
Supply Chain Risk Management Standard: A Compilation of Best Practices


5. Risk Management Principles and Process

5.1 General

This Standard provides an approach to managing the risk in an organization’s supply chain. The process, based on ISO 31000, covers elements of defining contexts, risk assessment, and risk treatment (Figure 1). ISO 31000 is a key building block to this approach; while adapting it to the organization’s needs and purposes, the Standard recognizes the need to avoid replicating standards documents but rather to optimize current best practices that help promote and sustain organizational resiliency.


Figure 1: Risk Management Process (based on ISO 31000)

As described in ISO 31000:2009, the foundation of any risk management program is based on:

  • Establishing the context;
  • Risk assessment, involving:
    • Risk identification – recognizing what risks exist;
    • Risk analysis – considered in terms of likelihood and consequence, after considering current controls; and
    • Risk evaluation – deciding how to prioritize the risks.
  • Risk treatment – using the results of the risk assessment to determine how to treat the risks;
  • Communication and consultation with internal and external stakeholders throughout the risk management process; and
  • Ongoing monitoring and review conducted throughout the risk management process.

Risk management is an integral part of an overall business management strategy which specifically assesses and addresses the effect of uncertainty on the organization’s objectives.

Therefore, in managing risk it is important to understand the significance, influence, types, and sources of uncertainty. Factors to consider include (but are not limited to):

  • Completeness of information;
  • Availability and reliability of information sources;
  • Dependability and effect of risk treatments and controls;
  • Assumptions made in assessing and treating risk;
  • Degree of certainty of likelihood and consequence predictions;
  • Volatility of internal and external context;
  • Context of time and perceptions of time;
  • Results of sensitivity studies; and
  • Effectiveness of risk monitoring and change management.

Risk management is an ongoing activity that involves continual monitoring and assessment of the risk landscape. The internal and external context of an organization and its supply chain are dynamic. Therefore, the risk assessment process should be able to evaluate a wide variety of risks over time, as well as monitor, review, and adapt to the dynamic context of its operations.

5.2 Risk Communication and Consultation

The organization should establish and maintain a formal and documented communication and consultation process with its internal and external stakeholders in all steps of the risk management process to ensure that:

  • Objectives, needs, and interests of the internal and external stakeholders are understood (including persons, organizations, communities, and upstream and downstream supply chain partners);

  • Risks are adequately identified and communicated within the organization and throughout the supply chain;

  • Dependencies and linkages with subcontractors and within the supply chain are understood;

  • Risk assessment process interfaces with other management disciplines; and

  • Risk assessment is being conducted within the appropriate internal and external context and parameters relevant to the organization and its contractors and supply chain.

5.3 Establishing the Context

5.3.1 General
The process begins with identifying the internal and external context and environment that may influence supply chain risk.

To conduct the risk assessment and manage risks, the organization needs to first understand the internal and external environment in which it operates. This includes identifying all relevant stakeholders that can affect risk or be impacted by risk. Defining the context provides the basis for defining the scope and stakeholders involved in the risk management process.

In establishing the context, the organization should identify its objectives and value drivers. What are the value generators and drivers for the organization, as well as its implicit and explicit goals and values? Understanding the activities that are instrumental in the organization providing its goods and services will provide a basis for prioritizing and evaluating risk. The organization needs to assess and evaluate what is key to the organization achieving its objectives and creating value.

Risks exist at all levels and entities within an organization. Process risks exist at production sites. Supplier risks exist at direct or indirect supplier sites. Distribution risks exist at suppliers and in upstream and downstream transportation and logistics systems. Legislative, compliance, intellectual property, sovereign, and regulatory risks exist at the country or regional level for multinational enterprises. Finally, operational risks exist at the agency, department, division, branch, unit, or corporate level.

Organizations should identify, own, prioritize, and manage risks at the point at which they occur. Organizations should also aggregate and report risks across the organization and vertically through business reporting structures. Organizations should give risks that exist within multiple entities common, coordinated treatments. When managing risks it is important to be aware of cumulative effects from one event setting off a chain of events, and the impact of one risk treatment method on other areas of risk.

Ownership of an identified risk is not always clearly defined. Defining risk ownership is necessary to treat the risk and assure that it does not adversely affect the organizations in the supply chain. Such risks may arise when franchises make, for local consumption, a final product whose performance will affect the reputation of the whole franchise. For example, risks may arise when a supplier uses lead paint on toys ultimately assembled for firms with strong brand-name recognition. Governance controls and guidance to manage such risks may include corporate leadership setting policies, standards, procedures, and contractual and auditing requirements for suppliers to follow. When organizations cannot impose on franchises and supply chain partners how to operate their facilities, they should provide guidance and evaluate the impacts of risks due to nonconformance.

The presence of differing risks at multiple levels of an organization underscores the importance of defining the context within which a risk-management program is implemented. This includes suppliers, production and services, logistics (e.g., transportation, warehousing, and distribution), customers, and other elements that can affect the supply chain. These elements will vary by industry, as will the efforts an organization can make to address them. For example, a manufacturing plant may have more control over assembly risks, while a business unit may be tasked with controlling supply-chain risks posed by legislative and regulatory issues as well as managing some procurement risks.

Defining the scope is a key decision in developing an SCRM program. The scope defines what activities of the organization and its supply chain will be included in the SCRM program. Organizations may initially focus on a Tier 1 entity, or even prioritize among Tier 1 supply chain entities. A Tier 1 entity is the main customer, contractor, or supplier that provides goods or services directly to or from the organization. In most cases, the scope should include suppliers and customers based on their role in the value chain. In determining how much of the supply chain to include beyond the first tier, managers may wish to characterize inputs by the number of suppliers and number of customers. For example, if many possible suppliers exist for a common commodity, it may be unnecessary to go beyond the first tier when considering supply chain risks. For materials with few or sole sources, it will probably be necessary to consider risks at the second tier. Between these two extremes, organizations need to assess how critical a particular component is or how easily a supplier can be replaced and, if necessary, consider supply risks in the second tier for priority components or suppliers. A key node exists where the supply chain map funnels to a point at which one or two deeper sub-tier suppliers provide the sources for all suppliers above them. An example of this occurred with the Xirallic paint pigment supplier (Tier 3) that was the only source of glitter-effect auto pigment in the world, affecting many auto manufacturers.

Understanding the activities that are instrumental in the organization providing its goods and services will provide a basis for prioritizing and evaluating risk. Distribution risks exist at suppliers and in upstream and downstream transportation and logistics systems. Legislative, compliance, intellectual property, sovereign, and regulatory risks exist at the country or regional level for multinational enterprises. Finally, strategic risks exist at the agency, department, division, branch, unit, or corporate level. When managing risks it is important for the organizations concerned to be aware of cumulative effects from one event setting off a chain of events, as well as the impact of one risk treatment method on other areas of risk.

By repeating this process for increasing numbers of tiers of suppliers and customers, organizations can identify the portions of the supply chain that pose the greatest risks to operations. Specific knowledge of an organization and its supply chain, context of operation, and risks is necessary to guide decisions. To this end, the initial risk assessment should look at all tiers without pre-prioritization of individual risks. The level of each risk should be validated.

5.3.2 Internal Context
Understanding the internal environment enables the risk management program to be in sync with the organization’s management style, processes, organizational structure, culture, and business strategy. Every organization is unique, and each risk management application is a tailor-made process. Examples of factors that should be considered in understanding the internal environment include (but are not limited to):

  • Governance, accountabilities, decision making processes, and organizational structure;
  • Resources and capabilities (human and physical);
  • Cultural characteristics (including differences in education and social interactions and communications);
  • Business model (including evaluation and performance criteria);
  • Policies;
  • Strategic initiatives;
  • Processes and activities;
  • Information systems, information security, and flow;
  • Internal stakeholders;
  • Organizational culture; and
  • Communication and consultation protocols.

5.3.3 External Context
Understanding the external context, including its supply chain dependencies and interdependencies, should provide the basis for understanding the sources of uncertainty outside of the organization that may influence the achievement of objectives. The external context includes factors that the organization can and cannot directly control or influence, but are essential for understanding the risk environment (see Figure 2). Examples of factors that should be considered in understanding the external environment include (but are not limited to):

  • Supply chain, dependencies and interdependencies (including critical infrastructure);
  • Legal, regulatory and contractual obligations;
  • Economic, social, political and cultural factors;
  • Government and public relationships;
  • Crime statistics;
  • Meteorological and geological factors;
  • Financial and competitive environment;
  • Communication, transportation and logistics factors;
  • Community resources, capacities, and capabilities;
  • Market, brand and reputational factors;
  • Perceptions of risk and values by external stakeholders;
  • Transparency and integrity of external governance institutions;
  • External stakeholders (including the media, interest groups, and first responders); and
  • Communication and consultation protocols and capabilities.

Figure 2 (image not reproduced)

5.3.4 Mapping the Supply Chain
The ongoing process of supply chain mapping is an essential decision making tool to ensure an organization identifies risks and how best to prioritize and manage them. Supply chain mapping should emphasize the importance of critical paths and value creation. To achieve desired objectives and outcomes, supply chain value mapping identifies priority processes for the organization. Understanding value propositions of different tiers of the supply chain will help the organization focus its risk management approach. Supply chain mapping should reflect the overall strategy of the organization in creating value and achieving its objectives. Therefore, the supply chain map should clearly identify supply chain partners, their contributions and value added, the various flow types, and the way the business is organized.

A supply chain map should document, by node, aspects affecting operations such as:

  • Supply chain partners with highest spending levels or that affect major value flows;
  • Dependencies and interdependencies (including utilities and other critical infrastructure);
  • Single source suppliers;
  • Upstream and downstream partners who support business functions;
  • Logistics, storage, and transportation;
  • Labor suppliers;
  • Contractual and compliance requirements;
  • Image and visibility;
  • Access to highly sensitive internal information; and
  • Partners in high risk businesses and/or locations.

Mapping supply chain processes provides a better understanding of the potential risks that exist as well as the organizations involved. Figure 3 presents a notional map. Upstream, it starts with raw materials, services, parts, assemblies, and packaging going directly to the organization or via its suppliers. Distribution systems, including trucks, trains, ships, aircraft, and the internet, move items and information from suppliers to their customers' inventory. These same distribution systems may move goods and services to end-user customers. Several factors are common to all these elements and can be the source of risks throughout the supply chain. These include infrastructure such as buildings, equipment, and network security; dependencies and interdependencies (e.g., electricity, water, telecommunications, internet, etc.); process functions such as production planning or sales and operational planning; and all persons working on behalf of the organization. Not all of these nodes will have risks for all operations, but all should be considered.

The supply chain mapping process should identify the parties involved and the associated risks in the value chain, including, but not limited to, the following processes:

  • Planning;
  • Procurement;
  • Production;
  • Packing;
  • Storage;
  • Loading/unloading;
  • Transportation;
  • Product and service delivery;
  • Document preparation; and
  • Reverse logistics.


Figure 3: Notional Supply-Chain Process Flows

Information flows should also be documented, with clear communication channels. Information can flow upstream, downstream, and sideways. In particular, information on downstream conditions can help upstream processes provide the correct quantity and quality of materials needed. Sideways flow of information should be accompanied by responsibility for ensuring the correctness of the flow of materials. Any abnormalities can then be raised to minimize and manage the risks.

Various analytical tools exist for identifying and prioritizing risks in the supply chain. The process of developing a supply chain or value stream map enables a better understanding of the product, material, and information flows, value stream metrics, and the interaction of processes. For example, Pareto analysis can help firms identify the proportion of goods and suppliers on which they are most dependent in terms of cost, value creation, production, and failure, and hence the goods and services that can pose the most risk to the supply chain. Pareto analysis is designed to identify which small set of practices, functions, suppliers, staff, etc. has the greatest impact. More sophisticated portfolio analysis can help firms identify goods by both their value and the risk to supply continuity, and lead firms to focus their SCRM first on strategic or critical goods of high value and high supply continuity risk. These may include scarce or high-value items, major assemblies, or unique parts that may have natural scarcity, few suppliers, and difficult specifications.

Accurate supply chain mapping will improve decision making processes and drive preventive actions that can avoid and mitigate undesirable and potentially disruptive events. This will allow an organization to be more preemptive in managing its supply chain and subsequently gain a competitive advantage.
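As an added illustration of the scoping guidance in 5.3.1 and the mapping guidance in 5.3.4 (example code, not part of the Standard), the following Python builds a small constructed supply chain map, assigns tiers, flags single-source materials, and finds the funnel points where one deeper sub-tier supplier feeds every Tier 1 source. The supplier names, the materials, and the three-source threshold for a "common commodity" are assumptions.

```python
from collections import defaultdict, deque

ORG = "ORG"  # the organization whose supply chain is being mapped

# Constructed sample supply chain map with hypothetical names. Each entry is
# (supplier, customer, material); a Tier 1 supplier is one whose customer is
# ORG. PigmentMaker-X is a sole Tier 3 source feeding every paint supplier,
# mirroring the funnel described in the text.
SUPPLY_MAP = [
    ("PaintCo-A", ORG, "paint"),
    ("PaintCo-B", ORG, "paint"),
    ("MixerCo-A", "PaintCo-A", "colorant"),
    ("MixerCo-B", "PaintCo-B", "colorant"),
    ("PigmentMaker-X", "MixerCo-A", "effect pigment"),
    ("PigmentMaker-X", "MixerCo-B", "effect pigment"),
    ("ResinCorp-1", "PaintCo-A", "resin"),
    ("ResinCorp-2", "PaintCo-B", "resin"),
    ("Fastener-1", ORG, "fasteners"),
    ("SteelCo-1", ORG, "steel"),
    ("SteelCo-2", ORG, "steel"),
    ("SteelCo-3", ORG, "steel"),
    ("OreMine-1", "SteelCo-1", "ore"),
    ("OreMine-2", "SteelCo-2", "ore"),
    ("OreMine-3", "SteelCo-3", "ore"),
]

# Assumed scoping rule (not from the Standard): a material with at least this
# many Tier 1 sources is treated as a common commodity, assessed at Tier 1 only.
COMMON_COMMODITY_MIN_SOURCES = 3


def upstream_index(supply_map):
    """Map each customer node to the set of nodes that supply it."""
    up = defaultdict(set)
    for supplier, customer, _material in supply_map:
        up[customer].add(supplier)
    return up

def tiers(supply_map, org=ORG):
    """Tier of each node: its shortest supply-path distance from org."""
    up = upstream_index(supply_map)
    tier, queue = {org: 0}, deque([org])
    while queue:
        node = queue.popleft()
        for supplier in up[node]:
            if supplier not in tier:
                tier[supplier] = tier[node] + 1
                queue.append(supplier)
    return tier

def upstream_closure(up, node):
    """All direct and indirect suppliers of node (node itself excluded)."""
    seen, stack = set(), [node]
    while stack:
        for supplier in up[stack.pop()]:
            if supplier not in seen:
                seen.add(supplier)
                stack.append(supplier)
    return seen

def tier1_sources(supply_map, org=ORG):
    """material -> set of Tier 1 suppliers delivering it to org."""
    sources = defaultdict(set)
    for supplier, customer, material in supply_map:
        if customer == org:
            sources[material].add(supplier)
    return dict(sources)

def single_sources(supply_map, org=ORG):
    """Materials org obtains from exactly one Tier 1 supplier."""
    return {m: next(iter(s)) for m, s in tier1_sources(supply_map, org).items()
            if len(s) == 1}

def key_nodes(supply_map, org=ORG):
    """Sub-tier suppliers on which every Tier 1 source of a material depends:
    the points where the map funnels to one or two deeper suppliers."""
    up = upstream_index(supply_map)
    result = {}
    for material, t1 in tier1_sources(supply_map, org).items():
        if len(t1) < 2:
            continue  # a lone Tier 1 source is already reported by single_sources
        common = set.intersection(*(upstream_closure(up, s) for s in t1))
        if common:
            result[material] = sorted(common)
    return result

def scope_depth(supply_map, org=ORG):
    """Recommended assessment depth per material: Tier 1 only for common
    commodities, Tier 2 where sources are few or a funnel exists beneath them."""
    funnels = key_nodes(supply_map, org)
    return {m: 1 if len(t1) >= COMMON_COMMODITY_MIN_SOURCES and m not in funnels
            else 2
            for m, t1 in tier1_sources(supply_map, org).items()}


if __name__ == "__main__":
    print("key nodes:", key_nodes(SUPPLY_MAP))  # {'paint': ['PigmentMaker-X']}
    print("scope depth:", scope_depth(SUPPLY_MAP))
```

Steel, with three independent Tier 1 sources and no shared sub-tier supplier, stays in scope at Tier 1 only; paint is pushed to Tier 2 because every paint supplier ultimately depends on the same pigment maker.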

5.4 Risk Assessment Process

5.4.1 General
Risk assessment is a dynamic process that should take a holistic, end-to-end approach. Using its supply chain map, the organization should also identify risks associated with its Tier 1 supply chain partners, expanding this analysis to additional tiers as necessary to develop a complete picture of the risk profile. Given the dynamic nature of risk, ongoing monitoring of the risk criteria, profile, and assessment process is necessary for effective risk management. Also, the tangible and intangible costs of risk and risk treatment should be considered when conducting a risk assessment.

The risk assessment process should distinguish between risks that should be included in the risk management program and those that require treatment. Risks that could potentially prevent the organization from achieving its objectives should be considered. The organization should consider not only risks that are internal to the organization, but also those associated with its supply chain, dependencies and interdependencies. The organization should assess risks that could potentially cause undesirable and/or disruptive events.

5.4.2 Risk Criteria
Setting the risk criteria should be done prior to conducting the risk assessment. The risk criteria establish the organization’s approach to and parameters for assessing, accepting, pursuing, retaining, or treating risk. The risk criteria provide the basis for establishing the scope. The definition of the risk criteria will determine how risk is analyzed and evaluated. To prioritize and address risks, organizations need to define risk criteria that determine the method they will use to establish the acceptable level of risk to their operations and supply chain. Risk criteria provide a basis for evaluating the significance of risk within the bounds of the amount of risk the organization is willing to accept.

The risk criteria are set to understand the impact of uncertainty on the organization achieving its objectives. They set the benchmarks for how the organization will measure and evaluate consequences and likelihood. Will the level of risk be described qualitatively or quantitatively? How will the scales be expressed? Risk criteria should also be considered for the perceived and actual level of risk that will be tolerated by supply chain partners. Setting the risk criteria is a dynamic and iterative process and should be revisited and revised to reflect the changing landscape of risk.

By understanding the organization and its context, the organization can set the scope for its SCRM process, document its methodology, and justify its assumptions. Setting the scope is also a dynamic process and should be revisited based on the analyses conducted during the SCRM process.

5.4.3 Risk Appetite
Clearly defining the organization’s risk appetite internally and within its supply chain is a keystone to good governance and effective risk management, yet it is one of the more difficult tasks of top management. Risk appetite is the amount and type of risk that an organization is willing to pursue, accept, or tolerate. Understanding risk appetite is an indicator of maturity of the risk management program. Clearly defining the risk appetite sets the boundaries that enable an organization to increase its opportunities by optimizing risk taking and accepting calculated levels of risk within an appropriate level of authority.

When establishing risk appetite, top management should consider strategic, tactical, and operational aspects. An understanding of the culture of the organization is necessary for evaluating both pursuing and tolerating risk. The thoroughness, integrity, and reliability of information should be evaluated when establishing risk appetite. When establishing risk appetite, it is important to understand both the real and perceived risks of internal and external stakeholders in the organization and its supply chain, as well as interested parties perceiving themselves as impacted by the activities of the organization and its supply chain.

5.4.3 Risk Identification
Risk identification should consider the questions of what can happen, when, where, how, and why, as well as possible outcomes. Risk analysis will expand and further define these aspects. The outcome of risk identification is a prioritized list of risks associated with the organization achieving its objectives. Risk identification should be a well-structured process since a risk not identified cannot be analyzed. Risk identification comprises:

  • Criticality analysis – Asset and activity valuation and potential impacts of undesirable and disruptive events (“what”, “where,” and outcomes);

  • Threat and/or hazard analysis – Anything that has the potential to disrupt the achievement of objectives and the activities and processes that support them (“who/what”, “why,” and “when”); and

  • Vulnerability analysis – Susceptibility of an event successfully materializing that has the potential to disrupt the achievement of objectives and the activities and processes that support them (“how”).

The risk identification process should not only consider negative consequences of a risk event but also the opportunities it may create. Many methods exist for conducting risk identification (e.g., previous risk assessments, exercises and modeling, surveys, historical data analysis, business impact analysis, logic trees/diagrams, brainstorming sessions, checklists, and “worst-case” scenario workshops). Regardless of the method or methods used, risk identification should be comprehensive, documented, and repeatable. It should consider (but not be limited to):

  • Reliability and degree of uncertainty of information;

  • Biases that may influence results (including the effect of assumptions);

  • Root causes and triggers of risk;

  • Broad consultations with internal and external stakeholders;

  • Supply chain relationships, dependencies and interdependencies;

  • Priority business functions and activities and the impact of their loss (including time dependencies);

  • The value of assets to the organization, its supply chain partners, competitors, and adversaries;

  • Single, multiple and compounded weaknesses including overlapping and multiple effects of risks;

  • Likelihood of success of a risk event occurring as well as causing an undesirable and/or disruptive event; and

  • The interactions between threat, criticality, and vulnerability analysis.

It may be helpful to categorize the risks by type. It is important to remember that risk assessments are dynamic and risk management should include continuous identification and analysis of all risks related to the organization’s business.

Table 1 presents examples of risks an organization may wish to consider in its risk identification process. Annex C presents a longer but not exhaustive list. Note that risks can overlap categories.

Table 1: Examples of Sources of Risk to an Organization and its Supply Chain


Examples of points to consider in identifying risk include (but are not limited to):

  • Number and location of suppliers. For example, are there suppliers in countries with social unrest, terrorist or drug activity, or high levels of corruption and other crime?

  • Number and origin of shipments. For example, have increased quantities or values of shipments posed additional risks?

  • Contractual terms defining responsibility for shipping. For example, companies may specify security controls and procedures for their suppliers. (Annex D provides sample contractual terms and conditions for supply-chain security.)

  • Compliance requirements, recall, and reverse logistics. For example, companies may have specific requirements for the handling and packaging of products as well as the return of damaged, expired, and recalled products.

  • Brand and reputation protection. For example, some companies require measures for brand protection related to social responsibility and legal obligations, including environmental, health, and safety issues.

  • Modes of information transfer. For example, information protection and encryption may be required for data files and transmissions.

  • Modes of transport and routes for shipments. For example, companies may ask their suppliers to follow certified security procedures for ocean-container or truck-trailer shipments.

  • Risks related to logistics providers or partners involved in the supply chain who handle shipments (e.g., packaging companies, warehousing, trucking companies, freight forwarders, and air or ocean carriers). For example, firms may require that logistics providers meet all certification standards from an official supply-chain security program.

Risk identification is a function of local conditions and may vary from facility to facility within the same organization as well as between elements within a supply chain. It is essential to identify the risks associated with the locations of functions and choke points in the supply chain. For example, the administrative headquarters of a supplier may not be the same as the production location. Therefore, the risks may be very different, so the assumption should not be made that identifying the risks at the administrative headquarters will be representative of the risks throughout the supply chain.

The organization should periodically review the status of its risks in a catalogue of risks (e.g., a risk register), incorporating new risks as they develop and revising the risk ranking. The catalogue of risks serves as the central repository for all risks identified by the organization and includes (but is not limited to) information on risk criteria, likelihood, consequences, treatments, anticipated outcomes, and risk owners. Risk management activities should be documented, tracked, traceable, and non-repudiable.

5.4.4 Risk Analysis
Risk analysis is a process to understand the nature and level of risk to determine its significance. The organization takes the information generated during the risk identification process and evaluates this within the context of its operations and the risk criteria. The risk analysis process should estimate the likelihood and consequence of risks facing an organization and accordingly prioritize them for ultimate treatment. To begin, organizations may choose to rank risk events with varying degrees of detail, depending on the risk, and the information, data, and resources available.

As seen in Figure 4, the output from risk identification provides the input to risk analysis.


Figure 4: Determining the Level of Risk

Likelihood and consequence can be expressed qualitatively or quantitatively (or a combination of methods). The decision on which approach works best for an organization is based on the:

  • Availability and reliability of information;

  • Scales and level of detail of the risk identification process;

  • Methods for determining threats and impacts to tangible and intangible assets, as well as tangible and intangible impacts (intangible assets and impacts may not lend themselves to numeric evaluations);

  • Other risk analysis processes and methodologies used by the organization; and

  • Most effective method for communicating level of risk to decision-makers.

Regardless of the method used to determine the level of risk, care should be taken to assure a consistent approach and consider the level of confidence, particularly for aggregated data. Units and scales of measuring risk determined during the definition of risk criteria should be used consistently throughout the analysis. The risk analysis method used should meet the needs of the risk evaluation and treatment decision making process.

One method of risk analysis that uses cause-and-effect analysis is the bow-tie method (for more information on this and other methods, see ISO 31010:2009). The bow-tie method provides a simple, qualitative approach to help fully understand the characteristics of a risk event. An event can have multiple causes and multiple consequences—the two dimensions of risk—and existing treatments. Risk treatments can be reviewed to understand their effectiveness and efficiency. The method enables the evaluation of risk treatment methods to better understand inherent risk (i.e., risk in the absence of any treatment) and residual risk (i.e., the level of risk remaining after treatment). The bow-tie risk analysis method clearly ties treatment actions to each dimension of the risk event. The bow-tie method is a good way of visualizing risk and communicating the effectiveness of the treatment methods in place to manage risks. Figure 5 shows an example of the bow-tie method.


Figure 5: Bow-Tie Method for Linking Treatment to Cause and Consequence

The bow-tie method can be used to help simplify risk analysis and provide a subjective estimate of the level of risk by allowing the conceptualization of the interaction of causes, treatments, and consequences of a risk. The steps involved in conducting a risk analysis using the bow-tie method are as follows:

  • Based on the risk identification, describe a risk event that may provide an opportunity or result in an undesirable or disruptive event;

  • Determine the foreseeable possible causes of the risk event (left side);

  • Identify the potential consequences of the risk event (right side);

  • Evaluate what preventive and protective measures are in place to modify the likelihood;

  • Evaluate what mitigation, response, and recovery measures are in place to reduce the consequences;

  • Evaluate the effects of multiple layers of protection, as well as cascading and multiple impacts; and

  • Determine the level of risk.
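The bow-tie steps above, worked through as an added Python example that is not part of the Standard: causes sit on the left with the preventive barriers that modify likelihood, consequences on the right with the mitigating barriers that reduce impact, and inherent and residual levels of risk are computed from them and compared against the risk criteria. The 1-to-5 ordinal scales, the tolerability thresholds, and the sole-source pigment scenario are assumptions.

```python
from dataclasses import dataclass, field

# Assumed 1..5 ordinal scales for likelihood and consequence, and assumed
# risk criteria thresholds on their product. The Standard leaves both the
# scales and the acceptable level of risk to the organization's risk criteria.
SCALE_MIN, SCALE_MAX = 1, 5
TOLERABLE_MAX = 4   # level of risk <= 4: may be tolerated by informed decision
REVIEW_MAX = 12     # 5..12: keep under review; above 12: further treatment needed


@dataclass
class Barrier:
    """A treatment on one side of the bow-tie. `steps` is how many scale
    steps it removes from likelihood (left side) or consequence (right)."""
    name: str
    steps: int


@dataclass
class Cause:
    name: str
    likelihood: int                                  # inherent, 1..5
    preventive: list = field(default_factory=list)   # Barriers on likelihood


@dataclass
class Consequence:
    name: str
    severity: int                                    # inherent, 1..5
    mitigating: list = field(default_factory=list)   # response/recovery Barriers


@dataclass
class BowTie:
    event: str
    causes: list
    consequences: list


def _apply(level, barriers):
    """Stack layers of protection: each barrier removes its steps, floored at
    the bottom of the scale (a barrier cannot push a level below 1)."""
    return max(SCALE_MIN, min(SCALE_MAX, level) - sum(b.steps for b in barriers))


def level_of_risk(bowtie, treated=True):
    """Level of risk = worst-case likelihood x worst-case consequence.
    treated=False ignores all barriers (inherent risk); True gives residual."""
    likelihoods = [_apply(c.likelihood, c.preventive if treated else [])
                   for c in bowtie.causes]
    severities = [_apply(k.severity, k.mitigating if treated else [])
                  for k in bowtie.consequences]
    return max(likelihoods) * max(severities)


def evaluate(level):
    """Compare a level of risk against the assumed risk criteria."""
    if level <= TOLERABLE_MAX:
        return "tolerable"
    if level <= REVIEW_MAX:
        return "review"
    return "treat further"


def analyse(bowtie):
    """Inherent and residual levels of risk plus the evaluation of the residual."""
    inherent = level_of_risk(bowtie, treated=False)
    residual = level_of_risk(bowtie, treated=True)
    return {"event": bowtie.event, "inherent": inherent,
            "residual": residual, "evaluation": evaluate(residual)}


# Constructed scenario in the spirit of the sole-source pigment case in 5.3.1.
PIGMENT_OUTAGE = BowTie(
    event="Loss of supply of the sole-source effect pigment",
    causes=[
        Cause("Natural hazard shuts the only pigment plant", likelihood=3,
              preventive=[Barrier("Qualified second pigment source", 2)]),
        Cause("Pigment maker becomes insolvent", likelihood=2,
              preventive=[Barrier("Supplier financial monitoring", 1)]),
    ],
    consequences=[
        Consequence("Paint lines stop; vehicle production halts", severity=5,
                    mitigating=[Barrier("Eight weeks of safety stock", 2),
                                Barrier("Approved substitute colors", 1)]),
        Consequence("Late-delivery penalties from customers", severity=3),
    ],
)

if __name__ == "__main__":
    print(analyse(PIGMENT_OUTAGE))  # inherent 15 (treat further), residual 3 (tolerable)
```

Removing a barrier from the scenario and re-running shows which treatment the residual level depends on, which is the "effectiveness of the treatment methods in place" the text says the bow-tie is meant to communicate.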

5.4.5 Risk Evaluation
Risk evaluation uses the risk criteria and outputs from the risk identification and risk analysis steps to determine what risks are acceptable with existing risk treatments and which require additional risk treatment. The level of risk determined during risk analysis will indicate the priorities for risk treatment. Evaluating the level of risk before and after treatment combined with value driver analysis provides the basis for determining if the residual risk levels fall within an acceptable level of risk set by the risk criteria. Risk treatment prioritization should also be predicated on an understanding of the risk tolerance. If the level of residual risks is found to be greater than the acceptable level of risk set by the risk criteria, then the organization should consider alternative or additional risk treatments to reduce the level of residual risk. Initial treatment decisions will be driven by tolerance, not just addressing residual risk. Risk evaluation considers the cost and benefits of different treatment options. Care should be taken during the risk evaluation stage to make sure treating one risk is not creating another risk.

Risk evaluation considerations include:

  • Objectives of projects and opportunities;
  • Tangible and intangible impacts;
  • Legal, regulatory, and contractual requirements;
  • Tolerability of risks to others;
  • Whether a risk needs treatment;
  • Deciding whether risk can be tolerated;
  • Whether an activity should be undertaken; and
  • Priorities for treatment.

Acceptable risk levels will be unique to each organization and supply chain. They may vary by project, commodity, product, or service, as well as over time. The organization may have varying levels of risk tolerance for different divisions, subsidiaries, and partners. It may not be practical to eliminate all risk because of the costs involved, and it may be desirable to accept risk to gain an opportunity. To achieve a level of risk that is as low as reasonably practicable, a typical target of risk evaluation is to determine the most cost-effective treatments.

Examples of reasons an organization may tolerate risk (by informed decision) include:

  • The level of the risk is so low that specific treatment is not appropriate within the constraints of available resources;

  • The risk is such that there is no treatment available. For example, the risk causes may not be within the control of an organization;

  • The cost of treatment, including insurance costs, is so manifestly excessive compared to the benefit that toleration is the only option. This applies particularly to lower ranked risks;

  • The opportunities presented outweigh the threats to such a degree that the risk is justified; and

  • Organizations may also determine to accept a risk by informed decision-making or to maximize a business opportunity.

Regardless of the method used to evaluate risk treatment(s) to achieve a level of risk as low as reasonably possible, it is important to understand that this is an iterative process where the risk manager can pick multiple layers of risk treatment measures including:

  • Eliminating the risk exposure;
  • Isolating the risk source or potential targets;
  • Technical modifications and substitutions;
  • Administrative and procedural controls;
  • Protective, preventive, and mitigation measures; and
  • Accepting or exploiting risk by informed decision.

During the risk evaluation process, the proposed risk treatments should be evaluated for the cost-benefit of each measure in reducing risk and for whether the treatment changes or introduces new risk to the organization and its supply chain. Figure 6 illustrates how the output from the risk identification and analysis steps can be represented by a funnel approach: intolerable risk must be treated at any reasonable cost; treatment measures are applied to bring the risk to a level that is as low as reasonably possible, the point at which the cost of further treatment is disproportionate to the benefit; and risks reach a tolerable level when they are within the tolerance set by the risk criteria. Contingency measures might be considered for risks that remain after treatment.

Figure 6: Risk Evaluation Funnel

One way an organization may wish to assess its risk tolerance is through a risk “frontier” graph, plotting the likelihood of events against their consequence (Figure 7). Organizations may find some risks to be of such low likelihood or to have such limited consequence that they do not warrant any further treatment or consideration. For those of greater likelihood or consequence, the organization may wish to reduce the risk through resource management (for example, an extra level of supplies or "safety stock"), development of a risk distribution strategy (e.g., use of multiple sourcing), or other mechanisms of risk avoidance or elimination. Such mechanisms may seek to reduce the likelihood, duration, or consequence of a risk event. Organizations may also determine to accept a risk by informed decision-making to maximize a business opportunity.

Figure 7: Conceptual Risk “Frontier”

Another means of representing the relationship between likelihood and consequences is to use a “heat” map showing risk events on a matrix that defines likelihood and consequence levels. This technique allows managers to easily see the relative likelihood and consequence of differing risks. To use this method effectively, it is critical to have well-defined and consistently used criteria for the different likelihood and consequence levels. Various scales are used by different organizations; the gradations, scaling, and terms used should be based on what is best understood by the users and the decision makers. Figure 8 shows a “heat” map illustrating the concept.

Figure 8: “Heat” Map

The “heat” map shows how firms may wish to prioritize risks by likelihood and consequence.

An example of an alternative scale would be:

  • For consequence categories: Low, Moderate, Serious, Severe, Major, and Extremely Serious; and
  • For likelihood categories: Very Unlikely, Unlikely, Possible, Probable, and Regular.
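The heat map and the risk evaluation funnel, worked through together on the alternative scale just listed, as an added illustration that is not the Standard's own method. The category names are the ones quoted above; the numeric cell scores (a rank product), the per-division tolerance thresholds, and every risk and treatment in the register are constructed assumptions. The example also covers two points made earlier in 5.4.5: that different divisions may have different risk tolerances, and that a treatment must be checked for the new risk it introduces before it is chosen:

```python
"""Heat-map risk evaluation against per-division risk criteria.

Added illustration, not the Standard's own method. The category names are the
alternative scales quoted in the text; the numeric cell scores, the tolerance
thresholds and every risk and treatment below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Alternative scales from the text, ordered from least to most severe.
CONSEQUENCE = ["Low", "Moderate", "Serious", "Severe", "Major", "Extremely Serious"]
LIKELIHOOD = ["Very Unlikely", "Unlikely", "Possible", "Probable", "Regular"]


def score(likelihood: str, consequence: str) -> int:
    """Heat-map cell score: rank product, 1 (bottom left) to 30 (top right).
    An assumed rule; any ranking that grows along both axes would do."""
    return (LIKELIHOOD.index(likelihood) + 1) * (CONSEQUENCE.index(consequence) + 1)


@dataclass(frozen=True)
class RiskCriteria:
    """The two funnel boundaries, expressed as heat-map scores."""
    tolerable_max: int    # at or below: tolerable, no further treatment required
    intolerable_min: int  # at or above: must be treated at any reasonable cost

    def zone(self, likelihood: str, consequence: str) -> str:
        s = score(likelihood, consequence)
        if s >= self.intolerable_min:
            return "intolerable"
        return "alarp" if s > self.tolerable_max else "tolerable"


@dataclass
class Risk:
    id: str
    description: str
    division: str
    likelihood: str
    consequence: str
    treatments: List["Treatment"] = field(default_factory=list)


@dataclass
class Treatment:
    name: str
    cost: float       # constructed, arbitrary currency units
    likelihood: str   # residual likelihood after the treatment
    consequence: str  # residual consequence after the treatment
    introduces: Optional[Risk] = None  # new risk the treatment creates, if any


def evaluate(risk: Risk, criteria: Dict[str, RiskCriteria]) -> dict:
    """Inherent zone plus, per option: residual zone, the zone of any risk the
    option introduces, whether both are acceptable, and reduction bought per cost."""
    crit = criteria[risk.division]
    inherent = score(risk.likelihood, risk.consequence)
    options = []
    for t in risk.treatments:
        residual = score(t.likelihood, t.consequence)
        new = t.introduces
        new_zone = None if new is None else criteria[new.division].zone(new.likelihood, new.consequence)
        options.append({
            "treatment": t.name,
            "residual_zone": crit.zone(t.likelihood, t.consequence),
            "introduced_risk_zone": new_zone,
            "meets_criteria": residual <= crit.tolerable_max and new_zone in (None, "tolerable"),
            "reduction_per_cost": (inherent - residual) / t.cost,
        })
    return {"id": risk.id, "inherent_score": inherent,
            "inherent_zone": crit.zone(risk.likelihood, risk.consequence), "options": options}


def prioritize(risks: List[Risk], criteria: Dict[str, RiskCriteria]) -> List[str]:
    """Treatment order: intolerable first, then ALARP, then tolerable; ties by score."""
    rank = {"intolerable": 0, "alarp": 1, "tolerable": 2}
    evs = sorted((evaluate(r, criteria) for r in risks),
                 key=lambda e: (rank[e["inherent_zone"]], -e["inherent_score"]))
    return [e["id"] for e in evs]


def recommended(risk: Risk, criteria: Dict[str, RiskCriteria]) -> Optional[str]:
    """Most cost-effective option that meets the criteria, or None if none does."""
    ok = [o for o in evaluate(risk, criteria)["options"] if o["meets_criteria"]]
    return max(ok, key=lambda o: o["reduction_per_cost"])["treatment"] if ok else None


# Constructed criteria: the two divisions tolerate different amounts of risk.
CRITERIA = {"Manufacturing": RiskCriteria(tolerable_max=6, intolerable_min=16),
            "Retail": RiskCriteria(tolerable_max=4, intolerable_min=12)}

# Constructed register. R1's cheapest option itself creates a new ALARP risk.
RISKS = [
    Risk("R1", "Single-source supplier of a safety-critical controller stops deliveries",
         "Manufacturing", "Probable", "Major", [
             Treatment("Qualify a second source and hold 30-day safety stock", 300.0, "Unlikely", "Serious"),
             Treatment("Hold 90-day safety stock only", 120.0, "Probable", "Serious"),
             Treatment("Switch to a lower-cost offshore supplier", 50.0, "Unlikely", "Serious",
                       introduces=Risk("R1a", "New supplier fails security qualification",
                                       "Manufacturing", "Possible", "Severe"))]),
    Risk("R2", "Seasonal packaging shortage", "Retail", "Regular", "Low"),
    Risk("R3", "Logistics provider breach exposes shipment manifests", "Retail", "Unlikely", "Serious"),
    Risk("R4", "Label misprint on non-regulated goods", "Manufacturing", "Possible", "Low"),
]
```

Calling `prioritize(RISKS, CRITERIA)` orders the register R1, R3, R2, R4, and `recommended(RISKS[0], CRITERIA)` returns the second-source option: the offshore switch buys the most reduction per unit of cost, but the qualification risk it introduces lands in the ALARP band, so it fails the "does not create another risk" check, and the 90-day stock option leaves R1 above the Manufacturing tolerance line. Note that R2 scores 5 and is ALARP under the Retail criteria; the same cell would be tolerable under the Manufacturing criteria, which is the per-division tolerance the text describes.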
