Rate supply chain risk by scoring

by Ulf Venne

What could go wrong in your supply chain? Natural disasters, material shortages, port congestion, supplier bankruptcies, strikes, fires, child-labor scandals—the list is long. And the sheer number of risks is only part of the problem. 

As companies seek to take a more proactive approach to supply chain risk management, risk diversity presents a major challenge. Effective management requires an organization to determine how much risk it is willing to tolerate in its operations and where it will deploy its resources to monitor and mitigate those risks. That’s difficult to do when the probability, scale, duration, and impact of risk effects are so different. 

Supply chain risk scoring principles 

The quest for a common language to describe multidimensional risks has driven the development of sophisticated risk-scoring systems. This is an emerging field in supply chain risk management, and there is yet no standard approach. Nevertheless, the principles of risk scoring are relatively straightforward. 

  • Risks of all types are rated on a common numerical scale, with zero representing no known incidence of risk and the highest number on the scale representing the highest known severity of that risk. 
  • The scale is chosen so that it permits sufficient granularity to track subtle changes in risk profile over time and between locations. Since risk scores can only ever be estimates, however, scoring systems should not pretend to offer an excessively high degree of precision. At Everstream Analytics, we rate risks on a 0 to 25 scale. 
  • Risk scores are calculated at an appropriate level to support strategic and tactical supply chain decision-making. That could vary from the level of individual production sites and supply chain nodes all the way to whole-country or region risks. 

Click here to download the PDF 

Supply chain risk scoring applications 

Risk scoring transforms an organization’s ability to visualize risks across its network and simplifies the challenge of evaluating the cumulative effect of multiple risks. Everstream customers use a range of visualization and analysis tools to derive rapid insights from risk scores: 

  • Risk scores can be assigned to specific events, such as forthcoming strike action at a port, a forecast storm, or a sudden increase in border wait times. Linked to an effective alerting system, scores help supply chain and logistics teams prioritize their responses, especially in big, complex supply networks. 
  • Risk heat maps indicate potential trouble spots for specific risk types. 
  • Weighted composite scores provide an at-a-glance estimate of current risk levels across the network. That helps supply chain management teams focus their attention on where it matters most, and shows supply chain leaders where their teams may be coming under pressure. 
  • By setting thresholds and alerts for individual and aggregate risk scores, teams can take proactive action to prevent problems by increased monitoring or adapting their planning. 

Benefits of quantifying supply chain risk 

With risk-scoring mechanisms in place, operations can begin to realize benefits almost immediately. From tactical wins to strategic support, risk scoring can help leaders prioritize action, deploy resources, and smooth communications.    

Links supply chain risk to specific assets  

A severe earthquake might not be an issue for a supplier with a building constructed for earthquake resilience. It will be an issue for any semiconductor plant, where even minor tremors disrupt the nanometer-focused production process. 

Establishes a baseline for communications 

Hurricanes might be perceived differently for people living in different regions. If you are in the region and have experienced hurricanes in the past, you might underreact to the situation. But a person seeing a hurricane unfold for the first time might overreact. Scoring provides a realistic baseline across teams and cultures. 

Can be tailored to different users 

By adding individualized weighting users can create their perfect risk setup for their specific supplier group. Maybe you want a record of heavy rain, but it should not raise your risk score. You won’t be overloaded with alerts, but you can reference the record if faulty electronic parts arrive that are wet due to bad handling in logistics. 

Helps managers prioritize action 

In the event of an alert for a massive disruption, (e.g. volcano eruption) many suppliers may be affected at the same time. Which one should you call first? Risk scores reveal the potential impact, which helps establish priority. 

Simplifies a complicated topic 

There are many risks out there, and it can be difficult to weigh port congestion compared to a pandemic outbreak. Risk scoring can establish a standard which enables sophisticated dashboarding. For example, once risk scoring is implemented, a dashboard can generate a single number encompassing network supply chain health at any given moment. That simplicity can help contextualize the situation for supply chain professionals not working on risks daily. 

In addition to these tactical applications and benefits of risk scores, companies can also use risk scoring to inform their strategic planning. That might include supplier evaluation during procurement, the selection of locations for new production or distribution facilities, or the choice of transport modes and routes. 

supply chain risk management infographic across five stages of the supplier lifecycle 

Figure 1: Supply chain risk scoring informs all stages of the supplier lifecycle, from research and onboarding to ending the relationship. 

Tactical supply chain risk scoring elements 

Tactical risk scores are built using a wide range of data sources. That can include historical data on weather patterns, natural disasters, and geopolitical events. It can include public and proprietary data sets on supply-chain-related events such as transport disruptions, customs delays, or cargo theft. And it can include real-time monitoring of media reports, on-ground information provided by analysts, researchers, and social media content. 

Contextualizing acute supply chain risks  

Supply chain teams have specific needs from risk data. While a government department or aid agency might be interested in the overall risk that a region will be affected by a natural disaster or social unrest, companies want to understand the exposure of specific sites in their networks. 

To ensure that risk scores are relevant for supply chain management, the underlying data must be sufficiently granular. That means that flood risk data, for example, should be able to differentiate risks at the level of individual location addresses. 

Click here to download the PDF 

Where risks might affect suppliers, sub-tier suppliers, transport lanes, or large areas such as ports or industrial developments, accurate geofencing algorithms are needed to ensure that only relevant data is incorporated into the score. 

Risk scores must also be timely. An unexpected event, such as a flood or terrorist attack, can suddenly convert a low-risk region into a high-risk one. The best supply chain risk management systems continually scan for such events. The system then updates the tactical risk scores based on pre-programmed user preferences, which triggers alerts for relevant stakeholders. And of course it updates in near-real-time when situations change. 

Tailoring risks to user preferences  

Supply chain risks are everywhere and can come in many different forms. They might be relevant to many types of users, like a professional working in procurement or in logistics, a supply chain planner, or an executive-level manager.   

supply chain risk alerts covering the four operational stages of plan, make, source, and deliver 

Figure 2: A wide range of supply chain risk alerts can be aligned with planning, sourcing, manufacturing, and delivery objectives.  

The interesting thing is that each of these users might see a risk in a different light. A five-day port congestion is a major threat to a logistics professional. But it is only indicative news for a supply chain planner who will simply readjust plans for even larger delays. Risk scoring helps put the news into context for specific users. Each can adjust risk-scoring models to their specific preference, which provides a more seamless experience in terms of user interface and further actionability. 

Tactical supply chain risk scoring and relevance 

Instead of relying on location-based or media-monitoring systems, today’s SCRM leaders work with more sophisticated context engines to avoid alert fatigue. A state-of-the-art context engine understands the type of alert, how to filter it, and the best manner of delivery, which all combine to create user-based relevance. This is a fundamental basis for any effective tactical SCRM program and effective risk scoring. 

However, risk scoring is also part of the solution. To go back to the five-day port congestion example, past solutions would filter alerts for users who have selected the port name and then automatically send an alert. That means the logistic professional who has selected that port name would receive the alert, but the supply chain planner who isn’t monitoring that port would have limited visibility to avoid too many alerts in his mailbox.  

With further refined risk scoring, the supply chain planner can instead choose to slightly increase the risk score of an individual port and thus not get the alert. He still can draw the alert into his dashboard and monitor it in the solution through a well-thought-through UI catered to risk scores. But he avoids alert fatigue while still maintaining full visibility of a potentially escalating situation. 

Strategic supply chain risk scoring elements 

Providers of risk analytics data and analysis platforms will divide strategic risk scores into two broad types. The first, “external scores,” are derived independently of a company’s operations. They will be based on public and third-party data sources but may be adapted or weighted differently for each supply chain based on the characteristics of that company’s operations. The risk of cargo crime, for example, may be heightened for an organization that ships medicines or high-value consumer goods. 

Click here to download the PDF 

The second category of risk scores is “internal scores.” These scores are derived, at least in part, from an organization’s integral operations data. Such scores can include assessments of supplier late delivery or quality risks. The weightings that companies choose to give different risks can also be considered internal data since they depend on the end-user’s internal policies, operating model, and business objectives. 

Supply chain risk complexity  

Translating diverse risk data into a common set of risk scores requires a combination of science and art. For some risk types, it is possible to use an algorithm or mapping scheme to derive a score directly from the underlying data. That works for cargo theft, for example, where the frequency and severity of past events act as a good guide for the risk of future ones. 

Historical data doesn’t always provide the full picture, however. In the case of climate-related risks—such as wildfires, extreme heat events, severe storms, or flooding—the impact of global warming means that many regions are departing from long-term trends. Creating realistic scores for these types of risks may require the use of climate-forecasting models and the input of experts in the field. 

Other risk types can change very quickly as the result of actions by governments or businesses. For example, changes to border control policies can introduce significant delays where vehicles were once free flowing. Action by law enforcement agencies can force human trafficking gangs or other criminal groups to abruptly alter their behavior. Wars can break out. Keeping risk scores up to date in this environment requires close monitoring of the situation on the ground by people with good local knowledge. 

At Everstream, we primarily work with a hybrid approach to risk scoring. This combines the best available objective data on each risk with inputs from risk analysis specialists. They have deep knowledge of specific regions, risk domains, and the user-specific sensitivity to shape our risk scores. 

Supply chain risk categorization 

Which risks should your organization track in its scoring system? The answer will depend on your sector and the scope of your supply chain. At Everstream, we track a basic set of more than 30 external risks worldwide. Our customers may add to those risks with their own internal risk categories or with extra categories that focus on specific issues. 

Those 30+ risks can be divided into six broad categories: 

  • Natural disasters: Includes earthquakes, volcanoes, tsunamis, cyclones, hail, tornadoes, lightning, wildfires, and floods. These categories are usually scored based on the most severe event expected in a 50- or 100-year period. Flood and tsunami risks use detailed topographical data and simulations with multiple wave or water heights to give good risk estimates for specific locations. 
  • Operational risk: Includes storms and other weather issues, cargo theft, customs delays, and risks to aviation, ground, and marine transport. Delays and disruptions are scored based on the frequency of disruptive events, their duration, and severity. 
  • Political violence: Includes civil unrest, war, and terrorism. Risk is scored based on the probability of violent events and their likely extent. 
  • Socio-political risk: Includes corruption by local businesses, government, and law enforcement agencies, strikes, and counterfeit threats. Risks are scored based on international corruption indices, labor relations records, and the status of ongoing labor disputes. 
  • Sustainability risk: Includes child labor, labor rights violations, environmental damage, and limitations on human freedom. These risks are scored based on international indices for the region’s sustainability performance. The performance of individual suppliers may differ significantly from regional averages. 
  • Risk to individuals: Includes the risk that local or visiting employees will suffer violence, detention and discrimination, or kidnapping. These risks are rated based on the travel recommendations of governments and security analysts. 

These risks can be tracked from a tactical perspective—evaluating how they affect a particular shipment or manufacturing facility, for example. Or they can contribute to an overall strategic view, providing valuable insights into long-term risk for supplier selection, lane choices, or choosing manufacturing locations. 

Score weighting and aggregation 

The ability to aggregate multiple risks into a single number is a key strength of the risk-scoring approach. The way that aggregation is done matters. 

Companies often use multiple levels of aggregation to provide different perspectives on supply chain risks. That might involve the creation of composite scores for each of the six broad risk categories, for example, or the creation of composite scores designed to assess risks to production activities, logistics, or other key supply chain tasks. Composite scores can be combined to give a single overall risk score for each node in the supply chain. 

In addition, the weighting of individual risks within these composites will change according to the characteristics of the company’s supply chain. A supply chain that relies on a combination of road and marine transport might place much less weight on aviation-related risks, for example. 

Finally, the mathematics used to create composite scores need to be well thought out. A simple sum or arithmetic mean can disguise the presence of one or two very severe risks if others are low, for example. To avoid this, companies usually use an exponentially weighted averaging technique that ensures high individual scores have more impact on the composite number. 

graphic shows supply chain risk scored by means is better than by averages 

Figure 3: An exponentially weighted averaging technique ensures that individual supply chain risk scores are evenly incorporated into overall scores. 

Supply chain risk scoring for your operation 

Simply identifying all possible risks isn’t enough for today’s complex supply networks. An operation must triage both internal and external risks according to their potential impact. Scoring creates the necessary level of personalization to separate relevant risks from the noise. Whether you’re eying daily tactical disruption or planning to avoid long-term strategic risk, scoring highlights which threats deserve consideration. 

Risk scoring is the support for a truly resilient supply chain incorporating skilled network design, smart planning, effective monitoring, and agile, responsive supply chain management. The real power of risk scoring lies in the way it supports these critical activities, helping companies to cut through large volumes of complex data, identify the key issues, and focus their risk management efforts on the places it matters most. 

Download the full PDF 

Ulf Venne leads the global Center of Excellence for Everstream Analytics. For over 10 years he has helped companies improve supply chain risk management, publishing articles and white papers on tools and methodologies for supply chain resilience, agility, and sustainability. 

Share this post

Up Next

Everstream Analytics semiconductor investment tracker

September 19

Everstream Analytics tracks all global investments into existing or new semiconductor facilities to analyze the significant change taking place in global supply chains.

Read more