Managing Risk in the Supply Chain

Learn how leading companies go beyond cost-cutting to ensure continuing profitability


For a moment last fall, a supply chain mishap threatened to spark a United States public-health disaster of gigantic proportions. Contamination at an overseas supplier held up 48 million flu shots (half of the nation's expected supply), and speculation briefly ran rampant. Would the flu season be as bad as last year's? How many people would get sick? How many would die? Would this alter the outcome of the presidential election? Because the media ended up primarily focusing on the political story, which never came to pass, it nearly lost the basic management lesson: When it comes to impacts on the market, your suppliers' missteps can be as dangerous as your own. Indeed, the story highlights a question many businesspeople should be asking: Isn't it time to pay attention to risk management in the supply chain?

For over a decade, companies have been gaining huge cost savings by streamlining their supply chains. While successful, and thus worthwhile, these trends have also exposed organizations to new sets of risk. Some rely too heavily on a too-small set of suppliers, as in the U.S. flu-vaccine case. (Great Britain, relying on the contaminated supplier for just 10 percent of its supply, faced no shortages.) Many, in finding global suppliers, have also found global risk sources: political instability, terror and other security threats, and shipping disturbances. Most, in reducing their inventories, have increased the potential negative effects of even the tiniest supply interruptions.

Risk management is nothing new, of course. Smart companies have always defined, prioritized, mitigated and audited all sorts of risks. As the supply chain has evolved, new philosophies, procedures and relationship structures have evolved as well, along with new risks. We might well ask: What is the best way to manage supply chain risk? How do leading companies approach this task? How do they differentiate it from other risk management functions?

The Impact of Supply Risks

March, 2000: A lightning bolt struck a power line in New Mexico, causing power fluctuations throughout the state. The strike also caused a fire in a production room at a Philips Electronics semiconductor manufacturing plant. It was a small fire, easily put out by employees. But it stranded eight trays of valuable silicon wafers in a furnace, where they were ruined. It also set off sprinklers throughout the plant, causing water damage, and allowed smoke to infiltrate a sterile room and contaminate millions of silicon chips. The factory initially figured it would lose a week of production, but in fact it lost months.

The radio-frequency chips were a component in mobile phones, part of the supply chain of both Nokia and Ericsson, the Scandinavian phone companies. Within days, Nokia deployed a team of 30 officials to get more information, redesign chips, fast-track a production-boosting project, and pressure Philips and its other chip suppliers to make up the difference. Ericsson, dependent on the same chips for the same product, hadn't yet thought about its supply chain beyond the imperative to cut costs. In the mid-1990s it had simplified its supply lines by eliminating backup suppliers for many parts. With no other supplier and no detailed risk management plan ("We did not have a Plan B," one executive told the Wall Street Journal), Ericsson missed out on months of production during a critical market period. Ericsson's losses totaled US$400 million; when they were announced, its stock fell 14 percent in a few hours. Although Ericsson now has a proactive supply chain risk management approach, it has also withdrawn completely from the mobile phone handset production business. (Almar Latour, "Trial by Fire: A Blaze in Albuquerque Sets Off Major Crisis for Cell-Phone Giants," Wall Street Journal, January 29, 2001. Also Andreas Norrman & Ulf Jansson, "Ericsson's proactive supply chain risk management approach after a serious sub-supplier accident," International Journal of Physical Distribution and Logistics Management, Vol. 34 No. 5, 2004.)

That story clarifies the irony of the cost management focus. Companies rejoice when they save US$10 to $20 million from the supply chain; they rejoice even more if efforts promise those savings year-over-year. But the downside of failing to manage risks can result in losses many times greater than the potential savings. If a supply disruption stops production on a single line, sales can easily be damaged to the tune of US$100 to $200 million a month. And lost sales can, as they did for Ericsson, threaten your entire position in a market.

The risks are especially great in high-margin industries such as pharmaceuticals, where not meeting customer demand has far-reaching consequences.

Where do the risks come from? Figure 1 summarizes some of the key supply-chain initiatives of recent years that have brought valuable benefits, but also increased risks. Our examples so far have covered the first line, the single-source risk. But there are additional risks. For example, though sourcing from Asia provides great cost benefits, Asian parts have to be shipped. The California dockworkers strike of 2002 held up shipments to the United States from Asia; just four days later a Fremont, Calif., truck-making plant ran out of parts and had to shut down. Many globally-sourced goods pass through numerous middlemen, and each step poses additional risk: labor strikes; fires, earthquakes, or tsunamis; economic and political instability.

Globalization represents just one facet of risk; another is outsourcing. Regardless of geographic location, many companies have chosen to let suppliers manage key operations. When this strategy works, which is often, it's efficient, inexpensive and reliable. But if it doesn't work? Poor quality, poor yield, theft of intellectual property: outsourcing production doesn't mean you've outsourced these nightmares. They're still your problem.

The Growing Field of Supply Risk Management

Understanding these risks, many leading companies are beginning to focus on managing them. As Figure 2 shows, risk management lags behind cost reduction as a component of their procurement strategies. Although less than 25 percent of companies have plans in place that are yielding benefits, the majority have identified risk management as part of their strategy, and are developing or implementing plans.

What do these plans look like? Many companies are moving from single-sourcing to dual-sourcing to minimize risk. For example, one pharmaceutical executive says, "Ten years ago, approximately 60 percent of [a certain type] of item was single sourced. Today, through sourcing initiatives, that percentage is about 45 percent." Another notes the same trend toward dual-sourcing, commenting, "The exception is in cases where companies have product lines that they buy from proven alliances and therefore conduct single sourcing as much as possible for those goods in particular."

Many companies today are leveraging their supply base. They review suppliers annually based on quality, delivery, cost and competency. When they find supplier performance issues, they manage them intensively, developing a recovery plan and monitoring the supplier against it. They seek to help their suppliers implement Six Sigma quality efforts and ISO (International Standards Organization) certification. Finally, they encourage their Tier 1 suppliers to perform similar exercises with their own supply chain.

Philosophies of Supply Risk Management

Of course the specifics of any risk management plan will vary, because the risks do. However, leading companies clearly follow basic philosophies, which are outlined in Figure 3. The first step is to identify risks. Most executives find that supply continuation far outranks other risks in importance, for the reasons outlined above. But other risks can fall into categories such as quality, inventory and systems.

For each category, there are risk drivers (such as single-source dependency or supplier bargaining power) and the potential impact of the risk (lost production and reduced customer satisfaction are two). Again, the categories, drivers and the impact will vary by industry and supply chain organization. With risks spread across dozens of suppliers and hundreds or thousands of stock-keeping units (SKUs), the prospect can seem a little daunting. Everything does not have to be examined at once. Your supply chain risk management strategy can target issues such as impact and frequency:

  • Risks with high impact deserve attention because of their potential effect on revenues, margins and competitive advantage.

  • Risks with high frequency deserve attention because risks by definition are not supposed to be certainties.

Figure 4 charts these two factors against each other, suggesting where and how to focus your efforts. Clearly the most important risks are those in the upper-right quadrant: high impact, high frequency. These SKUs should be your starting points for re-sourcing efforts. Risks in the upper-left quadrant (high impact, low frequency) can be mitigated through a joint process improvement with the supplier or other techniques with minimal effort.

For example, since the New Mexico fire, Ericsson has implemented a risk assessment process that classifies each of its components based on the number of suppliers and the business recovery time to find an alternative source or redesign the product. For critical components, Ericsson then evaluates many risk drivers, selects risk mitigation strategies and develops templates for incident handling and business continuity planning to reduce potential consequences.

Ericsson's philosophy of risk management now has the rigor of its competitor Nokia. Nokia, whose monitoring processes had identified a potential concern in New Mexico even before Philips officials notified them of the fire, also relied on philosophies that encouraged communication of such news and that gave executives addressing such supply risk problems authority to make on-the-ground decisions.

As they implement risk management, many companies perform their monitoring by developing key risk indicators (KRIs): metrics that evaluate changes in the likelihood of a supply disruption. For example, a KRI may be a tolerance level for the number of defects in a shipment or its potential delay. What happens when the KRI changes? For one thing, you might choose to alter your inventory levels. For example, hearing about the coming dockworkers' strike in California in 2002, several smart retailers increased their inventories of key products ahead of time.

Indeed, attention paid to amounts of inventory may divert attention away from the ways to reduce costs and risks by changing the types of inventory. Consider the paint industry: inventories were formerly kept in a wide variety of colors. But now salespeople can mix color specifications after the customer places an order. This innovation means paint manufacturers can dramatically reduce inventories, while actually reducing the risks of out-of-stocks.

But mitigating risk is not merely about more carefully watching the supply chain. It can also be about making that supply chain more flexible, or even altering it. Where are parts pooled across products? Are there ways to engage redundant suppliers while maintaining economies of scale? Are there points in your value chain where the risk and cost equation suggests that excess capacity may be okay?

Such questions, of course, go to the heart of procurement strategy. But they have a risk dimension as well. That interplay may be a factor in leading companies' decisions about organizational responsibility in risk management.

Techniques of Supply Risk Management

Ideas and philosophies of risk management are not new to large corporations. They've been dealing with risks in events, prices, currencies, interest rates and other factors for years. As Figure 5 shows, supply risks are merely one component of a larger enterprise risk management strategy. Sometimes supply risks overlap the other categories, as when the risks of political events now have to be evaluated not just within the company but across the supply chain. Sometimes they represent an additional level of complexity, as when foreign exchange risks have to be factored into multiple global supply environments.

The corporate risk management function addresses these enterprise-wide concerns. But when it comes to supply risk management, the corporate organization is still evolving. Figure 6 presents an organizational chart, noting three levels of risk management:

Let's start with level 3, corporate risk management. This function has to manage the universe of risks discussed in the previous figure, including several that often reach the radar screen of CEOs. So when asked about this new area of supply chain risk, most don't have the resources for anything more than a quick audit.

Level 2 is a cross-category supply risk manager. Many companies, knowing that they need to not just audit but mitigate and manage risks, are creating this new position. The supply risk manager has the tools, methodologies and intellectual capital to coordinate risk management across categories, and also to manage high-priority risks.

Level 1 is the category manager. We call this level 1 because as the function evolves, category managers will perform risk management in addition to their other supply-chain responsibilities such as costs, pricing and contracts. After all, the amount of risk management required depends on the category: In some low-risk categories, such as office supplies, the focus should remain on cost reduction. In other categories, such as a single-sourced material for a high-profit product, risk management will be more important than squeezing out an extra 5 percent cost reduction. In other words, risk management is a logical extension of the category manager's responsibilities, and organizational structures will come to reflect that.

For example, Ericsson's new supply risk management organization includes all three levels. A corporate risk management function has overall responsibilities, coordinating activities and developing directives. The company has created a position of supply chain risk manager within its purchasing function, responsible for developing and implementing the work of balancing between risk exposures and protection activities. Individual supply chain (category) managers are responsible for using the risk manager's tools and processes to analyze, assess and manage risk in their categories. The three levels meet together in a Risk Management Council, and have Responsibility Grids to define their roles. However, an executive notes, "the key responsibility lies with the [category managers, who] should run the risk management work in their respective supply chain." (Norrman & Jansson, ibid. Jansson is the Ericsson executive.)


Sure, now you tell me. People who have taken risks unnecessarily are always bitter about discovering them, too late. They wish they had not gone out on this limb in the first place.

Such is not the case with the supply chain. The risks are necessary; the rewards are great. Supply chain risk management is not so much about wishing you hadn't come out on this limb. It's about studying the limb's structure, examining the nearby trees, jouncing just a tiny bit to see what it feels like. It's about planning, developing strategies, being quick on your feet. If this limb breaks, it's about seeing that as not a problem, but a gateway to enter a new dimension of the glorious forest.