Two significant areas of concurrent discussion in the risk-management marketplace are enterprise risk management (ERM) and supply chain.

Supply chain is generally viewed as a subset of ERM. We agree with that opinion, but view the two as also linked somewhat differently.

Effective enterprise risk management requires the risk manager to interact closely with most - if not all - operational units of an organization. And if those contacts are mapped, one will find that they most often reside in the supply chain.

Accordingly, our premise is that effective ERM is achieved by managing risk for the vital components and processes in the supply chain. In virtually all enterprises, expanding the application of risk management to as many supply-chain operations as possible may offer the most practical method of implementing ERM's major components. These components can include modification of an organization's internal atmosphere to look at the "big picture," potential event identification, assessment of risk and response thereto, and ERM monitoring.

Our view is that, for most organizations, expanding risk management to assess and mitigate risk within the supply chain may be the most prominent ERM endeavor, encompassing 80 percent of ERM efforts.

Moving ERM from Academia to Reality

Much of the ERM literature remains couched in relatively academic terminology verging on the theoretical. The theoretical tone in which ERM is often discussed makes it difficult to apply in organizations where business benefits must be measured and known in order to justify devoting scarce resources to a project. Ambiguities and difficulties in expressing the value of ERM will tend to cause management to isolate ERM to the point that only its practitioners may appreciate the work being done.

However, if we keep in mind that "the business of the business" is what every activity within risk management needs to serve first, and if we apply the basic tenets of ERM, we find that it is in the management of the organization's supply chain that ERM can add practical and measurable value. Thus, narrowing the overall focus of ERM to a comprehensive risk management approach in the supply chain is an important step in moving enterprise risk management out of an isolated silo and into the mainstream of operational practices. Said another way, comprehensive supply-chain risk management is 80 percent of the ERM solution for most organizations.

ERM and Supply-Chain Fundamentals

Comparison of ERM with supply-chain fundamentals is enlightening. The terms dealing with supply chain tend to be concrete, open to measurement, and readily understood. Such clarity facilitates the risk manager's ability to collaborate within each area of the supply chain and to embed risk management awareness into an important constituency. By building risk management into well-recognized supply-chain processes, many of the practical benefits of ERM can be obtained and leveraged.

The increasing degree to which supply-chain risk management (SCRM) is being recognized as a key risk-management endeavor is worth noting. The results of a survey conducted by AMR Research in 2007 included the following.

• Forty-six percent of companies intended to evaluate and/or implement SCRM technology in the upcoming 12 to 24 months.

• Supplier failure/continuity of supply was named as the number one risk factor for 28 percent of the companies surveyed.

• The top areas to which spending would be applied for SCRM were sales and operations planning, inventory optimization, supply-chain analytics, and event management.1

Additionally, we see the following supply-chain trends:

• offshore manufacturing;

• various outsourcing activities;

• lean manufacturing and just-in-time inventory;

• global lean sourcing;

• consolidated facilities; and

• growing complexity of the supply chain and ever-greater reliance on automation.

The risks generally identified as those posing the greatest threats are:

• damage to brand or reputation;

• failure of product safety;

• supplier failure;

• information technology breakdowns;

• regulatory changes;

• logistics failure;

• adverse geopolitical event; and

• natural disaster.

The survey results underline the fact that supply-chain risk management is viewed as essential to the practice of modern organizational administration. With its emphasis on efficiencies, SCRM represents a significant strategy factor, encompasses a wide variety of issues and exposures, involves critical parts of the organization, and requires development of a common approach toward solving the complex issues noted.

We see these as factors that supply-chain management shares with ERM. Therefore, we view them as providing a reasonable foundation for basing an approach to "practical ERM" in terms of comprehensive supply-chain risk management.

Risk Management's Applicability to Supply-Chain Management

Risk management has often brought a perspective to decision-making that facilitates risk mitigation by introducing a framework and a new sensitivity to dealing with risk and uncertainty. Its most practical application has always been to make all business managers into risk managers within their own disciplines, so that from first-line supervisors to hiring managers to department heads and above, deliberation in terms of impact on organizational risk is part of the job, whether it be to include the risk-management department in decision-making, ask for expert outside advice, or simply remain aware of how a decision could play out in terms of risk to the overall organization.

Risk-management techniques and awareness will shed new light on balancing what may often be competing priorities within the supply chain itself. For example, the drive for efficiencies creates a bias toward just-in-time inventory, while the principles of risk mitigation seek to build in redundancies in inventory. Lean sourcing versus alternate vendors with in-depth resources, low-cost suppliers versus quality vendors, and dedicated high-volume manufacturing and distribution resources versus multiple sources - each represents the trade-offs that modern supply-chain managers are routinely asked to make.

A risk manager takes large steps toward fulfilling the promises of ERM when the proper risk distinctions are made among supply-chain decisions, including risk-weighting of alternatives relevant within the firm's distinctive business competence. The risk manager who is able to embed risk-sensitive distinctions into supply-chain decision-making has already achieved a great deal in terms of ERM.

Inherent in making risk distinctions is the need to apply probability measures across a variety of alternatives that have an impact on cost and benefit to the supply chain. Once risk analytics are factored into individual decisions and overall supply-chain risk is optimized for the particular applications involved, the standard risk-management process can be utilized. This process helps to determine the most appropriate manner in which to deal with the aggregated supply-chain risk profile by utilizing the familiar methods of retention, avoidance, mitigation, and transfer.

From the Academician's Whiteboard to the Risk Manager's Desk

As mentioned, ERM tends to be defined in academic terms.

ERM Defined

The Committee of Sponsoring Organizations (COSO) Integrated Risk Management Framework defines ERM as "a process, effected by an entity's board of directors, management, and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."2

Further, ERM is defined as a process ongoing throughout an entity and implemented at all levels of the organization. By aligning risk appetite and strategy, enhancing risk-response decisions, and taking an entity-level portfolio view of risk, ERM identifies and manages risk to achieve objectives within and across multiple areas.

A sampling of other ERM definitions reveals various opinions, but there are commonalities. Many have schematics that offer varying degrees of complexity. But, in our estimation, few would enlighten a logistics or purchasing manager, a process or industrial engineer, plant manager, product manager, marketing or sales director, IT director, or any of the myriad other key decision-makers vital to the management of a world-class supply chain.

Supply Chain Risk Management Defined

Contrast ERM definitions to the following definition of supply chain: "The network of retailers, distributors, transporters, storage facilities, and suppliers that participate in the sale, delivery, and production of a particular product."

The supply chain definition is succinct, identifying various operations in the process - each tangible and easily recognizable. Compared with the various definitions of ERM, the greater clarity of the supply-chain description makes it more likely that a risk manager and the organization's managers along the supply-chain continuum can gain a realistic and practical understanding of their relative position within a risk-management decision-making framework.

To the preceding definition of supply chain, we add that supply-chain risk management is an integrating function, with primary responsibility for linking major business functions and business processes within and across companies into a cohesive and high-performing business model. This is done through the maintenance of a reliable, organized response to the consequences of uncertainty.

Commonalities of ERM and Supply-Chain Risk Management

This addition does nothing to diminish the straightforward nature of the concept of supply-chain risk management. But it does move it closer to enterprise risk management. Within the ERM context, an implied criticism of "traditional" risk management is that it is focused only on tangible assets and related liabilities dealt with in a "traditional" manner - risk transfer relying heavily on insurance and related skills designed to work with insurable risk. This is measured against the inherently broader requirements of ERM - that risk management needs to be embedded enterprisewide, dealing with protecting both tangible and intangible assets with emphasis on enhancing business strategy.

Yet supply-chain risk management is relatively broad in its own right, including oversight of activity around three key processes:

• product flow;

• information flow; and

• finance flow.

This broadness is amplified by tangible goals recognized as part of an effective supply-chain risk-management plan:

• identification and prioritization of critical elements of the business process;

• documentation of the full supply chain to demonstrate dependencies and required skills to sustain the processes; and

• identification of the key potential supply-chain failure points.

Coordinating Supply-Chain Management and ERM

We may consider that ERM deals with the following asset classes, with some examples where appropriate:

• physical assets (buildings, equipment);

• financial assets (investments, receivables);

• customers (distribution channels, alliances);

• employees, suppliers, and partners; and

• organizational assets (management leadership, brand, and reputation).

Typical supply-chain functions include the following:

• sales and marketing;

• logistics;

• manufacturing;

• purchasing;

• finance and accounting;

• real estate; and

• legal.

These functions are well beyond the theoretical. For example, logistics establishes the flow of product - whether goods or services - within the supply chain and the methods employed to keep the product moving. Accounting records the financial value of the assets that constitute the supply chain, the inventory values that flow, and the all-important value of the throughput for which the owners invested in the supply chain in the first place.

We see the overlap of ERM and supply chain within the recognizable business functions listed earlier, as illustrated by the alignment of the ERM classes with the supply-chain functions in the following examples:

• physical assets (manufacturing, real estate);

• financial assets (purchasing, finance and accounting);

• customers (logistics, sales and marketing);

• employees, suppliers, partners (manufacturing, purchasing, logistics, legal); and

• organizational assets (finance and accounting, real estate, legal, logistics).

We therefore view supply chain characteristics as inherently more easily understood than ERM. There likely is little debate over what constitutes "manufacturing," while defining "an entity-level portfolio view of risk" might require some extended discussion.

If we accept supply chain as encompassing practical elements of ERM, the risk manager - by connecting with the departments that make up the organization's supply chain - will be better positioned to become a major force in the organization's ERM initiative. This is not to imply that challenges do not exist - risk managers will require certain skills to accomplish this end.

One such skill is obvious: the ability to understand and communicate with the members of the supply chain. Two others go hand-in-hand: the ability - and the drive - to connect with the various departments and personnel of the supply chain and the ability to educate them about risk management and the need to integrate supply-chain planning with risk-management planning.

Managing the Supply Chain: The Greater Portion of ERM?

How does following the supply-chain flow benefit the risk manager? As we see it, the risk manager gains enterprisewide knowledge and the opportunity to work with supervisors responsible for their respective areas. Such expansive perspective is available to few other individuals below the organization's "C Suite" level. Following the flow is especially valuable from the perspective of risk to the enterprise itself, allowing the risk manager to take steps to protect the "cash-to-cash" stream (meaning the flow of cash from funds expended to begin producing a "product" to the funds collected from the sales of the "product"). This approach successfully places the risk manager at the heart of the "business of the business" - exactly where any modern risk manager needs to be.

The risk manager must become familiar with details and components that make the supply chain work. We are advocating that the risk manager must be better positioned both to influence the distinctions made in terms of risk in individual decisions and to determine which risk mitigation steps to take.

The Most Effective Course for the Risk Manager

In our view, ERM through the supply-chain risk management approach presents the most effective course for the practicing risk manager. Here's why.

• Supply-chain functions are mature and, therefore, readily understood by the parties involved. This lessens the amount of "academic" information, which is often difficult to apply directly to operations, that must be imparted by the risk manager to colleagues in the supply-chain process.

The result: risk management practices and procedures are more readily embedded in the organizationwide processes. This is a key result, as successful ERM can never be a stand-alone or part-time activity, but rather needs to be a continuous, comprehensive process.

• The supply chain is ultimately overseen at the corporate level, and so must ERM be if it is to flourish. Critical senior management support for the effort is built into the process by employing a supply-chain risk-management focus.

• Although those running each segment of the supply chain may not realize it, in looking out for their respective functions, each is a risk manager. The corporate risk manager who effectively eases the translation of ERM from the academic whiteboard to the manager's desk empowers more constituents to become active risk managers within their own functions. The risk manager provides a context to develop the nascent risk-management abilities of fellow managers by embedding risk awareness across the organization. Accordingly, the risk manager further serves the enterprise as a "silo-buster" and benefits by being at the center of a core organizational process.

As a result, risk management - and the risk manager - will stand out as valued contributors to the organization's overall strategic planning process.

• Supply-chain management, as a mature corporate process, has conventional measurement tools, offering risk managers the capability to gauge the effectiveness of ERM programs. This may include using established technology to facilitate the development and deployment of a risk management information system for a new platform of measurement tools.

Conversely, the risk manager who is already a coherent part of the supply chain can offer an array of unique risk analytics as a way to better risk-adjust decision-making.

• Supply-chain risk management offers another avenue of measurement to the risk manager. Its maturity as a quantifiable discipline, in turn, lends itself to scenario-planning analysis, defined as determining a variety of potential outcomes with emphasis on plausibility over prediction.

The myriad benefits brought to the organization include the following. Supply-chain risk management:

• creates process consistency, mitigating redundant efforts;

• improves communication;

• improves the ability to anticipate "events" and set up means with which to deal with them;

• enhances the measurement of risk across the enterprise;

• helps business units to identify risks they might not otherwise have recognized; and

• enables better use of organizational assets.

Value of a Cross-Functional Supply-Chain Risk Management Team

The risk manager, via the supply chain and through the course of standard risk-management procedures, touches operational units across the organization. In fact, formalizing this situation via the creation of a cross-functional supply-chain risk management team - with an end-to-end perspective of the supply chain - is considered a critical step toward a successful plan. It has the added benefit of providing the risk manager with a window on the external elements of the supply chain, especially important with companies going beyond first-tier suppliers.

This enables another important element of successful supply-chain risk management: embedding risk management awareness and practices into mission-critical points along the supply chain. The ultimate goal is to have risk management principles so interwoven into the fabric of each operation that supply-chain managers become virtual extensions of the formal risk-management department.

Ultimately, the role of risk managers progresses to where they are involved with nearly all facets of the organization, playing a broad strategic role and connected to all types of risk, both insurable and noninsurable. By protecting the company's supply chain, the risk manager protects the greater portion of the organization itself - the 80% solution to ERM.

John Liner Review
ISO