Supply Chain Risk Management Standard: A Compilation of Best Practices



This Standard provides guidance and current best practices for developing and embedding a framework and process of risk management in supply chain management. It can be applied to any type of organization, and its supply chain, regardless of size. This Standard adopts the risk management framework and process described in the ISO 31000:2009 - Risk management -- Principles and guidelines as the framework and process of Supply Chain Risk Management (SCRM). It provides current best practices to:

  • Identify internal and external environments (including dependencies and interdependencies);
  • Define risk criteria;
  • Assess risk (identify, analyze, and evaluate);
  • Consider and implement risk treatments and controls; and
  • Continually monitor and review risks and their treatment.


The following standard(s) contain provisions which, through reference in this text, constitute fundamental knowledge for the use of this American National Standard. At the time of publication, the edition(s) indicated were valid. All standards are subject to revision, and parties to agreements based on this American National Standard are encouraged to investigate the possibility of applying the most recent edition(s) of the standard(s) indicated below.

  • ISO 31000:2009, Risk management -- Principles and guidelines.


For the purposes of this Standard, the following terms and definitions apply:

3.1 consequence 

Outcome of an event affecting objectives.

NOTE 1: An event can lead to a range of consequences.
NOTE 2: A consequence can be certain or uncertain and can have positive or negative effects on objectives.
NOTE 3: Consequences can be expressed qualitatively or quantitatively.
NOTE 4: Initial consequences can escalate through cumulative effects from one event setting off a chain of events.

[ISO Guide 73:2009]

3.2 hazard

Source of potential harm.

NOTE: Hazard can be a risk source.

[ISO Guide 73:2009]

3.3 likelihood

Chance of something happening.

NOTE 1: In risk management terminology, the word “likelihood” is used to refer to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period).

NOTE 2: The English term “likelihood” does not have a direct equivalent in some languages; instead, the equivalent of the term “probability” is often used. However, in English, “probability” is often narrowly interpreted as a mathematical term. Therefore, in risk management terminology, “likelihood” is used with the intent that it should have the same broad interpretation as the term “probability” has in many languages other than English.

[ISO Guide 73:2009]

3.4 resilience

The adaptive capacity of an organization in a complex and changing environment. 

NOTE 1: Resilience is the ability of an organization to resist being affected by an event or the ability to return to an acceptable level of performance in an acceptable period of time after being affected by an event. 

NOTE 2: Resilience is the capability of a system to maintain its functions and structure in the face of internal and external change and to degrade gracefully when it must. 

[ANSI/ASIS SPC.1-2009] 

3.5 residual risk

Risk remaining after risk treatment. 

NOTE 1: Residual risk can contain unidentified risk.
NOTE 2: Residual risk can also be known as “retained risk.”

[ISO Guide 73:2009] 

3.6 risk

Effect of uncertainty on objectives. 

NOTE 1: An effect is a deviation from the expected — positive and/or negative. 

NOTE 2: Objectives can have different aspects (e.g., financial, health and safety, and environmental goals) and can apply at different levels (e.g., strategic, organization-wide, project, product, and process). 

NOTE 3: Risk is often characterized by reference to potential events and consequences, or a combination of these. 

NOTE 4: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence. 

[ISO Guide 73:2009] 

3.7 risk appetite

Amount and type of risk that an organization is prepared to pursue, retain or take.

NOTE: The risk appetite of an organization reflects its philosophy towards managing risk.

[ISO Guide 73:2009]

3.8 risk assessment

Overall process of risk identification, risk analysis, and risk evaluation.

[ISO Guide 73:2009]

3.9 risk analysis

Process to comprehend the nature of risk and to determine the level of risk.  

NOTE 1: Risk analysis provides the basis for risk evaluation and decisions about risk treatment. 

NOTE 2: Risk analysis includes risk estimation. 

[ISO Guide 73:2009] 

3.10 risk criteria

Terms of reference against which the significance of a risk is evaluated. 

NOTE 1: Risk criteria are based on organizational objectives, and external and internal context. 

NOTE 2: Risk criteria can be derived from standards, laws, policies, and other requirements. 

[ISO Guide 73:2009] 

3.11 risk evaluation

Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude are acceptable or tolerable. 

NOTE: Risk evaluation assists in the decision about risk treatment. 

[ISO Guide 73:2009] 

3.12 risk identification

Process of finding, recognizing and describing risks. 

NOTE 1: Risk identification involves the identification of risk sources, events, their causes, and their potential consequences. 

NOTE 2: Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and stakeholders' needs.

[ISO Guide 73:2009] 

3.13 risk management

Coordinated activities to direct and control an organization with regard to risk.  

[ISO Guide 73:2009] 

3.14 risk treatment

Process to modify risk. 

NOTE 1: Risk treatment can involve: 

— avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk; 

— taking or increasing risk in order to pursue an opportunity; 

— removing the risk source; 

— changing the likelihood; 

— changing the consequences; 

— sharing the risk with another party or parties (including contracts and risk financing); and 

— retaining the risk by informed choice. 

NOTE 2: Risk treatments that deal with negative consequences are sometimes referred to as “risk mitigation,” “risk elimination,” “risk prevention,” and “risk reduction.”

NOTE 3: Risk treatment can create new risks or modify existing risks. 

[ISO Guide 73:2009] 

3.15 supply chain

A two-way relationship of organizations, people, activities, logistics, information, technology, and resources engaged in activities and creating value from point of origin to point of consumption, including transforming materials/components to products and services for end users.

3.16 supply chain management

Management of a network of interconnected organizations and their activities related to the provision of goods and services from point of origin to point of consumption.

3.17 threat

Potential cause of an unwanted incident, which may result in harm to individuals, assets, a system or organization, the environment, or the community. 

[ANSI/ASIS SPC.1-2009] 

3.18 tiers

The degrees of separation or stages of nodes of businesses, organizations, and logistic channels that make up the supply chain network involved in the provision of products and services.   

NOTE 1: Tier number begins at the organization conducting the supply chain analysis. For example, a tier one company supplies products and services to the organization conducting the supply chain analysis; tier two companies supply companies in tier one; tier three supplies tier two, and so on.

NOTE 2: Product and service flow between tiers can be either uni-directional or bi-directional.

3.19 uncertainty

Outcomes are not clearly identified, defined, or known and may be subject to change. 

NOTE: The state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood. [ISO Guide 73:2009, ISO 31000:2009]

3.20 vulnerability

Intrinsic properties of something resulting in susceptibility to a risk source that can lead to a consequence. 

[ISO Guide 73:2009] 

