The coronavirus (COVID-19) pandemic has emphasized just how important risk management is to supply management organizations. But risk management is a critical process, no matter the circumstance. When done right, it enables practitioners to proactively react and make informed decisions as they confront situations that threaten organizational strategies.
Although many supply managers think of it as a negative, risk is just another word for uncertainty — which can manifest itself as either an opportunity or a threat. By managing risks, a company’s opportunities are more likely to come to fruition while threat impacts are reduced.
Defining Risk
There are three components to risk: An event that may or may not happen, the probability of the event’s occurrence, and the impact of its occurrence. The equation — an event’s probability multiplied by its impact equals risk exposure — is widely used to express risk.
An organization’s risk appetite or aversion plays a critical role on how it accepts risk and manages its portfolio. Organizations typically go through five steps — risk identification, analysis, prioritization, response development and strategy execution — when managing the risk process.
1) Risk identification. Create a comprehensive list of potential risks. Be specific and fully define each risk. This can be done by a leadership team or groups of team members.
2) Risk analysis. Quantify and/or qualify each identified risk for probability and impact and review the analysis with team members. A qualitative approach is quick and easy. It’s not as precise as a quantitative approach, which, however, has several drawbacks. The process is more time-consuming and can be misleading. Another consideration: Team members might be reluctant to commit to a number, even though it allows for a more robust strategy response.
3) Prioritization. Rank the identified risks according to the most severe impact on the organization. When possible, quantitative rankings are preferred; otherwise use qualitative rankings.
4) Response development. Develop a comprehensive plan to address each of the top 10 to 15 risks. Play with “what if” scenarios and create as many alternative outcomes as possible. Because risks rarely exist in isolation, evaluate strategies for each risk to understand how your response will affect other risks or parts of the business.
The response strategies: (1) acceptance, if risk exposure is acceptable to the organization, (2) mitigation — lowering the probability and/or impact of the risk occurrence, (3) deflection — transferring all or part of the risk to a third party, like a subcontractor and (4) avoidance — eliminating the source of the risk. 5) Strategy execution. As risks become actual events, implement the chosen strategy. Keep the team informed throughout and reevaluate the process as appropriate. Additionally, monitor any actions initiated during the response phase.
A Closer Look
When risk isn’t properly planned for, monitored or addressed, organizations set themselves up for failure.
Consider the example of a multibillion-dollar global company that performed an enterprise-wide risk assessment. When results were presented to the executives committee in 2017, the CEO said his No. 1 risk concern — a pandemic — wasn’t on the list. While the probability of an occurrence was moderately high, the impact from a pandemic would be catastrophic for the business. So, a pandemic was added to the list of risks.
The CEO eventually departed the company. Afterward, senior management minimized the risk of a pandemic and deleted it from the list. Fast forward to the first quarter of 2020: Impacts from the coronavirus pandemic have caused the company to lose 67 percent of its market value. It now faces having to wind down operations.
Practical Applications
Prepare to handle a variety of potential risks by considering these scenarios:
Scenario 1: Enterprise-wide focus (rapid assessment). Take a holistic approach by assessing risk impact on the entire business strategy and objectives. During the risk identification and analysis phase, use a top-down approach. Schedule individual interviews and ask interviewees to provide four to six risks to the organization. The deliverable is an enterprise-risk registry, including risk drivers and potential impacts.
During the risk prioritization and response phase, conduct a workshop with management focusing on assessing (1) impact, (2) likelihood and (3) perceived management preparedness. Then, rank risks and determine appropriate risk responses. Ask senior executives to review and rank identified risks, using an anonymous voting tool. The deliverable is an enterprise-risk heat map based on risk exposure and mitigation opportunities.
Scenario 2: Project focus. Use each component of the work-breakdown structure to create a list of potential risks. This way, the assessment will cover all aspects of the project. Proceed to the risk-prioritization, response-development and strategy-execution stages.
Scenario 3: Category focus. First, select a category and subcategory to be addressed; for example, chemicals as the category and active pharmaceutical ingredients (API) as the subcategory. Next, define your organization’s critical APIs and their sources (in this case, manufacturers).
Develop criteria for evaluating each API. For example, include the API manufacturer’s country, lead time and suppliers’ total capacity versus your requirements, among other factors. Rate each criterion on a 1-to-5 scale, with 5 being highest, and provide a definition for each rating. (Concerning lead time, a rating of 1 might indicate an immediate turnaround while 5 signals a long lead time.) Assign a weighting to each criterion, with 5 equaling high importance. For each API, multiply the rating by the weighting to get the score.
Then, plot all APIs based on their total scores. When developing a risk response, start with the highest priority APIs and work downward.
Most companies manage risks on a reactive basis. A proactive five-step approach to managing risk, however, can significantly decrease the likelihood of surprises while increasing the likelihood that your company’s strategies will be achieved, no matter the situation. In addition, such an approach will lead to increased communication among stakeholders and leadership, as everyone will be aware of the risks the organization faces and can make decisions based on an informed, risk-based methodology.
Comentarios