The New ASIS Supply Chain Risk Management Standard
ASIS International Seminar and Exhibition, Monday, September 29, 2014
Dr. Marc Siegel, Commissioner, Global Standards Initiative, ASIS International, Brussels, Belgium
Robert M. Weronik, CPP, Senior Director - Global Security, Alexion Pharmaceuticals, Cheshire, CT
Copyright © 2014 ASIS International
Supply Chain Risk Management: A Compilation of Best Practices
• Developed in collaboration with the Supply Chain Risk Leadership Council.
• Provides a framework for collecting, developing, understanding, and implementing current best practices for supply chain risk management (SCRM).
• Practitioner’s guide to SCRM within the organization and its end-to-end supply chain.
• Provides guidelines and tools to assess and address supply-chain risks.
• Submitted to ISO as a NWIP.
Supply Chain Risk Leadership Council
Our Vision
◦ Create a cross-industry council comprised of world class manufacturing & services supply chain firms that will work together to develop and share supply chain risk management best practices.
Our Mission
◦ Work together to create best-practices supply chain risk management standards, processes, capabilities and metrics to be adopted within our respective organizations. Leverage this best practices effort to proactively initiate consistency across industries and their related organizations / councils. Enable standardizations across industries where applicable and become “industry integrators” for the betterment of a more efficient and consistent risk management environment.
SCRLC Member Organizations
Abbott, AbbVie, Accenture, Accutant, Airforce, Alexion Pharma, AMR, APICS, Applied Materials, ASIS International, Automotive Industries Action Group, The Boeing Company, California Emergency Management, Caterpillar, Cisco, Coca Cola, Council of Supply Chain Management Professionals, Customer Paradigm, Dell, DelMonte, Department of Homeland Security, DHL, DIRECTV, EMD Millipore, Essilor, Expeditors International, Federal Express, FoxConn, Genentech, General Electric, Genzyme, Georgia Institute of Technology, Glaxosmithkline, Integrated Risk Solutions, Intel Corporation, IntraPoint, Jabil Circuit, John Deere, Johnson & Johnson, Lenovo, LMI, Massachusetts Institute of Technology, McCormick & Co., Inc., McDonalds, Merck, Motorola Solutions, National Institute of Standards and Technology, Navistar, Notre Dame of Maryland University, Procter & Gamble, RAND, Rolls Royce, Sony, Stanford University, The Supply Chain Council, University of Michigan, VLM Foods, Wal-Mart, Zurich
The Climate of Uncertainty Has Grown - Turning the World Upside Down
• Organizations have become more focused on managing myriad risks:
◦ Rapid dynamic change of markets
◦ Fragility of supply chains
◦ Interconnectivity
◦ Interdependencies
◦ Crumbling infrastructures
◦ Political instability
◦ Demographic changes
◦ Climate change
◦ Shift towards intangible assets
◦ Dependencies replacing hard assets
◦ Dispersed employee populations
Risk Managers Need a Change in Attitude to Gain Support
• The days of the risk managers sitting in their siloed office are gone.
• Risk management must be aligned with business strategy and integrated into strategic planning.
• Demonstrate efficiency gains and opportunities.
• Eliminate siloing (stovepiping) of risk management disciplines.
• Define roles of risk professionals.
• Speak the language of business management and be familiar with business concepts.
Value Drivers: Value Chain and Managing Risk
• Understand what is of value to the organization.
◦ Most businesses make most of their profits off a few activities.
• Identify the value chain.
• Identify the risks in the value chain.
• Asset characterization, threat analysis, vulnerability analysis, and criticality-consequence analysis should all be conducted within the context of the value chain and achieving the organization’s objectives.
• Not all risk has negative outcomes; also identify opportunities.
Don’t Forget the Intangibles
• Intangible assets don't have an obvious physical value. They may be very valuable for an organization and can be critical to its long-term success or failure.
• Intangible assets that add value to an organization:
◦ Intellectual property (e.g. patents, trademarks, copyrights, confidential information, know-how, business methodologies)
◦ Goodwill and image; and
◦ Brand recognition.
• How do intangible assets contribute to the achievement of the organization’s objectives?
• Risk management supports innovation and work performance.
Interdependencies Changing Perspectives
• Recognize the weak links in connected systems and value chains.
• Account for interdependencies in risk assessment and strategic planning.
• Supply chain disruptions have cascading effects.
• What are the internal and external dependencies and interdependencies?
◦ How they differ per location
• A comprehensive risk picture is a prerequisite for good business management.
Business Management Not Risk Management
• Overall risk management strategy includes security, crisis and continuity management.
• Risk and resilience management must support the mission of the organization.
• Organizations want to be resilient and agile, not just manage events.
• The organization’s business is doing business.
• Risk managers and practitioners are there to help run the business.
Bottom Line: Risk Managers are Business Managers
Old View: Event Focused
New View: Objectives Focused
Supply Chain Risk Management as a System
• A group of interacting, interrelated, or interdependent elements forming a complex whole to accomplish a defined objective.
• An integrated set of interoperable elements where:
◦ Each element has explicitly specified capabilities.
◦ Elements work synergistically to perform value-added functions to enable the organization to achieve mission-oriented operational needs in a prescribed operating environment with a specified outcome and probability of success.
Risk Assessment Drives Decision Making
• Risk management process needs a clear governance structure.
• Risk management is based on specific business objectives and is objectives focused.
• Risk assessment is defined in terms of organizational objectives.
• Key performance indicators are linked to business objectives.
• Risk management supports decision making, and is therefore proactive.
• Risk management protects and creates value.
Navier–Stokes Equations – Provide the Basis for Risk Management
The Navier–Stokes equations are nonlinear partial differential equations describing almost every real situation.
For Those Who Aren’t into Math: Using ISO 31000:2009 as a Base
ISO 31000:2009 Risk Management
Making SCRM Part of Business Management
Organizational and Supply Chain Context of Managing Risk
• Value generators
• Context of the organization
• Culture
• Supply and value chain mapping – value and risks
• Needs and requirements
• Defining risk criteria
• Defining scope of risk and resilience management system
Understand the Context
Supply Chain Mapping
Identify the parties involved in the following processes:
◦ Procurement
◦ Production
◦ Packing
◦ Storage
◦ Loading/Unloading
◦ Transportation
◦ Document Preparation
Supply Chain Operations Reference - SCOR Model
[Figure: SCOR model diagram with labels Tier 2, Tier 1, Your Organization, and Channels 1, 2, 3]
Supply Chain Risks
Supply Chain Process Approach
Risk Management Resources and Mechanics
• Define risk management and assessment methodologies;
• Identify and secure risk management resources;
• Define accountabilities and responsibilities;
• Evaluate time frames and logistics for risk management activities;
• Determine cycles of process and divisions of activities;
• Establish information, data, documentation and communication requirements;
• How will success be defined? How is risk management performance evaluated?
Defining Risk Criteria
• The nature and types of causes and consequences that can occur and how they will be measured;
• How likelihood will be defined;
• The timeframe(s) of the likelihood and/or consequence(s);
• How the level of risk is to be determined;
• The views of stakeholders;
• The criteria to decide when a risk needs treatment;
• The level at which risk becomes acceptable or tolerable; and
• Whether combinations of multiple risks should be taken into account and, if so, how and which combinations should be considered.
Risk Identification
• Risk identification is the process of finding, recognizing and recording risks.
• Its purpose is to identify what might happen or what situations might exist that might affect the achievement of the objectives.
• It includes identifying the causes and source of the risk (threats and hazards), events, situations or circumstances which could influence the outcomes of objectives and the nature of the impact.
Identify the Risks
• Why could something happen?
◦ A cause or factor creating risk
◦ Effectiveness of controls
• Who could be involved?
◦ Individuals or groups associated with threat, control of risk, and/or impacted by risk
• How could it happen?
◦ A source of risk
• What could happen?
◦ Potential event
◦ Potential consequences
• When could something happen?
• Where could it happen?
Identify the Risks
• Use a well-structured systematic process, because a risk not identified cannot be analyzed.
• Asset/service identification, valuation and characterization
• Risk identification comprises:
◦ Criticality/impact assessment – ‘what’ and ‘where’ answers;
◦ Threat/opportunity assessment – ‘who’, ‘why’ and ‘when’ answers;
◦ Vulnerability/capability assessment – ‘how’ answers
Risk Analysis
Purpose:
◦ Separate minor risks from major.
◦ Provide data to assist in evaluation.
• Determine the adequacy and appropriateness of existing controls to manage identified priority risks.
• Prioritize risks for subsequent evaluation of tolerance or need for further treatment.
• Provide a better understanding of the risk treatments necessary to protect the value of critical assets from identified risks.
• Identify opportunities and means to achieve objectives.
Identification Output = Analysis Input
Bow Tie Diagram
[Figure: bow tie diagram. Left side: POSSIBLE CAUSES (Cause #1, Cause #2, Cause #3) with ACTIONS TO REDUCE LIKELIHOOD (Treatment 1.a, Treatment 1.b, Treatment 2, Treatment 3.a, Treatment 3.b). Centre: RISK EVENT with a detailed description of the risk event. Right side: POSSIBLE CONSEQUENCES (Consequence #1, Consequence #2) with ACTIONS TO REDUCE CONSEQUENCES (Treatment 1, Treatment 2).]
• Clearly distinguishes between causes (likelihood dimension) and consequences (consequence dimension)
• Identifies actions that reduce the likelihood that a risk event will occur
• Identifies actions that reduce the magnitude of consequences if a risk event occurs
Risk Evaluation
• Determining which risks are tolerable, and which risks require control and treatment.
• Criteria for risk evaluation should have been identified in the scope and policy of the management system in consultation with top management.
• All risk cannot be eliminated – what is the cost effective “As Low As Reasonably Practical” risk?
Risk Evaluation – The Funnel Analogy
• A “box” is filled up with all identified risks, and tipped into a funnel.
• Depending upon the organization's tolerance for risk, the funnel’s filters will allow different sized risks to fall through the gaps, or remain at the top.
• The way risks are prioritized depends on where they sit in the funnel; the higher they sit, the greater the priority they represent.
• Some risks are so small they fall through the bottom of the funnel and are accepted.
• Levels of risk tolerance may differ between assessments, or across organizations, because of the context.
Risk Treatment
Risk treatment involves a cyclical process of:
◦ assessing a risk treatment;
◦ deciding whether residual risk levels are tolerable;
◦ if not tolerable, generating a new risk treatment; and
◦ assessing the effectiveness of that treatment.
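The bow tie diagram, the funnel analogy and the cyclical treatment loop on the preceding slides fit together as one small model, shown here as an added worked example written for this page (it is not code from the presentation, ASIS or the SCRLC). It assumes a constructed 1..5 likelihood and consequence scale, constructed tolerance thresholds standing in for the organization's risk criteria, and a constructed supply-chain risk register; each treatment sits on one side of the bow tie and scales the dimension it controls, residual risk is re-assessed after every treatment until it is tolerable, and the register is then ranked the way the funnel orders it.

```python
from dataclasses import dataclass, field


@dataclass
class Treatment:
    """A control on one side of the bow tie. `reduces` names the dimension it
    acts on; `factor` is the multiplier that remains after the control
    (0.5 halves that dimension). Factors are constructed illustrations."""
    name: str
    reduces: str      # "likelihood" (left side) or "consequence" (right side)
    factor: float


@dataclass
class BowTie:
    """One risk event with its causes (left), consequences (right) and the
    treatments applied so far. Scores use a constructed 1..5 scale."""
    event: str
    causes: list[str]
    consequences: list[str]
    likelihood: float
    consequence: float
    treatments: list[Treatment] = field(default_factory=list)

    def residual(self) -> tuple[float, float]:
        """Apply every treatment to the dimension it targets."""
        like, cons = self.likelihood, self.consequence
        for t in self.treatments:
            if t.reduces == "likelihood":
                like *= t.factor
            elif t.reduces == "consequence":
                cons *= t.factor
            else:
                raise ValueError(f"unknown bow tie dimension {t.reduces!r}")
        return like, cons

    def level(self) -> float:
        """Level of risk = residual likelihood x residual consequence."""
        like, cons = self.residual()
        return like * cons


# Constructed risk criteria, i.e. the funnel's filters: below `accept` a risk
# falls through the bottom and is accepted; at or above `treat` it needs
# treatment; in between it is monitored. Real criteria come from the scope
# and policy agreed with top management.
CRITERIA = {"accept": 4.0, "treat": 12.0}


def evaluate(level: float, criteria: dict = CRITERIA) -> str:
    """Risk evaluation: decide whether a level of risk is tolerable."""
    if level < criteria["accept"]:
        return "accept"
    if level < criteria["treat"]:
        return "monitor"
    return "treat"


def treat_until_tolerable(risk: BowTie, candidates: list[Treatment],
                          criteria: dict = CRITERIA) -> list[str]:
    """The cyclical treatment loop: assess the current treatments, decide
    whether residual risk is tolerable, and if not add the next candidate
    treatment and assess again. Returns the names of treatments applied."""
    applied = []
    for t in candidates:
        if evaluate(risk.level(), criteria) != "treat":
            break
        risk.treatments.append(t)
        applied.append(t.name)
    return applied


def prioritize(risks: list[BowTie]) -> list[tuple[str, float, str]]:
    """Funnel ordering: the risk sitting highest (largest level) comes first."""
    rows = [(r.event, r.level(), evaluate(r.level())) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register; events, scores and treatments are illustrative.
REGISTER = [
    BowTie("Sole-source supplier site shutdown",
           causes=["fire", "flood", "supplier insolvency"],
           consequences=["production halt", "missed customer deliveries"],
           likelihood=4, consequence=5),
    BowTie("Counterfeit component enters inventory",
           causes=["unvetted broker purchase", "weak incoming inspection"],
           consequences=["field failures", "product recall"],
           likelihood=3, consequence=4),
    BowTie("Customs documentation delay",
           causes=["incomplete paperwork"],
           consequences=["shipment held for a few days"],
           likelihood=4, consequence=2),
]

CANDIDATES = [
    Treatment("Supplier business-continuity audit", "likelihood", 0.8),
    Treatment("Qualify a second source", "likelihood", 0.5),
    Treatment("Hold eight weeks of safety stock", "consequence", 0.6),
]

if __name__ == "__main__":
    print("applied:", treat_until_tolerable(REGISTER[0], CANDIDATES))
    for event, level, decision in prioritize(REGISTER):
        print(f"{level:5.1f}  {decision:8}  {event}")
```

Running it treats the shutdown risk in two rounds (the audit alone leaves it above the treatment threshold, qualifying a second source brings it down to monitoring) and then ranks the counterfeit-component risk highest, since it was never treated. Changing `CRITERIA` shows the last point of the funnel slide: the same register prioritizes differently under a different tolerance for risk.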
Risk Treatment Options
• Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
• Taking or increasing the risk in order to pursue an opportunity;
• Removing the risk source;
• Changing the likelihood;
• Changing the consequences;
• Sharing the risk with another party or parties (including contracts and risk financing); and
• Retaining the risk by informed decision.
Selection of Risk Treatment Options
• Balancing the costs and efforts of implementation against the benefits derived, with regard to legal, regulatory, and other requirements.
• Consider the values and perceptions of stakeholders and the most appropriate ways to communicate with them.
• Clearly identify the priority order in which individual risk treatments should be implemented.
Performance Assessment
• Check conformity and effectiveness of the risk management program.
• Define KPIs based on risk criteria and risk assessment.
• Establish and maintain procedures to monitor and measure performance on a regular basis.
• Conduct exercises and testing.
• Establish, implement and maintain corrective procedures for dealing with actual and potential program shortfalls.
• Review any changes (internal or external) that impact the organization in relation to the risk and security operations management system.
• Self assessment should be conducted against the organization’s objectives.
• Evaluate risk management plans, procedures, and capabilities through periodic reviews, testing, post-incident reports, lessons learned, performance evaluations, and exercises.
Maintenance and Change Management (1)
• Review and challenge assumptions made in the risk identification.
• Ensure that any internal or external changes that impact the organization are reviewed.
• Identify any new critical activities.
• Update, amend or change SCRM policy, strategies, solutions, processes and plans, and communicate them to key personnel under a formal change (version) control process.
• Verify that the key people who are to implement the SCRM strategy and plans remain in place.
Maintenance and Change Management (2)
Examples of procedures, systems, or processes that may affect the plan:
◦ Systems and application software changes
◦ Changes to the organization and its business processes
◦ Personnel changes (employees and contractors)
◦ Supplier changes
◦ Critical lessons learned from testing
◦ Issues discovered during actual implementation of the plan in a crisis
◦ Changes to the external environment (e.g. political, migration, demographic, and social changes)
◦ Other items noted during review of the plan and identified during the risk assessment
Don’t Put the Cart Before the Horse
It’s all about value creation, resilience, and agility in the organization.
Thank You – Questions?
Robert M. Weronik, CPP | Senior Director, Global Security
Alexion Pharmaceuticals, Cheshire, CT, USA
WeronikR@alxn.com
Dr. Marc Siegel, Commissioner, Global Standards Initiative
ASIS International, European Bureau, Brussels, Belgium
siegel@msiegel.net