STANDARDIZING THE LANGUAGE OF SUPPLY CHAIN RISK MANAGEMENT: THE BASICS

As the Council moves toward adopting ISO 31000 as its endorsed standard for supply chain risk management, a mutually shared understanding of the process vocabulary becomes increasingly important. Everybody needs to be on the same page.

To that end, John Brown, Director, Risk Management, Supply Chain Development, Coca-Cola Company, and his colleagues on the SCRLC Risk Assessment and Monitoring track are compiling a kind of ‘lexicon’ of terms based on ISO/IEC Guide 73. The next several issues of the newsletter will provide updates on key aspects of this exercise, beginning with Basic Terms.
Risk Management constitutes the top-level concept within which all activities transpire. “Some people have been using Crisis Management as a synonym,” notes Brown, “but that’s after-the-fact, after the risk has manifested itself. Risk Management is proactive, crisis management reactive.”
Risk itself is defined as ‘the effect of uncertainty, with the level of risk expressed as a combination of likelihood and consequence.’ “Everybody uses the term differently,” notes Brown. “I catch myself doing it, using ‘risk’ to mean likelihood.”
Likelihood, the term favored in the United States but not elsewhere, will be used to denote the chance of an event transpiring. “The international community prefers Probability,” says Brown. “I was surprised that the U.S. won out. The ISO can be a pretty political environment.”
Risk Appetite is proving perhaps the most elusive term to define. “It’s a concept you can resonate to at fifty thousand feet,” observes Brown, “but when you try to implement it on the ground as a practical application it’s very tough. It’s important to have a measure so individuals within a company don’t take more down-side uncertainty than a company can reasonably bear, or less than is optimal for a company to tolerate. But with the exception of financial services, it’s very cutting edge to develop a metric that puts numbers on risk appetite. There are so many functions within a company, how can you say concisely what is acceptable risk? Most risk levels at the enterprise level are more qualitative than quantitative.”
Risk Tolerance is equally ill-defined. “ISO defines it as an organization’s readiness to bear risk, which can be interpreted as an absolute boundary that the company can accept and still survive. But some companies would say just the opposite: that Appetite is the total picture and Tolerance falls within that.”
Risk Register is the record of information about identified risks. “This forms the heart of any risk management process,” notes Brown. “It’s where you document the potential risk events, likelihood, consequences, and what you’re doing to treat them. It’s the book of record.”
Event is the occurrence of a particular set of circumstances. “A risk event is something you can visualize happening relative to your company,” observes Brown. The danger in the identification of potential risk events is that “we put a lot more weight on recent events than remote events. We tend to downplay the likelihood of something happening if it’s been a decade in the past but the reality hasn’t changed.”