Deloitte discusses supply chain risk
Earlier this year, Deloitte published The Ripple Effect: How manufacturing and retail executives view the growing challenge of supply chain risk.
This is an interesting report, the result of a survey of 600 executives at manufacturing and retail companies around the world, with the majority in North America, Europe, and China.
In a report that is based on a survey, the results are always going to be limited by the questions. So, when a particular area is missing (such as the reputation risk from a failure in the supply chain), I have to assume that it was left off the types of risk included in the survey rather than being of minor significance to the executives.
Deloitte covers the traditional and expected areas. It is a useful but not a ground-breaking report. It’s an easy read and I recommend it.
Deloitte draws excellent conclusions.
There are four key attributes, or pillars, that are critical to supply chain resilience:
Visibility: The ability to monitor supply chain events and patterns as they happen, which lets companies proactively—and even preemptively—address problems. Critical enablers include people capabilities and analytics capabilities.
Flexibility: Being able to adapt to problems quickly, without significantly increasing operational costs, and make rapid adjustments that limit the impact of disruptions. Critical enablers include people capabilities and governance processes.
Collaboration: Having trust-based relationships that allow companies to work closely with supply chain partners to identify risk and avoid disruptions. Critical enablers include people capabilities and analytics capabilities.
Control: Having policies, monitoring capabilities, and control mechanisms that help ensure that procedures and processes are actually followed. Critical enablers include governance processes and analytics capabilities.
To build resilience, companies can follow a continuous process that begins with assessing the current state of supply chain resilience and pinpointing critical vulnerabilities, and then defines a business case for improvements/mediation and creates a prioritized roadmap for improvement. Working from that foundation, companies can then implement improvements and establish processes for monitoring and managing risk over the long run.
But there are additional ways I think organizations can improve their ability to address supply chain risk, including:
- Integrate risks from the extended enterprise, including supply chain, into the organizations’ risk management program. Don’t run supply chain risk management as a silo.
- When designing the product to be manufactured, take into consideration how components will be sourced or assembled. When there are options, consider the risk inherent in each option – the level of reliance on third parties and the confidence level you have in each of them,
- In other words, integrate the consideration of risk into product design as well as vendor selection and all other operational activities.
- Actively and continuously monitor all your supply chain partners. Report related risk levels to management on a regular basis
- This traditionally includes monitoring your company’s interactions with them, such as their ability to deliver quality products on time at the desired price.
- New technology enables you to monitor their reputation in the marketplace, including posts from their own partners and employees, and anticipate potential problems.
- Monitor macro-economic events (such as potential disruption from protests and political unrest) and their effect on your supply chain, on specific supply chain partners
- Use indicators such as reports from Transparency International to understand corruption and bribery risks relating to your supply chain partners
I welcome your comments and observations.
Recent Posts on this Blog
- Is a new maturity model for GRC the right model? September 25, 2016
- The Wells Fargo “Staff Scam”: More questions and fewer answers September 16, 2016
- The astonishing Wells Fargo fraud September 10, 2016
- Leading an effective information security capability September 4, 2016
- Have your provided comments on the COSO ERM draft? August 31, 2016
- How to do your internal audit risk assessment August 27, 2016
- Do techies really understand cyber risk? August 20, 2016
- Continuing to learn about culture from Toyota August 13, 2016
- The danger of an arrogant board August 7, 2016
- The Board and Technology: Questions to ask the management team July 31, 2016
- IIA Insights on Internal Audit Effectiveness July 22, 2016
- Deloitte predicts change for Internal Audit July 20, 2016
- Risk and Opportunity Management July 2, 2016
- Risk reporting to the Board June 26, 2016
- We need to review and provide feedback on the COSO ERM Exposure Draft June 19, 2016
- Reconsidering the Board: Its Composition and Oversight of Management September 19, 2016
- Time for the Board to Take a Deep Dive Into Risk Management and Risks September 12, 2016
- Oversight of the External Auditor September 6, 2016
- Signs of a Failing Board August 29, 2016
- Contrasting Comments on Internal Audit From a CAE and a Consultant August 23, 2016
- Asking the Tough Questions About Internal Audit August 15, 2016
- When Risk Management Fails August 8, 2016
- An Internal Audit Ambition Model August 1, 2016
- Understanding and Assessing Governance Risk July 25, 2016
- Internal Audit, Risk Management, and Technology July 19, 2016