Supply Chain Risk Management

Best Practices in Supply Chain Risk Management (SCRM)

by Matt Kunkel, co-founder LogicGate

It’s not something we like to think about, but supply chain disruption and disasters are likely to impact your supply chain sooner or later. Here are the basics and the best practices in supply chain risk management to help plan for and minimize the risk to your business.

In a 2014 study by supply chain faculty at the University of Tennessee (UT), 90% of the firms questioned did not quantify risk when outsourcing production and creating a global supply chain. On top of that, 66% of the respondents had risk managers on staff, but “virtually all of those internal functions ignored supply chain risk.”

Surprising numbers, considering how it’s virtually impossible these days to create a product without a significant supply chain that reaches across the globe.

When it comes to supply chain risk management (SCRM) planning, risk can be defined as a wide spectrum of events, ranging from natural disasters, counterfeit products, theft, supplier delays, production interruptions, and part shortages to cyber security.

Every business will have a different array of potential risks depending on their particular vertical, and each of their products will have a different risk portfolio depending on its components. An incredible number of variables, down to the location of facilities (the country, the climate) can have major effects on a product’s production lifecycle.

Despite the somewhat low numbers from the UT study, many companies are embarking on comprehensive SCRM planning during their product’s conceptual and design phase, to effectively deal with unexpected hiccups and reduce the overall negative impact on the bottom line.

The standard risk planning strategy follows three steps:

1. Identify Risk

A team of supply chain experts should meet regularly to identify as many potential risks as they can, before and after production on the product actually begins.

Ideally, a project manager or risk manager helps generate these ideas in both group and one-on-one settings, and then sets ownership for individual risks to help distribute the workload across the team.

2. Quantify Risk

The supply chain risk management person or team should parse through all the risks identified during brainstorming and apply an agreed-upon method for quantifying risk, such as Failure Mode and Effect Analysis (FMEA).

With every risk quantified, they can identify which need to be addressed most immediately, and with the most attention.

3. Build Contingencies

Now, the owners of individual risks are responsible, alongside the remainder of the team, for developing strategies and actionable plans to navigate around a supplier delay, or a shipment of parts being held up at customs. Plans should be created according to the prioritization that happened in the last step, and should include all the details necessary to actually act on the plan, if need be.

If a contingency involves reaching out to a different third party for replacement parts, that potential business deal should be negotiated and agreed upon before it can be considered a genuine contingency plan.

What’s the value proposition for businesses with complex supply chains?

According to the UT study, SCRM and mitigation plans can be turned into a highly effective competitive advantage—if only because so few companies have put in the work to create them.

For companies that don’t have SCRM plans, their first priority should be discovering the largest risks and figuring out strategies to deal with them. That said, there are some next-level best practices that can push SCRM plans to another level of consistency and value.

Best Practices for Supply Chain Risk Management Plans

1. Site Checks are a Necessity

In-person check-ups can go a long way. Remember when one of Apple’s primary suppliers, Foxconn, found itself at the center of media attention when a number of its employees committed suicide over poor working conditions? These are the kinds of issues that can only be discovered with regular, in-depth personal visits, and an understanding of the culture where production occurs.

At an event for Fortune 1000 procurement executives, an interactive panel agreed that routine site visits are one of the most effective methods of not only identifying supply chain risk, but also helping develop contingency plans. This can be costly and time-consuming in the case of a supply chain that reaches overseas, but the payoff can be enormous.

It’s important not to just meet with the supplier’s executives over dinner—SCRM leaders need to visit the plant and view the work. This ensures that if there are any concerns with quality or unsafe working conditions, the company can immediately begin to revise their risk quantification.

2. Physical Risks are Plentiful but Don’t Forget Cyber Threats

Risks are not just physical—they’re “virtual” too. Many SCRM stakeholders assume that supply chain risks come from physical challenges, such as production delays and shortages, but this is short-sighted.

Supply chains are built on top of IT, whether that’s a bill of materials that is shared between the company and its third-party suppliers, or CAD files containing proprietary, patented designs. Companies need to roll cyber security risk into the overall road map, and perhaps need to prioritize it higher than many physical risks.

The National Institute of Standards and Technology (NIST) regularly releases reports on the state of supply chain risk in light of cyber security risk, and recommends what companies can do to mitigate potential damage.

According to NIST, companies should assume that they’ll be breached at some point.

On top of that, they need to recognize that cybersecurity issues are also personnel issues—employees at third parties often don’t understand the importance of security, or don’t perform best practices when it comes to securing the company intranet, or even their work email accounts.

To help mitigate some of the potential issues, NIST recommends that security requirements be built into every RFP and contract, and that a “one strike and you’re out” policy be established for any counterfeiting activity.

3. Have a Plan for Disaster Scenarios

Have you thought through disaster scenarios? These might feel like paranoia, but even in recent years, multiple unexpected natural disasters have created monumental damage to global supply chains.

For example, the 2011 flooding in Thailand caused $46.5 billion in economic losses and damages, mostly in manufacturing. Automotive and aerospace supply chains, in particular, suffered as facilities struggled to restart production amid 15 feet of standing water on plant floors.

The first step in disaster planning is to map out every critical facility or transportation route in the supply chain. From those locations, risks should be determined based on geography, climate, or even the political situation in the country in question.

For those who operate facilities or supply chains in hurricane-prone areas, for example, a disruption is only a matter of time.

For other situations, such as an entire distribution center being destroyed in a 100-year flood, more complex plans should be developed, even if the situation seems almost impossible.

In a perfect world, all these prepared-for disasters never come to pass. Even then, that doesn’t mean there isn’t value in the contingency planning—often the same strategy can be used in the case of a major equipment failure that shuts down a third party’s production line for two weeks.

4. Mitigate Supply Chain Risk with Insurance

Have you bought insurance? The UT study found that, among the surveyed companies, insurance was the least-used strategy for dealing with supply chain issues. That said, SCRM experts are starting to understand the potential value in insurance that can recoup some costs involved in a major disruption.

Insurance companies specialize in quantifying risk, and working with one can help companies in their process of putting together proper contingency plans.

Some insurance policies cover the company’s own production, such as an expensive and custom-built piece of equipment that would cost millions and take weeks to replace. In an interview with Forbes, an executive with Travelers, an insurance company that offers these kinds of policies, related the story of a company with a specialized cutting machine that would take 50 weeks to replace.

Insuring the machine would allow the company to recoup many of the costs involved in the event of a critical failure, beyond the cost of the machine itself—lost business was also a major risk. The company failed to insure the machine properly, and it was soon damaged beyond repair, leaving the company to struggle through both replacing the machine and dealing with lost business.

Other insurance policies cover issues upstream, such as delays of parts from overseas suppliers. In either case, insurance can’t make up for damage to a brand, but it can help lessen the sting of a major supply chain disruption, whether in-house or on the other side of the globe.

There are plenty of other best practices, and practical strategies for dealing with supply chain risk management, such as utilizing big data, designing a consistent monitoring system for suppliers, and rewarding high supplier performance, but the difficult truth is that too many organizations simply haven’t started down the road to implementing a proper SCRM solution.

In today’s hyper-competitive marketplace, there is little margin for error—the only outcome worse than a debilitating supply chain disruption, dealt with reactively, is a major competitor taking advantage of a newly-open market and grabbing handfuls of market share.

Matt Kunkel

Co-Founder at LogicGate
Matt Kunkel is a co-founder of LogicGate and has a decade of experience helping some of the largest enterprises overcome challenges in governance, risk, and compliance. LogicGate empowers businesses to automate risk and compliance operations by visually designing their end-to-end workflows and deploying them as highly controlled process applications - reducing compliance violations and eliminating mission critical risks.
