New Software Tools to Manage Risk and Disruptions

Editor’s note: This is the first of a three-part feature on the current framework for classifying risks and the ongoing efforts to mitigate them.

The Meriam Webster dictionary defines risk as the possibility of a loss. We adopt this definition here in order to clearly distinguish it from the concept of resilience. Resilience is a term rooted in material science – it is the ability of a material to retain its shape following a deformation. In a corporate context it is defined as the ability of an organization to get back to its normal level of production or service (whatever the relevant metric is) following a disruption.

The first step that many organizations take in trying to manage risk and develop resilience is to classify possible future disruptions in order to prioritize the effort require to mitigate and respond to such events.

Most corporate planning activities are focused on highly severe events. These are events that likely took place in the past or take place on a relatively regular basis. Consequently, such events can be identified and specific preparations can take place. For example, oil companies suffer substantial losses every time a hurricane moves through the Gulf of Mexico. Deep-water platforms have to be buttoned down and evacuated, and platforms are often damaged and have to be repaired at very high cost. However, because hurricanes in the Gulf of Mexico are an annual phenomenon, these companies have well developed processes for dealing with them. Thus, while highly severe events are likely to require (sometimes expensive) preparations and responses these phenomena should not be of particular concern.

Low-probability/high-impact events, such as the 1986 Chernobyl meltdown, Hurricane Katrina in 2005, the 2010 BP Horizon platform disaster, the 2002 West Coast Port Lockout, the 2011 Japanese tsunami, and similar others, are qualitatively different. These are events that companies, or governments, have not experienced before and consequently, are not prepared for and can therefore have devastating consequences. For example, in September and October 2011 the worst flooding in Thailand in 50 years shut down over 1,000 factories across six industrial estates and created widespread havoc within the supply chain for the high tech and automotive industries.

Note that the expected damage (which is the product of probability and consequences) is not a good measure of risk! Frequent small disruptions have little in common with rare, high-impact disruptions, even though their expected values may be similar. The former are dealt with by operations managers in the course of their jobs, while the latter can devastate an enterprise.

When trying to anticipate disruptions, managers should identify all high-probability, high consequences events regardless of their detectability. The detectability of these events is simply one of their characteristics and it impacts the processes put in motion for dealing with them.

This, however, is not the case with low-probability, high consequences events. While such events can be dealt with if they are detectable well in advance, the most dangerous events are low-probability/high-impact events with low detectability. These are events that not only the organization is not likely to have experience in the past, but other companies have not experienced it. With such events there will be little warning before the disruption takes place, and even after it occurs, the fact that it happened and its seriousness, are not immediately apparent. Consequently, corrective actions are not immediately taken, while the disruption propagates, and options for recovery narrow down. For example, more nimble competitors can lock up supplies, suppliers, customers and markets, closing the opportunity for quick recovery.

As a result, the focus in managing the risk associated with these events is on operational resilience, rather than planning. In other words, when a disruption affects several supply chain elements, the focus should be on quick identification, assessment of the significance of the disruption and prioritization of the response. This is in contrast with planning activities which are geared to specific high-probability/high-consequences disruptions

SC
MR