Managing Risk and Resilience in the Supply Chain

David Kaye

www.bsigroup.com/bip2149
www.riskreality.co.uk

Risk managers, of course, understand that the consequences of damage by an unexpected incident may not be measurable only in terms of purely financial cost. There are more ways, and potentially much more destructive ways, of a risk incident harming an organisation and its people than the loss of assets, revenues, cash flows, or the financial cost of litigation. The most destructive of impacts from a risk incident can be to render the organisation unable to deliver on current contracts or continue to meet its responsibilities to stakeholders. It can also destroy its ability to manage and to retain effective control, to retain its marketplace positioning, and to remain legal and compliant.

Within earlier business models, the organisation managed most, if not all, aspects of its supply chain from within its own factory, office, warehouse and workforce. It had more than one way of interfacing with its consumers, and maintained stocks of finished goods and raw materials on site to keep it going for days or weeks in the event of a failure or slowdown in supply. It employed the workforce directly and thus had day-by-day control. It could instantly redirect that workforce to meet any new urgencies that emerged.

The modern business model, with its just-in-time supply chain, tight compression of margins, and direct communication via the web simultaneously to millions of customers at home and abroad, is much more brittle and has never been more susceptible to a single point of catastrophic failure. Furthermore, much of its workforce is now employed by a third party to deliver both intellectual and physical resources and activity, but only and precisely as agreed in a contract that was negotiated at a time when the potentially destructive incident may not have been anticipated. This challenge applies to organisations large and small, profit-making and public service.
Outsourcing is now often integral to the very heart of the business model. Outsourcing is so much more than subcontracting, and is much more than cost-saving. It positions core divisions of the organisation in the hands of third parties and has enabled entirely new business models that embrace instant and differentiated services to entirely new customers. These promises of instancy, customer differentiation and multinationalism become, of course, high-risk expectations on which the entire business model depends and on which group brand values depend.

In a nutshell, the modern business model is much leaner and has much less margin for error. Its ability to absorb surprises is gone for ever, and thus understanding and managing its risks has never been more critical. The impact of failure may enforce a period of time when it cannot remain an effective player in its marketplace. It doesn't take long for that displacement to destroy brand values and other confidences, and for competitors to rush in and wreak long-term damage to the organisation's customer base and other important stakeholder dependencies. Even when the organisation is a monopoly or public service supplier, the way stakeholders and customers react to a real or perceived fall in service levels can turn a hiccup into a disaster.

The risk manager's worry beads therefore include the need for all of the operational dependencies and tools that are necessary for the organisation's survival to remain accessible, and quickly enough for it to stay alive. These dependencies are much more than money and assets. They include, crucially, a wide range of intellectual assets, effective business controls, regulatory approvals, legality, regulatory compliance, the confidence of its various stakeholders, its brand values and its wider reputation. They include, of course, whatever assets, tools and skills, wherever they are positioned in the value chain, that it needs to be able to continue to retain trust and deliver urgent, contracted products and services, on time and of the expected quality.

Extreme financial damage from an unpleasant surprise may indeed be sufficient to divert the financial business model sufficiently to render the organisation no longer viable. The non-financial impacts, however, are equally, if not more, likely to bring greater damage or even corporate death. These are just the dependencies that are often handed over to the third party members of an outsourced supply chain.

The cause of that corporate death may be a sudden accident or indeed a gradually evolving disease anywhere in the value chain. The end result is the same and both are of equal concern to the most senior management, their risk advisors, and of course their stakeholders.
A gradually developing disease, for example a supplier's quality problems beginning to affect the brand value, is no less destructive and can be more difficult to manage than a sudden loss. It raises difficult questions of precisely when to react. It is a difficult judgement between hoping that the problems can be resolved and deciding whether the disaster reaction plan, with its own costs and challenges, needs to be triggered.

Customers can move away so much faster, perhaps with just a click of the mouse. Aggressive competitors, with the same business models available to them, no longer need to raise capital, design and construct factories or office blocks and then recruit staff before they can upsize and attack an organisation weakened by a risk incident. They simply sign a few new outsourcing contracts, maybe even with the damaged organisation's erstwhile suppliers.

Risk and opportunity are, however, two sides of the same coin. These business models enable the organisation to upscale and downsize much more easily and more quickly than before, and offer opportunities to spread risk and to react to a crisis. A diverse supply chain can therefore be a useful risk-spreading tool once the downside risks are understood and are within the organisation's own risk tolerance levels.
This potential for damage, loss of detailed control, and the lack of ability to react now lies at the very core of business models. It takes the risk manager and the most senior strategic managers of the organisation way beyond the range of their traditional risk management comfort zones. It takes them into the much more amorphous and difficult arena that combines strategic risk and operational risk, and especially into measuring low-frequency but very high-impact risks. It needs them to understand and respond to the fact that they are simultaneously shedding the ability to micro-control, shedding the very tools that they will need urgently, and moving into areas where second-hand risks, impacts and frequencies are so much more difficult to evaluate, communicate and manage. Thus proactive relationship management is equally a crucial part of early warnings, of disaster avoidance and of the organisation's important corporate life support machines.

Risk management has moved on from being simply the purchase of insurance products. Business continuity management is emerging from its own historical silo of technology and workstation replacement. Critical relationships need proactive management; regulators are increasingly pulling operational risk concerns into compliance management; and even credit risk management considers operational risks that could take away a debtor's ability to pay. Indeed there are single points of infrastructure supply failure that could affect separate debtors simultaneously. The realities of modern business models and their risks therefore cut right across these and other erstwhile silos of risk management that were, on the whole, previously able to deliver their values in isolation.

The outsourced value chain, both supply and delivery of course, is clearly at the very heart of the resilience of modern day organisations, whether they be profit-making, public service or indeed charity.
It brings real challenges in gaining an understanding of what those risks are, and indeed it brings a whole new range of risks and potential impact. The chief officer can delegate risk processes to third parties, but cannot delegate the responsibility for risk.

Suppliers may be from different legal environments and languages, have different cultures and especially have entirely different tolerances to risk and levels of impact. They are charged to put the interests of their own employers and stakeholders first. Simply demanding that the organisation is compliant with a standard or regulation such as BS25999 or Sarbanes-Oxley is a massive minefield. They may indeed be compliant and thus have possibly made themselves resilient as an organisation; but do their plans embrace all individual customers' own survival-level pressures, urgencies, quality standards, consistencies and volumes?

There are further minefields within the assurances of lawyers, due diligence reports, insurance, contingency plans, exercising, exit strategies, and contract wordings that will not only damage the unwary, but could destroy them. So much so that they take up a whole chapter in the book.
The supplier, too, sees itself as dependent on the customer, and can be damaged or destroyed by the failure of the recipient's ability to receive the goods or services as contracted, or indeed to retain the supplier's confidence that it is going to get paid for them. The supplier's reaction as a stakeholder to a perceived weakened customer can turn a problem into a disaster.

Summary

In summary, the responsibilities and demands of the strategic management of an organisation do not change when a part of the core activity is repositioned with a third party. Understanding and retaining control over the risks of those activities, and retaining at the same time their freedom to fully exploit their commercial value, does however bring very different problems, balancing acts and challenges.

David Kaye FCII FBCI FRSA MIRM
Risk Reality
United Kingdom and Barbados
davidjkaye@aol.com

Reference:
1. Managing Risk and Resilience in the Supply Chain. David Kaye. British Standards Institution. May 2008. ISBN: 978 0 580 60726 4
2. www.riskreality.co.uk
3. www.bsigroup.com/bip2149