Optimism Bias towards Risks
Humans, by nature (at least a large percentage) are optimistic about future. But this optimism becomes dangerous when it leads to the belief that "it won't happen to me". That's why many people are under-insured, overspeed on the roads or walk freely without masks & precautions during Covid pandemic.
The same optimism bias translates into the approach towards managing risks in the business. Which parts of the business have the maximum exposure to the risks? No points for guessing right - Supply Chain and Finance. While a structured framework of identifying and controlling Financial risks exists in every business, the Supply Chain risks are left to the fait accompli. The reason is the optimism bias, "It never happened to us, why should we even bother", until one day it happens. The "long term" risks management loses the battle to the "short term" costs savings, when it comes to choosing one over another.
Why Supply Chain is a major source of business risks?
What percentage of end to end supply chain is controlled by one company? Hardly much!
With increasing outsourcing of Supply Chain including the manufacturing operations, the extent of direct control of the focused firms is continuously reducing. There have been number of instances of violation of compliances and norms by the contract manufacturers and outsourcing partners, leading to both loss of business and reputation.
The reasons why Supply Chain is becoming a major source of business risks, are:
According to a study done by Supply Chain Insights LLC, the factors contributing to the. supply chain risks have changed over last 5 years. According to the study, in 2013, 80% of the supply chain leaders accepted to have been impacted by, on an average, 3 material disruptions. The source of most critical risks in the near future will be from Operations Complexity, Regulatory Compliance and Geo-politics events.
How should one prepare for disruptions?
1. Shed Optimism Bias: This step requires a "foresight" into the changing environment and its potential impact on the entire value chain. The value chain includes your tier 2, tier 3 suppliers if these can't be easily and quickly switched-over to the alternative sources. These risks may have profound impact on the strategic supply chain decisions e.g. how many and which suppliers, logistics partners you will have for a category, the design of distribution network, location of the supply chain facilities, the inventory holding etc.
2. Identify Risks in Operations: Map the processes so that you have visibility of what happens in your operations. Process mapping is a useful tool for risk assessment and continued risk management by enabling business owners to better understand the processes and controls associated with identified risks. Once the processes have been mapped, then assess what may go wrong, what could be impact on the business and what controls exist to prevent the short-cuts & leakages. Prepare a Risk Register and update it periodically.
3. Structure Audit Programs to check the effectiveness of Process Controls: Operational audit or Internal audit has been effective and a tested technique to test the effectiveness of the process controls and risks management. Higher the perceived risk, higher is the periodicity of audits required. However, most of the companies have a very rudimentary system of conducting the audits, using pen & paper or excel sheets that do not provide end to end visibility into the audit management program. Also, few companies use an integrated audit management system that assesses the gaps and tracks the linked corrective & preventive action plans to plug the gaps. Implementing such an integrated system may not cost much but may give multiple times ROI in preventing the process control failures.
Operational or Internal Audits in most of the companies are riddled with long established manual processes, which results into high audit cost of in-house resource, lack of end-to-end audit visibility, and gaps in compliance.
Another gap in the audit process is that it is mostly focused on the internal operations. In the areas of outsourced logistics and sales channels, the audit means only inventory counting, as-if that is one and only risk that exist in the logistics operations. There are whole lot of risks in the categories of safety, security, legal and regulatory compliances, product quality, process adherence that are mostly ignored. What about the supplier audits? How many key suppliers are audited for a comprehensive risks assessment? A structured and automated audit workflow management e.g. SIMSA, based on the framework of operational excellence (Plan, Do, Check and Act) is a best practice to identify and mitigate risks in the operations.
4. Constitute a Risks Management Committee: A committee of senior management as well as independent board members should look into the overall effectiveness of the risks management, assess the risks associated with the gaps observed in various audits and monitor whether the gaps are being closed in a time bound manner. The committee also sets the risks management guidelines, policies, define the roles and responsibilities of the frontline and supporting roles in risks management and approves major decisions involved in the risks mitigation.
5. Build Agility and Resilience in Supply Chain: Despite taking all the possible measures internally, the external disruptions cannot be ruled out. Agility is about how quickly you can shift gears to counter the impact of any disruption. Resilience is the ability to bounce back to business as normal after encountering the disruptive event. Building agility and resilience requires proactive planning involving "what-if" scenarios and preparing a response for each scenario. Systemic use of predictive analytics and market intelligence involving weather data, port & transportation strikes, geo-political situation & impact on trade-policies / duties etc. go a long way in minimising the "time to recover" in the event of disruption.
Given that the frequency and impact of supply chain risks is increasing by the day, the risk management should be one of the top 3 priorities for any company. A structured risk management and business continuity planning is not just an option but a business imperative to survive and become more resilient to the shocks of disruptions.
Warehouses are no longer old dilapidated buildings in dingy lanes, conventionally used for the storage purpose. Warehouses today are part of optimal flow of goods, have increasing levels of complexity & automation, and play a strategic role in fulfilment of customer demand. Increasingly, warehousing operation is encompassing activities like postponement, packing, light manufacturing, sortation, cross-docking , reverse logistics, after sales service, orders fulfilment etc. Also, with use of information technology and automation, the need for the skilled manpower has gone up, which is not easy to find.
The increased level of warehouse complexity and activity also means more exposure to various kinds of risks. Though there are no statistics available for country-wide warehouse incidents but one could assess the gravity of the situation from news reports, while a majority of incidents are not reported. Unfortunately, barring few industries that are quite sensitive to risks across supply chain, most of the companies leave the risks management to their 3PL or don't bother at all. Few 3PLs put in place some common and basic safety & security procedures in place but is it what is needed for effective risks management?
Image: Fire incident in a warehouse in Delhi on Oct 6, 2020 (Image Source: ANI)
Let's first understand what risks warehouses are exposed to. The risks span from Safety, Security, Quality, Service, Regulatory, Legal, Financial, Environmental etc. The risk profile of a warehouse is determined by 3 major factors:
- Selection and location of a Warehouse: The risks associated with quality of building construction and quality of construction material used, cannot be easily identified and mitigated. The flooding of the surrounding area and seepage of water from the walls, flooring are the most commonly found issues in a warehouse. The problems get compounded with extreme weather events & intensity of rainfall. What was built for normal weather may not sustain under extreme weather events. The water drainage from roof gutters or stormwater drain may lead to water flooding & seepage. The warehouse situated in the cyclone prone area should have cyclone resistant design & construction. The same holds true for the strength, joints & quality of flooring, quality of electrical wiring & fixtures, fire control system etc. From the location perspective one needs to assess legal & regulatory compliance, potential of political interference, security environment, proximity from the fire station & hospital etc. Once a warehouse facility is decided, the associated risks are fixed during the period of occupancy, which are hard to mitigate. Therefore, a thorough due diligence and SIMSA automated audit workflowusing an exhaustive & standard checklist is a must before zeroing on the location & type of facility.
- Warehouse Layout, Fixtures & Equipment: Starting with the external flow of vehicles in the warehouse, space for parking of vehicles, designing of internal flow of people & equipment, providing enough space for various activities to prevent crowding go a long way in preventing major accidents. Putting up the right fixtures and using MHE based on the load requirement, built-in safety features and their regular maintenance determine the levels of risks. The warehouse layout & design would not only determine the safety, security hazards but also the productivity & turnaround time. If you are going for ready to use warehouse facility, it makes sense to use a checklist based assessment to compare various options.
- Warehouse Operations: The third category of risks emanate from how the warehouse operations are organised and managed. While organising the warehouse operations, one must take into account the risks carried forward from the first two categories i.e. the location & facility selection and layout, fixture & equipment. The risks associated with the warehouse operations are:
- Health & Safety
- Regulatory Compliance
- Quality & Service
With most of the warehousing operations being outsourced, the companies have a little visibility & control over the operations. Many companies have basic Standard Operating Procedures documents, which most of the time never referred to or updates. Some of these documents are so textual that it makes a good bed-time reading. Most of the supervisors and other people managing the operations may not have even seen these documents ever. Moreover, every site may have different risk profiles. How can one standard document serve the purpose of each site?
So people take short-cuts, especially during month-ends pressure and then slowly it creeps as the bad practice until it snowballs into a big incident. Until then, it is optimism bias that prevails, "it won't happen to us".
Optimism bias, "it won't happen to us" and leaving risks management to your 3rd party logistics provider or contract manufacturers are the biggest risks to your operations. The risks management should start on the day, you decide to build or outsource a warehouse.
Approach to handle Warehouse Risks
Risks management is a three level approach i.e. Strategic, Tactical and Operational.
- Strategic Level: Whether it's a green field or a brown field project, detailed risks assessment has to be an integral part of the project. To re-emphasise, the risks accepted at this stage cannot be mitigated easily. It requires a team of people from engineering, operations IT, legal compliance to visit sites to assess risks from various angles. This could be a burden on the company's resources and also many companies many not have that expertise in-house. A better alternative is to take the services of experts in this field. It should not be seen as a cost but an investment to prevent any unforeseen risk that may cost multiple times the fees of hiring the expert.
- Tactical Level: Before start of any operations, a thorough risk assessment must be done and corresponding internal controls should be implemented. For example, a company instituted a procedure for authorisation by the warehouse manager, if any operator has to work at more than 6 feet from the ground level. The authorisation is nothing but a checklist of do's & don'ts to be explained to the operator before starting the work.
But then how do you ensure whether the controls are effective and are being implemented in spirit and not just on papers. Internal audit is one of the most tested techniques in proactively identifying the gaps in controls. The audits are effective if:
- Aligned to the risks identified for a site and operation.
- Done periodically, rather than just once a year activity. The practice of monthly self-audits on high risk areas, followed by the quarterly more detailed audits by a 3rd party covering all the risk areas.
- Corrective and Preventive action planning, with accountability, visibility and tracking of the closure in a time-bound manner.
It may appear an additional work, but not investing time and resources on this aspect of risk management may cost dearly. It's easier to cure a cancer if identified much early, through periodic check-up. It may also sound daunting to manage the entire planning and managing the data as well as tracking corrective actions.
A platform like SIMSA, that is based on the operational excellence framework of Plan, Do, Check & Act, not only automates entire audit workflow but also ensures complete visibility & control over risks & corrective actions.
- Operational Level: It is at this level at which the controls are executed on day to day basis. It is best to automate the controls and workflows, so that the dependence on the people is minimised. As the technology is becoming affordable, the use IoT and Cameras with Analytics could be the of immense use not only to identify risks on real time basis but also help in predicting future risks. Instead of asking the warehouse manager to report a small fire incident, it may be automated using the sensors. Even in the absence of the advanced technology, simple workflow tools can be used to facilitate the implementation of checklists & reporting of events, instead of using excel sheets or emails.
Warehouses will increasingly play a much larger, complex and strategic roles in the supply chain. Therefore, the risks associated will also be much higher. The risks have to be managed at Strategic, Tactical and Operational levels. Use of information technology can facilitate the effective management of the warehousing risks. It's high time that companies start thinking in this direction and shed the optimism bias or dependence on 3PLs for risks management.
The Internal audit of the supply chain operations is one of the most powerful and fastest ways to reduce operational costs and provide the company competitive advantages in the global market in times of disruptions and economic crisis. The aim of internal audit is to make recommendations for improving the efficiency and effectiveness of operations and to help management in achieving the projected business goals. The key areas of internal audit help in assessing risk and analyzing the optimal functioning of the supply chain.
As a result of the economic crisis, companies are forced to analyze their business processes in order to reduce operating costs of business. Old cost impact strategies do not have the same effect as they once had. Traditional approaches based on improvement are also no longer adequate. Today under the influence of changes on a global level and under pressure to reduce costs the company diverts its attention to risk assessment, process management and environmental risks. Supply chain should not be viewed as a function that supports other functions, but as a separate activity which is involved in all functions of the company.
It is necessary to make a difference between cost savings and risk reduction, actually to regard them as different strategies that are often considered at the expense of one another. If a company wants seriously to dedicate itself to cost reduction, it must have access to contemporary ways and plan its actions and effects in the long term. Although internal audit bears certain costs in the short term as well as the risk management processes it encourages, in the long term its effects and actions may permanently lower the cost of doing business primarily through identifying risks.
The main objective of internal audit is to depict the types and effects of risks that affect the functioning of the supply chain, evaluate them and act before they occur in order to reduce future costs. Unlike financial statements audit which focuses on testing and assessing of the reality and objectivity of financial reports which is traditionally done by external auditors, internal audit focuses on testing and assessing of business and increasing the success of the organization as a whole. The internal audit should include:
The key supply chain management processes for internal audit include Customer Relationship Management, Supplier Relationship Management, Customer Service Management, Demand Management, Order Fulfilment, Manufacturing Flow Management, Product Development and Returns Management. All these processes cut across multiple functions in any business, and offers the opportunity to capture the synergy of intra- and inter-company integration and management. In that sense, SCM deals with total business process excellence and represents a new way of managing the business and relationships with other members of the supply chain.
Value Added Role of Internal Audit
In response to the financial crisis, organizations are also charging their internal audit function with value-added roles to assist in formulating and achieving strategic objectives and sustainable growth. Internal audit of supply chain is to help company in finding answers to crucial questions about managing success factors of supply chain excellence, which can be divided into five main sections:
Supply Chain Risk Management
The big challenge for managers is to mitigate risks by intelligently positioning and sizing supply chain reserves without decreasing profits. Internal Audit can work with business leaders to develop an appropriate supply chain risk management program to provide assessments of the supply chain risk management program through continuous monitoring and auditing. Before companies can devise effective means of reducing supply-chain risks, managers must first understand the universe of risk categories as well as the events and conditions that drive them (Table below). Then, armed with clear, specific knowledge about these crucial risks, companies can proceed to select and tailor mitigation strategies, which are likely to be most effective.
Internal audit can be used for improving supply chain process in terms of efficiency and effectiveness, by providing insight and recommendations based on analyses and assessments of available data from the company. Supply chain management is a very complex structure of activities with cross-functional processes, and it presents one of the most important functions in the company since it is directly linked to all functions of the company. Internal auditors have changed their roles of merely providing a check over accounting transactions into helping and providing support for companies in supply chain risk management. The supply chain internal audit aims to support managers in process optimization and above all in cost reduction which result from an uncertain environment by evaluating and directing management towards approaches which will prevent or reduce negative effects.
A structured and automated audit workflow management e.g. SIMSA Audit Management Platform, based on the framework of operational excellence (Plan, Do, Check and Act) is a best practice and helps to manage End-to-end audit more effectively. It’s a cloud-based web and mobile application which completely eliminates the huge paper work requirements by digitizing internal audits. The SIMSA framework maps all the stakeholders in the process, creates complete visibility to the risks, gives auto notification to the managers on the corrective actions and tracks actions with auto reminders and escalation. It also facilitates shared accountability across the organization for risks management.