Quantifying Supply Chain Risk

Today, more businesses around the world depend on efficient and resilient global supply chains to drive performance and achieve ongoing success. By quantifying where and how value is generated along the supply chain and overlaying the array of risks that might cause the most significant disruptions, risk managers will help their businesses determine how to deploy mitigation resources in ways that deliver the most return in strengthening the resiliency of their supply chains. At the same time, they will gain the insights needed to make critical decisions on risk transfer and insurance solutions to protect their companies against the financial consequences of potential disruptions.

As businesses evaluate their supply chain risk and develop strategies for managing it, they might consider using a quantification framework, which can be adapted to any traditional or emerging risk.

  • Begin with a “bricks and mortar” risk assessment. Start with the traditional property business interruption risk, focusing first on exposures related to your company’s owned physical plants and facilities as well as those of critical trading partners.
  • Understand and analyze your global business model, as well as any changes that have been implemented to create efficiencies or as a result of mergers, acquisitions or divestitures. Determine exactly how and where value is created and use this information to identify and assess potential vulnerabilities.
  • Distinguish between volume and value. You may have significant trade volume in dollar terms with one partner that can be easily replaced, while the dollar volume of trade with a supplier of a critical raw material, component or ingredient may be small but difficult and costly to replace. In this case, the supplier with the least spend could be the one that has the most impact if disrupted.
  • Tie financial impacts to risk of disruption. This will enable your company to establish priorities and allocate resources in dealing with potential exposures.
  • Beginning with your most significant potential exposures, understand what mitigation options are available and compare them to what you already have in place.
  • Quantify your worst-case exposures in terms of maximum foreseeable losses.
  • Know your company’s ability to respond to events and threats, especially those that might affect the most critical elements of your supply chain. Identify specific emerging risks that are likely to have the greatest potential financial consequences, such as: cyber network interruption; political and expropriation risk; infectious disease and pandemic; product liability and recall, as well as other potential exposures.
  • In evaluating various supply chain exposures, leverage findings from the traditional business interruption study conducted earlier in the process. This can help determine how other risks might affect specific operations and individual trading partners and, in turn, cause disruptions along the supply chain. Remember, all business interruption risk resides on your company’s P&L and within your unique business model, regardless of cause.
  • Revisit your business continuity, incident response and crisis management plans in the context of the wider range of potential risks confronting your supply chain and individual trading partners.
  • Quantify worst-case financial exposures. This will give you the ability to pinpoint how and where to allocate resources to mitigate exposures, as well as to set priorities with respect to your risk transfer decisions, including coverages purchased, limits and optimal program structure.
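The volume-versus-value point and the worst-case quantification steps above can be made concrete with a small supplier exposure model. The following is an added example, not code from the original post or from RIMS; the supplier records, the gross-profit-per-day figures, the replacement lead times and the annual disruption probabilities are all constructed for illustration, and the "maximum foreseeable loss = daily profit at risk x days to replace" formula is an assumed simplification of a business interruption study.

```python
"""Rank suppliers by financial impact of disruption rather than by spend.

Added example (not part of the original post). The supplier data below is
constructed: the point is that the lowest-spend supplier can carry the
largest maximum foreseeable loss (MFL) once replacement time is considered.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Supplier:
    name: str
    annual_spend: float            # what the company pays this supplier per year
    daily_profit_at_risk: float    # gross profit per day lost if its input stops
    days_to_replace: int           # time to qualify and ramp an alternative source
    disruption_probability: float  # assumed annual likelihood of a disruption

    @property
    def max_foreseeable_loss(self) -> float:
        """Worst case: profit lost for the whole replacement period."""
        return self.daily_profit_at_risk * self.days_to_replace

    @property
    def expected_annual_loss(self) -> float:
        """MFL weighted by how likely a disruption is in a given year."""
        return self.max_foreseeable_loss * self.disruption_probability


# Constructed sample register: spend and criticality deliberately disagree.
SUPPLIERS = [
    Supplier("Packaging Co", 5_000_000, 20_000, 5, 0.2),
    Supplier("Catalyst Ltd", 300_000, 150_000, 90, 0.1),
    Supplier("Logistics Inc", 2_000_000, 50_000, 14, 0.3),
]


def rank_by_spend(suppliers):
    """The naive 'volume' view: biggest dollar relationship first."""
    return sorted(suppliers, key=lambda s: s.annual_spend, reverse=True)


def rank_by_exposure(suppliers):
    """The 'value' view: largest maximum foreseeable loss first."""
    return sorted(suppliers, key=lambda s: s.max_foreseeable_loss, reverse=True)


def mitigation_budget_share(suppliers):
    """Split a mitigation budget in proportion to expected annual loss.

    Returns {supplier name: share rounded to 3 decimals}; shares sum to 1.
    """
    total = sum(s.expected_annual_loss for s in suppliers)
    return {s.name: round(s.expected_annual_loss / total, 3) for s in suppliers}


if __name__ == "__main__":
    print("By spend:   ", [s.name for s in rank_by_spend(SUPPLIERS)])
    print("By exposure:", [s.name for s in rank_by_exposure(SUPPLIERS)])
    for s in rank_by_exposure(SUPPLIERS):
        print(f"  {s.name:14} MFL={s.max_foreseeable_loss:>12,.0f} "
              f"EAL={s.expected_annual_loss:>12,.0f}")
    print("Budget share:", mitigation_budget_share(SUPPLIERS))
```

In the constructed data, Catalyst Ltd is last by spend but first by exposure, which is exactly the case the bullet on volume versus value warns about; the budget-share function is one way to turn that ranking into the resource allocation the last two bullets call for.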

Reputational Risk Draws Increased Board Awareness, But Not Action

In its fifth annual board of directors survey, “Concerns About Risks Confronting Boards,” EisnerAmper surveyed directors serving on the boards of more than 250 publicly traded, private, not-for-profit, and private equity-owned companies to find out what is being discussed in American boardrooms and, in turn, what those boards are accomplishing as a result.

According to the report, reputation remains the top concern across a range of industries:

[Chart from the report: Most Important Risks]

“The financial cost and damage to reputation from a cyber/privacy breach is growing exponentially,” said Nancy Brady, EisnerAmper’s director of IT risk services. “Directors have recognized the increasing risk companies face related to cyber/data security. Now they need to roll up their sleeves and, with the companies, address these risks.”

While reputational risk remained the top concern of respondents, the survey found that companies are not necessarily translating awareness into action. In fact, only 31% said they were concerned about crisis management.

“There were a surprising amount—close to a quarter of respondents—who had no plans, and others just informally ‘doing their best.’ This lack of formality to address the most significant risk identified existed across all organizations,” the report said. “When plans existed, they included both everyday operations—such as to keep a positive reputation and reduce the risk—and strategies to address a crisis affecting reputation.”

Despite the minimal plans in place, the directors surveyed seem to hold themselves and other company executives primarily responsible for the response to a reputational crisis. When asked who is responsible for executing such a plan, they reported:

[Chart from the report: Responding to reputational risk crises]

Respondents also showed improving confidence in the performance of the board, committees, external auditors and accounting departments.

[Chart from the report: How well is the board addressing risks]

The full report is available from EisnerAmper.

RMORSA Part 5: Risk Reporting & Communication

Having standardized risk assessments and well-documented mitigation and monitoring activities will equip your organization with a lot of risk intelligence. The question becomes: how do you report all of this information to your board and communicate it to your commissioner in a way that demonstrates the value of your ERM program? First, risk managers must be able to demonstrate how risks across the organization roll up to impact the board's strategic objectives; and second, ERM functions must track key metrics to validate the effectiveness of a formalized risk management approach.

Reporting on Critical Risks

Due to the limitations of spreadsheets, risk managers often have to choose between presenting actionable data that is too granular for the board, or presenting a high-level summary, such as a top 10 risk report, which lacks the context of how risk within business process activities relates to the objectives that senior leadership and the board require. However, a common risk taxonomy allows organizations to gather risk intelligence at the business process level and aggregate it to a high level for senior leadership.

For the top risks across the organization, often risk managers must provide the more detailed underlying data, such as which business areas are involved, their individual profile of the risk, their mitigation strategy and how the risk is being monitored.

The most commonly used method to determine top key risks is to rank risks based on the score from their assessment. This aggregate will depict which risks pose the most immediate danger to the enterprise, and should be reported on regularly. The second method uses your common-language root cause library to identify systemic risks. These are risks that have been identified by multiple departments, and may be more easily addressed with corporate-wide policies or procedures rather than point solutions. And now that you have a complete and transparent mitigation library, you can publish effective controls from one department to another, reducing overlapping activities in your organization and leveraging the practices of the departments that are most effective in managing risk.
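The two reporting methods just described (ranking by assessment score, and grouping by a shared root cause library to surface systemic risks), together with publishing the most effective control for a shared mitigation, can be shown on a small risk register. This is an added example and is not code from the original post, from RIMS or from LogicManager; the 1-to-5 likelihood and impact scales, the "residual = inherent x (1 - (effectiveness - 1) / 5)" discount, and every register entry are constructed assumptions for illustration.

```python
"""Aggregate department-level risk entries into board-level views.

Added example (not part of the original post). Uses a shared taxonomy: each
entry's root_cause and mitigation are terms from common libraries, which is
what lets entries from different departments be grouped together.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEntry:
    department: str
    risk: str
    root_cause: str             # term from the shared root-cause library
    likelihood: int             # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                 # 1 (minor) .. 5 (severe), assumed scale
    mitigation: str             # control from the shared mitigation library
    control_effectiveness: int  # 1 (weak) .. 5 (strong), assumed scale

    @property
    def score(self) -> int:
        """Inherent assessment score: the usual likelihood x impact product."""
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> float:
        """Inherent score discounted by control effectiveness (assumed formula)."""
        return round(self.score * (1 - (self.control_effectiveness - 1) / 5), 2)


# Constructed register: three departments share one root cause and one control.
REGISTER = [
    RiskEntry("Finance", "Invoice fraud", "Third-party access", 3, 4, "Vendor MFA", 2),
    RiskEntry("IT", "Ransomware outage", "Third-party access", 4, 5, "Vendor MFA", 4),
    RiskEntry("Operations", "Single-source supplier", "Supplier concentration", 2, 5, "Dual sourcing", 1),
    RiskEntry("HR", "Payroll system failure", "Third-party access", 2, 3, "Vendor MFA", 5),
    RiskEntry("Legal", "Contract dispute", "Contract terms", 3, 2, "Legal review", 3),
]


def top_risks(register, n=3):
    """Method one: the top-n report, ranked by inherent assessment score."""
    return sorted(register, key=lambda e: e.score, reverse=True)[:n]


def systemic_risks(register, min_departments=2):
    """Method two: root causes raised independently by several departments.

    Returns {root_cause: sorted department names} for causes that meet the
    threshold; these are candidates for a corporate-wide policy.
    """
    by_cause = defaultdict(set)
    for e in register:
        by_cause[e.root_cause].add(e.department)
    return {c: sorted(d) for c, d in by_cause.items() if len(d) >= min_departments}


def best_practice_controls(register):
    """For each control used by more than one department, the department whose
    implementation scores highest, i.e. the practice worth publishing."""
    by_control = defaultdict(list)
    for e in register:
        by_control[e.mitigation].append(e)
    return {
        c: (max(es, key=lambda e: e.control_effectiveness).department,
            max(e.control_effectiveness for e in es))
        for c, es in by_control.items() if len({e.department for e in es}) > 1
    }


def priority_gaps(register):
    """Entries ordered by residual score: high inherent risk with weak control first."""
    return sorted(register, key=lambda e: e.residual_score, reverse=True)


if __name__ == "__main__":
    print("Top risks:", [(e.risk, e.score) for e in top_risks(REGISTER)])
    print("Systemic root causes:", systemic_risks(REGISTER))
    print("Controls to publish:", best_practice_controls(REGISTER))
    print("Largest residual gaps:", [(e.risk, e.residual_score) for e in priority_gaps(REGISTER)])
```

On the constructed register the top-3 view leads with the IT ransomware entry, while the root-cause view shows "Third-party access" raised by Finance, IT and HR, which is the systemic pattern a top-10 list alone hides; the residual view reorders again, putting the weakly controlled single-source supplier first, which is the "least assurance of control effectiveness" prioritization discussed below.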

The State of ERM

When demonstrating the value of your ERM program, take a step back to evaluate just how many risks have been identified, and how well risks are being evaluated and mitigated. The common standards established by an ERM program will significantly enhance your risk identification process by allowing you to prioritize efforts to the most important risks that have the least assurance of control effectiveness. You might find that over the past several quarters, the gap between the number of risks identified and those that have been addressed has grown. This isn’t a concern, but rather a sign that your organization has a clear path forward and is beginning to understand its entire risk universe.

You can also track your progress against the ERM guidelines outlined in the RIMS Risk Maturity Model. Providing your executives, board or commissioner with a semi-annual report on the maturity of your ERM program will show which areas you've improved upon and which areas need focus going forward. The model provides a repeatable process that enables internal audit to validate its quality and effectiveness. The same model also has the benefit of enabling you to benchmark your program against others in your industry, providing a transparent, third-party evaluation of where your organization stands.

This concludes Steven’s series on ORSA Compliance. Looking for more ERM best practices and the latest industry trends? Subscribe to Steve’s Blog or visit www.logicmanager.com.