The question of the month from an anonymous reader was posed like this: What is the best way to manage supply chain risk?
We were working with the Chicken Platform team at one of the world’s largest QSR (Quick Service Restaurant) in helping them introduce chicken to their menu. While it may not sound like a big deal, it was a huge undertaking that involved significant complexity. One of the elements we added to their menu strategy was risk management because it became obvious to us that while there was significant risk involved, there was no systemic way of identifying and mitigating that risk. So you can blame us if you don’t like the chicken items at this iconic global QSR.
Here are some of the key lessons we have gathered from the many, many years of dealing with Risk Management (RM).
Unavoidable necessity or desired need? While there are many tools, templates, methodologies, software packages etc. related to risk that you can spend your money on, it’s far more important to address risk at a meta level in the organization first. Let me start with a hypothetical question – does your CEO view risk management as a competitive advantage or a necessary nuisance? If it’s not the former, then that ironically becomes your biggest risk in implementing risk management AND also the first step. A more robust risk management process converts into a competitive advantage leading to more sales, better margins, etc. etc. That takes RM from an unavoidable necessity to a desired need.
2D or 3D risk model? Most of the risk models are two dimensional in nature – they measure impact and likelihood of the event and then allocate resources to manage the risks. Level of control and influence is often ignored. What is the point of dedicating resources to measure and monitor risks that you cannot do anything about? In determining priorities, it is critical that all three dimensions be considered.
Portfolio Risk? Even when we see risk management being deployed, we are always surprised by the lack of aggregating risk across the “portfolio”. Various divisions of an organization are doing an excellent job at managing risk individually but no one is aggregating the risk to understand the total exposure. For example, each division is sourcing from the same geographical region adding significant portfolio risk to the corporation. While optimizing sub-system risk, we end up sub-optimizing “system” risk.
External vs. internal factors? Risk is most often viewed as something external to the corporation (market, industry, supplier etc. etc.). It is fairly obvious that there are a number of internal factors that are never acknowledged or addressed. Inability to make timely decisions, ineffective implementation of decisions, bad information flow (inventory, demand, lead times etc.) are just a few examples.
“Consonants” vs. “Vowels”? Clients who have designed pretty good risk models end up not paying enough attention to the adoption of those processes. Theoretically, they have actually increased their risk exposure by introducing a false sense of security within the organization. A well designed RM process (consonants) does very little unless it is accompanied by an equally well designed and robust adoption process (vowels).
Controlled response? In spite of a RM program, risks will manifest themselves. The question then becomes how does an organization react to it? What we have observed is that organizations that have a credible RM program in place do a far superior job of reacting to those events because they have developed the confidence and the competencies to deal with events. Organizations that don’t have a RM program end up in a much more reactive mode. A greater impact is then caused by their reaction than the original event. We recently had a Fortune 25 client go through a major disruption in their supply chain. Their reaction was to severely tighten up the selection criteria and the decision process to mitigate future risk. Unfortunately, they also ended up “freezing” their own supply chain organization and their supply base. 40% of suppliers that had been acceptable became non-compliant overnight, even though they had absolutely nothing to do with the disruption. It’s been months and months since the original incident but the client is still suffering from their reaction to the event rather than the event itself.
Competencies? The competencies required to effectively roll out a robust RM program are unfortunately in the dreaded soft skills category which are in short supply in most organizations. RM at the end of the day is all about changing behaviors and the functional skills that are in vogue in most companies can’t really help.
While it is critical to understand various risk factors in our supply chain and try to mitigate them, our research has shown that unless RM is addressed at the meta level in the organization, most efforts fail. It is for that reason that we must fundamentally change the definition of RM to a competitive advantage as opposed to a necessary evil. A great place to begin would be for you to start including RM as a decision factor in selecting your suppliers. Have them show you their RM plan for their supply chain. It is the best way to elevate the discussion around RM and you may learn a thing or two about how to manage risk.