The corporate risk management function addresses these enterprise-wide concerns. But when it comes to supply risk management, the corporate organization is still evolving. Figure 6 presents an organizational chart, noting three levels of risk management:
Let's start with level 3, corporate risk management. This function has to manage the universe of risks discussed in the previous figure, including several that often reach the radar screen of CEOs. So when asked about this new area of supply chain risk, most don't have the resources for anything more than a quick audit.
Level 2 is a cross-category supply risk manager. Many companies, knowing that they need to not just audit but mitigate and manage risks, are creating this new position. The supply risk manager has the tools, methodologies and intellectual capital to coordinate risk management across categories, and also to manage high-priority risks.
Level 1 is the category manager. We call this level 1 because as the function evolves, category managers will perform risk management in addition to their other supply-chain responsibilities such as costs, pricing and contracts. After all, the amount of risk management required depends on the category: In some low-risk categories, such as office supplies, the focus should remain on cost reduction. In other categories, such as a single-sourced material for a high-profit product, risk management will be more important than squeezing out an extra 5 percent cost reduction. In other words, risk management is a logical extension of the category manager's responsibilities, and organizational structures will come to reflect that.
For example, Ericsson's new supply risk management organization includes all three levels. A corporate risk management function has overall responsibilities, coordinating activities and developing directives. The company has created a position of supply chain risk manager within its purchasing function, responsible for developing and implementing the work of balancing between risk exposures and protection activities. Individual supply chain (category) managers are responsible for using the risk manager's tools and processes to analyze, assess and manage risk in their categories. The three levels meet together in a Risk Management Council, and have Responsibility Grids to define their roles. However, an executive notes, "the key responsibility lies with the [category managers, who] should run the risk management work in their respective supply chain." (Norman & Jansson, ibid. Jansson is the Ericsson executive.)
Sure, now you tell me. People who have taken risks unnecessarily are always bitter about discovering them, too late. They wish they had not gone out on this limb in the first place.
Such is not the case with the supply chain. The risks are necessary; the rewards are great. Supply chain risk management is not so much about wishing you hadn't come out on this limb. It's about studying the limb's structure, examining the nearby trees, jouncing just a tiny bit to see what it feels like. It's about planning, developing strategies, being quick on your feet. If this limb breaks, it's about seeing that as not a problem, but a gateway to enter a new dimension of the glorious forest.
About the Author: Sanjay Agarwal is a principal at the management consulting firm A.T. Kearney, based in Cambridge, MA. He can be reached at email@example.com or 917-331-9902.