
Basis for our approach to Supply Chain Risk Management

The described approach to Risk Management is based on the ISO 31000 Standard 3.
For an overview of ISO 31000 please refer to our Standard's Overview.
For access to the ISO 31000 Standard please refer to the International Organization for Standardization.

 
ISO 31000 Standard in 6 Steps

ISO 31000 defines Risk Management as a six-step process 3. The phases, their descriptions and guides on how to execute each phase are listed below.

 
 
 


Identification

Organizations should identify and be aware of all risks and their potential consequences connected with an endeavour. 3


Analysis

Risk Analysis means to develop an understanding of the risk and is the input for Evaluation and Treatment. 3


Evaluation

Risk Evaluation is the prioritization of risks to be treated first on the basis of Identification and Analysis. 3


Treatment

Risk Treatment is the selection and implementation of means to mitigate the risks identified in the order of prioritization. 3


Monitoring

Risk Monitoring is responsible for ensuring that the measures taken are adhered to and effective, and that no emerging risks are overlooked. 3


Communication

Communication should take place during all stages of the Risk Management Process, to allow all stakeholders to understand the risks and the decision making process. 3

 

Identification - Details

  • The aim of the Identification Phase is to compile a list that includes all the risks an organization might face.
  • Together with the risks the list should include possible or (if known) definitive causes of these risks as well as the consequences that particular knock-on effects could have. 3, p.17
  • It does not matter if these risks or their source are under control or not.
  • All identified risks need to be on this list.
  • Once the risks are identified, they should be categorized according to who should prevent or mitigate them. 4, pp.22ff
  • Risks can be provided to the Identification Phase via an effectively established Risk Resilience process. For more information on what types of risk there are, please refer to our risks page or to the links below.

Analysis - Details

  • During the analysis phase the identified causes and consequences should be further enhanced to a level where the factors influencing these causes and consequences are known. 3, p.18
  • The analysis should always be conducted with the type of risk in mind. 3, p.18
  • During the analysis it is okay and normal for experts/sources to disagree or have differing opinions about a risk. This, however, needs to be noted. 3, p.18
  • The result of analysis is a set of possible consequences which can be tangible or intangible impacts. 3, p.18
  • Risk analysis can be Qualitative or Quantitative or a mix of both. For more details on Qualitative or Quantitative Risk Analysis please refer to the list below.

Evaluation - Details

  • Evaluation is the prioritization of the risks identified. 3, p.18
  • The risk evaluation should be made with all stakeholders in mind, including the ones that do not benefit from taking a specific risk. 3, p.18
  • The analysis will then lead to a decision. This decision can be to deal with the risk or to just monitor it further. This is influenced by the risk attitude of the organization. 3, p.18

Treatment - Details

  • To effectively treat a risk, first a plan for mitigation and risk modification is needed. 3, pp.18-19
  • Developing this Risk Treatment Plan is a cyclical process consisting of:
      • Defining the Treatment 3, pp.18-19
      • Determining if the Treatment reduces the risk to an acceptable level 3, pp.18-19
      • If Yes: Execute the Treatment Plan and assess effectiveness 3, pp.18-19
      • If No: Revisit Treatment Plan Development 3, pp.18-19
  • When choosing how to treat a risk, an organization should always consider how this approach might be perceived by and affect other stakeholders. 3, p.19
  • It is important to keep in mind that risk treatments can bring their own risks with them. 3, p.19

Monitoring - Details

  • To ensure effective Risk Monitoring, the responsibilities between all stakeholders in this process should be clearly defined. 3, p.20
  • Therefore, Supply Chain Risk Governance plays an important role in this phase. 9
  • The purpose of the Monitoring Phase is:
      • Ensuring the effectiveness of the established treatment 3, p.20
      • Learning lessons for the future and detecting future risks 3, p.20
  • The results from the Monitoring Phase should be recorded and reported to all stakeholders. 3, pp.20-21

Communication - Details

  • Once a Risk and/or its Treatment has been identified and defined, the process should be communicated to all stakeholders. The reason is that other stakeholders may take individual action, based on the communicated information. 3, pp.14-15
  • The communication should be truthful, relevant and accurate. 3, p.15
  • For guidelines on how to communicate risk and its treatment correctly and effectively, please refer to the article under "Communication" below.
 

Why is Supply Chain Risk Management important?

In the Context of Global Supply Chains, there can be two types of disruptions:

They can have multiple effects, ranging from short-term supply problems to unhappy customers,
product call backs and even losing market share for several years. 4, p.4

Internal Risks

Supply Problems with certain supply chain internal components that the organization can control. 4, pp.3-4

External Risks

Natural Disasters, Pandemics, Wars and other elements that the organization cannot control. 4, pp.3-4

 

The need for effective Supply Chain Risk Management is more evident than ever, because ...

"Supply Chains have more points of possible disruption than they did in the past." 4, p.7; 43;44 

"Supply Chains have less visibility, which causes slow decision-making and response in case of disruption." 4, p.7

"Local 'fixes' create problems in other parts of the supply chain." 4, p.7

 

Because of these factors, the damage done by disasters has increased by a factor of 10 since the 1960s. 4, p.8 Supply Chain disruptions fall into this category.

 

Despite this importance, it is proven that most companies do not do enough or even anything to mitigate Supply Chain Risks, because:

"Firms underestimate the risk in the absence of accurate supply chain risk assessment." 4, p.8

"Firms are not familiar with ways to manage supply chain risks." 4; 6

"With inaccurate estimates of the likelihood of the occurrence of a major disruption, many firms find it difficult to perform cost/benefit or return-on-investment analysis to justify certain risk reduction programs or contingency plans" 4, p.8; 7; 8