April 13, 2015

8 Ways to Scope Supply Chain Risk Management Programs

Wayne Caccamo



In the Ultimate Guide to Supply Chain Resiliency Program Success, I identify several dimensions which can be used to determine and describe the appropriate for a supply chain risk management program (SCRP). All are discussed in the broader context of building a complete business case for a supply chain resiliency program. Here is an excerpt from the guide. It is important to describe the boundaries of the program (what is and is not part of the program) from a variety of angles. This will bring clarity to the processes of communicating and setting expectations related to business goals and results. Depending on a number of factors including the organization’s business strategy, culture, and unique risk profile, one, or more typically, a combination of dimensions described below should be used to delineate your program’s scope.


Risk type identification approach 

An SCRP may be defined around a selection of target risks that need to be managed. One of the many published supply chain list catalogs or supply chain risk taxonomies can be used as a starting point. ChainLink Research, for example, provides a taxonomy which breaks risks into 5 major categories: financial/market, operational, geographic, corporate social responsibility, and regulatory economic [See “Supply Chain Risk Solutions: A Market Overview,” 2013]. A risk type driven program minimally identifies a set of relevant and vetted risks based on strategic/executive-level concerns, experience and consequences with previous supply chain disrup or eventstions 

Supply & demand chain approach

An SCRP can encompass some or all phases in a supply & demand chain from upstream process such as product design and development, to sourcing and manufacturing, to downstream delivery logistics and customer support. This life cycle is described as Source-Make-Deliver-Return (SCOR Model) and there is a unique set of risks that can be mapped to each of these phases. Many organizations take this approach and start with a program scope that focuses primarily on the “source risks” and within that phase focus only on upstream Tier 1 suppliers, at least initially, before expanding the scope end-to-end. Within Tier 1 organizations, the scope may be further narrowed to focus on a specific segment or number of named “highest risk” suppliers.

Internal versus external risk approach

An SCRP can focus on internal risks to supply chain (e.g., supply quality, supplier reliability, production/equipment reliability, demand forecasting) and external risks such as natural disasters, geo-political events, labor strikes and factory fires.

Risks to tangible versus intangible assets approach

An SCRP program can focus primarily on managing risks to tangible assets such as human, physical or financial resources. Alternatively, the focus may be more on intangible resources such as brand, reputation, IP or competitive positioning.

Solution/Tool-driven approach

While technology decisions should normally conform to people and process needs rather than the reverse, some organizations will adapt a technology platform and its inherent risk management focus which, for all intents and purposes, defines the program scope. They then configure the solution to the extent possible and extend the platform working with the vendor as a strategic partner to influence the product roadmap.

In an emerging early-stage and fragmented market for solutions, this approach can make a lot of sense. By definition it ensures that there are tools that align with your in-scope program processes, rather than risking having to cobble together a set of point solutions. Also, the emerging vendors are eager to work closely with large enterprises to validate their solution and build reference accounts.

  • Supply Chain Initiative-Driven Approach. This approach focuses on pursuing various supplier information base initiatives that are either directly or indirectly associated with supply chain risks. These include disruption risk, business continuity/recovery risk, capacity risk, compliance risk (e.g. conflict minerals), corporate social responsibility (brand risk) and security risk.  To the extent that solution/tool vendors take the approach of building solution modules for each supply chain initiative, this approach may be virtually synonymous with the solution/tool vendor approach described above.

  • Supply Risk Management Approach.  An SCRP may focus on (1) proactive risk management (efforts to decrease the likelihood and consequences of a supply chain risk event), (2) incident management (efforts to minimize the negative consequences of an event after it has occurred) and/or (3) risk avoidance/elimination/transfer management. Increasing second sourcing is an example of how risk can be reduced or eliminated. Increasing inventory is a tactic for mitigating supply risk, while insurance can be used to transfer risk to a third party.

  • Other Approaches. Other potential scope dimensions include “supply chain versus services chain” This guide focuses on supply chains, but its worthwhile understanding what processes, practices, concepts and ideas can be applied or cross-pollinated with service chain resiliency efforts.
    in disruptions or incidents, and/or high-level analysis of future vulnerabilities. 


The right answer typically blends elements of more than one approach. For example, a typical SCRP scope may start with a focus on select supply chain initiatives supported by a strategic technology or consulting services provider. The first phase may further focus only on select risk categories for tier 1 suppliers and then expand the types of risks and the number of supply chain tiers under management.

When taking the Supply Chain Initiative-driven Approach, core (disruption) risk management should always be complemented with business continuity planning (BCP) and capacity management solutions in order to provide a more complete resilience program. For example, business continuity measures should be in place to minimize supplier recovery time in the event of a disruption. Proactive collaboration with suppliers may be invoked in the event that a supplier has constrained capacity in a short-to-medium term planning window.

Download Ultimate Guide Now!

Topics: supply chain visibility, supply chain resiliency, supply chain risk management, supply chain event monitoring, SCRM Best Practices