Components of Supply Chain Risk Management Risk Handling


Supply Chain Risk Management Framework
Supply Chain Risk Leadership Council
6 June 2007
Overview
• Scope
– Develop a Supply Chain Risk Mgmt Framework that will allow SCLRC members to work from common terms of reference and that will help guide future SCLRC activities
• Deliverables
– This presentation
– Others TBD
Team Members and Sources
• Team Members
– Ely Kahn and Andrew Cox, TSA
– Tim Astley, Zurich
– Brent Myers, FedEx
– Craig Babcock, P&G
• Sources
– Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management - Integrated Framework, 2004
– Supply Chain Risks and Risk Sharing Instruments, Robert Lindroth & Andreas Norrman, 2001
Definition of SCRM
• Supply Chain Risk Management (SCRM) is the practice of managing the risk of any factor or event that can materially disrupt a supply chain, whether within a single company or spread across multiple companies. The ultimate purpose of supply chain risk management is to enable cost avoidance, customer service, and market position. Supply chain risks can be grouped into 3 broad categories: physical, process, and institutional risks.
Supply Chain Risk Framework
(Diagram: the framework has three axes.)
– Types of risk
– Risk management components: Internal environment, Objective setting, Event identification, Risk assessment, Risk response, Control activities, Information & communication, Monitoring
– Supply chain scope: Unit/site operations, Internal supply chain, External supply chain, Global supply chain
Risk Mgmt Components
Risk Management Components
Components of SCRM
– Internal Environment
– Objective Setting
– Event Identification
– Risk Assessment
– Risk Response
– Control Activities
– Information & Communication
– Monitoring
The components should be looked at as being interrelated.
Internal Environment
• Encompasses the tone of an organization
• Influences the consciousness and awareness of its people
• Basis for all other components
• Provides discipline, structure and organization
• Establishes a philosophy regarding risk management, including its risk appetite
• Oversight by board of directors
• Integrity, ethical values, competence
• Assigning of authority and responsibility
Objective Setting
• Set at the strategic level, establishing a basis for operations, reporting and compliance
• Precondition for event identification, risk assessment and risk response
• Aligned with the risk appetite (as defined in internal environment)
• Risk tolerance
Event Identification
• Management identifies potential events
• Differentiates risks and opportunities.
• Events that may have a negative impact represent risks, which require management response
• Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.
• Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives.
• Addresses how internal and external factors combine and interact to influence the risk profile.
Event Identification
Possible techniques
– Event inventories
– Scenario analysis
– Internal analysis
– Escalation or threshold triggers
– Facilitated workshops and interviews
– Process flow analysis
– Leading event indicators
– Loss event data methodologies
– Interdependencies
Event Identification
Categorization of events (with reference to other framework axes), e.g.
– External
• Economic
• Environment
• Political
• Social
• Technological
– Internal
• Infrastructure
• Personnel
• Process
• Technology
Risk Assessment
• Allows an entity to understand the extent to which potential events might impact objectives.
• Assesses risks from two perspectives:
– Likelihood
– Impact
• Employs a combination of both qualitative and quantitative risk assessment methodologies.
• Relates time horizons to objective horizons.
• Assesses risk on both an inherent and a residual basis.
• Impact of events should be assessed individually or by category across the entity
Risk Assessment
• Assessment Techniques
– Benchmarking
– Probabilistic models
– Non-probabilistic models
Risk Response
• Identifies and evaluates possible responses to risk.
• Possible Responses:
– Avoidance
– Reduction
– Sharing
– Acceptance
• Evaluates options in relation to risk appetite, cost vs. benefit of potential risk responses, and degree to which a response will reduce impact and/or likelihood.
• Selects and executes response based on evaluation of the portfolio of risks and responses.
• Examines whether residual risk is within risk tolerance.
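The Risk Assessment and Risk Response slides above describe a scoring loop: rate each event on likelihood and impact, record the inherent risk, apply one of the four responses, and check whether the residual risk sits within the tolerance set during objective setting, individually and by category. The following Python is an added illustration of that loop; it is not part of the SCRLC deck or of COSO's framework. Everything specific in it is an assumption: the 1 to 5 scales, the likelihood x impact product as the score, the `likelihood_cut` / `impact_cut` fractions that model how much a reduction or sharing response removes, the sample register entries and the tolerance value of 6.

```python
"""Added example (not from the SCRLC deck): a small risk register that
scores each event on likelihood x impact, applies one of the four COSO
responses, and reports whether residual risk sits within tolerance."""
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    """The deck's three broad risk types."""
    PHYSICAL = "physical"
    PROCESS = "process"
    INSTITUTIONAL = "institutional"


class Response(Enum):
    """The four possible responses listed on the Risk Response slide."""
    AVOIDANCE = "avoidance"
    REDUCTION = "reduction"
    SHARING = "sharing"
    ACCEPTANCE = "acceptance"


SCALE = range(1, 6)  # assumed: 1 = lowest, 5 = highest, for likelihood and impact


@dataclass(frozen=True)
class Risk:
    name: str
    category: Category
    likelihood: int
    impact: int
    response: Response
    # Assumed modelling parameters: fraction of likelihood / impact that the
    # chosen response removes (0.0 = none, 1.0 = all). Not used for
    # avoidance (nothing remains) or acceptance (nothing changes).
    likelihood_cut: float = 0.0
    impact_cut: float = 0.0

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: likelihood and impact must be 1..5")
        if not (0.0 <= self.likelihood_cut <= 1.0 and 0.0 <= self.impact_cut <= 1.0):
            raise ValueError(f"{self.name}: cuts must be fractions in [0, 1]")

    def inherent(self) -> int:
        """Score before any response is applied (assumed: likelihood x impact)."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Score remaining after the selected response."""
        if self.response is Response.AVOIDANCE:
            return 0.0                      # the activity is not undertaken
        if self.response is Response.ACCEPTANCE:
            return float(self.inherent())   # risk is carried unchanged
        # Reduction (controls) and sharing (insurance, contracts) lower
        # likelihood and/or impact by the assumed fractions.
        return (self.likelihood * (1 - self.likelihood_cut)) * (self.impact * (1 - self.impact_cut))


def evaluate(register, tolerance):
    """Per-risk results plus the worst residual score seen in each category."""
    rows = []
    by_category = {}
    for r in register:
        res = r.residual()
        rows.append({
            "name": r.name,
            "inherent": r.inherent(),
            "residual": res,
            "reduction": r.inherent() - res,     # the benefit side of cost vs. benefit
            "within_tolerance": res <= tolerance,
        })
        by_category[r.category] = max(by_category.get(r.category, 0.0), res)
    return rows, by_category


def out_of_tolerance(register, tolerance):
    """Names of risks whose residual score still exceeds tolerance."""
    rows, _ = evaluate(register, tolerance)
    return [row["name"] for row in rows if not row["within_tolerance"]]


# Constructed sample register, one or two entries per risk type from the deck.
SAMPLE_REGISTER = [
    Risk("Port closure after storm", Category.PHYSICAL, 3, 5,
         Response.REDUCTION, impact_cut=0.6),          # e.g. alternate routing
    Risk("Cyber attack on supplier EDI link", Category.PROCESS, 4, 4,
         Response.SHARING, impact_cut=0.5),            # e.g. insurance, contract terms
    Risk("Demand forecasting error (bullwhip)", Category.PROCESS, 4, 2,
         Response.ACCEPTANCE),
    Risk("Single-source supplier facing new sanctions", Category.INSTITUTIONAL, 2, 5,
         Response.AVOIDANCE),                           # exit the sourcing arrangement
]
TOLERANCE = 6  # constructed: highest residual score the entity will carry


if __name__ == "__main__":
    rows, by_cat = evaluate(SAMPLE_REGISTER, TOLERANCE)
    for row in rows:
        flag = "ok" if row["within_tolerance"] else "OUT OF TOLERANCE"
        print(f"{row['name']:<46} inherent={row['inherent']:>2} residual={row['residual']:>4.1f} {flag}")
    for cat, worst in by_cat.items():
        print(f"{cat.value:<14} worst residual = {worst:.1f}")
```

Running it flags the two process risks (residual 8 against a tolerance of 6) as needing a different response or an explicit acceptance decision, while the physical risk lands exactly on the tolerance line and the avoided institutional risk scores zero. The per-category maximum is one simple reading of "assessed by category across the entity"; a sum or a weighted aggregate would be an equally valid choice depending on how the entity defines its tolerance.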
Control Activities
• Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out.
• Occur throughout the organization, at all levels and in all functions.
• Include approvals, authorizations, verifications, reconciliations, review of operating performance, security of assets and segregation of duties.
Information & Communication
• Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities.
• Communication occurs in a broader sense, flowing down, across, and up the organization.
• Personnel receive a clear message from top management
• Means for communicating upstream
• Communication with external parties
Monitoring
• Monitoring shall assess presence and functioning of ERM over time
• Effectiveness of the other ERM components is monitored through:
– Ongoing monitoring activities.
– Separate evaluations.
– A combination of the two.
• Serious matters reported to top management and the board
Issues to be aware of
• Need to balance the audit approach (avoid or mitigate risk) vs. proactive approach (deal actively with risks)
• Need to recognise role of risk management in realizing strategic objectives
• Risk should be seen as a necessary component and factor in strategic opportunity.
• There might be an economic benefit in accepting a particular risk; the focus should be on the risk-return tradeoff
• Risk quantification needs to be included as well as the focus on risk mitigation.
• Need to adequately reflect the external environment even though some risk factors are beyond management’s control
• Need to recognise correlation of risks – often difficult
• Risk management is a coordinating function
• Risk management is a dynamic process, not a checklist approach
• Need to recognise risk to reputation
Types of Risk
Types of Risk
• Physical Disruptions: Destruction of critical infrastructure in the supply chain
– Critical Infrastructure includes the material components or assets necessary for the continuous operation of the transportation system including equipment and personnel
• Process Disruptions: Events that involve day-to-day operations of supply chain processes
– Processes include the rules, actions, decisions, and information flows that give life to the physical level and are necessary for efficient and effective operation of the transportation system. Processes are what allow material components to work together—physically or virtually—as a system or supply chain
• Institutional Disruptions: Events that involve changes in company or supply-network governance and strategy.
– Institutional considerations include the policies, guidance, and organizations that empower and constrain the operation of the supply chain to meet large-scale company goals. Public sector examples of institutional disruptions include federal legislation, national policies, and state regulations. Private sector examples include company reorganizations, mergers, market shifts, and technology breakthroughs.
Risk Categories
• Physical Disruptions
– Natural Disasters
– Terrorist Attacks
– Accidents
• Process Disruptions
– Cyber Attacks
– Demand Forecasting Errors (Bullwhip effect)
– Supplier Reliability
– Missing or late shipments
• Institutional Disruptions
– New / Increased Regulations
– Geopolitical Issues / War
– Technology Step-Change
Supply Chain Scope
Supply Chain Scope
(Diagram: four nested layers, from Unit Operations at the centre out to the Global Supply Chain.)
• Unit/Site Operations: Source, make, deliver and return activities that are confined to a specific company unit or site
• Internal Supply Chain: Source, make, deliver and return activities that are confined to internal customers and suppliers at a local or regional level
• External Supply Chain: Source, make, deliver and return activities that include external customers and suppliers at a local or regional level
• Global Supply Chain: Highly complex supply chains that span national boundaries and involve second and third order suppliers and customers
Supply Chain Framework Interdependencies
(Diagram: physical movement, information flow and financial flow linking the parts of the supply chain.)
Supply Chain Scope Overlaid onto the Supply Chain Framework
(Diagram: the four scope layers placed on the framework.)
– Unit/Site Operations
– Internal Supply Chain
– External Supply Chain
– Global Supply Chain
Next Steps
• Discussion
– Close out track?
– How do we use this framework?