What’s the best supply risk management model?

• The methodology we adopted consisted of a preliminary phase of literature analysis, followed by field work in which we interviewed the CPOs who are members of the Procurement Lab at SDA Bocconi, a research center dedicated to procurement and supply relationship management.

Then we did risk mapping with the help of a matrix, drawing connections between the likelihood and the severity of risk. This risk classification enabled us to pinpoint the most appropriate mitigation strategy.

In our study, we did not categorize various types of damage; instead we focused on assessing the magnitude of damage, in light of the fact that damage entails a cost that has economic-financial impact. This cost, a proxy of risk, will be the main determinant of the mitigation action the company decides to take.

We considered two mitigation strategies: flexibility and redundancy.

Both share the objective of limiting or neutralizing the negative effects of damage by allocating additional resources that can be used in case of any deviation or adverse effect. But the two strategies differ in essential ways:

• A flexibility strategy is a proactive approach that calls for upstream intervention to lessen the likelihood of an adverse event and prevent the deviation it would trigger. In-depth knowledge of the phenomenon and continuous information exchange and transparency are essential with this approach. Compared to the redundancy strategy, implementation takes longer and operations management is more complex.
• The redundancy strategy instead is a reactive approach involving direct intervention when the discontinuity occurs or containment of the resulting damage - a simpler solution which is faster to implement. This strategy is generally more expensive than other alternatives, and doesn't require any particular knowledge-sharing.

When potential damage is highly likely and very severe, we adopted a combination of the two strategies. We present risk mitigation solutions in clusters (typically two or three), highlighting: the managerial style, the risk mitigation measures deployed, and the pros and cons.

At the same time, for the risk mitigation strategies, we chose a similar framework with the variables: managerial style, redundancy or flexibility strategies, and usage scenarios.

Finally, we demonstrate the existence of a relationship between how companies measure risks and how they mitigate those risks.

The main risk factors that emerged during the research are: financial, economic, operational, innovation-related; ESG (Environment, Social, Governance), geopolitical, process-related, with some amplifiers: dependence and supply chain risk.

In our research project, rather than one approach predominating, several different ones emerged. What's more, we found that often the approach in question is determined by the risk context. The damage that emerges also differs, which may be due to the level of integration of the supply chain.

What we see in our study is that risk measurement approaches and mitigation strategies are contingent on a number of factors:

• corporate culture and managerial approach (also depending on the sector);
• vendor willingness to collaborate and share information and processes;
• sensitivity to actual, explicit costs alone vs. sensitivity to the cost of potential damage as well;
• short-term vision vs. medium-term vision;
• the complexity of the solution and the skills in the organization.

We also found that our Lab partners integrate supply risk management within the framework of their Enterprise Risk Management (ERM) system, in most cases.

A few companies use systems to support risk management equipped with a comprehensive dashboard, tracking internal and external sources of risk. In contrast, several other companies adopt a structured view, one that is limited to economic-financial risks, or they task external providers with risk monitoring.

Finally, when critical issues arise, only a few companies activate a risk mitigation process semi-automatically (e.g. blocking payments, blacklisting etc.). Leading the mitigation process in most cases is the Procurement Department, which draws up an action plan and shares it with other business functions.

To sum up, our research highlights how companies achieve different results depending on the sector where they do business and their sensitivity to various aspects of risk. So, we conclude that there doesn't seem to be a single model that is best, but rather one that may be better aligned with a given context.