
Supply Chain Risk Management Standard: A Compilation of Best Practices

ATTENTION: This page is intended to be viewed online and may not be printed or copied.

0. Introduction

0.1 Supply Chain Risk Management: An Overview

This Standard defines supply chain risk as the uncertainty in achieving an organization’s objectives throughout its supply chain. Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an organization's objectives is "risk". Supply chain risk management (SCRM) involves the assessment and control of risk events at all points in an end-to-end supply chain, from sources of raw materials to end use by customers and consumers. SCRM is the systematic assessment and treatment of potential risk events across operations with the objective to exploit opportunities and/or to reduce negative impacts on the performance of the organization and its supply chain. This includes the coordinated activities and practices an organization uses to manage its operational risks related to its end-to-end supply chain. Potential risk events can occur within and outside the supply chain. Risk events may be caused by:

  • Natural disasters;

  • Intentional acts (e.g., criminal acts, terrorism, industrial espionage, labor and social unrest, regulatory actions, etc.); and

  • Unintentional acts (e.g., accidents, process breakdowns, wrong materials, personnel issues, etc.).

SCRM is part of an integrated and multifaceted business management strategy, and therefore also takes into consideration the organization’s image, reputation, and marketing, as well as the management of quality; environment, health and safety; purchasing; logistics; facilities; communications; human resources; and materials. SCRM integrates several different risk and resilience related disciplines, including, but not limited to security, cyber-security, crisis, business continuity, and emergency management, as well as asset conservation, insurance, and technology recovery. SCRM seeks to anticipate, prevent, protect, mitigate, manage, respond, and recover from potentially undesirable and disruptive events, as well as identify opportunities. The best strategy for addressing risk events will be determined by the organization’s context of operations, its risk appetite, and results of risk assessments.

Supply chain risk management is a holistic component of the overall risk management framework for an organization. Therefore, this Standard should be used as a complement to existing risk management programs for enterprise or fiduciary risk. Adoption of this Standard should build on rather than supplant existing specialized risk programs.

0.2 The Need for Supply Chain Risk Management

SCRM is vital for organizations that increasingly rely on extended operations, both internal and external, for their success. This is primarily due to the advantages organizations have found in utilizing strategies such as globalization, outsourcing, off-shoring, specialized manufacturing, supply-base rationalization, just-in-time deliveries, supplier consolidation and lean inventories. While these strategies offer many benefits in efficiency and effectiveness, they also make supply chains increasingly prone to risk and can increase the likelihood of supply-chain disruption.

Historic and recent events have proven the need to identify and manage supply chain risks. These past events illustrate that a single event can disrupt multiple elements of supply chains around the world. Disruptions can impact any aspect of the supply chain, including critical infrastructure, communications, logistics, supply, manufacturing, and distribution. Therefore, to protect itself, an organization needs to develop proactive risk management strategies and plans. Additionally, it needs to be fully cognizant of potential adverse consequences, opportunities, and impacts on financial performance.

SCRM is essential for all public or private organizations to manage risks associated with their dependencies and interdependencies in order to survive and thrive. Operational maturity levels vary between organizations. Some organizations have yet to realize the importance of SCRM while others have emerging or advanced SCRM programs. This Standard provides guidance on some current best practices that can be applied to any organization. An organization may select and use the appropriate guidance based on the maturity of its SCRM program.

In a globalized economy SCRM is critical for decision making and business planning of international operations and expansion of business. It is important that those responsible for analysis of international operations conduct a robust assessment of risk and resilience in their planning processes prior to domestic or international expansion, taking into account the local context and environment of operations. In the planning process the organization needs to understand the levels of control, exposure, and visibility it will have of the various tiers of its supply chain from end-to-end.

This guidance Standard is a compilation of evolving SCRM current best practices. It presents a generic approach to risk and resilience management that is intended to be applicable to all types of risk and all types of organizations. An organization’s approach to SCRM should be tailored to meet its needs, context of operation, risk appetite, risk criteria, and its unique supply chain characteristics. There is no single path to success; therefore, this Standard offers a collection of SCRM current best practices, tools and approaches that any organization can review, and use or customize to meet its unique needs. Illustrative examples of SCRM current best practices have been included. Organizations should modify and adapt the concepts and examples included in this Standard to fit their distinctive requirements, characteristics, and culture.

This Standard addresses operational risks in the supply chain and includes risks to tangible assets (e.g., human, physical, and financial) as well as intangible assets (e.g., brand, reputation, competitive position or intellectual property). Each organization should define the scope of its SCRM program consistent with its risk criteria. This Standard presents SCRM current best practices as models and/or options to improve operational risk management performance in the organization and its supply chain based on empirical experience.

SCRM is an evolving field. The challenges faced by organizations and their supply chains are constantly changing; SCRM is therefore a dynamic discipline that, to achieve maximum effectiveness, should be integrated into the business management and business planning processes of the organization. The contents of this Standard should be seen as a snapshot in time reflecting a collection of current best practices. Continual monitoring of risks is essential due to their dynamic nature and the manner in which they may impact the operations of organizations and their supply chains. When using this Standard, organizations should consider the concepts for their organization against their current operating environment to determine how best to structure SCRM to promote resiliency within their organization and its supply chain.
