Ebook 2nd Edition SCRM For Dummies

These materials are © 2022 John Wiley & Sons, Inc.
Any dissemination, distribution, or unauthorized use is strictly prohibited.

Supply Chain Risk
Management
riskmethods 2nd Special Edition
by Daniel Stanton
These materials are © 2022 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Supply Chain Risk Management For Dummies®,
riskmethods 2nd Special Edition
Published by
John Wiley & Sons, Inc.
111 River St.
Hoboken, NJ 07030-5774
www.wiley.com
Copyright © 2022 by John Wiley & Sons, Inc., Hoboken, New Jersey
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any
form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise,
except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without
the prior written permission of the Publisher. Requests to the Publisher for permission should be
addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ
07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Trademarks: Wiley, For Dummies, the Dummies Man logo, The Dummies Way, Dummies.com,
Making Everything Easier, and related trade dress are trademarks or registered trademarks of John
Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be
used without written permission. All other trademarks are the property of their respective owners.
John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.
LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: WHILE THE PUBLISHER AND AUTHORS HAVE

USED THEIR BEST EFFORTS IN PREPARING THIS WORK, THEY MAKE NO REPRESENTATIONS
OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF
THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION
ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES REPRESENTATIVES, WRITTEN
SALES MATERIALS OR PROMOTIONAL STATEMENTS FOR THIS WORK. THE FACT THAT AN
ORGANIZATION, WEBSITE, OR PRODUCT IS REFERRED TO IN THIS WORK AS A CITATION AND/
OR POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE PUBLISHER
AND AUTHORS ENDORSE THE INFORMATION OR SERVICES THE ORGANIZATION, WEBSITE, OR
PRODUCT MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. THIS WORK IS SOLD WITH
THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING PROFESSIONAL
SERVICES. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR
YOUR SITUATION. YOU SHOULD CONSULT WITH A SPECIALIST WHERE APPROPRIATE. FURTHER,
READERS SHOULD BE AWARE THAT WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED
OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.
NEITHER THE PUBLISHER NOR AUTHORS SHALL BE LIABLE FOR ANY LOSS OF PROFIT OR ANY
OTHER COMMERCIAL DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, INCIDENTAL,
CONSEQUENTIAL, OR OTHER DAMAGES.
For general information on our other products and services, or how to create a custom For Dummies
book for your business or organization, please contact our Business Development Department
in the U.S. at 877-409-4177, contact [email protected], or visit www.wiley.com/go/custompub.
For information about licensing the For Dummies brand for products or services, contact
BrandedRights&[email protected].
ISBN 978-1-119-91102-9 (pbk); ISBN 978-1-119-91103-6 (ebk)
Publisher’s Acknowledgments
Development Editor: Acquisitions Editor: Ashley Coffey

Rachael Chilvers Editorial Manager: Rev Mengle
Project Editor: Business Development
Tamilmani Varadharaj Representative: Jeremith Coward
Table of Contents
FOREWORD...........................................................................................................v
INTRODUCTION................................................................................................ 1
About This Book.................................................................................... 1
Icons Used in This Book........................................................................ 2
Where to Go from Here........................................................................ 2
CHAPTER 1: Managing Risk in the Supply Chain................................ 3

Getting Started with Supply Chain Risk Management...................... 3
Avoiding Common Mistakes................................................................ 5
Focusing risk efforts solely on top suppliers................................ 5
Assessing new suppliers only during onboarding....................... 6
Relying on strong supplier relationships for insights.................. 6
Relying on past experience............................................................. 6
Knowing only first-tier suppliers.................................................... 6
Responding to the Growth of Supply Chain Risk............................... 7
Aligning Demand with Supply Management..................................... 8
CHAPTER 2: Building a Supply Chain Risk

Management Process................................................................ 9
Establishing Your Priorities.................................................................. 9
Mapping Your Supply Chain............................................................... 11
Identifying Your Risks......................................................................... 12
Assessing Your Risks........................................................................... 13
Mitigating Your Risks........................................................................... 14
Visualizing Threat and Impact........................................................... 16
CHAPTER 3: Deciding Which Risks to Monitor................................... 17

Improving Supply Chain Visibility...................................................... 17
Selecting Key Performance Indicators.............................................. 19
Tailoring Your Risk Responses........................................................... 20
CHAPTER 4: Automating Supply Chain

Risk Management...................................................................... 21
Monitoring Dynamic Supply Chains.................................................. 21
Using Technology to Collect Risk Data.............................................. 22
Choosing a Digital Solution................................................................ 24
Table of Contents iii
Optimizing Risk Assessment.............................................................. 24
Understanding Your Sub-Tiers.......................................................... 25
Using Collaboration to Manage Risk................................................. 26
CHAPTER 5: Creating the Business Case for Supply

Chain Risk Management....................................................... 27
Understanding the Challenge of Building a Business Case........... 27
Demonstrating the Benefits of Supply Chain
Risk Management................................................................................ 28
Structuring the Business Case for Supply Chain
Risk Management................................................................................ 29
Managing Compliance Risk................................................................ 32
CHAPTER 6: Ten Keys to Creating a Risk-Aware

Enterprise......................................................................................... 33
Selecting Relevant Supply Chains...................................................... 33
Coverage Across all Risk Areas.......................................................... 34
Monitoring Risks.................................................................................. 35
Assessing Impact and Criticality........................................................ 35
Creating Action Plans.......................................................................... 36
Integrating Processes......................................................................... 37
Managing Change............................................................................... 37
Securing Supply................................................................................... 38
Evolving the Sourcing Paradigm........................................................ 38
Enhancing Supply Network Management........................................ 39
GLOSSARY........................................................................................................... 41
iv Supply Chain Risk Management For Dummies, riskmethods 2nd Special Edition
Foreword
A
s supply chains have become front-page news, at no other
time in recent history have consumers and businesses
alike experienced the importance supply chains play in
their daily lives.
From commodity and mineral shortages resulting from war in

Ukraine, to the bullwhip effect of the no-COVID policy in China,
as well as the emergence of inflation at 40-year highs, supply
chains remain fragile now and into the foreseeable future. Yet
beyond these challenges, organizations and governments con-
tinue to push for visibility and accountability in supply chains in
the form of new regulations demanding ethical standards, such
as the Uyghur Forced Labor Prevention Act in the United States,
Germany’s Supply Chain Act, and the EU Corporate Sustainability
Due Diligence Directive.
Due to such increased pressures, procurement and supply chain

professionals have become inundated and at times overwhelmed
with unforeseeable disruptions that have created new challenges
for meeting supply chain demand and financial targets.
While our first edition of Supply Chain Risk Management For

Dummies remains as relevant as ever, this next edition two years
later gives more attention to supply chain issues and trends that
have increased in importance relative to emerging supply chain
risks and the rapidly changing business environment. Based on
these challenges, this latest edition contains modified sections to
update some of these topics addressed throughout the book. Some
of the areas highlighted include:
»» An increased focus on aligning demand with supply

management
»» The emergence of environmental, social, and governance
(ESG) regulations and the attention given to these by
investors and consumers
»» Addressing advanced technologies to collect and increase
intelligence from supply chain risk data
»» The ability to go beyond Tier 1 suppliers through active
collaboration with suppliers
Foreword v
Of course, without proper planning and the use of technology to
monitor, identify, assess, and mitigate risks, companies of all
sizes leave themselves exposed to the ongoing chaos that takes
shape in the variety of risks that remain in our supply chains.
Since establishing world-class supply chain risk management
will remain a key success driver in the new normal, more organi-
zations will need to redouble their efforts of dedicating the proper
mix of people, processes, and technology.
We hope this new edition will become a functional guide to help

spearhead new supply chain risk management (SCRM) efforts or
improve existing ones in the future.
Sincerely,
Snr. Director of Product & Solutions Marketing, riskmethods
Constantine Limberakis
vi Supply Chain Risk Management For Dummies, riskmethods 2nd Special Edition
Introduction
E
very product has a supply chain. These supply chains are
complex networks of companies from around the world that
depend on one another to efficiently create the things that
we value, and deliver them when and where those things are
needed. You depend on your suppliers. And your customers
depend on you!
Unfortunately, the world is full of risks and uncertainty. From

natural disasters to pandemics, and from financial crises to
cyberattacks, every one of the companies in your supply chain
faces a constant threat of disruption. Clearly, a supply chain is
only as strong as its weakest link. But how do you find the weak
links in your supply chain, and how can you tell when they are in
danger of breaking?
A supply chain risk management (SCRM) system provides visibil-

ity to the people, products, partners, and places that you depend
on to keep your supply chain working smoothly. An SCRM system
can help you avoid preventable risks not only by carefully screen-
ing and monitoring suppliers but also by identifying all threats
along the supply chain and providing the means to collaborate
with your business partners to mitigate risk. And an automated
SCRM system can help you respond quickly to unavoidable threats
such as natural disasters by giving you instant access to the data
and information you need to make good decisions.
In this book, you learn the basics of supply chain risk manage-
ment, and how companies are using SCRM systems to create more
resilient supply networks.
About This Book

Supply Chain Risk Management For Dummies, riskmethods 2nd Spe-
cial Edition, consists of six chapters that explore
»» Managing risk in the supply chain (Chapter 1)

»» Building a supply chain risk management process (Chapter 2)
»» Deciding which risks to monitor (Chapter 3)
Introduction 1
»» Automating supply chain risk management (Chapter 4)
»» Making the business case for supply chain risk management
(Chapter 5)
»» Ten keys to creating a risk-aware enterprise (Chapter 6)
Icons Used in This Book

Icons emphasize a point to remember, or information that you
may find helpful.
The Tip icon marks tips (duh!) and shortcuts that you can use to
make SCRM implementations easier.
The knotted string highlights information that’s especially

important to know. To siphon off the most important information
in each chapter, skim the paragraphs that have these icons.
Where to Go from Here

You can read this book in different ways, depending on why you’re
reading it. You can certainly start at the beginning and skip the
things you already know, but I’ve written the book so that you can
start reading anywhere that catches your eye and then hunt for
additional bits that look interesting.
No matter how you go through the book, you’ll eventually want

to read all the chapters. Each chapter is useful on its own, but the
whole book helps you understand why supply chain risk manage-
ment is important, as well as how to implement your own SCRM
system successfully.
2 Supply Chain Risk Management For Dummies, riskmethods 2nd Special Edition
IN THIS CHAPTER
»» Addressing the growing frequency of
supply chain disruption
»» Defining the role of supply chain risk

management
»» Recognizing gaps in supply chain visibility
Chapter 1
Managing Risk in the
Supply Chain
S
upply chains are complex systems made up of people,
processes, and technology that deliver something of value to
a customer. You depend on your suppliers to deliver the
products and services you need when you need them. And your
customers are counting on you to meet their needs, too.
Throughout the supply chain, risk management helps to ensure
that each company can deliver valuable products and services to
their customers, even when things don’t go as planned.
Getting Started with Supply Chain

Risk Management
Supply chain disruptions are becoming more common in virtu-
ally every industry. There are many reasons for this, but here are
some of the primary issues:
»» Globalization. Companies choose to do business with

partners around the world, taking advantage of differences
in price, access to expertise, and availability of resources.
CHAPTER 1 Managing Risk in the Supply Chain 3
Continuous improvements in logistics and high-speed
communications have made it easier than ever to do
business globally. This also exposes companies to risks
all around the world.
»» Outsourcing. Companies often choose to focus resources
on their areas of core competency and outsource other
business functions to suppliers who specialize in those
areas. As a result, companies become extremely reliant
on their suppliers for all of their non-core functions.
»» Lean. Companies aim to streamline their supply chain
operations by increasing the speed of their processes and
reducing inventory. Examples of this include JIT (just-in-time)
inventory strategies that deliver products exactly when
they’re needed. A disadvantage of Lean is that less inventory
is available to act as a buffer against disruption.
»» Customer expectations. Customers are becoming accus-
tomed to the convenience of making online purchases, and
having products delivered to them quickly and cheaply.
When companies fail to meet customer expectations, they’re
at risk of suffering reputational damage from negative online
reviews and posts on social media sites.
»» Climate change. Changes in the earth’s climate are leading
to an increased frequency and intensity of storms, floods,
and wildfires. It also means the emergence of new supply
chain regulations around the world, and new ways of
assessing how businesses are managing risks from an
operational perspective; for instance, the emergence of
carbon footprint management.
Threats to supply chains are evolving all the time. Pandemics,

geopolitical risks, natural disasters, strikes, sanctions, fires, or
insolvencies are all examples of risks that can cause disruption.
Such disruptions can trigger contractual penalties, production
standstills, drops in sales, and reputational damage. In a world of
increasing pressures and threats, supply chain risk management
(SCRM) is clearly becoming more important.
SCRM is not just about avoiding problems. It can drive direct and
measurable value for procurement and supply chain organiza-
tions by improving business continuity, supply chain visibility,
corporate social responsibility (CSR), environmental, social, and
governance (ESG) performance, regulatory compliance, and sup-
plier relationship management.
A comprehensive approach to supply chain risk management

involves visibility into all types of risk, for all tiers of supply, and
for all members and nodes of the supply network (more about
these “risk objects” in the next chapter). When done well, SCRM
can protect a business from harm and enable higher levels of
performance.
Supply chain risk management is the process of monitoring, iden-

tifying, assessing, and mitigating risk in your company’s supply
network — in collaboration with your supply base.
Avoiding Common Mistakes

Most procurement and supply chain organizations understand the
principles of risk management and have plans in place to address
risk. But their approach to risk management is often based on
unreliable assumptions. Here are five common mistakes that can
lead to expensive problems.
Focusing risk efforts solely

on top suppliers
Some companies look at their top suppliers by value, or perhaps
the suppliers that make up 80 percent of their spend and focus
risk efforts on those. Such risk management efforts focus on the
suppliers where the chance of a disruption is greatest, and where
the revenue impact would be most severe. However, risk man-
agement really needs to consider all your active suppliers. It is
through this process that you determine the likelihood of disrup-
tion and impact. A major vulnerability in many supply chains are
suppliers who provide a small amount of specialized materials or
number of components. Even though the purchase volumes are
small, disruption of these supplies can result in major manufac-
turing delays or even plant shutdowns.
Assessing new suppliers only
during onboarding
Evaluating suppliers during onboarding is great, but things
change. Suppliers can get into financial trouble, and labor dis-
putes can arise from seemingly trivial issues. Even the likelihood
of a natural disaster affecting a plant might increase because
of changing weather conditions. Or the supplier’s own internal
strategy might increase the risk for the buyer.
Relying on strong supplier

relationships for insights
Every supplier has a responsibility to do what is in their
company’s best interest, and this sometimes prevents them
from sharing important information about risk. Or your contact,
such as the supplier’s salesperson, may not even be aware of sig-
nificant risks. Too many buyers have been unpleasantly surprised
by receiving a bankruptcy notice from one of their suppliers.
Relying on past experience

Long-term supplier relationships may have a lower risk, but
they’re not risk-free. If the chance of a major risk event is 1 in
20 in any given year, then you might go 20 years without any-
thing happening. Yet the risk is there, even if you haven’t expe-
rienced it. It’s also important to realize that suppliers open new
factories, move their distribution centers, and negotiate new con-
tracts over time. Every change to a supplier’s business introduces
new risks to your supply chain.
Knowing only first-tier suppliers

Companies may know who delivers directly to them, their Tier 1
suppliers, but they often don’t know their Tier 2 — their suppliers’
suppliers. Or the Tier 3 suppliers who deliver to the Tier 2s. In
some cases, multiple Tier 1 suppliers all buy from the same Tier
2 company. Should a disruption occur in this second tier, then all
of the Tier 1 suppliers will be affected. Changing suppliers can
be complex, time-consuming, and expensive. Even finding other
supply sources doesn’t mean that those suppliers have enough
capacity to meet your demand. Timing and capacity are critical
when you’re counting on a backup supplier to protect your supply
chain from disruption.
Responding to the Growth

of Supply Chain Risk
Supply chain risks are a serious problem. That’s why companies
need to implement a comprehensive supply chain risk manage-
ment program to secure supplier relationships, prevent supply
bottlenecks, and ensure that supply chains are operating both
legally and ethically.
Many large companies have already invested in custom-built

supply chain risk management programs. These systems can be
complex and expensive, and often require teams of experts to
maintain. But emerging technologies such as artificial intelli-
gence, machine learning, and easy-to-use flexible modern inter-
faces are quickly changing the way that companies think about
supply chain risk management. Such solutions combine analytics
with early warning signals so you can react faster to threats. With
the right technology solution, a comprehensive SCRM program is
now available to meet the needs of organizations of any size.
MANAGING RISK DURING THE

CORONAVIRUS CRISIS
The outbreak of a new coronavirus originating in China has had an
enormous global impact. As factories shut down and entire regions
were locked down in China in early 2020, the pandemic had already
begun spreading to countries around the world. Companies that used
automated supply chain risk management were able to quickly identify
the effects that the virus was having on their suppliers, as well as the
potential impacts on the transportation industry. By monitoring key
performance indicators (KPIs) and evaluating risks as they emerged,
these companies were able to anticipate disruptions, implement risk
responses, and minimize the negative financial impacts. Some compa-
nies even used this information to identify market opportunities and
gain a competitive advantage.
Aligning Demand with
Supply Management
Supply chain risk management is useful for any business that
relies on external resources for value creation, because their sup-
pliers and vendors also face risks. One example is the microchip
shortage and its impact on upstream supply chains. The global
microchip shortage in 2021 has continued to wreak havoc on car
manufacturing in 2022. Dealer lots are seemingly empty due to
supply chain issues where millions of cars have never gone into
production.
To be truly valuable, an SCRM solution needs to identify and

highlight the specific risks that are most important to the suppli-
ers and the categories that are most relevant to a particular sup-
ply chain. By providing relevant insights and early warnings to
the correct decision-makers, SCRM makes it possible to respond
more quickly and minimize the impact of disruptions that affect
downstream decisions for production and delivery.
IN THIS CHAPTER
»» Exploring the structure of your supply
chain
»» Defining and analyzing supply chain risk
»» Developing action plans to respond

to risk
Chapter 2
Building a Supply Chain
Risk Management
Process
S
upply chain risk management involves monitoring complex
global business relationships. Companies rely on a smooth
flow of money, products, and information through factories,
distribution centers, ports, and vehicles on every continent. If any
of these flows are interrupted, the result is a cascading series of
expensive problems. To effectively protect your supply chain from
disruption, you need to identify the points of vulnerability, ana-
lyze the risks that could occur, and develop action plans.
Establishing Your Priorities

The first step in building a risk management process is to deter-
mine which parts of your supply chain will be included. Ideally,
your supply chain risk management process should cover all the
products and services that your company purchases, and all of the
suppliers from which you buy them. This gives you a more com-
plete view of potential disruption and impact. But to get started,
CHAPTER 2 Building a Supply Chain Risk Management Process 9
many companies initially prioritize a subset of their total supply
base, and then add the rest of their suppliers to the risk manage-
ment system as quickly as possible and feasible.
You can prioritize which suppliers to start with by evaluating sev-

eral factors, such as:
»» Purchasing volume. Many companies use the Pareto

Principle to identify the 20 percent of suppliers that make up
most (80 percent) of their purchasing volume. This approach
ensures that the suppliers from which you buy the most will
be included.
»» Geography. Supply chain risk management is often needed
in regions that are unstable because of infrastructure,
economic, or political threats.
»» Impact on sales. Evaluating impact on sales can help you
identify suppliers that may have low purchasing volumes
yet have a substantial influence on whether one of your
products or services can be delivered.
»» Customer specifications. Suppliers that are chosen based
on customer specifications may have a higher risk for
insolvency, performance risks, and quality issues.
»» Indirect materials and services. Lack of availability of
indirect materials and services, such as logistics services,
machinery, sales materials, or IT can disrupt critical supply
chain processes.
»» Technology and patents. Dependency on technological
expertise and patents can lead to risky single-source
procurement relationships.
»» Ownership structures. Companies are sometimes an
owner of a supplier because of a joint venture or acquisition.
These supplier relationships may require a higher level of
risk monitoring.
All of these factors can be useful in determining which supply

chain relationships to monitor first. Many companies use a com-
bination of these factors when deciding which suppliers to include
as they start to develop a supply chain risk management process.
Yet only by including the entire supply base and further elements
such as logistics hubs, can companies get a total view of risk.
Mapping Your Supply Chain
Supply chain risk management begins with defining and mapping
out what your supply chain really looks like. A good place to start
is by creating a list of risk objects. For example, your company’s
offices, factories, and distribution centers are all supply chain risk
objects. You can also build a list of your suppliers along with their
physical locations. Other common risk objects, or nodes, include
transportation infrastructure such as highways, ports, canals,
and airports.
The companies from which you purchase materials and services

are your Tier 1 suppliers. About half of all supply chain disruptions
directly affect a company facility, or affect a Tier 1 supplier. The
other half of supply chain disruptions occur beyond, or “below,”
the Tier 1 suppliers. In other words, those disruptions affect the
suppliers’ suppliers. Ideally, an effective supply chain risk man-
agement process should identify risks objects at all of the tiers in
a supply chain.
There are two ways to gather information about the companies

in a supply chain. The first approach is collaborative supply chain
mapping, where each company shares their own information vol-
untarily. The second approach is synthetic supply chain mapping,
where information about companies is collected by scanning
internet databases using artificial intelligence. Here are some of
the most common techniques used for collaborative supply chain
mapping:
»» Survey your Tier 1 suppliers

»» Request a list of risk objects in RFIs (requests for informa-
tion) and RFQs (requests for quotation)
»» Request a list of risk objects during supplier evaluation
»» Request information on risk objects during supplier reviews
»» Request information on risk objects during supplier audits
In many cases, suppliers may be reluctant to share information
about their own supply chains. One way to overcome this resis-
tance is to be transparent about why you need the information
and how it will be used. Another approach is to share risk infor-
mation with your suppliers, helping them get early warnings of
potential threats. In other words, by sharing information, you’re
able to help suppliers do a better job of managing their own sup-
ply chain risks.
Identifying Your Risks

When you have listed the risk objects that you need to monitor in
your supply chain, the next step is to identify the risks that could
impact each one by creating a risk profile.
Risk identification involves research, creativity, and judgment.

Some of the risks that you need to consider are common sense.
For example, suppliers around the Gulf of Mexico are at risk of
hurricanes, and suppliers in Japan may be vulnerable to earth-
quakes. Other risks may not be as obvious, such as whether a
supplier has a good record for worker safety or compliance with
environmental regulations.
Creating a cross-functional team to identify items that should be

added to the risk profile is useful. Buyers, transportation manag-
ers, engineers, supply chain managers, finance specialists, law-
yers, IT managers, and corporate security professionals can all
provide inputs about risks that could cause problems in your sup-
ply chain.
In many cases, it helps to start with a list of risk categories, and

then identify how those categories apply to each supplier’s risk
profile. A few of the common risk categories include:
»» Natural disasters
»» Accidents or explosions
»» Sabotage, terrorism, crime, or cyberattacks
»» Civil unrest, political uncertainty, and wars
»» Labor unavailability and shortage of skills
»» Sustainability, compliance issues
Consider all types of risk, whether external, internal enterprise,
supplier, or distribution risks. High-level categories include
financial, reputational, natural hazard, geopolitical, cyber, and
man-made risks.
Assessing Your Risks
The simplest way to determine how important a risk is to your
supply chain is to look at two factors:
»» Probability: How likely is it that the risk will occur?

»» Impact: How severely would the risk event affect your
supply chain?
No one can predict the future, so it is impossible to calculate pre-

cise values for either. But you can develop a logical process for
estimating each value, and then use this process consistently
when evaluating every risk.
Probabilities can often be estimated using historical data. For

example, the probability of a flood occurring in a particular loca-
tion can be determined by analyzing floods from the past.
Impacts can be estimated in many different ways. In most cases, a

small number of parameters can provide a good overview of criti-
cal dependencies in the supply chain. For example, you can esti-
mate the impact of a risk using the following parameters:
»» Total time to recover (TTR)

»» Degree of substitutability or relocation time
»» Impact on corporate image
»» Availability of qualified alternative suppliers
»» Number of customers affected
»» Costs for corrective marketing and sales activities
»» Impact on sales, margins, or earnings
There may not be a correlation between the level of purchasing
volume and the level of damage that would be caused by the dis-
ruption of a single supplier. That’s why it’s helpful to use lost
sales or lost profit estimates for assessing the financial impact,
instead of just relying on purchasing volume. Putting a value on
such losses is key to establishing the cost of risk. Yet you needn’t
get lost worrying about precision. Calculating the exact number is
not what’s important: it’s the magnitude that matters.
Risk assessment data can be used to create risk scorecards. Put
simply, scorecards assign values for each risk area based on the
likelihood that such events will happen. Scorecards are useful for
integrating risk assessments into other business processes. For
example, a risk scorecard can be used in procurement processes
such as contract award decisions or supplier onboarding. You can
read more about risk scorecards in Chapter 4.
Impact assessment is quite complicated, but supply chain risk

management software automates the process and makes it
much easier to understand where your supply network is most
vulnerable.
Mitigating Your Risks

Monitoring and assessing supply chain risks gives you the visi-
bility you need to develop action plans. When you take action to
reduce the probability or impact of a risk, it is called risk mitiga-
tion. Risk mitigation is the key to becoming proactive about risk
management.
A key component of proactive risk management is collaboration

between your supply chain managers and your suppliers. Ideally,
you’re also connected to their supply base. In this way, you’re
more likely to find out when trouble is brewing within your sup-
ply network.
Action plans are generally constructed around preventive or

reactive measures. Both types should have an owner: a person
responsible for executing the plan. A preventive plan aims to keep
events from happening. Reactive plans ensure fast response in
case of a risk event. Each action plan should describe the pro-
cedure to be followed for each type of event. Many action plans
include information for the people to contact in a crisis situation.
When a risk event occurs, action plans allow your whole team to
respond more quickly, and more effectively.
CASE STUDY: AN EARTHQUAKE
ACTION PLAN
While implementing a supply chain risk management process, a
global telecommunications provider discovered that a key supplier’s
production plant was located in an area with a high earthquake risk.
The enterprise’s executives decided to mitigate the risk of disruption
by establishing an alternative source and taking out contingent busi-
ness interruption insurance. The company also developed an action
plan that would be implemented by the lead buyer if an earthquake
occurred. The plan included the names and phone numbers of the
people who should be contacted to assess any damage and who
would determine how the situation would impact the supplier’s ability
to continue operating. The plan also provided contact information for
the alternative supplier, and, if needed, the buyer could secure capac-
ity and place substitute orders.
Many companies create a catalog of proactive and reactive action

plans, grouped according to risk factors. Some of the common
categories for action plans include:
»» Natural hazards
»» Political situations
»» Sanctions
»» Labor disputes and strikes
Mitigating supply chain risks generally requires investment and
integration with other business processes, so it is important to
have the support of top-level management. Many companies
benefit from integrating risk-reduction practices into their sup-
plier evaluation and development programs. As a result, they’re
able to automate user workflows, assign tasks, and keep a record
of activities for compliance authorities.
Visualizing Threat and Impact
A useful tool in supply chain risk management is to visualize or
plot data on an easy-to-understand graph or chart. Figure 2-1
shows risks plotted based on their potential impact (the vertical
axis) and the probability that they will occur (the horizontal axis).
FIGURE 2-1: Risk management graph.
Add colors to represent the level of risk and impact. In the graph
in Figure 2-1, the risks in the darker area will be given priority.
Symbols add even more data to the visualization. For example,
different shapes represent risks to different parts of the supply
chain, and you can change the size of an object to illustrate the
potential cost of a disruption.
A graph makes it easy to pinpoint the critical risks that have both
a high probability and a high potential impact. Such graphs sum-
marize the risks associated with one part of a supply chain, such
as a supplier or category. Or combine that data to create a risk
visualization for your entire supply chain.
IN THIS CHAPTER
»» Understanding the need for supply chain
visibility
»» Prioritizing supply chain risks
»» Planning your responses to supply chain

risks
Chapter 3
Deciding Which Risks
to Monitor
Y
ou can’t fix a problem if you can’t see the problem. To be
able to determine whether your supply chain is safe or at
risk, you need current, accurate information about what’s
happening at your own facilities, and at your suppliers’ locations.
Having data about key points along the supply chain is also help-
ful, such as highways, ports, and airports. Beyond monitoring
physical sites, you also need to track the status of information
systems, and watch for threats that could affect people, too.
Supply chain visibility helps you respond to threats quickly, and
makes your supply chain more resilient.
Improving Supply Chain Visibility

Supply chain visibility comes from having real-time informa-
tion about the condition of a supply chain, including the people,
equipment, facilities, information systems, orders, and inven-
tory. Before you can manage risks effectively, you need to have a
structured approach to collecting, analyzing, and communicating
information about what’s happening in your supply chain.
CHAPTER 3 Deciding Which Risks to Monitor 17
Rather than jumping straight into data collection, it often helps to
start by creating categories that describe how a risk could affect
your supply chain. For example, here’s a list of risk categories
that many companies monitor:
»» Financial risk. The possibility that suppliers will experience

a business scenario that threatens their financial health.
»» Operational risk. The risk of a supplier not having the
capacity or capability to meet your requirements.
»» Reputational risk. A supplier might engage in an activity
that negatively affects your brand perception.
»» Market risk. The possibility that changes in market dynam-
ics or economics could disrupt your supply chain
relationships.
»» Natural disaster risk. Your supply chain might be disrupted
by a hurricane, earthquake, or other natural hazard.
»» Man-made risk. Your supply chain could be disrupted by
events including oil spills, fires, or explosions.
»» Logistical risk. Shipments could be delayed, lost, or
damaged while being transported to your facility.
»» Geopolitical risk. Global political events such as wars, trade
barriers, sanctions, or civil unrest might disrupt your supply
chain.
»» Cyber risk. Your suppliers could be harmed by a breach of
their information technology systems.
Under these high-level risk categories, you can add more detailed
risk subcategories. For example, the operational risk category
could include subcategories for supplier performance and quality
risks. The decision as to which risks should be included in a risk
scorecard is based on criteria such as:
»» Corporate and procurement strategy

»» Relevance and criticality of risks
»» Availability of risk data
Supply chain visibility should extend beyond monitoring the per-
formance of your Tier 1 suppliers. Disruptions such as natural
disasters, strikes, and accidents can affect critical supply chain
infrastructure, and might affect several suppliers at once. Addi-
tionally, risks such as wars and economic disruptions can affect
entire regions. As the coronavirus demonstrated, disruption
caused by pandemics can also spread across several risk catego-
ries, and disrupt global markets over a long period of time.
Selecting Key Performance Indicators

Once the risks are categorized, the next step is to select the key
performance indicators (KPIs) that allow you to monitor those
risks. KPIs can be quantitative (such as a “current ratio”) or qual-
itative (such as “labor issues”). In many cases, it is more impor-
tant to track changes and trends in a KPI than it is to measure the
KPI value precisely. For example, if the current ratio (a company’s
current assets divided by their liabilities) trends lower for several
months in a row, it could indicate that a supplier is approach-
ing bankruptcy. Following are some KPIs that companies might
include in their risk scorecards:
»» Financial risk
• Ownership structure
• Current ratio
• Credit rating
• Bankruptcy
• Key employee stability
»» Operational risk
• Delivery reliability
• Disasters at supplier site
• Labor negotiations and disputes
• Quality
• Health and safety
»» Market risk
• Patents and intellectual property rights
• Low-cost supplier threat
• Currency exchange rates
CHAPTER 3 Deciding Which Risks to Monitor 19
»» Image and compliance risk
• Labor practices
• Environmental sustainability
• Hazardous substances
• Supplier corruption or bribery
• Cyberattacks
Selecting the right KPIs can provide visibility about whether
a supply chain is adhering to chosen metrics, and ensure that
people are quickly alerted to risks that could lead to a supply chain
disruption.
Tailoring Your Risk Responses

Once the KPIs are selected, the next step is to decide how to use
them to trigger action. Start by defining a range of values that are
considered normal for each KPI. The upper and lower acceptable
values for a KPI are called the control limits or tolerances. If a KPI
changes, but the value is still within this normal range, then no
action is required. But if the KPI falls above or below this range,
then there should be a response to the risk. For example, if a
supplier’s credit score drops below a certain tolerance level, the
response may be to build up safety stock inventory or identify an
alternative supplier.
Sometimes it is useful to set several triggers for a KPI so that

actions can be tailored to occur at different levels. For example,
a small drop in a supplier’s credit score might trigger a small
increase in safety stock inventory. But a large drop in that suppli-
er’s credit score could trigger a complete review of their contracts
and a requirement to source backup suppliers. Setting multiple
triggers ensures that responses are proportional to the severity
of a risk.
Control limits can be used to automate parts of the risk response

process. For example, when a KPI moves out of its tolerances, this
can automatically trigger a response and send a message to the
employees responsible. A major benefit to this approach is that
thresholds and responses are established in advance, so everyone
understands what to do when problems appear. These automated
notifications can increase supply chain resilience by allowing
companies to respond to risks more quickly, and more efficiently.
IN THIS CHAPTER
»» Defining your risk management data
requirements
»» Understanding the need for technology

and automation
»» Communicating risk information with

scorecards
Chapter 4
Automating Supply
Chain Risk Management
S
upply chain risk management involves collecting and ana-
lyzing data efficiently and accurately so that the people
involved can understand the potential impacts and respond
quickly. Monitoring all the risks that have been identified requires
the analysis of such large quantities of data that it would be
impossible to perform manually. Automating this process using
artificial intelligence helps connect the right people with the
information they need, when they need it, so that they can work
together to protect your supply chain.
Monitoring Dynamic Supply Chains

Once you understand the risks that could affect your supply chain,
you need to implement an active monitoring process to keep
the risk profiles up to date. And, of course, you need a way to
detect risks quickly and accurately. Three main challenges exist
when it comes to capturing risk data: volume, relevance, and
standardization.
CHAPTER 4 Automating Supply Chain Risk Management 21
Supply chain risk information includes numerous third-party
sources, such as government lists, social media, and news outlets.
This data needs to be analyzed for relevance by using logic to filter
“noise” from true risk signals. It must be standardized so that it
is easier to interpret, communicate, and integrate into other sup-
ply chain processes. Examples of important risk data from various
sources, along with their ranking formats include:
»» Credit ratings are reported as AAA, AA, BB, and so on

»» Earthquake data is often based on the Mercalli scale of MM I
(hardly felt) to XII (total destruction)
»» Conflict and security are reported on a Global Peace Index
Score on a scale from 1 to 5 (most to least peaceful)
Data can be standardized by converting the reported values to

categories such as no risk, low, medium, or high risk.
Automating data collection, filtering data using logic, and

standardizing formats make it easier to create a comprehensive
risk scorecard that gives a clear, easy-to-understand picture of all
of the risks that are being monitored in a supply chain.
One of the clearest ways to communicate critical information

is with a risk scorecard. Scorecards are designed to summarize
information on an established numerical scale, and that makes it
easier to interpret the data.
riskmethods solves the three key data capture challenges —

volume, relevance, and standardization — with a technology-
driven service called Risk Intelligence that uses big data
monitoring and artificial intelligence to create scorecards
automatically. Risk Intelligence also automates the inclusion and
normalization of third-party data sources, internal data sources,
and supplier-provided data.
Using Technology to Collect Risk Data

Many companies start their supply chain risk management pro-
cess by recording risk information in a spreadsheet. This approach
is labor-intensive and time-consuming because it may be nec-
essary to monitor up to 100 data points for every risk object in
a supply chain. Many of those data points need to be tracked in
real time.
Technology offers many ways to automate the collection of supply

chain risk data. So, you might try internet-based services such as
Google Alerts that provide notification of news stories affecting
your suppliers and facilities. Credit agencies can provide updated
information about suppliers’ financial status. However, many
enterprises start their security chain risk management journey
using such sub-optimal approaches. They quickly learn that if
they want to scale their programs, they need to collect risk data
better, faster, and more efficiently. This helps get buy-in from a
community that may be reluctant to change their ways and adopt
a risk-aware approach to their decision-making and supplier
management practices.
Automating supply chain risk management accelerates the col-

lection of risk data, and helps ensure that information is current,
complete, and accurate.
Because of the volume of data and the speed with which this data
needs to be processed, it makes sense to automate as much of
the supply chain risk process as possible. Automation can reduce
the cost of risk monitoring and alerting, while also increasing the
speed at which critical information is received and processed.
Implemented properly, automation can help ensure that you use

a consistent process for collecting large volumes of data, analyz-
ing relevance, and monitoring risk at a scale and in real time.
Advanced systems combine analytics, artificial intelligence, and
machine learning that can inform you of risk events before they
hit or the relevancy of a supply chain disruption to your supply
chain.
Some companies start by monitoring risks for their most critical

suppliers, or in a specific segment of their supply chain. However,
most quickly find this approach unsatisfactory, because it can’t be
scaled to address all of the important risks that a large company
needs to monitor to protect its supply chain.
Because supplier risk data comes from a variety of sources, it is

fragmented. To see the big picture, companies need a central-
ized, master view of suppliers, supply, and supply chain risk.
This requires flexible solutions that can push or pull dozens of
potential data sources across different risk types into existing
enterprise IT-systems. Such solutions standardize data and inte-
grate it into risk profiles.
Choosing a Digital Solution

Companies that begin their SCRM journey with spreadsheets or a
homegrown database often recognize that such approaches have
limited functionality and can actually introduce new risks. For
example, who is responsible for documenting the system, train-
ing users, and keeping the software up to date?
The better option for companies that need a robust SCRM solution
is to purchase commercial software that has the required features,
and will be supported by a dedicated vendor. Some of the ques-
tions to ask when evaluating SCRM solutions include:
»» Does it use artificial intelligence such as machine learning to

automate risk monitoring, data collection, and relevance?
»» Are risk objects monitored in real time across a broad set of
risk topics at the site level?
»» Does it include tools for creating impact assessments and
planning mitigation activities?
»» Does it include supplier data collection tools such as
automated surveys?
»» Does it provide visibility to multiple tiers in the supply chain?
»» Does it integrate with your current supply chain information
systems and external data providers?
»» Is it hosted in a secure cloud environment and accessible
remotely including on mobile devices?
Optimizing Risk Assessment

Much of the information that’s required for supply chain risk man-
agement is collected directly from suppliers. This could include
information about facility locations, financial performance, and
regulatory compliance. Collecting this risk data manually is time
consuming and labor intensive. Adopting automated risk surveys
can improve the efficiency of this process.
Automated surveys make it easier to collect risk information at

scale. Surveys can be sent to as many suppliers as needed, as often
as needed, to provide an accurate assessment of the current risks
in the supply chain. A well-designed survey is easy for suppli-
ers to complete, which means they’re more likely to provide the
data requested. In many cases, surveys help to standardize the
risk information that’s collected.
Surveys can also be flexible and customized, which makes it pos-

sible to gather different kinds of information from each supplier.
During normal periods, supply chain risk data might only require
annual updates. But during a crisis, surveys can be used to collect
daily or weekly updates. When survey responses are integrated
into an SCRM solution, they can provide a detailed picture of the
risks throughout the supply chain.
Understanding Your Sub-Tiers

A company depends on its suppliers to deliver the products it
needs, when and where they’re needed. Likewise, those suppliers
depend on their suppliers, and so on. While it’s important to have
visibility to the first-tier suppliers, this is still an incomplete pic-
ture. The companies that supply the Tier 1 suppliers are called Tier
2 suppliers, and so on. In some cases, analyzing suppliers at Tier
2 (or beyond) will reveal critical component suppliers. Multi-tier
analysis can also reveal situations where two or more Tier 1 sup-
pliers rely on the same Tier 2 supplier for components. The Tier 1
suppliers are often not aware that they share common customers
and suppliers, so finding and managing these risks requires col-
laboration between many different companies.
Supply chain relationships can be very complex. For example, a

Tier 1 supplier might also sell materials to a Tier 2 supplier. It’s
sometimes easier to talk about Tier-N suppliers when referring to
all the layers in a supply chain.
Using Collaboration to Manage Risk
In a perfect SCRM world, every company would voluntarily share
risk information with their customers and suppliers. In reality,
there are significant barriers to information sharing:
»» Lack of trust, as well as fear that information will be misused

»» Legal concerns about confidentiality and/or anti-trust
practices
»» Lack of data exchange standards or interfaces
»» Difficulty or cost of sharing and updating data
Overcoming these barriers is important, but for suppliers to
actively participate in an SCRM process, they also need to under-
stand how it will benefit them. One way to provide an incentive
for suppliers to share SCRM information is to create a supply risk
network. A supply risk network is a group of companies that col-
laborate on understanding and responding to supply chain risks.
When the companies adopt a common system and processes for
updating and retrieving their risk information, it strengthens the
risk awareness and resilience of all members in the network.
IN THIS CHAPTER
»» Estimating the potential cost of a supply
chain disruption
»» Exploring ways that supply chain risk

management can create value
»» Developing a supply chain risk

management investment strategy
Chapter 5
Creating the Business
Case for Supply Chain
Risk Management
I
mplementing a technology-based solution for supply chain risk
management is a business decision that needs to be framed in
terms of costs and benefits. This chapter will help you deter-
mine the value that effective risk management can provide to
your organization’s stakeholders, as well as to your customers
and suppliers.
Understanding the Challenge

of Building a Business Case
Making a business case for a project that will increase sales or
generate new products by performing a return-on-investment
calculation is a straightforward way to convince stakeholders. But
risk management is different because it is usually about handling
bad things that might happen. In some ways, it’s a lot like decid-
ing whether to buy insurance. That’s why creating a compelling
CHAPTER 5 Creating the Business Case for Supply Chain Risk Management 27
business case for automating your SCRM system requires a differ-
ent approach than most other business decisions.
1. Start by highlighting any weaknesses in the current situation

and identifying the potential implications of supply chain risk
events.
2. Then lay out the vision for an improved situation.
3. Finally, propose a plan, and analyze the costs and benefits.
Once the benefits of a high-performance SCRM program are laid

out, it becomes clear that they are wide-ranging, varied, and sub-
stantial. A business case that combines as much rigor and as many
hard numbers as possible, along with examples from real-world
experiences, can easily justify the needed investment.
You can download a free supply chain risk management brain-

storming template from riskmethods at www.riskmethods.net/
resources/brainstorming-template.
Demonstrating the Benefits of

Supply Chain Risk Management
In terms of procurement and how an organization looks at its
suppliers and supply chain, value comes from capitalizing on
opportunities while minimizing risks.
There are many opportunities for suppliers to help generate value

that ultimately leads to competitive advantage. For example, sup-
pliers can contribute to cost reduction strategies, such as cost
avoidance and efficiency improvements. Suppliers can also sup-
port revenue growth by offering new, innovative products and
services.
The other side of the value equation is risk management. Oppor-

tunities are important, but so is managing the risk that comes
with any supply chain. What happens if a supplier cannot deliver
an order, or if a shipment is significantly delayed? Both risk and
opportunity management are critical to sustainable success.
When companies embrace opportunities such as an acquisition, a
new product, or a technical innovation, they also need to consider
supply chain risks.
Many companies choose to initially focus on three categories
when assessing the benefits of supply chain risk management:
»» Supply chain visibility. Having an SCRM program in place

makes understanding suppliers’ risk exposure easier, and
shortens the time it takes to react to disruptions.
»» Corporate social responsibility and compliance. To
protect a company’s brand, it’s vital that everyone associated
with the brand adheres to standards and regulations. An
SCRM solution can provide alerts about compliance issues
for all suppliers, including the long tail.
»» Supplier relationship management. Incorporating SCRM
into supplier relationships allows for better, risk-aware
decisions.
Structuring the Business Case for

Supply Chain Risk Management
Creating the business case for a technology-based supply chain
risk management solution is a five-step process:
1. Point out the supply chain risks facing an organization.

The goal of this step is to make sure that stakeholders
understand exactly what supply chain risk is. This involves
asking some key questions to highlight where the risks are.
Many companies experienced risk incidents during the
Coronavirus pandemic that can be used as examples.
2. Explain the implications and the cost of supply chain
risks facing the organization. The goal of this step is to
make sure that stakeholders understand the need for supply
chain risk management. This creates the burning platform
that justifies the investment.
3. Describe what automated supply chain risk management
should look like. The goal of this step is to describe the
potential of supply chain risk understanding: up-to-date
market knowledge, rapid information and alerts, and
planned preventive actions.
4. Present the plan. Describe how to achieve the supply chain
risk management vision. The goal of this step is to explain the
proposed solution and what is required to establish it (a
high-level adoption plan).
5. Clarify the costs and benefits. The goal of this step is to
explain the investment and the return on investment, with
financial and non-financial costs and benefits included, along
with a plan for tracking those benefits.
Quantifying the benefits of supply chain risk management often

involves looking across many different functions in a company.
The value of the benefits varies from one organization to another,
and can change over time. Here are some of the important catego-
ries to consider when assessing the benefits:
»» Lowering inventory costs. Supply chain risk management

can enable companies to lower inventory levels, which
translates into working capital and return on capital
improvements.
»» Reducing insurance costs. Insurance firms often offer
reduced premiums to clients with effective SCRM programs.
»» Saving on labor costs. A technology-based SCRM solution
can save time spent gathering information, contacting
suppliers, and managing data.
»» Improving efficiency. Better risk management means more
factory up-time and productivity, and lowers the chances of
stoppages or slowdowns.
»» Accelerating response time. Through early warnings, an
automated SCRM system enables proactive action, and can
ensure a coordinated response to a risk event. This can
reduce costs for overtime and expedited transportation.
»» Getting ahead of price increases. Early knowledge of a risk
event enables faster action, allowing buyers to get ahead of
price increases in the market.
»» Providing first-mover advantage. Companies that have
advanced SCRM monitoring and mitigation can move faster
than competitors to secure critical supplies/inventory or save
capital equipment following a natural disaster or supplier
insolvency.
»» Growing market share. Customers are more likely to buy
from companies that have products available. During a
supply chain disruption, companies with a resilient supply
are able to draw customers away from less resilient
competitors.
»» Advancing brand reputation. Supply chain risk manage-
ment can reduce the risk of reputational damage caused by
product shortages. It can also reduce the cost of product
recalls or advertising aimed at reassuring customers.
For help with measuring the return on investment of a

supply chain risk management program, check out the SCRM
ROI calculator at https://go.riskmethods.net/resources/
scrm-roi-calculator.
In addition to describing what the benefits are, explaining how to

track them is also important. The business case should identify
the key performance indicators (KPIs) or metrics that will help
to identify the outcome from the investment and track whether it
has met its goals.
When calculating the cost of risk, use hard numbers when possi-
ble. In some areas (such as avoidance of catastrophic risk events
or consequences), estimating the value of something that did not
happen is common. In other cases, there will be numbers availa-
ble to support both specific and ongoing investment in risk man-
agement capability and tools.
RECENT CHANGES IN SUPPLY

CHAIN LAWS
In 2022, the US implemented the “Uyghur Forced Labor Prevention
Act” which requires companies to prove that goods they import from
China were not made using slave labor. Starting in 2023, Germany’s
“Act on Corporate Due Diligence in Supply Chains” requires busi-
nesses operating in Germany to provide evidence of ethical standards
of conduct. Companies must implement supply chain risk manage-
ment and document their efforts to minimize or prevent human
rights violations in their direct and indirect supply chains. Under the
EU Supply Chain Law, mid- to large-sized companies that do business
within the European Union will be required to audit suppliers all along
their global supply chains for violations of human rights and environ-
mental conventions.
Managing Compliance Risk
Governments around the world are implementing new regula-
tions that affect the supply chains. Increasingly, regulations in
the areas of environmental, social, and governance (ESG) prohibit
violations of human rights, health and safety, and labor laws.
Violating these regulations can result in costly fines, and worse.
Some compliance risks are unique to specific industries. For exam-

ple, electric vehicles (EVs) are growing in popularity because they
don’t emit harmful gases into the atmosphere. As the technology
develops, automotive manufacturers may need to find whole new
sets of suppliers. Enterprises must make sure that these busi-
nesses also comply to existing and evolving regulations.
To manage compliance risk, every company must do three things.

First, the company needs to have a complete picture of its supply
chain, including what materials are bought, where those materi-
als come from, and how they’re used. Second, the company needs
to be aware of the current and future regulations in each market,
and how those regulations apply to all products in the company’s
supply chain. Once these steps have been completed, the company
can proceed to the third step: evaluating options and develop-
ing an effective compliance strategy. Throughout these steps, it’s
important for the company to document its processes and main-
tain a record of the results. Here, automating compliance report-
ing reduces the time and effort needed.
IN THIS CHAPTER
»» Deciding which supply chain risks to
monitor
»» Implementing an effective supply chain

risk management solution
»» Ensuring that an enterprise is truly risk

aware
Chapter 6
Ten Keys to Creating a
Risk-Aware Enterprise
E
very company depends on having a reliable supply chain. To
survive and thrive in the current environment, businesses
need to collaborate with customers and suppliers to imple-
ment effective supply chain risk management. Automated SCRM
systems can help an organization turn risk into a competitive
advantage, gain customer trust and market share, and protect its
brand. This chapter explains ten keys to assessing a company’s
approach to SCRM and determining which actions to take next to
become a proactive risk-aware enterprise.
Selecting Relevant Supply Chains

To make sure they have an accurate understanding of risk impact
on their organization, some companies monitor their entire sup-
ply chain. Others begin their supply chain risk management
efforts by focusing on specific segments, such as:
»» Direct or indirect material suppliers

»» Suppliers with a high purchasing volume
CHAPTER 6 Ten Keys to Creating a Risk-Aware Enterprise 33
»» Suppliers with a large impact on revenue
»» Suppliers with unique technology and patents
»» Suppliers with specific ownership structures
»» Suppliers tied to customer specifications
»» Suppliers in specific regions
Ideally, companies quickly expand monitoring to include all seg-
ments. For a total view of risk, also consider other supply chain
elements:
»» Direct suppliers
»» Sub-tier suppliers
»» Your own facilities
»» Logistic hubs
»» Customers
»» Countries
Chapter 2 explores how to map your supply chain.
Coverage Across all Risk Areas

Be clear about which risks are being monitored and which metrics
are used to measure them. Some of the risks that might need to
be monitored include:
»» Company risk (financial stability, key employee stability)

»» Supply disruption risk
»» Market and cost risk
»» Environmental, social, and governance (ESG), as welll as
compliance risk
»» Performance and quality risk
»» Individual and industry-specific risk
»» Location risk (natural hazards, strikes, fires, explosions)
»» Country risk (political unrest, sanctions, corruption)
Chapter 4 delves deeper into creating risk graphs and scorecards.
Monitoring Risks
Risk monitoring provides the information you need to make good
decisions more quickly. An early warning system is important
because the sooner you identify risk, the more options you have to
respond to it. A proactive approach to risk identification will also
include structured contingency planning, along with notifications
and updates. You need to evaluate the risk information required
against what is available, along with its importance. Some of the
aspects to consider when evaluating a risk identification process
include:
»» Automating data capture to reduce manual effort

»» Adopting artificial intelligence technologies to analyze
big data
»» Ensuring timeliness for acute risk response
»» Filtering out irrelevant data or “noise”
»» Ensuring that data is accurate and avoiding unvalidated
commentary
»» Building a risk taxonomy and scoring system for immediate
understanding of high, medium, and low risk
»» Providing easy data access, ideally via mobile apps for
employees
»» Utilizing credible, trusted data sources
Read Chapter 3 for much more on monitoring risks.
Assessing Impact and Criticality

There are many ways you can determine the impact that a disrup-
tion could have on a supply chain. A good place to start is to assess
suppliers using the following parameters:
»» Total time to recovery (TTR)

»» Degree of substitutability
»» Time required to switch to an alternative source
Other parameters that can be useful when evaluating how to
respond to a supply chain disruption include:
»» Number of affected customers

»» Technical complexity of material procured
»» Amount of inventory in stock and in transit
To learn more about how to predict the impact of a disruption
using graphs and scorecards, head to Chapter 2.
Creating Action Plans

Having action plans in place makes it easier to respond quickly
when a threat is identified. Some action plans are proactive,
anticipating or preparing for a situation, and others are reactive,
with specific tasks for responding to adverse events. Ideally, risk
action plans will be tailored to situations or conditions that are
based on different risk indicators. Some of the things to consider
when creating an action plan include:
»» Mapping the action plan process, including status and

notifications
»» Assigning responsibilities for each action plan
»» Integrating cross-functional responsibilities
»» Determining how the risk will be treated: avoidance, transfer,
mitigation, or acceptance
»» Using technology to automate action steps
»» Setting up reporting that includes changes in risk profile, risk
events, and actions taken
Chapter 2 has more about mitigating risk with action plans.
Integrating Processes
Supply chain decisions are often spread throughout an organi-
zation. When you integrate supply chain risk management into
other organizational processes, you maximize the value it can
provide. Processes that can be integrated with SCRM include:
»» Spend analytics
»» Sourcing
»» Supplier evaluation qualification / management
»» Purchasing dashboards and reporting
»» Category / commodity management
»» Compliance and corporate social responsibility
»» Supply chain planning
»» Enterprise risk management
»» Transportation management
Chapter 2 has the lowdown on building a supply chain risk man-
agement process.
Managing Change
Incorporating supply chain risk management into an enterprise
usually involves making significant changes to how a business
operates and how important decisions are made. To implement
these changes successfully, you need to address issues such as:
»» Ensuring management and executive level awareness

»» Involving cross-functional partners such as logistics, compli-
ance, insurance, and sales
»» Including risk management in performance goals
»» Resolving conflicting goals
»» Identifying success factors such as training, FAQ-sessions,
process documentation, videos, webinars, and workshops
Read Chapter 5 for more tips on getting executive buy-in for sup-
ply chain risk management.
Securing Supply
One of the keys to building a resilient enterprise is to ensure that
the supply chain does not interfere with a company’s ability to
meet customer commitments. A proactive strategy can be used to
prepare for risks by securing supply based on predictive insight.
For example, if a company can anticipate what its customers are
going to buy, then procurement and supply chain managers can
purchase safety stock inventory to provide a buffer against pos-
sible shortages, or secure capacity from suppliers in advance.
Such preparedness is a requirement for ensuring the continuity of
business operations despite supply chain disruption.
Evolving the Sourcing Paradigm

Supply chain risk management can allow a sourcing program to
expand and better manage supplier relationships. All aspects of
supplier relationship management should prioritize risk, espe-
cially when awarding business to new suppliers.
As companies evolve, the supply base tends to grow and the com-
position changes. As new threats emerge and pressures evolve,
the sourcing process must continue to seek approaches to proac-
tively master supply risks in areas including:
»» Sourcing. Based on price, quality, prequalification scoring,

and risk assessment
»» Financial stability. Based on company reports, credit
ratings, and media stories that provide insights about how a
supplier is performing
»» Logistics. Based on a supplier’s location and the likelihood
of natural disasters, trade disruptions, and delivery
performance
»» Costs. Based on actual or projected changes in materials
prices, labor costs, and currency exchange rates
»» Image/Compliance. Based on violations of environmental
regulations, labor laws, or anti-corruption rules
»» Quality. Based on the process maturity and product quality
of a supplier
Enhancing Supply Network Management

A risk-aware enterprise is able to understand vulnerabilities
while collaborating with supply chain partners. In other words,
the goal is end-to-end visibility and flexibility across all the tiers
in a supply network.
Enhanced supply network management includes having easy

access to current, accurate information about suppliers. This
requires having a master file covering all suppliers, including key
data, that’s regularly updated and verified.
When integrated into a supplier relationship management pro-

cess, these tools can be valuable for sourcing new suppliers. They
can also help to develop better relationships with strategic sup-
pliers, which is especially important during a disruption or when
capacities are limited.
For more on the business case for automating supply chain risk
management, head to Chapter 5.
Risk awareness and effective supply chain risk management rest

on having supply chain visibility. When companies can iden-
tify potential threats, they can proactively assess the impact of
disruption, then apply prepared risk mitigation plans to begin
immediate recovery. Automated systems accelerate threat detec-
tion and warning. And not all supply chain risk management is
enlisted to avoid disruption. Such programs also serve to ensure
compliance or avoid brand damage. These factors, taken together,
result in greater supply chain resilience and business continuity.
WHY MANAGING RISK IS
ESSENTIAL FOR SUPPLY
CHAIN RESILIENCE
Supply chain resilience is the ability of a supply chain to withstand
negative impacts and recover quickly from disruptions. Now, more
than ever, companies are realizing the need for resilient supply
chains, and are acting on this demand.
Traditional approaches to supply chain design focus on efficiency and

cost savings, and rely on forecasts and assumptions about the future.
Such supply chains may be efficient under a narrow set of circum-
stances, but are often fragile and vulnerable to disruptions.
Today, efficiency is not the only metric that matters for success.
Supply chains also need to be resilient, so that they can continue to
function even when surprises occur. Lots of strategies can make sup-
ply chains more resilient, such as reducing single points of failure,
holding buffer inventory, and shortening lead times. While some of
these strategies might add cost to the supply chain, they create value
by reducing the probability or impact of disruptions.
One essential step in any SCRM program is implementing processes

to identify and respond to risks quickly and effectively. Considering
the number of risk objects in a global supply chain, and the various
types of risk that could affect each one, this part of SCRM can seem
overwhelming. Artificial intelligence is playing an increasingly impor-
tant role in SCRM because it can monitor risk across the supply
network in real time, process data faster than humans, and enable
proactive risk management. This means that procurement and supply
chain professionals can react to threats before these become critical,
which serves to strengthen resilience.
The world has clearly become more unpredictable in the past few
years, and this has created unprecedented challenges for supply
chains. Fortunately, advances in SCRM technology are providing us
with better tools so that we can manage all of our current and future
risks more effectively.
Glossary
Active monitoring: A process that constantly assesses the status of a
supply chain, watching for risk and disruption.
Artificial intelligence: The ability of a computer to collect data, analyze

patterns, and make decisions.
Big data: Refers to huge volumes of information that are challenging to

store, process, and analyze.
Collaborative supply chain mapping: Creating a supply chain map

using information that suppliers have shared with you.
Corporate social responsibility (CSR): The expectation that a business

will behave ethically and try to make a positive impact.
Digital transformation: Making major changes to a supply chain to

take advantage of digital technologies.
Disruption: An event that interrupts the flow of money, products, or

information in a supply chain.
Environment, social, and governance (ESG): Three non-financial ways

that supply chains impact people and the planet.
Just in time (JIT): A supply chain management strategy that minimizes

inventory by delivering products exactly when they are needed.
Key performance indicator (KPI): A metric that tracks the results of a

business process.
Lean: A supply chain management strategy created by Toyota that

minimizes inventory and reduces waste.
Machine learning: A branch of artificial intelligence (AI) and computer

science that focuses on the use of data and algorithms to imitate the
way humans learn, and to gradually improve accuracy.
Glossary 41
Qualitative metrics: Measurements of the opinions or perceptions of
supply chain stakeholders.
Quantitative metrics: Measurements of supply chain performance

characteristics such as time, speed, or cost.
Resilience: The ability of a supply chain to function properly during and

after a disruption.
Risk: The potential for an unwanted outcome resulting from an event.
Risk-aware enterprise: A company that has an effective supply chain

risk management solution in place.
Risk identification: Determining events or objects that could disrupt

part of a supply chain, and result in losses.
Risk mitigation: Actions that reduce the probability or impact of risk.
Risk object: Any location in a supply chain, such as a factory or

warehouse, that could be affected by a risk.
Risk profile: A prioritized list of the risks that could disrupt part of a
supply chain.
Scorecard: A document that provides a summary of business informa-

tion at a specific point in time to simplify analysis and communication.
Supply chain: A complex system made up of people, processes, and

technology that is engineered and managed to deliver something of
value to a customer.
Supply chain risk management (SCRM): The process of identifying,

assessing, mitigating, monitoring, and responding to the risks that could
disrupt a company’s supply chain.
Synthetic supply chain mapping: Creating a supply chain map using

information that has been gathered on the internet and collected using
artificial intelligence.
Threat: Natural or man-made event that has the potential to cause

negative outcomes.
Tier: A company’s position in a supply chain. Tier 1 suppliers sell

products directly to your company. Tier 2 suppliers sell products to Tier
1 suppliers. Tier-N refers to all of the suppliers in a supply chain.
Transparency: Sharing visibility information with supply chain partners.
Visibility: Real-time data about the condition of a supply chain, ideally

across all sub-tiers, or Tier-N.
WILEY END USER LICENSE AGREEMENT
Go to www.wiley.com/go/eula to access Wiley’s ebook EULA.

Ebook 2nd Edition SCRM For Dummies

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ebook 2nd Edition SCRM For Dummies

Uploaded by

Copyright:

Available Formats

These materials are © 2022 John Wiley & Sons, Inc.

Any dissemination, distribution, or unauthorized use is strictly prohibited.

riskmethods 2nd Special Edition

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: WHILE THE PUBLISHER AND AUTHORS HAVE

Development Editor: Acquisitions Editor: Ashley Coffey

CHAPTER 1: Managing Risk in the Supply Chain................................ 3

CHAPTER 2: Building a Supply Chain Risk

CHAPTER 3: Deciding Which Risks to Monitor................................... 17

CHAPTER 4: Automating Supply Chain

Table of Contents iii

CHAPTER 5: Creating the Business Case for Supply

CHAPTER 6: Ten Keys to Creating a Risk-Aware

From commodity and mineral shortages resulting from war in

Due to such increased pressures, procurement and supply chain

While our first edition of Supply Chain Risk Management For

»» An increased focus on aligning demand with supply

We hope this new edition will become a functional guide to help

Snr. Director of Product & Solutions Marketing, riskmethods

Unfortunately, the world is full of risks and uncertainty. From

A supply chain risk management (SCRM) system provides visibil-

About This Book

»» Managing risk in the supply chain (Chapter 1)

Icons Used in This Book

The knotted string highlights information that’s especially

Where to Go from Here

No matter how you go through the book, you’ll eventually want

»» Defining the role of supply chain risk

»» Recognizing gaps in supply chain visibility

Getting Started with Supply Chain

»» Globalization. Companies choose to do business with

CHAPTER 1 Managing Risk in the Supply Chain 3

Threats to supply chains are evolving all the time. Pandemics,

A comprehensive approach to supply chain risk management

Supply chain risk management is the process of monitoring, iden-

Avoiding Common Mistakes

Focusing risk efforts solely

CHAPTER 1 Managing Risk in the Supply Chain 5

Relying on strong supplier

Relying on past experience

Knowing only first-tier suppliers

Responding to the Growth

Many large companies have already invested in custom-built

MANAGING RISK DURING THE

CHAPTER 1 Managing Risk in the Supply Chain 7

To be truly valuable, an SCRM solution needs to identify and

»» Defining and analyzing supply chain risk

»» Developing action plans to respond

Establishing Your Priorities

CHAPTER 2 Building a Supply Chain Risk Management Process 9

You can prioritize which suppliers to start with by evaluating sev-

»» Purchasing volume. Many companies use the Pareto

All of these factors can be useful in determining which supply

The companies from which you purchase materials and services

There are two ways to gather information about the companies

»» Survey your Tier 1 suppliers

CHAPTER 2 Building a Supply Chain Risk Management Process 11

Identifying Your Risks

Risk identification involves research, creativity, and judgment.

Creating a cross-functional team to identify items that should be

In many cases, it helps to start with a list of risk categories, and

»» Probability: How likely is it that the risk will occur?

No one can predict the future, so it is impossible to calculate pre-

Probabilities can often be estimated using historical data. For