Operational risk is commonly defined as “the risk of loss from failed or inadequate processes, people or systems or from external events”. These four categories represent the four cause categories of all operational risk. Root cause analysis, which forms a key component of Bow Tie Analysis or Fishbone diagrams, requires repeatedly asking “but why” a risk incident or event happened. We ask “but why” until the answer is “it just is” or the answer is “outside of our influence”. Where it is outside of our influence, it usually forms part of the “external” cause category. This category covers those risks that are driven by events external to our organisation. However, this approach may lead us to overlook whether we can:
- Increase our sphere of influence outside of our own organisation.
- Collect risk data from outside our organisation so that we can detect developing risk earlier.
This article looks at increasing our risk management awareness, processes, capabilities and influence across the broader supply and delivery chain so as to make our risk management more proactive and widespread.
Supply Chain Risk Management
Potential risks emanating upstream from an organisation’s suppliers who provide faulty products or components are many and varied. Examples include the reputational damage and costs associated with events such as:
- Airline engine failures due to manufacturing faults.
- The use of child labour and the poor treatment and pay of employees in Bangladesh servicing the clothing sector.
- Illegal chemicals or unsafe practices being used in the food supply chain.
- Suppliers that are non-compliant with bribery, corruption and money laundering laws.
The causes of these risks may be external to an organisation, but the organisation still owns the risks because it has the potential to be adversely affected by them.
Delivery Chain Risk Management
Risks can also arise downstream from the organisation. Examples include:
- The contagion effect of supplying undesirable customers (arms dealers, money launderers).
- Warranty risks due to changes in consumer protection laws imposing the warranty obligation on the local wholesaler or retailer if the manufacturer is offshore.
- Negative widespread social media commentary associated with poor or unsafe products.
Expanding the Scope and Reach of Risk Management
So how do we expand the coverage of our risk management further upstream and further downstream? Subject to a number of potential issues, discussed later, we should consider the following with our suppliers and customers:
- Carrying out a comprehensive up-front risk assessment of key suppliers and customers as part of initial due diligence and assessment. At present, this is often the only step undertaken by many organisations.
- Carrying out ongoing risk assessments and audits with our suppliers and customers, or at least being provided with the results of internal assessments.
- Obtaining ongoing key risk indicator information from our suppliers and customers.
- Obtaining evidence of key control assurance.
- Obtaining attestations as to compliance with legislation and internal policies.
- Establishing a systematic means for notification and monitoring of incidents that pertain to the organisation and / or supply chain issues.
- Including the relevant information collection requirements and assessments in any supply or delivery contract / service level agreement.
Issues to Consider
There are a number of issues to be addressed before developing such a supply chain risk management process, including:
- Will the supplier or customer agree to provide the requested data and allow independent risk assessments? This will sometimes come down to the size of the supplier or customer relative to the organisation and who has the most “muscle”.
- Are there any regulations around Know Your Client / Know Your Supplier? Such legislation can help enforce greater information capture.
- Ensuring relevant privacy laws are addressed.
- What is the motivation for the supplier or customer to supply the requested information? This may simply be the desire to be a supplier or customer. In addition, a pricing incentive may be offered if the relevant data is provided.
- What is the cost and effort involved in developing and managing a supply / delivery chain risk management process?
- What systems solution is required?
How can Protecht help?
Protecht.ERM is perfectly placed to support the expansion of your risk management upstream and downstream. It is provided as software as a service, and our advisory team can work with you to quickly establish or enhance your supply chain risk management capabilities. Start capturing supply chain risk management data more efficiently, improve your monitoring processes and report on them more effectively.
If you wish to discuss the topic further or would like more information on how Protecht can help you better manage your supply chain risk, contact Protecht via email firstname.lastname@example.org