I received a newsletter from the Supply Chain Risk Leadership Council (SCRLC) and it made me realize how much this field is starting to advance. SCRLC has developed a very nice way of categorizing supply chain risk management (SCRM). They view it as being composed of five distinct disciplines:
- Preparedness, Continuity, and Recovery Planning;
- Regulatory & Security;
- Supply Chain Resiliency;
- Risk Assessment and Monitoring;
- Supply Chain Incident Detection and Crisis Management.
The council’s goal is to generate “a thick 3-ring notebook filled with Best Practices” for each discipline.
In preparation for that task, the Risk Assessment and Monitoring track is starting by defining terms (i.e., compiling a ‘lexicon’ of terms). I found the definitions interesting because they show how deeply the organization is thinking about this topic. Here are a couple of examples.
SCRLC prefers the term “risk management” to “crisis management” because the latter implies an after-the-fact response to a crisis, while risk management is more proactive.
The term “Risk Appetite,” however, is more difficult and elusive to define. “It’s a concept you can resonate to at fifty thousand feet, but when you try to implement it on the ground as a practical application, it’s very tough,” says John Brown, Director, Risk Management, Supply Chain Development, Coca-Cola Company, and a member of the track. “It’s important to have a measure so individuals within a company don’t take more down-side uncertainty than a company can reasonably bear or less than is optimal for a company to tolerate. But with the exception of financial services, it’s very cutting edge to develop a metric that puts numbers on risk appetite. There are so many functions within a company, how can you say concisely what is acceptable risk? Most risk levels at the enterprise level are more qualitative than quantitative.”
“Risk Tolerance” is equally difficult to define. As Brown notes in the newsletter, “ISO defines it as an organization’s readiness to bear risk, which can be interpreted as an absolute boundary that the company can accept and still survive. But some companies would say just the opposite—that Appetite is the total picture and Tolerance falls within that.”
The council has an interesting set of members, including Cisco. I was briefed by Cisco on its approach to SCRM a couple of years ago and was blown away. Cisco has to be one of the best companies in the world when it comes to SCRM.
Finally, I was fascinated by the council’s list of resources, websites that could provide very useful information to a SCRM team. These resources include CNN; the Emergency Email and Wireless Network (breaking news and emergency email notifications of natural disasters or other emergencies in a particular locale); the World Health Organization; Centers for Disease Control (tracking of pandemics and acute disease outbreaks); the World Metrologic Organization; the US Geological Survey/Earthquake Information (earthquakes, hurricanes, cyclones, and severe weather); and Maplecroft Maps (portfolio of risk indices displayed in interactive maps; I plan to get briefed by them soon).
In conclusion, although the field of supply chain risk management is advancing, it is still in its infancy, and most companies still only focus on business continuity and recovery planning and not the broader approach to SCRM put forward by this council.