
The New ASIS Supply Chain Risk Management Standard

ASIS International Seminar and Exhibition, Monday, September 29, 2014

Dr. Marc Siegel, Commissioner, Global Standards Initiative, ASIS International, Brussels, Belgium

Robert M. Weronik, CPP, Senior Director - Global Security, Alexion Pharmaceuticals, Cheshire, CT

Copyright © 2014 ASIS International

Supply Chain Risk Management: A Compilation of Best Practices

• Developed in collaboration with the Supply Chain Risk Leadership Council.
• Provides a framework for collecting, developing, understanding, and implementing current best practices for supply chain risk management (SCRM).
• Practitioner's guide to SCRM within the organization and its end-to-end supply chain.
• Provides guidelines and tools to assess and address supply-chain risks.
• Submitted to ISO as a NWIP (New Work Item Proposal).

Supply Chain Risk Leadership Council

Our Vision
◦ Create a cross-industry council comprised of world class manufacturing & services supply chain firms that will work together to develop and share supply chain risk management best practices.

Our Mission
◦ Work together to create best-practices supply chain risk management standards, processes, capabilities and metrics to be adopted within our respective organizations. Leverage this best practices effort to proactively initiate consistency across industries and their related organizations / councils. Enable standardizations across industries where applicable and become "industry integrators" for the betterment of a more efficient and consistent risk management environment.

SCRLC Member Organizations

Abbott, AbbVie, Accenture, Accutant, Air Force, Alexion Pharma, AMR, APICS, Applied Materials, ASIS International, Automotive Industries Action Group, The Boeing Company, California Emergency Management, Caterpillar, Cisco, Coca Cola, Council of Supply Chain Management Professionals, Customer Paradigm, Dell, DelMonte, Department of Homeland Security, DHL, DIRECTV, EMD Millipore, Essilor, Expeditors International, Federal Express, Foxconn, Genentech, General Electric, Genzyme, Georgia Institute of Technology, GlaxoSmithKline, Integrated Risk Solutions, Intel Corporation, IntraPoint, Jabil Circuit, John Deere, Johnson & Johnson, Lenovo, LMI, Massachusetts Institute of Technology, McCormick & Co., Inc., McDonald's, Merck, Motorola Solutions, National Institute of Standards and Technology, Navistar, Notre Dame of Maryland University, Procter & Gamble, RAND, Rolls Royce, Sony, Stanford University, The Supply Chain Council, University of Michigan, VLM Foods, Wal-Mart, Zurich

The Climate of Uncertainty Has Grown - Turning the World Upside Down

• Organizations have become more focused on managing myriad risks:
  ◦ Rapid dynamic change of markets
  ◦ Fragility of supply chains
  ◦ Interconnectivity
  ◦ Interdependencies
  ◦ Crumbling infrastructures
  ◦ Political instability
  ◦ Demographic changes
  ◦ Climate change
  ◦ Shift towards intangible assets
  ◦ Dependencies replacing hard assets
  ◦ Dispersed employee populations

Risk Managers Need a Change in Attitude to Gain Support

• The days of the risk managers sitting in their siloed office are gone.
• Risk management must be aligned with business strategy and integrated into strategic planning.
• Demonstrate efficiency gains and opportunities.
• Eliminate siloing (stovepiping) of risk management disciplines.
• Define roles of risk professionals.
• Speak the language of business management and be familiar with business concepts.

Value Drivers: Value Chain and Managing Risk

• Understand what is of value to the organization.
  ◦ Most businesses make most of their profits from a few activities.
• Identify the value chain.
• Identify the risks in the value chain.
• Asset characterization, threat analysis, vulnerability analysis, and criticality-consequence analysis should all be conducted within the context of the value chain and achieving the organization's objectives.
• Not all risk has negative outcomes; also identify opportunities.

Don't Forget the Intangibles

• Intangible assets don't have an obvious physical value. They may be very valuable for an organization and can be critical to its long-term success or failure.
• Intangible assets that add value to an organization:
  ◦ Intellectual property (e.g. patents, trademarks, copyrights, confidential information, know-how, business methodologies);
  ◦ Goodwill and image; and
  ◦ Brand recognition.
• How do intangible assets contribute to the achievement of the organization's objectives?
• Risk management supports innovation and work performance.

Interdependencies Changing Perspectives

• Recognize the weak links in connected systems and value chains.
• Account for interdependencies in risk assessment and strategic planning.
• Supply chain disruptions have cascading effects.
• What are the internal and external dependencies and interdependencies?
  ◦ How do they differ per location?
• A comprehensive risk picture is a prerequisite for good business management.

Business Management, Not Risk Management

• Overall risk management strategy includes security, crisis and continuity management.
• Risk and resilience management must support the mission of the organization.
• Organizations want to be resilient and agile, not just manage events.
• The organization's business is doing business.
• Risk managers and practitioners are there to help run the business.

Bottom Line: Risk Managers are Business Managers

Old View: Event Focused
New View: Objectives Focused

Supply Chain Risk Management as a System

• A group of interacting, interrelated, or interdependent elements forming a complex whole to accomplish a defined objective.
• An integrated set of interoperable elements where:
  ◦ Each element has explicitly specified capabilities.
  ◦ Elements work synergistically to perform value-added functions to enable the organization to achieve mission-oriented operational needs in a prescribed operating environment with a specified outcome and probability of success.

Risk Assessment Drives Decision Making

• The risk management process needs a clear governance structure.
• Risk management is based on specific business objectives and is objectives focused.
• Risk assessment is defined in terms of organizational objectives.
• Key performance indicators are linked to business objectives.
• Risk management supports decision making, and is therefore proactive.
• Risk management protects and creates value.

Navier–Stokes Equations – Provide the Basis for Risk Management

The Navier–Stokes equations are nonlinear partial differential equations describing almost every real situation.

For Those Who Aren't into Math: Using ISO 31000:2009 as a Base

ISO 31000:2009 Risk Management

Making SCRM Part of Business Management

Organizational and Supply Chain Context of Managing Risk

• Value generators
• Context of the organization
• Culture
• Supply and value chain mapping – value and risks
• Needs and requirements
• Defining risk criteria
• Defining scope of the risk and resilience management system

Understand the Context

Supply Chain Mapping

Identify the parties involved in the following processes:
◦ Procurement
◦ Production
◦ Packing
◦ Storage
◦ Loading/Unloading
◦ Transportation
◦ Document Preparation

Supply Chain Operations Reference - SCOR Model

[Diagram labels: Your Organization; Tier 1; Tier 2; Channels 1, 2, 3]

Supply Chain Risks

Supply Chain Process Approach

Risk Management Resources and Mechanics

• Define risk management and assessment methodologies;
• Identify and secure risk management resources;
• Define accountabilities and responsibilities;
• Evaluate time frames and logistics for risk management activities;
• Determine cycles of process and divisions of activities;
• Establish information, data, documentation and communication requirements;
• How will success be defined? How is risk management performance evaluated?

Defining Risk Criteria

• The nature and types of causes and consequences that can occur and how they will be measured;
• How likelihood will be defined;
• The timeframe(s) of the likelihood and/or consequence(s);
• How the level of risk is to be determined;
• The views of stakeholders;
• The criteria to decide when a risk needs treatment;
• The level at which risk becomes acceptable or tolerable; and
• Whether combinations of multiple risks should be taken into account and, if so, how and which combinations should be considered.

Risk Identification

• Is the process of finding, recognizing and recording risks.
• Purpose is to identify what might happen or what situations might exist that might affect the achievement of the objectives.
• Includes identifying the causes and source of the risk (threats and hazards), events, situations or circumstances which could influence the outcomes of objectives and the nature of the impact.

Identify the Risks

• Why could something happen?
  ◦ A cause or factor creating risk
  ◦ Effectiveness of controls
• Who could be involved?
  ◦ Individuals or groups associated with the threat, control of the risk, and/or impacted by the risk
• How could it happen?
  ◦ A source of risk
• What could happen?
  ◦ Potential event
  ◦ Potential consequences
• When could something happen?
• Where could it happen?

Identify the Risks

• Use a well-structured systematic process, because a risk not identified cannot be analyzed.
• Asset/service identification, valuation and characterization.
• Risk identification comprises:
  ◦ Criticality/impact assessment – 'what' and 'where' answers;
  ◦ Threat/opportunity assessment – 'who', 'why' and 'when' answers;
  ◦ Vulnerability/capability assessment – 'how' answers.

Risk Analysis

• Purpose:
  ◦ Separate minor risks from major.
  ◦ Provide data to assist in evaluation.
• Determine the adequacy and appropriateness of existing controls to manage identified priority risks.
• Prioritize risks for subsequent evaluation of tolerance or need for further treatment.
• Provide a better understanding of the risk treatments necessary to protect the value of critical assets against identified risks.
• Identify opportunities and means to achieve objectives.

Identification Output = Analysis Input

Bow Tie Diagram

[Diagram labels: Possible causes: Cause #1, Cause #2, Cause #3; Actions to reduce likelihood: Treatment 1.a, Treatment 1.b, Treatment 2, Treatment 3.a, Treatment 3.b; Risk event (with detailed description of the risk event); Possible consequences: Consequence #1, Consequence #2; Actions to reduce consequences: Treatment 1, Treatment 2]

• Clearly distinguishes between causes (likelihood dimension) and consequences (consequence dimension).
• Identifies actions that reduce the likelihood that a risk event will occur.
• Identifies actions that reduce the magnitude of consequences if a risk event occurs.

Risk Evaluation

• Determining which risks are tolerable, and which risks require control and treatment.
• Criteria for risk evaluation should have been identified in the scope and policy of the management system in consultation with top management.
• All risk cannot be eliminated – what is the cost effective "As Low As Reasonably Practicable" (ALARP) risk?

Risk Evaluation – The Funnel Analogy

• A "box" is filled up with all identified risks, and tipped into a funnel.
• Depending upon the organization's tolerance for risk, the funnel's filters will allow different sized risks to fall through the gaps, or remain at the top.
• The way risks are prioritized depends on where they sit in the funnel; the higher they sit, the greater the priority they represent.
• Some risks are so small that they fall through the bottom of the funnel and are accepted.
• Levels of risk tolerance may differ between assessments, or across organizations, because of the context.

Risk Treatment

Risk treatment involves a cyclical process of:
◦ assessing a risk treatment;
◦ deciding whether residual risk levels are tolerable;
◦ if not tolerable, generating a new risk treatment; and
◦ assessing the effectiveness of that treatment.

Risk Treatment Options

• Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
• Taking or increasing the risk in order to pursue an opportunity;
• Removing the risk source;
• Changing the likelihood;
• Changing the consequences;
• Sharing the risk with another party or parties (including contracts and risk financing); and
• Retaining the risk by informed decision.
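The risk criteria, the funnel evaluation, the bow-tie split between likelihood and consequence treatments, and the cyclical treatment process of the preceding slides can be exercised together in a small register evaluator. This is an added illustration, not code from the presentation or from the ASIS standard; the 1-5 ordinal scales, the accept and treat thresholds, the sample supplier risk and its treatment options are all constructed assumptions.

```python
"""Added example: risk criteria, funnel evaluation and bow-tie treatment cycle.
All scales, thresholds and sample data are constructed for illustration."""
from dataclasses import dataclass, field

# Risk criteria (assumed): likelihood and consequence on 1-5 ordinal scales,
# level of risk = likelihood x consequence. The two thresholds are the funnel's
# filters: below ACCEPT_BELOW a risk falls out of the bottom and is accepted,
# at or above TREAT_AT_OR_ABOVE it stays at the top and needs treatment.
ACCEPT_BELOW = 5
TREAT_AT_OR_ABOVE = 12


@dataclass
class Treatment:
    name: str
    side: str       # bow tie: "likelihood" (left side) or "consequence" (right side)
    reduction: int  # ordinal steps removed from that dimension
    cost: int       # relative implementation cost, cheapest option is tried first


@dataclass
class Risk:
    event: str
    likelihood: int
    consequence: int
    treatments: list = field(default_factory=list)  # names of treatments applied

    @property
    def level(self) -> int:
        return self.likelihood * self.consequence


def evaluate(risk: Risk) -> str:
    """Funnel evaluation: where in the funnel does this risk sit?"""
    if risk.level < ACCEPT_BELOW:
        return "accept"            # falls through the bottom
    if risk.level >= TREAT_AT_OR_ABOVE:
        return "treat"             # stays at the top, highest priority
    return "monitor"               # caught between the filters


def apply(risk: Risk, t: Treatment) -> Risk:
    """Residual risk after one bow-tie treatment (scales never drop below 1)."""
    lik = max(1, risk.likelihood - t.reduction) if t.side == "likelihood" else risk.likelihood
    con = max(1, risk.consequence - t.reduction) if t.side == "consequence" else risk.consequence
    return Risk(risk.event, lik, con, risk.treatments + [t.name])


def treat(risk: Risk, options: list) -> tuple:
    """The cyclical process: assess a treatment, decide whether the residual
    level is tolerable, if not pick the next option. Returns the residual risk
    and 'tolerable' or 'escalate' (no option left: avoid the activity or retain
    the risk by informed decision)."""
    residual = risk
    for t in sorted(options, key=lambda o: o.cost):
        if evaluate(residual) != "treat":
            break
        candidate = apply(residual, t)
        if candidate.level < residual.level:   # assess effectiveness; skip no-ops
            residual = candidate
    status = "escalate" if evaluate(residual) == "treat" else "tolerable"
    return residual, status


def prioritise(risks: list) -> list:
    """Order a register the way the funnel does: the higher it sits, the sooner it is handled."""
    return sorted(risks, key=lambda r: r.level, reverse=True)


# Constructed sample: one sole-source supplier risk and three candidate treatments
# (the penalty clause is a "sharing" option, the others change likelihood/consequence).
SINGLE_SOURCE = Risk("Sole-source supplier outage", likelihood=4, consequence=5)
OPTIONS = [
    Treatment("Qualify second supplier", "likelihood", 2, cost=3),
    Treatment("Hold 30 days safety stock", "consequence", 2, cost=2),
    Treatment("Contractual penalty clause", "consequence", 1, cost=1),
]

if __name__ == "__main__":
    residual, status = treat(SINGLE_SOURCE, OPTIONS)
    print(evaluate(SINGLE_SOURCE), "->", evaluate(residual), status, residual.treatments)
```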

Selection of Risk Treatment Options

• Balancing the costs and efforts of implementation against the benefits derived, with regard to legal, regulatory, and other requirements.
• Consider the values and perceptions of stakeholders and the most appropriate ways to communicate with them.
• Clearly identify the priority order in which individual risk treatments should be implemented.

Performance Assessment

• Check conformity and effectiveness of the risk management program.
• Define KPIs based on risk criteria and risk assessment.
• Establish and maintain procedures to monitor and measure performance on a regular basis.
• Conduct exercises and testing.
• Establish, implement and maintain corrective procedures for dealing with actual and potential program shortfalls.
• Review any changes (internal or external) that impact the organization in relation to the risk and security operations management system.
• Self assessment should be conducted against the organization's objectives.
• Evaluate risk management plans, procedures, and capabilities through periodic reviews, testing, post-incident reports, lessons learned, performance evaluations, and exercises.

Maintenance and Change Management (1)

• Review and challenge assumptions made in the risk identification.
• Ensure that any internal or external changes that impact the organization are reviewed.
• Identify any new critical activities.
• Update, amend or change SCRM policy, strategies, solutions, processes and plans to key personnel under a formal change (version) control process.
• Verify that the key people who are to implement the SCRM strategy and plans remain in place.

Maintenance and Change Management (2)

Examples of procedures, systems, or processes that may affect the plan:
◦ Systems and application software changes
◦ Changes to the organization and its business processes
◦ Personnel changes (employees and contractors)
◦ Supplier changes
◦ Critical lessons learned from testing
◦ Issues discovered during actual implementation of the plan in a crisis
◦ Changes to the external environment (e.g. political, migration, demographic, and social changes)
◦ Other items noted during review of the plan and identified during the risk assessment


Don't Put the Cart Before the Horse

It's all about value creation, resilience, and agility in the organization.

Thank You – Questions?

Robert M. Weronik, CPP | Senior Director, Global Security
Alexion Pharmaceuticals, Cheshire, CT, USA
[email protected]

Dr. Marc Siegel, Commissioner, Global Standards Initiative
ASIS International, European Bureau, Brussels, Belgium
[email protected]