Supply Chain Related Standards for Increasing Resilience

Supply Chain Related Standards for

Increasing Resilience

©2012 ICOR ALL RIGHTS RESERVED BCM 5000.1.2

Supply Chain Related Standards

1. ISO 31000: Risk Management2. PD 25222: Supply Chain Continuity3. ISO 28001: Supply Chain Security

Management

ISO 31000 Risk Management Standard

A risk assessment is performed when management needs to understand the organization’s potential to loss or vulnerabilitiesThe purpose of RM is to reduce the impact of the risks and exposures identified in the RA

Impossible to identify all threats and estimates of probability are often guesswork



Risk Management Outcomes

Identification and documentation of:Single points of failurePrioritized list of threats to the organization or to the specific business processes analyzedInformation for a risk control management strategy and action plan for risks to be addressedDocumented acceptance of identified risks that are not to be addressed


Management of Risk Increases Resilience

Increases the likelihood of achieving objectives;More aware of the need to identify and treat risk throughout the organization;Improves the identification of opportunities and threats;Complies with relevant legal and regulatory requirements and international norms;Improves mandatory and voluntary reporting and governance;Establishes a reliable basis for decision making and planning;Improves controls;Effectively allocates and uses resources for risk treatment;Improves operational effectiveness and efficiency;Enhances health and safety performance, as well as environmental protection;Improves loss prevention and incident management;Minimizes losses; andIncreases organizational resilience.

ISO 31000


Framework for Managing Risk


Risk Management Process


ISO 31000 Risk Management Process

What may happen and

why?What are the

consequences?

What is the probability?

How to mitigate or reduce

probability of the risk?


Drivers of Risk Management

ISO 31000

According to this graphic by the Institute for Risk Management (IRM), Supply Chain Risk Management falls under the category of managing external Infrastructure Risks.

It would be one aspect of the organization’s overall risk management strategy.


Risk Assessment Techniques


Risk Description


Risk Management Assignments

PD 25222: 2011Business Continuity Management – Guidance on Supply Chain Continuity

Goal: Obtaining assurance of suppliers’ own continuity arrangements.Audience: Supply procurement Focus on key suppliers & dependence on key customersUse of a risk-based approach

©2012 ICOR ALL RIGHTS RESERVED SCRM 2050.13

Promotes the Classification of Suppliers

Uses a “tier” approach


Tier 3

Tier 2

Tier 1

• Supplies to tier 2 supplier

• Supplies products and services to tier 1 suppler

• Direct contractual relationship

Scope of Standard


Critical

Activities Customers Suppliers Supplies

Potential Types of Supplier Relationships

Recurring product/service suppliers: Providing components, raw materials, financing, property rental, essential fixed asset maintenance, etc.One-off or infrequent product/service suppliers: Perhaps to provide a new piece of capital equipment.


Potential Types of Supplier Relationships

Outsourced or contracted out: Off-site service or business process providers, such as payroll bureau, IT services, contact centre, logistics or distribution).Strategic partners: Such as franchises, distributors and joint ventures.Cooperative relationships or interdependencies between suppliers.


Supply Chain Relationship Impact Factors

People: personal relationships;Formal agreements: contracts, work orders, service level agreements, operating level agreements, etc.;Information: electronic or paper; purchase orders, design specifications;Processes: workflow; product/service creation and delivery;Infrastructure: transportation systems, Internet;Culture: business networks, trading relationships; Environment: political, meteorological, economic (e.g. foreign exchange rates), etc.


Supplier & Contract Lifecycle


Who Owns the Risk?The organization owns the risk and must manage supply chain risk and respond to supply chain interruptions


Supply Chain Continuity Management

Key benefit of effective supply chain continuity management is the mapping of supply chain results provides a better understanding of where and how to improve the organization’s supplier management which should increase efficiency and reduce the likelihood and impact of supply chain disruptions.


Challenges1. Scale and complexity of supply chain2. Distance and visibility of suppliers3. Existing contractual relationships4. Lack of structured approach5. Lack of business case6. Lack of embedded responsibility

across stakeholder functions


Challenges7. Striking a balance between expense of risk

reduction & short term financial rewards8. Differences in risk tolerance/appetites9. International cultural and legal differences10.Lack of power for smaller suppliers11.Obtaining firm and meaningful service

commitments12.Difficulty identifying indirect impacts13.Difficulty understanding full cost of

disruption


Supply Chain Mapping


Impact of Loss of Critical Supplier


BCM Assurance & the Risk Portfolio

To implement a BCM assurance programme, the following need to be defined.1. The organization’s criteria for the BCM

capability of each tier of suppliers.2. The organizational process from

procurement to business-as-usual operation, including BCM consideration at all stages of implementation.

3. The process of assurance itself, including management of subsequent remediation


ISO 28000Security Management Systems for the Supply Chain (October 2007)

Provides requirements and guidance for organizations in international supply chains to • Develop and implement supply chain security

processes• Establish and document a minimum level of

security with a supply chain or segment of a supply chain

• Assist in meeting the applicable authorized economic operator (AEO) criteria set forth in the World Customs Organization Framework of Standards and conforming to national supply chain security programs

©2011 ICOR ALL RIGHTS RESERVED 27

Security of CargoCargo Management – Protecting cargo during all steps of manufacturing, shipping and transport processes:

Efficient prevention, detection and reporting of shipping process anomalies (routes and schedules continuous review; alerts management)Adequate inspections during the shipping process (in points where liability changes, to packaging materials and vehicles before being in contact with cargo).


Security of FacilitiesFacility Management – Guaranteeing the security of the facilities where goods are manufactured and cargo is stored and handled.

Optimal warehouse/terminal layout design (entry/exit controllability; clearly marked control areas; sufficient light conditions)Efficient facility monitoring (24hr camera system, security guards, filming activities of loading containers, picking ).


Security of InformationInformation Management – Protecting critical business data and exploiting information as tool for detecting illegal activities and preventing security breaches.

High protection of business information/data (management procedures and storing methods designed to protect information from unauthorized access and usage).Accurate and complete recordkeeping of shipping information for potential security audits (improved recordkeeping methods; quality control of records, error correction).


Security of PersonnelHuman Resources Management – Guaranteeing trustworthiness and security awareness of all personnel with physical or virtual access to the supply chains.

Professional employee hiring / exit process (background checks; interviews for leaving or fired employees).Efficient information dissemination process (internal and external publication of the company security policies).


Security of Company

Company Management Systems – “Building security” into internal and external organizational structures and company management systems, including supplier, partner and client management processes.

Adequate business partners evaluation system (selection of low risk and high security compliant suppliers, clients and subcontractors).Complete company security management system (defined security processes, defined and controlled security indicators, internal and external audits).


Vulnerability Map


Mapping by Key Process Area & Readiness


SCRM Maturity Levels


In Summary1. Using the management system described

by ISO 31000 to manage risks across the supply chain can mitigate risks and minimize supply chain interruptions.

2. An organization’s procurement specialists need to understand the importance of different suppliers and provide assurance that contracted services can be provided even during a disruptive incident.

3. Supply chains also face risks related to security logistics. These also need to be managed.


Questions?

Lynnda NelsonPresident, ICOR

[email protected] North America+1630-705-0910 International

www.theICOR.org

©2013 ICOR ALL RIGHTS RESERVED 37

mailto:[email protected]

http://www.theicor.org/

Documents

Supply Chain Related Standards for Increasing Resilience