Skip to content

Supply Chain Risk Management Standard: A Compilation of Best Practices

ATTENTION: This page is intended to be viewed online and may not be printed or copied.

6. Risk Treatment

6.1 General

Once an organization understands its supply chain and has analyzed its potential risks, it can begin the process to modify and reduce risk. It is important to keep in mind when developing a risk treatment strategy that risk treatments have the potential to create new risks or modify existing risks.

After an organization has identified and prioritized the risks that it faces, it can devise risk treatment plans. Plans include developing strategies and measures to protect supply chains from sources of risks, responding to events that these risks may cause, and continuing operations and recovering from undesirable and disruptive events. Risk treatments seek to:

  • Remove the risk source, where possible;
  • Remove or reduce the likelihood of the risk event occurring;
  • Remove or reduce negative consequences;
  • Share the risk with other parties, including risk insurance;
  • Accept risk through informed decision or to exploit an opportunity; and/or
  • Avoid activities that give rise to the risk.

For organizations to cost-effectively manage risk, they should develop balanced strategies to adaptively, proactively, and reactively address minimization of both the likelihood and consequences of undesirable and/or disruptive events. Furthermore, the selection of risk treatment controls should be integrated with the overall supply-chain risk management program with its partners, that is, its suppliers, carriers, and logistics providers. Such a program should have at least three elements: protecting the supply chain, responding to events, and continuing business operations while recovering from events. Plans should also involve determining ways to measure risks as well as testing the effectiveness of the plan itself and its ability to limit risks. The organization should establish, implement, and maintain procedures to prevent and manage undesirable and disruptive events to prevent negative consequences and exploit positive ones to the organization, its key stakeholders including supply chain partners, and the environment. Procedures should be concise and accessible to those responsible for their implementation. Plans and procedures should be acknowledged by all different management areas and risk disciplines to avoid a silo approach (e.g., a business continuity plan needs to take into consideration how security measures within an incident response will impact continuity of operations). Examples of risk treatment procedures are provided in Annex B.

6.2 Protecting and Securing the Supply Chain

An effective supply-chain risk management program dictates how an organization and its partners implement appropriate measures to secure all upstream and downstream processes, from the procurement of goods and services, to the provision of finished goods and services, to the returning or receiving of returned products. The importance of SCRM programs can be viewed from six perspectives. Organizations should:

  • Protect assets from an all-risk perspective;

  • Prevent loss from theft or damage;

  • Protect the integrity of products and services and prevent unauthorized intrusion into shipments that could enable insertion of illicit contraband which could include but not be limited to: weapons, drugs, and counterfeit or diverted goods;

  • Prevent the potential loss of intellectual property and/or the corruption of technology associated with intellectual property;

  • Protect the integrity and reliability of information, communications, and telecommunication networks; and

  • Protect brand and reputation.

Effective supply chain security includes not only conveyance security but also physical security of areas where services are delivered or goods are manufactured, stored, or distributed. Aspects such as physical security of facilities can include: access controls; surveillance systems; personnel security; procedural security; information technology security; and education, awareness, and training.

To ensure maximum effectiveness, organizations and their partners should develop plans and/or programs to audit their supply chain security programs for compliance with written policies and procedures. Such audits should be conducted on a regular basis. This Standard illustrates below some benchmarks for each of these criteria. Plans and/or programs developed should reflect all supply chain risks, including any aspects that may be unique to a particular organization or industry; including, for example, tangible and intangible assets, and any assets which may have different intrinsic values either to an organization or an adversary.

When developing security plans and programs the organization should consider:

  • Physical security. That part of security concerned with physical measures designed to safeguard people; to prevent unauthorized access to equipment, facilities, material, and documents; and to safeguard them against a security incident. Logistics partners such as manufacturers, distributors, and transportation entities should have established physical security programs to prevent unauthorized access to their facilities while goods are in storage or transit. Such features should include (but not limited to): perimeter controls such as fencing and/or gated entry points; access controls to prevent unauthorized entry into/within facilities or vehicles; penetration alarms to notify authorities of illicit access attempts; and video surveillance systems to display, record, and play back access activities (for more information on physical security methods, see ANSI/ASIS PAP.1-2012, Security Management: Physical Asset Protection).

  • Personnel security. Organizations and their partners should screen prospective persons working on behalf of the organization (in ways consistent with local regulations) and verify employment application information prior to employment. This can include drug tests and background checks on educational and employment background and possible criminal records, with periodic subsequent checks performed for cause or sensitivity of a person’s position. Organizations and their partners should also have procedures in place to remove badges, uniforms, and facility and IT-system access for persons working on behalf of the organization who voluntarily or involuntarily leave employment.

  • Awareness, education, and training. The attitudes and behaviors of individuals, organizations, and institutions should be developed to support and enhance a security culture. Organizations and their partners should establish and maintain a security training program to educate and build awareness of proper supply chain security procedures for all persons working on behalf of the organization to address intentional, unintentional, and natural events. Current best practices within supply chain security consist of training persons who work in areas of risk to anticipate, prevent, protect from, and mitigate potentially undesirable and disruptive events. Persons should be aware of their role in the protection from the threat of malicious acts including theft; the potential introduction of illicit contraband, counterfeit, or diverted products into shipments; and the importance of maintaining the integrity of intellectual property within one’s own supply chain. Education and training should also include documented procedures for persons working on behalf of the organization to report security incidents or suspicious behavior.

  • Procedural security. Organizations and their supply chain partners should establish, document, provide training, and audit supply chain security programs and procedures. Procedural controls should complement physical, technical, and engineering measures by introducing work practices or procedures that reduce risk. Procedures can be documented in specific security Standard Operating Procedures and/or employee manuals or handbooks. Procedural supply chain security should address, but not be limited to: awareness of warning signs of potential events; how to inspect shipments; methods of secure storage and stowage of goods; tamper evident ways to package/seal goods in shipment; detecting suspicious shipments/packaging; detecting suspicious persons; and procedures for selecting secure warehousing and/or transportation options.

  • Information security. Information security protects information in all forms. Information security practices and procedures provide the guidance to ensure that organization sensitive information is adequately protected. Information security measures should ensure information and telecommunications systems are protected from unauthorized access and that information related to product integrity, intellectual property, logistics, routing, and personnel is protected. This should include password protection (including periodic changing of passwords) and accountability (including a system to identify any improper access or alteration).

  • Business-partner security. Organizations should have a documented business partner selection process which includes a pre-contractual security assessment to cover all aspects of security related risks. An effective supply-chain security program dictates that any supply chain partner, as well as any further sub-contracted suppliers or logistics service providers, employ consistent security practices throughout the supply chain. Firms should have binding contractual agreements with all business partners and sub-contracted entities within their respective supply chains that address such things as: screening and selection; the use of further sub-contracted entities; acceptable methods of storage and/or transportation; and reporting theft, damage, or suspicious incidents. All contractual agreements should have a documented “audit function/schedule” built into them.

  • Logistic security. Transportation, particularly drayage (inland truck support), may be the most vulnerable point of the supply chain. Areas that should be addressed procedurally within conveyance security (storage containers such as trailers, ocean freight containers, aircraft unit load devices, and railcars) should include: procedures for packing and sealing; inspections for integrity; availability of tracking; atmospheric sensitivity; individual storage; and routing including predefined back-up routes. The security conditions for all in-transit locations where the shipment is at any given time, despite the time of storage, should be addressed. Several airports, terminal, and ocean warehouses that are not in a secured area are critical points for potential pilferages and cargo thefts.

  • Product security. For organizations that involve any type of product, product security is paramount to the success of the organization and the effectiveness of the supply chain. Product security involves the specific security measures to protect a product from certain risks such as adulterated products, counterfeited products, and diversion of goods. Product security also involves the use of special signs, chemical mark components within the product, holograms, and cover and over marks to ensure that the final consumers get the intended product. Product security requires close teamwork between manufacturing, packaging, brand protection, security, quality, and legal departments as well as direct involvement with law enforcement.

6.3 Responding to Events

Even with the best laid plans, organizations may still confront undesirable and disruptive events which have the potential to impact their supply chains. This Standard characterizes “crises” as events that threaten the organization, apply intense time pressures, create high stress, and drive the need for rapid, but careful, decision making.

A crisis is an unstable condition involving an impending abrupt or significant change that requires urgent attention and action to protect life, assets, property, critical information, operations, or income, the environment, and an organization’s reputation. Crisis events can include natural disasters, major infrastructure failures, major fires, political and social unrest, labor disputes, organized protests, pandemics, information technology failures, or security threats.

Managing an event comprises the overall strategic and tactical responses of an organization to recognize and respond effectively, efficiently, and comprehensively to the identified threats before, during, and after they have occurred. It incorporates proactive measures to detect, respond to, and recover from an undesirable or disruptive event. Activities related to managing an event are characterized by several phases:

  • Prevention and mitigation constitute efforts to prevent threats from developing into disasters altogether or to reduce the effects of disasters and is a natural outflow of the risk identification and analysis processes of a risk management program.

  • Preparedness is a continual cycle of planning, managing, equipping, training, exercising, evaluating, and improving activities to ensure effective coordination and the enhancement of crisis management capabilities within organizations. Common preparedness measures include, but are not limited to:

    1. Establishing a communications, command, and control system with defined and tested roles, responsibilities, and capabilities;

    2. Establishing communication plans with easily understandable terminology and methods;

    3. Creating management plans, protocols, and tools that can assist in guiding the crisis team in resolving an incident;

    4. Developing exercise and training methodologies;

    5. Creating support documents including emergency shelter and evacuation plans and ensuring alignment with business continuity plans;

    6. Evacuation planning (including logistics, visas, and relocation planning); and

    7. vii. Implementing and maintaining a crisis communication system that can help identify the nature of a crisis and provide instructions when needed.

  • Response includes the mobilization of essential personnel to support crisis response activities. This includes onboarding an effective leadership team quickly to coordinate and manage efforts as they grow beyond essential personnel. The leader and team should implement a disciplined, iterative set of response plans allowing initial coordinated responses during crises.

  • Recovery efforts are focused on actions needed to restore operations to predetermined levels in order to meet customer needs and identify opportunities for improvement. This may include re-employment of personnel, rebuilding destroyed property, and the repair of other essential infrastructure after a crisis. It differs from the response phase in that it focuses on issues and decisions that should be made after immediate needs following a crisis are addressed.

  • Lessons learned and post incident review – this process critically examines the cause of the incident and the response that was applied. By learning and sharing internally, an organization can strengthen its crisis response capability, as well as identify opportunities for improvement and adaptation.

These processes are intended to enhance existing organizational crisis management capabilities by establishing a crisis management structure that will provide integrated and coordinated planning and response activities at all levels within an organization. They will also establish a common and consistent set of notification and activation thresholds. The structure and processes are designed to complement, not supersede, emergency response plans and procedures at various functional organization units and facilities. When an incident occurs, these units and facilities will follow established local response plans and procedures.

Figure 9 presents a notional hierarchy for a crisis management team in a large global organization. Should a local crisis response team (LCRT) not be able to manage a crisis, it would activate a broader crisis management team (CMT) that considers the impact of the crises throughout the supply chain and the rest of the organization. Other teams to be activated as needed, and focusing primarily on sustaining business operations, are a corporate crisis management team (CCMT) and an executive crisis management team (ECMT). Ultimately the size, nature, and scope of an organization’s operation will determine the most appropriate levels of response.


Figure 9: Notional Crisis Management Structure and Engagement Model

Incidents with high severity can quickly require the focus of crisis teams throughout a global organization. For example, the H1N1 swine flu pandemic, which originated in Mexico, led to simultaneous activation of the LCRT and relevant CCMT for one leading organization. Within three days, the CCMT was activated and held regular briefings with the ECMT. Crisis management bridges activities that respond to an emergency (any incident that can threaten human life, health, property, or the environment if not controlled, contained, or eliminated immediately through local level response) and those supporting the organization’s recovery (prioritized actions to return the organization’s processes and support functions to operational stability) and resumption (restarting defined business processes and operations to a predetermined level) of operations.

Figure 10 presents a more generic process of how a CMT might approach an incident. Members of the CMT continually monitor the supply chain for potential risks. Should an event occur, members assess its consequence by making direct contact with suppliers in a region or through direct feedback from suppliers, partners, or customers.

Figure 10 Crisis Management Team.png

Figure 10: Crisis Management Team Activation and Work Cycle

A crisis-response process includes the following steps, as depicted in Figure 11. Crisis response uses a measured approach commensurate with the severity of the incident. (Annex G provides a core-elements checklist for a crisis management program.)

  1. Crisis Occurs/Crisis Identified – Incident identification and escalation protocols need to exist in order to enable detailed assessment to occur. This involves defining trigger levels and their resource requirements. This enables a team to then evaluate if the incident could significantly affect the organization and the nature of the required additional resources to support local efforts.

  2. Gather Facts – Gather sufficient factual information to prepare an incident analysis.

  3. Risk Assessment – Assess the severity and impact of the event.

  4. Active Crisis Team – Assemble the appropriate internal and external teams to provide strategic and tactical support to mitigate or resolve the event. At this point, the team may decide that the event can be adequately addressed with local resources and return event control to the local crisis response team.

  5. Stakeholder Communication – Establish a schedule to provide periodic communications to persons working on behalf of the organization, customers, suppliers, financial organizations, stockholders, and news media.

  6. Crisis Management Event Control/Crisis Contained – Assess remaining risk, provide necessary resources, and communicate with stakeholders until such time as the crisis is contained. This phase encompasses business recovery and resumption.

  7. Post Incident Review – Review and analyze the organization’s response to the event. This may consist of two stages, a "hotwash" performed immediately after the event to gather information and initially debrief stakeholders, followed by a detailed evaluation as soon as practical after the incident to determine the lessons learned and the required corrective actions. Conduct a root cause analysis of the incident to determine if the risk was previously identified and plans were in place.

  8. Maintenance, Training, and Preparation – Provide training on the SCRM plans and test them periodically to ensure that the organization is prepared for future events. Incorporate lessons learned into its crisis-management plan and distribute the updated plan to crisis team members and appropriate stakeholders.

Figure 11.png

Figure 11: Ideal Crisis Response Process

6.4 Maintaining Resilience of Business Operations Post Incident

Business continuity planning comprises those activities, programs, and systems developed and implemented prior to an incident that are used to respond to, mitigate, and recover from supply chain disruptions, disasters, or emergencies. It is an ongoing process, not a one-time project. A complete and tested plan gives an organization the framework to respond effectively to an emergency, focus on protecting persons working on behalf of the organization and property, communicating to key stakeholders, and recovering and restoring the priority business activities within an acceptable time. These plans should be coordinated and tested alongside those of suppliers, customers, and other key stakeholders.

To be effective, business continuity planning (also referred to as business continuity management) should be an integrated management process supported from top management and managed at both organizational and operational levels. A business continuity management team should ensure that there are established organization risk tolerance levels and recovery priorities, validated business recovery strategies, designated team members for activities and functions, planning and documentation to achieve recovery time objectives, periodic testing and exercising, and periodic evaluation of the business continuity planning program as based on performance objectives.

Specific business continuity planning programs should be closely aligned to the risks identified in the tiers of the supply chain including employee assistance, emergency response, crisis management, and technology recovery to support restoration of operations.

Employee assistance programs help protect the most important assets and top priority of a firm: its employees. Employee assistance programs, typically offered with a health-insurance plan, can help persons working on behalf of the organization deal with personal problems that might adversely affect their work, health, and well-being. Such plans generally include assessment, short-term counseling, and referral services for persons working on behalf of the organization and their household members. They may also offer housing assistance and salary advances.

Emergency response planning outlines procedures to follow immediately after any emergency. Its objective is to protect people and property potentially impacted by events as identified in the risk assessment process. Among other elements, it should include procedures for reporting emergencies; activating the plan; evacuating and accounting for people; activating an emergency operations center; updating lists of emergency contacts; emergency protocols for data access, storage, and telecommunication; assessing damage, repairing and restoring facilities; and testing emergency procedures. Business continuity planning and emergency response planning are clearly separate plans utilized at different phases of a response. The emergency response plan may not necessitate activation of the crisis management team or business continuity plan. However, the emergency response plan should identify escalation triggers that activate that CMT and business continuity plan.

Technology recovery planning should include information on who needs to act, what needs to be done where, and when tasks need to be done to help resume operations. For example, for data center operations, the technology recovery plan should describe steps needed to recover and restore information technology infrastructure and services in case of site disaster. Disasters can destroy communications centers necessitating their re-establishment. This should include data backup and hardware redundancy or replacement plans. The plan should identify and rank applications that support priority business activities. Mission critical data, for example, should be backed up daily and stored offsite weekly, at a minimum. In addition, all communications networks and platforms (to include infrastructure and devices) should be available and periodically tested. This includes, but is not limited to, radio devices, mobile telephones, Wi-Fi systems, and social networks.

Depending on the nature of an incident, certain plans may need to be activated while others may not. For example, technology recovery plans may be activated during certain events (e.g., power outage) while other plans (e.g., business continuity plans or emergency response plans) may not be activated if there is no major impact on business operations and/or threat to personnel safety.

Next: Performance Evaluation and Continual Monitoring