Developing a resilient supply chain risk management policy

by Ulf Venne

A supply chain risk management policy acts like a compass for supply chain risk management decisions. Its role is to ensure that the actions taken by each stakeholder in the supply chain are aligned with the wider strategic and tactical objectives of the organization. Without an effective and clearly communicated policy, those stakeholders could end up pulling in different directions. 

A well-designed supply chain risk management policy has two core elements: First, it defines a catalogue of risks, and the organization’s willingness to tolerate those risks. Second, it describes how responsibility for risk monitoring and mitigation actions will be allocated across the business.  

Figure 1: Supply chain risk management policy defines risks and organizational responsibilities

Step 1 in a supply chain risk management policy: Defining risk appetite

Setting supply chain risk management policy is a balancing act. Businesses know (many from painful first-hand experience) that supply chain problems have costly and long-lasting consequences. That’s why leaders across sectors are making strenuous efforts to get those risks under control.

Figure 2: A comprehensive supply chain risk management policy supports financial and operational business growth.

But risk mitigation efforts come with their own costs: changes to procurement strategies, network footprint, or operational processes can each have an impact on the organization’s cost base, and on its ability to achieve wider strategic objectives. 

And because supply chains are complex and tightly integrated with many parts of the business, the trade-offs between cost, risk and resilience are determined by hundreds or thousands of decisions made at every level in the organization. 

The foundation of a supply chain risk management policy is a clear definition of where your operation lands between risk mitigation and its costs, your “risk appetite” so to speak. That’s the amount of risk that your organization is willing to take in pursuit of objectives that it deems to have value. Put another way, risk appetite is the maximum amount of residual risk that the business will accept after controls and mitigation measures have been put in place. 

Identifying risk appetite tolerances 

Risk appetite depends upon the culture of an organization, its industry sector, and ownership structure, among many other things. It will also vary depending on the type of risk involved, and the parts of the business affected. Companies will have zero tolerance for certain risk types, such as child labor in the supply chain. Other risks may be a normal part of business. Oil and gas companies know that remote production facilities will suffer occasional unplanned shutdowns, for example. 

Your organization’s supply chain risk appetite depends upon its overall risk appetite, and is usually defined in collaboration with senior management and the corporate risk management function. If your business doesn’t yet have clear top-level risk policies in place, its supply chain leaders may want to define their own risk appetite in the interim. 

Automated risk scoring   

Because supply chains are exposed to many different types of risks, leading organizations often use a harmonized scale to allow the evaluation of multiple risk types. Everstream Analytics uses a 25-point scale, for example. Using that scale, companies might define risks up to a certain threshold as acceptable, with an additional “tolerance” for higher risks in certain circumstances, such as smaller projects or activities with high potential rewards.

For example, a beverage manufacturer may decide that weather risk at their manufacturing site and along delivery routes is mission critical due to the potential for product spoilage if deliveries are delayed due to storm, heat, or freeze. But hurricanes heading toward the U.S. Gulf coast wouldn’t worry this beverage company since they have no suppliers or facilities there. 

With those parameters set into the system, along with a digital twin of the company’s supply network, the risk management software would send appropriately scored risk alerts. A pending freeze in the Midwest would carry a higher risk score than a tropical depression forming in the Caribbean.  

Step 2 in a supply chain risk management policy: Allocating responsibilities

The second crucial role of an effective supply chain risk management policy is to establish a framework through which the organization coordinates the actions that keep supply chain risks within their agreed thresholds. That SCRM framework, or template, should determine where in the organization SCRM activities take place, who is responsible for their design and execution, and how risk management is done.

The “where” part of the policy will include all functions and activities that affect the supply chain. Those typically include strategic sourcing and commodity management activities, supply and demand planning, continuity planning in manufacturing, and logistics functions such as transportation planning and execution.  

The “who” element will define individual responsibilities for the leaders of those activities. It will also include the provision of appropriate support, such as a Supply Chain Center of Excellence, and formal collaboration mechanisms to ensure different business functions work together to meet their SCRM goals. 

Finally, the “how” part of the policy provides a top-level definition of the actions the organization wants to take, and the tools and technologies it needs to manage supply chain risks. That might include a comprehensive baseline review of current supply chain performance and risk exposure; guidance for the use of digital risk management platforms such as Everstream AI; and best practice templates for the evaluation of risk in sourcing, planning, continuity management and supply chain execution tasks. 

A supply chain risk management policy is a moving target

Critically, setting supply chain risk management policy isn’t a one-off exercise. An organization’s policy must be dynamic. The risk landscape is constantly changing, supply chains evolve, and risk appetite shifts over time. Companies should make plans to periodically review and adapt their SCRM policy to reflect these changes, and to continually update guidance around processes and tools as new technologies and best practices emerge. 
