Supply Chain Risk Management in six steps

Supply management is not just about acquiring goods and services at the best possible price. It’s also about identifying possible disruptions to the supply chain and taking steps to mitigate them. So said James Kiser and George Cantrell in their 2006 article Six Steps to Managing Risk, where they discussed six steps that a company can take to build a plan for dealing with potential supply disruptions. While the article may be lacking in academic depth, it makes up for it in its hands-on managerial approach.

The starting point

According to Kiser and Cantrell, a good risk management strategy has several key components.

It must identify risks for the entire life cycle of every product or service the company provides. It must be able to predict the financial impact that a supply disruption can cause. It must offer strategies that can mitigate the effects of any disruption of supplies.  It must delve deeper into the supply chain than the first tier.

The key strategy is the holistic perspective and the focus on the actual impacts.

What are supply chain risks?

Modeled along the lines of Martin Christopher’s book chapter on Managing Risk in the Supply Chain, Kiser and Kitrell define  risks outside and inside the supply chain:

External risks can be driven by events either upstream or downstream in the supply chain:

  • Demand risks related to unpredictable or misunderstood customer or end-customer demand.
  • Supply risks related to any disturbances to the flow of product within your supply chain.
  • Environment risks that originate from shocks outside the supply chain.
  • Business risks related to factors such as suppliers’ financial or management stability.
  • Physical risks related to the condition of a supplier’s physical facilities.

Internal risks are driven by events within company control:

  • Manufacturing risks caused by disruptions of internal operations or processes.
  • Business risks caused by changes in key personnel, management, reporting structures, or business processes.
  • Planning and control risks caused by inadequate assessment and planning, and ineffective management.
  • Mitigation and contingency risks caused by not putting in place contingencies.

No suprises here, except for the last internal risk, which seems somewhat redundant, given the already mentioned planning and control risks. The same risk can also be found in the SCOR Risk Management Framework.

The six steps

Again, very similar to Martin Christopher, understanding and managing supply chain risks involves these steps:

  • Profiling the supplier base
  • Assessing the supply chain vulnerability
  • Evaluating implications
  • Identifying mitigation and contingency actions
  • Analyzing costs and benefits
  • Implementing actions and measures

In describing each step, the level of detail Kiser and Cantrell provide is anything from several long paragraphs to just a few short lines.

Step 1: Supplier base

This is an important task, particularly identifying what is essential for the company to be in control of, and what does not matter so much:

  • Identify each raw material
  • Identify strategic materials
  • Understand the strategic suppliers’ organization

Step 2: Vulnerability

For each of the risks listed, the company must identify what scenarios that are likely to happen, why they happen, and how the company is able or unable to cope with them.

Step 3 : Implications

This is one of the sections where the article falls short of mentioning anything substantially useful besides promoting the Monte Carlo simulation technique.

Step 4: Mitigation

This is where the company needs to set goals and targets and how to achieve them, e.g.:

Within 24 hours of a supply disruption of material X, purchase orders will be placed with the alternate supply source to assure there will be no disruption in the supply of X.

This is in fact very similar to business continuity planning and evaluating how soon the the company can get back to ‘business as usual’.

Step 5: Costs and benefits

Any cost in mitigation actions and measures brings with it the benefit of risk reductions and possible cost savings in case of a disruption. But how much, and is it really worth it?

The figure above, taken from one of my previous articles on this blog, is a good illustration of the relationship of cost-benefit and vulnerability versus reliability: The disruptions costs, and thus vulnerability, increase from right to left (solid line), the cost of countermeasures to overcome potential disruptions, and hence the assumed reliability, increase from left to right (dotted line). At point A, with no measures in place, the cost of disruptions is high, at point B, with (expensive) measures in place, the cost is low, but the benefit/cost ratio is negative. At point C the benefit/cost ratio is positive, but there is still room for improvement. Optimum is reached at point D. An example of how to actually calculate the costs and benefits can be found here: How to calculate the Value at Risk

Step 6: Measures and actions

The most important part of implementing supply chain risk management is the clarification of roles and responsibilities, including involving or partnering with the suppliers to in securing the supply chain, but not only that.

For risk management to be effective, it must be fully integrated into the company’s business processes. The process of identifying risks, analyzing them, and planning mitigation strategies must be documented and reported throughout the organization. To effectively evaluate risk strategy, management must balance the cost of mitigation with available resources and optimum cost management objectives. The risk management strategy should apply to everyone at all levels in the organization and focus on achieving the company’s business objectives.


The final paragraph is what strikes me most here, clearly acknowledging that supply chain risk management is more than just supply chain, it is the business itself. As with Ericsson versus Nokia in the classic case of how not to deal with supply chain disruptions,

A well-handled supply disruption
can turn into business continuity, while
an ill-handled supply disruption
can turn into business dis-continuity.

While the article may be lacking in academic depth, it makes up for it in its hands-on managerial approach. Some parts are (deliberately ?) cursory treated, while other parts are given with much detail. Nonetheless, it is an article that fully supplements the research literature on suply chain risk and risk management, e.g. Martin Christopher’s book chapter on Managing Risk in the Supply Chain.


Kiser, J., & Cantrell, G. (2006). Six Steps to Managing Risk. Supply Chain Management Review, 10(3), 12-17.

Author links

James Kiser and George Cantrell are working with ADR International,  a global consultancy specialising in procurement.

Related links

Related posts on this blog

Jan Husdal is an engineer turned researcher turned engineer again and he is now a Resilience Adviser with the Southern Region office of the Norwegian Public Roads Administration (Statens vegvesen Region sør) in Arendal, Norway,

Tags: , , , , ,
  • Pavan

    Hi Husdal,

    I was going through your amazing social library, the above topic says flow of materials is an external risk, in what perspective..?

    Is it not a core business process to make the product available to customers…?

    What if the distributor maintains everything like retail outlets as well..?

    • Jan Husdal

      Hi Pavan and thank you for your compliments.

      As to your question, as far as I am able to tell, article above uses the focal company perspective, looking at at ingoing and outgoing external flows. “Raw” materials in, “finished” products out.

      While you may be right in saying that it is “a core business process to make the product available to customers”, very few companies really own their distribution channels, but of course, if a manufacturer owns the entire supply chain, or if the distributor owns the retail outlets and the trucks distributing the goods, that could be viewed as an internal flow.

      That perspective is then perhaps more similar to the one seen in Jüttner et al.(2003), which has the organization, the network, and the environment as risk sources.

  • pavan

    Hi husdal,

    You are helping me out very much in all the ways, however I am gonna start my master’s dissertation. I am confused with the topic selection under supply chain risks.

    Basically, I want to find out how many types of risks are there and their appropriate strategies, I tried a lot searching for that but ended up with nothing.

    If you can please tell me any previous research done in this area with respect to my question then please do reply me. thanks

    • Jan Husdal

      Hi Pavan,

      Thank you for you comment and for your question. I wish I could help you, but frankly, there are about as many risks as there are supply chains.

      That said, I believe that you might find the SCOR supply chain risk management framework quite useful for your dissertation.


    It is learning for the student to see the slides and many information for the students.

    • Jan Husdal

      Dear Muhammad,

      Thank you for your comment. I’m glad that my site is of help to you. That is exactly what it is meant to be. Good luck with your research!

The Final Frontier: The Northern Sea Route
Sought after by polar explorers and long awaited by the shipping community: The Northern Sea Route. [...]
Avoid Supply Chain Breakdown - Tailored Risk Management
In my previous post on Ericsson versus Nokia - the now classic case of supply chain disruption I men[...]
A Future Research Agenda for Supply Chain Risk
When Manuj and Mentzer (2008) wrote their article titled Global Supply Chain Risk Management, they [...]
Is Dynamic Supply Chain Alignment the way of the future?
Dynamic Supply Chain Alignment. That is the magic formula that runs like a red thread through John G[...]
Book Review: Operations Rules
Operations Rules by David Simchi-Levi comes with an ambiguous title. You can read this two ways: 1) [...]
Risk Management in Global Supply Chain Networks
Supply Chain Risks can be classified as either one of these three, Deviation, Disruption or Disaster[...]
When disaster strikes...
bridge-collapse does the transportation network recover? And why are transportation networks so essential to [...]
Transport infrastructure resilience
Is it possible to devise a simple framework for assessing the resilience of the transport infrastruc[...]
ISO 28002 – Supply Chain Resilience
Have you heard of ISO 28002?  No? You should take note of this standard, because the ISO 28000 serie[...]