When Iceland’s Eyjafjallajökull volcano erupted in 2010, airline flights across the Atlantic were disrupted for days, and global supply chains for products like fruits and fresh flowers were severely interrupted. When a tsunami and nuclear meltdown hit northern Japan in 2011, automakers and electronics manufacturers in Asia and North America lamented that some key suppliers could not comply with their delivery dates, forcing slowdowns in their production scales and frustrating buyers. In these cases and others, many companies have been stymied by the fact that there was no way to forecast where and when the next natural disaster would occur.

What kind of analysis — and proactive strategic initiatives — should companies be enacting in order to mitigate their short- and long-term supply chain risks? What lessons have been learned from the turmoil of the past few years? Spurred by a sharp increase in concern about extreme weather events, leading discussion groups such as the World Economic Forum (WEF) and the Council for Supply Chain Professionals (CSCMP) have been intensifying their efforts to create comprehensive frameworks and common standards for evaluating and enacting risk-mitigation initiatives that are pro-active and strategic, rather than reactive or tactical.

The World Economic Forum’s Supply Chain Risk Initiative in 2011 began ongoing initiatives to explore the systemic risks and vulnerabilities of global supply chains and transportation networks. Its initial report on that initiative, launched at the 2012 annual meeting of the WEF in Davos, Switzerland, examined the possibility of these risks causing serious disruptions to global supply chains, while highlighting the need for companies to shift their focus from a reactive to a proactive stance.

In January, the WEF published an overall blueprint for resilient supply chains based on four core components: partnerships, policy, strategy and information technology. The report outlines a series of recommendations aimed at guiding multi-stakeholder engagement. Noting that systemic risks are characterized by “global geographic scope, cross-industry relevance, uncertainty as to how and when they will occur, and high levels of economic and social impact requiring a multi-stakeholder response,” the report added that such risks are also “magnified by the way supply chain systems are configured; and cannot be mitigated by individual actors. Risk management must be an explicit but integral part of supply chain governance.”

Noting that various institutions have widely different perspectives about supply chain risk assessment, the report made these key recommendations: institutionalize “a multi-stakeholder supply chain risk assessment process rooted in a broad-based and neutral international body”; mobilize international standards bodies to “further develop, harmonize and encourage the adoption of resilience standards”; incentivize organizations “to follow agile, adaptable strategies to improve common resilience” and “expand the use of data sharing platforms for risk identification and responses.” The report also outlined three “must-have” requirements that have emerged from WEF-sponsored workshops and dialogues held in recent months: First, the need for a “common vocabulary” when talking about risk; second, the need for improved data and information among those involved with supply chains, and third, “the need to build greater agility and flexibility into resilience strategies.”

Meanwhile, the Council of Supply Chain Professionals (CSCMP), the Chicago-based international organization for the industry, has also presented its members with a formal structure for identifying — and mitigating — the root causes and impacts of various kinds of risks commonly facing supply chains.Known as the Supply Chain Risk Identification Structure (SCRIS), it is designed to create a common language for supply chain professionals to address the challenges faced by companies of all sizes and in all sectors.

Why is there an urgent need for such a formal structure? “Ask 100 different people the same question — ‘What does supply chain risk mean to you?’ — and you will get lots of different answers,” according to Richard Sharpe, chief executive officer of Competitive Insights, an Atlanta-based provider of supply chain software. “For some people, risk means terrorist attacks. For others, it means port closures, IT infrastructure vulnerability or the financial collapse of their suppliers. Since supply chain risk means so many different things to so many different people, it is hard to communicate with people without having a common language and structure to think about supply chain operating risks.”

‘What If?’ Instead of ‘Why?’

Richard Sherman, president of Austin, Tex.-based consulting firm Gold & Domas, notes that another issue facing many firms regarding risk management is that they focus on the cause of a particular threat, rather than its results. For example, when companies hear about a devastating weather event, leadership will often try to figure out the best way to protect the firm from the same type of disaster occurring in the future. “It doesn’t matter what happened to cause a company to lose a key supplier” or to suffer a different sort of disruption to its supply chain, Sherman adds. “What matters is finding answers for such questions as: ‘What do we do if we lose any key supplier?’ or ‘What do we do if any one of our key plants goes down?’ Risk management is all about ‘What if I lose something?’ It is not about ‘Why did I lose it?'”

The CSCMP’s SCRIS framework is designed to make it easier for supply chain specialists — and senior executives at firms that have complex, often globalized supply chains — to identify and address the ‘what-if’ scenarios most relevant to their own specific operations. It makes no sense for companies to prepare a contingency plan for a specific disaster like a tornado, Sherman points out. “The odds of winning such a bet are so small, so it is not worth the planning.”

Long before the SCRIS was unveiled last November, this sort of pro-active approach had become standard operating procedure at leading global corporations like Coca-Cola, GE, Ford and GM, note analysts. Many of those firms have already developed a “risk management culture,” says Walter Kemmsies, chief economist at Moffatt & Nichol, a global infrastructure and transportation advisory firm. “It is already in those companies’ blood to go after supply chain risks.” But many smaller companies have yet to do so, he adds, either because they don’t understand the increasing vulnerability of their global supply chains, or they lack the resources to tackle its increased complexity.

Wharton operations and information management professor Marshall Fisher notes that it could be tempting for companies to try to predict the likelihood of the various kinds of risks facing their supply chains and prepare for those specific contingencies. For example, a company might avoid building a plant on an earthquake fault line, or build a second plant in a region safe from earthquakes. However, he adds, “so many things could go wrong that it is hopeless to predict what could happen.” He suggests that firms should instead design their supply chains to be resilient, even if that means spending significant resources in the form of constructing additional plants or contracting with extra suppliers.

The SCRIS model makes sense, according to Tom Linton, chief procurement and supply chain officer at Flextronics International, a $30 billion electronics manufacturing services firm with more than 200,000 employees and operations in 30 countries, but he notes that for a company like his, there is no such thing as a “simple” way to map risk due to all the different variables that come into play, such as sites, vendors, ownership, locations, materials, ability to effect, strategy and internal politics. “The model probably works well for a supply chain that isn’t too complex.”

Another hurdle is that many firms are “just starting to prioritize creating transparency throughout the supply chain and might not have a full picture of all of the entire supply chain,” says Wharton MBA student Dana Martin, who has worked in supply chain resilience and security consulting with numerous Fortune 500 companies. Martin points out that even Wal-Mart, despite all its sophisticated supply chain capabilities, was caught off guard when an unauthorized supplier in Bangladesh suffered a factory fire that killed 112 people. “One of the major challenges is a lack of commercial software and tools to analyze and quantify the risks associated with a company’s supply chain,” he notes. “Additionally, company executives need to transition their view of supply chain risks from a back-office cost center to a ‘bet-the-company’ issue that requires investment and executive attention.”

Developing a Road Map

Wharton operations and information management professor Morris Cohen says SCRIS and other initiatives help by giving people a framework to think about the process. He adds that even companies with a modest technology budget can develop a broad road map for thinking through their major risks. Cohen’s overall “thought framework” for risk management and mitigation involves analyzing the probabilities of various risks, including low-probability but high-impact events such as disastrous weather events. Having completed such an analysis, companies can then “make investments in capacity, flexibility and technology in advance of the event,” Cohen notes. “Ninety percent of the quality of the results will be determined by the decisions made in advance [of a risky event.] You can’t afford to put all your resources at all the places where something could go wrong.”

Cohen cautions that companies need sophisticated models of their supply chains that accurately reflect the challenges specific to their particular operations. These representations, whether simulations or mathematical models, must take into account all the important factors and the likelihoods that “low probability, high-cost events that have very expensive outcomes” will take place. “If you ignore the complexity, you can miss the whole point,” he adds.

According to Cohen, many firms that do not enact advanced risk management strategies probably have an intuitive understanding of the basic issues involved. “Many people have good intuition, but they may not have the tools and analytical data” needed to alleviate their supply chain risks. Cohen points out that nowadays, there exist “powerful tools, such as data mining and sophisticated logarithms…. But if you don’t invest in advanced thinking, it is a prescription for disaster. You can’t just think about the process, but must put in place prescriptions.”

Adding Redundancy, Increasing Resilience

Broadly speaking, three sorts of mitigation strategies emerge from the approach outlined in the SCRIS, says Sharpe, its co-author. The first category involves redundancy. In a very simple example, if a company has only one distribution center for its products, it risks a major failure in its supply chain if that distribution center cannot operate for a significant period of time. An appropriate redundancy strategy might involve building a second distribution center. Or leadership may decide that the firm needs to use at least two transportation carriers each month in order to service its best customers because high-quality customer service is absolutely vital to its business model.

Second, some strategies involve contingency planning, notes Sharpe. In such a case, company leadership identifies their top-priority risks, and then develops an action plan contingent on certain negative events taking place. Employees must be trained in that plan, and it must be communicated to all relevant stakeholders in and outside the organization. “A lot of people set up a war room and an action plan after the event, but by that time, you are racing against time,” Sharpe says. If, for example, a firm waits until after a key supplier goes bankrupt, it may find that it can’t satisfy customers’ orders. “You then have to deal with the reality of significant profit losses, lost market share and diminished shareholder confidence. That’s why you focus on mitigation activities in advance of the event,” he adds.

A third kind of mitigation strategy involves changing corporate policies, says Sharpe. In such a case, companies “change their operating policies to be less vulnerable to an identifiable, prioritized risk.” In one notable example, Toyota decided not to rely on single suppliers for any of its vehicle components following the Sendai tsunami and nuclear disaster of 2011. The earlier approach left Toyota vulnerable when single-source suppliers were forced to shut down.

Fisher, Martin and Wharton MBA student Hirotaka Ellis are currently involved in an independent study project focused on simulating supply chains in an effort to quantify one company’s supply chain resilience and recommend appropriate investments to diminish that firm’s supply chain risks — and consequently increase its resilience.

Ironically, writes Martin in his description of the research project, over the past decade global enterprises have focused on making their supply chains leaner by eliminating redundancy and cutting inventories in order to reduce costs. Such an approach “has significantly increased the importance of each node in the supply chain to the success of the entire system,” he notes. “Because nearly every node is critical, the relative risk of interference with a single node causing a disruption to the entire supply chain has grown significantly. These risks, previously not considered worthy of ‘C-suite’ consideration, have … changed the competitive landscape in numerous industries.”