Assessment of Supply Chain Vulnerabilities

This is a review of another chapter of the book by Zsidisin and Ritchie (Supply Chain Risk). The book can be bought at amazon.com, if you are interested in reading more.

I already reviewed chapter 15 on Behavioral Risks in Supply Networks.

The title of this weeks article is “Assessing the Vulnerability of Supply Chains” and since the author works for a consulting firm you can expect a more practice oriented approach to risk analysis.

Goals and definitions

There are three main questions to be answered in this article:

1. Understand the nature and types of factors that may pose threats and risks to the achievement of the supply chain system’s short and long term mission.

1. Understand the scenarios (processes and mechanisms) through which these threats, risks and vulnerabilities may evolve.

1. Understand how through the use of vulnerability scenarios, the likelihood and consequences of such threats may be reduced and managed in a cost- and service effective manner, whilst achieving an acceptable vulnerability level.

A vulnerability of a supply chain in this context is defined as

the properties of a supply chain system; its premises, facilities, and equipment, including its human resources, human organization and all its software, hardware, and net-ware, that may weaken or limit its ability to endure threats and survive accidental events that originate both within and outside the system boundaries.

Vulnerability analysis is seen as an extension to risk analysis.

Risk analysis is focused towards the human, environmental and property impacts of an accidental event, while a vulnerability analysis is focused towards the system mission and the survivability of the system.

In a risk analysis three questions make up the basis of the analysis: (i) what can go wrong, (ii) how likely is it to happen, and (iii) what are the consequences.

A vulnerability analysis, on the other hand, focuses upon (a) an extended set of threats and consequences, (b) adequate resources to mitigate and bring the system back to new stability, and © the disruption time before new stability is established [figure 1].

Figure 1: Disruption Sequence (Asbjornslett, 2009)

Vulnerability Analysis

Based on this definitions the author builds his approach on a generic approach for risk assessment. The flow chart in figure 2 highlights the seven steps.

Figure 2: Vulnerability Analysis Process (Asbjornslett, 2009)

These steps fall into three categories:

1. Understanding the context-specific threat and risk picture of the given supply chain and SCM context, and structure this into a taxonomy of the vulnerability factors [steps 1 to 3].

1. Analyse and rank the vulnerability scenarios, resulting in a criticality ranking of the scenarios [steps 4 and 5].

1. Handling of the vulnerability through cost- or service-effective likelihood or consequence reducing measures, bringing the vulnerability down to an acceptable level [steps 6 and 7].

The goal of the first step is to have a common understanding of the specific objectives of the vulnerability analysis, the level of analysis and setting the levels of acceptable risk.

In the second step the processes and infrastructure has to be mapped. Flows of money, information and goods are highlighted. Here, “it is recommended not to make the context description too fine-grained, but rather make notes of how the context could further be detailed if required.”

In the third step factors which lead to vulnerabilities are collected in a structured manner. Figure 3 shows a fishbone diagram with several different categories which can lead to vulnerabilities.

Figure 3: Example of Factors Contributing to Vulnerabilities (Asbjornslett, 2009)

Based on these vulnerabilities adverse scenarios are developed in the next step.

A scenario is a sequence of possible events, originating from an accidental event, where the events may be separated in time and space, and where barriers to prevent the sequence are part of the scenario.

In the next step the mentioned scenarios have to be documented. The author suggests the worksheet in figure 4.

Figure 4: Template for Scenario Documentation (Asbjornslett, 2009)

To get a better grasp of the actual criticality of the revealed vulnerabilities, each scenario has to be evaluated according to its likelihood and consequences (step 5). Figure 5 has a sample sheet.

Figure 5: Assessment of the Scenario’s Criticality (Asbjornslett, 2009)

Step 6 is about ranking the different vulnerabilities to best align risk mitigation efforts (figure 6).

Figure 6: Likelihood/Consequence Diagramm (Asbjornslett, 2009)

As such we have ‘low-criticality’ scenarios in the lower left corner (white), and ‘high-criticality’ scenarios in the upper right corner (dark grey shading). The ‘criticality areas’ should be based on the acceptance criteria developed in step one, both for the un-mitigated and the mitigated consequences.

The last step deals with finding mitigation strategies for selected scenarios. Figure 7 shows the template.

Figure 6: Mitigation Activities to Reduce Likelihood or Consequences of a Vulnerability (Asbjornslett, 2009)

Conclusion

This article presented a really business oriented approach to vulnerability analysis. In a similar manner how it could be found in a presentation of a business consultant.

This business orientation can be also seen in the structure of the article: A conclusive derivation of the process is missing completely at least the definitions are mentioned.

Nonetheless, from experience I can tell that this process contains several important steps which are also known from scientific literature. And it really is immediately applicable.

Why not include some of the insights and steps presented here in your next risk-management-meeting?

If you want to have a more scientific view on vulnerability analysis have a look at this article.