Supply Chain Risk Catalog

Risk assessment

Effective risk management is crucial in today's uncertain economic environment, especially from the point of successful and continual business operations in a company. As every organization is part of one or more supply chains, a holistic approach to risk management throughout supply chains is crucial, because an occurring risk in a single company can have a serious effect on the whole supply chain.

There are some internationally recognized standards in the field, but no standard exists today for holistic supply chain risk management. We based our research and catalogue on ISO 28000 (Security in supply chains) and ISO 31000 (Risk management) families, but none of these specifies a successful risk identification and description model as a whole. Because of that, we constructed a model to be used in risk assessment in companies and supply chains that identifies risks and then additionally describes them by different dimensions.

ISO 31000 defines the risk assessment process as a combination of three phases - risk identification, risk analysis and risk evaluation.

Risk identification is the process in which an organization identifies sources of risk, areas of impact, events and their causes, and their potential consequences. Our risk catalog, as a list of identified risks, accomplishes the identification of events that carry risk. Other risk parameters, such as sources and impact, are specific to each individual organization and are therefore outside the scope of this general risk catalog. Each organization has to add these parameters to the catalog during its own risk identification, using this general catalog as a checklist that makes identification easier and more efficient.

Risk analysis is the second step of risk assessment, and here too the risk catalog is a valuable resource for organizations. ISO 31000 defines the purpose of risk analysis as developing an understanding of the risk. In our model, risks are described by different dimensions that define their attributes and provide information about general risk properties. We also propose some organization-specific dimensions for defining risks during risk analysis, which every organization has to define within its own external and internal context.

Risk evaluation, the final step of risk assessment as defined in ISO 31000, is the process of deciding which risks need treatment and in what priority treatment is implemented. This step cannot be generalized and is therefore outside the scope of this risk catalog; it depends entirely on the specific organization.

Risk catalog

With our model we developed a tool for companies that are prepared to combine internal and external knowledge for identifying and defining risks.

The risk catalog that represents the final product of this process can be a permanent and valuable tool for the risk management processes of a company and of its supply chain. The catalog has to be reviewed and complemented on a regular basis to keep it current. It provides a base for risk management processes throughout the chain.

The current catalog with its identified risks is accessible here.

Dimensions of risk definition

List of groups by ISO 28000

This model is structured so that it complements ISO 28000, the international standard on security in supply chains. The standard defines several fields from which risks to a company or a supply chain can originate. Each identified risk is placed in one of these groups.

Code  Description
PHY   Physical failure threats and risks, such as functional failure, incidental damage, malicious damage or terrorist or criminal action.
OPT   Operational threats and risks, including the control of the security, human factors and other activities which affect the organization's performance, condition or safety.
NAT   Natural environmental events (storm, floods, etc.), which may render security measures and equipment ineffective.
OUT   Factors outside of the organization's control, such as failures in externally supplied equipment and services.
STK   Stakeholder threats and risks such as failure to meet regulatory requirements or damage to reputation or brand.
SEC   Design and installation of security equipment including replacement, maintenance, etc.
IDC   Information and data management and communications.
CON   A threat to continuity of operations.

List of affected publics

When defining risks and their influences, we take a different approach from that of most of today's literature on the subject. If we assume that only people can perceive and inanimate things cannot, we can also assert that, in the end, a certain risk can only influence people, who are susceptible to perceptions. According to this view we segment all people involved in a supply chain and its surroundings into different publics, that is, different groups of people with the same interests or functions. In our model, one dimension of risk identification is exactly that: defining which publics are affected by a certain risk. The publics defined in our model so far are shown below.

Code  Description
IMP   Infrastructure maintenance personnel
EMP   Equipment maintenance personnel
DRV   Drivers
FIS   Financial sector
PLN   Planning sector
ITP   IT personnel
MNG   Management
INP   Internal public
OPE   Operational sector employees
BUY   Buyers
OWN   Owners
CCU   Company customers
ALL   Everybody affiliated with the company

List of affected logistics resources

As we identify risks we need to be aware that there are four main resources of logistics operations in supply chains: the flow of goods or services, information, logistics infrastructure and suprastructure, and people. Any risk occurring in a supply chain can have an effect only on one or more of these resources. If we wish to manage risks effectively, we need to know which logistics resources a specific risk can affect. That is why this dimension of risk definition in our model is to ascertain which logistics resources can be affected by an identified risk.

Code  Description
FLW   Flow of goods or services
INT   Information
ISL   Logistics infrastructure and suprastructure
PPL   People
ALS   All logistics resources

Supply chain risk origin

A supply chain is a complex system of several organizations that work together in a specific environment. Based on where, relative to the supply chain, a risk can originate, we define risks according to this dimension of our model.

Code  Description
COM   Internal risk, in a company that is included in the supply chain.
SCR   A risk derived from the supply chain as a whole.
OSC   A risk derived from outside the supply chain.
ANY   A risk which can be derived from any of these scopes.

Segmentation according to levels of logistics planning

In every organization, different levels of planning and control occur. These levels reflect the importance of the decisions made at a certain level and the time span over which they are relevant. The same can be said for risks in an organization: they appear on different levels of significance and impact, and these correlate with the levels of logistics planning. Risks in supply chains can therefore be segmented into strategic, tactical and operational risks, corresponding to the levels of logistics planning. Strategic risks are on the highest level of significance and influence strategic logistics planning. Tactical risks influence tactical planning, and operational risks influence day-to-day plans and operations. This is also a dimension of our risk definition model.

Code  Description
SPL   Strategic risk
TPL   Tactical risk
OPL   Operational risk
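To show how the five dimensions above combine into one catalog entry, here is an added example (not the catalog's own tooling or data format): a small entry model, a schema check against the code tables on this page, and a filter that honours the wildcard codes ALL, ALS and ANY. The sample entries and their names are constructed for illustration.

```python
# Added example (not the catalog's own tooling): entry model, schema check, wildcard-aware filter.
from dataclasses import dataclass

GROUPS = {"PHY", "OPT", "NAT", "OUT", "STK", "SEC", "IDC", "CON"}   # ISO 28000 groups
PUBLICS = {"IMP", "EMP", "DRV", "FIS", "PLN", "ITP", "MNG", "INP",
           "OPE", "BUY", "OWN", "CCU", "ALL"}                         # affected publics
RESOURCES = {"FLW", "INT", "ISL", "PPL", "ALS"}                       # logistics resources
ORIGINS = {"COM", "SCR", "OSC", "ANY"}                                # risk origin
LEVELS = {"SPL", "TPL", "OPL"}                                        # planning level

@dataclass(frozen=True)
class Risk:
    name: str
    group: str                 # exactly one ISO 28000 group
    publics: frozenset         # one or more publics, or ALL
    resources: frozenset       # one or more resources, or ALS
    origin: str                # COM, SCR, OSC or ANY
    level: str                 # SPL, TPL or OPL

def validate(risk: Risk) -> list:
    """Schema violations for one entry; an empty list means it is well-formed."""
    errors = []
    if risk.group not in GROUPS:
        errors.append(f"{risk.name}: unknown group {risk.group!r}")
    errors += [f"{risk.name}: unknown public {p!r}" for p in sorted(risk.publics - PUBLICS)]
    errors += [f"{risk.name}: unknown resource {r!r}" for r in sorted(risk.resources - RESOURCES)]
    if risk.origin not in ORIGINS:
        errors.append(f"{risk.name}: unknown origin {risk.origin!r}")
    if risk.level not in LEVELS:
        errors.append(f"{risk.name}: unknown level {risk.level!r}")
    return errors

def affects(risk: Risk, public: str = "", resource: str = "", origin: str = "") -> bool:
    """True when the entry matches every non-empty query code; ALL, ALS and ANY match any value."""
    ok_public = not public or public in risk.publics or "ALL" in risk.publics
    ok_resource = not resource or resource in risk.resources or "ALS" in risk.resources
    ok_origin = not origin or origin == risk.origin or risk.origin == "ANY"
    return ok_public and ok_resource and ok_origin

# Constructed sample entries for illustration, not rows of the published catalog.
SAMPLE = [
    Risk("Warehouse IT outage", "IDC", frozenset({"ITP", "OPE"}), frozenset({"INT", "FLW"}), "COM", "OPL"),
    Risk("Key supplier insolvency", "OUT", frozenset({"ALL"}), frozenset({"ALS"}), "OSC", "TPL"),
    Risk("Mistyped entry", "XYZ", frozenset({"DRV"}), frozenset({"PPL"}), "ANY", "SPL"),
]

def checklist(risks: list, **query) -> list:
    """Names of well-formed entries matching the query, usable as an identification checklist."""
    return [r.name for r in risks if not validate(r) and affects(r, **query)]
```

Running `checklist(SAMPLE, public="DRV")` returns only the supplier entry, because its ALL public covers drivers while the malformed entry is rejected by the schema check.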

Download: supplychainriskcatalog_orig.csv
