all functions.
Include approvals, authorizations, verifications, reconciliations, review of operating performance, security of assets and segregation of duties.
Information & Communication
Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities.
Communication occurs in a broader sense, flowing down, across, and up the organization.
Personnel receive a clear message from top management
Means for communicating upstream
Communication with external parties
Monitoring
Monitoring shall assess presence and functioning of ERM over time
Effectiveness of the other ERM components is monitored through:
- Ongoing monitoring activities.
- Separate evaluations.
- A combination of the two.
Serious matters reported to top management and the board
Issues to be aware of
Risk Management is an iterative discipline: risks must be revisited on a regular basis
Need to balance the audit approach (avoid or mitigate risk) vs. the proactive approach (deal actively with risks)
Need to recognise the role of risk management in realizing strategic objectives
Risk should be seen as a necessary component and factor in strategic opportunity. There might be an economic benefit in accepting a particular risk; the focus should be on the risk-return tradeoff
Risk quantification needs to be included as well as the focus on risk mitigation
Need to adequately reflect the external environment even though some risk-factors are beyond management's control
Need to recognise correlation of risks – often difficult
Risk management is a coordinating function
Risk management is a dynamic process, not a check-list approach
Need to recognise risk to reputation
Risk Management Components
Where do exposures remain after risk responses (mitigations/ controls) which are still beyond the company’s tolerance level?
Develop plans to respond to these residual exposures should they occur:
- Business Continuity Plans
- Incident Response Plans
- Disaster Recovery Plans
- Crisis Management Plans etc.
Risk Mitigation Effects
(Figure: two risk maps, Likelihood on the vertical axis and Impact on the horizontal axis, each with a "Limit of Risk Tolerance" line. "Risk Map Before Response / Controls" plots risks 1 to 8 at their inherent position; "Risk Map After Response / Controls" plots the same risks at their residual position, and those still beyond the limit are marked "Develop Recovery Plans".)
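As an added illustration, not part of the SCRLC deck, a small Python model of the risk map above: each inherent risk is moved by one of the four responses from the Risk Response slide (avoidance, reduction, sharing, acceptance), and whatever still sits beyond the tolerance limit is the residual exposure that the previous slide says needs a business continuity, incident, disaster recovery or crisis plan. The 5x5 scale, the tolerance threshold of 6, the scale-step "cuts" and the register entries are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed 5x5 risk map: likelihood and impact each run 1..5 and a risk is
# within tolerance when likelihood * impact <= LIMIT. The deck only draws a
# "Limit of Risk Tolerance" line, so the threshold value is an assumption.
LIMIT = 6
LOW, HIGH = 1, 5

@dataclass(frozen=True)
class Risk:
    event: str
    category: str       # PHYSICAL, PROCESS or INSTITUTIONAL
    likelihood: int     # 1 = rare .. 5 = almost certain
    impact: int         # 1 = negligible .. 5 = severe

    def score(self) -> int:
        return self.likelihood * self.impact

    def within_tolerance(self) -> bool:
        return self.score() <= LIMIT

def clamp(v: int) -> int:
    return max(LOW, min(HIGH, v))

def residual(risk: Risk, response: str, l_cut: int = 0, i_cut: int = 0) -> Risk:
    """Move an inherent risk on the map according to the deck's four responses.
    l_cut / i_cut are the scale steps a control removes (assumed inputs)."""
    if response == "avoidance":      # activity stopped: risk leaves the map
        return Risk(risk.event, risk.category, LOW, LOW)
    if response == "reduction":      # controls cut likelihood and/or impact
        return Risk(risk.event, risk.category,
                    clamp(risk.likelihood - l_cut), clamp(risk.impact - i_cut))
    if response == "sharing":        # insurance / contract terms transfer impact only
        return Risk(risk.event, risk.category, risk.likelihood, clamp(risk.impact - i_cut))
    if response == "acceptance":     # taken as-is, no change to the map
        return risk
    raise ValueError(f"unknown response {response!r}")

def residual_exposures(register):
    """Risks still beyond the tolerance limit after their response: the residual
    exposures the deck says need BCP / incident / DR / crisis plans."""
    needs_plan = []
    for inherent, (response, l_cut, i_cut) in register:
        after = residual(inherent, response, l_cut, i_cut)
        if not after.within_tolerance():
            needs_plan.append((after.event, after.score()))
    return needs_plan

# Constructed register built from the deck's risk-category examples.
REGISTER = [
    (Risk("Natural disaster at sole plant", "PHYSICAL", 2, 5), ("reduction", 0, 2)),
    (Risk("Cyber attack on order system", "PROCESS", 4, 4), ("reduction", 2, 1)),
    (Risk("Missing or late shipments", "PROCESS", 5, 2), ("acceptance", 0, 0)),
    (Risk("New / increased regulations", "INSTITUTIONAL", 3, 3), ("sharing", 0, 1)),
    (Risk("Terrorist attack on port", "PHYSICAL", 2, 5), ("sharing", 0, 1)),
]
```

Calling `residual_exposures(REGISTER)` returns the two accepted or only partly shared risks whose residual score still exceeds the limit, which is the set the deck's "Develop Recovery Plans" marker points at.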
Incident Management "Planning P"
(Figure: the ICS Planning P cycle; the stages shown are listed below in the order extracted)
Incident/event notification
Initial response
Incident brief: ICS 201
Initial UC Meeting
IC/UC develop/update objectives meeting
Command and General Staff Meeting/Briefing
Preparing for the tactics meeting
Tactics Meeting
Preparing for the Planning Meeting
Planning Meeting
IAP Prep & Approval
Execute Plan & Assess Progress
Operations Briefing
Source: http://www.dfg.ca.gov/ospr/organizational/msb/readiness/2006%20IMH.pdf
Types of Risk
Types of Risk
Physical Disruptions: Destruction of critical infrastructure in the supply chain
- Critical Infrastructure includes the material components or assets necessary for the continuous operation of the transportation system including equipment and personnel
Process Disruptions: Events that involve day-to-day operations of supply chain processes
- Processes include the rules, actions, decisions, and information flows that give life to the physical level and are necessary for efficient and effective operation of the transportation system. Processes are what allow material components to work together—physically or virtually—as a system or supply chain
Institutional Disruptions: Events that involve changes in company or supply-network governance and strategy.
- Institutional considerations include the policies, guidance, and organizations that empower and constrain the operation of the supply chain to meet large-scale company goals. Public sector examples of institutional disruptions include federal legislation, national policies, and state regulations. Private sector examples include company reorganizations, mergers, market shifts, and technology breakthroughs.
Risk Category Examples
Physical Disruptions
- Natural Disasters
- Terrorist Attacks
- Accidents
Process Disruptions
- Cyber Attacks
- Demand Forecasting Errors (Bullwhip effect)
- Missing or late shipments
Institutional Disruptions
- New / Increased Regulations
- Geopolitical Issues / War
- Technology Step-Change
(Supplier Reliability)
Supply Chain Scope
Supply Chain Scope
(Figure: supply chain tiers from X-Tier Supplier and First-tier Supplier through Your Company to Primary Customer and Downstream Customer)
As a company looks beyond its own suppliers and customers, the scope of what is included in the supply chain expands…
Your company: Your company is the center of your supply network. The scope here refers only to in-house supply chain issues
First-tier supplier: Any supplier that directly supplies your company. This scope does not include companies that are 2nd tier or beyond
X-tier supplier: Companies that supply your first-tier suppliers.
Primary customer: Any direct customer of your company
Downstream customer: Any customer of your customers.
Scope includes links between supplier, your company, and customer
Supply Chain Framework Interdependencies
(Figure: a chain of Supplier's Supplier, Supplier (Internal or External), Your Company, Customer (Internal or External) and Customer's Customer, each running Plan, Source, Make, Deliver and Return processes; Financial Flow, Information Flow and Physical Movement run between the links)
Next Steps
Discussion
- Close out track?
- How do we use this framework?