Operational Risk 137
market obsolete. Unknown risks could also be a fire that destroys a plant,
an attack on a plant, a weather event, and from Table 7.3, areas such as time
delays or any unforeseen disruption. An effective way to respond to these
risks is to develop and practice response scenarios, what we call business
continuity planning (BCP). The disconcerting aspect of soft risks is that
most companies do not develop or practice scenario response plans or risk
response plans. In fact, as you scan down the traditional remedies column
for the soft risks in Table 7.3, you will notice that almost all are reactive
rather than proactive.
Chronic Risks. The primary characteristic of chronic risks is that when
these occur they tend to cause only minor internal disruptions. They may
occur continually and because of the nature of their low impact, organizations
tend to absorb the risk and develop work-arounds. The disruptions
could be persistent and the root causes may not be obvious and therefore
become tolerated over time. Some of the risks from Table 7.3 that could
fall into this category include manufacturing yield, capacity issues, time
delays, human errors, and equipment failure.
Environment/Ecosystems Risk
The fourth risk pillar is probably the most immature pillar since there are
so many new government rules and regulations, weather events, and fraud
and corruption possibilities emerging around the globe. Furthermore,
most organizations are operating global supply chains in areas where
they've never operated before. This is all in an effort to grow top-line
revenues and penetrate new markets. Globalization strategies bring additional
risk, which Table 7.4 profiles.
Known Risks. In this arena we could categorize risks such as currency
rates, customs regulations, environmental regulations, industry regulations,
and country regulations. We may not like all the regulatory statutes
placed upon us, but they tend to be known and developed over a wide time
span, thus providing organizations ample time to prepare for and comply
with these rules. Many companies do not have the skill sets to understand
and manage all the rules and regulations and therefore rely on 3PLs and
freight forwarders to ensure compliance. One caveat before we move to
the unknown risks is that all companies have a distinct style and attitude
regarding risk, and sometimes their risk appetite is not what it should be.
Subsequently, they may or may not choose to adhere to all the rules.
138 • Supply Chain Risk Management: An Emerging Discipline
Unknown risks. Risks within this category could be political, weather
and acts of God, fraud, corruption, counterfeiting, and competition. The
bulk of these risks is mitigated and managed through the use of scenario-based
planning approaches, be it at a specific facility level or throughout
an entire supply chain network. Most of the unknown or soft risks in this
category can and should be planned for using scenario-based BCP or risk
response plans. However, a few of these risks, such as fraud, corruption,
theft, and counterfeiting lend themselves to a more reactionary approach.
Historically, almost every soft risk is event-driven in nature. Theft has
traditionally been a reactionary risk, followed by countermeasures, incident
follow-ups, and bulletins to recover the loss. Counterfeiting has traditionally
been much more of a sensitive subject, because based on the
industry, when it occurs governments tend to get involved to protect citizens.
And fraud and corruption is a sensitive subject since no company
wants its brand on the news or the web for the wrong reasons.

TABLE 7.4
Environment/Ecosystem Risks

| Environment/Ecosystem Risk | Cause | Horizons | Traditional Remedies |
|---|---|---|---|
| Currency exchange rates | Central banks, country issues, conflicts | Both | Use of financial hedging techniques |
| Political environment | Conflicts, political upheaval | Both | Calls with country officials, tapping own government contacts |
| Customs regulations | Improper paperwork, poorly packaged material, terror | Both | Use of 3rd party logistics partners, conversations with customs, enhanced paperwork |
| Weather/acts of God | Floods, tornados, hurricanes, fires, volcanoes, war | Both | Disaster insurance |
| Environmental regulations | Lack of discipline, failure of audit, poor management and diligence | Both | Excessive overtime for remedial compliance |
| Industry regulations | Same as above | Both | Same as above |
| Country regulations | Same as above | Both | Same as above |
| Fraud/corruption | Country policies or lack-thereof, suspect partners, misrepresentation by 3rd party contractors | Both | Fines, penalties, shutdowns and remedial policy enhancements, including discharge |
| Counterfeiting | Same as above | Both | Same as above, including alternative sourcing and partnerships |
| Competition | Lack of focus, poor company communication, poor product introduction process, poor execution | Both | Price reductions, marketing promotions, customer visits, enhanced product portfolio and extended warranties |
When these so risks emerge, whether inside or outside a company,
organizations should address the issue as quickly as possible. Many fraud
events emanate from within the organization and are dealt with quietly
using third- party fraud investigative companies. When fraud, bribery, and
corruption emerge outside the organization, in countries where a com-
pany’s products are being manufactured or sold, that’s when the brand is
most at risk. e bottom line in this area of risk is that it will continue to
grow in terms of scope and scale as long as companies continue to pen-
etrate new global markets. e approaches to manage these risks will also
continue to emerge and perhaps migrate from reactive to more proactive
in nature. We’ll share many of those new proactive approaches in subse-
quent chapters.
BUSINESS CONTINUITY PLANNING
Adopting a business continuity plan (BCP) is the start of a journey that
ensures continuous operations of critical processes within a company and
expands to include critical suppliers as the program matures. It is a concept
that is absolutely central to effective risk management. In reality, this topic
could appear in one of many chapters. We simply made a decision to place
business continuity planning in this chapter because so many supply chain
risks are operational in nature. Before describing business continuity planning
in detail, we will define some important concepts and definitions.
Business continuity is the process of planning for and implementing
procedures that are designed to enable continuous operations of critical
business processes and functions. Incident management is the process that
is responsible for guiding the company through an incident or disaster and
executing the overall business continuity plan. The incident management
team focuses on incidents that have escalated beyond emergency response
and that could impact business operations (i.e., business continuity). The
responsibilities of the incident management team include the following:
• Activate department business continuity plans and disaster recovery
  plans as appropriate
• Make workplace recovery decisions
• Activate disaster recovery decisions
• Allocate resources among recovering departments/groups
• Coordinate efforts between recovery and response teams
• Approve disaster-related purchases
• Develop and distribute messages to employees, customers, and vendors
• Provide direct updates to the executive team
• Carry out governance board and executive directives
Emergency response is the process that is responsible for human and life
safety issues during an incident. The emergency response team leads the
evacuation and assembly or shelter-in-place activities.
BUSINESS CONTINUITY PLANNING OBJECTIVE
5
The objective of a business continuity plan is to ensure the availability,
reliability, and recoverability of business processes servicing a company's
customers, partners, and stakeholders. In order for business continuity
to be effective, it must be an integral part of the business planning
life cycle. Whenever business changes impact a process or function,
business continuity considerations must be evaluated and adjusted
as necessary to understand the effect to existing recovery strategies
and plans. We all make plans based on trade-offs of cost and benefits.
Business continuity formalizes a company's overall approach to effective
risk management and should be closely aligned to a company's incident
management, emergency response management, and information technology
disaster recovery. Successful business continuity management
requires a commitment from the company's executive team in order to
show commitment, raise awareness, and implement sound approaches
to build resilience.
The Business Continuity Life Cycle
The business continuity life cycle includes six stages:
1. Governance
2. Business Impact Analysis
3. Risk Assessment
4. Recovery Strategies
5. Business Continuity/Disaster Recovery Planning
6. Test and Verification
Governance. Senior management involvement and support are critical to
the success of a company's business continuity program. Executive buy-in
enables the business continuity program to be in alignment with the company's
strategic direction and business objectives. This also ensures that
the program is able to obtain appropriate resources and visibility. Without
adequate senior management involvement and support, a business continuity
program risks losing effectiveness and alignment with business
strategy, misspent or unfit resources, gaps between capability and requirements,
or in the worst case, senior management eliminating business continuity
altogether because they do not see the value in the investment.
A key component for governance is the creation and enforcement of
business continuity standards and policies. These standards and policies
outline the what and how of business continuity. This allows for program
consistency across the company and supports corporate audits. The governance
board has the responsibility to support and oversee the business
continuity program.
No company can implement a robust business continuity program overnight;
it can take years for a complex global company to fully implement
a business continuity program. Business continuity is a journey that must
be evaluated, maintained, and aligned with an organization's three- to
five-year strategy. The governance board is responsible for business continuity
oversight and direction; the board is in charge of the journey.
Business Impact Analysis (BIA). A BIA is a methodology to identify
critical business processes and functions based on operational and/or
financial impacts. This is accomplished by interviewing business process
owners and asking them to describe their business processes. This interview
includes the identification of critical resource requirements (staff,
equipment, etc.), vital records and data, along with internal and external