Management Engineering - Operations risk management and resilience
Completed notes of the course
Complete course
Index

1. Course introduction
  1.1 What is risk?
    Risk vs. uncertainty
    Aleatory vs Epistemic uncertainty
  1.2 Managing uncertainties in Operations
    Operational risks in buffered operations (old view)
    Operations Risk Management (ORM) approach (new view)
2. Operational Risk concept, models, and management processes
  2.1 Common classification of Operational Risks BY NATURE
  2.2 The Lewis' model of operational risk
  2.3 The anatomy of Operations Risk
  2.4 Bow tie model: an Event-based risk modelling
  2.5 Comprehensive Operational Risk model
  2.6 Business Risk Continuum (BRC)
  2.7 Enterprise Risk Management (ERM)
    2.7.1 Risk homeostasis
    2.7.2 Risk management framework and process
3. Monte Carlo simulation
  3.1 Distribution functions
    3.1.1 Binomial distribution
    3.1.2 Poisson distribution
    3.1.3 Normal distribution
    3.1.4 Triangular distribution
    3.1.5 Central limit theorem (CLT)
  How do we implement Monte Carlo simulation?
4. Supply Chain Risk Management – definition, process, strategies
  4.1 Evonik case
  4.2 Supply Chain and Supply Network, SC Management
    4.2.1 Supply chain visibility
    4.2.2 Definitions of Supply Chain
    4.2.3 Supply chain management
  4.3 Supply Chain Risk definition and classifications
    What is a supply chain risk?
    Hierarchy of Supply Chain Risk Metrics
    What are the different types of uncertainties that concern SC managers?
    Consequences of SC disruptions
  4.4 Supply chain strategy and risk
  4.5 Operational VS Disruptions risk
  4.6 Supply Chain Risk Management SCRM
  4.7 Supplier VS Supply chain risk
  4.8 Process view of SCRM
  4.9 Supply Chain Risk Maturity Model (SCRMM)
5. Supply Chain Risk Management – Risk Assessment methods and tools (1/2)
  5.1 Overview of Supply Chain Risk Assessment methods
  5.2 Risk Management in the sourcing process
    5.2.1 FMEA approach (risk assessment in supplier qualification)
    5.2.2 Supplier segmentation (risk assessment in supplier segmentation)
    5.2.3 Supply risk assessment: business impact of suppliers' vulnerabilities
    5.2.4 Supply risk assessment: One factor models and analysis
MINOR 1
6. Supply Chain Risk Management – advanced practices (2/2)
  6.1 SPTT Risk Map
  6.2 Time-to-Recover (TTR) and Time-To-Survive (TTS) model
    TTR model: estimation of the economic loss
    TTS model: estimation of the time to survive
    TTR – TTS based decision support system
  6.3 The role of smart technologies and Data Analytics in SCRM
7. Hilti case: risk management in the sourcing process
  7.1 Hilti Corporation and its supply chain
  7.2 Sourcing Process (strategical)
  7.3 Sourcing Process (tactical)
  7.4 Business Interruption Risk Management and Consequence-based risk management
  7.5 BI Gas & Electricity
8. Operational and Supply Chain Resilience
  8.1 Nokia-Ericsson Case
  8.2 Dealing with the unexpected: unknown unknowns
  8.3 Resilience conceptualization and definition
  8.4 Disruption profile and resilience core functions
    8.4.1 Sense function
    8.4.2 Build function
    8.4.3 Sustain function
    8.4.4 Reconfigure function
    8.4.5 Re-enhance function
    8.4.6 Resilience Practice Bundles
  8.5 Discussion of Disruption Cases
9. Business Continuity Management and SC resilience
  9.1 General concepts about Business Continuity
  9.2 Methods and techniques to implement Business Continuity
    9.2.1 How to change the culture
    9.2.2 Knowing the business
    9.2.3 Mitigating disruptions
    9.2.4 How to validate plans, solutions, and strategies
    9.2.5 Supply chain continuity cases
10. Business Continuity Management: Business Impact analysis
  10.1 Definition
  10.2 The BIA process
    10.2.1 BIA process
    10.2.2 BIA methodologies
    10.2.3 The output of the BIA
  10.3 Risk assessment (RA)
11. Business Continuity Management: serious game
  11.1 Business Impact Analysis recap
  11.2 Recovery Strategies

16/09/2022

1. Course introduction

Covid-19 was the largest industrial disruption in history: if we look at the situation before 2019 and after, we can see the impact on industrial output (PMI = purchasing managers index). As a consequence of the Chinese lockdown, we had an impact in Europe. We can assess the degree of vulnerability of different production sectors: the more you depend on Chinese exports and the lower your inventory levels (you have fewer buffers), the more you are exposed to the disruption. From this point of view, we could say that electronics is more vulnerable than automotive (data 2020). After 2 years, is this true? No: the pandemic had effects not only on the supply side but also on the demand side --> the automotive sector was much more affected on the demand side (the demand collapsed). Moreover, the automotive sector depends on many other industries --> for example, it is experiencing a shortage of microchips.

The worst disruptions are those that affect both the supply and the demand side. Interdependency between industries creates the opportunity for an escalation of the disruption.

1.1 What is risk?

• Possibility to lose something?
• Making decisions with imperfect knowledge?
• Likelihood that something goes wrong, differently from the plans?

To make decisions, it's not enough to know that something is possible: we want to assess how likely it is --> estimated probability.

Risk = something possible, that may happen with a certain probability and that has consequences. The consequences can be physical (explosion, etc.) or immaterial (loss of confidential information, reputational consequences, etc.). We need to assess the type and the magnitude of the consequences, so the impact, the "severity".

This concept implies that we have expectations and that things may go wrong, so differently than expected.
This concept is the combination of the concepts of "opportunity" and "threat". By definition, risk is neutral, so we could have positive or negative effects. In practice, the use of risk is mainly focused on measuring downsides.

Risk vs. uncertainty

In economics, Knight (1921):
• Risk = event subject to a known or knowable probability
• Uncertainty = event for which it is not possible to specify numerical probabilities ("Knightian uncertainty")

In corporate strategy, Hubbard (2009):
• Uncertainty = lack of complete certainty, so the existence of more than one possibility.
• Risk = a state of uncertainty where some of the possibilities involve a loss, an undesirable outcome.

ISO Guide 73 (ISO: organization that defines the state of the art in many sectors and sets standards):
• RISK = EFFECT OF UNCERTAINTIES ON OBJECTIVES ¹. An effect is a deviation from the expected, positive and/or negative.
• Uncertainty = the state of deficiency of information related to an event, its consequence, or likelihood.

¹ This is the definition we will use.

Aleatory vs Epistemic uncertainty

Uncertainties can be divided into 2 categories:
• Epistemic uncertainty (the Knightian one) = comes from a basic lack of knowledge about fundamental phenomena (ambiguity). To mitigate this type of risk, we can invest in acquiring more knowledge.
• Aleatory uncertainty = stems from variability in known populations and therefore represents randomness in samples. To mitigate this type of risk, we need to change the phenomenon.

1.2 Managing uncertainties in Operations

How do companies manage uncertainties that affect operations? How are they changing their risk management approach?

Operational risks in buffered operations (old view)

→ Companies' operations were always affected by different sources of uncertainty, with implications on competitiveness (market growth, technology innovation, materials and energy prices, suppliers' behaviors, etc.)
→ According to an efficiency-driven operations strategy (until the late 90s), the most common way to cope with these risks was to use other functions in the organization to buffer the operations core of the organization against uncertainties in the external environment.

Buffering the operations means that we set up functions in the organization that ensure stable conditions for the internal processes so that they can maximize efficiency. Each function takes care of a certain type of external uncertainty:
→ The value chain model identifies support activities, aiming at serving the primary business processes where value is created.
→ Several experts claim that lean production (efficiency-driven strategy) is suitable for stable conditions, so with no or low uncertainties and variability.

To sum up the approach of Buffering Operations:
• The operations function is in charge of achieving production objectives in a well-known and stable context, granted by other functions.
• Thus, operations management is charged only with short-term objectives, mainly referred to productivity, quality and safety.
• Operations managers are expected to identify the optimal configuration to achieve the objectives.
• There are no uncertainties, only disturbances (problems) to manage, that deviate the operations from the normal (optimal) functioning.
• Risk is conceived only from a negative perspective (threats).

Major disadvantages of this approach:
1. Communication delays between operations and other functions make change difficult
2. Operations never develops an understanding of the environment, so it never sees opportunities (no real strategic thinking)
3. Operations is never required to take responsibility for long-range impacts of its actions
4. Physical buffering often involves large stocks of input or output resources
5. The reactive approach + tradeoff between protection against disturbances/production relationship led to catastrophic disruptions in the past

Operations Risk Management (ORM) approach (new view)

Nowadays, the increasing complexity of the competitive context is forcing the transition to a new paradigm.

Primary drivers of change:
• Globalization of markets
• Disruptive technologies
• Climate change and circular economy paradigm
• Changes in the geopolitical situation
• Etc.

Main points:
• The operations function is expected to contribute to the company's strategic objectives acting under uncertain context conditions.
• Not only maximize efficiency, but also identify the best way to achieve performance objectives, given a spectrum of possible different operational contexts. There is no well-known, stable, expected context --> there are many different possible future scenarios, so the production and operation capabilities should be able to rapidly adapt.
• Operations management is charged with long-term objectives, mainly referred to value generation.
• The uncertainties to be managed are all the ones that may have an impact on the capability of operations to generate value for the stakeholders.
• Risk can be either positive (opportunity) or negative (threat).

30/09/2022

2. Operational Risk concept, models, and management processes

Every year, the association behind the World Economic Forum (most important annual convention) prepares the Global Risk Landscape Report by interviewing managers, entrepreneurs, etc. from different sectors and asking them what they consider the most critical threats for economic activity. These risks are reported on a map in which the x-axis is the likelihood and the y-axis is the expected impact (economic, social, ecological, etc.). There are different risks.
Different colors represent risks of different nature: for example, green are environmental risks like "climate action failure" and "extreme weather"; in red we can see "infectious diseases" like Covid. The spectrum of uncertainty is very broad.

If we focus on business-related threats and opportunities, a consulting firm, Protiviti, released a survey (825 top managers from all around the globe) about which are considered the "Top risks for 2019" affecting their organizations (so before COVID). These risks are classified under 3 main categories:
• Macroeconomic (external risks that may affect the growth of the business and growth opportunities)
• Strategic (uncertainties related also to the external environment and that may affect the validity of its strategy for pursuing growth opportunities). Number 2., 6., 8., 9., 10. are strategic risks.
• Operational risks (uncertainties connected with the execution of internal processes and the exploitation of internal resources, which may affect key operations of the organization in executing its strategy). Number 1., 4. and 5. are operational risks. 1. is the operational view of risk number 6. and 8. 4. is related to the flow of information (supply chain is also that), so cyber threats may affect the communication process.

If we move from one sector to another, the types of operational risks are almost the same. The level of criticality of these risks can change: the relevance (priority) can change because of the inherent characteristics of these risks and how they affect the specific sector.

In general, IT/Telecom outage is a very important risk nowadays, as we can see from the table. For example, in financial and insurance services the main risk is IT/Telecom outages, while they are less impacted by adverse weather. Instead, in the energy and utility services, the risk of adverse weather is 2nd.
Humanity has become remarkably adept at understanding how to mitigate conventional risks that can be relatively easily isolated and managed with standard risk management approaches, BUT we are much less competent when it comes to dealing with complex risks in the interconnected systems of our world.

The Global Risks Report also highlights how nowadays risks are complex and interdependent: so, it's even more complicated to understand and manage the interdependencies between the risks. Risks are not independent issues that can be ranked in a list; the landscape of risks is an interconnected map. Waterfall effects can happen (no more incremental damage).

2.1 Common classification of Operational Risks BY NATURE

• Technology risk: uncertainties on selection and adoption decisions of available technologies on the market, or uncertainties on our ability to make internal decisions in terms of acquisition or disposal of technology; a risk, for example, is obsolescence. Industry with the highest technology risk: electronics, because it's very difficult in that industry to keep pace; also, automotive.
• Information risk: uncertainties related to the ability to create and store data and to manage flows; an example of risk is cyber-attacks.
• Supply chain risk: logistics-related disruptions like disruption of infrastructures or poor inbound quality from the suppliers (other uncertainties related to suppliers are delays and completeness). Supply chain risks are also strategic risks, such as strategic relations with the suppliers (e.g. bargaining power).
• Occupational risk: employee-related uncertainties like availability of certain professional profiles, human capital, skills at a sustainable cost. Injuries and professional diseases are risks of this category.
• Environmental risk: extreme weather events that may affect our ability to execute the processes, or the risk that our processes may affect the environment (the environment could be the source of uncertainty or the target of some risks --> ambiguity)
• Organization risk: …
• Production risk: …

Other types of operational risk classifications (other than the one by nature) are:
→ From a Supply Chain perspective (distinction between demand risk, production risk, supply risk, environmental risk, etc.)
→ In Enterprise Risk Management (distinction between internal and external risks)
→ In Financial services (distinction between internal and external risks)

We see significant differences in the risk registers of enterprises in different sectors. The ambiguity in listing risks as "operational" is not just because of a lack of expertise but also because of the inherent limits of using a classification (by setting boundaries we are not considering similarities, and different people may have different interpretations).

2.2 The Lewis' model of operational risk

According to Lewis (2003), an operational risk is "any possible misalignment from the level of internal operational capabilities of a company, to the level of external market requirements". For example, the production capacity is an example of operational capability, and the market demand is the market requirement. Other operational capabilities are time, quality, time to market, cost, production capacity, also the level of innovation in the product, etc.

We can define a "line of fit" that represents the points in which the level of internal operational capability meets the level of market requirements.

Disturbances and uncertainties can push the company outside the line of fit. So, an operational risk "is an uncertain event or factor with the potential to push the company outside the line of fit".
If the company moves to the left, it means that the level of operational capability is lower than required by the market. Region of external losses --> opportunity costs. For example, when your production capacity is lower than required, you are not exploiting a certain share of the market.

If the company moves to the right, the level of operational capabilities is higher than required. Region of internal losses --> inefficiencies (ROI decreases, so underutilization of the CAPEX, or OPEX are higher than needed). For example, more quality than the market recognizes or higher production capacity than needed.

• Company A experienced a reduction in a core operational capability (A') under stable market requirements, resulting in significant 'external' losses (customer dissatisfaction, switching, opportunity costs, etc.)
• Company B expanded its operational capability to capitalize on forecast demand growth (B'). Unfortunately, the market grew more slowly (B''), resulting in 'internal' losses (excess capability, underutilization, etc.)

2.3 The anatomy of Operations Risk

Concept of risk in the context of safety risk, so to analyze the possible impact of hazardous threats.

A correct definition of operational risk needs to be grounded on a coherent risk concept (definition) and model. In some operations management domains (e.g. safety/security, SCRM) risk is defined as "the potential for (probability of) loss or harm resulting from the exposure of a vulnerable target to a hazard/threat".

• Risk = event that may happen when a threat (entity with the potential to induce a loss) meets a vulnerable target.
• The target can be tangible or intangible: like an employee, or the company's confidential information that may be exposed to a hacker (the hazard), and the event is a cyber-attack. Another target could be the company's reputation, the threat a supplier with very bad labor conditions.
• Hazards are entities that have the potential to create loss or harm when they meet the target.
• Probability that the event occurs * level of impact.
• Risk source = entities that may create a hazard or a threat. For example, a source could be a supplier that causes a delay or a poor-quality delivery (the hazard).
• Risk causes = mechanism through which a risk source creates a hazardous condition.

Key definitions:
→ Target: the entity (person, plant, ...) or value/objective (revenue, privacy, reputation, ...) we want to safeguard/achieve.
→ Hazard: source of potential harm (ISO GUIDE 73:2009)
→ Vulnerability: intrinsic properties of something [target] resulting in susceptibility to a risk source that can lead to an event with a consequence (ISO GUIDE 73:2009)
→ Event: occurrence or change of a particular set of circumstances (ISO GUIDE 73:2009)
→ Source (of risk): element which alone or in combination has the intrinsic potential to give rise to risk (ISO GUIDE 73:2009)
→ Causes (of risk): the ways a source, or a set of sources, may combine to generate an event.

Example:
→ Target: production plant
→ Hazard: energy supply
→ Hazardous condition: energy shortage or unavailability of energy at a sustainable price
→ Source (of risk): energy market itself, internal power generation
→ Causes (of risk): energy shortage or energy price, incidents, disruption in the transmission network, etc.
→ Consequences: complete shutdown of the plants or margin erosion and loss of revenues (because we are producing at a higher price).

2.4 Bow tie model: an Event-based risk modelling

When we conceptualize risk, we refer to the concept of "risk event". Risk is associated to an event. The risk analyst decides which is the event: based on the identification of the location of the event, we can identify what comes before (causes) and what comes after (consequences). Event-based definition of risk --> bow tie model.
• On the left side, we have the domain of countermeasures and preventing measures: risk is mitigated through prevention.
• On the right side, we have protective intervention: so, risk is mitigated by reducing the severity of the consequences.

Through this perspective of an event-based definition of risk, we assign to an event a certain probability to occur and a certain severity.

Risk = risk/likelihood/probability * severity

In a continuous domain, a hyperbolic curve represents a constant risk: all the points on one curve represent events that have the same risk --> "iso-risk curves".

More frequently in industrial practice, we refer to a discrete domain: probability and severity are defined through scales with 5 levels --> we assign a risk event to a cell within a matrix. We can find "iso-regions" that have the same risk level. Above a certain curve or outside a certain region, called the "acceptable line" or the "acceptable region", the risk is too high.

2.5 Comprehensive Operational Risk model

In the business domain RISK is defined as the "effect of uncertainty on objectives". If we consider the value chain (core processes that create value for the company's stakeholders), any kind of event that introduces a variation in the value chain, so in the core processes, results in a variation in the operational objectives. We can measure the consequences of a certain event.

Strategic objectives are translated into operational objectives, like productivity, delivery time, time-to-market, environmental and safety objectives, etc.

Operational risk = any variation to one or more core process capabilities of a company that translates into a variation in the value chain.
There are different sources of this risk: they can be internal, so within the value chain itself (inner-core causes), or ancillary process causes (inner no-core causes, internal to the organization, support processes), or external causes (authorities, suppliers, factors outside the boundaries of the organization, etc.).

• Core process. It is a set of activities that directly contribute to generating value for the company (value chain). It is the company’s mission that defines what a value is, and the nature of the value defines what a core process is.
• Ancillary processes. Any additional process needed to support the core process of the company. An ancillary process contributes to value generation indirectly.
• Variation. Any modification to the planned course of action in a core process that may have an impact in terms of value generation. Risk is neutral: value variation may be positive or negative.
• Cause of risk. Any real event acting as a trigger for hazards (-) or opportunities (+) on core process variations. With reference to the boundaries of the organization, causes are classified as: Inner-core causes, Inner-no core causes, and External causes.

Operational Risk results from any uncertain event that would influence internal processes, people, systems or external resources, causing a variation of a core operating, manufacturing or processing capability of the company, quantifiable in terms of value variation.

Compared to Lewis’ model, this model better defines the operational capabilities we are interested in: the ones that are linked to the core processes of the company. The target is a core operating capability of the company. Depending on the company’s business model, we can know which are the core processes and, based on that, we can identify which are the possible variations of them, so the operational risks.

DISCUSSION OF SOME CASES

These are events; they are not risks.
For each case:
• Classify the type of event in terms of the nature of the operational risk
• Apply the Lewis model to investigate the type of operational risk (internal or external loss, which are the factors?)
• Apply the Value-based operational risk model

CASE 1

On 2 December 1984, the Union Carbide (India Limited) pesticide plant in Bhopal [2] released quantities of poisonous methyl isocyanate gas into the atmosphere. Estimates of the number of fatalities range from 3,000 to 10,000, with up to half a million injuries. Two investigations were launched (one by the firm, the other by the Indian government) which came to very different conclusions about the cause of the leak. Regardless of the specific cause, it is significant from an operations perspective that the plant had only ever operated at 50% capacity because of declining global demand. The resultant cost pressures prompted managers to cut back expenditure on a range of facilities management practices. Apart from the horrific human costs of the tragedy, Union Carbide was exposed to potentially massive compensation claims and faced a product boycott in many of its markets.

[2] One of the largest industrial accidents because of a leakage of a highly toxic substance.

• Nature of the operational risk:
o If the label points at the target affected: environmental or occupational operational risk, because environment and employees were affected.
o If the label looks at the hazard: production risk is the more correct one, because the hazard was poor maintenance.
• Lewis’ model: the company invested in this huge facility to cope with the growing demand (from 1 → 2, increasing production capacity). Unfortunately, demand grew slower than expected, so they had inefficiencies because of excessive capacity. To go back to the line of fit, they reduced the OPEX by implementing measures like reducing maintenance staff and employees (2 → 3).
They cut too much, so they jumped into the area of external losses: environmental effects and fatalities among employees and citizens.
• Core process model: the core process that was affected is “plant operations and production”. The effects on operational objectives concern productivity, as production was stopped, and safety and environmental performance. The causes that led to the event are internal causes, but non-core causes: cost-cutting programs and poor maintenance policies.

CASE 2

In 1990 IBM posted US$ 6 billion profits and by 1992, the largest loss in US corporate history: US$ 4.97 billion! This reflected a series of poor decisions over the previous decade. As the computer industry shifted towards personal computers, IBM launched its first PC in 1981 and it proved to be a great success. As they attempted to build on this opportunity, they made two fundamental supply chain miscalculations. (1) They passed up an option to acquire the operating system that became DOS, leaving Bill Gates to buy it for US$ 75,000 (they also signed a joint development agreement with Microsoft in 1985 that excluded their new project, Windows). (2) Intel’s 80386 chip promised to be the fastest, most powerful processor on the market, but IBM prevaricated over the decision of whether to source this product. Through this action they diminished their influence over a firm that would eventually dominate hardware standards and in 1986 allowed Compaq (at that time a small firm) to launch a superior 80386-based machine directly against their PC range.

• Type of operational risk: it can be either a technology risk (they decided not to acquire the operating system, wrong technical component) or a supply chain risk (they decided not to use Intel as a supplier for the chips in their PCs, wrong sourcing decision). It depends on where we set the boundaries between different operational risk categories.
• Lewis’ model:
• Core-process model:

2.6 Business Risk Continuum (BRC)

When we expand the perspective from operational risk to business risk, we need to pay attention because some definitions may change in importance.
In the past, risk managers were tasked with focusing on managing the downside aspects of risk. Consequently, the focus has often been on managing or controlling hazards. While these are important, they need to be complemented by an approach that views risk in its upside potential.
Looking at the spectrum of business risk within an enterprise, there is a continuum: for example, talking about compliance and prevention (for different types of risk), we don’t have opportunities but only negative aspects and threats. People taking care of this uncertainty have to manage risk. Instead, people working on strategic initiatives, who therefore deal with strategic risks, mainly define risks as opportunity risks. Operating performance risk can be both positive and negative.

2.7 Enterprise Risk Management (ERM)

Enterprise Risk Management (ERM) is a systematic approach (tools and methods) addressing all of a company’s risks at an enterprise or strategic level. Managers of the functions manage these risks.
Major areas of risk in ERM (not only operational risk, but also market risks, counterparty risks, etc.):

Companies have a risk register in which the main risks for the enterprise are listed and classified. Preventive and monitoring procedures for the risks are also listed.

Risk appetite = maximum amount of risk a company is able to pursue or retain and manage, no matter the profit we can get from a certain risk exposure. It depends on how risk-prone or risk-averse the decision maker is. It is an absolute value.
Risk tolerance = relative threshold, amount of risk an organization is ready to bear and accept after risk mitigation in order to achieve its objectives. This amount is needed and must be lower than the risk appetite.
Risk tolerance must always be lower than risk appetite.

2.7.1 Risk homeostasis

Having to deal with threats and opportunities, it’s important to consider the risk homeostasis phenomenon: that is, how decision makers adjust their risk decisions according to dynamic, external conditions.
Homeostasis is a regulating process that keeps the outcome close to the target by compensating for disturbing external influences. Decisions under uncertainty are taken under the homeostatic principle: the decision maker takes decisions trying to keep the risk under a certain level.
Risk homeostasis: the degree of risk-taking behavior maintained over time unless there is a change in the risk appetite.

The relationship between risk exposure and utility:
• When risk is used to measure opportunities, the higher the risk, the higher the expected utility. This relationship is not linear because there is a saturation effect. Utility is not infinite if we are exposed to an infinite risk.
• When risk measures hazards and threats: the higher the risk, the higher the potential losses. The relationship is more than linear: escalation effect because of the interconnection between different risks.
• The net utility (gains – losses) is the black line: at lower risks, it follows the green curve; at higher risk, it follows the red line. There is a level of risk exposure that corresponds to the maximum net utility we can get. As a decision maker, it doesn’t make sense to take more risk than this because we will be lowering our utility, nor to take less risk, unless this risk is higher than the risk appetite --> in this case we should align our risk appetite to the risk tolerance (the maximum level of risk we are willing to take to maximize the utility).
If we invest some money in risk mitigation to fix some potential losses (so to mitigate some threats, so we invest in protection/prevention) --> the expected loss curve goes up (dotted red line) --> the net utility curve goes up --> the maximum of the net utility is higher --> higher risk level.
The risk mitigation investments are not intended to lower the risk exposure, but to increase the net utility (so to gain more) at a higher risk tolerance level.
This only happens when risks are associated with both threats and opportunities: when there are only threats, we can only work to lower the risks!

2.7.2 Risk management framework and process

Risk management process:
1. Set the boundaries of the relevant environment, of the “universe”, typically set by the managers.
2. Search for risks: risk identification within the risk universe.
3. Risk analysis: identification of sources, causes and consequences associated with the risks. This is important for 2 reasons:
o Risk evaluation: based on this analysis, we can assign the probability and the severity of the risks identified.
o To orient options and decisions: in terms of choice of the risk treatment, we need to know causes to implement preventing methods.
4. Risk evaluation
5. Risk treatment:
o Acceptance (accept that level of risk)
o Transfer (someone else will undertake the risk): contractual clauses can allow risk to be transferred from one party to the other (insurance and financial products)
o Protection (you take the risk but take solutions to mitigate consequences)
o Prevention (countermeasures to limit the probability of occurrence)
o Avoidance (find a way to not be exposed to that risk)
You start from the bottom: try to implement avoidance --> then go up --> if there is nothing to do, you just accept the risk.

Risk register
o Inherent risk: level of risk without countermeasures, probability and severity of the risk before treatment.
o Actual risk level: based on the expected effectiveness of the treatment
o Target risk level

7/10/2022

3. Monte Carlo simulation

We use Monte Carlo simulation to learn how to incorporate uncertainties in an annual budget and to set the expected performance of the company.
• The Monte Carlo method is a statistical technique used to substitute for the lack of empirical observation of the phenomenon.
→ In place of empirical (observed) values, this method uses values obtained from specific mathematical distributions, chosen to represent relevant parameters of the problem through generation of suitable random numbers.
• The method is useful for obtaining numerical solutions to problems which are too complicated to solve analytically.
• It is a non-parametric statistical method.
• In the context of Risk Analysis, it is used to estimate:
o the expected value of a performance parameter,
o occurrence / recurrence of a given scenario,
o or to estimate the uncertainty associated with such parameters under uncertain conditions, e.g. input parameters.
• Measures (Indices) of Central Tendency and Dispersion are estimated from a hypothetical sample obtained by simulating random sequences of the representative model of the problem.
• According to the law of large numbers, the average of a sample converges (in the stochastic sense) to the expected value of the population average when the size of the sample increases. For this reason, the arithmetic average is a good estimate of the expected value μ.

We create an analytical model of the problem, and we model the input parameters with distribution functions, so that we can generate instances of these parameters to feed the model and obtain the risk parameters we are interested in.

3.1 Distribution functions

3.1.1 Binomial distribution

Describes the behavior of a count variable X if the following conditions apply:
• The number of observations n is fixed.
• Each observation is independent.
• Each observation represents one of two possible outcomes ("success" or "failure").
• The probability of "success" p is the same for each outcome (probability of the “failure” q=1-p).
If these conditions are met, then X has a binomial distribution with parameters n and p, abbreviated B(n,p).
The binomial distribution gives the discrete probability distribution of obtaining exactly x ‘successes’ out of the n observations (trials).
C(n,x) is the Binomial coefficient; it stands for the number of possible combinations, that is, it computes the number of ways in which the outcome can occur (x out of n).

3.1.2 Poisson distribution

Many situations occur in which we observe the counts of events within a set unit of time, area, volume, length, etc. Examples: car accidents; rare diseases; number of typing errors on a page; failure of a machine in one month; probability of a stockout, queuing models, etc.
To answer the question whether the events occur randomly or not, simply looking at the histogram isn’t sufficient. We need a probability model for the distribution of counts of random events that dictates the type of distributions we should expect to see.
The Poisson distribution is a discrete probability distribution for the counts of events that occur randomly in a given interval of time (or space).
If we let:
X = [The number of events in a given interval]
And if the mean number of events per interval is λ
The probability of observing x events in a given interval is given by:

In practical applications the Poisson should only be used where the number of events observed is reasonably large (typically >25, and preferably >100) and the probability of an individual event occurring at any particular time or place is small (typically uniform probability distribution function because all the values between “a” and “b” are equally probable: Ex. when we roll some dice.
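An added example, not part of the original notes: a Monte Carlo model that combines two of the distributions above, a Poisson count of machine failures per month and a uniform loss per failure, and shows the sample average approaching the analytic expected value as the sample grows. The failure rate, the loss bounds, the threshold and all function names are assumed values chosen for illustration, and the Poisson sampler uses Knuth's method.

```python
import math
import random
import statistics


def poisson_sample(rng, lam):
    """Draw one Poisson(lam) count with Knuth's multiplication method."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def monthly_loss(rng, lam, low, high):
    """One simulated month: Poisson number of failures, uniform loss per failure."""
    failures = poisson_sample(rng, lam)
    return sum(rng.uniform(low, high) for _ in range(failures))


def analytic_expected_loss(lam, low, high):
    """E[loss] = E[number of failures] * E[loss per failure] = lam * (low + high) / 2."""
    return lam * (low + high) / 2


def simulate(n_months, lam, low, high, threshold, seed=1):
    """Run n_months independent replications and summarise the simulated sample."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    losses = [monthly_loss(rng, lam, low, high) for _ in range(n_months)]
    return {
        # Central tendency: the sample mean estimates the expected loss.
        "mean": statistics.fmean(losses),
        # Dispersion of the estimate: standard error shrinks as 1/sqrt(n).
        "std_err": statistics.stdev(losses) / math.sqrt(n_months),
        # Occurrence of a scenario: share of months with loss above the threshold.
        "p_exceed": sum(loss > threshold for loss in losses) / n_months,
    }


if __name__ == "__main__":
    # Assumed inputs: 3 failures per month on average, each costing
    # between 10 and 50 (thousand euro), scenario of interest: loss > 150.
    LAM, LOW, HIGH, THRESHOLD = 3.0, 10.0, 50.0, 150.0
    print("analytic expected loss:", analytic_expected_loss(LAM, LOW, HIGH))
    for n in (10, 20, 10_000, 20_000):
        r = simulate(n, LAM, LOW, HIGH, THRESHOLD)
        print(f"N={n:>6}  mean={r['mean']:8.2f}  "
              f"std_err={r['std_err']:6.2f}  P(loss>{THRESHOLD:.0f})={r['p_exceed']:.3f}")
```

The small samples give estimates that swing widely around the analytic value, while the large ones settle close to it, which is the law of large numbers at work on the model output.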
3.1.5 Central limit theorem (CLT)

What happens to the output variable of the Monte Carlo method when we combine different inputs?
The linear combination Y of N normally distributed variables X1, …, XN is still normally distributed. But what happens if the Xi follow some other non-normal distributions?
The Central Limit Theorem (CLT) states that the sampling distribution of the mean of any independent, random variable will be normal (Gaussian) or nearly normal, if the sample size is large enough, regardless of the distribution of the underlying random sample.
In fact, the CLT applies regardless of whether the distribution of the Xi is discrete (e.g., Poisson or Binomial) or continuous (e.g., Exponential or Chi-square).

What is “sufficiently” large? The number of samples depends on the skewness of the distribution:
→ If the distribution of the Xi is symmetric, unimodal or continuous, then a sample size n as small as 4 or 5 yields an adequate approximation.
→ If the distribution of the Xi is skewed, then a sample size n of at least 25 or 30 yields an adequate approximation.
→ If the distribution of the Xi is extremely skewed, then you may need an even larger n.

Examples: 24.33
(1)
• In an experiment we roll a die and register the value (x)
• We repeat the test 500 times (n)
• The distribution of the observations is uniform (all the numbers between 1–6 are equally possible).
(2)
• In three experiments, we roll 2 dice (5, 10, and 30 times respectively) and at each throw we register the sum of the values (x)
• We repeat the experiments 500 times (n)
• The arithmetic mean distribution X tends to a normal (if n>30)
3 different linear combinations of 2 variables uniformly distributed.

How do we implement Monte Carlo simulation?

Example
Suppose we wanted to determine the price for the participation in a lottery which consists of a single roll of a regular 6-sided die.
The prize that will be given corresponds to the number that comes out (€ 1 if the die shows 1, € 2 if the die shows 2, and so on). Our task is to determine the fair value for the participation in such a game, so the participation price that would make the game fair (equalize gains and losses).

ANALYTICAL SOLUTION
The fair value is the MEAN value of the outcome of the lottery:
Fair value = 1*1/6 + 2*1/6 + 3*1/6 + 4*1/6 + 5*1/6 + 6*1/6 = (1+2+3+4+5+6)*1/6 = 3.5 €

MONTE CARLO METHOD
Generate a random number between 1 and 6 = RANDBETWEEN(1;6)
We repeat the experiment with a different number of samples.
[Figure: simulation results for N=10, N=20, N=10000 and N=20000]

14/10/2022

4. Supply Chain Risk Management – definition, process, strategies

Today we approach risk management from the supply chain perspective. The fragmentation of the value chain in many sectors makes the operations deeply intertwined. More and more frequently within companies, the management of operations risk is fully embedded in the SC management perspective.

4.1 Evonik case

In March 2012, the auto industry [3] was rocked by a shortage of a specialty resin called nylon 12, used to manufacture fuel tanks, brake components, and seat fabrics. This was attributed to the fact that the key supplier, Evonik [4], had experienced a devastating explosion in its plant in Marl, Germany. It had taken Evonik six months to restart production, causing downstream production facilities of Ford and other major automakers to be severely disrupted for that period of time.

The role of Evonik inside the SC is a tier 2 or 3 supplier (depending on who we are referring to):
If we refer to the use of nylon 12 to manufacture fuel tanks, Evonik is a tier 2 (supplier of the producer of the tank, which is tier 1 for the car manufacturers).
If we consider the braking system, Evonik could be a tier 3 if the manufacturer of the brakes is not the one who assembles the braking system.
Because of this positioning in the upstream part of the SC of the automotive sector, and the level of concentration of the production of a critical component --> Evonik’s problems affected a lot of car-making companies like Ford, because it was heavily relying on that specific plant.
Evonik was a critical supplier (one supplier controlling up to as much as 75% of the feedstock + car makers couldn’t easily switch from one supplier to another because the component was critical for the car safety, so it was not easy to get another one approved quickly) --> even a small SC disruption caused by a localized event may have huge consequences across global SCs and sectors:
• No control of causes of events in the SC
• Only control over consequences of the events in the SC

[3] One of the most severe SC disruptions that affected the automotive industry. Nowadays, there is another problem, which is the shortage of chips and micro-processors.
[4] Evonik is a large conglomerate company, and it is serving different downstream markets, among which the automotive one.

4.2 Supply Chain and Supply Network, SC Management

4.2.1 Supply chain visibility

The issue of SC visibility is a big topic in terms of SC risk management and prevention. If we look at the survey conducted by the BCI, the main supply chain vulnerability trends are:
• In 2013: 58% of disruptions occur at tier 1, 32% at tier 2 --> direct suppliers of the focal company, full or almost full visibility.
• In 2017: 44% of disruptions at tier 1 --> the majority of disruptions occur at level 2 or higher, so the proportion is now completely different.
So, the number of disruption events that are triggered by actors on which the focal company does not have visibility is increasing.
4.2.2 Definitions of Supply Chain

• (Stevens, 1989) “A system whose constituent parts include material suppliers, production facilities, distribution services and customers linked together via the feedforward flow of materials and the feedback flow of information.”
• (Poluha, 2007) “A supply chain, logistics network, or supply network is a coordinated system of organizations, people, activities, information and resources involved in moving a product or service in physical or virtual manner from supplier to customer. Supply chain activities transform raw materials and components into a finished product that is delivered to the end customer.”

From a risk management perspective, SC refers to coordination, collaboration, and communication at different levels: between organizations and intra-organization (also among people in different functions/organizations, and proper flow of resources and information along the supply network).

Supply chains are usually represented in a linear way, but this is not actually true. In many sectors, we have supply networks: for different market segments/product families we can see an exchange of roles, for example, so there are interconnected relationships, and it is not always easy to understand the positioning of an actor in a network.
More complex supply chains are also due to the growth of circular value chains and business models --> significant and rapid changes, new roles in the value chain and also in the reverse value chains. Different sectors see different incumbents.
Ex. automotive sector. Who is going to be the leading company in the reverse value chain in the management of batteries? It’s a competition between car manufacturers and battery manufacturers. Different actors are developing different strategies.
4.2.3 Supply chain management

• (Tang, 2006; Ritchie and Brindley, 2000) “The management of material, information and financial flows through a network of organizations (i.e., suppliers, manufacturers, logistics providers, wholesalers/distributors, retailers) that aims to produce and deliver products or services for the consumers. It includes the coordination and collaboration of processes and activities across different functions such as marketing, sales, production, product design, procurement, logistics, finance, and information technology within the network of organizations.”

Collaboration and coordination between organizations and intra-organization (manage resources, people, information) are the key to having an effective and efficient SC. This is relevant not only for the regular decisions, but also for risk management.

4.3 Supply Chain Risk definition and classifications

What is a supply chain risk? Risks in a SC are a specification of operational risks.
Operational risk = risks that result from any uncertain event that would influence internal processes, people, systems, or external resources, causing a variation of a core operating, manufacturing, or processing capability of the company, quantifiable in terms of value variation.

Risks in the SC stem from uncertainties and disruption between organizations connected in the end-to-end value chain that may influence the 3 main flows in a SC:
• Materials/products/services (goods)
• Information
• Cash

The sources of risk are potentially all the key processes and functions undertaken by all the organizations involved in the supply chain at different tiers.
The Supply Chain Operations Reference Model (SCOR) can be taken as a reference:

Hierarchy of Supply Chain Risk Metrics

SC risks can be quantified by looking at the SC metrics that the company uses to measure the performance at an operational level: for example, we can measure risks in terms of delay in the delivery, quality issues, probability of stock out, etc. Or we can measure the expected impact at the economic level, for example the expected losses due to a certain event.
Example: energy crisis. This phenomenon directly affects production processes and also, indirectly, the cost of energy, which may introduce additional vulnerabilities depending on how energy intensive you and your suppliers are. Companies may want to investigate how much of their sales and of their net profit is at risk.

• Top tier: supply chain health assessment --> this is the highest level, at which executives can assess with 3 metrics the overall health of the SC and the high-level tradeoffs a company might be making.
• Midlevel: supply chain diagnostic --> this level uses a composite cash-flow metric to provide an initial diagnostic tool.
• Ground level: supply chain effectiveness --> this level uses a variety of functional metrics to support effective analysis and allow surgical, highly efficient corrective action.

To sum up: Supply Chain risks are operational risks that stem from any possible uncertainties or disrupting events that may cause a variation in the core SC processes, and the impact on the objectives can be measured at different levels of this hierarchy of KPIs normally used to monitor, plan, and improve the performance of the SC.

What are the different types of uncertainties that concern SC managers?
In terms of severity of the impact that events may have on the SC, the top 4 events in 2017 are:
• IT or telecommunications unavailability
• Cyber threats and data breach
• Loss of talent/skilled workers --> more relevant after the pandemic
• Failure of key suppliers or outsourcers (due to economic difficulties a