Supply Chain Risk Management: An Ever-Changing Mosaic

We have recognized the need to better manage supply chain risks for nearly two decades now.  Yet, we still seem to be deluded into thinking that the modern supply chain is resilient to the point of invulnerability.  Developing risk management strategies and embedding resilience processes can enhance the organization’s ability to actively assess and manage risk.  By creating a flexible framework for augmenting, retaining, or shedding vendor competencies to assure supply chain integrity, the organization can meet customer demand and expectations and generate consistent performance.  Four basic assumptions form the underlying premise for this article:

Complexity: Companies today are complex and their supply chains are complex systems operating within multiple networks

Touchpoints: All a company’s touchpoints (downstream & upstream) within its networks must be considered to effectively evaluate risks, threats, hazards and vulnerabilities to determine the effects and consequences of degradation on the entire system

Responsiveness: Actions at any given level within the network may be inadequate unless the entire network responds in kind

Resource Constraints: Most supply networks supporting the company lack the resources and specialized skills to know what to do to maximize operational resilience within the network

It Is All About Survivability

If you want senior management to pay attention, give them something that challenges their focus - and understand that their focus is not on how diversified your supply chain is or that you have a risk management/business continuity plan or that your customers are loyal.  Senior management is focused on one thing and that is business survivability: will we be in business tomorrow, given the issues that we face today?

Structure – a Key Element

Identifying risk issues in the “Value Chain” touchpoints (internally and externally) needs to be one of the first steps in the process.  Developing a custom-fitted questionnaire for all elements of the “Value Chain,” as well as for internal stakeholders, can provide a basis for moving forward.  Integration criteria should be contained in the vendor’s contract, spelled out in specific terms.

Touchpoints – Internal and External

Identifying supply chain touchpoints can assure key concerns are adequately addressed.  Internal touchpoints include any part of the organization that has direct and/or indirect interface with the supply chain process.  Identifying external touchpoints may seem simple, but when you begin to identify vendors, you realize the components that allow the vendor to get their product or service to you are also touchpoints.  Vendors also outsource.  A tiered approach to identifying external touchpoints can facilitate organizing the process.  

Vendor Continuity Capability Questionnaire

Developing the vendor continuity capabilities questionnaire needs to be carefully thought through.  You are creating a legal document that could contain sensitive information and must be protected.  With the type of information that you will collect to assess vendor continuity capabilities, your organization could be held liable, under the concepts of negligence (foreseeability), constructive notice, and/or constructive knowledge, for NOT acting to mitigate potential losses.  The questionnaire that we have most often utilized consists of eight parts as highlighted below:

  • Part 1: Governance Provisions & Management Commitment
  • Part 2: Business Continuity Strategies: Developing and Implementing BCP
  • Part 3: Business Impact Analysis, Risk Evaluation & Control Mechanisms
  • Part 4: Maintaining Continuity: Training, Awareness, Exercising & BCP Updates
  • Part 5: Incident Response Operations
  • Part 6: Crisis Communications
  • Part 7: Coordination (External Entities)
  • Part 8: Vendor Certification

Vendor Continuity Capability Assessment

Data will be collected, analyzed and developed into assessment findings and recommendations regarding vendor continuity capabilities.  Organizing the data into Essential Elements of Analysis (EEA) can facilitate data collection, analysis and evaluation.  Examples of typical EEA are summarized below.

  • Organization: the current procurement structure, vendor roles/responsibilities, deliverables and current criteria for the organization’s risk and business continuity programs and plans. 
  • Vulnerability Identification and Control: establishing minimum acceptable criteria for vendor vulnerability identification and control methodologies and the ability of the vendor to integrate its methodologies on a sustainable basis with the client’s risk and business continuity strategy. 
  • Continuity Strategy and Approach: the metrics developed and used to verify vendor integration of risk and business continuity program and plans with the client’s resilience strategy. 
  • Documentation:  documentation of vendor programs and plan capabilities. 
  • Resource Management and Development: the metrics for vendor validation of resources (people, equipment, financial). 
  • Continuity Maintenance: the procedures used to assure resilience of the supply chain. 


The overall objective of integrating risk and business continuity criteria is to facilitate the ongoing development and implementation of enhancements to supply chain efficiency.  Careful consideration should be given to ease of use by procurement staff, other personnel and external parties (as appropriate). Three elements associated with enterprise assurance apply:

  • Strategic Element consisting of support for compliance efforts, communications to stakeholders (vendors, customers, internal groups, etc.) and strategic active analysis processes.
  • Operational Element consisting of support for implementation efforts, sustaining business operations, communicating upwards (internal focus), and grand tactical active analysis processes.
  • Tactical Element consisting of direct specific implementation steps, communication upwards (internal focus), external communications (vendor interface), mitigation of noncompliance/nonconformance and tactical active analysis processes (scorecards, vendor continuity questionnaire, etc.).

Procurement Planning Considerations

Procurement planning considerations will generally consist of the normal day-to-day functioning of the procurement process.  Supply chain risk management/business continuity integration elements should consist of a tiered evaluation structure focused on four aspects:

  • Comprehending and describing supply chain continuity requirements
  • Conducting business continuity capability assessments
  • Evaluating business continuity capabilities
  • Identifying actions to be taken

Early assessment and quantification of vendor, supplier, etc. capabilities are essential.  In addition to the Vendor Continuity Questionnaire, we have developed a set of nine Risk Analysis Worksheets.  These worksheets are structured to build on the evaluation criteria in the form of Essential Elements of Analysis, Measures of Effectiveness and Measures of Performance. They are listed below.

  • Worksheet 1: Describe the Supplier 
  • Worksheet 2: Determine Demand Risk
  • Worksheet 3: Determine Supply Risk
  • Worksheet 4: Determine Process Risk
  • Worksheet 5: Determine Control Risk
  • Worksheet 6: Determine Environmental Risk
  • Worksheet 7: Evaluate Implications
  • Worksheet 8: Identify Actions
  • Worksheet 9: LMSCARVER™ Supply Chain Risk Analysis

We recommend that your company and its vendors negotiate periodic assessments of sub-tier vendors (vendor’s suppliers) to further assure business continuity capabilities.

Procurement Incident Management Considerations

Having an incident management system as a component of the procurement process can allow your company to respond, recover and restore supply chain operations with less potential for massive disruption.  Incident management can range from assessment and classification of a vendor incident to implementation of response actions, such as sending your personnel to vendor facilities to assist in incident mitigation processes.

Phased Development and Integration

A phased approach to implementation and integration would generally consist of five phases:

  • Phase 1: Assessment & Vendor Continuity Questionnaire – deliverable: letter report with executive summary.
  • Phase 2: Procurement Integration (vertical/horizontal) – deliverables: Procurement Management System Vendor Business Continuity Management Program and Plan Integration Criteria Guide (Tools) and Procurement Management System Vendor Business Continuity Management Program and Plan Integration Criteria Guide training program materials (Knowledge Transfer).
  • Phase 3: Monitoring & Enforcement – deliverable: Procurement Management System Vendor Risk/Business Continuity Management Program and Continuity Plan Integration Criteria Guide maintenance criteria (Sustainability).
  • Phase 4: Sustainability – deliverable: periodic metrics, event response reports.
  • Phase 5: Maturity Model Evaluation – deliverable: metrics for maintaining the process, change management procedures.

Top Risk Areas

Below is a list of current risk areas that can have an impact on supply chain risk management and continuity.

  • Sovereign Debt. Top question: What will happen when governments cannot pay the interest on debt with tax revenue generation?
  • Geo-Political Instability. Top question: Will an incident start a global conflict?
  • Technology. Top question: How safe are we from cyber-threats?
  • Infrastructure. Top question: When and where will the next large scale disruption occur?
  • Social. Top question: When will we learn that feeding people is not teaching them to be self-sufficient in terms of procreation control?
  • Economics. Top question: What will happen when interest rates start to rise?
  • Environment. Top question: What is the combination of environmental issues that will create the next great unseen crisis?
  • Sources of Energy Supply. Top question: When is the next resource availability shock going to occur?
  • Global Workforce. Top question: When will we realign the workforce and match needed skills to educational attainment?
  • Renewables. Top question: Will renewable energy ever evolve past an interesting sideshow?
  • Piracy. Top question: At what point does the economic impact of pirated goods begin to undermine the stability of the global economy?
  • Markets. Top question: When will the markets experience a significant imbalance sufficient to drive investors to the sidelines?
  • Competition. Top question: Where will the next competitive shock come from?


It is critical for senior management and the board of directors to:

  • Shape the evolution of "risk thinking" within the organization
  • Establish a clear definition of what "risk" means to the organization and its “Value Chain”
  • Know the line between risk oversight and risk management
  • Consider re-thinking the chief risk officer role and skill set
  • Monitor the company-wide risk culture
  • Avoid the trap of false precision
  • Get out of the weeds by taking a deep dive to determine risk and establish risk buffering strategies
  • Regularly assess, train and validate organizational resilience capabilities.


Geary Sikich is a seasoned risk management professional who advises private and public sector executives to develop risk buffering strategies to protect their asset base.  With an M.Ed. in Counseling and Guidance, Geary's focus is human capital: what people think, who they are, what they need and how they communicate. With over 25 years in management consulting as a trusted advisor, crisis manager, senior executive and educator, Geary brings unprecedented value to clients worldwide.

Geary is well-versed in contingency planning, risk management, human resource development, “war gaming,” as well as competitive intelligence, issues analysis, global strategy and identification of transparent vulnerabilities.  Geary began his career as an officer in the U.S. Army after completing his BS in Criminology.  As a thought leader, Geary leverages his skills in client attraction and the tools of LinkedIn, social media and publishing to help executives in decision analysis, strategy development and risk buffering.  A well-known author, his books and articles are readily available on Amazon, Barnes & Noble and the Internet.

Contact Information: Telephone: 1-219-922-7718.