
The New ASIS Supply Chain Risk Management Standard
Dr. Marc Siegel
Commissioner
Global Standards Initiative
ASIS International, Brussels, Belgium

Robert M. Weronik, CPP
Senior Director - Global Security
Alexion Pharmaceuticals, Cheshire, CT

ASIS International Seminar and Exhibition
Monday, September 29, 2014

Copyright © 2014 ASIS International


Supply Chain Risk Management: A Compilation of Best Practices
• Developed in collaboration with the Supply Chain Risk Leadership Council.
• Provides a framework for collecting, developing, understanding, and implementing current best practices for supply chain risk management (SCRM).
• Practitioner’s guide to SCRM within the organization and its end-to-end supply chain.
• Provides guidelines and tools to assess and address supply-chain risks.
• Submitted to ISO as a NWIP.
Supply Chain Risk Leadership Council
• Our Vision
◦ Create a cross-industry council comprised of world class manufacturing & services supply chain firms that will work together to develop and share supply chain risk management best practices.
• Our Mission
◦ Work together to create best-practices supply chain risk management standards, processes, capabilities and metrics to be adopted within our respective organizations. Leverage this best practices effort to proactively initiate consistency across industries and their related organizations / councils. Enable standardizations across industries where applicable and become “industry integrators” for the betterment of a more efficient and consistent risk management environment.
SCRLC Member Organizations
• Abbott
• AbbVie
• Accenture
• Accutant
• Airforce
• Alexion Pharma
• AMR
• APICS
• Applied Materials
• ASIS International
• Automotive Industries Action Group
• The Boeing Company
• California Emergency Management
• Caterpillar
• Cisco
• Coca Cola
• Council of Supply Chain Management Professionals
• Customer Paradigm
• Dell
• DelMonte
• Department of Homeland Security
• DHL
• DIRECTV
• EMD Millipore
• Essilor
• Expeditors International
• Federal Express
• FoxConn
• Genentech
• General Electric
• Genzyme
• Georgia Institute of Technology
• Glaxosmithkline
• Integrated Risk Solutions
• Intel Corporation
• IntraPoint
• Jabil Circuit
• John Deere
• Johnson & Johnson
• Lenovo
• LMI
• Massachusetts Institute of Technology
• McCormick & Co., Inc.
• McDonalds
• Merck
• Motorola Solutions
• National Institute of Standards and Technology
• Navistar
• Notre Dame of Maryland University
• Procter & Gamble
• RAND
• Rolls Royce
• Sony
• Stanford University
• The Supply Chain Council
• University of Michigan
• VLM Foods
• Wal-Mart
• Zurich


The Climate of Uncertainty Has Grown - Turning the World Upside Down
• Organizations have become more focused on managing myriad risks:
◦ Rapid dynamic change of markets
◦ Fragility of supply chains
◦ Interconnectivity
◦ Interdependencies
◦ Crumbling infrastructures
◦ Political instability
◦ Demographic changes
◦ Climate change
◦ Shift towards intangible assets
◦ Dependencies replacing hard assets
◦ Dispersed employee populations
Risk Managers Need a Change in Attitude to Gain Support
• The days of the risk managers sitting in their siloed office are gone.
• Risk management must be aligned with business strategy and integrated into strategic planning.
• Demonstrate efficiency gains and opportunities.
• Eliminate siloing (stovepiping) of risk management disciplines.
• Define roles of risk professionals.
• Speak the language of business management and be familiar with business concepts.
Value Drivers: Value Chain and Managing Risk
• Understand what is of value to the organization.
◦ Most businesses make most of their profits from a few activities.
• Identify the value chain.
• Identify the risks in the value chain.
• Asset characterization, threat analysis, vulnerability analysis, and criticality-consequence analysis should all be conducted within the context of the value chain and achieving the organization’s objectives.
• Not all risk has negative outcomes; also identify opportunities.
Don’t Forget the Intangibles
• Intangible assets don’t have an obvious physical value.
• They may be very valuable for an organization and can be critical to its long-term success or failure.
• Intangible assets that add value to an organization:
◦ Intellectual property (e.g. patents, trademarks, copyrights, confidential information, know-how, business methodologies);
◦ Goodwill and image; and
◦ Brand recognition.
• How do intangible assets contribute to the achievement of the organization’s objectives?
• Risk management supports innovation and work performance.
Interdependencies Changing Perspectives
• Recognize the weak links in connected systems and value chains.
• Account for interdependencies in risk assessment and strategic planning.
• Supply chain disruptions have cascading effects.
• What are the internal and external dependencies and interdependencies?
◦ How do they differ per location?
• A comprehensive risk picture is a prerequisite for good business management.
Business Management, Not Risk Management
• Overall risk management strategy includes security, crisis and continuity management.
• Risk and resilience management must support the mission of the organization.
• Organizations want to be resilient and agile, not just manage events.
• The organization’s business is doing business.
• Risk managers and practitioners are there to help run the business.


Bottom Line: Risk Managers are Business Managers

Old View      | New View
Event Focused | Objectives Focused


Supply Chain Risk Management as a System
• A group of interacting, interrelated, or interdependent elements forming a complex whole to accomplish a defined objective.
• An integrated set of interoperable elements where:
◦ Each element has explicitly specified capabilities.
◦ Elements work synergistically to perform value-added functions to enable the organization to achieve mission-oriented operational needs in a prescribed operating environment with a specified outcome and probability of success.


Risk Assessment Drives Decision Making
• The risk management process needs a clear governance structure.
• Risk management is based on specific business objectives and is objectives focused.
• Risk assessment is defined in terms of organizational objectives.
• Key performance indicators are linked to business objectives.
• Risk management supports decision making and is therefore proactive.
• Risk management protects and creates value.
Navier–Stokes Equations – Provide the Basis for Risk Management

The Navier–Stokes equations are nonlinear partial differential equations describing almost every real situation.


For Those Who Aren’t into Math: Using ISO 31000:2009 as a Base

ISO 31000:2009 Risk Management

Making SCRM Part of Business Management


Organizational and Supply Chain Context of Managing Risk
• Value generators
• Context of the organization
• Culture
• Supply and value chain mapping – value and risks
• Needs and requirements
• Defining risk criteria
• Defining scope of risk and resilience management system
Understand the Context


Supply Chain Mapping
• Identify the parties involved in the following processes:
◦ Procurement
◦ Production
◦ Packing
◦ Storage
◦ Loading/Unloading
◦ Transportation
◦ Document Preparation


Supply Chain Operations Reference - SCOR Model

(Figure: supply chain tiers, from Tier 2 and Tier 1 suppliers through Your Organization to Channels 1, 2, 3.)


Supply Chain Risks

Supply Chain Process Approach


Risk Management Resources and Mechanics
• Define risk management and assessment methodologies;
• Identify and secure risk management resources;
• Define accountabilities and responsibilities;
• Evaluate time frames and logistics for risk management activities;
• Determine cycles of process and divisions of activities;
• Establish information, data, documentation and communication requirements;
• How will success be defined? How is risk management performance evaluated?


Defining Risk Criteria
• The nature and types of causes and consequences that can occur and how they will be measured;
• How likelihood will be defined;
• The timeframe(s) of the likelihood and/or consequence(s);
• How the level of risk is to be determined;
• The views of stakeholders;
• The criteria to decide when a risk needs treatment;
• The level at which risk becomes acceptable or tolerable; and
• Whether combinations of multiple risks should be taken into account and, if so, how and which combinations should be considered.
Risk Identification
• Risk identification is the process of finding, recognizing and recording risks.
• Its purpose is to identify what might happen or what situations might exist that might affect the achievement of the objectives.
• It includes identifying the causes and source of the risk (threats and hazards), events, situations or circumstances which could influence the outcomes of objectives and the nature of the impact.


Identify the Risks
• Why could something happen?
◦ A cause or factor creating risk
◦ Effectiveness of controls
• Who could be involved?
◦ Individuals or groups associated with the threat, control of risk, and/or impacted by risk
• How could it happen?
◦ A source of risk
• What could happen?
◦ Potential event
◦ Potential consequences
• When could something happen?
• Where could it happen?
Identify the Risks
• Use a well-structured systematic process, because a risk not identified cannot be analyzed.
• Asset/service identification, valuation and characterization.
• Risk identification comprises:
◦ Criticality/impact assessment – ‘what’ and ‘where’ answers;
◦ Threat/opportunity assessment – ‘who’, ‘why’ and ‘when’ answers;
◦ Vulnerability/capability assessment – ‘how’ answers.
Risk Analysis
• Purpose:
◦ Separate minor risks from major ones.
◦ Provide data to assist in evaluation.
• Determine the adequacy and appropriateness of existing controls to manage identified priority risks.
• Prioritize risks for subsequent evaluation of tolerance or need for further treatment.
• Provide a better understanding of the risk treatments necessary to protect the value of critical assets against identified risks.
• Identify opportunities and means to achieve objectives.
Identification Output = Analysis Input


Bow Tie Diagram

(Figure: a bow tie diagram. Left side, “Possible Causes” (Cause #1, Cause #2, Cause #3) with “Actions to Reduce Likelihood” (Treatment 1, Treatment 2, Treatment 3.a, Treatment 3.b); centre, the “Risk Event” with a detailed description of the risk event; right side, “Possible Consequences” (Consequence #1, Consequence #2) with “Actions to Reduce Consequences” (Treatment 1.a, Treatment 1.b, Treatment 2).)

• Clearly distinguishes between causes (likelihood dimension) and consequences (consequence dimension)
• Identifies actions that reduce the likelihood that a risk event will occur
• Identifies actions that reduce the magnitude of consequences if a risk event occurs


Risk Evaluation
• Determining which risks are tolerable, and which risks require control and treatment.
• Criteria for risk evaluation should have been identified in the scope and policy of the management system in consultation with top management.
• Not all risk can be eliminated – what is the cost-effective “As Low As Reasonably Practical” risk?
Risk Evaluation – The Funnel Analogy
• A “box” is filled up with all identified risks, and tipped into a funnel.
• Depending upon the organization’s tolerance for risk, the funnel’s filters will allow different sized risks to fall through the gaps, or remain at the top.
• The way risks are prioritized depends on where they sit in the funnel; the higher they sit, the greater the priority they represent.
• Some risks are so small they fall through the bottom of the funnel and are accepted.
• Levels of risk tolerance may differ between assessments, or across organizations, because of the context.
Risk Treatment
• Risk treatment involves a cyclical process of:
◦ assessing a risk treatment;
◦ deciding whether residual risk levels are tolerable;
◦ if not tolerable, generating a new risk treatment; and
◦ assessing the effectiveness of that treatment.


Risk Treatment Options
• Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
• Taking or increasing the risk in order to pursue an opportunity;
• Removing the risk source;
• Changing the likelihood;
• Changing the consequences;
• Sharing the risk with another party or parties (including contracts and risk financing); and
• Retaining the risk by informed decision.
Selection of Risk Treatment Options
• Balance the costs and efforts of implementation against the benefits derived, with regard to legal, regulatory, and other requirements.
• Consider the values and perceptions of stakeholders and the most appropriate ways to communicate with them.
• Clearly identify the priority order in which individual risk treatments should be implemented.


Performance Assessment
• Evaluate risk management plans, procedures, and capabilities through periodic reviews, testing, post-incident reports, lessons learned, performance evaluations, and exercises.
• Check conformity and effectiveness of the risk management program.
• Define KPIs based on risk criteria and risk assessment.
• Establish and maintain procedures to monitor and measure performance on a regular basis.
• Conduct exercises and testing.
• Establish, implement and maintain corrective procedures for dealing with actual and potential program shortfalls.
• Review any changes (internal or external) that impact the organization in relation to the risk and security operations management system.
• Self-assessment should be conducted against the organization’s objectives.
Maintenance and Change Management (1)
• Review and challenge assumptions made in the risk identification.
• Ensure that any internal or external changes that impact the organization are reviewed.
• Identify any new critical activities.
• Update, amend or change SCRM policy, strategies, solutions, processes and plans, and distribute them to key personnel under a formal change (version) control process.
• Verify that the key people who are to implement the SCRM strategy and plans remain in place.
Maintenance and Change Management (2)
• Examples of procedures, systems, or processes that may affect the plan:
◦ Systems and application software changes
◦ Changes to the organization and its business processes
◦ Personnel changes (employees and contractors)
◦ Supplier changes
◦ Critical lessons learned from testing
◦ Issues discovered during actual implementation of the plan in a crisis
◦ Changes to the external environment (e.g. political, migration, demographic, and social changes)
◦ Other items noted during review of the plan and identified during the risk assessment


Don’t Put the Cart Before the Horse

It’s all about value creation, resilience, and agility in the organization.


Thank You – Questions?

Dr. Marc Siegel
Commissioner, Global Standards Initiative
ASIS International, European Bureau
Brussels, Belgium
siegel@msiegel.net

Robert M. Weronik, CPP
Senior Director, Global Security
Alexion Pharmaceuticals
Cheshire, CT, USA
WeronikR@alxn.com
