The topic of supply-chain risk management is fraught with agonizing questions. Should global businesses emphasize risk prevention, or steel themselves to respond to whatever disaster might occur? Should they seek to transfer risk, or concentrate on achieving better risk-management up front? Should they attempt to do all of the above? The wrong answer can mean the death of an organization.

The statistics are unsettling. Thirty percent of all companies that experience a catastrophic loss fail within the first two years, and another 29 percent go down after that, according to John J. Brown, director of risk management, supply chain and technical development with The Coca-Cola Company. And with supply lines getting longer due to off-shoring and the multiplication of partners, the chances of something going seriously wrong are greater than ever.

So where should the emphasis be - on responsiveness or risk prevention? Brown comes down on the side of the latter. The problem is that most companies don't do a very good job in this difficult area. "We're wired as humans to react and respond, not prevent something from happening," he said on a panel at the annual conference of the Council of Supply Chain Management Professionals in Atlanta. "And company reward structures are the same way."

The question is, reward for what? How does a company quantify the value of something that didn't happen? When all goes well, no one spends a lot of time dwelling on "what-ifs." A good risk manager tends to be a quiet - and unappreciated - hero.

Of course, it's ludicrous to believe that one can stave off all disasters. No one knows when and where the next earthquake or flood will strike. A good risk-management strategy might assign probabilities to various scenarios, but it can't focus too much on any one of them. Nor can it guarantee that every potential threat has been identified. Who prior to 2010 listed "volcano" among the possible events that could disrupt a supply chain?

At CSCMP, Brown laid out the essentials of an effective program. From the start, he said, it needs to be multifaceted. Must-have elements include the capacity for emergency planning and response, incident management and crisis resolution, business-continuity planning and execution, and disaster recovery (especially with regard to IT systems).

Coca-Cola has defined a number of discrete steps in its risk-management effort. First is basic deployment of the process. The company identifies significant risks, analyzes them, devises procedures for mitigating them, and creates a local "risk register." This document, which it maintains for every business unit, group, bottler and corporate entity, tracks the status of risk and corresponding treatment plans at ground level. Brown described it as "your living playbook."

A valuable framework for setting up a workable program is the International Organization for Standardization's 31000:2009 set of guidelines and standards. Accepted worldwide, they provide a good start toward the development of best practices in risk management. "They're pragmatic, easy to use and flexible," said Brown.

In addition, ISO has published Guide 73:2009, a risk-management "vocabulary" which defines basic risk terms and aids companies in taking a uniform approach to the problem.

ISO has documented approximately 30 major risks of which businesses need to be aware, although Coca-Cola's list tops 350. From a high level, however, the picture can be broken down into 11 major categories, according to Anthony J. TenBarge, director of risk management with logistics services provider Genco ATC. They are: those assumed by contract, especially with suppliers; liability, including damage to third parties and copyright issues; professional liability losses, resulting in such errors as missed or lost shipments; environmental, covering the movement of hazardous materials such as lithium batteries; crime and theft; damage to physical property; lost, delayed or damaged cargo; business interruption; trade credit and the chance of not getting paid; political unrest, and risks to employees.

With the task of identification in place, companies should next focus on how to sustain the risk-management process. Coca-Cola employs a three-pronged approach, said Brown. It reviews the risks that are currently being managed, preferably on a monthly basis, and no less frequently than once a quarter. It also identifies new and emerging risks, adding them to the risk register as necessary. Finally, it factors those key risks into the planning process, covering both strategic and annual business plans.

Brown also described Coca-Cola's "bow-tie" process, so-called because of its two-sided nature. On one side are the factors that could cause a risk event to occur. On the other are its consequences. Then the company delves into what must be done to prevent a particular crisis from happening, or at least to mitigate its effects.

Finally - and this should go without saying - every organization needs to appoint a skilled risk manager. This highly placed individual, said Brown, must understand all aspects of operations, from human resources to contracts, finance and data management.

Companies like Cisco Systems, Inc. have devised their own sophisticated, hour-by-hour schemes for coping with disasters such as the devastating earthquake and tsunami that struck Japan in March of 2011. Cisco, too, utilized a "playbook" for dictating action in the wake of that crisis, including the setting up of a "war room" staffed by managers from multiple disciplines. Still, there's only so much that a globally distributed organization can do to react to an event of that scale. Inevitably, supply lines will be affected for a time, saddling the company with huge costs that can turn black ink into red.

Unexpected consequences should be, well, expected. Defining them all, though, is an impossible task. Coca-Cola couldn't have foreseen that Japan's five million soda-vending machines would be seen as "energy wasters" following the meltdown of a major nuclear reactor.

At such times, a company must consider the option of risk transfer. There are two primary ways to achieve it: through contracts with suppliers and other trading partners, and insurance. The latter can take many forms, including protection for cargo, merchandise, workers, facilities, infrastructure and customs issues, said Barbara M. Spain, senior vice president and national logistics manager with Aon Risk Services. There's also trade-disruption insurance, which covers a wide variety of losses.

Still, given the high cost and sometimes limited availability of the right type of insurance, it behooves companies to do a better job of preparing themselves for disasters and disruptions. Quick-response strategies, regardless of the nature of the event, are especially vital to have in place. Regardless of your size, if you're not actively engaged in a program similar to that of Coca-Cola and Cisco, you need to wake up.

- Robert J. Bowman, SupplyChainBrain

Comment on This Article