Supply chain risk and disruptions have become increasingly common since the COVID-19 pandemic began. Companies today are faced with skyrocketing container costs, material and labor shortages, unexpected shipping delays, and other challenges associated with COVID-19 variants. Consumers, meanwhile, are confronted with empty shelves and out-of-stock notices, as well as higher prices for a seemingly endless array of goods ranging from new cars to a gallon of milk.
Given this state of economic instability — and the likelihood that it will continue for some time — it is no longer enough for organizations to acknowledge and accept the existence of supply chain risk. Rather, it is vital that executives make supply chain risk management an integral part of their organizational DNA.
We recommend they do so by using a framework (as a fully functional tool) to break down the value chain and help analyze risks and mitigation strategies specific to certain areas of their business. This framework can help your organization think through what a supply chain risk management strategy might look like and tailor an approach specific to your business needs.
In this article, we will break down our framework and answer key questions that will help you protect your business from the disruptions of certain supply chain risks. A framework, however, is only as good as the processes, structures, and behaviors instilled in the organization. Your organization should scale the risk management framework to fit your risk profile. The degree to which an organization sets up and invests in these principles depends on the complexity of its supply chain. We recommend that you use this framework to look across your supply chain to determine where and how the risk categories impact you.
How Do You Find Risk Across Your Supply Chain?
When considering supply chain risk management, it’s crucial to start by examining your value chain from beginning to end. Risk naturally occurs across every aspect of your business — from overall strategy and product development to manufacturing, purchasing, and how you go to market. Because each area contends with different types of risk, we recommend using a framework to break down the value chain.
This allows you to analyze the specific risks — and mitigation strategies — associated with each link in the chain, as well as those that persist across multiple stages. This Supply Chain Risk Management Framework helps assess risk by providing an initial value chain breakdown and can be tailored to any industry or business. So, even if you don’t manufacture widgets, for example, you can still evaluate what your business “sources” (e.g., laptops, office supplies, talent) or “makes” (e.g., financial or insurance products, presentation material, thought leadership) — each area of the value chain carries an element of risk.
There are six stages in the Supply Chain framework. Step one is to break them down and examine the specific risks and mitigation strategies associated with each. There are many ways to go about conducting the initiative; we recommend a small team of analytical-minded business experts to take lead on the execution, meeting with experts across the business (and externally) to analyze risks and develop mitigation strategies. Strong executive sponsorship including clear communications to the business about the “why” and the “what” of the initiative is critical to clear the runway for the team to dive into the framework.
1. Develop
The first link in the value chain relates to the products you develop and bring to market. It includes creating new products, as well as managing any changes to your existing product or service portfolio. And because many risks occur early in the value chain — the effects of which often aren’t felt until much later, when it is too late to mitigate — it is important to think about risk proactively.
For example, if your new product has multiple options that require inputs from different suppliers, you could be introducing an unnecessary supply risk that you may not recognize until you begin sourcing. Or if your designs require rare or scarce materials (e.g., earth metals, castings, forgings, etc.) that are only supplied by a small number of niche sources, or from certain regions of the world, you are inherently taking on the risk. These materials cannot be easily outsourced. Or maybe you have an extremely robust design approval process that doesn’t end until everyone in the company agrees and signs off on the perfect design. That could be effective unless the process takes so long that by the time you have a design in hand, your initial market analysis is out of date and new competition/technologies have made your product obsolete before you even get to market. Each of these scenarios demonstrates why it is important to think about how risk can impact your development phase. Process flexibility is critical for new product introductions. Some new products introduce major changes and need additional review and approval, while others — like a color change or a minor design tweak — do not. Maintaining the flexibility to handle products differently can help you balance risk and get the right products to market.
2. Plan
This capability is about proactively setting up your supply chain to efficiently get your products to customers. So, what can go wrong? A lot. Unfortunately, it is difficult to predict the future, no matter how good you are at modeling supply and demand, and the further into the future you look, the less certain you will be. But that does not make long-term forecasting a waste of time.
On the contrary, setting up a supply base, identifying, and onboarding a new supplier all take time. And if you cannot look out far enough to be able to execute those activities, you will find yourself scrambling to try to secure the supply you need to meet your demand, which means you will not have time to properly vet suppliers, often leading to poor quality, late deliveries, expedited shipping, and ultimately higher costs.
Additionally, while every company wants to work lean, planning for a perfect supply chain will likely leave you with stockouts and missed opportunities to serve your customers. Setting your supply chain up for resiliency to absorb market shocks is critical to the stability of supply. Another consideration, when sourcing overseas, is to compare the cost per unit savings and margin potential and the complexities (e.g., geopolitical factors, tariffs, demand forecasting, and lead time management) vs. domestic sources or developing internal production capabilities for strategic products/materials.
Planning is difficult — it can be unpredictable, and you often need to make decisions when it is unclear if your previous predictions were correct. We recommend putting a focus on product life cycle and the impact that it will have on you and your supply base — how long will your product be in the market? What service or aftermarket will it require? What will future iterations of the product look like? And what will demand look like over time? As you start to frame that up, think about your product and all the aspects (components, intellectual property, etc.) that go into making it. Consider the aspects of the product that fit into your core competency or that you want to control — this can guide your strategy on what you make vs. buy or help you identify categories/commodities/systems that you may be willing to pay more for to secure supply. For other aspects of the product that you can outsource, how will you measure success from your partners? Are you solely focused on the lowest piece price? Are you looking for suppliers that are reliable in terms of quality and delivery, and are you willing to pay more upfront for it? Or perhaps you are looking to grow significantly, and you need a supply base that is ready for that without you having to subsidize it. Whatever it is you are looking for in a supply base, build that into your toolset to qualify and evaluate your suppliers so that you find and maintain the ones that help you succeed. And then take the same rigor for your internal manufacturing capabilities — after all, an internal supplier is, ultimately, a supplier.
3. Source
The third stage of the chain is identifying, selecting, onboarding, and managing your suppliers. For decades this has been the primary focus of supply chain risk management, and with good cause — your suppliers are an extension of your business. Even if you own or maintain significant influence over them, there is an inherent risk with outsourcing critical capabilities. What can you do to mitigate some of that risk? Simple: Identify alternative suppliers and secure contracts and approvals with them before they are ever needed. This ensures you have options and can make business-saving decisions quickly and without disruptions.
In addition, visibility is critical if you use a multitiered supply base and it’s difficult to tell where bottlenecks are occurring or if your suppliers are weak at managing their suppliers. Understanding who your suppliers are, what they do, when they do it, and how well they execute can help you to anticipate and address problems before they occur.
4. Make
This stage is where you produce your goods or services. Manufacturers, distributors, financial institutions, health care companies, etc. — they all “make” something that provides value to their customers. But because of the variability across industries and companies, risk can take many forms. Generally, the risk relates to a lack of visibility in the production process, which leads to quality and delivery issues, lack of available equipment to produce, or difficulty managing labor. As a result, risk mitigation strategies need to address those specific areas and should include:
- Understanding your processes and conducting quality reviews to quickly identify constraints and inefficiencies.
- Being able to predict and proactively conduct maintenance to keep machines running.
- Effectively managing your workforce, including the ability to quickly scale up and down when your schedules shift.
5. Deliver
This capability is about getting your goods or services to the customer. No matter how established your logistics partners are, you are outsourcing a critical capability that has a major impact on customer satisfaction. Especially now, even the most reliable delivery options are at risk of being delayed.
What can you do about it? Like in other areas of the value chain, visibility is the key to addressing risk during delivery — and trackable shipping is often the difference-maker in terms of cost and satisfaction. Additionally, reviewing and managing your logistics partners with the same rigor as the rest of your supply base can help proactively identify and manage issues such as delayed shipments, missing or unfilled orders, and damages/quality challenges.
In some cases, however, even the most proactive management cannot mitigate all delays and lost shipments. When this occurs, manage your customers’ expectations by communicating early and often so that you avoid surprises, and they aren’t unexpectedly disappointed.
6. Sustain
How do you manage your products and customers after the original delivery? There are many aspects to consider in the “sustain” process, including how you engage with your customers once they have your products (e.g., subscriptions, services, etc.), as well as what products you offer in the aftermarket (e.g., upgrades, repairs, etc.) and how you manage your product life cycle from delivery to until end of life (e.g., change control, obsolescence management, etc.).
In terms of risk assessment, a major focus is again on proactive management. Knowing what you want to provide your customers and managing the value chain proactively can help you keep your customers happy long after they initially interact with your business. Additionally, preparing a proactive plan to manage change and obsolescence helps to reduce cost and waste (e.g., unnecessary inventory, upstream implications of changes) and provides greater flexibility to adapt to changing customer needs.
Now that you have a high-level orientation of where risk might reside within your supply chain, it’s important to acknowledge that the framework only helps if your organization sets up the supporting processes and structures, and you provide your people with the techniques and best practices to influence how they manage risk.
Developing flexible processes and implementing controls in the areas that generate the most customer value, or support supply chain risk agility, should be key areas of focus. These are the three core areas to consider when setting up processes to support the risk management needs of the business.
a. Efficient and Flexible Processes: The longer and more rigid a process, the harder it is to get a product or service to market efficiently, which then increases the risk of being behind the competition or unable to adapt to market changes. To ensure that processes are efficient and flexible, your organization needs to have visibility to areas of risk (slowdowns) or opportunity (potential to speed up). This gives your organization the ability to quickly identify and address issues and capitalize on opportunities.
b. Controls: You must implement the correct controls to maintain quality and have the proper levels of security — including cybersecurity protocols and procedures — to avoid major slowdowns from hostile parties (see “A Lesson in Controls” at top of page).
c. Stress Testing: Do not assume that the processes and controls work and/or are rigorous enough simply because they exist — each must be stress tested. Predictive modeling and simulations are a great way to see where risk mitigation strategies may be insufficient, but pilots and other controlled situations can also provide real-world testing to give your organization confidence about its risk management capabilities.
Standing up risk management structures is fundamental to drive consistent results and ensures no one “drops the ball”; accountability and responsibility should be placed on the logical functions and roles.
a. Establish a proactive risk management governance structure that defines the enterprise risk management processes, tools, and methodologies. This results in a consistent approach to measure, prioritize, align your teams, and build plans to mitigate risk. It also ensures that your departments and teams are correctly represented and have formal channels to collaborate and communicate routinely. This can take many forms given the unique structure and needs of your organization — we recommend a formal meeting cadence with clear agendas, objectives, and outputs to help you effectively plan, execute, and review what worked and what didn’t work to keep the team focused and avoid redundant meetings and the unnecessary prep work that goes into them. We also recommend clear roles and responsibilities in your operating model — who will do what, when, and how so that you don’t have to spend time figuring that out for each situation. As always, reporting and metrics will be critical to defining success and showing progress to leadership and other stakeholders — these should focus on tangible achievements if possible, and avoidance of future risks counts — for example, preventing shortages before they occur is valuable and should be treated as such.
b. Appoint “risk captains” and cross-functional teams by risk category. Drive accountability into areas of your business where risk knowledge and mitigation plans can be ideated, prioritized, agreed to, and executed. The “risk captains,” as designed by the governance structure, should meet on a set frequency to share concerns, risks, and mitigation plans with cross-functional teams to maintain collective awareness.
How Do You Make Risk Management a Part of Your Business DNA?
The below practices accelerate the adoption of risk management behaviors, namely through aligning on how to quantify risk, reward employees for mitigating risk, focusing on root causes and not symptoms of risk, and being intentional with partnering with strategic suppliers.
a. Quantify the impact of risk in relation to key business drivers — e.g., cost, revenue, reputation (not as easy to quantify), or other meaningful operational metrics. Once your company has agreed to those drivers, their relative importance, and methodology to measure, this will help decision-makers engage in intelligent conversations with key stakeholders when determining priority, timing, and action plans. The “so what?” question is much easier to answer when risk can be translated into something meaningful.
b. Incentivize and reward your employees for mitigating risk. Often organizations do not think holistically about the “total value” of an employee — especially if the only focus is on revenue growth and margins. By quantifying the impact of risk, it becomes easier to reward employees when they positively influence risk outcomes. And if done right, this motivates employees to be the eyes and ears in their daily interactions with stakeholders to positively impact their area of the value chain.
c. Focus on the root cause and what you can control versus what you cannot control. There are multiple frameworks (Five Why’s, Drill Down, Fishbone Diagrams) to help you focus on the data/facts and not the symptoms. Following a robust methodology to solve the root cause will put energy in the right place and provide far more effective outcomes. Additionally, when looking to solve for the root cause, you should be aware both upstream and downstream of what impact those root causes could have on other areas of the value chain when implementing a resolution or fix.
d. Engage suppliers in risk management practices to enable visibility throughout your supply chain. This is especially important for organizations that have a high degree of supply complexity — e.g., large spend footprint or rely on outsourced products and services for competitive differentiation. High complexity of supply exists when a business provides specialized products/services to the market, has limited availability of supply and/or few suppliers exists, and is dependent on a long supply chain (multiple intermediaries/suppliers). In these instances, the business should develop partnerships with these “strategic suppliers” by providing these suppliers with forecasts, gaining visibility to their supplier’s capacity, and understanding their suppliers’ bottlenecks and risks, so that lead times and material availability can be managed to limit customer interruptions/shortages.
Regardless of your current forecast — and despite your best efforts to manage what is in your control — supply chain risk is here to stay. To protect market share, stakeholder value, and operating margins, it’s important that organizations set up a supply chain risk management strategy and approach tailored to their specific needs. Preemptively implementing preventive risk measures allows the C-suite to devote its time, energy, and resources toward building its business rather than continually evaluating what to do with the ashes after the next fire drill.
