9
Emerging Risk Management Frameworks for Success
Our focus in this chapter will be on emerging frameworks that are being
leveraged to drive successful supply chain risk management (SCRM)
initiatives. We will become grounded with basic definitions and explore
some of the new frameworks, standards, and rules and regulations that
frame the supply chain risk management landscape. We’ll then profile the
frameworks from several research organizations’ perspectives and present
several leading companies who are utilizing these frameworks to implement risk initiatives within their organizations. We’ll conclude by highlighting several benefits to be derived from utilizing these frameworks.
What Is a Framework?
A framework is a skeletal, openwork, or structural frame. This term also
describes a frame of reference, which includes an arbitrary set of axes with
reference to which the position or motion of something is described or
physical laws are formulated.1 One professional organization profiles the
term framework in several perspectives. One perspective provides a concept revolving around organizational design by viewing a framework as
an organizational structure to support the strategic business plans and
goals of an enterprise (e.g., for-profit and not-for-profit companies). Given
the mission and business strategy, the organizational structure design
provides the framework within which operational and management
activities will be performed. A second perspective revolves around the
operating environment and views a framework as the global, domestic,
Schlegel, Gregory L., and Robert J. Trent. Supply Chain Risk Management : An Emerging Discipline, Taylor & Francis Group, 2014.
ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/apus/detail.action?docID=1680353.
Created from apus on 2022-04-05 15:13:48. Copyright © 2014. Taylor & Francis Group. All rights reserved.
166  •  Supply Chain Risk Management: An Emerging Discipline
environmental, and stakeholder influences that affect the key competitive factors, customer needs, culture, and philosophy of each individual
company. This environment becomes the framework in which business
strategy is developed and implemented.2
Frameworks Supporting the New Supply Chain Risk Management Discipline
Whether you are in operations, finance, distribution, banking, or academia, several frameworks are critical for supply chain risk management.
Recall that Chapter 1 defined SCRM, which is expanded here to refer to
the implementation of strategies to manage everyday and exceptional risks
within the supply chain through continuous risk identification, assessment, mitigation, and management with the objective of reducing vulnerability and ensuring sustainability. We view SCRM as the intersection of
supply chain management and risk management. Let’s discuss several of
the critical frameworks.
Enterprise Risk Management (ERM) Framework
As mentioned in Chapter 1, the general ERM framework has been around
for many years, emanating from the finance and classical risk insurance
disciplines. We’ll take a high-level view at ERM first, and then dig deeper
with profiles from CAS, the Casualty Actuarial Society. Recall that
Chapter 1 provided one perspective of ERM. A second perspective is from
CAS, which has defined ERM as the discipline by which an organization
in any industry assesses, controls, exploits, finances, and monitors risks
from all sources for the purpose of increasing the organization’s short- and long-term value to its shareholders.
ERM can also be described as a risk-based approach to managing an
enterprise, integrating concepts of strategic planning, operations management, and internal control. ERM is still evolving to address the needs
of various stakeholders who want to understand the broad spectrum of
risks facing complex organizations and their supply chains to ensure they
are appropriately managed. Government regulators and debt-rating agencies have increased their scrutiny of the risk management processes of
many companies.
COSO ERM Framework
An important perspective about risk is put forth by the Committee of
Sponsoring Organizations of the Treadway Commission (COSO), a well-known group formed to help businesses develop their internal control
systems. Thousands of organizations have incorporated COSO’s Internal
Control Integrated Framework to help manage their activities. In 2001, in
response to a heightened awareness of global risk, COSO partnered with
PriceWaterhouseCoopers to develop a framework that would enable organizations to evaluate and improve enterprise risk management. COSO
defines ERM as follows:
A process, effected by an entity’s board of directors, management and other
personnel, applied in a strategy setting and across the enterprise, designed
to identify potential events that may affect the entity, and manage risk to
be within its risk appetite, to provide reasonable assurance regarding the
achievement of entity objectives.3
Eight interrelated components comprise COSO’s ERM framework.
These components are derived from the way management runs an enterprise and are integrated within the management process. These eight components, which are also relevant to our discussion of SCRM, comprise a
fully developed ERM system:
• Internal Environment. The internal environment sets an organization’s tone, including how risk is viewed and addressed by an organization’s people, including its risk management philosophy, risk
appetite, integrity, and ethical values.
• Objective Setting. Enterprise risk management ensures that
management has a process to set objectives and that the chosen
objectives support the entity’s mission and are consistent with its
risk appetite.
• Event Identification. Internal and external events affecting the
achievement of objectives must be identified, distinguishing between
risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.
• Risk Assessment. Risks are analyzed in terms of their likelihood and
impact. This is used as a basis for determining how to manage risks.
• Risk Response. Management selects various risk responses, including avoiding, accepting, reducing, preventing, or sharing risk. A set
of actions are developed that align risks with the entity’s risk tolerances and risk appetite.
• Control Activities. Policies and procedures are established to help
ensure risk responses are carried out.
• Information and Communication. Relevant information is identified and communicated in a form and time frame that enable people
to carry out their responsibilities. Effective communication flows
down, across, and up the organization.
• Monitoring. The entirety of enterprise risk management is monitored and modifications are made as necessary. Enterprise risk management monitoring is accomplished through ongoing management
activities, separate evaluations, or both. Management makes modifications to the ERM plan as required.
ISO Standards
Most of us probably know something about the International Organization
for Standardization (ISO) standard organization, but for those of you who
are not familiar with this standards body, we’ll start with some basic foundational elements of this worldwide organization. Founded in 1947 in
Geneva, Switzerland, ISO is an international standard-setting body composed of representatives from various national standards organizations to
promote worldwide proprietary, industrial, and commercial standards.
The official languages of the ISO are English, French, and Russian. The
organization adopted the abbreviation ISO based on the Greek word isos
(meaning equal) as its universal short form name of their organization.
The organization known today as ISO began in 1926 as the International
Federation of the National Standardizing Associations (ISA), whose focus
was mainly on mechanical engineering. It was disbanded in 1942 during
World War II but was reorganized under its current name in 1947. ISO is
a voluntary organization comprising 163 member countries, whose members are recognized authorities on standards, each one representing one
country. The bulk of the work of ISO is done by 2,700 technical committees, subcommittees, and working groups. Each committee and subcommittee is headed by a secretariat from one of the member countries. ISO is
funded by a combination of (1) organizations that manage specific projects
or loan experts who participate in technical work, (2) subscriptions from
member bodies, which are in proportion to each country’s gross national
product, and (3) the sale of the standards’ work products. With that as our
backdrop regarding the organization, let’s talk about what this standards-setting body has developed relative to our SCRM discipline.
ISO 31000. The purpose of this standard, introduced in 2009, is to provide principles and generic guidelines on risk management. It seeks to provide a universally recognized paradigm for practitioners and companies
employing risk management processes to replace the myriad of existing
standards, methodologies, and paradigms that differed between industries,
subject matters, and regions. The scope and intent of this standard is to provide generic guidelines for the design, implementation, and maintenance
of a risk management process throughout any organization, regardless of
industry. The standard is designed to enable all strategic, management, and
operational tasks of an organization, through projects, functions, and processes, to be aligned to a common set of risk management objectives.
The implementation of this standard is to be applied within existing management systems to formalize and improve risk management processes as
opposed to wholesale substitution of legacy management practices. When
implementing ISO 31000, attention should be given to integrating existing
risk management processes into the new paradigm addressed in the standard. The focus should be centered around the following:
• Transferring accountability gaps in ERM
• Aligning objectives of the governance frameworks with ISO 31000
• Embedding management system reporting mechanisms
• Creating uniform risk criteria and evaluation metrics
Using ISO 31000 can help organizations increase the likelihood of
achieving their objectives, improve the identification of opportunities and
threats, and effectively allocate and use resources for risk management.
ISO 31000 cannot be used for certification purposes but does provide
guidance for internal or external audit programs. Organizations can compare their risk management practices against internationally recognized
benchmarks for effective management and corporate governance.
A Risk Insurance and Management Society (RIMS) survey of risk professionals found that 22% of firms use the COSO standard as their ERM
framework, while 23% follow the international ISO 31000 standard.
Twenty-six percent of firms say they do not follow a particular standard
or framework.4 A large percentage is not sure or has nothing significant
in place.
ISO 73. This new Risk Management Vocabulary standard, updated in
2009, provides a wide breadth of terms. This standards body has been
updating the vocabulary recently to take into account the growing need
for additional terms and taxonomy within global supply chains. Some
commonly used risk terms in this standard are risk management, risk
assessment, risk analysis, risk, risk source, risk evaluation, risk criteria,
risk avoidance, risk transfer, risk reduction, risk mitigation, risk retention, risk optimization, risk acceptance, risk financing, risk control, risk
communication, risk perception, stakeholder, and interested party, just to
name a few. Many of these terms have been defined in our earlier chapters
and will be discussed in subsequent chapters as well.
Besides the ISO standard, the new Supply Chain Council supply chain
risk model, residing in the new SCOR 11.0, is available. The SCOR community has performed a comprehensive update to its supply chain models,
metrics, and terminologies, including an updated view of supply chain
risk.5 APICS has also aggressively developed a body of knowledge covering SCRM for members and customers.
ISO 28000. This standard is also new. It was developed in 2010 and
is actually a series of standards, all under the umbrella of 28000, which
broadly covers the requirements for a security management system within
the supply chain. The standards inside 28000 are 28001, 28002, 28003,
28004, and 28005. You may not have stumbled into this standard as of
yet because it’s actually listed under “Ships and Marine Technology”
on the ISO website. This is not surprising to us, because most of today’s
global trade is done by cargo ships circling the globe in a complex pattern.
Nonetheless, the ISO 28000 series of standards are applicable to all modes
of transport, air cargo included, considering all the threats within that
industry and others. We’ll briefly introduce you to all the standards in this
series and then profile 28002 individually.
• 28001—Best practices for implementing supply chain security,
assessments and plans, and requirements and guidance
• 28002—Development of resilience in the supply chain
• 28003—Requirements for bodies providing audit and certification of
supply chain security management systems
• 28004—Guidelines for the implementation of ISO 28000
• 28005—Electronic Port Clearance (EPC) part 1 and part 2
Published in September 2010, ISO 28002 covers security management
systems for the supply chain and the development of resilience in the
supply chain. Resilience is the adaptive capacity of an organization in a
complex and changing environment. It also describes the capability of an
organization to prevent or resist being affected by an event or the ability
to return to an acceptable level of performance in an acceptable period
of time after being affected by an event. This newly published standard
attempts to provide insights into how an organization can engage in a
comprehensive and systematic process of prevention, protection, preparedness, mitigation, response, continuity, and recovery.
Jan Husdal, an early and prolific SCRM blogger, has done follow-up
work on these ISO standards and has provided various process maps,
which provide us a perspective on how the standards group is looking at
both internal and external supply chain security.6 Figure 9.1 is an illustration of one such map for ISO 28002. Husdal notes that the process maps
are similar to the SCOR model approach.
[Figure 9.1 content: ISO 28002:2010 process map. Main steps: Establish a Supply Chain Risk Management (SCRM) Program and Apply Resources; Define the Supply Chain and Risk Objectives; Identify Supply Chain Risks; Quantity and Priorities Risks-Goals; Execute Risk Treatment Programs; Monitor Supply Chain Environment for Risks. Feedback loops: continuous risk monitoring; reassessment of risk program, of supply chain, of risk exposure, of risk sources, and of management actions.]
Figure 9.1
ISO 28002. (Source: Husdal, Jan, SCRM Blog, 2013. http://www.husdal.com/2010/11/04/iso-28002-supply-chain-resilience/.)
Governance, Risk, and Compliance (GRC)
The GRC framework has been around for some time. Through discovery,
this framework has been continuously scrutinized and criticized as somewhat ill-defined. However, much more rigor has been spent recently reviewing and solidly codifying this framework. The next segment attempts to
provide some context on this subject, which we feel supports the foundation for successful SCRM. The following describes the three basic tenets of
this framework: governance, risk management, and compliance.
Governance. Governance describes the overall management approach
through which senior executives direct and control the entire organization, using a combination of management information and hierarchical
management control structures. Governance activities ensure that critical management information reaching the executive team is sufficiently
complete, accurate, and timely to enable appropriate management decision making and provide the control mechanism to ensure that strategies,
directives, and instructions from management are carried out systematically and effectively.7 Aberdeen Group has synthesized this definition by
saying that governance includes the frameworks and tools, policies, procedures, controls, and decision-making hierarchy employed to manage
the business.8
Risk Management. Risk management is a set of processes through which
management identifies, analyzes, and where necessary responds appropriately to risks that might adversely affect realization of the organization’s
business objectives. The response to risks typically depends on their perceived gravity and involves controlling, avoiding, accepting, or transferring those risks to a third party. Whereas organizations routinely manage
a wide range of risks, commercial/financial, information security, external
legal, and regulatory compliance risks are arguably the key issues in GRC.
Compliance. Compliance means conforming to stated requirements. At
an organizational level, it is achieved through management processes that
identify the applicable requirements, defined by laws, regulations, contracts,
polices, etc.; assess the state of compliance; assess the risks and potential
costs of noncompliance against the projected expenses to achieve compliance; and hence prioritize, fund, and initiate any corrective actions
deemed necessary. Aberdeen Group views compliance as meeting the
required or mandated regulations that are governmental, industry specific, or internally imposed.9
With much more focus on risk, many research organizations, such as
Aberdeen Group, AMR (now Gartner), and others have revisited the GRC
framework. It seems apparent to some that executives are viewing effective
compliance and risk management as opportunities for corporate growth,
keeping in mind that customers and partners will always choose to do
business with a company possessing fewer liabilities. Furthermore, being
aggressive in building a business is about taking risks, so by having an
effective risk management structure in place, a company can essentially
be bolder in addressing new market opportunities. And finally, compliance is crucial in establishing new grounds for business, such as global
or regional expansion, which requires companies to meet a strict set of
guidelines in order for the company to conduct successful business. The
following quote sums up well the importance of the GRC framework:
The challenges with risk management are in embedding an understanding
of the risk management process, ownership of risks within the business,
and the cultural change required for a truly risk-aware decision-making
culture rather than being seen as a compliance obligation. To overcome
these challenges we have been conducting risk management training for
all staff, increasing engagement and constantly iterating in all communications that risk management is to assist the business in achieving objectives.
Risk and Compliance Manager
Liberty International Underwriter
A set of primary objectives underlie those companies that are best-in-class
in terms of utilizing the GRC framework. These companies:
• Drive the organizational alignment of executive and staff agendas
through effective governance
• Understand risks in terms of dollar-value impact and corporate
brand equity
• Prioritize organizational initiatives based on risk type and risk level
of severity
• Create additional revenue opportunities by meeting compliance
requirements for selling into new markets/regions
A set of strategic capabilities needed to achieve bottom-line results from a
GRC framework include promoting accountability within the organization
through effective communications, providing visibility and access to
dynamic regulatory requirements, standardizing work flow for risk identification and mitigation, systematically monitoring key risk indicators, and
centralizing risk information and data. Figure 9.2 illustrates Aberdeen’s
profile of a best-in-class GRC framework. Table 9.1 provides some new
performance measures emerging within the GRC framework.
[Figure 9.2 content, four columns:]
Pressures: Increase in regulatory requirements.
Actions: Promote accountability within the organization through effective communication; Provide visibility and access to dynamic regulatory requirements.
Capabilities: Standardized workflow for risk identification and mitigation; Systematic monitoring of key risk indicators; Centralized repository for risk information & data; Standardized procedure to communicate management direction.
Enablers: Governance, risk & compliance solutions; Risk management tools; Workflow automation; ERP (Enterprise Resource Planning); Safety compliance solutions; Environmental solutions; Financial modeling; IT security solutions; Regulatory portals; Sustainability solutions; Supply chain management; EPM (Enterprise Performance Management).
Figure 9.2
Best-in-class GRC framework.
Table 9.1
Governance, Risk, and Compliance Metrics
GRC Metric: GRC Measurable Values
Year-over-year change in risk value: Percentage change in risk value in the past 2 years (risk value is defined as monetary equivalent of the liability).
Year-over-year change in compliance-related cost: Percentage change in compliance-related cost in the past 2 years (e.g., cost of delayed production, recalls, stop-shipments, fines, penalties incurred from non-compliance).
New market revenue: New-market revenue, as a result of compliance, as a percentage of total revenue in the past 12 months.
Compliance audit success rate: Percentage of compliance audits that yielded positive results in the past 12 months.
Governance effectiveness: Percentage of management directives executed successfully in the past 12 months.
Source: Aberdeen Group, “Effective GRC Management: Strategies for Mitigating Risks and Sustaining Growth in a Tough Economy,” May 2012.
We will end our GRC conversation with some comments from a senior
risk manager at McKesson, the nation’s oldest and largest health care services company. The senior manager of IT governance, risk, and compliance at McKesson provides his view about the GRC framework when he
says that GRC is about organizational collaboration including internal
audit, technology risk management, compliance groups, legal, and more.
He further argues that most companies are faced with organizational
and functional silos, poor integration, lack of visibility, wasted resources,
unnecessary complexity, and wasted information.
Over the past few years, McKesson has acquired a number of companies. Each acquisition has required McKesson to take on a new set of
challenges in terms of developing an integrated platform. McKesson’s risk
manager maintains it is difficult to reduce cost if you don’t have an integrated view of the activities within your organization, something the GRC
framework demands. This means sometimes you have to step away from
the tactical tools and process controls. If your leaders are not visionary
and don’t understand what they don’t know, this risk manager argues you
have serious challenges ahead. The visionary leadership at McKesson has
enabled the risk management team to make great strides toward an integrated GRC platform. This senior risk manager argues a company must
have visionary leadership, communications, an enterprise-wide perspective, fact-driven analytics, and stakeholder engagement to be successful.
If a company maintains these basic GRC elements, the end result will be
unprecedented transparency and visibility, the ability to make risk-based
decisions, accountability, and alignment across the business.10
Risk Taxonomies—An Operational Framework for SCRM
We’ve mentioned several strategic frameworks that are critical success
factors to an effective supply chain risk management discipline. To make
managing an enterprise-wide risk management process simple and practical, we need to take complex material, break it down, and make it accessible to everyone in an organization. What is needed is the ability to build
a more operationally oriented methodology, something we will refer to as
a risk taxonomy. Taxonomy is the practice and science of naming, classifying, and defining relationships between resources, risks, goals, and
business processes across an enterprise. Without risk taxonomies or a way
to structure and classify risk events, it is difficult to understand different
types of risks across the enterprise. And without taxonomies there is no
common set of standards or way to manage relationships between different data types. If each area of the business uses its own terms to classify risk, then the aggregated information will be subjective, incomplete,
redundant, or at best, flawed. Each silo in an organization and level within
each silo will speak a different dialect.
The basic approach when creating a risk taxonomy is to develop a common framework for all risks, their readiness standards, and a balanced
scorecard of objectives. To handle the complexity of a large-scale supply chain, this approach obviously requires a tool to effectively manage
built-in libraries for use across the enterprise and highlight how one risk
event in one functional area affects other functions. These tools enable
the organization to create structured, centralized repositories of all risk
elements within the organization. Some of these elements are risks, goals,
requirements, relationships (vendors, customers, third parties), software
applications, physical assets (buildings, servers, data centers, plants, equipment, and tools), data repositories, people, policies, and user-defined
applications (models and spreadsheets). For each of these elements, taxonomy tools and techniques allow for flexibility and customization to
manage cross-functional cause-and-effect relationships. Some basic capabilities of these taxonomy tools include the following:
• Creating and Maintaining a Central Repository of Information—
This could include the use of predefined fields or completely customized data elements needed by the organization.
• Full Document Management—This should provide the ability to
upload documents, link them to shared applications, with a version
control aspect and permission rights so that all information related
to these areas can be centrally stored.
• Enterprise-wide Task Management—From a more tactical perspective, this could provide for creating automatic reminder e-mail
triggers for due dates, contract renewal dates, monitoring dates,
approvals, and change notifications.
• Risk Assessment Scoring—In this area, tools can provide best-practice
assessment factors or allow organizations to develop their own risk
factors. With this capability, organizations can rate these elements to
determine priorities and criticality. They normally allow the company
to also enter explanations for each of the assessments, thereby codifying the point-in-time assessment for future analysis and trends.
A risk taxonomy manages all the risk elements and links them to other
elements within the organization to create a network of terms, definitions, and resource relationships. It codifies all the things that an organization should worry about before surprises occur, manages those things
in one place with connections to provide assurance that these elements
are actually being done effectively to mitigate risk. And in some cases,
taxonomy tools provide the content to alert the organization to important
changes within an industry and to be in a position to identify who and
what resources are connected to or impacted by an industry or compliance issue.
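As an added illustration (not code from the book, nor from any taxonomy tool vendor), the following Python sketch implements the capabilities this section describes in a form you can run: a central repository of typed elements (risks, vendors, assets, processes), a controlled vocabulary so every silo classifies risk with the same terms, likelihood-by-impact scoring with a note that codifies each point-in-time assessment, and cause-and-effect links that are walked to find which functions a single risk event reaches and, in reverse, which risks are connected to a given process. Every element name, category label, score, and relationship is constructed sample data chosen to echo the sole-supplier scenario discussed later in the chapter.

```python
"""Added example: a minimal risk taxonomy register with relationship traversal.

All identifiers, categories, and scores below are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Controlled vocabulary: the single "dialect" every business unit must use.
# These category names are assumptions for the example, not ISO 73 terms.
RISK_CATEGORIES = frozenset({"supply", "financial", "information_security",
                             "legal", "regulatory_compliance"})
ELEMENT_TYPES = frozenset({"risk", "vendor", "asset", "process", "policy"})


@dataclass
class Element:
    ident: str
    kind: str                        # one of ELEMENT_TYPES
    category: Optional[str] = None   # risk category; required when kind == "risk"
    likelihood: int = 0              # rated 1..5, risks only
    impact: int = 0                  # rated 1..5, risks only
    note: str = ""                   # explanation codifying the point-in-time assessment


class RiskTaxonomy:
    """Central repository of elements plus directed 'affects' relationships."""

    def __init__(self) -> None:
        self.elements: Dict[str, Element] = {}
        self.affects: Dict[str, Set[str]] = {}      # src -> elements it affects
        self.affected_by: Dict[str, Set[str]] = {}  # reverse index for lookups

    def add(self, element: Element) -> None:
        # Reject anything that does not speak the common vocabulary.
        if element.kind not in ELEMENT_TYPES:
            raise ValueError(f"unknown element type: {element.kind}")
        if element.kind == "risk":
            if element.category not in RISK_CATEGORIES:
                raise ValueError(f"unknown risk category: {element.category}")
            if not (1 <= element.likelihood <= 5 and 1 <= element.impact <= 5):
                raise ValueError("likelihood and impact must be rated 1..5")
        self.elements[element.ident] = element
        self.affects.setdefault(element.ident, set())
        self.affected_by.setdefault(element.ident, set())

    def link(self, src: str, dst: str) -> None:
        """Record that src (a risk, vendor, asset ...) affects dst."""
        if src not in self.elements or dst not in self.elements:
            raise KeyError("both ends of a relationship must exist in the repository")
        self.affects[src].add(dst)
        self.affected_by[dst].add(src)

    def score(self, risk_id: str) -> int:
        """Likelihood x impact, the basis the text gives for setting priorities."""
        e = self.elements[risk_id]
        if e.kind != "risk":
            raise ValueError(f"{risk_id} is not a risk")
        return e.likelihood * e.impact

    def ranked_risks(self) -> List[str]:
        """Risk identifiers ordered by descending score (ties broken by name)."""
        risks = [i for i, e in self.elements.items() if e.kind == "risk"]
        return sorted(risks, key=lambda i: (-self.score(i), i))

    def _walk(self, start: str, index: Dict[str, Set[str]]) -> List[str]:
        # Breadth-first traversal over one direction of the relationship graph.
        seen: Set[str] = set()
        queue = deque([start])
        while queue:
            cur = queue.popleft()
            for nxt in index[cur]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return sorted(seen)

    def reach(self, risk_id: str) -> List[str]:
        """Every element a risk event would touch, following cause-and-effect links."""
        return self._walk(risk_id, self.affects)

    def risks_affecting(self, ident: str) -> List[str]:
        """Which risks are connected to a given vendor, asset, or process."""
        return [i for i in self._walk(ident, self.affected_by)
                if self.elements[i].kind == "risk"]


def build_sample() -> RiskTaxonomy:
    """Constructed sample register loosely modelled on a sole-supplier situation."""
    t = RiskTaxonomy()
    for e in (
        Element("V-chip-supplier", "vendor"),
        Element("V-logistics-3pl", "vendor"),
        Element("A-assembly-line", "asset"),
        Element("P-handset-production", "process"),
        Element("P-order-fulfilment", "process"),
        Element("P-market-expansion", "process"),
        Element("R-chip-single-source", "risk", "supply", 2, 5,
                "single-sourced component; a plant outage stops production"),
        Element("R-3pl-data-breach", "risk", "information_security", 3, 4,
                "logistics provider holds customer shipping data"),
        Element("R-export-control", "risk", "regulatory_compliance", 2, 3,
                "new-market entry depends on licences not yet granted"),
    ):
        t.add(e)
    t.link("R-chip-single-source", "V-chip-supplier")
    t.link("V-chip-supplier", "A-assembly-line")
    t.link("A-assembly-line", "P-handset-production")
    t.link("P-handset-production", "P-order-fulfilment")
    t.link("R-3pl-data-breach", "V-logistics-3pl")
    t.link("V-logistics-3pl", "P-order-fulfilment")
    t.link("R-export-control", "P-market-expansion")
    return t


if __name__ == "__main__":
    tax = build_sample()
    for rid in tax.ranked_risks():
        print(f"{rid:22s} score={tax.score(rid):2d} reaches={tax.reach(rid)}")
    print("risks affecting P-order-fulfilment:", tax.risks_affecting("P-order-fulfilment"))
```

The point of the reverse index is the last capability the text names: when an industry or compliance issue lands on one vendor or process, `risks_affecting` answers "who and what is connected" without anyone having to know the graph by heart, and `add` refuses entries written in a local dialect so the aggregated view stays consistent across silos.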
Leveraging ERM, GRC, and Risk Taxonomies
The importance of SCRM can’t be stressed enough, as Ericsson found out in March of 2000. During this period, Ericsson, a leading mobile phone manufacturer, experienced a disruption in supply from Philips Electronics. A lightning strike caused a fire at a Philips facility in Arizona, resulting in the loss of millions of microchips and rendering this supplier dormant. Ericsson’s production was totally disrupted because Philips was the buyer’s sole supplier of microchips. This disruption resulted in $400 million of lost sales and eventually caused Ericsson to exit the phone business. Conversely, Nokia, Ericsson’s main competitor, had a multisource supplier strategy and quickly ramped up the production of microchips from another supplier. Nokia managed the supply chain risk and actually turned this risk event into an opportunity. After this risk event, Ericsson implemented a risk management process that includes the identification, assessment, treatment, and monitoring of risks across its supply chain. The company created a corporate function called corporate risk management that consists of a council of members in supply and sourcing as well as members from each business area. Ericsson also created a risk management evaluation tool, which appears in Figure 9.3. This process looks at all areas of the supply chain, both internally and externally, along with contingency planning to analyze risk exposure. Ericsson and Nokia are now two of the most ardent advocates of SCRM and actually don’t talk much about their integrated SCRM approaches because they both consider these tools, techniques, and methodologies a strategic advantage.11
Leggett & Platt, Inc., a 125-year-old manufacturer of sleep technology that introduced the first bedspring and now designs and produces a
diverse array of products for homes, offices, and vehicles, took a risk more
than 10 years ago and introduced an ERM project across its entire organization.12 In the mid-1990s, a company vice-president attended several
ERM classes facilitated by the RIMS organization and felt the ERM process would benefit Leggett & Platt. However, the concept languished until
the CFO raised the topic of implementing an ERM program. The company
quickly formed a committee to launch the program.
The ERM committee consists of the functional heads at the corporate
level, including the CFO, treasurer, and vice-presidents of IT, tax, legal,
audit, and accounting. Each functional head identified internal and external risks in their own disciplines. They then assessed those risks in terms
of severity and frequency. The committee continuously categorizes these
risks, tracks them, plots them, and reports on them at every committee
meeting. The committee now rates all risks and correlates them against
other risks and operational key performance indicators (KPIs). Some lessons learned include (1) risk is a big part of business and if you don’t take risks, you limit your potential for success; (2) taking on too much risk threatens a company’s survival; (3) categorize risks in terms of severity, develop treatments for those different risk issues, and overtly manage those risks; and (4) without an ERM framework, a company does not have a process that is predictable and sustainable to identify, assess, mitigate, and manage risk.
Figure 9.3
Ericsson risk management and evaluation tool (ERMET). The figure lays out the areas the tool examines:
• Business Control—Management systems; Environment, quality, information security; Risk management policies; RM organization; Audits & inspections
• Hazards at the Site—Secure sourcing (Material; Risk management); Property protection (Buildings; Site protection; Fire prevention; Resource shortages; Chemical products); Environment; Distribution; Production (Critical equipment and tools; Service and maintenance; Spare parts; Bottlenecks); Employees (Staff training; Key persons); Flexibility and capacity; Information (Information security; IT platforms; Computer rooms)
• Hazards in the Surroundings—Natural (Avalanche; Blizzards, ice and winter storms; Drought or extreme heat; Earthquake or tsunami; Floods or flash floods; Fires (forest/brush); High winds, hurricanes or tornadoes; Landslides or mud flows; Lightning or thunderstorms; Volcanoes); Man-made (Dams or locks; Domestic disturbances; Risky production units or warehouses; Severe environmental pollution; Resource shortages in the area; Severe building collapses, fires or explosions; Transportation incidents; Other hazards)
• Business Interruption Handling—Interruption handling (Business interruption analysis); Business continuity plans (Mitigation measures; Contingency plan; Crisis organization); Incident handling
• Financial—Investments; Cash flow; Solidity; Cash position; Liability; Capital turnover; Owner structure
From a GRC perspective, one company that stands out is Bayer Crop
Science. Led by the director of forecasting and Sales and Operations
Planning (S&OP), the company has developed a comprehensive approach
for managing risk throughout its global supply chain. The forum used by
Bayer Crop Science is its S&OP process. The framework they use is the
classic GRC framework supported by the SCOR model.13 According to
the director of forecasting, risk management plays an integral part in the
execution of Bayer’s S&OP process. This approach allows the business to
get a better feel for potential dangers and the impact they may have on the
business. Bayer Crop Science is also an advocate of the GRC framework
presented earlier in the chapter.
Another company focusing on SCRM and exercising diligence in terms
of developing and maintaining a risk taxonomy is Coca-Cola. The formal
SCRM group at Coca-Cola is driven by three directors of supply chain
risk. Having an actual corporate group structured to drive supply chain risk
and led by SCRM directors is still novel. The SCRM group utilizes many
of the SCOR model elements, which include many of the Supply Chain
Council’s risk protocols, process maps, and metrics. The key aspect of
Coca-Cola’s approach to SCRM is its dedication to classifying and categorizing all risks within the company’s global supply chain. Coca-Cola
classifies and categorizes risks based on severity, treating risks differently,
and maintaining a strict methodology to classify its risks. How do they do
this? The company has built what it calls “risk registers.” Every business unit maintains its own risk register, every region maintains a rolled-up or aggregated risk register, and every risk register is rated and compared with
a corporate risk tolerance table before action is taken. The risk registers are
updated and reviewed quarterly by the SCRM group. From a 50,000-foot
level, Coca-Cola classifies risks primarily into strategic and operational
risks, which Figure 9.4 illustrates.
The actual risk register identification and assessment process operates as follows. When a risk event occurs, employees access the online, worldwide
risk register system to first evaluate if their business unit or region has ever dealt with this type of risk before. If so, they immediately review all the pertinent information stored in the system in terms of how the business unit or region “treated” that risk and how long it took to mitigate the risk.
If the unit or region has never encountered the risk, they search the worldwide risk register system to see if another unit has encountered this risk.
If the corporation has never encountered the risk, a call to the SCRM corporate group is made, and collectively the teams begin the mitigation and
management process. Without a diligent approach to risk taxonomy, the
organization would not be able to quickly and effectively mitigate risks
across the enterprise and around the globe.
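The tiered register lookup just described, together with the severity and likelihood scoring and rationale capture from the risk assessment tools and the resource links of a risk taxonomy discussed earlier in the chapter, as an added Python example. It is not code from the book or from Coca-Cola; the tolerance table, the register owners, the category names and the resources are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Corporate risk tolerance table (constructed): the highest severity x likelihood
# score each level may still treat on its own; anything above the last ceiling
# goes to the corporate SCRM group.
TOLERANCE = [("monitor", 6), ("business unit", 12), ("region", 19)]

def required_action(score: int) -> str:
    """Compare a register score against the tolerance table and name who must act."""
    for level, ceiling in TOLERANCE:
        if score <= ceiling:
            return level
    return "corporate SCRM group"

@dataclass
class RiskEntry:
    category: str              # taxonomy category, e.g. "natural/flood"
    severity: int              # 1 (negligible) .. 5 (catastrophic)
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    treatment: str = ""        # how the unit treated the risk
    days_to_mitigate: int = 0  # how long mitigation took
    rationale: str = ""        # explanation codifying the point-in-time assessment
    @property
    def score(self) -> int:
        return self.severity * self.likelihood

@dataclass
class RiskRegister:
    owner: str                                   # business unit or region
    entries: dict = field(default_factory=dict)  # category -> RiskEntry
    def record(self, entry: RiskEntry) -> None:
        self.entries[entry.category] = entry
    def find(self, category: str) -> Optional[RiskEntry]:
        return self.entries.get(category)

def roll_up(owner: str, unit_registers: list) -> RiskRegister:
    """Aggregated regional register: per category, keep the highest-scoring unit entry."""
    rolled = RiskRegister(owner)
    for reg in unit_registers:
        for category, entry in reg.entries.items():
            current = rolled.find(category)
            if current is None or entry.score > current.score:
                rolled.record(entry)
    return rolled

class Taxonomy:
    """Links risk categories to the resources they touch, so an issue in a
    category can be traced to who and what is connected to or impacted by it."""
    def __init__(self) -> None:
        self._links: dict = {}  # category -> set of resource names
    def link(self, category: str, *resources: str) -> None:
        self._links.setdefault(category, set()).update(resources)
    def impacted(self, category: str) -> set:
        # A parent category ("natural") also matches its children ("natural/flood").
        hits = set()
        for cat, resources in self._links.items():
            if cat == category or cat.startswith(category + "/"):
                hits |= resources
        return hits

def lookup(category: str, unit: RiskRegister, region: RiskRegister,
           worldwide: list) -> tuple:
    """Tiered search: own unit, own region, any unit worldwide, else escalate."""
    candidates = [("business unit", unit), ("region", region)]
    candidates += [(reg.owner, reg) for reg in worldwide]
    for level, reg in candidates:
        hit = reg.find(category)
        if hit is not None:
            return (level, hit)
    return ("escalate to corporate SCRM group", None)

# Constructed sample data: three business units and one rolled-up region.
EU_NORTH = RiskRegister("EU-North")
EU_NORTH.record(RiskEntry("natural/flood", 4, 2, "stock moved above flood line", 14,
                          "two warehouses on a river plain"))
EU_SOUTH = RiskRegister("EU-South")
EU_SOUTH.record(RiskEntry("supply/sole-source-chip", 5, 3, "second supplier qualified",
                          120, "single fab for the controller chip"))
APAC = RiskRegister("APAC")
APAC.record(RiskEntry("natural/earthquake", 5, 2, "seismic bracing, safety stock", 60))
EU = roll_up("EU", [EU_NORTH, EU_SOUTH])
ALL_UNITS = [EU_NORTH, EU_SOUTH, APAC]

TAXONOMY = Taxonomy()
TAXONOMY.link("natural/flood", "Warehouse N1", "Warehouse N2")
TAXONOMY.link("natural/earthquake", "Plant APAC-1")
TAXONOMY.link("supply/sole-source-chip", "Controller line", "Plant APAC-1")

if __name__ == "__main__":
    for cat in ("natural/flood", "supply/sole-source-chip", "cyber/ransomware"):
        level, entry = lookup(cat, EU_NORTH, EU, ALL_UNITS)
        action = required_action(entry.score) if entry else "n/a"
        print(f"{cat}: {level}; action: {action}; impacted: {sorted(TAXONOMY.impacted(cat))}")
```

The parent-category match in `Taxonomy.impacted` is what turns a taxonomy into something more than a list: an alert about "natural" hazards immediately names every warehouse and plant linked under any natural sub-category. The rolled-up regional register keeps only the worst-scoring unit entry per category, which is one simple reading of "aggregated"; a production register would also keep the history behind each score so that the quarterly review can see trends.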
Figure 9.4
Risk classification at Coca-Cola. The figure reads: Strategic Risks are generally out of our control and must be factored into business planning; Operational Risks are generally within our control and must be factored into business operations. We identify, assess, mitigate, and manage External (Strategic) Risks and Internal (Operational) Risks through risk classification and categorization across Buy, Make, Move, and Sell. Examples of risk categories: Water; Raw materials; Ingredients; Packaging; Manufacturing processes; Natural hazards; Energy; Environmental. Source: MIT/Coca-Cola presentation by Dr. Bruce Arntzen, director Global SCALE Risk Initiative—MIT, and John J. Brown, director risk management—Coca-Cola, “Current and Future State of Corporate Supply Chain Risk Management,” Supply Chain World North America, May 25, 2011.
Benefits of ERM and GRC Frameworks
An exciting benefit of utilizing ERM as an SCRM framework comes from AON (a leading global provider of risk management, insurance and reinsurance brokerage, human resources, and outsourcing services) and the Wharton School of the University of Pennsylvania. Using annual financial results and Bloomberg market data for 361 publicly traded companies, these researchers found a statistical link between higher levels of risk maturity and higher relative stock price returns along with lower levels of stock price volatility and higher relative levels of return on equity performance.14 The companies rated highest in maturity exhibited +18% stock return performance as opposed to the lowest rated companies, who demonstrated a negative stock return of –10%. A second performance indicator was return on equity.
Companies with the highest risk rating exhibited a return on equity
of +37%, while organizations with the lowest rating produced a negative
return of –11%. This differential between best and worst is the most dramatic metric in the study. And the researchers didn’t stop there. They took the financial data and subjected that data to “stress testing” by simulating
how securities would respond in the immediate aftermath of significant
risk events to the financial markets based on historical data.
The researchers essentially conducted “shock therapy” on the data for
companies in the study by modeling the Japanese earthquake and tsunami in 2011. Organizations with the highest maturity rating exhibited
a stock price return of –0.3% over a certain period compared with organizations with the lowest rating exhibiting a return of –3.4%. We feel this
speaks volumes for why companies should spend time and resources on
ERM and other risk management frameworks. Although risk management can be a hard sell, these numbers are convincing when it comes to a
solid SCRM ROI.
An additional study published by RIMS asked 564 organizations to
participate in an in-depth assessment of ERM. The participants compared their ERM activities against a comprehensive set of best practices
and readiness indicators inside a risk maturity model. The premise of the
study was the belief that better-managed companies tend to have higher
credit ratings and higher ERM competency. Credit ratings for participating companies were compared using statistical analysis to measure the
relationship between credit rating scores and risk maturity model scores.
The correlation coefficient was calculated for each model factor and found
to be positive. The researchers also conducted statistical analyses that
compared the model scores of two groups, those using ERM and those not
using ERM. The researchers found statistical differences between the two
groups that supported the value of ERM. Overall, the researchers’ report
concluded the following:
• Organizations with formalized ERM programs have higher risk
maturity model scores (as we would expect).
• Organizations with higher risk model scores have higher credit
ratings.
• Organizations without formalized ERM programs have lower risk
maturity model scores.
• Organizations without formalized ERM programs have lower
credit ratings.
Additional benefits from utilizing ERM as a risk framework from the
RIMS study include the following:
• Companies can avoid potential future rating agency downgrades
and increased cost of capital since Standard & Poor’s and many other
rating agencies have incorporated ERM into their business models.
• Companies can minimize the personal liability of board members and risk of criminal charges against executives for failure to
act responsibly in making Sarbanes–Oxley quarterly certifications
against fraud.
• Companies can meet regulators’ expectations leveraging ERM and
in turn minimize incremental compliance costs that can negatively
impact the bottom line.
Finally, we’d like to share some relevant statistics on benefits derived
from utilizing GRC as a risk framework from the Aberdeen study referenced earlier in the chapter.15 This study reveals that top-performing companies that leverage the GRC framework experienced a 34% reduction in
risk value and a 23% reduction in compliance-related costs over a two-year
period. Those who lag in the use of GRC are much more likely than best-in-class companies to lose money on compliance investment, while best-in-class GRC companies are much more likely to obtain a positive ROI from
their compliance initiatives. And best-in-class GRC companies are 54%
more likely than their competitors to systematically evaluate business processes for compliance and 29% more likely than their competitors to conduct quantified risk assessments. These are compelling statistics.
Concluding Thoughts
Part of the reason for discussing risk frameworks and taxonomies is to
illustrate the evolving nature of SCRM into a bona fide business discipline.
How else can we tell that SCRM is evolving into a legitimate discipline?
Research organizations are developing supply chain risk frameworks and
taxonomies and supporting these with research and metrics of success;
academic organizations are starting to teach the concepts and providing
additional research; and standards organizations are codifying standards
around terms, definitions, processes, protocols, and measures of success.
Furthermore, large consulting firms are writing white papers on supply
chain risk management as Fortune 500 companies are executing those
concepts to mitigate and even prevent supply chain risk. When this all
occurs each and every day, it is safe to conclude that this thing called supply chain risk management just might be the real deal.
Summary of Key Points
• Frameworks provide a frame of reference for disciplines to operate
successfully, whether in operations, finance, distribution, banking,
or academia.
• ERM is a management framework that is critical to the success of
SCRM. It can be leveraged to support the identification, assessment,
mitigation, and management of strategic, tactical, and operational risks.
• GRC is another framework being embraced by many organizations
to support SCRM initiatives. This framework should be considered
an overarching approach to managing enterprise risk.
• The ISO organization and standards have been around since the
1940s. It’s encouraging when a standards organization, made up of
professionals from around the globe, begins to embrace a concept
such as SCRM with new standards for terminology, best practices,
security, and resiliency.
• A risk taxonomy is the practice and science of naming, classifying,
and defining relationships between resources, risks, goals, and business processes within an enterprise. Without risk taxonomies or a
risk breakdown structure or operational risk event classification, it is
difficult to compare different types of risks across the enterprise. This
critical, yet sometimes neglected, success factor to SCRM provides a
common set of standards or a methodology to manage relationships
between different types of data and risks.
• Bottom-line benefits, including hard and soft ROIs, demonstrate dramatically why organizations embrace risk frameworks to ensure a
successful risk management journey.
Endnotes
1. Accessed from Webster’s Dictionary.
2. Accessed from APICS Dictionary.
3. Accessed from Enterprise Risk Management—Integrated Framework. 2004. http://www.coso.org/documents/coso_erm_executivesummary.pdf.
4. Teach, Edward. “The Upside of ERM.” CFO, November 2013: 44.
5. Accessed from SCOR, The Supply Chain Council, https://supply-chain.org.
6. Accessed from Husdal SCRM Blog, http://www.husdal.com/2010/11/04/iso-28002-supply-chain-resilience/, 2013.
7. Lamm, Blount. “Under Control: Governance across the Enterprise.” Accessed from http://www.amazon.com/2013.
8. Aberdeen Group. “Effective GRC Management: Strategies for Mitigating Risks and Sustaining Growth in a Tough Economy Report.” May 2012.
9. Aberdeen Group, May 2012.
10. As cited in Aberdeen Group, May 2012.
11. Daniels, Yanika, and Timothy Kenny. May 2008. “Leveraging Risk Management in the Sales & Operations Planning Process.” Submitted for MS of Engineering in Logistics, Massachusetts Institute of Technology Engineering School, Certified by Dr. Larry Lapide.
12. Sleeping Better with ERM. RIMS Magazine, 60, 7 (September 2013): 18-9.
13. Brewer, Curtis, Director of Forecasting for Bayer Crop Sciences. “Injecting Risk Management into the S&OP Process.” IBF Conference, 2011.
14. Accessed from AON Risk Maturity Index Insight Report, November 2013.