Identifying risks in the supply chain
The first step in managing risks in a supply chain is identifying them. You probably have a good idea of some of the things that could go wrong with your supply chain. To really understand the scope of risks, however, you need to get input from other people who see, understand, and manage different parts of the supply chain.Following are some of the groups you should include in your process to identify supply chain risks:
- Transportation
- Distribution/warehousing
- Purchasing
- Information technology
- Accounting and finance
- Legal
- Sales and marketing
- Key customers
- Key suppliers
You can create this list by brainstorming, and you may need to give people some ideas to prompt their thinking. Here are some risk categories that you can ask your supply chain team members to think about:
- Accidents
- Crime, terrorism, and war
- Financial problems
- Government regulations and politics
- Management problems
- Manufacturing problems
- Market trends
- Natural disasters and epidemics
- Supplier problems
- Surge in customer demand
- Technology trends
- Transportation and distribution problems
- Workforce and training issues
Classifying risks in the supply chain
Once you have identified your supply chain risks, you need to decide which risks are most important. You may be most concerned about the risk of a fire at your supplier’s distribution center, for example, or with the risk of disease outbreak that would shut down travel between countries.One approach is to classify risks according to their scope. Classifying risks according to their scope is useful when you want to decide how — or whether — to mitigate them. Risks fall into three general scope categories:
- Global: Risks that affect everybody in the world. Managing global risks is the responsibility of senior management, but your risk management planning can ensure that your leaders are aware of the global risks and their potential effects on your supply chain.
- Systemic: Risks that affect more than one facility or company. These risks could disrupt the entire supply chain, not just its parts. Systemic risks are especially important in supply chain risk management because you are looking at how all of the companies in a supply chain contribute to delivering value to a customer. Many times, people don’t realize how severe a systemic risk can be because they think about it in terms of how it affects them locally rather than how it affects the rest of the supply chain. The responsibility for managing systemic risks is often shared between leaders in several different companies, so these companies need to collaborate in order to manage the risks effectively.
- Local: Risks that affect the people in a particular company or facility. Local risks are the responsibility of facility and operations managers and are often addressed in a business continuity plan. Your supply chain risk management process can be useful in ensuring that each of these separate plans are complete and properly aligned.
Scoring risks to the supply chain
After you identify and classify the risks in your supply chain, the next step is scoring them. Risk scores can help you prioritize which risks you need to be most concerned about.You score risks based on how likely they are to occur (the probability) and how severe their effects would be (the impact). Then you multiply these scores together to get an overall risk score. There are many different scoring systems for probability and impact ratings, but here’s an example to get you started.
On a scale of 1 to 10, assign a value to the likelihood that a risk will occur in your supply chain:
- 10: Will occur; 100 percent probability
- 5: May occur; 50 percent chance
- 1: Very unlikely to occur; 10 percent chance, or less
- 10: Would stop the supply chain or cost someone his or her job
- 5: Would be a major problem taking days to fix but wouldn’t stop the supply chain from operating
- 1: Would create a problem that the supply chain can handle in the normal course of business
- 100: This risk needs to be resolved immediately.
- 50: This risk needs to be monitored closely and mitigated effectively.
- 25: The company should have a mitigation plan in place for this risk.
A risk can never have a zero score for either probability or impact. If the score is zero in either category, it isn’t a risk.
The document that you use to track and score risks is called a risk register. The table below shows a typical risk register.| Risk | Probability | Impact | Risk Score |
| Port strike | 9 | 9 | 81 |
| Supplier fire | 3 | 9 | 27 |
| Forklift breakdown | 6 | 1 | 6 |
| Comet strike | 1 | 10 | 10 |
| Canceled customer order | 8 | 6 | 48 |
A common way to visualize risks is to use a risk plot or a heat map. The image below shows an example heat map for supply chain risks.
Supply chain risk heat map.Risk scoring is handy but not perfect. Just because a risk gets a low score doesn’t mean that you should ignore it, especially if the potential impact is severe. Any risk that has the potential for someone to get hurt needs to be addressed, even if the probability (and the risk score) are low.
Risk scoring is like taking a snapshot of risks as they are today. You should keep your risk register up to date as circumstances change, watch for new risks to appear, and monitor changes in the scores of existing risks.
Want to learn more? Use this guide to learn how to make a risk-management plan.