•   Exclusive

Managing Risk: An Interview with Gary Lynch

Gary Lynch is managing director of the Supply Chain Risk Management Practice at Marsh, Inc. He also leads Marsh's Global Pandemic Response Center. Prior to Marsh, Lynch has held operational and IT risk positions at Booz Allen Hamilton, Chase, Prudential, and Ernst & Young. His latest book, Single Point of Failure: The Ten Essential Laws of Supply Chain Risk Management, discusses what supply chain managers need to know about risk in the current economy. Here, he talks with Supply Chain Management Review Associate Editor Sean Murphy about the book and risk management best practices.

Subscriber: Log Out

Sorry, but your login has failed. Please recheck your login information and resubmit. If your subscription has expired, renew here.

This is an excerpt of the original article. It was written for the March-April 2010 edition of Supply Chain Management Review. The full article is available to current subscribers.

March-April 2010

Business today is unrelenting. Just as you’ve finished up a dynamite promotion campaign or launched a superefficient distribution center, the market has a tendency of saying, “Not bad, but what have you done for me lately?” That’s cold! It’s exactly because of that competitive reality that companies today need to constantly fine tune and update every aspect of their performance. Naturally, we’re particularly concerned about that part of the business called supply chain management.
Browse this issue archive.
Already a subscriber? Access full edition now.

Need Help?
Contact customer service
847-559-7581   More options
Not a subscriber? Start your magazine subscription.

Gary Lynch is managing director of the Supply Chain Risk Management Practice at Marsh, Inc. He also leads Marsh's Global Pandemic Response Center. Prior to Marsh, Lynch has held operational and IT risk positions at Booz Allen Hamilton, Chase, Prudential, and Ernst & Young. His latest book, Single Point of Failure: The Ten Essential Laws of Supply Chain Risk Management, discusses what supply chain managers need to know about risk in the current economy. Here, he talks with Supply Chain Management Review Associate Editor Sean Murphy about the book and risk management best practices.

Q: Why is supply chain risk management so important today?

A: Along the supply chain (the flow of goods, cash and information), threats are more pervasive and impacts more extreme and vulnerabilities are more relevant to organizations that operate global and are interdependent on others to create and deliver value to the markets they serve.Many of these vulnerabilities exist outside the scope of control of the organization, many layers removed (beyond wholesalers, distributors, 1st tier suppliers) up or downstream in the supply chain.

Supply chain risk and supply chains mirror what role supply chain has taken on in business—and in many cases, in the role of commerce in a country and the success of the country. You look at the way supply chain has morphed from that of an operational issue of things that we had to do in order to bring value to our customers, to now being a strategic issue, and a political issue in many cases. Now introduce this whole concept of global interdependency as well.

The reality is that threats are more pervasive, and they seem to be more impactful these days—whether it's larger hurricanes or typhoons or earthquakes as we've seen. And because the supply chains are spread around the globe, and they're constantly changing, the unknown is more common, so vulnerabilities are absolutely more relevant. So, I think that's the biggest challenge and what's really promoting risk to be a top issue right now.

Q: How is risk management different for a company that runs a mostly domestic operation, as opposed to a company that has many partners around the globe?

A:  The first question I would have is, are you really domestic? You believe that you're contained, even if you're a local coffee shop, and then you start to dissect your so-called business chain, your supply chain. And you realize, okay, well the coffee lids are coming from here, the cups are coming from there. Even the utilities I rely on. Look at energy as an example, which is necessary to keep my business going. It is something that no longer exists in my so-called “small, domestic environment.” It's something I've contracted and is being sourced from elsewhere, and I need to understand what are my key external dependencies.

So, the first question we'd have to tackle is, are you truly domestic? And if you are domestic, the way that it's different goes back to that definition of how to look at risk, or measure risk, and that is, can you identify uncertainty? If you're domestic and truly very, very local, you probably better understand what drives uncertainty and you can probably better measure your exposure to uncertainty. You have more predictability, so to speak, on the uncertainty piece. And you certainly would have a much better handle on the exposure to uncertainty, which represents vulnerabilities in your supply chain. So, smaller number of elements, less complex, more familiar, less unknown… these obviously translate into an easier time at managing risk.

Q: You talk in your book about people needing to embrace change. We had an article in
SCMR recently which very bluntly said that companies that don't change, like Digital Equipment Corporation or Circuit City or Chrysler, become companies that are unfortunately famous for another reason. Is change a key part of risk management?

A:  Change is probably the number one or two most important issue in risk management. And that puts such a burden on the organization to ensure that they develop the systems and the standards from a risk management standpoint to deal with change. So embracing change, building the systems and standards, are even more important and more relevant today. And change happens at so many levels, all too often I hear that an organization has acquired other organizations and that years later the systems that support the flow of information and goods have not been integrated. Information is rekeyed, intermediary systems are put in place (adding yet another layer of complexity and cost) to handle the transition of information between two disparate ERP systems. And at a macro level, the change and risk associated with the strategic footprint of the placement of suppliers, manufacturing and distribution centers must be considered.

Q: If, in fact, change management is the way to survive economic problems like the recession, and smart companies have accepted that idea, does that make the concept of risk management easier or harder for them?

A: I think it makes it harder. When we look at the reality of today's situation, everyone is so tuned into their own function, their own incentives, their own boundaries. Quite frankly, that's not the way clients or customers look at the products they get. They don't care whether the transportation failed or the warehousing was a problem. They just want the products when they want them and where they want them. The big challenge now, from a risk management perspective, is how do you get people to look beyond their functions and at what's needed to create, deliver and service value? You're asking for a cultural change, a behavioral change. How do you get them to look beyond their functional roles at a time when, quite frankly, many of them are worried about either their jobs or their company surviving through the economic crisis.

Q: In your book, you talk about the concept of supply chain management touching everything and everybody in the company. Yet siloing can be a problem in some companies. What's your key to getting through the silos so that people can understand that everybody is at risk?

A:  Well, depending on whether your audience is internal or external partners, obviously you want to put the pressure on in different ways. I think those who have succeeded have really done a good job of putting a system in place to measure the risk, both from an impact standpoint, and also from an investment standpoint. Where they had the greatest success is trying to measure the impact to a particular revenue stream, cash flow, product, set of SKUs. In building their impact and investment argument, they started to look at something that was a lot more tangible than the so-called organization. Just as I said in the book, everybody is part of the chain. You have to articulate that through getting the product managers on board first, and getting them to acknowledge that their revenue is potentially being threatened.

Q: It seems that any major initiative like this should come from the top down, but what happens when you run into an obstinate CEO who just doesn't want to embrace risk management?

A:  I'm going to give you actually two thoughts on this. The reality is, I think in some cases, it's a hopeless cause, meaning that you will just have some individuals who will just be totally unconscious, or ignorant, to risk and ultimately lead organizations into destruction. And actually, when I was working at one organization my boss, a senior executive, decided to categorize our executive managers as it relates to risk into three categories: They were either considered risk-takers, which was the majority; the enlightened, which were the ones that considered risk early in their business decisions; or the ignorant or brain-dead. The reality is you can do a lot to try to change those that are brain-dead. But at the end of the day, if those are the people that are leading your organization, you might want to think about working for another organization.

Now, that's said in extreme. The other option is to really understand the motivations for why they are ignoring the risk. And if it truly is pressures around margins or survivability at the company, or because they haven't felt the pain, I think that's where and when you're managing supply chain risk. You need to prioritize risk management activities around those things of greatest value and the greatest pain points. This is really where you need to spend the time and allocate the dollars. If I were to use a large beverage manufacturer as an example, and I tried to tackle this at the functional level, that's probably not the right place to go to get some of the confidence you need in the executive management team. You really do need to go to that leading product, whatever it might be, to get them to acknowledge that yes, this is the real thing of value here and it can be measured. You also need to translate that into real dollars, from an impact standpoint. And it's not always revenue that's threatened. Sometimes it's liquidity that's threatened, and as we know, it's the strategic value of the organization, the brand, or ability to comply with certain standards. So, all those have to be articulated, and depending on where you are in the marketplace, it's the risk manager's job to put more emphasis on one versus the other.

Q: You book describes ten different laws of risk management (see accompanying sidebar). Which are the most important?

A: Two stand out. One we've already talked about, which is the change law: if you don't manage and lead change, you're going to have to surrender to it. The other one was the “laws of the law,” which we talk about in the book's preface, when you look at the precepts about everyone being part of the supply chain. No risk strategy is a substitute for bad decisions. It's all in the details, and people operate from their self-interest. That really represents the behavioral and the management aspects of the problem. If we don't tackle those things, or we don't understand and acknowledge and address those issues, then it doesn't really matter what we do from a mechanical standpoint in any of the other laws.

Q: You've suggested that stakeholders, which you defined as including investors (shareholders), business partners, governmental organizations, and customers, should be setting the risk-management priorities and the paradigms. Doesn't it seem a little counterintuitive to have people who seem to be basically outside of the organization setting these priorities?

A: It's more like a partnership with the stakeholders that are leading in the dance. However, they're often not even brought to the dance, and here's where it becomes important. Here's a particular example: Let's say you're working on trying to manage a number of risks across the supply chain, whether it's in transportation logistics, sourcing, third-party sourcing, whatever it might be.

So you're trying to manage or address some of these risks, and at the end of the day there has to be an investment made against that. Well, somebody has to pass judgment as to what's the threshold for pain and then, of course, how much investment needs to be made against that threshold of pain. What am I willing to accept in the supply chain as far as variability or volatility—and then if it's not met, it's going to cause me pain? Well, it gets back to that question of who's going to feel the pain? Certainly management is going to feel the pain, and the executives are going to feel the pain. But ultimately, the people who are going to really feel the pain are the investors, business partners, clients or customers, and what we've experienced most recently during the financial meltdown is governments who rely on these huge organizations for economic stability or tax revenues. So when we get to these really tough investment decisions, I always ask the management team what are the expectations of those that you're providing your product to, and have you ever had a conversation with them as to what are they willing to accept?

Q: It sounds like the key takeaway here is not so much that you need to be putting the stakeholders in charge, but don't forget they're there either.

A: Yes. Well, that's another way to say it. As long as we ask them the question and empower them. If the stakeholders don't do a good job at defining it, then the burden is on you to define, and have you met the expectation? And that's always the challenging question.

Q: Now, once the stakeholder paradigm is in place, how do you take it to your partner organizations, and make it work?

A: You need to clearly articulate what you want from your clients in a very, very consistent way, whether they're large or small and you need to understand what it might cost or what tradeoffs to service or quality need to be made to achieve it. I brought out examples in the book of some companies that do it in an automated way, and put the expectations on websites. The companies are constantly out with the clients, the providers, the suppliers. They're working with them, and I think that's extremely important.

But you may not have the resources, the time, the management attention or the capital to address all these risks. So if you're going to look at third-party risk, and some large multi-national organizations have 30,000 suppliers, you have to do it within the context of the thing of greatest value in your organization that you're creating. You've got to turn the argument away from the totality of the company and the totality of the supply chain network. You have to begin with what's the greatest value to the company in the marketplace. Is it a particular product, is it a future product, is it a combination of those things? You know, Nike and WalMart and others have a consolidated set of suppliers, a much greater influence. But of course, that's only good for the guys that have tremendous leverage in the market. If you don't have the leverage that a Toyota or a WalMart, then you're forced to really start to be creative.

In nine out of 10 cases that I've been exposed to, I'd have the conversation with the suppliers about expectations, or asking them how they define risk, what are the business risk objectives and their approach to managing risk such as continuity planning. Just that conversation alone seems to have more effect than almost anything else and gets them moving in the right direction, and putting them on notice—just by asking the questions, it forced the upstream suppliers to do a lot.

Q: And if worst comes to worst, you find a new partner.

A: Exactly. And I think the recent financial crisis with the drying up of trade credit and trade finance over the last year-and-a-half, two years, has really cleaned out some of the bad players. It's also put the big players on notice. You know, many of them have gone and consolidated their list of acceptable suppliers, and they've added a broader set of risk evaluation criteria such as continuity and crisis preparedness. So I think those are all good.

The last thing is being able to put some real-time monitoring in place where you're actually monitoring issues, particular risk issues or risk events, and you're able to understand the impacts of those events at different points in your supply chain. Even though you don't have ownership of them or you're relying on a third party, you make the assumption that they're going to fail, and when you're monitoring their environment and you perceive there's any potential failure, that's when your process really is triggered for trade disruption, and that's when you start to execute your response strategy. You're not waiting for your partners to respond. You're basically doing things independently of them, “trust but verify and monitor” and the real-time monitoring gives you that ability to do that.

Q: Talk about the technology that is leading the way these days when it comes to risk management.

A: One significant trend is an expansion of the tracking systems that are in place, whether they're specific technologies, whether it's GPS or RFID, which is used to obviously track the efficiency. It's also taking things that are used in the logistics industry, expanding that to incorporate some of those risk factors beyond what is perceived as the daily tolerance for problems.Predictive analysis tools are then used to better forecast risk, such as security and shrinkage. So those types of systems and the expanded use of those systems or other applications to track and to be part of a trade-recovery or a commerce-recovery process if you have failure.

Q: So it is possible to take an existing system and maybe add modules to it rather than having to rip everything out and start from scratch?

A: Absolutely. And some of the architecture really has to be challenged. So if you've got an ERP system that's looking at things in a modular fashion, then instead of designing the risk elements into each of the modules, you need the capability to look across multiple modules. You need to be able to look at the flow of the product, the information, and the cash to see again where you are going to have the greatest risk.

Q: You also believe demand should trump supply when it comes to risk management. Your book talks about healthcare and vaccinations for H1N1. But demand is so volatile, especially with something like that. You can go for months without needing anything and then all of a sudden you need millions of doses right now. How do you handle that kind of volatility without building up massive inventory?

A: I think it starts with the fundamentals; as we've seen before, we need systems. The tendency when looking at the demand side, especially through a risk lens, is to look at the threats to the demand. In other words, threats as they relate to the buyers, threats as they relate to the market itself. Now, that's OK, but there are just too many variables there. So from the demand side, that means understanding the impact of demand significantly changing or being volatile, and translating that into looking at failure of demand or looking at a huge uptick in demand, and then starting to understand what each inflection point translates into from a risk standpoint. What is your threshold or tolerance before the risk becomes a real concern? Doing all that requires you to understand all the variables in the supply chain that supports that product.

So for, say, a bottle of water. If the demand at a particular threshold is going to tax your ability to get a hold of certain resins, it really starts to change the decision about how you manage risk, how you manage the supply chain for that particular bottle of water. But when you do the analysis and you start to say, well, I've now been able to look at these thresholds, plot all these different impacts that you have at different levels. As you plot these things on a chart, you can see what parts of the product are going to cause you more pain or less pain. It could be products that are used in the production process, such as certain gases, or it could be availability of materials that are actually part of the product.

The tendency is to just make the assumption that it's the whole, when in fact you have to dissect the part, measure all the individual pieces, and then really start to plot all these things on a common axis so you can see which ones of these parts with rapid demand is going to cause you the greatest pain. That's where you need to focus your strategies.

Q: Is it possible to go overboard with risk management and, if so, where do you draw that line?

A: It's absolutely possible to go over the top from a risk-management standpoint where you find out that the risk management has slowed your speed or slowed your service or impacted your ability to innovate. That's why I think it certainly needs to be layered in and integrated, and most importantly measured. The challenge is doing that, trying to get to the point of the balance.

But in answer to your question, yes, I think we can over-control the risk. That happens when the measures and the metrics aren't in place where you're not measuring impacts, where you're trying to chase different threads and you believe a particular thread is more important than another thread. When you take the shortcuts on the measurement side from an impact and investment standpoint, I think that's where you really start to get in trouble and you get out of whack with the ultimate decision process. And when you do that and you measure it, the person that's conducting the analysis is not the decision-maker, and they have to bring that data forward so that the real decision-makers can do what they do every day in business.

Q: So talking about the leaders in supply chain and risk management, who's leading the pack? What industries?

A: The ones that really jump out are some of the larger high-tech manufacturing companies, especially those that are in the hardware manufacturing business. Certainly, some of the global energy and mining companies who have been almost perfectionists at trying to measure and manage the financial risks are now spending a lot more time on managing the product risks, and certainly the cash risks as well. So I'd say the energy industry, oil and gas in particular. However, on the refinery side, it doesn't seem to be as strong as those companies, so I want to be careful there.

Public utilities, but they have a different set of criteria. They certainly have a supply chain and they tend to be very good at managing up-time, but there are other issues on the security side that that they're challenged with. A few of the larger mining companies that I've worked with certainly have a good system for managing the broad set of risks—labor, environmental, all part of their supply chain. There are some companies that are very good in managing the innovation risk, their innovation chain. Those are some of the more visible consumer-based electronics companies, high-tech companies. And then believe it or not, there's one or two automakers. They do a really good job in managing the third parties, not just from a quality standpoint, but a broader set of risk criteria, and there are so many companies that are trying to do a better job at managing third-party or supplier risk, depending on how you want to define it, they are just struggling. That, to me, is the number one issue that these companies are really trying to address: figuring out better ways to manage the supply area risk.

Q: For companies seeking to get on the path to sound risk management, what are the initial steps they should take?

A: Well, with supply chain risk management more than anything else, you need a hook and/or a success story. My suggestion would be to, as your target, use what is significantly going to change in the next few months—whether it's a major platform change on the technology side, whether it's a new product offering, a new product line, whether it's an acquisition, an integration of that company.

If you start with that as your target, something that's already changing, then you start to defuse that first bomb that's going to hit you, which is the corporate political bomb of “We're doing everything right, why are you challenging us?” Use change as your hook and then, as you look to manage the risk, you look to the fundamental elements of prevention and response. In order to do prevention, you need to identify it, you need to assess it, you need to assess the impacts to it, you need to measure it.

Then you could look at solutions, whether they're solutions to mitigate the risk, insure or finance the risk, or monitor the risk, realizing there's not much you can do. But you can respond quickly if something goes wrong. Or if it's a systemic failure at a particular port, shipping lane, cargo facility, make sure you have already thought through that scenario and can move quickly on it. I think those are the places to start to build that capability on the reaction and response side as well.

This complete article is available to subscribers only.
Click on Log In Now at the top of this article for full access.
Or, Start your PLUS+ subscription for instant access.

SC
MR

Sorry, but your login has failed. Please recheck your login information and resubmit. If your subscription has expired, renew here.

From the March-April 2010 edition of Supply Chain Management Review.

March-April 2010

Business today is unrelenting. Just as you’ve finished up a dynamite promotion campaign or launched a superefficient distribution center, the market has a tendency of saying, “Not bad, but what have you done for…
Browse this issue archive.
Download a PDF file of the March-April 2010 issue.

Download Article PDF

Gary Lynch is managing director of the Supply Chain Risk Management Practice at Marsh, Inc. He also leads Marsh's Global Pandemic Response Center. Prior to Marsh, Lynch has held operational and IT risk positions at Booz Allen Hamilton, Chase, Prudential, and Ernst & Young. His latest book, Single Point of Failure: The Ten Essential Laws of Supply Chain Risk Management, discusses what supply chain managers need to know about risk in the current economy. Here, he talks with Supply Chain Management Review Associate Editor Sean Murphy about the book and risk management best practices.

Q: Why is supply chain risk management so important today?

A: Along the supply chain (the flow of goods, cash and information), threats are more pervasive and impacts more extreme and vulnerabilities are more relevant to organizations that operate global and are interdependent on others to create and deliver value to the markets they serve.Many of these vulnerabilities exist outside the scope of control of the organization, many layers removed (beyond wholesalers, distributors, 1st tier suppliers) up or downstream in the supply chain.

Supply chain risk and supply chains mirror what role supply chain has taken on in business—and in many cases, in the role of commerce in a country and the success of the country. You look at the way supply chain has morphed from that of an operational issue of things that we had to do in order to bring value to our customers, to now being a strategic issue, and a political issue in many cases. Now introduce this whole concept of global interdependency as well.

The reality is that threats are more pervasive, and they seem to be more impactful these days—whether it's larger hurricanes or typhoons or earthquakes as we've seen. And because the supply chains are spread around the globe, and they're constantly changing, the unknown is more common, so vulnerabilities are absolutely more relevant. So, I think that's the biggest challenge and what's really promoting risk to be a top issue right now.

Q: How is risk management different for a company that runs a mostly domestic operation, as opposed to a company that has many partners around the globe?

A:  The first question I would have is, are you really domestic? You believe that you're contained, even if you're a local coffee shop, and then you start to dissect your so-called business chain, your supply chain. And you realize, okay, well the coffee lids are coming from here, the cups are coming from there. Even the utilities I rely on. Look at energy as an example, which is necessary to keep my business going. It is something that no longer exists in my so-called “small, domestic environment.” It's something I've contracted and is being sourced from elsewhere, and I need to understand what are my key external dependencies.

So, the first question we'd have to tackle is, are you truly domestic? And if you are domestic, the way that it's different goes back to that definition of how to look at risk, or measure risk, and that is, can you identify uncertainty? If you're domestic and truly very, very local, you probably better understand what drives uncertainty and you can probably better measure your exposure to uncertainty. You have more predictability, so to speak, on the uncertainty piece. And you certainly would have a much better handle on the exposure to uncertainty, which represents vulnerabilities in your supply chain. So, smaller number of elements, less complex, more familiar, less unknown… these obviously translate into an easier time at managing risk.

Q: You talk in your book about people needing to embrace change. We had an article in
SCMR recently which very bluntly said that companies that don't change, like Digital Equipment Corporation or Circuit City or Chrysler, become companies that are unfortunately famous for another reason. Is change a key part of risk management?

A:  Change is probably the number one or two most important issue in risk management. And that puts such a burden on the organization to ensure that they develop the systems and the standards from a risk management standpoint to deal with change. So embracing change, building the systems and standards, are even more important and more relevant today. And change happens at so many levels, all too often I hear that an organization has acquired other organizations and that years later the systems that support the flow of information and goods have not been integrated. Information is rekeyed, intermediary systems are put in place (adding yet another layer of complexity and cost) to handle the transition of information between two disparate ERP systems. And at a macro level, the change and risk associated with the strategic footprint of the placement of suppliers, manufacturing and distribution centers must be considered.

Q: If, in fact, change management is the way to survive economic problems like the recession, and smart companies have accepted that idea, does that make the concept of risk management easier or harder for them?

A: I think it makes it harder. When we look at the reality of today's situation, everyone is so tuned into their own function, their own incentives, their own boundaries. Quite frankly, that's not the way clients or customers look at the products they get. They don't care whether the transportation failed or the warehousing was a problem. They just want the products when they want them and where they want them. The big challenge now, from a risk management perspective, is how do you get people to look beyond their functions and at what's needed to create, deliver and service value? You're asking for a cultural change, a behavioral change. How do you get them to look beyond their functional roles at a time when, quite frankly, many of them are worried about either their jobs or their company surviving through the economic crisis.

Q: In your book, you talk about the concept of supply chain management touching everything and everybody in the company. Yet siloing can be a problem in some companies. What's your key to getting through the silos so that people can understand that everybody is at risk?

A:  Well, depending on whether your audience is internal or external partners, obviously you want to put the pressure on in different ways. I think those who have succeeded have really done a good job of putting a system in place to measure the risk, both from an impact standpoint, and also from an investment standpoint. Where they had the greatest success is trying to measure the impact to a particular revenue stream, cash flow, product, set of SKUs. In building their impact and investment argument, they started to look at something that was a lot more tangible than the so-called organization. Just as I said in the book, everybody is part of the chain. You have to articulate that through getting the product managers on board first, and getting them to acknowledge that their revenue is potentially being threatened.

Q: It seems that any major initiative like this should come from the top down, but what happens when you run into an obstinate CEO who just doesn't want to embrace risk management?

A:  I'm going to give you actually two thoughts on this. The reality is, I think in some cases, it's a hopeless cause, meaning that you will just have some individuals who will just be totally unconscious, or ignorant, to risk and ultimately lead organizations into destruction. And actually, when I was working at one organization my boss, a senior executive, decided to categorize our executive managers as it relates to risk into three categories: They were either considered risk-takers, which was the majority; the enlightened, which were the ones that considered risk early in their business decisions; or the ignorant or brain-dead. The reality is you can do a lot to try to change those that are brain-dead. But at the end of the day, if those are the people that are leading your organization, you might want to think about working for another organization.

Now, that's said in extreme. The other option is to really understand the motivations for why they are ignoring the risk. And if it truly is pressures around margins or survivability at the company, or because they haven't felt the pain, I think that's where and when you're managing supply chain risk. You need to prioritize risk management activities around those things of greatest value and the greatest pain points. This is really where you need to spend the time and allocate the dollars. If I were to use a large beverage manufacturer as an example, and I tried to tackle this at the functional level, that's probably not the right place to go to get some of the confidence you need in the executive management team. You really do need to go to that leading product, whatever it might be, to get them to acknowledge that yes, this is the real thing of value here and it can be measured. You also need to translate that into real dollars, from an impact standpoint. And it's not always revenue that's threatened. Sometimes it's liquidity that's threatened, and as we know, it's the strategic value of the organization, the brand, or ability to comply with certain standards. So, all those have to be articulated, and depending on where you are in the marketplace, it's the risk manager's job to put more emphasis on one versus the other.

Q: You book describes ten different laws of risk management (see accompanying sidebar). Which are the most important?

A: Two stand out. One we've already talked about, which is the change law: if you don't manage and lead change, you're going to have to surrender to it. The other one was the “laws of the law,” which we talk about in the book's preface, when you look at the precepts about everyone being part of the supply chain. No risk strategy is a substitute for bad decisions. It's all in the details, and people operate from their self-interest. That really represents the behavioral and the management aspects of the problem. If we don't tackle those things, or we don't understand and acknowledge and address those issues, then it doesn't really matter what we do from a mechanical standpoint in any of the other laws.

Q: You've suggested that stakeholders, which you defined as including investors (shareholders), business partners, governmental organizations, and customers, should be setting the risk-management priorities and the paradigms. Doesn't it seem a little counterintuitive to have people who seem to be basically outside of the organization setting these priorities?

A: It's more like a partnership with the stakeholders that are leading in the dance. However, they're often not even brought to the dance, and here's where it becomes important. Here's a particular example: Let's say you're working on trying to manage a number of risks across the supply chain, whether it's in transportation logistics, sourcing, third-party sourcing, whatever it might be.

So you're trying to manage or address some of these risks, and at the end of the day there has to be an investment made against that. Well, somebody has to pass judgment as to what's the threshold for pain and then, of course, how much investment needs to be made against that threshold of pain. What am I willing to accept in the supply chain as far as variability or volatility—and then if it's not met, it's going to cause me pain? Well, it gets back to that question of who's going to feel the pain? Certainly management is going to feel the pain, and the executives are going to feel the pain. But ultimately, the people who are going to really feel the pain are the investors, business partners, clients or customers, and what we've experienced most recently during the financial meltdown is governments who rely on these huge organizations for economic stability or tax revenues. So when we get to these really tough investment decisions, I always ask the management team what are the expectations of those that you're providing your product to, and have you ever had a conversation with them as to what are they willing to accept?

Q: It sounds like the key takeaway here is not so much that you need to be putting the stakeholders in charge, but don't forget they're there either.

A: Yes. Well, that's another way to say it. As long as we ask them the question and empower them. If the stakeholders don't do a good job at defining it, then the burden is on you to define, and have you met the expectation? And that's always the challenging question.

Q: Now, once the stakeholder paradigm is in place, how do you take it to your partner organizations, and make it work?

A: You need to clearly articulate what you want from your clients in a very, very consistent way, whether they're large or small and you need to understand what it might cost or what tradeoffs to service or quality need to be made to achieve it. I brought out examples in the book of some companies that do it in an automated way, and put the expectations on websites. The companies are constantly out with the clients, the providers, the suppliers. They're working with them, and I think that's extremely important.

But you may not have the resources, the time, the management attention or the capital to address all these risks. So if you're going to look at third-party risk, and some large multi-national organizations have 30,000 suppliers, you have to do it within the context of the thing of greatest value in your organization that you're creating. You've got to turn the argument away from the totality of the company and the totality of the supply chain network. You have to begin with what's the greatest value to the company in the marketplace. Is it a particular product, is it a future product, is it a combination of those things? You know, Nike and WalMart and others have a consolidated set of suppliers, a much greater influence. But of course, that's only good for the guys that have tremendous leverage in the market. If you don't have the leverage that a Toyota or a WalMart, then you're forced to really start to be creative.

In nine out of 10 cases that I've been exposed to, I'd have the conversation with the suppliers about expectations, or asking them how they define risk, what are the business risk objectives and their approach to managing risk such as continuity planning. Just that conversation alone seems to have more effect than almost anything else and gets them moving in the right direction, and putting them on notice—just by asking the questions, it forced the upstream suppliers to do a lot.

Q: And if worst comes to worst, you find a new partner.

A: Exactly. And I think the recent financial crisis with the drying up of trade credit and trade finance over the last year-and-a-half, two years, has really cleaned out some of the bad players. It's also put the big players on notice. You know, many of them have gone and consolidated their list of acceptable suppliers, and they've added a broader set of risk evaluation criteria such as continuity and crisis preparedness. So I think those are all good.

The last thing is being able to put some real-time monitoring in place where you're actually monitoring issues, particular risk issues or risk events, and you're able to understand the impacts of those events at different points in your supply chain. Even though you don't have ownership of them or you're relying on a third party, you make the assumption that they're going to fail, and when you're monitoring their environment and you perceive there's any potential failure, that's when your process really is triggered for trade disruption, and that's when you start to execute your response strategy. You're not waiting for your partners to respond. You're basically doing things independently of them, “trust but verify and monitor” and the real-time monitoring gives you that ability to do that.

Q: Talk about the technology that is leading the way these days when it comes to risk management.

A: One significant trend is an expansion of the tracking systems that are in place, whether they're specific technologies, whether it's GPS or RFID, which is used to obviously track the efficiency. It's also taking things that are used in the logistics industry, expanding that to incorporate some of those risk factors beyond what is perceived as the daily tolerance for problems.Predictive analysis tools are then used to better forecast risk, such as security and shrinkage. So those types of systems and the expanded use of those systems or other applications to track and to be part of a trade-recovery or a commerce-recovery process if you have failure.

Q: So it is possible to take an existing system and maybe add modules to it rather than having to rip everything out and start from scratch?

A: Absolutely. And some of the architecture really has to be challenged. So if you've got an ERP system that's looking at things in a modular fashion, then instead of designing the risk elements into each of the modules, you need the capability to look across multiple modules. You need to be able to look at the flow of the product, the information, and the cash to see again where you are going to have the greatest risk.

Q: You also believe demand should trump supply when it comes to risk management. Your book talks about healthcare and vaccinations for H1N1. But demand is so volatile, especially with something like that. You can go for months without needing anything and then all of a sudden you need millions of doses right now. How do you handle that kind of volatility without building up massive inventory?

A: I think it starts with the fundamentals; as we've seen before, we need systems. The tendency when looking at the demand side, especially through a risk lens, is to look at the threats to the demand. In other words, threats as they relate to the buyers, threats as they relate to the market itself. Now, that's OK, but there are just too many variables there. So from the demand side, that means understanding the impact of demand significantly changing or being volatile, and translating that into looking at failure of demand or looking at a huge uptick in demand, and then starting to understand what each inflection point translates into from a risk standpoint. What is your threshold or tolerance before the risk becomes a real concern? Doing all that requires you to understand all the variables in the supply chain that supports that product.

So for, say, a bottle of water. If the demand at a particular threshold is going to tax your ability to get a hold of certain resins, it really starts to change the decision about how you manage risk, how you manage the supply chain for that particular bottle of water. But when you do the analysis and you start to say, well, I've now been able to look at these thresholds, plot all these different impacts that you have at different levels. As you plot these things on a chart, you can see what parts of the product are going to cause you more pain or less pain. It could be products that are used in the production process, such as certain gases, or it could be availability of materials that are actually part of the product.

The tendency is to just make the assumption that it's the whole, when in fact you have to dissect the part, measure all the individual pieces, and then really start to plot all these things on a common axis so you can see which ones of these parts with rapid demand is going to cause you the greatest pain. That's where you need to focus your strategies.

Q: Is it possible to go overboard with risk management and, if so, where do you draw that line?

A: It's absolutely possible to go over the top from a risk-management standpoint where you find out that the risk management has slowed your speed or slowed your service or impacted your ability to innovate. That's why I think it certainly needs to be layered in and integrated, and most importantly measured. The challenge is doing that, trying to get to the point of the balance.

But in answer to your question, yes, I think we can over-control the risk. That happens when the measures and the metrics aren't in place where you're not measuring impacts, where you're trying to chase different threads and you believe a particular thread is more important than another thread. When you take the shortcuts on the measurement side from an impact and investment standpoint, I think that's where you really start to get in trouble and you get out of whack with the ultimate decision process. And when you do that and you measure it, the person that's conducting the analysis is not the decision-maker, and they have to bring that data forward so that the real decision-makers can do what they do every day in business.

Q: So talking about the leaders in supply chain and risk management, who's leading the pack? What industries?

A: The ones that really jump out are some of the larger high-tech manufacturing companies, especially those that are in the hardware manufacturing business. Certainly, some of the global energy and mining companies who have been almost perfectionists at trying to measure and manage the financial risks are now spending a lot more time on managing the product risks, and certainly the cash risks as well. So I'd say the energy industry, oil and gas in particular. However, on the refinery side, it doesn't seem to be as strong as those companies, so I want to be careful there.

Public utilities, but they have a different set of criteria. They certainly have a supply chain and they tend to be very good at managing up-time, but there are other issues on the security side that that they're challenged with. A few of the larger mining companies that I've worked with certainly have a good system for managing the broad set of risks—labor, environmental, all part of their supply chain. There are some companies that are very good in managing the innovation risk, their innovation chain. Those are some of the more visible consumer-based electronics companies, high-tech companies. And then believe it or not, there's one or two automakers. They do a really good job in managing the third parties, not just from a quality standpoint, but a broader set of risk criteria, and there are so many companies that are trying to do a better job at managing third-party or supplier risk, depending on how you want to define it, they are just struggling. That, to me, is the number one issue that these companies are really trying to address: figuring out better ways to manage the supply area risk.

Q: For companies seeking to get on the path to sound risk management, what are the initial steps they should take?

A: Well, with supply chain risk management more than anything else, you need a hook and/or a success story. My suggestion would be to, as your target, use what is significantly going to change in the next few months—whether it's a major platform change on the technology side, whether it's a new product offering, a new product line, whether it's an acquisition, an integration of that company.

If you start with that as your target, something that's already changing, then you start to defuse that first bomb that's going to hit you, which is the corporate political bomb of “We're doing everything right, why are you challenging us?” Use change as your hook and then, as you look to manage the risk, you look to the fundamental elements of prevention and response. In order to do prevention, you need to identify it, you need to assess it, you need to assess the impacts to it, you need to measure it.

Then you could look at solutions, whether they're solutions to mitigate the risk, insure or finance the risk, or monitor the risk, realizing there's not much you can do. But you can respond quickly if something goes wrong. Or if it's a systemic failure at a particular port, shipping lane, cargo facility, make sure you have already thought through that scenario and can move quickly on it. I think those are the places to start to build that capability on the reaction and response side as well.

SUBSCRIBERS: Click here to download PDF of the full article.

SC
MR

Latest Podcast
Talking Supply Chain: 2025 trends with Abe Eshkenazi
ASCM CEO Abe Eshkenazi joins the Talking Supply Chain podcast to talk which trends will continue in 2025, and what they mean for supply chain…
Listen in

Subscribe

Supply Chain Management Review delivers the best industry content.
Subscribe today and get full access to all of Supply Chain Management Review’s exclusive content, email newsletters, premium resources and in-depth, comprehensive feature articles written by the industry's top experts on the subjects that matter most to supply chain professionals.
×

Search

Search

Sourcing & Procurement

Inventory Management Risk Management Global Trade Ports & Shipping

Business Management

Supply Chain TMS WMS 3PL Government & Regulation Sustainability Finance

Software & Technology

Artificial Intelligence Automation Cloud IoT Robotics Software

The Academy

Executive Education Associations Institutions Universities & Colleges

Resources

Podcasts Webcasts Companies Visionaries White Papers Special Reports Premiums Magazine Archive

Subscribe

SCMR Magazine Newsletters Magazine Archives Customer Service

Press Releases

Press Releases Submit Press Release