Why bother with risk management? Dr Richard Gibson and Chris Savage share some cautionary tales
If you collect any group of managers and ask them to discuss risk in the supply chain, they rarely agree about the meaning of either risk or the supply chain, as Waters eloquently states. So why is risk important? We automatically assess risk in our everyday lives, whether crossing a road, driving a car, using a sharp knife or handling a prized possession. A similar set of thought processes should impact upon the management of the supply chain, whether we are conscious of it or not.
Recognising the assessment and mitigation of risk in the supply chain is a discipline in itself. ‘Resilience’ and ‘robustness’ are often interchanged, but in supply chain terms they can acquire different connotations as Christopher and Peck observe. Robustness relies on inbuilt strength or sturdiness during execution and covers more than the typical workplace risk assessments for, say, working at height or the once-in-a-lifetime disruptive events.
Alternatively, and as Christopher and Peck suggest, supply chain resilience may be defined as the ability of a system to return to its original state or move to a new, more desirable state after being disturbed. This quality is reliant upon flexibility and agility within the supply chain. Understanding robustness, resilience and our capacity for risk-taking is critical for our organisational and supply chain success.
What is the problem?
In a recent international survey of global supply chain officers, risk management was seen as the second most important challenge after supply chain visibility. In a 2010 international survey, 45% of the respondents said they experienced supply chain disruption within the past year, and of these more than 50% experienced a loss of over $1 million. As most logisticians are aware, there are factors that counteract the benefits of globalisation, so trade-offs have to be made to optimise returns.
Supply chains operating across borders become more prone to influence from econo-political factors, where global activity benefiting the perpetrator disadvantages others in a disproportionate manner and/or leads to their disenfranchisement, and encourages further risk into the supply chain.
The interdependencies between organisations and their supply chains mean that a supply chain can be at risk from a business just as a business can be at risk from its supply chain. Based on the work by Simchi-Levi, risks may be further categorised as internal to the firm, such as its processes and degree of control; external to the firm but internal to the supply chain network, in the areas of demand and supply; and entirely external to the network, such as the wider environment.
Risk appetite and tolerance
The BS 31100 definition for risk appetite is: ‘the amount and type of risk that an organisation is prepared to seek, tolerate or accept’. Defining an organisation’s risk appetite can help in several ways. It helps to:
• Ensure the organisation is only taking a level and type of risks with which it is comfortable
• Ensure the risks you are exposed to are commensurate with the opportunity or reward to be gained
• Provide a decision-making framework in which the acceptable risk level is considered
• Enable staff to make judgements about risk acceptability
• Ensure response to risks is proportionate – neither over the top nor lax
• Report and escalate when the limit of your risk appetite is reached
There is no perfect answer to what your risk appetite should be. No organisation can make a sustainable profit without taking risks, and the control culture of the organisation is linked with its propensity to take risk (Figure 1 below).
An organisation’s appetite for risk may be seen as what it wants to do and how it goes about it, incorporating quantitative and qualitative measures such as financial targets and reputational impact. Risk tolerance is about bearing risk and can be expressed in absolutes – for example, the organisation may refuse to deal with certain customers or market segments.
What approach should we adopt?
The practice of supply chain risk management (SCRM) has three principal research gaps. Firstly, a gap in definition with no clear consensus of what the focus should be. Should it be on large one-off supply chain events or on demand-supply uncertainty? Secondly, there is a process gap with a lack of research on the way we should respond to supply chain risk incidents; and finally a methodology gap with a shortage of empirical research in the area of SCRM.
Existing SCRM literature is concerned with risk identification, risk assessment and risk mitigation with responsiveness described in terms of operational or catastrophic risks. When we have a disaster, each event will impact the supply chain in a unique way and our mitigation strategies should be flexible to minimise the time taken to recover and the financial impact. These events allow us to manage and mitigate our risk appetite and tolerance for the benefit of the supply chain and organisation.
Any approach to assessing and managing supply chain risk should recognise that the greater the complexity, the greater the opportunity for being ineffective. Simple is best and some straightforward questions can initiate this process:
• What could go wrong?
• Can it be detected or predicted?
• What could be the effect of failure?
• What could be the cause of failure?
• What could trigger the failure?
This basic approach may be summarised with the acronym SOD – that is, severity of effect, the likelihood of occurrence and the likelihood of detection.
As an example: applying this approach to supply disruption of a single source product could give a high level of severity as operational service levels cease (S=5). However, the probability of this occurring may only be once in many years (O=1). The detectability could be high for a factory destroyed by fire (D=5) or low for activity such as a change in technology (D=1). The overall score for this event would be S x O x D, giving a value of 25 for service levels stopping due to a factory fire.
Why bother with risk management?
As an industry we naturally do not like publicising our failings, but the documented casualties of poor supply chain risk management are numerous and include:
• Toyota No 1: In February 1997, a fire started in a supplier’s plant destroying its production lines within four hours. Within three days, some two-thirds of Toyota production lines had stopped and by day four, all piece-part suppliers had shut down. A day later, all suppliers had closed. It took Toyota nearly two months to restore full capacity to its plants.
• Toyota No 2: In March 2011 an earthquake and subsequent tsunami caused significant loss of life in Japan and had a debilitating effect upon the country’s infrastructure. The same disaster caused many of Toyota’s parts suppliers, often single sourced, to be unable to deliver products at expected volumes, if at all, for long periods. The impact upon the Toyota supply chain lasted for six months.
• Primark: An estimated £50 million of clothes were destroyed in a warehouse blaze at the 440,000 ft² facility at Magna Park, near Lutterworth, in November 2005. As this was during the run-up to the Christmas sales season, a critical period for retailers, it posed a risk to the group’s continued success.
• McDonald’s: The company experienced a problem in 1999 when it ran a week-long two-for-one voucher offer on Big Macs to celebrate its silver anniversary in the UK. In the first two days, it sold four million Big Macs, twice the number it expected and eight times the normal number.
• Sainsbury’s: In 2006, the supermarket chain Sainsbury’s reported its first ever loss after a failing supply chain optimisation project left its shelves bare: the retailer had tried to implement an overly ambitious technological supply chain solution too quickly. Stock availability declined and had a negative impact upon sales and on share price at a critical time when competitors were gaining market share.
What should we do?
It should be clear that supply chain risk is not something that only happens to other people. Increasing integration and co-operation along the supply chain help us to understand the risks and develop mitigation approaches. Risks are not insular, so a holistic, fully integrated approach is required. Traditional approaches to risk modelling may find it difficult to estimate the impact upon the wider value chain. At a strategic level, we should understand the risk appetite within the organisation. Factors such as the organisation’s financial strength, management capacity, competitive dynamic, operational flexibility and risk management systems will illustrate the capacity for managing this area.
Developing these factors into a multidimensional risk bearing capacity analysis further allows the organisation to prepare for both minor and major risk events.
Ultimately, misalignments occur when risk appetite becomes greater than the capacity for bearing risk. A rapid increase in scale, perhaps from merger activity, a substantial increase in leverage, or a significant commitment to new markets, new offerings or both are signals of this. Less obvious signs include justifiable caution turning into unjustifiable tentativeness. Finally, unnecessarily high dividends may also be a sign of an appetite too modest for a company’s risk bearing capacity.
We must consider that supply chains are complex systems of interlocking networks and that concepts of risk may vary from one country to the next, which has implications for global supply chains.
As a commercial system, Peck identifies four levels: the basic processes reside at level 1, the dependencies of assets and infrastructure at level 2 and level 3 caters for organisations at the strategic level. The final level 4 represents the macro environment, typically assessed with a PESTLE analysis. Looking at the supply chain in these terms, it is evident that organisations can minimise risk whilst optimising performance at the same time. Compromises may have to be made – that is, resilience requires redundancy or slack time, spare capacity and capability and so on.
Formal risk management in the supply chain is at an immature state of development, so why bother to develop this area? Causes of supply chain disruption range from the unknown-unknown to the known-unknown, from incidents affecting personal safety to minor events disrupting the ebb and flow of office life to once-in-a-career major events. By integrating risk into operations and business decisions, we can be more responsive and agile in optimising our performance within the supply chain and mitigate the impact from events in the world around us.
Supply chain costs will flatten in a risk-informed environment as disruption costs reduce and organisational agility allows for different approaches and solutions to emerging issues. Building the resilient supply chain becomes an important strategic goal. Clearly stated, it aligns design and management culture through collaborative and agile working practices. Transparency of a well-controlled and monitored supply chain yields an enhanced organisational approach to risk.
The question to pose at the next management meeting is: how much risk can you bear in the day-to-day operation, and how would you cope with that medium-level, infrequent but likely impactful event?
By Dr Richard Gibson & Chris Savage
About the authors
Dr Richard Gibson is a seasoned operator currently working within global supply chains. His research interests include logistics service provision, supply chain risk management and, latterly, the deployment of inventory management tools within oil and gas supply chains.
Chris Savage is the current Academic Director, Namibian German Centre for Logistics. Before joining the University of Huddersfield in 2002, he worked for 15 years in process industries, followed by another 15 years in logistics consulting in the UK, Hong Kong, Europe and Australia. Published research has included: pharmaceutical supply chains, routing and scheduling, third-party logistics, transport geography, global logistics, depot and node location, supply chain relationships, high capacity vehicle impact and Namibian logistics.