Supply chain risk management is maturing


Despite companies being aware of the importance of risk management for supply chains, research shows that the reality often looks different: supply chain risk management (SCRM) is often only rudimentarily implemented and sporadically operated. However, SCRM now seems to be maturing. That is the key finding from the BME Logistics Survey 2020, which the Association for Supply Chain Management, Procurement and Logistics (BME) conducted in conjunction with Fulda University of Applied Sciences.

The cross-sectoral BME Logistics Survey 2020 was set up to explore the degree of SCRM maturity in industry, trade and services companies, including the strengths, weaknesses and improvement potential. This included addressing the main processes in supply chain management according to the SCOR model. A total of 214 company representatives from German-speaking countries took part in the study, 64% of whom came from the areas of SCM, logistics or purchasing and 25% from the areas of risk management or general management.

Independent SCRM function is still rare

The results show that SCRM across the entire supply chain has only been established in a few companies so far. A separate and independent organizational unit for SCRM exists in only one in five of the companies surveyed. In 70% of the companies, there is no independent function for SCRM. Nevertheless, 55% are ‘satisfied’ or ‘very satisfied’ with the effectiveness of SCRM. Risks and events are obviously already managed in the companies and precautions are taken, but in silos and not in a consistent, cross-company and coordinated manner.

In two out of three companies where SCRM is organized as an independent function, supply chain management (including logistics, purchasing or materials management) is in charge. In 22% of the companies, SCRM is led by the risk management department.

Supplier-side vs customer-side risks

Risks in the supply chain affect both the supplier side and the customer side. Nevertheless, SCRM often focuses on the supplier side, and the necessary supply chain visibility is only available to a limited extent. While 70% of companies cover their first-tier suppliers through their SCRM activities, less than half also cover their second-tier suppliers and less than 30% of companies extend their risk management beyond the second-tier level. It is a similar story on the customer side: only two out of five managers include first-tier customers in their risk management, while further customer tiers are considered by less than 20%. This picture is underlined by the fact that companies check significantly more supplier-side than customer-side early warning indicators.

Topics such as sustainability and social standards are increasingly becoming the focus of supplier audits. The researchers advise that greater visibility in the direction of both suppliers and customers leads to a better ability to identify risks, and there is still potential for improvement for many companies.

Improvements linked to maturity level

The maturity level, measured on a scale from 1 (‘initial’) to 5 (‘leading’), can provide clues for improving SCRM. The survey shows that companies without an SCRM organization have a maturity level of 3.0 (‘evolved’), while those companies with an SCRM organization have a higher maturity level (3.4) and are on their way to the ‘advanced’ level. The researchers consider the four categories that contribute to SCRM maturity – culture, organization, process and method – for concrete indications of where companies can improve and thus achieve a higher level of maturity. On average, companies have the highest maturity level in the category of the risk management process, with a mean value of 3.5. The use of methods, with a mean value of 3.2, demonstrates a slightly lower level of maturity. Meanwhile, the categories culture (3.1) and organization (3.0) – both of which are essential elements for effective SCRM – deserve special attention in order to achieve a higher maturity level.

Ill-prepared for pandemic scenarios

The study included consideration of SCRM in the context of the current COVID-19 pandemic. Around two-thirds of the companies surveyed still do not consider a pandemic as a risk. Only a quarter of the companies that do consider such a scenario in their SCRM, i.e. approximately 8% of all the companies surveyed, have also developed a concrete action plan for a pandemic scenario. This outcome is somewhat surprising, according to the researchers, since the coronavirus crisis cannot be described as a black swan. After all, epidemics and pandemics occur regularly – as demonstrated by MERS and SARS in the 2000s alone – and much analysis has been published about the potential damage they can cause to politics, society and the economy.

The researchers conclude that mature SCRM can clearly help companies to prevent risks as well as counter the effects of realized risks, and they warn that companies should not allow themselves to be lulled into a false sense of security.