Are supply chain risk assessment and management CFO issues?

Supply chain disruption interrupts the flow of goods, and that means it has the potential to have a major effect on a company's financials. Here's what business leaders -- including CFOs -- should know.

Given how complex -- yet critical -- today's networks of suppliers and partners are to a company's profitability, supply chain risk assessment and management are critical areas of concern for today's CFOs.

Goods, including raw materials, components, assemblies and finished products, are produced, handled, transported and stored between the original source and the end customer and, sometimes, move back to the producer through multiple logistics processes -- any of which could fail at any time. Supply chain risk management is the discipline that identifies and manages both everyday and exceptional risks along the supply chain. Today's longer global supply chains create more potential points of disruption. The effect of a disruption is more pronounced in lean operations that lack the inventory buffers used to allow operations to continue in spite of a supply failure.

Supply chain risk assessment, management today

Companies are more aware today of the risk and potential impact of supply chain disruption, given some high-profile failures in recent years, such as when flooding in Thailand greatly reduced the supply of hard drives, among other notable events. According to a study by PwC and the Business Continuity Institute, 75% of companies experience at least one major supply chain disruption a year. Prudent management suggests that avoidance, remediation and contingency planning should be a top priority.

Supply chain risk assessment and management seeks to identify potential risks, assess the likelihood and potential impact of the failure, and strategize ways to avoid risks or minimize their impact.

There are two major kinds of supply chain risks: everyday, predictable risks; and unexpected or exceptional risks. Predictable risks include common occurrences like traffic accidents, power outages, theft, and events such as cyberattacks, product recalls, product liability lawsuits, and equipment failures. These things happen frequently enough that statistics can accurately assess the likelihood and experience can suggest effective avoidance, remediation and recovery strategies.

From a financial perspective, these can be considered insurable risks. Actual insurance is available for some of these risks with premiums that can be budgeted and justified easily. Some of them, however, are better handled internally because insurance is not available or not the best option. And consider that insurance may reimburse the direct financial costs of the disruption but is unlikely to compensate for the indirect losses, including lost efficiency and productivity during the interruption and recovery, and damage to your reputation for reliability with your customers.

Many identified risks can be reduced in likelihood or avoided altogether by changes in operational strategy. Examples of ways to manage risk include sourcing materials, parts or products from a more politically stable region; moving from sources in earthquake-prone areas; avoiding less reliable transportation providers or modes; and dual sourcing items from different regions or environments. But here's the important point for the CFO: Each of these strategies is likely to increase costs above the lowest possible cost or source. The risk premium is embedded in these higher costs and may be difficult if not impossible to break out separately.

Other risk avoidance or minimization costs are more easily identified. They may include actual insurance premiums; additional employees to monitor and manage sourcing and logistics; engineering projects to design out vulnerable components or materials or to design in features that help avoid risky situations (better packaging, for example); or employees, contractors and equipment to ensure physical and data security.

The art of imagination in supply chain risk assessments, management

Risk management is also the art of imagining the unimaginable, and that art is critical to supply chain risk assessment and management. A company doesn't really expect that a particular supplier plant will explode or catch fire. The Fukushima earthquake and tsunami was a once-in-a-lifetime event in that particular place. Is there a reasonable expectation that a lightning strike will wipe out your database any time soon?

While these kinds of events are by nature unpredictable, they could occur. Some may even be avoidable, and there's value in preparing a response that can be activated quickly if the unfortunate occurrence happens. Effective risk management requires that a company speculate about all these possibilities and develop strategies to reduce the likelihood, if that's a possibility; limit the impact of the disaster should it occur; and develop a plan for rapid recovery.

Once again, each of these avoidance, mitigation and recovery plans has a cost, and that cost should be viewed as insurance. The uncomfortable thing about insurance is that it usually doesn't show a direct ROI in the traditional sense. The best outcome is when you never need to activate the plan or the policy, but that makes the measurement of benefit even harder. When things go well and the disaster never happens, that doesn't mean the insurance was unnecessary. CFOs should be aware of this conundrum and be supportive of supply chain risk investments and their importance to the long-term operation and, indeed, survival of the company as an operational business.

In the year 2000, there was a lot of grousing about the apparently overhyped Y2K problem. Companies had spent millions to rework or replace their computer systems to avoid disaster when the calendar changed from 1999 to 2000 and older systems that stored the year as two digits (99, then 00) would malfunction. When this disaster did not occur, some people felt that the investment was wasted. In truth, it was the remediation efforts, to a large extent, that averted the disaster. The ROI was substantial. But how does one measure the value of something that doesn't happen?
