Risk, as viewed as an exposure to a negative event, is a very broad and commonly used terminology. From the insurance industry, to medical services, to business operations, “Risk” is deeply ingrained in common vocabulary. With the recent global events, the question being asked frequently is how to effectively evaluate and manage risk when it seems that nearly everything is at risk?
Whether we are looking at risk for our organization from a localized or comprehensive level, a structured and disciplined Risk Management Program is key to the successful evaluation of specific risk exposures and the deployment of an effective Risk Management Plan. It is also important to understand that while many initial Risk Management Plans will look at a subset of Operations, Procurement, Process or Personnel; a comprehensive Risk Management Program will encompass a consideration of ALL aspects to an organization.
An effective Risk Management Program combines the evaluation of Risk – the likelihood and consequence of events, at any point in the organization, to disrupt the normal flow of supplies and/or result in negative impacts to downstream channel product flow and supporting infrastructure and services. With the deployment of Resiliency – the capability of a company or network to recover quickly and cost-effectively from an event and with minimal or no impact to the normal flow of supplies to the organization.
A Risk Management Program has four key elements that are tied together in a Risk Management Plan.
- Risk Identification
- Risk Assessment
- Risk Action Management
- Risk Reporting and Monitoring
This first step in the process, Risk Identification, can be a challenge for many organizations as it can be difficult to identify the “unknown-unknowns”. For example, the potential localized risk of fire, flood or tornado at your facility is a very common and quantifiable risk. We can estimate the cost of a building, loss of inventory and recovery time to resume operations. However, estimating the disruption in each segment of our supply chain that each of these more common events might cause makes the identification impact of risk more difficult. We only need to think back a few years to the tsunami which struck Japan to recall the many businesses and industries that were affected due to then-unknown lower tier suppliers who sustained damage or catastrophic loss when the wave hit.
Risk identification may also be a completely internal event such as the loss of a key team member with no backup capability or understudy. An ineffective or unresponsive process which leads to a poor response, or no response at all when an unplanned or unexpected event occurs is another simple example of an internal Risk. For example, in observing a supplier's gradual increase in lead time over a period of time without a suitable identification or alert to the organization.
Quantifying the probability of an event to happen (Occurrence) with its impact (Severity) and our ability to have advance warning (Trigger Rating) is the foundation of an assessment of Risk. These three measurements will allow the creation of a Risk Index Number, a mathematical way to quantify the impact of an event. The higher the Risk Index Number (or Risk Priority Number), the more severe of an impact an event will have on an organization and is also an indicator as to where actions should be taken to mitigate a risk (See Figure 1 Supply Chain example).
Figure 1: Supply Chain example
After potential risks are identified and assessed, they are evaluated and one or more techniques to manage or mitigate risks may be implemented:
- Avoidance (eliminate the risk or cease the activity)
- Reduction (reduce the likelihood or impact)
- Transfer (shift the risk to a third party)
- Retention (accept the risk as is)
A key component of this assessment and mitigation step is the development of a Recovery or Action Plan in the instance where a Risk Event has occurred. What will we do, how will we do it and who is responsible for seeing that it’s been done in a timely and correct manner would be included in this management assessment that is actively managed through the Risk Action Management Plan.
Figure 1: Supply Chain example
Risk Action Management
Execution of the risk plan is the point where Identification and assessment will begin to positively affect the organization. Risk Action Plans are developed and implemented. Risk Mitigation Plans for Suppliers, Vendors, Personnel and, yes, even Customers are put into place and validated. Trigger warnings, monitoring methods and data is monitored to provide advance warning of a potential or impending risk event. A key component of the success of this step is to accept that this is a continually evolving and maturing process. Risks will come and go, their potential severity will increase and decrease, sometimes in a matter of days. The cost of mitigation for the risk will change. With each of these issues, the Risk Index Number will change and a corresponding adjustment to the management of the Risk Plan and Program will be required.
Risk Reporting and Monitoring
All this work invested in identifying, assessing, quantifying and managing risk will not perform as expected if there is not access to timely, accurate and actionable information. Daily, and sometimes hourly updates, may be necessary to effectively monitor the risk triggers. Trigger Ratings are used to manage if specific events happen and drive a reaction to Risk Events. Testing of scenarios to validate the Risk Management Plans and Program should be a part of the regular testing of the Risk Management efforts to ensure an effective monitoring and response system.
The development and deployment of a Risk Management Program and the underlying Risk Management Plans have become a necessary component of comprehensive Business Continuity and Disaster Recovery planning efforts. Organizations with an eye on towards monitoring and mitigation of these risks should be expected to be positioned to better, and more quickly respond to Risk Events as they arise.
Contact IMEC for more information on Risk Management.