THE ART OF THE POSSIBLE IN
RISK METRICS
Feryal Erhun
Management Science and Engineering
Supply Chain Risk Leadership Council, London, February 22-23 2007
a short recap
Creating Value Through
Resilience
Likelihood
Qualitative risk analysis in BCM
Business Impact Analysis (BIA)
•Identify the key processes and activities
An insurer’s perspective on supply chain risk
management
1
5
•Determine the impact upon the business
if these were disrupted or lost
7
4
3
• Consider the GAP (MAO, RTO, etc).
E.g. financial, market, customer loyalty
impacts
Supply Chain Risk Leadership Council
February 2007
6
2
Impact
•Conduct a risk analysis to identify the
potential threats – prioritise resources
Tim Astley
Strategic Risk
Zurich Risk Engineering
© Zurich -Risk Engineering, Cisco SCRLC February 2007
24
Quantitative techniques
What tools and techniques does Zurich use to evaluate
supply chain risks?
Total Risk Profiling
Risk Profile
Company:
• ‘Traditional’
Scope:
Yourhealth com
Total Risk Profiling on Healthwatch
Analysis Date
14.04.2000
• Actuarial techniques
A
• Retention studies
• Interdependency analysis
• Total cost of risk
• Qualitative risk analysis techniques
B
Probability
• Risk grading and benchmarking
C
D
• Adherence to standards
•‘Simulation’ of data in difficult
areas
• Risk quantification
E
Probabili ty
• Evaluation of real loss / claims
data
F
Annual Loss Amount
IV
III
II
I
Severity
• Combine and analyse
© Zurich -Risk Engineering, Cisco SCRLC February 2007
Feryal Erhun, MS&E, Stanford University
14
© Zurich -Risk Engineering, Cisco SCRLC February 2007
SCRLC, London, February 22-23 2007
26
2
potential questions to think about
• What is the risk of potentially moving
manufacturing facilities overseas?
• What is the risk of not being able to fulfill a
spike in consumer demand for our products?
• What is the risk to your brand if an incident
occurs at one of your suppliers or distributors?
Source: Marsh Risk Consulting
Feryal Erhun, MS&E, Stanford University
SCRLC, London, February 22-23 2007
3
still more questions …
• What are the dependencies & weak links within your
supply chain (SC)?
• Do you understand the risk that has been inadvertently
built into our SC? Where does risk reside in your supply
network?
• Have you identified the SC risks that you might be able
to mitigate, eliminate, or pass on to another SC member?
Have you considered alternative SC structures?
• Have you fully integrated our business contingency plans
and emergency response plans into your SCM initiatives?
Source: Marsh Risk Consulting
Feryal Erhun, MS&E, Stanford University
SCRLC, London, February 22-23 2007
4
effective risk management includes
• Identifying and recognizing sources of
uncertainty, i.e., risk events.
• Measuring and assessing the frequency of
occurrence and severity of impact of an event
• Evaluating alternative approaches to mitigate or
take advantage of the risk
Feryal Erhun, MS&E, Stanford University
SCRLC, London, February 22-23 2007
5
an engineering approach to risk
management
• Goal
– Risk analysis to improve the “performance” of
supply chains
• Approach
– Using Probabilistic Risk Analysis (PRA)
techniques
• To provide a quantitative estimation of the overall
vulnerability of supply chains to uncertain events
(i.e., risk exposure)
• To support rational decision making
Feryal Erhun, MS&E, Stanford University
SCRLC, London, February 22-23 2007
6
Probability, P(V=v)
how do we define risk
Performance Measure, V
Source: Tim Astley. Creating Value Through Resilience. SCRLC, February 2007.
Feryal Erhun, MS&E, Stanford University
SCRLC, London, February 22-23 2007
7
obtaining a quantitative assessment
p(V  v)   p( si ) p(V  v | si )
i
Scenario Probability
Systems Modeling
If Si is composed of events A, B, C
Develop a model of the system to
obtain the distribution of the value
to the firm, V, given each scenario.
p(Si) = p(A)p(B|A)p(C|A,B)
where p(A) or p(B|A) are event probabilities
Deterministic or probabilistic
V = F(Si) or Si → FV|Si(v)
Event Probability
Statistical data, expert opinion, further
decomposition
Use Simulation to Simplify the Integration of Systems Modeling
Scenario
Computations
Feryal Erhun, MS&E, and
Stanford
University Probability
SCRLC, London,
February 22-23 2007
8
risk analysis methodology
Output
Definition of System and
Performance Value
Expert
Opinion
Components
Sub-assembly
Transportation
to Sub
-assembly
Transportation
to Assembly
Asia
North America
Risk factors on
Influence Diagram
Risk
Quantification
Reassessment
Monitoring
Performance
Measures
Risk
Identification
Probability
Distributions
Risk
Management
Feryal Erhun, MS&E, Stanford University
Expert
Opinion;
Statistics
Influence Diagrams
Expert
Opinion;
Statistics
Simulation;
Probabilistic
Modeling
Simulation; Box
Plots; Risk Curves;
Decision Analysis
SCRLC, London, February 22-23 2007
Customs
Information
Customs
Analytical Process
Tools and
Techniques
9
step 1: defining the system
Illustration
Critical Supply Sub-Assembly
Sites
Sites
Option 1:
Current Supply Chain Structure
Components
Assembly
Sites
Distribution
Centers
Customers
Sub-Assembly
Product 1
Product 2
Transportation
to Sub-assembly
Transportation
to Assembly
Product 3
Product 4
North America
Option 2:
Suggested Alternative Structure
Components
Customs
Product 5
Customs
Asia
Asia
Sub-Assembly
North America
Ground
Air/Ocean
Transportation
to Sub-assembly
Europe
Transportation
to Assembly
North America
Feryal Erhun, MS&E, Stanford University
SCRLC, London, February 22-23 2007
10
step 2: identifying risk factors (I/II)
Operational/ Forecast errors, capacity constraints, cargo losses, budget
overrun, emergence of a disruptive technology, storage risks,
Technological order minimums and maximums, virus attack, etc.
Social
Natural/
Hazard
Union and labor relations, negative media coverage, perceived
quality, holidays, loss of key personnel, third-party strikes,
fraud, human errors, etc.
Fire, storm, flood, hail, monsoon, tornado, hurricane,
earthquake, epidemic, etc.
Interest rate fluctuation, exchange rate fluctuation, commodity
price fluctuation, price and incentive wars, bankruptcy of
partners, stock collapse, global economic recession, etc.
Directors and officers liability, law suits, governmental
Legal/
incentives/restrictions, new regulations for industry, lobbying
fromUniversity
customer groups,
instability
overseas,
confiscations,
Political
Feryal
Erhun, MS&E, Stanford
SCRLC,
London, February
22-23
2007
11
abroad, terrorism, war, etc.
Economic/
Competition
step 2: identifying risk factors (II/II)
Illustration
Forecast
Variability
Component Sourcing
Problems
EDI Outages
CM Management
Qualifications
Leadtimeand
Cost
Sourcing
Fiscal Quarter
CM Capacity
Tools and Process
Changes
Leadtimeand
Cost
Sub-Assembly
Yield Variability
CM Bankruptcy
Time of
Year
Eng. Change Orders
Beginning of
Peak Season
Monsoon
Season
Leadtime
and
Cost
per unit
Carrier
Rate
Damage
and Loss
Rebuild
Decision
Import Clearance Time
Hurricane
Season
Dest. Trucking
Dest.
Delay
Leadtimeand
Cost
Transportation
Arrival Delay
Origin Trucking
Export Clearance
Time
Origin
Delay
Natural Disaster
Labor Strike
Leadtime
Disaster
Geo-political Instability
Feryal Erhun, MS&E, Stanford University
SCRLC, London, February 22-23 2007
12
step 3: quantifying risk
p(V  v)   p( si ) p(V  v | si )
i
0.45
Zone A
Zone B
Zone C
0.4
Illustration
0.35
Distribution of
Network Losses
Conditional on
Losses Being
Positive
0.3
0.25
0.2
0.15
0.1
0.05
0
20
Feryal Erhun, MS&E, Stanford University
40
60
80
100
120
140
160
SCRLC, London,
February
Quarterly
Losses22-23
($M) 2007
180
200+
13
step 4: managing risk –
mitigation strategies
Options/
Redundancy
Reinforcement
Diversification
Warning Systems
Frequency
vs. Impact
Impact
Frequency
Both
Both
Robust/
Resilient
Robust
Robust
Robust and
resilient
Resilient
Coupled systems
Risk displacement
Coupled systems
False positive and
false negative
Shortcoming
Supply
Chain
Example
Building extra
production
capacity
Splitting
production
Investing in
(freight) between
upscale IT servers
two manufacturing
sites (carriers)
Feryal Erhun, MS&E, Stanford University
Strike monitoring
and partner’s
financial health
monitoring
SCRLC, London, February 22-23 2007
14
High
communicating risk (I/II)
19
20
15
17
13
8
2
11
Impact
4
14
Medium
1
5
9
12
10
7
18
3
16
Low
6
Low
Medium
High
Likelihood
Feryal Erhun, MS&E, Stanford University
SCRLC, London, February 22-23 2007
15
communicating risk (II/II)
Frequency
Pr(Site Down during Time Horizon)
Feryal Erhun, MS&E, Stanford University
Severity
Pr(Network Losses ≠ 0 Given Site
Down During Time Horizon)
10
20
30
40
Less than
0%
%
%
%
%
SCRLC, London, February 22-23 2007
50
%
16
60
%
remarks
• This is not an optimization; the goal of the
PRA is to bring relevant information to the
decision maker
• The risk is captured by the variability of chosen
supply chain performance measures
Feryal Erhun, MS&E, Stanford University
SCRLC, London, February 22-23 2007
17
insights from the case study
• Managers should be aware of the hidden costs and account for them
in their analysis, by carefully choosing an adequate performance
measure
• A team of actors with different responsibilities should be in charge
of the analysis from the identification of risk factors to probability
assessments
• Risks may be specific to product families and supply chain structures
• From the managers’ perspective, the output of a risk assessment
process should be to know where the risk resides within the supply
chain and its order of magnitude
• Mitigation strategies should be appraised within a global context
Feryal Erhun, MS&E, Stanford University
SCRLC, London, February 22-23 2007
18
summary
• Supply chains are vulnerable to uncertainties, they should be
managed as such
– Managers have levers to improve the robustness and
reliability of supply chains
• Risk analysis can help supply chain managers choose a better, if
not best, alternative through
– Identification of the weak points of the system
– Quantification of risk exposure to serve as a support for their
decisions
Feryal Erhun, MS&E, Stanford University
SCRLC, London, February 22-23 2007
19
Kleindorfer and Saad’s framework
(I/II)
•
•
•
•
•
•
One has to put one’s own house in order first before expecting or requiring
others in the extended supply chain to do so.
Make use of, and extend the main premise of portfolio theory, namely:
diversification reduces risk. For disruption risk management, such
diversification should be extended to include facility locations, sourcing
options, logistics, and operational modes.
Robustness to disruption risks in a supply chain is determined by the
weakest link in the chain, especially with respect to the actions of
purposeful agents attempting to disrupt supply operations.
Prevention is better than cure, i.e., loss avoidance and preemption are better
than mitigation of losses after the fact.
Extreme leanness and efficiency may result in increasing the level of vulnerability, at
both the individual firm level and across the supply chain.
As a corollary to principle 5, establishing backup systems, contingency plans,
and maintaining reasonable slack, can increase the level of readiness in
managing risk.
Feryal Erhun, MS&E, Stanford University
SCRLC, London, February 22-23 2007
20
Kleindorfer and Saad’s framework (II/II)
• Collaborative sharing of information and best practices among supply chain partners
is essential in identifying vulnerabilities and in preparing for and
executing effective crisis management.
• Good crisis management is not enough; linking risk assessment and
quantification with risk management options ex ante is of fundamental
importance in understanding the potential for ultimate harm to the
organization from supply chain disruptions and for evaluating and
undertaking prudent mitigation.
• Modularity of process and product designs, and other key elements of
agility and flexibility for lean supply chain design, can also provide leverage for
risk reduction, especially for interruptions involving discontinuities in
raw material availability and component supply.
• Applying TQM principles, e.g., the Six-Sigma Approach, provides leverage
in achieving higher supply chain security and reduction of disruptive
risks faced while reducing operating costs.
Feryal Erhun, MS&E, Stanford University
SCRLC, London, February 22-23 2007
21
references
• Deleris, L.A., and F. Erhun. “Risk Management In A Supply Network: A Case
Study Based On Engineering Risk Analysis Concepts,” in Handbook of
Production Planning. Edited by K. Kempf, P. Keskinocak, and R. Uzsoy, Kluwer
International Series in Operations Research and Management Science,
Kluwer Academic Publishers (To appear).
• Deleris, L.A. and F. Erhun, 2005. Risk Management in Supply Networks
Using Monte-Carlo Simulation, in Proceedings of the 2005 Winter Simulation
Conference. Edited by M. E. Kuhl, N. M. Steiger, F. B. Armstrong, and J. A.
Joines.
• Kleindorfer, P.R. and G.H. Saad. Managing Disruption Risks in Supply
Chains. Production and Operations Management, Vol. 14, No. 1, pp. 53-68. Spring
2005.
• Lee, H. L., S. Whang. 2003. Higher Supply Chain Security with Lower Cost:
Lessons from Total Quality Management. Research Paper No. 1824, Stanford
University, Stanford, CA.
• Lee, H. L., M. Wolf. 2003. Supply chain security without tears. Supply Chain
Management Review 7(1) 12–20.
Feryal Erhun, MS&E, Stanford University
SCRLC, London, February 22-23 2007
22
potential discussion questions
• In your company:
– How do you define supply chain risk? How do you perceive risk?
– What supply chain performance metrics do you use? How should these metrics be
adjusted when risk is considered as well?
– Have you identified - and do you monitor - key risk indicators of upstream or
downstream activities that might result in a disruption in the supply chain? How
do you measure them? How do you communicate them?
– Do you incorporate the element of risk when making strategic or tactical
decisions about your supply chain? Have you fully captured your enterprise-wide
risk profile? Do you believe this can be done?
• What are the additional performance metrics for risk?
• Who do you see as the leader in supply chain risk management in your
industry? In general? Which industry is the leader when it comes to risk
management?
• Additional questions that the group wants to discuss ….
Feryal Erhun, MS&E, Stanford University
SCRLC, London, February 22-23 2007
23