The Infosys global supply chain management blog enables leaner supply chains through process and IT related interventions. Discuss the latest trends and solutions across the supply chain management landscape.

Main | Considering Warehouse as Profit Center »

Supply Chain Risk Management

Attended two interesting conference last month. “Next Generation Manufacturing Supply Chain and Digital Economy Research Collaboration” – organized by by Engineering and Physical Sciences Research Council, UK and European Union. Another one was “Supply Chain World – Asia Pacific Conference” organized by Supply Chain Council. Following were the ‘hot’ topics among supply chain practitioners and academicians.

• Supply Chain Risk Management (SCRM)
• Green Supply Chain
• Skill shortage in Supply Chain

The EU Conference was inaugurated with a mind boggling fact thrown at the participants by a professor. According to his research, major supply chain metrics across the world have remained same over last 15 years!!! There may have been an improvement by an individual organization or an industry, but when you take an average of more than 800 organizations across industry & across continents for last 15 years – the numbers do no change. However, the risks today’s supply chains are posed with, have grown by 3-4 times!

Plethora of research is available on Risk Management, supply chain managers are still grappling with how to bring this practice in their day-to-day operations. To say that it’s not done at all, would not be correct. In my opinion, implicit Supply Chain Risk Management practices exist in supply chain operations. Quality checks on manufacturing floor, inventories at various levels in supply chains, use of derivatives in procuring commodity raw materials, forecasting, S&OP – this are all classic examples of such implicit practices. Then why such a huge cry about Supply Chain Risk Management! Below are few reasons for this.

• Many of the above mentioned supply chain processes (and others) are not executed with the end objective of doing Risk Management.

• Although, such supply chain processes may end up doing Risk Management implicitly, they do not mitigate all potential risks supply chains are posed with. 

• All SCRM practices come with the cost. There is a need to uniformly carry out risk management across all the supply chain functions with a consistent view of organization’s risk appetite and cost of hedging.

• Risk events affecting supply chain processes may not necessarily happen at an operational level only. Some of the geo-political, natural, man-made risks can challenge strategic direction of the organization. Some of these
events can happen without any precedence. Day-to-day supply chain processes will not be capable of withstanding such events.

• With globalization, CEOs/CFOs have felt the need of having single view of supply chain risk across all products, markets and operations.

I will continue to discuss the need of SCRM in next posts. Below are the 6 essential steps in carrying out SCRM Program at organizational level as defined by Supply Chain Operations Reference Model - SCOR 9.0.

1. Build: Who is the sponsor?
Attain organizational support and executive sponsorship for SCRM Program.

2. Discover: What will the program cover?
Define Pilot & Supply  Chains. Set the objectives SCRM program will achieve. Define Project charter, Team members, timelines, interim goals, budget etc.

3. Analyze: What are the risk management goals of your each supply chain?
Look at the existing supply chain from various perspectives through benchmarking, suppliers and customer requirements, competition, business strategy etc. <strong>

4. Assess: Where and how big are the risks?
Identify all potential risks – operational and strategic, repetitive and without precedence, low and high probability/ impact, in suppliers and customers environment. Categorize them into a quadrant of high-low probability vs high-low impact. Arrive at monetized value of each risk component.

5. Mitigate: How the risks will be mitigated?
Define mitigation strategies and costs associated with them for each of the risk events.

6. Sustain: How the risk mitigation strategies will be sustained in day-to-day supply chain operations?
Define processes, process owners, metrics & reports for ongoing SCRM across various functions.

Each of these phases can be an interesting discussion topic in itself. I will try and throw my thoughts on each of them in next posts. Let me have your views/comments.


First, let me share a simple fact. Last year, at CSCMP, Beth Enslow, who then worked at Aberdeen, shared a study pointing out that only 11% of companies interviewed manage risk actively, while 82% are concerned. That leaves quite some room for improvement. Second, not all risks can be approached in the same way. Some operational risks are part of the day to day management and should be handled that way. They are part of the variance inherent in global organizations. Others require pro-active approaches. When an event occurs, whether it is a tsunami, or the bankruptcy of a supplier, what is key is the relative speed at which a company reacts compared to its competitors. Curstomers are not waiting for their goods, we should never forget that.

Christian, I agree with your numbers as many other research reports also indicating that >80% companies do not carry out SCRM as a day-to-day practice. I am yet to see a company which reports Supply Chain Risk (quantified) to its share holders along with other well-reported risks (commodity, currency, customer etc.).
To your point on differentiating operational (day-to-day) risks to strategic risks, I would add that almost all day-to-day operational risks are within organization's control. Where in, strategic risks are mostly in the business enviornment, outside organization's control. However, we can quantify them using common methodology. When time permits, I will elaborate on this line. Appreciate your comments.

There has been quite a lot of research towards the quantitative part of supply risks. Methodologies for quantifying risks inside a supply chain are not really the focus of today's research towards less vulnerable networks.
Researchers claim that the lack of tools, the understanding of risks, the transparency and less communication among supply chain partners are major key issues why today's supply chain has not really established risk management.
Traditionally, complex systems have been analyzed by the help of Failure Mode and Effect Analysis (FMEA) (for example in the risk assessment for airplanes). Here all risks are identified (low severity high likelihood (forecast failure) and high severity and low likelihood (hurricanes …).
Supply chains often fail due to casual scenarios, where every failure event is a part of the overall risk A famous example is the “Albuquerque accident”, where Ericsson lost millions of sales due to a fire in one of its single suppliers. The casual connection between failures which leads to risks has to be considered when a comprehensive overview about the risks is needed.
In order to communicate the major vulnerabilities, I established a web-based tool to start to quantify the supply chain vulnerabilities.

Not all risks can be approached in the same way. Some operational risks are part of the day to day management and should be handled that way. They are part of the variance inherent in global organizations. Others require pro-active approaches.


In line with your second post, we should also know that a firm needs to be flexible in all aspects to tackle risks. As we know, risks can not be avoided, but only controlled. In ericcsons case, their inability to react caused them losses. On the other hand Nokia was flexible enough to alter design and procure chips from a different location.

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)

Please key in the two words you see in the box to validate your identity as an authentic user and reduce spam.

Subscribe to this blog's feed

Follow us on

Blogger Profiles

Infosys on Twitter