The following is an excerpt from “The Resilience Operations Center: A New Framework for Supply Chain Risk Management.”
With the goal of reaching and maintaining operational resilience, organizations are looking for a modern approach to supply chain risk management (SCRM) and third-party risk management (TPRM). One way organizations are working to improve their preparedness, and to overcome the deficiencies of SCRM and TPRM approaches, is by adopting Resilience Operations Centers (ROC).
The ROC framework can drive better outcomes because it is based on three simple but vital principles: 1) aligning risk management and organizational goals, 2) breaking down silos, and 3) modernizing threat detection and mitigation with technologies like automation, artificial intelligence, and natural language processing. Plus, it provides the insight and agility needed to capitalize on never-before-seen opportunities.
Challenges to Operational Resilience
Of course, aligning around a new risk management approach is not always a smooth journey. There are several areas where operational resilience breakdowns can occur. The following issues and pitfalls can arise across the extended supply chain and within your own organization:
- Weak, ineffective operational risk management governance processes at the board, senior management, business unit line management, and independent enterprise risk management levels.
- Incomplete business continuity management for critical operations functions, including monitoring, scenario analysis, periodic testing and tabletop exercises, staff training, and availability.
- Lack of scenario planning and analysis to anticipate potential disruptions in supply chains. Scenario planning should be combined with forecasting to assign probabilities of occurrence of scenarios to further refine plans.
- Insecure information systems, including inadequate protections for sensitive information in transit and in storage at all locations.
- Ineffective operations monitoring, log review, and follow-up actions and reporting.
Any one of these inefficiencies could result in the loss of significant financial resources and pose additional operational risk to your organization.
ROC Success Factors
Making a ROC successful involves many factors. But following these five fundamental principles will help any organization lay the groundwork for reaping the framework’s benefits.
- Be aware of your industry’s key operational risks. Different industries are exposed to different types of risks, along with varying levels of regulation. For example, financial services organizations focus on service interruptions to their supply chains caused by misconfigurations, misuse, and phishing/hacking. IT hygiene, focusing on active monitoring of your threat environment and proactive patching of security vulnerabilities, is a critical activity, as is having a mature software development life cycle. Manufacturing supply chain risk managers focus on disruption of logistics, transportation, and raw material procurement. Monitoring for and taking actions to address political instability, natural disasters, and the potential for black swan events such as pandemics can ensure greater operational resilience. Understanding your critical risks will allow you to focus on key mitigation steps to ensure operational resilience.
- Don’t think you can outsource business risk and accountability. Business units often assume that once a function has been outsourced to a supplier, they are no longer accountable for that functionality or the performance of their suppliers and extended supply chains. That is not the case. Establishing appropriate oversight of these relationships is management’s responsibility. This can be easily done by performing quarterly supplier performance reviews based on pre-determined success criteria. Outsourcing oversight also includes the ability to preserve and, as necessary, recover services in the event of a supplier failure. All outsourced critical business services need a contingency plan for either bringing the function back in house or migrating it to a new supplier in a timely manner.
- Maintain operating execution knowledge. Alongside accountability, the knowledge needed to effectively operate a business can disappear if it is not carefully preserved by your organization. You should always have a fallback plan for your suppliers to ensure your operational resilience should catastrophe strike. Preserving this knowledge within the business, along with the capacity to insource or migrate the functionality should the need arise, is often neglected, and that neglect can create a situation in which the ability to continue operating may be lost over time.
- Don’t equate compliance with risk management. Your SCRM program can become overly focused on compliance and “check the box” exercises to demonstrate that suppliers have been reviewed to identify operational risks. Focus on ensuring that proper steps have been taken to mitigate risks to a level that meets your risk appetite. Compliance isn’t resilience. Use KPIs to report trending changes in the delivery of critical outsourced products and services before product or service delivery resilience is negatively impacted. This leads to the next point.
- Focus on total cost of ownership (TCO) of your SCRM program. Your SCRM program can easily become a “Field of Dreams” endeavor in which you spend years building out an asset inventory, identifying supplier relationship managers, and performing increasingly large risk assessments without achieving risk mitigation. Risk assessments alone do not reduce operational risk. When combined with unfettered growth in the number of suppliers used by your organization, this can lead to inefficiencies in your overall risk management program and operational performance degradation. From the beginning of your program, identify quick wins that mitigate actual risks and report to all levels of management on progress being made towards greater operational resilience.
Need Operational Resilience? Get the ROC Book
The Resilience Operations Center book goes into more detail on these and other topics, including aligning a business operating model with strategic risk management objectives, identifying your risk management program’s maturity level, and defining key ROC governance processes.