supply chain risk management framework

Supply Chain Risk Management Framework. Supply Chain Risk Leadership Council, 4 Oct 2007.


Page 1: Supply Chain  Risk Management Framework

Confidential 1

Supply Chain Risk Management Framework

Supply Chain Risk Leadership Council

4 Oct 2007

Page 2: Supply Chain  Risk Management Framework


Overview

Scope

Develop a Supply Chain Risk Mgmt Framework that will allow SCRLC members to work from common terms of reference and that will help guide future SCRLC activities

Deliverables

This presentation

Adjustments as they become necessary

Page 3: Supply Chain  Risk Management Framework


SCRLC Track Definition

Track Title: Supply Chain Risk Management Framework

Track Objective: Develop a Supply Chain Risk Mgmt Framework that will allow SCRLC members to work from common terms of reference and that will help guide future SCRLC activities

Track Scope

In Scope: Supply Chain Risk Management Framework, which includes the following issues: 1) Supplier Reliability 2) Security 3) Regulatory Concerns 4) Risk Management and 5) Incident/Crisis Management

Out of Scope: Broader issues of enterprise risk management will be considered separately from supply chain risk management. For example, issues not included are 1) Intellectual Property 2) Branding

Next Milestone(s)

1. Obtain consensus from the broader SCRLC group

2. Close out track until adjustments are necessary

Page 4: Supply Chain  Risk Management Framework


Team Members and Sources

Team Members

Ely Kahn and Andrew Cox, TSA

Tim Astley, Zurich

Brent Myers, FedEx

Craig Babcock, P&G

Ravi Anupindi, University of Michigan

Sources

Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management - Integrated Framework, 2004

Supply Chain Risks and Risk Sharing Instruments, Robert Lindroth & Andreas Norrman, 2001

Page 5: Supply Chain  Risk Management Framework


Definition of SCRM

Supply Chain Risk Management (SCRM) is the practice of managing the risk of any factor or event that can materially disrupt a supply chain whether within a single company or spread across multiple companies.

The ultimate purpose of supply chain risk management is to enable cost avoidance, customer service, and market position. Supply chain risks can be grouped into 3 broad categories: physical, process, and institutional risks


Page 6: Supply Chain  Risk Management Framework

Supply Chain Risk Framework

[Figure: Supply Chain Risk Framework diagram with the following labelled dimensions]

Risk management components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring. Risk Management is an iterative process.

Types of risk: Physical, Process, Institutional. Types of risk are not mutually exclusive.

Supply Chain Scope: Downstream Customer, Primary Customer, Your Company, First-tier Supplier, X-Tier Supplier. Includes links between supplier, your company, and customer.

Page 7: Supply Chain  Risk Management Framework

Supply Chain Risk Management vs. Enterprise Risk Management

[Figure: diagram with the following labels]

Purpose Vision Principles Breach

Concentration Risk/Supply Chain Resilience

Product Quality/Safety

Phys. Security People/Assets

Company Tax Structure

Acquisition Integration

Marketing Strategy

Major IT Outage

Earnings/Sales Miss

CEO/Leadership Succession Plans

Page 8: Supply Chain  Risk Management Framework

Key Risks

Supply Chain / Enterprise

Stock market volatility

Global terrorism

Over-regulation

Currency fluctuations

Reputational risk

Corporate governance issues

Price deflation

Emerging technologies

Increased competition

Loss of key talent

Cost of capital

General availability (cost, quality) of labor

Regulatory concerns

Reliability of suppliers (quality, warranty, yield,…)

Commodity shortage/price fluctuations

Fluctuations of foreign exchange rates

Intellectual property theft

Obsolescence of product inventory or technology

War, terrorism, other geopolitical concerns

Problems with supply chain infrastructure

Plant breakdown, mechanical failures

Natural disasters

Others

Source: McKinsey quarterly global survey of business executives, Sept 2006

Source: PWC: 7th Annual Global CEO Survey – Managing Risk, 2004

Page 9: Supply Chain  Risk Management Framework


Risk Management Components

Page 10: Supply Chain  Risk Management Framework

Risk Management Components

The components should be looked at as being interrelated.

Components of SCRM

Internal Environment

Objective Setting

Event Identification

Risk Assessment

Risk Response

Control Activities

Information & Communication

Monitoring

Page 11: Supply Chain  Risk Management Framework

Internal Environment

Encompasses the tone of an organization

Influences the consciousness and awareness of its people

Basis for all other components

Provides discipline, structure and organization

Establishes a philosophy regarding risk management, including its risk appetite

Oversight by board of directors

Integrity, ethical values, competence

Assigning of authority and responsibility

Page 12: Supply Chain  Risk Management Framework

Objective Setting

Set at the strategic level, establishing a basis for operations, reporting and compliance

Precondition for event identification, risk assessment and risk response

Aligned with the risk appetite (as defined in internal environment)

Risk tolerance

Page 13: Supply Chain  Risk Management Framework

Event Identification

Management identifies potential events

Differentiates risks and opportunities.

Events that may have a negative impact represent risks, which require management response

Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.

Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives.

Addresses how internal and external factors combine and interact to influence the risk profile.

Page 14: Supply Chain  Risk Management Framework

Event Identification

Possible techniques

Event inventories

Scenario analysis

Internal analysis

Escalation or threshold triggers

Facilitated workshops and interviews

Process flow analysis

Leading event indicators

Loss event data methodologies

Interdependencies

Page 15: Supply Chain  Risk Management Framework

Event Identification

Categorization of events (with reference to other framework axes), e.g.

External

- Economic

- Environment

- Political

- Social

- Technological

Internal

- Infrastructure

- Personnel

- Process

- Technology

Page 16: Supply Chain  Risk Management Framework

Risk Assessment

Allows an entity to understand the extent to which potential events might impact objectives.

Assesses risks from two perspectives:

- Likelihood

- Impact

Employs a combination of both qualitative and quantitative risk assessment methodologies.

Relates time horizons to objective horizons.

Assesses risk on both an inherent and a residual basis.

Impact of events should be assessed individually or by category across the entity

Page 17: Supply Chain  Risk Management Framework

Risk Assessment

Assessment Techniques

Benchmarking

Probabilistic models

Non-probabilistic models

Page 18: Supply Chain  Risk Management Framework

Risk Response

Identifies and evaluates possible responses to risk.

Possible Responses:

- Avoidance

- Reduction

- Sharing

- Acceptance

Evaluates options in relation to risk appetite, cost vs. benefit of potential risk responses, and degree to which a response will reduce impact and/or likelihood.

Selects and executes response based on evaluation of the portfolio of risks and responses.

Examines whether residual risk is within risk tolerance

Page 19: Supply Chain  Risk Management Framework

Control Activities

Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out.

Occur throughout the organization, at all levels and in all functions.

Include approvals, authorizations, verifications, reconciliations, review of operating performance, security of assets and segregation of duties.

Page 20: Supply Chain  Risk Management Framework

Information & Communication

Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities.

Communication occurs in a broader sense, flowing down, across, and up the organization.

Personnel receive a clear message from top management

Means for communicating upstream

Communication with external parties

Page 21: Supply Chain  Risk Management Framework

Monitoring

Monitoring shall assess presence and functioning of ERM over time

Effectiveness of the other ERM components is monitored through:

- Ongoing monitoring activities.

- Separate evaluations.

- A combination of the two.

Serious matters reported to top management and the board

Page 22: Supply Chain  Risk Management Framework

Issues to be aware of

Risk Management is an iterative discipline: risks must be revisited on a regular basis

Need to balance the audit approach (avoid or mitigate risk) vs. proactive approach (deal actively with risks)

Need to recognise role of risk management in realizing strategic objectives

Risk should be seen as a necessary component and factor in strategic opportunity. There might be an economic benefit in accepting a particular risk; the focus should be on the risk-return tradeoff

Risk quantification needs to be included as well as the focus on risk mitigation.

Need to adequately reflect the external environment even though some risk-factors are beyond management’s control

Need to recognise correlation of risks – often difficult

Risk management is a coordinating function

Risk management is a dynamic process, not a check list approach

Need to recognise risk to reputation

Page 23: Supply Chain  Risk Management Framework

Risk Management Components

Where do exposures remain after risk responses (mitigations/controls) which are still beyond the company’s tolerance level?

Develop plans to respond to these residual exposures should they occur:

- Business Continuity Plans

- Incident Response Plans

- Disaster Recovery Plans

- Crisis Management Plans etc.

Page 24: Supply Chain  Risk Management Framework

Risk Mitigation Effects

[Figure: two risk maps, "Risk Map Before Response / Controls" and "Risk Map After Response / Controls", each plotting numbered risks 1 to 8 on Likelihood and Impact axes against the Limit of Risk Tolerance. Annotation: Develop Recovery Plans.]

Page 25: Supply Chain  Risk Management Framework

Incident Management “Planning P”

[Figure: planning cycle diagram with the following labelled stages]

Incident/event

Notification

Initial response

Incident brief: ICS 201

Initial UC Meeting

IC/UC develop/Update objectives meeting

Command and General Staff Meeting Briefing

Preparing for the tactics meeting

Tactics Meeting

Preparing for the Planning Meeting

Planning Meeting

IAP Prep & Approval

Execute Plan & Assess Progress

Operations Briefing

http://www.dfg.ca.gov/ospr/organizational/msb/readiness/2006%20IMH.pdf

Page 26: Supply Chain  Risk Management Framework


Types of Risk

Page 27: Supply Chain  Risk Management Framework

Types of Risk

Physical Disruptions: Destruction of critical infrastructure in the supply chain

- Critical Infrastructure includes the material components or assets necessary for the continuous operation of the transportation system including equipment and personnel

Process Disruptions: Events that involve day-to-day operations of supply chain processes

- Processes include the rules, actions, decisions, and information flows that give life to the physical level and are necessary for efficient and effective operation of the transportation system. Processes are what allow material components to work together—physically or virtually—as a system or supply chain

Institutional Disruptions: Events that involve changes in company or supply-network governance and strategy.

- Institutional considerations include the policies, guidance, and organizations that empower and constrain the operation of the supply chain to meet large-scale company goals. Public sector examples of institutional disruptions include federal legislation, national policies, and state regulations. Private sector examples include company reorganizations, mergers, market shifts, and technology breakthroughs.


Page 28: Supply Chain  Risk Management Framework

Risk Category Examples

Physical Disruptions

- Natural Disasters

- Terrorist Attacks

- Accidents

Process Disruptions

- Cyber Attacks

- Demand Forecasting Errors (Bullwhip effect)

- Missing or late shipments

Institutional Disruptions

- New / Increased Regulations

- Geopolitical Issues / War

- Technology Step-Change

(Supplier Reliability)

Page 29: Supply Chain  Risk Management Framework


Supply Chain Scope

Page 30: Supply Chain  Risk Management Framework

Supply Chain Scope

As a company looks beyond its own suppliers and customers, the scope of what is included in supply chain expands…

Your company: Your company is the center of your supply network. The scope here refers only to in-house supply chain issues

First-tier supplier: Any supplier that directly supplies your company. This scope does not include companies that are 2nd tier or beyond

X-tier supplier: Companies that supply your first-tier suppliers.

Primary customer: Any direct customer of your company

Downstream customer: Any customer of your customers.

Scope includes links between supplier, your company, and customer

Page 31: Supply Chain  Risk Management Framework

Supply Chain Framework Interdependencies

[Figure: Plan, Source, Make, Deliver and Return processes shown for Supplier’s Supplier, Supplier (Internal or External), Your Company, Customer (Internal or External) and Customer’s Customer, with Financial Flow, Information Flow and Physical Movement between them.]

Page 32: Supply Chain  Risk Management Framework


Next Steps

Discussion

- Close out track?

- How do we use this framework?