by Peter J Blok, PhD CSCP, CLTD, PMP, LSSMBB
All mitigation strategies are not created equal.
Most organizations have some risk mitigation strategies in place. Often, these are resident in different places depending on what elements of risks are being considered. Corporate finance often manages catastrophic loss with insurance. Elements of performance and operational risk are often covered, at least in part, by policies in materials management and purchasing. The quality and compliance groups administer quality agreements and perform audits. Rarely are the details of these plans and policies known by the business leaders who are responsible for the business unit’s performance. It is also not often that all these plans are located in a place where everyone knows where and how to get information when needed.
Part of the risk management process is to assess any mitigation plans against the risk profile for the product. With the Risk Profile, there is now a quantifiable method to determine what risks the mitigation plans should focus on.
The next measure is assessing how well current mitigation plans address the risk items. For this, management must set standards for levels of risk acceptability. Plans must also be audited to ensure all the elements of a successful strategy have been included. Some of these elements include:
- identified team members with clear organizational roles and responsibilities
- detection and response team communication plans
- identification of resources, their location, and how to access them
- policy provisions and authorization channels for limits, if any, on the company’s responses
- public and internal communication protocols, as appropriate
- escalation protocols
- constraints in regulatory filings as well as commercial/import & export licensing
Very good plans will also have information on early detection/anticipation of events and situations.
Where to put your risk management dollar
Every business has limited resources and that’s never been more true than today. What is equally true is that our supply chains have been extended, made more international, and include more outside resources than ever before.
A practical approach to risk management is in order. Companies need to spend time, effort, and money on those areas of higher risk.
Developing Remediation Action Plan
Should a firm decide to examine supply chain risk, developing a remediation action plan is one mechanism to effectively control costs and ensure teams focus on priority items . The plan is a tool for the project team to highlight areas requiring attention. The plan is a result of examining the current supply chain, the current risk management and response process, and the robustness of the current plans against the risk profile.
There are many ways to come up with the priority plan. Mathematical tools are one method that can take bias out of the process. Good critical management review is, of course, always part of this process. Whether a rigorous mathematical technique is used or one more favoring judgment, it is important to that the analysis be complete it before new plans or processes are developed.
Mitigation Plans are not enough.
When executing a supply chain risk management project, resources are strained, and project budgets are spent. There are always pressures to bring things to closure quickly. Write up a new plan, distribute it, and close out the project is a typical process.
Unfortunately, a shelf full of plans is not enough. A successful risk management process needs to have some critical characteristics:
The overall process should be robust and self-sustaining. The process should be responsive to the changing business environment and variable dimensions of global risk. The process should be simple to maintain and operate, with minimal burden on existing resources. It should also be consistent with other business processes in common use, and capitalize upon existing knowledge and infrastructure.
- Everyone involved should be trained and competent in the operations of the processes.
When implemented a complete process should have three elements:
- Robust mitigation plans, centrally located and available to all that need them
- Risk response process with team members, roles, communication tools, and guiding policies clearly identified
- Risk Management Maintenance process to assure that the plans in place are current and reflect the supply chains, processes, and people currently involved in making and bringing the product to market.
Are Your Plans Robust?
Qualification of Remediation Plans
Prior to approving and communicating a risk mitigation plan, that plan should be tested as a conference room pilot. The test should include critical team members, subject matter experts, and critical suppliers. The testing process can involve scripts and scenarios developed by a few project team members and executed by others. In this way, an unbiased test of the process is performed.
Is Your Risk Management Process Sustainable?
To ensure the RM process is self-sustainable it needs to be supported with a maintenance process. The process should be easy to use and as familiar as possible. To that end, we’ve modeled our process after the change management life cycle that is common in the life sciences. (figure below) In the first three steps the maintenance process looks at the change event in the supply chain and develops an appropriate updated risk mitigation strategy. The fourth step is the validation/qualification step discussed earlier. It’s in place to ensure the proposed strategy works properly. The final step is the formal rollout of the updated mitigation strategy. This step requires the new information to be communicated to the appropriate persons in the supply chain, commercial, and financial teams. Impacted suppliers and contract service providers should also be included in these communications. If there are major changes, formal training may be necessary.
RM Maintenance Process
In addition to plans becoming static, business processes and the people who run them can also become static. To ensure the organization can respond, a periodic risk event response drill can be run. This can take the form of an internal audit. It should test participants’ awareness of plans and policies, communications channels, and escalation mechanisms. Ideally, the test should include suppliers and service providers critical to your supply chain.