The COVID-19 pandemic pushed risk to the top of virtually every corporate agenda. For the first time in about 10 years, most executives (95%) said they had formal supply chain risk management processes, according to a November 2021 McKinsey study, “How COVID-19 is Reshaping Supply Chains.” McKinsey also found that 59% of the companies said they adopted new supply chain risk management practices over the past 12 months. And a small portion of the companies (4%) set up a new risk management function from scratch. Almost all respondents said they had strengthened existing capabilities.
As supply chain risk and resilience (SCR&R) evangelists, we at the Supply Chain Risk Management (SCRM) Consortium found this report to be very encouraging. For the past 13 years, the SCRM Consortium has been building out a body of knowledge in supply chain risk and resiliency in an effort to lead, guide, direct, and coach companies toward successful SCR&R journeys. Over the last three years, we’ve witnessed more companies exercising many of the best practices that we profiled in our book, Supply Chain Risk Management: An Emerging Discipline, back in 2015.
Because COVID has had such an uneven and devastating effect on almost every industry, the watch word during these past few years has been “resiliency.” At the SCRM Consortium, we believe that “A resilient enterprise has the capacity to overcome disruptions and continually transform itself to meet the changing needs and expectations of its customers, shareholders, and other stakeholders.” That is a very tall order. However, in the last few years, we have seen a very robust dialogue among our clients, in our workshops and webinars, and on our social media, covering the strategies of effective or resilient supply chains versus those of super-efficient supply chains. These discussions have covered nearshoring, onshoring, just-in-time versus just-in-case, and the merits of Lean. There has also been a focus and commitment to identifying risks and building out supply chains that can weather several types of risk events. All of these discussions have been in an effort to reinforce resiliency throughout the entire industrial supply chain. This includes U.S. Congressional acts allocating funding to foster more secure, resilient, and strategic supply chains across multiple industries.
However, there is no one-size-fits-all strategy that can be implemented to create a resilient supply chain. Rather, in the supply chain risk and resilience arena, there’s no right or wrong answer—just different answers across every company. It is important to customize your supply chain risk management and resiliency strategy to fit your own operations. To do that effectively you need to understand three things:
- Your risk maturity, or where you currently are in terms of risk management practices;
- Your risk appetite, or who you are in terms of your tolerance for risk; and
- Your culture, or how your supply chain operates.
These three threads are critical to the success of an SCR&R journey. Why? If you don’t know where you are (maturity), who you are (appetite), and how you operate (culture), your SCR&R journey success is at risk.
Risk maturity: Where are you?
A key part of creating a SCR&R strategy is knowing where your company currently is in its risk and resiliency journey and how that compares with other companies. To help companies with this, our Consortium has created a five-stage maturity model (see Figure 1). By knowing where you are currently and what your next steps are, your company will be better able to operate in an era of volatility, uncertainty, complexity, and ambiguity (VUCA).
Stage 1: Foundational. In this stage, companies have little or no awareness of risk management or formal education on the tools, techniques, and solutions that are available today. Companies in this stage should develop supply chain processes that incorporate risk and resilience best practices.
Stage 2: Visibility. Visibility and awareness of risk across the supply chain is an important step. Here, transparency is generated across the supply chain—both upstream to suppliers and downstream to customers. The ability to become aware and respond faster than competitors to risk events is a critical success factor.
Stage 3: Predictability. At this stage, companies have the capability to test supply chains in terms of “what-if” scenario planning. Network modeling and mapping tools provide a view into how supply chains might react to risk events. The insights from these tools help companies create risk response plans. Exemplary companies at this stage proactively identify risks through alerts, assess them using digital twin models, and mitigate them (or even turn risks into opportunities).
Stage 4: Resiliency. Risk management leaders now embed their tools, techniques, and key risk indicators into daily supply chain decision-making processes. These frameworks, protocols, metrics, and organizational structures provide a foundation for operational excellence in risk management and building a resilient enterprise.
Stage 5: Sustainability. Companies build upon their organizational infrastructures through corporate frameworks such as enterprise risk management; governance, risk and compliance; and process standardization. Leaders continually assess their risk profile and leverage their knowledge database to improve processes.
Like any major corporate process, supply chain risk and resilience management requires continuous attention and improvement. Leaders who are ahead in this maturity model will fare much better than their competitors.
Risk appetite: Who are you?
Another key factor to consider when creating a SCR&R strategy is how your company views risk in general, or what its appetite for risk is. McKinsey, in its “Risk Report of 2017,” defined risk appetite as “the aggregate level and types of risk a board of directors and management are willing to assume to achieve its strategic objectives and business plan, consistent with applicable capital, liquidity, and other regulatory requirements.”1
Based on that definition, we’ve provided a profile of what we call the four risk perspectives or appetites, which you can read on the right of Figure 2. The key to understanding the different perspectives lies in the x– and y–axes. On the y–axis, is how a company might perceive risk. At the bottom of the y–axis, the perspective is somewhat risk averse, meaning, the company attempts to avoid any initiative that creates a risk to the bottom line. Moving higher on the y–axis, a company might perceive risk as an opportunity. The x–axis represents the risk strategies/tactics that tend to support the four risk appetite perspectives: nothing, seek to control losses, risk steering in which all decisions are driven by a careful cost/benefit analysis, diversifying, and risk acceptance. There’s no right or wrong risk appetite for a company to have, just differences.
Culture: How do you operate?
Finally, risk, from the Consortium’s point of view, is all about culture. When it comes to devising a SCR&R strategy, it’s important to remember what the world-renowned management guru Peter Drucker allegedly said: “Culture eats strategy for breakfast.” In other words, even the best devised risk and resiliency strategy will fail if it runs counter to a company’s internal culture or how it actually operates.
One way to think about a company’s culture is using the SCRM Consortium’s Operational Propensity graphic, which is shown in Figure 3. We call this graphic: “What’s the shape of your kite?” It uses four characteristics (shown around the edges) to define a company’s culture: speed, external focus and differentiation, agility, and stability and control. The four edges help define four different personas: bureaucratic, trapped, agile, and startup.
No company or organization is all one type of persona, but a company does tend to have an overwhelming propensity in terms of operational style and attitude, which we call the “longest shape of the kite.” The company depicted in this example is mainly bureaucratic, or slow to react and focuses on efficiency. However, the graphic also shows that the organization does have some startup qualities and push for collaboration. Again, there are no right or wrong kites here, just different ones.
Putting it all together
To help companies conceptualize these three key threads, the SCRM Consortium built an online survey, consisting of 92 questions covering risk perspectives, risk processes, risk maturity, risk appetite, and operational propensities. We advocate that companies have five to eight company executives from multiple disciplines take the survey to provide differing perspectives revolving around risk. The answers to the survey questions are then run through artificial intelligence/machine learning (AI/ML) algorithms, which produce:
• A computer-generated graphic positioning the company within our five-stage risk maturity model (where you are);
• A computer-generated graphic depicting your risk appetite (who you are);
• A computer-generated graphic profiling your operational propensity/culture (how you operate); and
• Five to eight action items, based on the above positioning, to move the company forward on an SCR&R journey. This is all encapsulated within a 90-Day SCR&R hardcopy report, packed with insights for a successful SCR&R journey.
The online survey and risk assessment tool helps the Consortium sit with clients and guide them on their risk journey. Typically, there are process checkpoint calls throughout the 90-day project, which includes hours of coaching.
Dow’s engagement
Many companies have used this tool to help them plot out their SCR&R journey, including the materials science company Dow. A global company with annual revenues of over $55 billion in 2022, Dow produces a large portfolio of products including plastics, industrial intermediates, coatings, and silicones at 104 manufacturing sites in 31 countries.
Dow’s executive risk teams have been in place for decades. They have been identifying and assessing risks for operational projects in logistics, procurement, manufacturing, and finance across multiple business units. Dow’s corporatewide approach has been to have its Global Security Operations Center (GSOC) manage external threats.
Recently the company has been trying to better understand what risks there are relative to the company’s own processes as well as how its employees think about and approach risk. As part of that effort, Dow used the Consortium’s online SCR&R assessment tool to profile a major product line’s as-is SCR&R maturity level, risk appetite, and operational propensity/culture.
A small group of Dow executives engaged in the online survey. It took Dow about 30 days to get 100% completion. The executives were from Risk Management, Supply Chain, Logistics, Engineering, the Tech Center, Finance, and Analytics. The feedback from the Dow team aligned very closely with the AI/ML computer-generated graphs depicting where they are on the risk maturity model, who they are from a risk appetite perspective, and how they operate. The SCR&R assessment tool report produced a 90-day plan and recommended new metrics for measuring supply chain resilience at Dow. The table in Figure 4 represents Dow’s future state metrics going forward in this space, identifying key performance indicators for each stage of the risk management process including: sensing a risk, interpreting it, generating alternatives, deciding what action to take, and executing on the action.
Dow’s experience with the SCR&R Assessment Tool is very reminiscent of other companies that have used it. The concept of using current risk maturity level, risk appetite, and culture to help formulate a SCR&R strategy has proven helpful to executives across multiple industry sectors, including consumer packaged goods, software, electronics, industrials, health care, and chemicals.
Risk and VUCA
It’s clear that we are operating in an increasingly complex and interconnected business environment that is experiencing many rapid and unpredictable changes. Often times it can be difficult to judge what these changes might mean for the future of our organizations. Some people describe this environment using the acronym “VUCA,” which stands for volatility, uncertainty, complexity, and ambiguity. In a VUCA world, supply chain risk and resilience become more important than ever.
While identifying and assessing risks is an important start on the supply chain risk management journey, it’s not enough. Unless you take real action, risk identification and assessment end up being only academic exercises. To truly know how your company should act to mitigate or manage those risks, you need to first understand where you are on the risk maturity curve, who you are in terms of risk appetite, and how you operate. Otherwise, you might create a plan that does not match your particular organization’s operations and needs. Only by understanding your risk maturity, appetite, and culture can you hope to realize the benefits of risk mitigation and management, which include cost reductions, cost avoidance, top-line revenue growth, market share growth and working capital improvement.
Notes:
1.McKinsey on Risk, No. 3 (June 2017): https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/mckinsey-on-risk/mckinsey-on-risk-number-3-summer-2017
