Guide For Supply Chain Risk Management

How to Identify, Validate, and Assess it. Supply chain risk gets global attention. The World Bank and World Economic Forum comprehend the issue and its importance.


The term covers broad issues and narrow topics.  Insurance companies talk about supply chain risk in terms of assets.  Others talk about sources for particular products.  Some take a near-apocalyptic view.  These diverse interpretations make identify risks more challenging. 

Surprisingly, many supply chain risk discussions exclude the actual supply chain.  They do not recognize logistics infrastructure, logistics service providers, and how products move through supply chains.  Many times, a picture, such as a ship, is used to show the “supply chain”.  As a result, they overlook risks.  

These also do not present the information supply chain and how it affects movement of goods.  Nor are Incoterms mentioned and what they mean to buyers versus sellers controlling the passage of goods.  Yet, such details can cause risk.  

Supply Chains.  Three key components of supply chains are:

  • Product / material / commodity / component sources
  • Logistics infrastructure
  • Logistics service providers

Supply chains originate at their sources; those are often factories.  For commodities, such as food, there are multiple sources, the actual farms and the locations where the food is processed, chilled, frozen, or however treated.  In those cases, both places should be included in the supply chain scope.  Also, the review should continue through to destination delivery.  

Causes.  There are many kinds of risk-- organizational, operations, strategic, and commercial.  Causes can be pervasive.  These disrupt the availability of products or their flows.  They vary by products and industries and include:

  • Weather
  • Geopolitical
  • Terrorism
  • Natural disasters
  • Inadequate logistics infrastructure
  • Logistics service providers bankruptcies, mergers, or other actions that impact the supply of and ability to provided needed services
  • Infrastructure breakdowns
  • Suppliers
  • Markets                                             
  • Prices
  • Company management
  • Logistic service providers that do not operate and perform as needed
  • Improper or unmanaged outsourcing
  • Regulatory
  • Bottlenecks / Congestion
  • Strikes
  • Combinations of the above

Risk is also caused by the trade parties.  Buyers and sellers in their pursuit of best prices or their lack of understanding supply chains create risk.  

Model. The supply chain risk model blends principals of supply chain management.


The model reflects:

1) Security.  Supply chains should be protected from loss, deterioration, contamination, theft, and other vulnerability issues.

2) Accountability. This goes beyond sales agreements and Incoterms. It is the responsibility for the safe flow through the supply chain and encompasses many stakeholders.

3) Visibility. Knowing where items are throughout the entire movement is critical.  Technology plays a vital role to facilitate traceability, trackability, and chain of custody.   It is also important if there is a recall or safety issue, and the cause must be traced back.

4) Product / Logistics Specifics.  Products may require special handling for logistics infrastructure and service providers.  The necessary temperature, humidity, cleanliness/sanitation, weight, heavy lift and other factors must be properly utilized.

5) Sourcing   This is more than buying or many suppliers in a region.  It includes multiple sources and risk diversification.  

6) Supply Chain Best Practices. Supply chains involve more than managing freight and logistics components.  Best practices manage flows for protection, including integrated process, supplier performance, segmentation, and time compression.


Methodology.  Risk detection has three steps—analysis, validation and assessment.  Deliverables are mapping, macro and granular determinations, and priorities.  This approach combines data analytics, supply chain expertise, and confirmation.  It elevates results from conceptual to actionable.


Step 1) Analysis

Analysis has two parts:

A) Data analytics.  Internal data is not enough.  With the geographical scope, complexity, and stakeholders of supply chains, data from multiple sources and in different formats is needed.  No other part of a company has as many stakeholders, both internal and external as the supply chain.

Analytics should investigate supply chains and risks by:

  • product / commodity
  • supplier
  • country
  • logistics infrastructure
  • logistics service provider

B) Logistics / supply chain domain expertise.  Real-world supply chain, logistics, and international trade experience are required to complement analytics.  

The examinations should aggregate and segregate across trade lanes and products.  Doing these provide important insights into exposure scope.


Step 2) Validation

Analytics presents macro views that can have gaps.  It does not provide needed granular information.   Validating actual supply chains-- sources, logistics infrastructure, and logistics providers-- is needed. This provides acumen that analytics alone does not.

The best way to attest to key supply chains and possible disruption issues is to verify them. This involves walking through select purchase orders as to the actual locations and steps of each order.  Inspect origin facilities.  Verify how well orders transit the product and information supply chains.  Evaluate how the logistics infrastructure meets requirements. Confirm how logistics service providers perform.  Determine if there are hidden issues.  These are beyond business intelligence questions and require on-site reviews.


Step 3) Assessment

With analysis and validation, potential risks are recognized.  More must be done as to the various risks.  It should be determined what each one means.  This is what assessment does.

Assessments alone can be too subjective.  Thanks to the two prior two steps, both quantitative and qualitative information is available to appraise vulnerabilities.

Each risk is evaluated as to probability of occurrence and impact.  A Risk Index is developed with axes of impact and likelihood.  The impact of a disruption is the financial effect and the time to recover.  Likelihood reflects the probability of an event happening.  

Plot each risk on the index.  This prioritizes and focuses on high impact and high probability risks for mitigation.    


What Next.  Hazards have been analyzed, including inherent ones, along with interdependencies of components, critical paths along supply chains, and more.  Practicable items are found, and there is now a solid foundation for mitigation. Root causes should be determined.  This may necessitate going deeper into certain supply chains for threat reduction.

The risk project is not a one-time effort and should be done every two or three years.


comments powered by Disqus