How to handle a supply chain disruption?

one of the ideas from this article that I like very much are the different alternatives for handling a supply chain, basically only two: to act or not to act, that is the question.

These two options start from the very first signs of disruption: To act: close down the supply chain, or not to act: keep the supply chain running.

The same goes for pre-event measures, or mitigative measures as I like to call them. Here, to act means trying to prevent disruptions from happening, while not to act mens either to accept the disruption and its consequences despite possible actions that could be taken, or to accept the disruption because it can neither be influenced as to probability nor as to consequence.

Similarly, when it comes to post-event measures, or contingent measures as I would call them, there is again the option of acting or handling internally or not acting or passing on the event and it s consequences.

Going with the flow

Another interesting though from this paper is the supply chain flow, and where the purpose of handling supply chain disruptions is to regain a stable flow in both incoming, outgoing and internal flows.

Furthermore,  regaining a stable flow after a supply chain disruption also implies short-term stability or market patience while the disruption is handled and long-term stability or market confidence after an event has been handled.

Total expected result impact

Combining the disruption handling options, the types of flows and the chain of events creates twelve possible combinations of impacts which must be added in order to obtain the total expected result impact:

This splits the disruption impacts into individual units while at the same time keeping the full picture intact.

Conclusion

What I like about the model developed in this paper is that addresses the entire supply chain from supplier until end customer. It is a holistic and generic model for estimating disruption risks in the supply chain flow in a systematic and structured manner. The model presents, as far as I can see, the most complete estimation of disruption risks, it includes incoming and outgoing flows and it separates between mitigative and contingent handling of disruptions, thus balanacing proactive and reactive risk management.

Reference

Paulsson, U., Nilsson, C., & Wandel, S. (2011). Estimation of disruption risk exposure in supply chains International Journal of Business Continuity and Risk Management, 2 (1) DOI: 10.1504/IJBCRM.2011.040011

Author links

• lu.se: Ulf Paulsson
• linkedin.com: Carl-Henric Nilsson
• linkedin.com: Sten Wandel

Related posts

• husdal.com: Ulf Paulsson’s DRISC model
• husdal.com: Inbound and outbound vulnerability

Business Dis-Continuity

The now classic textbook example of supply chain continuity, or rather “dis-”continuity, is the difference in how Ericsson and Nokia handled a fire in the chip manufacturing plant that supplied both companies. A well-handled supply chain disruption can result in business continuity, i.e. Nokia, while an ill-handled supply chain disruption can result in business dis-continuity, i.e. Ericsson. Building on this as one of the examples in the early pages of the book, Kildow goes on to explain in detail why and how she thinks that business continuity thinking should be part of supply chain management.

BCM+SCM=SCCM

As far as I can see, this is the first book that successfully marries Business Continuity Management with Supply Chain Management, thus creating Supply Chain Continuity Management, although this term is never used in the book anywhere, but that’s what it is; instead, she uses Supply Chain Business Continuity. Personally, I consider straightforward supply chain continuity the better terminology.

Familiar, but better

In its structure, the book more or less follows the same and familiar steps that Steve Cartland used in his book chapter on business continuity in global supply chains:

• Assess the risk
• Analyze the business impact
• Develop business continuity strategies

However, unlike Cartland’s book chapter, Kildow focuses exclusively on supply chains. As such, she is perhaps closer to the Swedish book on How to secure your supply chain that I have reviewed earlier.

Business Impact Analysis

Every enterprise has a supply chain, so Kildow, and within it there are products and services where disruptions could have a huge impact on business continuity. For each of these there are critical business functions that depend on each other, and mapping these functions is important in establishing their level of criticality. Here is Kildow’s suggested evaluation criteria:

• Function involves direct contact with customers
• Function involves direct contact with suppliers, contractors or shippers

Loss of function would

• Directly result in a loss of revenue and profit
• Potentially result in a loss of customers
• Directly result in increased operating costs
• Result in accounts receivable delays
• Delay distribution of products or service delivery
• Delay shipment or receipt of products
• Delay receipt of materials, parts or components
• Negatively impact the company’s current public image
• Result in significant liability exposure or other legal ramifications
• Prevent the company from meeting regulatory requirements
• Lead to imposition of fines or other penalties for failure to fulfill delivery clauses or meet service level agreements
• Result in financial penalties for late payment of accounts payable.

Considering this exhaustive list, there is maybe not much left that is non-critical, but more important than the assessment of everything important is to develop strategies for ensuring continuity, and in the book, Kildow lays out the steps for doing so.

Developing Business Continuity Strategies

When developing strategies, Kildow says, it is important to remember that business continuity is not business as usual, rather it is best possible business under certain scenarios.  Thus, all strategies must consider two dimensions:

• when a disaster directly impacts the organization
• when a link in the supply chain experiences a disruption that creates a disaster ripple effect

Once basic strategies are identified, it is necessary to dig into all related requirements for for ensuring continuous business flows such as inventory levels, restocking plans, and the movement of materials, components, parts and products.

Why business continuity?

As an argument for the importance of business continuity, Kildow puts forward the 80-20 rule

• 20% of a company’s stock takes up 80% of its warehouse space
• 80% of sales come from 20% of the sales force
• 20% of an organization’s staff causes 80% of its problems
• 20% of an organization’s staff provides 80% of its production
• 20% of the risks to an organization result in 80% of its disasters

Practical and hands-on

Not only does Kildow go into details about risks and strategies specific to supply chains, her book also includes a detailed appendix on

• how to assess your own business continuity readiness,
• what specific hazards a supply chain continuity plan should include,
• how to deal with pandemic issues,
• how to set up your continuity team,
• three continuity plan samples, and
• a supply chain/business continuity glossary.

Reference

Kildow, B. A. (2011) A Supply Chain Management Guide to Business Continuity. New York: AMACOM.

Author link

• linkedin.com: Betty A Kildow

Buy this book

• amazon.com: A Supply Chain Management Guide to Business Continuity

Related posts

• husdal.com: Supply Chain Risk versus Business Continuity
• husdal.com: Business Continuity in Global Supply Chains
• husdal.com: How to secure your supply chain

Future worries

The results of the 400-respondent survey, undertaken as phone interviews between April and June this year, were published yesterday, in “Dagens Næringsliv”, the Norwegian equivalent to the “Wall Street Journal”, and that is where they caught my attention. Being this recent, the survey also shows what the most pressing future worries are for business in the Scandinavian countries.

Don’t worry – Be happy

Many of you may remember “Don’t Worry Be Happy“, Bobby McFerrin’s famous song from 1988, and in some areas this is perhaps the case when considering how vastly different the answers are, depending on which country you look at. That is perhaps more frightening than the answer itself.

You would think that businesses, albeit they may be different in scope and geographical location, would have more or less the same fears when averaged out across the board, but that is definitively not the case here.

What keeps managers awake at night?

In Norway, it is loss of key personnel, perhaps like it is described in a cartoon I used in a post on how the wrong people can ruin the best supply chain. The loss of key personnel does not seem to matter at all to leaders the other countries. The explanation may be simple: With the unemployment rate at 3% and generally falling it is harder to find qualified employees in Norway compared to many other European countries, thus making losing them a frightening scenario.

In Denmark,  disasters, terror attacks and political upheaval are concerns that keep managers awake at night. Obviously the drama that ensued in Denmark after the publication of the Mohammad cartoons plays a role here. Not to mention the more recent unrest in the Middle East, adding political risk to the list of factors any business must consider.

In Sweden, they too fear the same. After all, Sweden has had its share of assassinations and car bombs, while Norway and Finland have peacefully escaped such calamities…so far.

In Finland, very noteworthy, nobody seems to fear anything at all. If anything matters to the Finns, it would be loss of IT, electricity or or telecommunications. Maybe it’s their “sisu” making its mark here? Or a little bit of “Don’t Worry Be Happy”? Or maybe, their real fears aren’t even on this list?

Social media worries

Norway also ranks bad media coverage as one of their major fears. Interestingly, bad media coverage is only a concern to Norwegians. Perhaps because Norwegian managers have realized the potential impact that social media can have on reputation risk?

Supply chain risks?

Problems with partners or suppliers (implicitly: supply chain risks) are on some managers minds especially in Sweden and Denmark, but not in the other countries. This is the only fear that directly links supply chains to manager’s concerns. Perhaps they should be pushed further up? I think so.

Incoherent but perhaps true?

Well, the picture of what the biggest fears in business are is very distinct, but not coherent. Different countries have different worries, at least as far as Scandinavia is concerned. And maybe that is the case throughout Europe and the rest of the world as well?

What about you?

What would be your biggest fear on the list above? Or are there other items on your agenda?

Related link

• husdal.com: Dette frykter sjefene mest
  (A pdf-version of the newspaper article, in Norwegian only)

Related posts

• husdal.com: Book Review – Political Risk
• husdal.com: Book Review – Reputation Risk
• husdal.com: 7 out of 10 businesses in Norway without a continuity plan
• husdal.com: The decade of living dangerously

Resilience redefined

The need to manage uncertainty in modern societies and economies that are complex and vastly interconnected, and that have created what many call a “risk society”, has lead to an increasing popularity of the concept of “resilience” and what resilience entails. In recent years, Yossi Sheffi and his Resilient Enterprise have emerged as one of the proponents of resilience, but he is undoubtedly not the only one, as Martin Christopher and the University of Cranfield were among the first to investigate resilience in supply chains. Now Australia has joined the ranks.

Four approaches

While applying the concept of resilience to the fundamental elements of infrastructure on which our society and economy depends is obviously imperative, the nature of the challenges critical infrastructure organisations encounter means that applying the concept of resilience is not simple and straightforward. Resilience, so the paper, is not just sound risk management, effective emergency response and crisis management, or business continuity management. Resilience expresses itself in one of four ways of how an organization approaches adversity:

• Decline
  • An organisation accepts that adversity may cause it to cease operating
• Survive
  • An organisation’s resilience objective is to exist in a reduced form after adversity
• Bounce Back
  • An organisation’s resilience objective is to regain pre-adversity position quickly and effectively
• Bounce Forward
  • An organisation’s resilience objective is to improve aspects of the organisation’s functioning  so that in adversity it not only survives but possibly gains from the situation

I find this a highly interesting perspective, and particularly the latter reflects much of what I wrote in an earlier post on Organizing Resilience, where

Resilience is the capacity to rebound from adversity strengthened and more resourceful.

It is also interesting to compare these approaches with the New Zealand Resilient Organisations project, where

Resilience is a 3-fold construct, working in a complex, dynamic and interconnected fashion depending on 1) keystone vulnerabilities, criticality and preparedness, 2) situation awareness, stemming from an assessment of the keystone vulnerabilities, and 3) adaptive capacity.

I should also not forget Asbjørnslett and his 1997 report on how to assess the vulnerability of production systems, where

A robust or resilient system is able to withstand or absorb disturbances without catastrophic failure and still persist. Robust means being able to resist an accidental event and return to the same stable situation than before the event. Resilient means being able to return to a new (often “lower”) stable situation than  before the event.

There is a distinct notion of severity in these definitions. In a business setting, the ability to survive (resilience) is much more important than the ability to quickly regain stability (robustness), something that lead me towards my own definitions of resilience, robustness, flexibility and agility.

What then does Australia view as the essential ingredients of resilience?

Resilience is frequently defined as an ability to bounce back from adversity. While this is a useful definition in many cases, and is an often-desired outcome in a critical infrastructure context, it does have limitations. This is because organisations can use times of adversity to achieve positive change – so they should be open to both the possibility for bouncing back, but also taking opportunities to bounce forward.

That is a definition that I like, and very much like resilience as adaptive transformation.

Three attributes

The REAG has also identified the behavioral attributes of resilience that fall into three categories, as they relate to:

• Leadership and Culture
• Networks
• Change Ready

Leadership and culture refers to an organization that, among other things,

• develops an organizational mindset/culture of enthusiasm for challenge, agility, flexibility, adaptive capacity, innovation and taking opportunity
• fosters an environment that supports agility, flexibility and initiative in decision making through trust, clear purpose and empowerment of employees

A lot of nice keywords here (agility, flexibility, adaptive capacity…), but not really much substance.

The next attribute, Networks, is  slight better described, and “adds some meat to the bone”, as we say in Norway. This attribute refers to organizations that, among other things,

• establishes relationships, mutual aid arrangements and regulatory partnerships
• understands its community interconnectedness and its vulnerabilities across all aspects of supply chains and distribution networks

I’m not sure how “Networks” is a behavioral attribute, since the word “Networks”isn’t even an adjevtive, but anyway…

Finally, the last attribute, Change Ready, is the attribute that fully embodies what organizational resilience really means. A change-ready organization

• promotes proactive anticipation and preparation for future challenges
• develops a forewarning of disruption threats and their effects through sourcing a diversity of views, increasing sensitivity and alertness, and understanding social vulnerability
• promotes empowered and broadly embraced organisational and individual self-efficacy, as well as enthusiasm for finding effective solutions to complex challenges
• promotes requisite decision making using both rational and intuitive abilities, and
• promotes critical reflective learning, lesson retention, knowledge sharing and continuous improvement.

These attributes, so the paper says,  can be applied to any aspect of organizational capability development, similar to the above mentioned post on Organizing Resilience.

Case studies

The second half of the paper is devoted to seven case studies and the resilience lessons these companies made:

• Case 1: the lawyers and the accountants
• Case 2: the hi-tech laboratory instrumentation company
• Case 3: the wholesaler/retailer of household products
• Case 4: the freight company
• Case 5: the communications company
• Case 6: the power station project
• Case 7: the electronic design and manufacturing company

All in all, highly interesting cases that truly showcase resilience and non-resilience.

Conclusion

There isn’t much more to say about this paper. In my opinion the Australians have hit the nail on the head here. What do you think?

Reference

REAG (2011) Organisational Resilience: A position paper for critical infrastructure. Australian Case studies. The Australian Government Resilience Expert Advisory Group.

Download

• tisn.gov.au: Organisational Resilience

Related links

• tisn.gov.au: Critical Infrastructure Resilience
• blog.vrg.net.au: Australian government position on resilience

Related posts

• husdal.com: Organizing Resilience
• husdal.com: Resilient Organisations
• husdal.com: Resilience – adaptation or transformation?

From a PhD…

The book is based on the research and the survey of German SMEs that Thomas Henschel undertook for his PhD thesis, and it is a book not only for SMEs, but also for banks, government agencies and management consultants to rate and evaluate risk management systems on a common basis. The book presents a scoring approach, which looks at how the SMEs use (or not use) the following components:

• business planning
• balanced scorecards and similar instruments
• risk management process
• risk management organization
• project risk management

Based on the survey, and based on the typology developed by Miles and Snow (1978),  companies were classified as

• reactors
  • a company that simply reacts to whatever occurs, without a clear strategy
• defenders
  • a company that competes on price and only slowly gives in to change
• prospectors
  • a company that competes on product and is open to innovation and rapid change
• analyzers
  • a company in between the two above

This is a very interesting framework and reminds me of the fact that I have yet to read Miles and Snow (1978), a classic I seem to have missed in my own literature searches on risk management.

…to a research project

Thomas Henschel has written several papers on risk management in SMEs:

• Henschel, T. (2006). Risk management practices in German SMEs: an empirical investigation. International Journal of Entrepreneurship and Small Business,  3 (5 ), 554-571
• Henschel, T. (2010). Typology of risk management practices: an empirical investigation into German SMEs. International Journal of Entrepreneurship and Small Business,  9 (3 ), 294-294

He is also a leading researcher in the SME at risk research project, based at Napier University, UK.

Risk Categories

In the book, Henschel uses the following classification of risks in direct and indirect risks:

This is slightly different from, but very similar to the SCOR supply chain risk framework.

Do SMEs increase risk?

In a paper from 2004, previously reviewed on this blog, Peter Finch looked at SMEs and supply chain risk and asked the question “Does having SMEs in your supply chain constitute an increased exposure to supply chain risk?”. The answer:

Many SMEs are not used to or trained in wide-ranging risk assessments to the same degree as large corporations are, and corporate supply chains my thus increase their exposure to risk by taking in SMEs, who in turn increase their own risk exposure to risks that are essentially outside of their control. However, all SMEs are capable of understanding and appreciating their own set of risks, and the risks they bring into the supply chain, as well as the overall corporate risks and the role they play in the wider perspective, if this is communicated clearly enough.

That is perhaps somewhat ambiguous at best and Thomas Henschel has taken the matter further. If you would like to know more about logistics challenges and supply chain risk in Germany in general, I suggest reading this book chapter about Risikomanagement in der Supply Chain – Status Quo und Herausforderungen aus Industrie-, Handels- und Dienstleisterperspektive.

Conclusion

The book is a PhD thesis, relies heavily on theory, and is not a handbook for risk management, unlike say, Risk Management Simplified by Andy Osborne, which is a dive straight into it recipe book for risk management in SMEs. That said, what fascinates me about Thomas Henschel’s approach is nonetheless his solid theoretical foundation.

Reference

Henschel, T. (2008). Risk Management Practices of SMEs: Evaluating and Implementing Effective Risk Management Practices. Berlin: Erich Schmidt Verlag.

Author links

• napier.ac.uk: Thomas Henschel

Publisher link

• esv.info: Risk Management Practices of SMEs

Buy this book

• amazon.com: Risk Management Practices of SMEs

Related links

• sme-at-risk.org: SME at Risk Research Group

Related posts

• husdal.com: Are SMEs a supply chain risk?
• husdal.com: Risk Management Simplified
• husdal.com: SCOR Risk Management

Read online

• books.google.com: SME Risk Management Practices

The risk management cycle

Chapter one dives straight into the matter and Andy Osborne comes up with a long and dismal list of all the things that can go wrong in business. At the core of the book, and introduced here, is the risk management cycle, which provides the outline for the individual chapters of the book. This cycle is similar to the risk management cycle used in ISO 31000 Risk Management and ISO 28002 Supply Chain Security, which I have posted about before, and it follows the traditional Plan-Do-Check-Act principle.

Identify risks > Quantify risks > Identify countermeasures > Implement countermeasures > Monitor and review > Identify (new/changed) risks > …

Each chapter deals with one of the above stages, and first off, Osborne illustrates how risk management pervades practically almost every business activity one can think of:

This is very similar to what can be seen in Hamilton’s circle of risk.

Identify risks

Chapter two takes a closer look at risks and Osborne separates risks into 8 categories, partially derived from the figure above:

• Strategic risks
  • e.g. business growth and future direction
• Operational risks
  • e.g. supply chain issues
• Financial/commercial risks
  • e.g. cash flow problems
• Regulatory/compliance risks
  • e.g. failure to meet legal or contractual requirements
• Health and safety risks
  • e.g. workplace accidents
• Personnel risks
  • e.g. loss or unavailability of key staff
• Technology risks
  • e.g. IT failure
• Project risks
  • e.g. failure to meet timescales

While this is a list that has to be adjusted to the individual business of course, I think that these categories fully capture the entire internal and external environment a business operates in. You may also want to look at Kiser and Cantrell (2006) or Manuj and Mentzer (2008) for comparison.

Quantify risks

In chapter three Osborne describes how to quantify risks. Here, Osborne applies the traditional risk matrix, with a 1 to 4 scale for likelihood and impact. Osborne prefers to keep it simple and argues that for most risk management purposes it is sufficient to rank likelihoods on a low-medium-high scale rather than using exact probability estimates. I would agree with that.  When determining impact then, Osborne advocates to distinguish between financial and non-financial impacts, as non-financial impacts, e.g. loss of credibility or damage to reputation could be just as devastating as an economic loss. By the way, Garry Honey has written a whole book on reputation risk.

Identify countermeasures

After identifying the risks and the impacts the company is now left with four types of risks it needs to address:

• Risks that must be mitigated
• Risks that should be mitigated
• Risks that could be mitigated
• Risks that do not need any action

This is what the fourth chapter is about, namely applying the four responses below. Note that the “Avoid” category, as seen in Deloach (2003) “Enterprise-wide risk Management” is not seen here, and I am inclined to agree with Osborne. Reducing is better than avoiding.

• Accept risks
• Manage risk
• Reduce/Transfer risks
• Insure/Planning for risks

Accept risks: If the likelihood is low and the impact is low, it may be a perfectly reasonable decision to do nothing and to accept certain risks. There may also be occasions when, although there is a higher likelihood or impact, it is either uneconomic or even impossible to implement countermeasures, for instance where the cost of addressing the risk outweighs the potential loss.

Manage risks: For risks with a higher likelihood but a low impact (such as pilfering of low value items, minor operator errors or other “glitches” which cause inconvenience as opposed to significant problems), a sensible approach might be to manage and control them, for instance by improving and documenting processes, by providing adequate training and education and by implementing controls and procedures to regularly monitor and review the situation.

Reduce/transfer risks: For risks with a high likelihood and a high impact, risk reduction measures are absolutely essential. For instance, hazardous or dangerous procedures should be modified, stringently controlled and monitored or outsourced to someone more qualified or better equipped to carry them out safely.

Contingency planning: If the likelihood is low but the impact is high – such as loss of operational capability, serious damage to  reputation, large financial losses or even failure of the business – contingency plans should be developed.  This often referred to as business continuity (or in some cases disaster recovery) plans.

Insurance: Insurance is a common, and extremely important, form of risk management. Insurance may provide a safety net for business if things go horribly wrong, but it should be borne in mind that insurance only addresses (some of) the financial impacts of some of the risks: It merely provides a pre-defined sum of money in the event that certain pre-defined risks occur. The appropriate use of insurance is an important weapon in your risk management armoury, but it’s a big mistake to view it as the only weapon.

Implementing countermeasures

Chapter five considers the implementation of countermeasures. A helpful tool that Osborne suggests and exemplifies is a risk register. A risk register is a document which summarises the risks identified, along with the likelihood, impact and the resulting risk rating and the appropriate countermeasures for each, plus the actions decided to take for each risk and the current status of them. This may perhaps seem like an overly simple tool, but it is definitely a technique that helps keeping track of what should be done, what has been done and what has not been done.

Monitor and review

Chapter six looks at the finals stage of the risk management process, ongoing monitoring and reviewing. Actually, monitoring and reviewing is not that difficult, Osborne says, because it is all about considering for each countermeasure, whether

• it does the job it’s intended to do?
• it reduces the overall exposure to risk?
• it improves efficiency?
• it continues to be cost-effective?
• the level of residual (remaining) risk is acceptable?
• it is being adhered to?

“What gets measured gets done”, Osborne says, so in order to assess the above some metrics must be used,

• financial measurements, such as cash flow
• operational measurements, such as service delivery or downtime
• commercial measurements, such as increased or lost sales
• customer feedback, such as complaints and product returns

Osborne also spends some time discussing the necessity of building a culture of risk awareness and setting the appropriate level of risk appetite. After all, while many risks do have a downside loss, in most cases there could be a potential upside opportunity as well, and Osborne suggests that this level is set individually for all risk categories mentioned in chapter two above.

Tools and techniques

Chapter seven discusses some of the tools a company can apply to assess and manage risks, such as

• Brainstorming
• Dependency modelling
• Process mapping
• SWOT analysis

I guess there could have been a lot more, but as Osborne rightly says,

Because the purpose of this book is to simplify and demystify the risk management process and make it more relevant to those who feel it’s important but for whom it isn’t necessarily a full-time occupation, there’s no room for most of them here.

Nonetheless, for the small business owner, there’s still more than enough to read and ponder in this book.

Examples of risks and countermeasures

The best part of the book is perhaps the 10-page appendix, where Osborne systematically lists risks and countermeasures, according to what has been said above. Even if you do not read the whole book, these 10 pages should be required reading. Every day in fact, just to remind yourself of all that can go wrong, and what you can do about it, which in fact is quite a lot, so there is no reason to ignore risk, pretending to see no evil and hear no evil.

Conclusion

This is a book that is very easy to follow. Each chapter provides hints and tips highlighting particular issues, and a couple of case studies to illustrate the points that are made, including self-assessment worksheets.  The back end of the book is made up of a step-by-step guide with risk examples and possible countermeasures. This makes the book perfect for small and medium sized firms who want to tackle their risk environment themselves rather than hiring some consultant to do the job for them. That said, in my opinion, risk assessments should always be carried out by the company and not the consultant, in any case. Even in all it’s simplicity, this book is far from superficial as far as risk management goes. Osborne has managed to scoop up the essentials and presents them in an elegant and completely non-academic approach, and therein lies its greatest value.

Reference

Osborne, A. (2010) Risk Management Simplified. Hothive Books.

Author link

• acumen-bcp.co.uk: Andy Osborne

Buy this book

• riskmanagementsimplified.co.uk: Risk Management Simplified

Related

• riskmanagementsimplified.co.uk: Risk Management Simplified
  (Official book website)
• acumen-bcp.co.uk: Acumen
  (Andy Osborne’s consulting practice)
• acumen-bcp.co.uk/blog/: Oz’s Business Continuity Blog
  (Andy Osborne’s blog. By the way, on Andy’s blog you can read what Andy says about his moment of fame when a crew came to make an e-book version of his book.)

Business Risks

This book  is of part of the Gower Short Guides to Business Risk series, so far covering topics such as reputation risk, political risk, fraud risk, ethical risk and customs risk, and with more topics on the bedding: operational risk, compliance risk, kidnap and ransom risk, corruption risk, equality risk and how to facilitate risk management. I guess this list could go on forever, and A Short Guide to Procurement Risk is my first review of the books in this series, and it will probably not be the last, as most of them, if not all, tie in nicely with supply chain risk.

The “Risk Catcher”

The book’s structure and individual chapters are built around a “risk catcher” figure, a pentagon where each corner represents the five different risk landscapes where business risk are lurking:

• External dependencies
• Market Conditions and Behavior
• Procurement Process
• Management Control
• Handling the Unexpected

Using the risk catcher figure, it is possible to identify which risk landscape that needs particular attention, and each chapter provides examples of potential risks and what the remedies look like. This figure is at the heart of the procurement risk management process.

None of the five risk landscapes is more important than the other. They must be viewed together, not separately, especially so because they are likely to the  separate responsibility of different persons in your organization, but it is only by crossing each other’s territory that comprehensive risk management is possible.

External Dependencies concerns the reliance on supply companies; their values and viability; performance, and the durability of supply chains. Market Conditions and Behaviours concerns the competitiveness or otherwise of supply markets; supply availability; price trends and the regulatory context. Procurement Process covers the way different people work together in all decision-making and behaviours which affect the customer’s dealings with suppliers. Management Controls refers to the proper use of authority in the company; the framework whereby it is delegated and the principles expected to be employed. In effect this is the DNA of the procurement process. And the Ability to Handle the Unexpected means just what it says.

Each risk landscape is covered in detail in the five chapters following the introduction, before chapter seven provides a step-by-step guide showing the procurement risk management process in action.

Self-Assessment

At the end of the first chapter, before diving into the risk landscapes, is a self assessment questionnaire, listing five statements for each of the five elements, meaning that you will receive a full score between 5 and 25, depending on the degree of procurement risk management that your company subscribes to. The score for each landscape can be transferred to the risk catcher, clearly displaying areas that need further attention. For the fun of it, here are the five statements with the lowest score:

• Procurement is non-existing as an identifiable defined process in the company.
• Orders and contracts are casual or ad hoc and are usually on suppliers’ terms and conditions.
• Nothing is codified…all decisions and actions are intuitive and/or require top level approval.
• The customer generally feels helpless and is glad to get what they can.
• We know that the unexpected can happen, but we hope that it won’t.

If you answered yes to all these statements, then yes, you really do need help.

The Risk List

When going over the chapters and counting the risks listed, I ended up with only 68 risks, not over seventy, but I may have missed some hidden in the text and not listed as bullet points. Some bullet points did actually list multiple risks, so the previous statement holds. Well, I guess I will not be revealing too much from the book if I list these 68 risks. After all, my book reviews are always a mixture of review and summary anyway. Besides, to remedy these risks you will still have to buy the book and read the how-to.

External dependencies

• poor supplier performance
• supplier pre-occupation with major projects (not you’rs)
• weak links in the physical supply chain, losses and misdirections
• damage to, and losses of, items still in the supply chain
• false sense of security created by long-term agreements
• contract claims and penalties; under-compensation for losses
• hostile supplier action and exploitative behavior
• over-assessment of importance of one’s business to the supplier
• over-dependence on too few sources
• pushing suppliers to far
• failure of outsourcing strategy
• supplier bankruptcy

Market conditions and behaviors

• price and supply volatility
• upward price pressures
• lack of early warning of price and capacity changes
• supply shortages due to competitor demands, global events or natural disasters
• loss of competitive source because of mergers and acquisitions
• over-eagerness to source in low-cost countries
• unexpected changes to regulations
• unfavorable currency movements
• being held hostage to monopolies
• being targeted by supplier cartels
• invoicing scams
• information brokering
• disrupted  e-auctions

Procurement process

• release of information which reduces negotiating power
• commercially unaware behavior (buying signals, sales tactics)
• poor specifications
• insufficient standardization
• no early procurement involvement (specifications, alternatives, funding)
• make versus buy not considered
• wrong assessment of potential suppliers suitability
• flawed contract strategy with potential contract loopholes
• inappropriate market approach tactics
• corrupted bid responses and tender evaluation
• insufficient use of negotiating power
• over-focus on price and inadequate assessment of total cost of ownership
• ‘soft money’ ignored
• inappropriate or poor supplier relationship management
• asset disposal mishandled
• insufficient market analysis of competitive dynamics, capacities, cost drivers
• under-trained personnel

Management control

• unworkable or inappropriate procedures
• biased selection of ‘three-bid invites’ and over-reliance on favored suppliers
• unofficial or unauthorized commitments to contract
• breach of confidentiality
• internal fraud and ‘backhanders’
• corrupted tender evaluation
• abuse of commitment authority and call-off agreements
• invoices paid twice or not at all; payment for goods not received
• unchecked price increases
• failure to benefit from volume price-breaks
• failure to control the letting of leases
• over-control
• speculative buying
• flawed authorization of contract changes and claims

Handling the unexpected

• failure to anticipate potential events
• over-reliance on predictive tools
• no strategy or master plan to provide frame of reference for dealing with unexpected events when they occur
• ad hoc reactions to events which diminish public confidence in the company’s ability to manage a crisis
• delayed or deficient responses which allow better-prepared companies to secure their competitive advantage
• rigid autocratic management styles which paralyze company personnel and prevent people from using personal initiative and expertise at ground level
• a helpless mindset

Each of the risks above is covered in detail, alongside possible consequences of not taking action against it, and possible options for mitigating it. I’m not sure I could come up with more risks, and I’m genuinely amazed at the breath of risks that this little book covers, as it is pocketbook size and has mere 132 pages. Perhaps not as organized as the risk classification in Harland (2003), but more hands-on. And although not explicitly mentioned as such, the pitfalls of single, sole, dual or multiple sourcing are well covered in the above list.

Procurement Risk Management

The last chapter is  a short step-by-step guide on how to manage procurement risk, based on the author’s own definition of what ‘being at risk entails:

Being ‘At Risk’ = Impact × Probability × No Mitigation
where Impact = Exposure ×Event

Effective Procurement Risk Management does include accepting some risks, with these situations being monitored to avoid being caught out if things change. Other situations can be left ‘at risk’ but contingency plans are ready should risks materialise. And where real trouble lurks, urgent action is required followed by regular audit.

The steps are as follows:

1. Gather data
2. Decide which supply categories to examine first (using Kraljic’s famous four boxes)
3. Identify potential disruptive events
4. Assess impact and probability
5. Focus on events requiring action to remove ‘at risk’ situations
6. Put risk-reduction strategies in place
7. Regularly monitor internal and external events to signal risk alerts

Using these steps, along with the risk catcher diagram, so the author says, a company’s procurement risk management transforms from initial Ignorance via Awareness and Evaluation to Management. After reading the book I am quite sure that he is right. All it takes is dedication and effort.

Conclusion

This book calls itself  ’a short guide’. It is not. It may be small on the outside but it is big on the inside. It is packed with useful information, for the procurement professional, for the supply chain manager, for the CEO, for any business owner.  Even for the supply chain risk researcher, who is likely to find he exhaustive list of risks particularly useful. Truly, this book is about so much more than procurement, it is about so much more than the supply-side risks in the supply chain, it is about any kind of business and how to do your business well.

Reference

Russill, R. (2010) A Short Guide to Procurement Risk. Farnham: Gower Publishing

Author link

• russill.com: Richard Russill

Publisher link

• gowerpublishing.com: A Short Guide to Procurement Risk
• gowerpublishing.com: A Short Guide to Procurement Risk (Chapter 1)

Buy this book

• amazon.com: A Short Guide to Procurement Risk

Related posts

• husdal.com: Book Review – Political Risk
• husdal.com: Book Review – Customs Risk
• husdal.com: Book Review – Reputation Risk

Surprising? Perhaps No.

I was living and working in Salt Lake City during the 2002 Winter Olympics myself, and while for a large portion of the city it appeared to be business as usual, for other parts the the impacts were severe. Back home in Norway, without an Olympic even to spur continuity efforts,  as many as seven out of ten businesses are without a continuity plan.

Major challenges

According to Heather Hancock, London 2012 Partner at Deloitte,

An event of this scale, with sites across London and throughout the country, will present some serious challenges to those companies who operate in and around venues for the Games if they fail to understand and plan ahead. This makes some of our findings really surprising.

Rick Cudworth, Head of the Business Continuity & Resilience team at Deloitte, follows up by saying

Many of these businesses need a wake-up call. They operate in service industries where people are vital, where the supply chain is time critical and where having products on the shelf or food to serve in restaurants is essential to their daily business. Thinking through the impacts that an Olympic-scale event could have on logistics, the supply of goods and the movement of staff is essential. We believe that – with insight and planning – businesses can maximise the opportunities to benefit commercially from London 2012. The clock is ticking and the planning needs to start now.

Well spoken.

Should you be concerned?

Key findings from the report include

• 12% of companies (15% in London) admit their preparations for London 2012 aren’t on track;
• 36% of UK companies think transport will present most disruption to their business; 23% are concerned about the potential for staff to be unavailable;
• Very few businesses are concerned about the potential risks from supply disruption (8%), resource scarcity, such as hotel availability (7%) or security incidents (6%).

Cudworth adds

The responses from our survey suggest that many companies are either underestimating the impact the Games will have on their business or they haven’t conducted accurate assessments. Most businesses will have business continuity plans in place, but they will typically plan for short-term disruption. The Olympic and Paralympic Games last for a combined 29 days over a six week period and complacency around planning assumptions could have repercussions at Games-time.

Perhaps it’s time to consider the Business Continuity Standard BS 25999?

Links

• deloitte.com: UK business overlooking Olympic opportunities and risks

Related

• husdal.com: The decade of living dangerously

A brief encounter

Actually, David found me before I found him. After finding my blog he contacted me last Spring me and offered me a copy of his book for review, which I gladly accepted. He must have enjoyed my review of Managing Risk and Resilience in the Supply Chain very much, because the publisher decided to link to it from the official book page. We exchanged a couple of e-mails over my review, but then it all went quiet. Now I know why.

Public sector supply chain

In one of his e-mails he said that he was working  on a paper on supply chain exposures within the public service and local authorities in particular, with Zurich Financial Services sponsorship, and it was on Zurich Financial’s website that I learned of David’s passing. I had a link to his homepage from my book review, and today I noticed that the link wasn’t working. Using Google I found David Kaye’s biography at the Zurich website, telling me of his much too early death. He must have had time to finish the paper, though, because it can be found at the Zurich website, and it is a paper well worth reading.

The wine we never drank

In his last e-mail David said that

I look forward to meeting you one day and putting the world of supply chain risk to rights over a coffee or a glass of wine!!”

It’s a pity we never got around to doing that, but I will think of David the next time I sit down to enjoy a glass of wine.

Links

• husdal.com: Managing Risk and resilience in the Supply Chain
• bsigroup.com: Managing Risk and Resilience in the Supply Chain
• zurich.com: Public sector supply chain: risks, myths and opportunities

CPM 2010 East

Since I devoted myself to literature reviews, conference announcements have become a rare event on my blog, but this one seemed particular interesting. The CPM 2010 EAST is a two-day event that will bring together experts in risk management for advanced-level education on today’s hot topics. All in all I counted 29 sessions across these tracks:

• Business Continuity
• Security & Emergency Management
• Risk Management
• Leadership & Professional Development

The sessions are designed as either Lecture, Case Study, Panel Discussion or Workshop, and range from Beginner to Intermediate to the Advanced level, so there should be something for everybody here. With 4 sessions per day that makes a maximum of 8 sessions you can possibly attend, so I guess you will have to chose your sessions wisely. Each session is described in detail in the conference brochure which you can download below.

To me, some of the more interesting sessions are (follow the link to read the program details):

• Chief Risk Officer: A Career Path Strategy
  • How to develop and execute a comprehensive career path strategy
• Teaming Enterprise Risk Management and Business Continuity
  • Identify synergies and ways to optimize ERM and BC methodologies
• Crisis-Decision Making
  • How to make important decisions when (1) information is scarce; (2) time is limited; and (3) the future is uncertain
• Looking For Risk Up and Down the Supply Chain
  • How “For want of a nail, the war can be lost.”

and let’s not forget

• Breaking the Spin Cycle: Managing Crisis Communications with Credibility
  • The three things that make the difference between brand protection and destruction

As I said, I counted 28 sessions, and while some are obviously more interesting than others, I wish I could attend them all.

Conference website

• contingencyplanning.com: CPM 2010 East

Download

• contingencyplanning.com: Conference Brochure

Save $100

If you’ve never attended before and are interested in attending, I am pleased to offer a special registration code to share that will save $100 off the full conference rate when you use this link to register for the CPM 2010 East with the promotion code NX1C79.