You might be overthinking supply risk management. According to Ernest Gabbard, director of corporate strategic sourcing at Allegheny Technologies in Pittsburgh, supply risk management is just a way of looking prospectively at what could happen in the supply chain that might have a negative impact on the organization, financial or otherwise.

Granted, for many companies, the supply chain represents the most significant risk to economic profitability, and even, in some cases, organizational viability. “Even the lack of an inexpensive part or service can shut down an assembly line,” Gabbard points out. But put simply, buyers just “have to determine when and where a supplier failure could occur, and then develop a plan to mitigate or potentially eliminate the risk of that failure.”

Potential supply risks include relying on single or sole sources, sourcing in politically unstable countries or geographically unstable regions, using financially weak suppliers or failing to protect intellectual property. “For example, if you have a sole source in a volatile or unstable country, your supply chain is at risk,” says Gabbard. “If you don't have an alternate for that source, you may have a facility shut down, or at very least significantly impacted.”

Allegheny Technologies purchases natural gas and Gabbard says he has made sure not to sole-source that spend. “If we only sourced natural gas from the Gulf of Mexico and didn't have alternative sources of natural gas and other petroleum commodities, during hurricane season we could have some facilities negatively impacted,” he says.

According to Gabbard, most organizations understand supply chain risk is a significant issue that could have a negative impact on them, but not all of those companies go the next step and do a formal assessment to determine where that risk actually is. In fact, when organizations performed risk assessments as part of the Sarbanes-Oxley Act's requirements, many of those that identified supply chain risk as an exposure never followed through with risk mitigation plans.

One reason for the lack of follow-through, Gabbard believes, goes back to the historic role of procurement. “We have always been risk managers, but we have tended to be reactive,” he says. One example is expediting when something was late or looked like it was going to be late. The goal these days, he believes, is not to have 20-20 hindsight, but rather 20-20 foresight—trying to look forward with what might happen in the supply chain.

While part of the reason for not engaging in formal supply chain risk management may lie with supply chain managers, another part may lie with corporate management as a whole. They often believe that there are too many other higher priorities, that they lack the resources, or they are uncertain of where or how to begin the process.

These challenges have not stopped Allegheny Technologies from implementing a formal supply chain risk management process. The first thing Allegheny did was to define what risk meant to them. “If you ask a group of supply managers to define risk, you will end up with a lot of different definitions,” Gabbard says. “But we defined what risk was for us and also defined what an unstable country was.”

The next step was to define and identify critical items. Obviously, any item can be subject to disruption but the critical items are those that can have a significant impact on business if a disruption occurs. Allegheny identified the commodities that fit that definition and they were not necessarily always high dollar items. There could be low-value items that could shut a facility down.

Gabbard and his colleagues conducted a comprehensive review of all suppliers to determine which ones represented critical risk, which it defined as any supply or service that could substantially impact the function of the organization. There is a tendency in procurement to actively and aggressively manage suppliers that represent large dollar expenditures. However, in some cases, the major risks may lie with some smaller dollar value suppliers. Gabbard's team looked at both when identifying critical suppliers.

From there, it was time to prioritize the critical items to determine where to focus. “You can't go after all of the risks,” Gabbard warns. “When we began this process, we realized there were hundreds of suppliers that represented risk as we defined it, in terms of critical raw materials or other items.” To prioritize, the group looked at the probability of a disruption occurring vs. the cost of eliminating the risk. They then went after the items where they felt there was a risk that fit their criteria and was a priority item.

The next priority was to obtain executive management support for the supply risk management program. This involved articulating the business imperative, and sharing the vision of how procurement intended to eliminate or mitigate the supply chain vulnerability. “One challenge that supply managers seem to have is how to determine the business case,” says Gabbard. While they understand the need themselves, convincing their management that they ought to be spending resources today to mitigate a risk that may never happen is more of a challenge.

One strategy Gabbard finds effective in making executives understand supply risk is to use an insurance metaphor. “You never decline to insure something simply because you may never need it,” he states. “In the same way, you have to illustrate to senior management the financial impact of what happens if a critical supplier fails.”

To help drive support across the organization, Gabbard assembled a cross-functional team that included representatives from various departments that could consult on supply chain risk issues. For example, the engineering department may create a dilemma related to their design of a process or part.

From there, priority was to develop a strategic plan to work toward minimizing or eliminating the risk. Gabbard admits that this may end up taking years. However, the important thing was to begin and continue to move in the right direction. “We use a very methodical process,” he states. “We meet every month to go over each commodity and determine the status.” The team develops long-term (sometimes multi-year) mitigation plans where, over a period of time, they will be able to eliminate, or at least mitigate, their risks with the commodity being managed. “We may not accomplish it in one year, but we will always be moving in that direction,” he states.

After the planning is complete, execution of the strategic plan needs to become a priority, despite resource constraints or conflicts and further down the road, the emphasis moves to providing periodic status reports to executive management, to keep them informed and engaged in the process.

Gabbard has found that, while the major benefit of a formal supply chain risk management program is to reduce risk exposure in the supply chain, a secondary benefit, and one that is usually much more tangible, noticeable, and immediate, is that supply chain efficiency improves, the result of improved performance by the suppliers that have been identified as critical. That is, once these suppliers are identified and their performance measured, it is likely that their performance will improve in such areas as on-time delivery and/or product quality. In fact, this result may be an excellent way to gain the support of senior management from the start. Explain to managers that, while the goal is to reduce exposure to problems that may never come about, a likely result will be improved supply chain efficiency, which will definitely add dollars to the bottom line.