By Professor John Gray
Tsunamis. Nuclear disasters. Factory fires. These are the kinds of cataclysmic incidents companies often label “100-year events,” putting even the best risk management infrastructures to the test and leaving an indelible stamp on the businesses that survive.
For companies with global reach, however, these so-called 100-year events can occur with striking regularity. For a firm operating in 30 independent regions, the likelihood that they experience at least one “100-year event” in one of those regions in a given year is over 25 percent. Considering each year independent of the other, this company in a half-decade will have a nearly 80 percent likelihood of experiencing at least one 100-year event, making the unpredictable seem, on the contrary, quite predictable.
The incidents themselves don’t indicate a company has taken undue risks or “failed.” In the end, what separates firms with strong risk programs and those with weaker ones is the degree to which they’re aware of risks they face (and have reduced these risks where appropriate), how they detect those risks, and how they respond when an event occurs.
One Columbus, Ohio-area company, Delaware-based industrial packager Greif experienced its own collision with supply chain risk when one of its plants in Turkey was taken over in the spring. News reports described the takeover as “led by a small radical group of individuals,” reportedly communist workers. The takeover and subsequent plant closing will cost the company $27 million this year, no small change for a firm whose 2013 net income was under $150 million.
From an outsider’s perspective, such an incident can raise many questions: When the company chose Turkey, were these risks considered in comparison with other locations? If they were, how was the risk incorporated into the decision? If not, would they have changed course if this possibility hit the radar? Once the plant was operational, what disruption mitigation plans were implemented? And finally, were there any opportunities for prevention?
It is important to note that Greif already has a well-structured and comprehensive risk management system in place, driven by risk management teams for each strategic business unit. They’re the source of regular monitoring of economic, political and regulatory changes that might impact operations along with education, auditing and compliance management for the company’s global footprint. Even with such a system in place, this incident still occurred, illustrating a brutal truth about supply chain risk management: You can do everything right and will still experience adverse events.
Doing everything right starts with a program that includes four key elements: Assessment, planning, detection, and response.
- Assessment is crucial as the supply chain is being designed, but it is impossible to assign expected costs to all potential supply chain risks. Companies often use a “red-yellow-green” or slightly more sophisticated coding system to supplement the analysis of quantifiable costs. Assessment also includes evaluations of “time to recover” ( TTR) and “revenue at risk” (RAR) (which goes by other names, including revenue impact and risk exposure) for a given site, which are critical for planning.
- A key aspect of Planning is Business Continuity Plans (BCPs), which outline steps to be taken in the event of foreseeable disruptions. This is also where firms invest in risk mitigation (for example, owning extra inventory or developing a second source for a component). TTR and RAR provide the justification for such investments.
- Detection is learning about risks as soon as possible, ideally while they are still developing.
- Finally, Response is the “real-time” work after an incident has occurred. Firms with sophisticated supply chain risk systems have “playbooks” to improve responsiveness to many possible incidents.
In the aftermath, companies faced with challenges similar to Greif’s typically revisit their location-related risk management programs and often face another classic problem of risk management: Return on investment. Because quantifying all risks, even probabilistically, is impossible, quantifying ROI is not feasible. Because of this, firms may overinvest in risk management plans after an incident hits close to home, and then scale back programs, ironically, when they have been effective at reducing risk. The general belief in the context of investment in supply chain risk managements currently seems to be “more is better.” As most firms historically have neglected this area, that’s probably a good thing. At some point, though, especially after periods of quiet, CFOs may start asking what return they are getting on risk mitigation plans with such as multiple/backup sources, extra inventory, and a staff working on plans they hope will never be used. Supply chain risk managers will likely need to rely on more and better data on the likelihood and costs of supply chain risks, not just for internal planning but for justification of risk-reducing investments. With the “big data” trend, consultants, entrepreneurs, and even insurance companies are stepping up to try to fill this need. It is far from clear whether supply chain risk will ever be quantifiable enough to develop accurate ROIs for risk-reductions , but it is likely firms will continue to get incrementally better. That’s all anyone, even the CFOs, can ask for.
Professor John Gray is an associate professor of operations at the Fisher College of Business and an affiliated faculty member of The Risk Institute. Prior to receiving his PhD from the Kenan-Flagler Business School at the University of North Carolina – Chapel Hill, he worked for eight years in operations management at Procter & Gamble while receiving an MBA from Wake Forest University. Prof. Gray’s research has received several awards and recognitions, including the 2012 Emerald Citations of Excellence award, the OM Division’s Chan Hahn best paper award at the Academy of Management conference in 2012, and the 2011 Pace Setters award for research at Fisher. He also serves as a senior editor for Production and Operations Management and an associate editor for the Journal of Operations Management. Among his service to professional societies, he is serving a 5-year leadership role for the Academy of Management’s OM Division from 2014-2018.
Interested in supply chain logistics and risk management? Join us for our executive education session on September 10, 2014 to learn more. Contact The Risk Institute for details.