Supply management traditionally has been most concerned about gaining access to material sources and moving that material from its origin to the factory floor for production. For this reason, this article will primarily focus on supply-side drivers in addressing external risks.

Internal risks provide better opportunities for mitigation because they operate within the control of the purchasing company. They generally fall into the following categories:

• Manufacturing risks caused by disruptions of internal operations or processes.
• Business risks caused by changes in key personnel, management, reporting structures, or business processes, such as the way purchasers communicate to suppliers and customers.
• Planning and control risks caused by inadequate assessment and planning, which amount to ineffective management.
• Mitigation and contingency risks caused by not putting in place contingencies.

Of course, risk areas overlap and disasters often occur because of a combination of factors. For example, we have a client that imports craft products from China and supplies them to large retailers. His customers created a demand risk by threatening large fines if he did not produce fill rates of 100 percent for the products they purchased. At the same time, he was also being squeezed by supply-side risks. Our client had not allowed for the time it took for his manufacturers in China to retool and build his products nor had he factored in time to cover weather or other delays transporting them to U.S. ports. To top it all off, he also had an internal source of risk: the lack of a proper planning process that would have identified those external drivers.

The sum of all the overlapping risk factors—both internal and external—is the "total risk" for a given supply chain (see Exhibit 1). By assessing the total risk, managers can analyze their situations and assign resources to improve their risk mitigation efforts. To arrive at that total risk, however, they must undertake a risk management process to identify the vulnerabilities in each of the risk areas, the circumstances that create the vulnerability, the probability of occurrence, and a process to mitigate the risk.

Employing a process methodology for risk management will help a business stay ahead of any market changes and plan for cause/effect risk contingencies. The following six-step process can help your company begin to plan a risk management program. Start by forming a multidiscipline team to define and rank the risks in your supply chain. Then put them to work.

Step One: Profile Supply Base

To identify potential risks, start by making sure you have a thorough understanding of your entire supply stream.

Identify each raw material. Begin by building a flow chart for all the raw material inputs. Work backward from the actual material you are purchasing to the origin material sources. Delve deep into each material to understand and capture the processes used by each supply source. These might be the supplier's processes for acquiring raw materials or manufacturing the product. Expand the chart to include potential as well as existing suppliers to gain an assessment of competition and backup sources. Identify the value-added steps in the flow of materials to assess the possibility of buying materials closer to origin to improve competitiveness as well as reduce potential supply risks.

Unless your supply chain management team is aware of the complete supply stream from raw materials to your supplier's actual product, a disruption could threaten your product long before you become aware of it. For example, consider a company that purchases a specialty chemical manufactured in a sole-sourced plant in Europe. The chemical is a vital ingredient in a perfume formula for a consumer product that the company produces and markets in the USA. Unless this specialty chemical is identified as an external risk, there will be no contingency plans to cover a possible supply disruption. If the plant suffers an accidental explosion or labor stoppage, supplies could be cut off immediately. The chemical may be one of the least costly ingredients in the perfume formula, but it may also be the most critical because of the limited supply base and long pipeline. Potential mitigations against that risk could include carrying an emergency inventory or having a backup manufacturing location in another part of the world.

Identify strategic materials. From the flow chart, determine which materials are strategic to the business. This determination may be based on such factors as whether it is a high spend product, whether you require the material to meet in-depth specifications, how many suppliers there are for the material, and what the effect would be on your business if the material flow was interrupted. Then compile data for these key purchased materials and build a summary table for all the inputs. This data might include cost and usage data for materials, approved suppliers, information about manufacturing plants, the supplier's financial status, manufacturing and procurement processes, physical condition of the supplier's facilities, any areas of environmental vulnerability (for example whether the supplier's facility is in a flood plain or on a earthquake fault), supplier's own risk management efforts (such as fire readiness or disaster plans), freight routing, and recommended inventory levels at each stage in the chain.

Your team should carefully consider what makes an item strategic. Sometimes a small change can knock a "strategic" item off the list and reduce your risk. For instance, say a company started testing the resin it uses in a process to reline old pipes. It had been specifying a "special" resin that was supposed to seal better before liquid chemicals are applied. Several suppliers offered it, but it was priced at a premium. Testing revealed no difference in performance when off-the-shelf resin was used instead of the preferred one. At that point, the material became a commodity, and the company had much better control of price and supply risks.

Understand supplier's organization. For each strategic material, penetrate the organization of each supplier to know its divisions, plant locations, and the operating units that will be interacting with your company. An efficient way of gathering information on your supplier's operations is by making a structured supplier visit. Take the time with a group of internal stakeholders to plan who you are going to speak with and what things you would like to discuss. Before you go, draw up the right questions that will draw out the critical information you need to make a detailed assessment. Ask about cost control, systems compliance, operational processes, use of price control contracts, financial controls, and robust supply management techniques.

Better understanding its suppliers' processes could have helped a Midwest manufacturer of specialty refrigeration equipment stave off increases in product prices. For years this company had bought pre-cut, pre-formed, and annealed tubing from a strategic supplier. It wasn't until steel prices skyrocketed that the company realized its supplier did not have hedged contracts or other mechanisms to control the costs of basic rolled steel tubes. Over a reasonable period of time, the company essentially began buying the tube itself and turning it over to the supplier for processing. Steel prices could change, but the company will take its own actions to mitigate the effects of those price swings.

The information gained from the supplier visit will form the basis of the supplier summary that the team will create. Developing supplier information is an ongoing process and must include:

• Analyzing all potential suppliers' technology bases and attributes.
• Ranking suppliers in each material category from strongest to weakest.
• Understanding each supplier's competitive position.
• Knowing each supplier's long-range business goals.

This analysis should also include a profit impact by item by supplier. A profit impact analysis is a critical component of the calculation of the total financial risk. The supplier summary that the team creates will provide vital information for identifying potential supply chain issues.

Step Two: Assess Vulnerability

Outlining the assessment process for all of the risk factors would be beyond the scope of this article. Instead we will focus on those that are most important to the supply manager.

Supply risks. Evaluate the supply risks for each identified strategic material throughout its entire supply chain. What are the potential vulnerabilities or events that create the risk? Work stoppage, raw material outage, unreliable material supply at origin—these are all potential risks to consider.

For each potential risk event, assess its impact on your company's production:

• Are there alternate material suppliers or is material single sourced?
• How much time is required to obtain alternate materials or qualify another supply source?
• Are inventories of materials adequate to protect from an event?
• Is another technology available to provide a backup in case an event occurs?
• Are suppliers financially stable?
• Are regulatory issues likely to negatively affect or impede a new supplier or raw material?
• Is there a disaster recovery plan?

Demand risks. It's also important to determine the demand risks for your company's finished goods. These risks typically center on the following: number and size of customers, stability of demand, frequency of new product introductions, and the financial condition of customers and industry. Are there emerging technologies that could make your product and company obsolete? Are there barriers to new competition such as high capital or patented technology? Assess your company's position relative to the risk factors to understand demand risk.

Environmental risks. To assess environmental risks, look at key elements such as political stability in the supply country, natural disaster risk (such as earthquakes and hurricanes), currency risk, and any other potential hazards that can be measured. Also evaluate the possibility of local or foreign governments imposing legislation or regulations that could affect the supply (production) as well as the market price of the materials being purchased because of environment or other concerns.

Process and plant risks. Develop a thorough understanding of the process(es) involved at each stage in the supply chain and the risks that should be mitigated. Are there opportunities for a chemical reaction or release, explosion, fatalities, or property damage? Are there agricultural crops involved that could require a year or more to recover from a crop failure? How long would be required to resume production after an event has occurred? Ask the questions and look for alternative sources or processes to mitigate risk.

Business risks. It can sometimes be difficult to gain a true sense of your suppliers' financial stability. Faced with obstacles in this area, you need to look at measures of financial health that are both hard and soft. Hard qualifiers are measurements directly related to profit and loss, such as increases in the cost of goods, inventory turnovers, and asset-to-debt ratios. Soft qualifiers are slow bill payment cycles, operational bottle necks, price increases out of the norm, workforce reductions, poor morale of personnel, or shortages of raw materials and parts. Without a process in place to measure and monitor these signs of distress, it's difficult to implement an effective mitigation plan. (For more on the nuances of supplier business risks, see the sidebar "Assessing Supplier Business Risk" below.)

Internal Planning and Control Risks. Also know what your internal financial risks are and the controls in place to manage those risks. There may be other planning risks to review including the cost and time needed to add production or sales capacity, qualify alternate supply sources, obtain government regulatory approval, and make decisions.

For example, the requirements of Sarbanes-Oxley and other regulations may pose internal risks if your controls are not robust. Buyers must properly manage, control, and reconcile purchase orders with deliveries, payments, and inventory. Contracts must exist for purchasing transactions. Supply, legal, operations, finance, and executive managers must all review the types of contracts in place to understand whether or not the Sarbanes-Oxley requirements have been met.

Step Three: Evaluate Implications

Take into account all the identified risks and prioritize them. Using some sort of risk template, rank the risks in order by assigning a risk score. This template could be a risk spreadsheet, a Monte Carlo simulation, or your own internal system based on scenario planning. To establish the risk score, estimate the probable duration of the disruption and costs to recover. Include a "worst possible scenario" to assess the effects of a long period of supply disruption. Then evaluate if other options will provide a measure of protection and what the cost would be for that protection. Defining the probability of disruption occurrence along with risk costs will lead to a "probabilized" total cost of the risk. A Monte Carlo simulation of the occurrence based on random games of chance will assist in developing variable values at random to simulate a model and can be placed into a computer spreadsheet to simulate the risk.

Step Four: Identify Mitigation and Contingency Actions

Risk mitigation encompasses loss prevention and developing acceptable alternatives and plans to reduce the probability that a risk event will occur. Mitigation plans must include contingency actions for all high-probability risk events. There should be precise signals or triggers that touch off the action that will commence efforts to mitigate the risk. The action step and timing should be clearly spelled out. Example: Within 24 hours of a supply disruption of material X, purchase orders will be placed with the alternate supply source to assure there will be no disruption in the supply of X.

The best way to drive down the cost of risk management is to develop a thorough risk mitigation plan that considers all the cost drivers associated with the risk. Use the risk template and information developed in step three to rate or quantify the identified risks after mitigation. By describing action steps and estimating costs for these actions, a total mitigation cost can be estimated after factoring in the probability of an occurrence. In business, it is essential to present the risk assessment in financial terms.

Step Five: Complete Cost/Benefit Analysis

After completing step four, it is time to evaluate the cost-benefits of each mitigation action. To do this, take a "net present value" (NPV) approach that compares the investment required for the mitigation action against the expected cash-flow benefits to be realized down the road. For example, say that a critical material is being manufactured in an area with a high risk of earthquakes and political instability. What are the costs and benefits of possible mitigating actions, such as requiring a second manufacturing site? What is the NPV of requiring the supplier to prepare a second manufacturing operation in another location? What is the NPV of qualifying a competitive supply source in another geographic location?

The investment of resources (cash) today prevents or reduces the probability of lost revenue (cash) in the future. By comparing resource investments today to the probability of lost revenue tomorrow, managers can decide whether or not to make an investment. This comparison can be charted (see Exhibit 2). A cross-functional risk management team can be commissioned to generate the analysis of whether the action should be taken and to develop a detailed implementation plan. Once the plan has been finalized, communicate clearly to executive management what you are asking them to do.

Step Six: Gain Management Support and Implement Plan

With the risk analysis data developed, build a professional business case presentation and present the information to executive management. This effort should be led by the head of supply chain management or purchasing. Be specific on the risks identified and clear on the action steps and commitments needed. Schedule periodic progress reviews with an executive management steering committee. It is critical to have executive management support when developing and implementing a risk management strategy to the organization. They provide a strong voice and commitment to the goals being outlined and eventually executed. Management will usher in support from different departments, which will lend commercial insights and technical expertise to the risk plan.

Once the strategy and plan have been approved, stay the course and hold periodic team reviews to ensure the strategy remains effective and sound. When circumstances demand changes, be ready to recommend and implement those changes to the plan with executive management.

Risk management planning should also include a process for encouraging suppliers to provide risk management to the greatest extent possible. This could be in the form of back-up manufacturing facilities, stockpiles of raw materials, or even assumption of purchasing materials from their competitors in the event of a supply issue. The point is, do not overlook an opportunity to have a supply source assume a role in managing a risk factor.

Before reaching out to your suppliers, however, you need to clarify internally who is responsible for:

• Identifying the needs that suppliers must meet.
• Identifying and qualifying potential supply sources.
• Establishing sound commercial relationships.
• Integrating suppliers with your company.
• Managing supplier performance.

The partnership can provide mutual benefits that will enhance the overall performance of the two companies while managing the appropriate areas of risk in an open way. Collaborating on information sharing can help identify potential areas of vulnerability and lead to stronger emergency plans. Your suppliers must understand the performance expectations they have to meet. Continual, documented feedback is essential, and both companies might benefit from formal performance review meetings. (For more on the importance of communication, see the sidebar on "Don't Overlook Communications.")

For your risk management to be effective, it must be fully integrated into your company's business processes. The process of identifying risks, analyzing them, and planning mitigation strategies must be documented and reported throughout the organization. To effectively evaluate risk strategy, management must balance the cost of mitigation with available resources and optimum cost management objectives. The risk management strategy should apply to everyone at all levels in the organization and focus on achieving the company's business objectives. When this happens, supply chain risk management will be a more viable and sustaining long-range corporate business plan. Remember that effectively managing risk is an on-going process and requires continuing attention and priority.