You have designed and implemented a pretty good logistics system and are proud of how effectively and efficiently your supply line provides your programmes with any materials they need. Transport and administration costs are now at their minimum, fulfilment rates are close to 100%, and you process and fill almost every order within set timeframes. You feel pretty good about yourself (and not without reason), and are ready to hand over the system to your successor with justifiable pride.
And then the ministry of trade announces that as of tomorrow, clearing rules will be changed, adding three weeks to the current four to five days it takes you to clear your goods. Suddenly things look a lot less optimistic: your carefully balanced and trimmed-down supply chain is strained to the snapping point, and you are looking at having some of your key operations suspended. Even worse: one of those is a treatment programme for TB patients, and suspension of treatment might cause resistance to the drugs involved – making a bad situation suddenly look catastrophic. What went wrong?
A lot has been written about how to deal with logistics disasters, or how to avoid specific types of mishaps. Much less attention is given to the process of managing those risks.
Risk management for the supply chain is not really different from generic risk management. Like all risk management processes, you start by making an inventory of possible risks, based on your environment, the programmes that you try to support, possible future scenarios, etcetera. This inventory includes the nature of the risk, its likelihood of occurrence, as well as its possible and likely impact. The result should be an overview of the possible extent of risk for each of the risks that you list. Some examples:
- If a meteorite were to hit your main logistics hub, you would be in dire straits indeed. However, the likelihood of this happening is vanishingly small. As a result, the extent of your risk is still very low.
- If one of your 15 drivers were to fall ill, it would probably not pose much of a problem; however, the likelihood of this happening in any given year approaches certainty. Still, because of its low impact, the extent of the risk would be low.
- Having your one and only purchaser fall seriously ill would not be a big problem in a well set up system, in which everything is well documented. The likelihood of this happening is also quite small, so the extent of the risk here is very low.
- However, if documentation is sketchy and most of the knowledge about markets and suppliers is locked up inside the head of your purchaser, the impact of this happening would be a lot bigger. Suddenly, the extent of your risk is now medium or possibly even high.
This last example points to the importance of the risk environment when performing your risk analysis. (It also points towards a possible way of dealing with it, about which more later.)
The next step is to design a strategy to deal with the risks. All risk strategies can be divided into four basic categories: avoid, reduce, transfer, and retain. In our example, this would mean:
- Avoid: an avoidance strategy could take the form of not doing any local purchasing, or perhaps withdrawing from the programme. This illustrates that avoidance strategies are rarely feasible in the environments in which we work, but nevertheless they should be considered.
- Reduce: ways in which we could reduce the extent of the risk include hiring a second purchaser (reducing the likelihood of being marooned without a purchaser) or ensuring good systematic registration and documentation (reducing the impact of the purchaser falling ill).
- Transfer: we could outsource our purchasing to an external company, using service level agreements to ensure that they deliver what we need, when we need it. This is not a very likely scenario for most of us, but it is something that we often do with e.g. air transport: we transfer the (very real) risks linked to these operations to e.g. a charter company.
- Retain: we could decide that the extent of the risk is so small (e.g. because we hardly do any local purchasing anyway) that we take no action and leave things as they are. In other words: grit your teeth and suck it up.
A risk management plan basically consists of the risk analysis, with the appropriate strategy for each of these risks. Risk management plans for multinationals often comprise whole volumes (or, more and more often, many gigabytes of documentation, code, and data), but for most field operations there is no need to go to that length: two to five pages would normally be enough. On an organisational level, it will obviously depend on how big your organisation is as well as its nature: the risk management plan for a two-project, one-country educational organisation will probably be not much more than the one-page result of a day’s hard work, but WFP’s risk management plan will more likely resemble that of a big multinational company.
However, whatever the size or nature of your organisation, you cannot afford to go without some form of risk management; organisations that think they can tend to be unpleasantly surprised at some stage.