Strategic Risk Scoring for Supply Chain Management

 

Lauren McKinley:

Hello everyone and welcome to our session today, Strategic Risk Scoring for Supply Chain Management. A few notes before we begin the session, all attendee lines are on mute. If you have any questions during the session for our presenter, please add them in the Q&A box in the GoToWebinar panel. We are recording the session, and we’ll share a copy of it after. And if you have any notes or need anything afterwards, you can reach out to us at [email protected]. Now I will introduce our presenter today.

Our presenter today is Ulf Venne. Ulf leads the Global Center of Excellence for Everstream Analytics, and previously served as the regional head of sales for EMEA and APAC. Over the last eight years, Ulf has been instrumental in increasing awareness for supply chain risk management. He has authored several articles and white papers on risk and resilience, including the new white paper Understanding Risk Scoring, and has been published in numerous books and magazines. And with that, I will turn it over to Ulf to lead today’s session.

Ulf Venne:

Hello everybody. Hope you’re having a good day. Beautiful weather today again, and we are going to talk about an exciting and beautiful topic that is risk scoring.

So risk scoring is very fundamental to supply chain risk management, and that comes from our experience as Everstream and working with over 300 clients across all industries for a long time, over 10 years by now. So let’s first start with, what is risk scoring and why is it necessary?

As you know, Everstream Analytics, most of you should know actually, we provide a lot of data from our side that then gets transformed using the customer data, their products and their supplier data, their location data, to then create what we would call unparalleled intelligence. And we’re going to see that live today by the way.

And because of the volume of data that is available, the way that it contextualized, at the end, it seems to be very important to create a certain amount of focus, and that is what risk scoring is here.

So we won’t dwell on this slide very long, but it’s very important to understand that we have as Everstream the market leader when it comes to risk intelligence. We have a unique problem, I would call it, that we have a lot of data to our disposal and available, and we have to make it easy for our customers to make sense out of it. And that’s where risk scoring comes into play.

So what is the benefit of risk scoring? Risk scoring helps to really simplify a very complex topic that is risk management, because a lot of different risks can happen every day. A lot of different things can go wrong. There can be strategic issues, there can be issues right now. So it’s very important to make it easy for users that don’t work every day on risk, and give them something that is relatable, and we believe our number is very relatable.

Then it’s very important because it links severity to specific assets based on the user preferences. So typical situation, there’s a minor earthquake happening in Asia or a moderate one that might be not a problem for a tire manufacturer. But if you have a semiconductor plan and you’re the supplier manager who has to manage these semiconductor suppliers, you might actually run into trouble, because even smaller rattlings of the production plant might actually cause a stop, and that might then lead to production outages for at least a couple of hours to a couple of days. So that’s something you want to monitor. And for you, that is a high risk, although it’s only a small earthquake. But for others, it’s really a small earthquake. So using risk scoring to adapt to the user’s thinking and profiling is very important.

And then it establishes a great baseline for communication. So imagine you’re being part of the central team, and you want to see how your day goes. At the end, if you see, “Hey, my user defined that to be a very high risk for him,” and you can see that based on a number, and you know where to focus, and you prioritize your action. That is important for the whole network at any given day. But it’s especially important for any mass scale events like an earthquake. Because seeing an earthquake happening that is very strong, you might look at, how likely is that going to impact the supplier that the user might have to set that up for you already? And then you can go list by list to every single location and prioritize your actions based on that.

So risk scoring is fundamentally important to make sense out of very complex data. And there are different types of risk scores, and we’re going to look at that today based on the white paper, and then we’re going to show you that in real time in a demo.

So what is important when you look at risk scores? They need to be usable, internally and externally. They need to have a waiting process that makes sense for the topic of supply chain risk management. It needs to create relevancy that is actionable, and it needs to help you with automation.

So if you integrate risk data into another system, it might be more useful to integrate a risk score into that and then say, “Hey, if you want to have more details, jump into Everstream,” because the risk score is a leading indicator that will then help you make sense out of data in a very easy way. And then if you need complex insights to that, you can then go into the core platform.

What is our methodology to do that? We don’t use the specific average that everybody might be using otherwise. So we are using a specific risk management based calculation that helps to identify outliers better. So we’re helping you to identify the deviation from the normal, which obviously in risk management is most important. If something is different than it should be, that’s a problem, that’s a risk. It’s also an opportunity obviously. So building a methodology that goes away from just using a numerical average is very important, and we have figured out a good formula. I’m not going to share it today, but just for you to know, that’s how our risk scoring works.

So we have two different types of risk scoring in our platform. One is tactical risk scoring, and that obviously is together with our platform Everstream Reveal, that essentially looks at disruption risks that are happening right now, might happen in the near future, or maybe even six to seven months away depending on how good we can predict it. But it’s very likely to happen. So six months away a strike, we might announce and reveal. Good.

There are a lot of different topics that can affect your supply chain. For us, it’s important to be really holistic, not only from the topics that we cover, but also that it’s made in a way and made with a logic that helps a supply chain planning team, that helps the sourcing team, that helps your production teams, but also your delivery team. And interestingly enough, we build a risk bill, we try to categorize everything. But in the end, a lot of these risks are also applicable for other categories, which shows the inherent nature of risks needing to be managed across the whole supply chain in a unanimous voice. The risk score makes it very easy, because everybody can look at the risk score. They have a number, they can collaborate based on that. And you need a single platform for that obviously as well. It doesn’t help you to just buy a sourcing platform or something for your logistics. You need to really go end-to-end. You might start somewhere, but your vision should also be the end-to-end nature that is supply chain risk management.

So how does tactical risk scoring work? This is a simplified version. In the white paper, you can find a lot more details on that. But essentially, the user can set preferences on what kind of alert with what kind of severity. So based on alert category, he wants to have which risk score. Then if a disruptive event occurs, or maybe several disruptive events occur, the highest risk score will be displayed.

So here, we have a legal issue, we have a trucker strike, and we have a flooding. The flooding will overrule everything else, because it’s the highest risk on this specific location. And then the 18 will be shown in the UI to show the relevancy of this location to the network and the potential of outage.

So this is the logic of risk scoring. It helps you to make sense out of the data, and to use graphical elements and scores to prioritize. And we will again see that later in the system.

But we also have strategic risk scoring, which then is a long-term view. And we do that with our platform Everstream Reveal. And this really hinges on telling you what will happen in the future. So it’s a probability and severity of something to happen. And we have many different categories, earthquakes, sustainability, social political issues, logistics issues, and also the risk to travelers and individuals. Because sometimes you also have to travel to your suppliers for instance, or you have to be present in your warehouse. And you also want to make sure that if it’s your own asset, that your employees are safe.

So how does that work? We essentially logically build a risk matrix, as you might know it if you ever worked on risk management or supply chain risk management, where you can then rate your suppliers. We have two axes, which is the external risks. External risks are things that might happen outside of your company, like an earthquake, a flooding, and then sustainability breach.

These all are going from one to 25, like it is standard for our platform. And these external risks are automatically delivered by Everstream Analytics. It’s over 30 risk scores and you can get them on the spot. And then we have the internal risks that come from our customers. They will provide input to that for the risk scorecard.

And this helps you then to [inaudible 00:10:57] the importance of the supplier to your network. It helps you to understand if you can mitigate the issue easily or not. So essentially, it helps you understand the impact to a certain degree.

And then you can build essentially this risk matrix. And then the way that we reinvented the risk matrix is that each supplier then gets an overall score. So instead of having to leverage this kind of view that can be cluttered with a lot of information if you have a network with more than 100 suppliers, which most of you probably have. You need a scoring system, and the score would help you way better because you can look at it in a list and just prioritize based on the score.

So scoring is essential for different use cases. In the demo today, we look at a lot of logistics use cases. So I brought this view for procurement professionals, where you essentially use risk scoring throughout the whole supplier life cycle.

First, the strategic risk scoring already in the onboarding process. Because when you onboard a supplier, you want to know the risk of a natural disaster to happen, the risk of a sustainability breach to happen, the risk of logistics capacity being low. So the risk scoring can already help you with that in the onboarding process, and it will help you find another factor to consider, and not only look at price.

Source to contract, you can start already with monitoring the acute risks. And again, we have a threat score there. And then eventually, you might want to jump into sub-tier visibility, which is not the focus of today’s session. But obviously for your network that you have, you want to find stability. And 50% of all events happen in the sub-tier, so it’s also something to consider.

But the core messages, risk scoring is inherent to our system, it’s inherent to our logic. And it also makes sense using risk scoring, especially if you want to connect it to a supplier relationship management system, a transport management system, or a supply chain planning system.

And with that, we have talked a lot about this strategically and in slides. If you want to know more about the topic, we have made a white paper on that that has a lot more details, and very tangible use cases and examples for every single slide that I just presented. But now, we want to put it into practice, live in color. Right here, right now.

So what we do is we go to the Everstream solution and we start with the Everstream map. And this is Everstream Analytics, our platform. And what we do right now is we just look at the assets first. As you can see here, we first start in America, and you see we have donuts here. And within these donuts, you see that we cluster locations, and the locations are displayed as a hexagon as you can see here. You already see some colors in there, and they actually are directly related to the risk scoring.

But before we go to the risk scoring, I just wanted to show you that every day, a lot of stuff is going on in supply chains. Okay? Here you see all the incidents that we are covering right now as we speak. So there’s a lot going on. But obviously, we have a good context engine. It can help you really make sense out of that massive amount of data. So you can combine the filters and now you see all the different… This was a very big and complex network, and now you see only the locations that currently have an impact.

And I wanted to point out two different examples that might be interesting to conceptualize risk scoring more in depth. The first one is here, this minor incident in Sweden. You see it is actually, a runway was closed. So if you use the airport, it’s still doable, but the cargo freight is obviously impacted, right?

So normally for a lot of supply chain professionals, not a big problem, but the user in logistics that we’re looking at right now, he has a lot of volume going to the Stockholm Airport. So for him, if anything happens at the Stockholm Airport, even if it’s a small thing, this can mean massive damages to a supply chain. And that’s why the risk scoring on this specific asset is very high with 17 out of 25. And you can see already it’s red, right?

So you have a green incident. Green incident meaning minor in comparison. But because of the setup of the user, you can see that it’s a very high risk. And actually, it’s valid because the runway was closed now for several months. And now it’s going to be open again, and you can use it in a couple of days. So it’s not new news, but it’s more about conceptualizing risk.

So moving on from that example that I think should make it very clear, you can also see here in the Port of Manila, the other example of tactical risk scoring that I mentioned, which is you might have a risk right here, right now that is very high. One second please. And you see here that this is a port congestion that is going on, but it’s going to end very soon. We know that because we have unique intelligence from, for example our shareholder DHL, but then you can see here that afterwards, there’s a volcano eruption that might still affect the port, but it’s somewhat far away. And a volcano eruption that is in the middle of this, it’s actually far away from Manila. It’s not going to disrupt it so much. So the volcano risk score very low. And that should show you that two can be in parallel, because the volcano is also going on right now, but the risk score defined by the highest risk.

So I showed now a few examples for logistics professionals, and because I also want to have a takeaway for our colleagues in procurement, I just want to show you another thing that more speaks to the breadth of our platform and that is going to be financials.

Financial health. You can see here all of our categories we monitor. It’s a lot. And we look at insolvencies. And because right now we all are looking at maybe going into a recession, I think the filed insolvencies right now related to supply chain management are a good indicator for where currently, we have the biggest challenges, economic challenges. And you can see here, that actually US is doing quite well.

Europe is already struggling quite a bit. You see especially in the center in Germany, a very high amount of insolvencies. But then if you look at China where we have exceptional coverage, it’s not normal to have insolvency filings for China. You can see that we have quite a lot going on right now that is also relevant for supply chain management. Good.

So this should be it for the tactical risk scoring, but then you might say, “Hey, that’s still a lot of information and I’m a very senior guy. I don’t have a lot of time. How do I work with that?” Well, because of risk scoring, it’s very easy.

So risk scoring will help you. By the way, I’m doing everything live to show you the performance of the system as well. So risk scoring will very easily help you look at the complex data you have, and see directly here your health checks. So right now, the average risk that is faced is at a 14, which actually most customers we have might have a risk per day that might be more in the seven range. So the network right now would be actually meaningfully affected, and that would help you to understand that you might have to check in with your central team to make sure they stay on top of everything. And they go and prioritize their actions they take for the day and the way they help other people within the network based on the risk scorings for these specific locations that are user defined. And you see 28 incidents, and 10 of them are of high priority in focus. Good.

So now moving on from that, we go to our strategic portion of risk scoring, which we find at Taiwan today, which I wanted to pick. And that is this supplier here. And we open the scorecard. And let’s move to the risks first.

So these are the strategic risks that can happen. And you can see here different risks. We have the ability to deactivate risks, and we did that for this example. So we normally have 30 automated risk scores, but this user has chosen to have some of them not displayed, because he didn’t want to have them in the overall calculation.

We have the ability to, because every user might have a different preference, and the central team might have a different view as the purchaser, and he has a different as a logistics colleague. So we have the ability to build different scorecards. And here in this example, we have somebody adding internal risks to that as well.

Just to switch around, you see here that the external risks is 11, and with that the overall risk is also 11. And that is the culmination of all of these risks being put into these subcategories as you can see here. And then these are culminating based on a new waiting. So you wait first per subcategory, and then you weigh these together again based on your own profile into the external risk category. And then you can weigh that against internal risk and build the overall score. It’s pretty cool, actually. Pretty sophisticated stuff. It’s not that hard to set up. It’s actually very easy. And then if you add the standard risk scores here where you have… For example, the ESG score is not looking so hot here right now. You will then raise the overall risk to 13. You can directly see the impact of changing up risk scores and adjusting.

And the internal risk, as I said before, they come from customers directly, from partners that we might work with. Or they might come from the supplier if we surveyed them and got risk scores. So different ways of doing that.

So I hope risk scores are clear. You have the external ones for onboarding purposes, general management automatically delivered by us. You can add internal risk scores to that. Anyway, all of this gives you a great start to manage strategic risks properly and decide if you want to off-board a supplier, because maybe too high risk. And you also can decide if you want to onboard a supplier based on his risk exposure, which is great. And if you build a new warehouse, your wallet, don’t build it in a flooding zone. That’s good advice from myself.

And obviously, because we have risk growing, because we have that logic, we can also go and do that not only for your tier ones, for your warehouses, for distribution centers, for your site. No, we can also do that in the sub tiers. And that’s maybe, this is going to be a massive amount of data. So the loading takes a little while, but it’s still worthwhile to show it, to also show you how it works in real time so you understand the enormity of the actions. So let’s go for tier three directly.

This network is built by AI and human experts validating. So this is something we got the tier one supplier, and then built the network based on our intelligence and our data we have at our disposal with a little bit AI magic, and then experts’ opinions.

And then you build something like this, and you can see it’s very complex, right? One supplier, and all of a sudden you have all that behind it. That is a lot. So what you do is you use your risk scoring. And here in this case, we use a proactive risk scoring to see that within this big network strategically, we only have a couple of suppliers that are in very high risk, and that can be defined by the user.

And we now go to Dahua Technologies, which is 19. It’s the first on the list. So let’s just look at that one. And what we can see here is that the risk he’s facing, and these are all based on our strategic risks that we find, is counterfeit threat, workers’ rights, flesh floods, tornado, and tropical storm. And especially important here is the workers’ right, 20. That is very high. And we actually have an ongoing incident here and that is a UFLPA entry. So this company has a tough time importing anything into China, and anything related with this supplier has a tough time as well getting into US. And therefore, it’s a very important and meaningful way of combining strategic risk scores that gives you an indication that there might be a problem. And then now, a real problem has occurred through the technical. And the risk scoring is highlighting all of that very easily, digestively, and helps you make sense out of this data. And with that, we are going to go to the questions.

Lauren McKinley:

Great, thank you Ulf. If anybody has any questions, please feel free to drop them in the chat. We have just a few minutes left, so we will get through as many as we can, and then we will come back with any follow-up after the session that we don’t have time to get to. So thank you. All right, so the first question is, “How does Everstream help prioritize the types of risks for companies in different industries when you set up your scoring models?”

Ulf Venne:

So we do have standard industry profiles that we can suggest. It does help. But more importantly is actually to then from there go. And first of all, we need an educated discussion about the products you have, and maybe the users that will be in scope, and it makes sense to maybe do a faced approach, and start with one user group. Make sure the risk scoring is relevant to them, and then roll that out more broadly in similar user groups, and then find another user group that might be very different in their risk profiling and risk appetite, and then redefine that.

And we suggest to do that over the supply chain risk management center of excellence, which is a group that we think helps customers build an organization to manage risks properly in their supply chain, by a small central team that essentially is an advisor.

So we will help, but you also need internal feedback mechanisms to make sure that it gets crisper over time. And there, we really suggest to use a version of our supply chain risk management center of excellence, which is a blueprint. And we also have a white paper for that. If you want to download that, I think that can be very helpful. If you have more questions, reach out to me.

Lauren McKinley:

Great, thank you so much. The next question is how often should risk scores be re-weighted or reevaluated for a company?

Ulf Venne:

So that is a perfect question at the start, more frequent. So if you just got started, I would definitely suggest to do that every quarter maybe, just for the exercise. Approximately, that will take you a year. So four iterations and you will have very crisp profiles that for you makes sense. And again, we help with that obviously, right? We have a customer success team that will be your advisor for that.

However, in addition to that, later on it might be that your risk appetite is changing. And a good example is Covid, right? I don’t think anybody would’ve seen medical issues as being a high problem for supply chains in the past. We cover them for now more than 10 years. But before, nobody essentially wanted to know about these. Now all of a sudden, this is very important. And we’re covering swine flu outbreaks right now, different areas, and so on and so forth.

So a lot is going on in that topic as well. And with Covid, that got in fashion to monitor. And this needs to be continuously reevaluated, maybe yearly. And it makes sense actually to align that with your enterprise risk management group, because they very likely define the risk appetite for the company. So what are risks that we’re willing to accept and take, versus what are risks we’re not willing to accept and take? And that also gets refreshed yearly.

So that would be a good exercise in addition to not only look at what your supply chain colleagues are giving you as feedback, but also use essentially your company vision on risks as well to adjust risk scores.

Lauren McKinley:

Thank you. It looks like we have time for one more. We do have a number of additional questions that came in. Thank you for the engagement today on the session. We will make sure Ulf reports back out in our follow-up message with the answers to everything that has not been addressed. So the last question, two parts. One, how often is the external risk data refreshed by Everstream? And secondly, how do you then connect the external risks to the supply chain master data?

Ulf Venne:

Good. Let’s start with the second question. It’s easier to answer. So essentially, your supply chain master data has a geolocation. All the external risks are geolocation based. Some are regional scores. Most of them are actually geo point scores. So we tell you exactly on this point on the planet, there is this risk. Sustainability is obviously more regionalized, and then we also have some country-based in there. So depending on where it is in our country, but the country-based scores are very minimal in comparison to the rest.

So it’s essentially about positioning, right? You give us an address, we provide a geocode to that, and then the geocode gets filled through our funnel, and we provide you the risk scoring, easy, done.

Second portion. How often are they getting updated? More complex. So first, natural disasters are getting updated once a year, because it essentially doesn’t change dramatically, and it’s based on what we would call qualitative data. So it looks at the earth, and then weather patterns, and so on and so forth. So this is a very stable system, and that’s why we only update them once a year, because they’re also only getting updated once a year by our data provider.

And with the social political issues, they’re getting updated whenever something is happening. So it could be that for months, nothing is happening in our country on war. And then if on war there’s a lot of tension building up, then all of a sudden you might get an update every day.

So it’s more push mechanism, and it’s based on how data and how this is developing. And also, Everstream is known for being there to also monitor trends. So essentially, you will see the trend development and when scores were updated within our system. I believe we’re the only ones doing that. And it’s very powerful just to make sure that you… Because as soon as a risk score goes from zero to a hero score essentially, which is not good for you, but at least you know there’s a huge development, and that’s where it’s most risky essentially. Because if it’s always risky, then probably you already worked on mitigation measures. But if it’s something net new, then you really have to manage it.

Others are just based on the amount of data we acquire and inputs. We also have some of cores are built by the amount of incidents in the system, and these obviously are refreshed on a very high rate, but they also show a certain stability. So primarily, it’s [inaudible 00:31:30] theft that we do based on incidents. The rest is all more qualitative data, or a hybrid model where we include a little bit of right here, right now, but also always look at the future as well. Social, political, good example.

How is the police working? How is the military involved in fighting terrorism, is probably more important as one terrorist attack you have in a country. Good. And that’s my answer.

Lauren McKinley:

Great. Thank you Ulf. And again, thank you everyone for attending. As I mentioned, we will report out on the additional questions we did not have time to answer in our follow-up, and we will also send a link to the recording. So you will see that within the next 24 hours. Again, if you have any questions, you can again here, sign up to subscribe for additional updates, papers, reports, articles, and webinars. And we will be in touch soon with a new session. So thank you Ulf, and thank you everyone. At this point, we will end today’s webinar. Have a great day.