Supply Chain Risk Management Standard: A Compilation of Best Practices

4. Characteristics of Supply Chain Risk Management

4.1 General

SCRM is an integrated and holistic management approach focused on ensuring the sustainability and resilience of the organization and its supply chain incorporating governance, change management, and continual improvement. SCRM expands the organization’s risk and resilience management approach to its supply chain in a synchronized fashion. Efforts to implement SCRM generally start by addressing four underlying concepts: leadership, the development of a business case, change management, and continual improvement.

4.2 Leadership and Team Composition

As with any significant initiative, a successful SCRM program requires a mandate, support, and commitment from top management. Top management support can be in the form of resources, engagement, encouragement, and guidance. An integrated and engaged top management team should communicate a clear mandate for SCRM throughout the organization, set the risk criteria (including the risk appetite), help identify risks, decide on risk treatments, and participate in process review and improvement. A multi-disciplinary SCRM Leadership Team should work in a concerted effort to prevent, mitigate, respond to, and recover from any events that might occur. Ultimate accountability, leadership, reporting, and ownership of supply chain risk rests with top management. Effective engagement of leadership promotes a SCRM culture throughout the organization.

The multi-disciplinary SCRM team should be headed by a SCRM representative or champion, and include representatives from functions such as:

  • Accounting and finance;
  • Business continuity and crisis management;
  • Engineering, process control, and product design;
  • Environmental, health, and safety;
  • Facilities management;
  • Human resources;
  • Import/export compliance;
  • Information and communications technology;
  • Internal auditing;
  • Legal and regulatory compliance;
  • Procurement and purchasing;
  • Production and manufacturing;
  • Quality;
  • Risk management;
  • Sales;
  • Security and information security management;
  • Supplier management;
  • Top management;
  • Transportation and logistics;
  • Training and awareness;
  • Warehousing and storage; and
  • Other stakeholders (e.g., unions, associations, civil society groups, regulators, first responders, customs officials, etc.).

Appropriate functions should have ongoing representation on both the management level leadership team and the implementation team.

There should be a designated management representative with the defined responsibility and authority for overseeing, implementing, and maintaining SCRM. Several factors may influence the choice of a person or persons who serve as representative(s) and SCRM champion(s). Characteristics of the champion(s) include:

  • Respect for both leadership and staff;
  • Knowledge of operations, processes, manufacturing, services, and intangible assets;
  • Knowledge of assessing and managing risk;
  • Familiarity with high risk operation areas;
  • Understanding the operations and value chain;
  • Capability to coordinate information flow from various sources;
  • Appreciation for the dynamic and interdisciplinary nature of operations; and
  • Understanding the organizational culture and change management.

Team members should meet periodically to coordinate efforts and ensure that SCRM processes are being integrated into their ongoing operational processes. They should coordinate with change management to ensure risk treatment. Additionally, SCRM leadership should report to executive management on a periodic basis.

Top management should integrate the SCRM process into governance and all other management processes of the organization. By fully integrating SCRM into the decision making processes of the organization, it becomes part of the organization’s culture. The organization should develop clear governance and operating procedures, including clear definitions of roles, authorities, and responsibilities. The SCRM Leadership Team should gather information and support from discipline specialists (e.g., security, crisis, information security, and business continuity managers) in order to ensure a comprehensive SCRM strategy is in place and to acquire the resources from top management necessary to support the SCRM program. By integrating SCRM monitoring in its day-to-day process activities (including product and service delivery, meetings, training, and performance reviews) a SCRM culture can be instilled in the organization.

4.3 SCRM Business Case

A business case provides the justification for implementing and improving SCRM in terms of evaluating the benefits, costs, risk of alternatives, and the rationale for the preferred solution. The business case serves as a documented, structured proposal for a program or improvement process. It provides a basis for a selection decision by organizational decision makers. It identifies the requirements that are to be satisfied, an analysis of proposed alternative solutions (with reasons for rejecting or carrying forward each option), assumptions, constraints, a risk-adjusted cost-benefit analysis, and preliminary action plan. The business case should provide the information necessary to make financial decisions regarding prioritizing enterprise expenditures based on the value of the proposed project versus other projects.

Typically, business cases contain the following components:

  • Background description of the business need/issue;

  • Explanation of the identified benefits of addressing that need;

  • Identification of significant assumptions and constraints related to relative solutions;

  • Alignment of project benefits with organizational objectives;

  • Justification for undertaking the project;

  • Description of performance goals and measures;

  • Definition of success for the proposed project;

  • Analysis of alternative solutions, including the possibility of continuing with no change, identification of a preferred solution, and explanation of why the preferred solution is recommended;

  • Estimation of required resources such as funding, human resources, materials, etc. for both the project and ongoing support and maintenance of any related or ongoing project efforts;

  • Estimation of potential costs of risks (including human, financial, reputational, and environmental implications);

  • Benefits (tangible and intangible) and cost of executing the project;

  • Competitive advantage from dampened impact and faster recovery from risk events;

  • Potential opportunities related to risk events;

  • Estimation of return on investment, break-even point, operational/ongoing costs, etc.; and

  • Explanation of project risks/issues and strategies to address them.

Disruptions will have financial implications. A common approach has been to:

  • Identify risks for priority nodes and tiers in the supply chain;

  • Prioritize the identified risks;

  • Determine, with top management approval, the risk treatment strategies needed to meet organizational and supply chain objectives; and

  • Evaluate cost avoidance and opportunities for improvement to help justify SCRM investments.

SCRM can also offer intangible benefits. These include avoiding damage to reputation or brand that may accompany an undesirable and disruptive event in the supply-chain, as well as breaking down organizational silos, which is not only necessary for SCRM but can also help organizations in other initiatives required for a comprehensive enterprise-wide risk management program.

A business case can be constructed using various metrics from the disciplines within SCRM. For example, reducing the number of disruptions, thereby preventing losses, can be achieved through adaptive and preemptive measures. The case can be made that the organization is less susceptible to various risk scenarios (single or multiple). Reduced response times when incidents occur (thereby protecting the organization’s tangible and intangible assets) can be demonstrated through fewer losses and mitigation of the consequences of an event. Other organizations make the business case based on reduced times for recovery of priority supply chain activities, services, and products. By identifying, assessing, and mitigating the consequences of risks, the organization targets specific reductions in recovery times. In all these examples, the organization can predict and compare the loss with and without appropriate risk treatments. Historic data from previous events provide a good starting point for comparisons.

4.4 Change Management in SCRM

Establishing or improving SCRM in most enterprises represents a major change. Consequently, organizations that are implementing SCRM need to pay particular attention to the tenets of successful change management. These include a compelling case for change, unwavering top management support, a visible executive champion, and a clear vision of the implications of the change(s). They also include development of an action plan for implementation as well as ongoing monitoring and refinement to reflect lessons learned.

Change management requires ongoing monitoring, analysis, and amendments. It also requires stakeholders to be psychologically and emotionally prepared to effect the change. Therefore, a change management strategy should include:

  • Ongoing monitoring and analysis of the changes that may be required in assessing the risks to the supply chain;

  • Training sessions to keep the team members aware of potential opportunities and to understand the need, rationale, and approach for change, with a view to ensure smooth change management; and

  • Linking SCRM and other organizational and supply chain objectives such as quality, environmental, sustainability, and occupational health and safety management.

Lastly, and perhaps most critically, they require sustained and transparent communication with key stakeholders throughout the change, including:

  • Proactive education and training so that personnel have the skills to execute the change;
  • Incentives aligned with the desired outcomes of the change; and
  • Adequate resources to successfully manage and implement the change.

Because resistance is natural and to be expected with a major change, those implementing SCRM also need to pay attention to the psychological and emotional aspects of the change. Linking SCRM to other organizational and supply chain objectives such as quality, environmental, sustainability, and occupational health and safety management is recommended.

4.5 Continual Improvement

Continual improvement in SCRM supports the overall business management strategy to identify and exploit opportunities for improvement. An integral part of the overall assessment of the organization’s performance is the assessment of its SCRM. The organization sets organizational performance goals and, by measuring and benchmarking its performance, identifies modifications to processes, systems, capabilities, resources, and competencies to enhance performance.
