A recurrent theme of the World Economic Forum’s Global Risks 2015 report is global events that impact upon businesses of all sizes. From natural catastrophes such as earthquakes and floods to man-made mayhem in financial markets or cyberspace, in our globalised economy these incidents often have repercussions for global supply chains that can be felt on the other side of the world.
Four years on from the devastating natural catastrophes in Japan, Thailand and New Zealand, the effects are still rippling through global supply networks.
As a consequence, companies are investing large amounts of money into trying to improve their understanding of supply chain risk, as they seek to build resilience into their business and gain competitive advantage over rivals. However, as supply chains have become longer and more complex, the opportunity for failure at any critical point is greater than ever before.
Making assumptions
To date, much of the work undertaken by companies in addressing supply chain risk has been to improve understanding of their supply and value chains.
Detailed information is not always available in these areas, in part because of the complexity and length of supply chains; also traditional insurance policies often only pay out in the event of property damage suffered by first-tier suppliers, and therefore do not require risk managers to provide details of suppliers further down the chain.
Through what amounts to a “trust but don’t verify” approach, many organisations make broad assumptions about the risk management activities of their business partners—opening the door to disruptions and losses.
Interestingly, many organisations expect their suppliers to manage risk to the same degree as their customers. Quite often organisations do not think it is their responsibility to “manage down the line”, even though a disruption further along the supply streams can have a substantial impact.
This is where the role of the board member responsible for risk, the risk committee or the chief risk officer is vital in bringing together the necessary business functions—procurement, business continuity, finance and operations—to establish a strategic plan that not only ensures business resilience in the event of an incident, but also proactively instils it throughout the organisation.
Building resilience
Resilience goes further than the typical approach to business continuity planning, and requires taking a broader view where there is fluidity around key processes and assets. It involves understanding that the risk profile around the most critical production streams moves all the time, and that the response of the business has to be more than just a business recovery response.
Resilience involves ensuring that some of the business’s intangible assets, like reputation, are protected, and is as much about understanding the risk profile as the key business processes. It should focus on the immediate response and behaviour of senior management, just as much as sourcing suppliers and production facilities.
Being nimble, with the ability to react quickly to any interruption, can be more useful than a business continuity plan. But flexibility comes from in-depth knowledge of the organisation’s operations and interaction with others. It is about knowing your risks and your options.
The strategies for providing greater resilience can be divided into four broad categories:
- Insurance-driven/asset-based programmes.
- Compliance-driven/functional-based programmes.
- Threat-driven/event-based programmes.
- Value-driven/flow-based programmes.
The first three categories, which represent most organisations’ current strategies, are not comprehensive. They take into consideration only a small portion of an organisation’s total exposures and result in risk investments that are aligned to physical resources. What they leave out are non-physical risks, such as the failure of a supplier or the lack of public infrastructure, such as roads and ports.
The value-driven or flow-based programme can deliver a complete, integrated approach to supply network risk management.
Aligned with the organisation’s business, this approach extends the view of the supply network beyond the organisation’s physical boundaries. Risk is viewed in the context of the value delivered to all stakeholders by a given product, product category, product family or service.
Industries that use this value-based strategy include those with the most highly complex and advanced supply networks, including automotive and high-tech manufacturing.
The value-based approach begins with a clear articulation of what is of greatest organisational value. If all of an organisation’s capabilities were destroyed and it had to start from scratch, which market and product or service would it focus on first?
Once this priority is defined, the value and supply network to support it can be shaped. Single points of failure can be analysed to determine the impacts at various “pinch points”, such as the number of weeks and financial impact of production being halted. These can then be quantified and prioritised to determine the level of investment needed to manage risk at a detailed level.
Quantifying exposure
Once identified, supply chain exposures need to be quantified in terms of the financial impact arising from defined risks.
This relies on having an informed, detailed understanding of how the business generates revenue and how much of that is exposed, and the key suppliers, processes, people and physical assets that underpin this.
Detailed maximum and normal (mitigated) loss estimates can then be calculated, and these are essential to help convince the board that the level of risk requires investment, either by building in redundancy, improving risk management, and/or transfer.
The contrast provides a way to place a value on business continuity efforts. Also, as insurers place greater scrutiny on clients’ quality and level of supply chain data to safeguard against high loss ratios and aggregated risk, in-depth quantifiable data will go a long way towards securing the limits required at a reasonable price.
The limitations of traditional business interruption and contingent business interruption cover are well documented. Work is being done within the insurance market to develop existing, and promote new, business interruption products to provide cover for disruption to suppliers and service providers resulting from incidents that are unrelated to property damage, such as a pandemic or strike.
However, many insured businesses often lack the data on contingent risks and information on second and third-tier suppliers, making the decision of whether such insurance is value for money.
Beyond insurance
Cover or no cover, building resilience is key in today’s “just in time” global supply chain. The businesses that are best able to do this will be those capable of generating the greatest quality of risk management information to help understand where critical points of failure sit, allowing informed decisions on the risks they are prepared to take, as well as those they know they must face.
Collaboration between all stakeholders is key, and bringing together the different divisions within your own organisation helps, but getting your own risk manager to meet with the risk managers of your suppliers completes the circle.
In summary:
- Identify: Bring together the various business functions—procurement, business continuity, finance and operations—to identify exposures and map the full value chain from remote suppliers through to the final customers.
- Improve: Seek to mitigate existing exposures by improving business continuity plans, and those of suppliers. Find alternative suppliers that can be used in the event of an incident, and establish an iterative strategic plan to proactively instil resilience throughout the organisation.
- Measure: Quantify supply chain exposures in terms of the financial impact arising from defined risks. Calculate maximum and normal loss estimates, and evaluate any non-financial impacts.
- Treat: Use in-depth quantifiable data to secure investment from the board to mitigate supply chain risk, and/or secure appropriate levels of insurance at a reasonable price. How would you know if this is value for money if you have not quantified your exposures?
Caroline Woolley is global leader of Marsh’s Business Interruption Centre of Excellence. To contact Caroline, please email: [email protected]