What's over the horizon?

Supply chain leaders need to look over the horizon and anticipate. Sometimes what's over the horizon is a rainbow. Sometimes it's a tsunami. In either case, we need to be ready.

We call that process, supply chain risk management.

The U.S. Government Accountability Office (GAO) has a good way to structure the process. Late in 2016, the agency issued a publication with a holistic approach to risk management.¹ This government-sponsored research laid out simple framework to address the broad issue of risk at the organizational level. Although GAO framed this as a six-step process for overall enterprise risk management, it can be cascaded seamlessly to supply chain risk management.

By looking into the risk management practices found in different government agencies, GAO identified six key practices that, when joined together, create an effective risk management process.

1. Align the risk management process to the organization's overall goals and objectives. This step requires the full engagement and commitment of senior leaders because they play an active role in the goal-setting process. Their involvement also demonstrates to staff the importance of risk management.
2. Identify risks. In order to assemble a comprehensive list of risks, it is important to develop a culture where all employees can effectively bring attention to risks and are able to connect these risks to the organization's higher-level goals and objectives.
3. Assess risks. To help prioritize the risk, the organization needs to assess its probability and potential magnitude.
4. Select appropriate risk response. When creating a response or mitigation program for a risk, organizations should make sure it fits into their overall management structure, culture, and processes. Risk cannot be managed in isolation.
5. Monitor risks. Because risks are constantly changing, organizations should continuously monitor for and manage them. As a situation evolves, so will the organizational posture.
6. Communicate and report on risks. Organizations should share information with internal and external stakeholders on the risks that they have identified and the steps that they are taking to address them.

While GAO presents these ideas as a step-by-step sequence, the recommendations really describe an integrated and anticipatory oversight process. Good supply chain risk management strategies forecast, rather than react. Once upon a time, risk management was about "rolling with the punches." Today, risk management means anticipating events before they happen and avoiding the issue rather than reacting to it.

Forecasting means moving beyond reacting to traditional disruptions. Traditional supply chain disruptors include problems like missing shipments, hurricanes, strikes, and equipment failure. But to be more fully in control, we need to think about larger issues that might create vulnerabilities. Let the imagination roam. Tariffs? China taking over the South China Sea? North Korea meddling in communications or the Internet? All of these could happen, with a profound ripple effect.

This means that we all need to develop the ability to look over the horizon. That capability needs to be cascaded through all the layers of the supply chain and be held by everyone.

Alternatively, we may want to reduce the complexity of the supply chain by eliminating layers or pulling sources of supply closer. The word that supply chain risk managers need to apply is simplicity.

The danger of "silo thinking"

Today, when considering operations, supply chain experts think end-to-end, not in silos. Supply chain risk management should not be any different. But that's sometimes not the case.

Let's consider the approach taken by the National Institute of Standards and Technology (NIST), formerly known as the Bureau of Standards. Around the same timeframe as the GAO report, NIST published a bulletin called, "Supply Chain Risk Management Practices for Federal Information Systems and Organizations."² The abstract for the bulletin says, "Federal agencies are concerned about the risks associated with information and communications technology (ICT) products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the ICT supply chain."

While NIST's report asserts that it is about supply chain risk management, it isn't. Like the approach found in many government offices, the NIST policy treats supply chain risk as a cybersecurity issue. There is a cyber element in supply chain risk management, to be sure, but the topic of supply chain risk is broader than cybersecurity. Supply chain risk management extends beyond the cyber world and includes the physical.

Somewhere between the GAO high-level approach and NIST's narrow view lies the challenge for all of us: Understandthe layers of your supply chain, gather the data, analyze, characterize the processes, prioritize, and get to work.

Notes:

1. "Selected Agencies' Experiences Illustrate Good Practices in Managing Risk," GAO-17-63, a report to the Committee on Oversight and Government Reform, House of Representatives, https://www.gao.gov/products/GAO-17-63

2. "Supply Chain Risk Management Practices for Federal Information Systems and Organizations," NIST Special Publication 800-161, https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-161.pdf