For years now, I have been a proponent of a proactive, multitiered approach to supply chain risk management. To avoid or mitigate possible losses, I believe that members of the supply chain must establish the transparency necessary to identify potential risks both up and downstream, as well as the flexibility to be able to act quickly and effectively. But these efforts alone are not enough. Today's best-in-class companies understand that the most effective risk management strategy addresses both external (supply chain) and internal (enterprise) factors.
Establishing a unified risk management approach is no easy task, but when done right, it can be a significant competitive differentiator. Let's take a look at how taking risk management to the enterprise level enables you to protect your organization and its stakeholders and position it to capture opportunities that will help you continue to grow profitably and deepen your value proposition to your trading partners.
With the passage of the Sarbanes-Oxley Act in 2002 and the Dodd-Frank Wall Street Reform and Consumer Protection Act in 2010, enterprise risk management (ERM) was transformed from a prudent business strategy to a board-level mandate designed to ensure that companies are meeting their fiduciary and social responsibilities. Although both of these legal mandates seek to promote widespread awareness of the risks companies face at the enterprise level, there is still industry uncertainty about what constitutes a compliant and effective enterprise risk management approach.
A failure to assess enterprise risk could be even more devastating as businesses continue to globalize and pursue opportunities in emerging markets, where there are significantly greater risks, including economic, geopolitical, regulatory, environmental, quality and reliability, demand volatility, and increased threat of natural disaster. This is why I recommend the creation of a formalized preemptive risk management process that moves beyond disaster recovery and includes structured quantification, analysis, and control of risk across the enterprise.
At Avnet, I head our enterprise risk management initiative, which includes a cross-functional Risk Council, with executive-level sponsorship from all operating groups and key business operations, including logistics, IT, audit, trade compliance, legal, finance, human resources, and corporate communications. The council has responsibility for identifying, evaluating, and assessing enterprise risk; establishing risk policies and tolerances; and controlling risk functions and infrastructure.
To facilitate this process, we have developed a risk assessment tool modeled after the traditional Six Sigma quality control process known as failure mode and effect analysis (FMEA). The tool enables the Risk Council to assess risk priority by assigning ratings for severity, occurrence, and detection and then determine what action to take: accept the risk, mitigate it, avoid it, or transfer it. This allows us to take a more proactive approach, so that we are controlling the risk, not the other way around.
The Supply Chain Council also offers a value-at-risk (VAR) metric that enables users to calculate the probability of an event and multiply it by the expected monetary impact of the event (i.e., if this happens, what does it mean for my organization?). This data allows companies to determine the most effective allocation of resources based on a methodical ROI assessment.
The Avnet Risk Council has defined four main categories of enterprise risk: operational, financial, strategic, and hazard. Subsets of these generalized risk categories may include suppliers' risk, equipment breakdown, uncertain demand, labor strikes, and natural disasters. Of course, specific risk factors will vary from company to company depending on the vulnerabilities inherent in your particular business model.
Avnet's ERM program also includes consideration of customer and supplier impacts in the risk analysis. The risks that have the highest probability of hurting Avnet's customers are the ones on which we focus our greatest ERM resources. This approach is something we at Avnet feel very strongly about. We recognize that our success is inexorably tied to the success of our customers and suppliers. Our ERM strategy ensures that our corporate and supply chain interests are integrated.
We also believe that all employees share a degree of responsibility for ERM, so it is essential to have input from every layer of your organization -- from the executive level to the in-the-trenches perspective of someone who, for example, works on a warehouse floor. Instituting a Risk Hotline can be a good way to enable employees to report a risk they feel is not being adequately addressed. Although it is important for risk managers to be analytical in assessing potential threats, we encourage employees to follow their intuition. If they see something that raises a red flag, we want them to have a way of sharing their concerns.
As with any operational strategy, regular audits ensure that your time and resources are well spent. Risk is a fluid concept and must be managed in accordance with the ever-changing dynamics of your business and the changes that occur in the global supply chain. Once risk owners set their plans in motion, audits are necessary to periodically review each risk plan against actual mitigation activities. This provides the timely feedback needed to update and modify plans and thereby optimize ongoing implementation.
Creating and maintaining an effective enterprise risk management program is complicated and involves coordination of a lot of moving parts, but the effort is about more than protecting profits or meeting some arbitrary standard of compliance. Companies such as Avnet touch thousands if not hundreds of thousands of people in varying degrees, which is why ensuring the sustainability of our organization is more than just good business. It's our responsibility.
This article initially appeared in the December issue of Supply Chain Velocity digital magazine. Click here to read other articles in the package.