Before You Begin: Assign Information Classification


Supply Chain Risk Management Framework
Supply Chain Risk Leadership Council
Zurich Case Study
30 January 2008
Confidential – Do Not Forward Outside SCRLC
Zurich Case Study
[Figure: framework diagram]
Risk management components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring
Risk Management is an iterative process
Types of risk (types of risk are not mutually exclusive)
X-Tier Supplier, First-tier Supplier, Your Company, Primary Customer, Downstream Customer
Includes links (logistics and electronic transfer of information) between supplier, your company, and customer
Manufacturer of Business Machines
Background
• $2.5bn business supplying high security equipment and software solutions to the worldwide banking industry
• Centralised (European) risk management and audit
• Moved European manufacture out to China 3 - 4 years ago
• Initial savings of >50% achieved, now around 40%
• Investment in local quality management
• Initially poorly managed extended supply chain
Risk Management Components I
• Commercial drivers, little focus on risk management
Internal Environment
Cost, cost, cost, quality
Objective setting
Control Activities
Audit
Quality, delivery, EH&S, insurable risks
Monitoring
• Dimensions: Physical, Tier 1 (China)
Risk Management Components II
• Corporate (Enterprise) level, belated focus at Supply Chain level
Event identification: Risk identification ‘deep dive’
Risk Assessment: Supply chain mapping, EHS, CSR, QA, physical
Risk Response: Risk mitigation and transfer
Control Activities: Verification and audit, BCM
Monitoring: Supply chain metrics, risk mitigation review
Risk Assessment
• ‘Fundamental’ requirement to monitor and assess EH&S and physical risks
• Concern over ‘Hyper-optimisation’ in supply chain
• Growing recognition of reputation vulnerability
• Supply chain mapped – key product lines
• Scenarios evaluated
[Figure: framework diagram. Dimensions: Physical, Process, Institutional. Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring]
Risk Response
• ‘Institutional’ dimension recognised
• Focus on critical supplies (not just geographical)
• Actions defined to mitigate reputation exposure
• Risk transfer options defined
[Figure: framework diagram. Dimensions: Physical, Process, Institutional. Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring]
Control Activities
• Greater focus on BCM in the supply chain
• Push audit focus upstream
• Extending BCM testing assurance to Tiers 1 & 2
[Figure: framework diagram. Dimensions: Physical, Process, Institutional. Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring]
Monitoring
• Tighten internal monitoring
• Establish metrics to evaluate overall supply chain vulnerability
• Monitor suppliers on this basis
• Maintain focus on competitor activity, customer response and regional drivers
• Measure effects of risk mitigation(?)
[Figure: framework diagram. Dimensions: Physical, Process, Institutional. Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring]
Conclusions
• Valuable reference / check
• Iterative nature of framework
• Focus on different elements at different times
• Cumulative value