Mittwoch, 10. Februar 2016

It takes more than one swallow to make a summer. Or: Top management commitment still low.

In November 2015, the Business Continuity Institute (BCI) and Zurich published the 'Supply Chain Resilience Report 2015'. This report, which is available via the BCI's website, shows some positive trends in supply chain risk management. However, it also reveals that top management commitment is still on a low level.

Figure 1: Top management commitment to supply chain resilience (source: Business Continuity Institute/Zurich: Supply Chain Resilience Report 2015, Caversham.)

Figure 1 shows, that in comparison to the results of the 2014 survey, top management commitment to managing supply chain risks increased by 4 percentage points - which is for sure a positive trend. However, still only one third of the respondents see a high impact of top management commitment. If we follow the arguments of the reports, top management commitment is seen as an enabler of supply chain visibility, the percentage of high impact commitment is relatively low. Nevertheless, the percentage of respondents who see a low or no impact at all is reduced to 25 %.

Figure 2: Consequences of supply chain risks (source: Business Continuity Institute/Zurich: Supply Chain Resilience Report 2015, Caversham.)

One of the top question in risk management is 'what will be the consequences if risks do happen'? Figure 2 shows the consequences reported by the respondents of the survey. Not surprisingly, the loss of productivity is the type of consequence mentioned most. However, this type of consequence is an internal consequence, whereas the next important outcome are customer complaints, mentioned by 2 out of 5 respondents. Here, we can see, that consequences of risks are visible to and perceived by external parties.

Figure 3: Cumulative financial impact of supply chain interruptions (source: Business Continuity Institute/Zurich: Supply Chain Resilience Report 2015, Caversham.)

As figure 3 reveals, the cumulative cost of risks (assessed over a period of 12 month) show, that more than half of the risks have a slightly low impact. (Of course, this number should be seen in relation to the financial size of the company.) On the other hand, every 7th company realized cumulative cost of 1 million EUR or more. If we look at the cost of the most significant incident (a graphic that is accessible in the original report), we see that every 11th organization had a single incident with risk-related cost of 1 million EUR or more.

Figure 4: Predominant sources of risks with a supply chain (Business Continuity Institute/Zurich: Supply Chain Resilience Report 2015, Caversham.)

When we talk about supply chain risks, we should see the total supply chain. 'Supply chain visibility' is a key term - but has not been implemented widely yet. Figure 4 shows, that almost one third of the respondents does not (or is not able to) trace supply chain risks within the supply chain. Additionally, the diagram is also misleading, because it mixes exclusive and non-exclusive answers. The values for the first three bars should have been calculated on the basis of the 69 % of the respondents who do analyze the full supply chain. When we update those number we realize that
  1. 72 % of the companies who analyze the full supply chain, identified the predominant source of interruption on 1st tier,
  2. 30 % of those companies identified the main source on tier 2, and
  3. some 11 % see the predominant source of the risk on a lower level.
Source: Business Continuity Institute/Zurich: Supply Chain Resilience Report 2015, Caversham. The full report, which contains much more information than shown in this short review, is available as a download from the BCI's website:

Dienstag, 19. Januar 2016

'Business interruption' still THE hottest risk

The Allianz Risk Barometer - Top Business Risks 2016, the fifth annual survey focusing on corporate risks, has been published recently by Allianz SE and Allianz Global Corporate & Specialty SE (AGCS). It gives an overview on corporate risks, seen from the perspective of managers of AGCS and local Allianz entities. Overall, 824 respondents from 44 countries participated in the survey.

Figure 1: Top risks (Source: Allianz SE/Allianz Global Corporate & Specialty SE: Allianz Risk Barometer 2016 Appendix, 2016, p. 1)

A first look at the summary (see figure 1) does not reflect any surprises - and on the other hand leads to stop for a second: Two risks are new, they seem to be 'rising stars', since they were not existing in the previous study from 2015. Market development, which comprises volatility, intensified competition, and market stagnation, and macroeconomic development (i.e. austerity programs, commodity price increase, inflation/deflation) seem to be new. However, in former reports the individual risks of market respectively macoeconomic development had been ranked seperately - and are now ranked collectively. This leads to a shift in the top 10 list, and makes it difficult to compare the current results with the findings from 2015.

Besides that, the top 10 risks do not bear, as said, any surprises. Business interruption is still the 'hottest' risk. (We will look at some details in a minute.) The aforementioned market development is seen as second important risk. Cyber incidents are of growing concern: After 12 % in 2014 and 17 % in 2015, now 28 % of the respondents see cyber incidents as an important risk. The growth rate of those risks is alarming. (We will get back to cyber risks later in this article.) Both natural catastrophes and fire/explosion are seen to lose importance in relation to other risks. Changes in legislation and regulation also seems to be of lower significance, because it is ranked lower than in 2015. This, however, is a pitfall of the newly 'created' (i.e. compiled) risks - indeed the percentage of experts seeing changes in legislation and regulation as a risk, has risen from 18 % up to 24 %. Thus, the 'trend' shown in the rightmost column is a misleading and not fully correct information for some of the risks.

Figure 2: Geopolitical risks (Source: Allianz SE/Allianz Global Corporate & Specialty SE: Allianz Risk Barometer - Top Business Risks 2016, 2016, p. 5)

A second critical remark must be made about the classification of risk. Of course, an exact classification that avoids any grey or fuzzy areas is almost impossible. There are numerous schemes for classification, but almost non of them allows for a selective clustering of risks. In the 2016 risk barometer we can observe the problems of non-selective risk groups. Although there is one risk category 'business interruption' (THE no 1 risk), there are other classes of risks, that integrate or at least lead to some portions of business interruption. For example, when looking at details of political risks, we can see the cause effect relationship of those risks with business interruptions. When asked what risks within the context of geopolitical instability businesses were most worried about, more than half of the respondents mentioned impact on supply chains (see figure 2). Also, other risks, such as natural catastrophes, fire and explosion, and cyber incidents can lead to severe business interruptions (see figure 3). Thus, due to the fuzzy classification and some implicit cause effect relationships within the top risks, the ranking of the risks is not fully explicable.

Figure 3: Major causes of business interrpution (Source: Allianz SE/Allianz Global Corporate & Specialty SE: Allianz Risk Barometer - Top Business Risks 2016, 2016, p. 6)

Besides nat cat's and fires or explosions, business interruption risks are created within a supply chain: As figure 3 shows, also supplier failure is one of the top 3 causes of business interruptions that companies fear most.

In the future, cyber incidents are seen as heavily increase the threat of business interruptions: 59 % of the respondents see cyber incidents as major future threat.

Figure 4: Causes of economic loss after cyber incidents (Source: Allianz SE/Allianz Global Corporate & Specialty SE: Allianz Risk Barometer - Top Business Risks 2016, 2016, p.11)

Cyber incidents are not only cyber attacks (or cyber crime in general), but also data breaches and general IT failures. Industry 4.0 (or the 'Internet of Things') and its underlying trend of continuing and accelerating digitalization is a development that - besides increased effectiveness and efficiency - lead to new and more risks. Those possible negative impacts that companies fear most are shown in figure 4. As can be seen from figure 5, cyber incidents can lead to economic losses due to different reasons. Reputational loss is the most important cause for economic losses, followed by business interruptions.

Figure 5: Impacts of ongoing digitalization (Source: Allianz SE/Allianz Global Corporate & Specialty SE: Allianz Risk Barometer - Top Business Risks 2016, 2016, p.12)

If companies look into the long-term future, i.e. 10 years or later, cyber incidents are seen as the top emerging risk: 33 % of the experts see such cyber incidents as the most important future risk. This fits to the result mentioned earlier which described the rise of cyber risks as top current risks. Behind cyber incidents, managers see business interruptions (11 %) and terrorism (9 %) as emerging risks in the far future.

The study results (Allianz Risk Barometer - Top Business Risks 2016 and Allianz Risk Barometer 2016 Appendix) can be downloaded from AGCS' website:

Donnerstag, 29. Oktober 2015

The mind-set has not changed... (or: results of the 4th survey on risk management in the logistics industry)

My colleague, Prof. Dr. Dirk Lohre of Heilbronn University, and I have been conducting empirical research in the logistics industry since 2008. Our intention has been - and still is - to monitor the status of risk management in logistics companies, to identify trends and developments, and to give recommendations to companies.

This year (2015), we have carried out the 4th survey on risk management in the logistics industry. And - to put it in a nutshell: The situation, i.e. the degree of application and also (and even more important) the mind-set of logistics service providers regarding risk management has not changed. That is the main result of this year's survey - and you could stop here, if you are not interested in any details.

If you, however, would like to get a more detailed idea of what the status of risk management in this industry is, please do carry on...

Before we look at results, let me give you some numbers on the survey: The online questionaire used for the survey was available from March to April 2015. The survey was promoted using social media channels ( and by our media partner EuroTransportMedia Verlags- und Veranstaltungs-GmbH. 73 companies have answered our survey.

Figure 1: Top 5 future risks for logistics companies

Let us look at some selected results. First, we were interested in the top risks from the perspective of logistics companies. Figure 1 above shows future risks and the percentage of companies that see those risks within their personal top 5 risks (multiple answers were possible). As in our previous studies, human resource related risks are seen as the top future risk. In our current survey, those risks are also seen as #1 of the current risks - and this is a change to previous years. The HR related risks have two basic causes: On the one hand, the current and future lack of truck drivers is obvious. On the other side, logistics processes and process chains are becoming increasingly complex, for example due to ongoing globalization and still increasing tendencies of outsourcing logistical business processes (contract logistics). To cope with those new challenges, more well-educated staff is required.

Although energy prices have decreased for some time, companies see fluctuations in energy prices as the #2 future risk. This is understandable, since energy cost are a major driver of total cost, especially for those companies with a focus on trucking.

It is interesting, that the top 5 risks differ from the top risks in the Allianz Risk Barometer (take a look at our blog entry from March 'Our number one is... Supply Chain Risks! (But beware of Cyber Crime!)': There, the top risks are business interruption and supply chain, natural catrastrophes, and fire and explosions. Cyber crime - a risk that is becoming more and more important - is not within the top 5 risks; however, 39 % of the LSP's see cyber risks as important risks.

Figure 2: Application of risk management in the logistics industry

Even if competition is becoming stronger, logistics process chains show an increased complexity, and German law requires risk management, the application of risk management in the logistics industry is on a relatively low level. As figure 2 displays, only a little bit more than half of the LSP's have a risk management in place. Looking at the development from 2008 until now, the use of risk management has not changed much over time. Instead, the percentage values are more or less constant over time. We still see a group of some 25-30 % of the companies that do not have risk management in place, and also do not plan to implement risk management soon. Thus, the need for risk management is not seen by many logistic service providers.

Figure 3: Methods used in risk management in the logistics industry

Those LSP's who have a running risk management in place, show - in average - only a medium level of maturity. Take, for example, the methods used for risk identification and assessment. As figure 3 shows, the methods most commonly used are expert and employee consultations, checklists and brainstorming. More sophisticated methods, such as FMEA, fault tree analysis, or simulation are only used by less the 3 out of 10 LSP's. Even risk maps, as an easy tool for communicating risks, are only used by 30 % of the companies. It is somehow irritating, that a risk inventory is not used by any of the companies - or that the term 'risk inventory' is maybe just unknown.

To sum it up: Comparing the results of our surveys over time, we do not see significant changes in both the application of and the maturity of risk management in the logistics industry. Both offer room for improvement. We forecast, however, an increasing pressure by customers, banks, and insurance companies on LSP's to implement a risk management system.

The full report Huth, M./Lohre, D.: Risikomanagement in der Speditions- und Logistikbranche: Bestandsaufnahme zu Verbreitung und Reifegrad, Discussion Papers in Business and Economics (17), Fulda 2015 (unfortunately only in Germna) can be downloaded here:

Montag, 19. Oktober 2015

Huth, M./Romeike, F. (Hrsg.): Risikomanagement in der Logistik: Konzepte - Instrumente - Anwendungsbeispiele, Wiesbaden: Springer Gabler 2015

In eigener Sache - and sorry, guys, this post is in German.

Gemeinsam mit Frank Romeike, einem der führenden Köpfe im Bereich Risikomanagement, habe ich das Buch "Risikomanagement in der Logistik: Konzepte - Instrumente - Anwendungsbeispiele" herausgebracht. In 17 Kapiteln werden grundlegende, aber auch branchenbezogene Risikomanagement-Themen aufgegriffen und diskutiert, die für ein effektives Logistik-Risikomanagement relevant sind.

Das Buch ist am 19. Oktober 2015 bei Springer Gabler erschienen und bspw. hier bei Amazon erhältlich:

Mittwoch, 5. August 2015

Global MMOG/LE: an example how a standardized supplier evaluation can be used for assessing risks

The automotive industry is one of the most important industries for Germany (and also in many other industrial countries worldwide). For logistics and supply chain management, there arise certain requirements due to the increasing number of derivate products that lead to a further rising complexity of the global supply chain. Additional challenges exist due to changes in supply markets and due to volatile regional demand markets.

Against this background of this trend, supplier management serves as an approach to guarantee an effective supply chain. One element of supplier management is supplier evaluation, which generates information for the selection of new suppliers and for the development of current suppliers. To keep the effort for a supplier evaluation low, companies in the automotive sector developed a standardized evaluation approach. For this development, Odette International and Automotive Industry Action Group (AIAG) worked strongly together. The approach had been published as ‘Global Materials Management Operations Guideline/Logistics Evaluation’ (in short: Global MMOG/LE), and is available in various languages as a tool for Microsoft Excel.

The objectives of the Global MMOG/LE are:
  • “Produce a common SCM evaluation that can be used by all business partners, both internal and external.
  • Establish the components of an SCM system for suppliers of goods and services within the automotive industry […].
  • Enable SCM continual improvement plans to be developed and prioritized, thus enabling time to be spent on those activities that offer the greatest benefit.
  • Provide a basis for benchmarking activities and identify ‘Best Practice Criteria’ of SCM processes for driving continual improvement plans.” (AIAG, Odette: GLOBAL MMOG/LE – Introduction and Instructions, 2014.)
 The evaluation is structured into 6 chapters:
  1. Strategy and improvement
  2. Work organization
  3. Capacity and production planning
  4. Customer interface
  5. Production and product control
  6. Supplier interface
For the 197 questions (or better: criteria) of the Global MMOG/LE there exists some prioritization:
  • F1 criteria have the lowest importance. ‘Complying with F1 criteria contributes to the organization’s long-term sustainability and/or competitiveness.’ (AIAG, Odette: GLOBAL MMOG/LE – Introduction and Instructions, 2014.)
  • ‘If an F2 criterion is not met, the organization’s performance and/or customer satisfaction may be seriously affected.’ (AIAG, Odette: GLOBAL MMOG/LE – Introduction and Instructions, 2014.)
  • F3 criteria focus on fundamental requirements for business processes. ‘If an F3 criterion is not met, there is a high risk of interruption and/or incurring increased costs to the organization's and/or customer's operations.’ (AIAG, Odette: GLOBAL MMOG/LE – Introduction and Instructions, 2014.)

Figure 1 – Global MMOG/LE’s assessment sheet (screenshot from the Microsoft Excel-based 'Global MMOG/LE')

Figure 1 shows a screenshot of the assessment sheet of the Global MMOG/LE tool. It indicates the importance of the criteria by different colors (white, yellow, and red). It also shows met and unmet criteria by using green and red background color.

In chapter 2, you can find a sub-chapter, that explicitely deals with ‘risk assessment and management’. However, in each chapter one can identify questions that show a link to risk and risk management. But let’s look at chapter 2 first.

Table 1 lists criteria of sub-chapter 2.5, which explicitly focuses on risk assessment and management. The importance of risk management immediately becomes by realizing that 3 out of the 7 criteria are F3 criteria – and thus are essential for a company’s performance. One of the F3 criteria evaluates the existence of a process for risk assessment, the other two F3 criteria focus on emergency plans. It is important to note, that if any F3 criteria is not met, the supplier will automatically be ranked as a C supplier (the lowest and not achievable rank).

Table 1: Risk-related criteria from sub-chapter 2.5 (source: AIAG, Odette: GLOBAL MMOG/LE, 2014)

Beside sub-chapter 2.5, there are more criteria that explicitly or implicitly focus on risk and risk management. Some of those criteria are listed in table 2. Again one can realize that most of the criteria are of F2 or F3 type.

Table 2: Selected further risk-related criteria (source: AIAG, Odette: GLOBAL MMOG/LE, 2014)

Let us sum up the findings from using the Global MMOG/LE:
  • The Global MMOG/LE had been developed as an industry-wide standard for logistics evaluations. This purpose is satisfied to a high degree.
  • The structure of the catalogue of criteria is not intuitively understandable. For example, if it had followed the widely used SCOR model, there had been a better structured basis for the assessment. (See, for example, the post on using SCOR for risk management in the electronic industry in a post from November 2014.)
  • Risk management is covered both explicitly and implicitly. On the one hand, there is sub-chapter 2.5, which lists seven criteria (three of them F3 criteria), that explicitly cover risk management topics. On the other hand, one can identify a large number of questions in other chapters, that also deal with risk and risk assessment.
  • Global MMOG/LE does not explicitly identify risks. It rather lists criteria that should lead to an effective risk management.

A big ‚thank you‘ goes to Sascha Gröbel from the VDA for supporting this short article by giving me access to the Global MMOG/LE.

A longer version of this blog entry will be published (in German) in the upcoming book by Michael Huth and Frank Romeike: Risikomanagement in der Logistik: Konzepte – Instrumente – Anwendungsbeispiele, Springer 2015.

Mittwoch, 18. März 2015

Our number one is... Supply Chain Risks! (But beware of Cyber Crime!)

Business interruption and supply chain risks are - by far - the most important risks for managers. Cyber risks on the other side made a significant jump into the top 10 business risks. That is the bottom line of the 'Allianz Risk Barometer - Top Business Risks 2015', published in January 2015 (see press release and downloadable files here: For the study, Allianz (Allianz Global Corporate & Specialty, or in short: AGCS) asked more than 500 managers from 47 countries, with a focus on the corporate insurance sector for both large industrial and mid-sized companies. (The term mid-sized companies, however, is in some way misleading, since it does not match the categorization by the European Union. In the Allianz survey, mid-sized companies are defined by a revenue of not more than 250 million Euros.)

Figure 1: Top Business Risks 2015. Source: Allianz Global Corporate & Specialty: Allianz Risk Barometer 2015 Appendix,

As show in figure 1, almost half of the respondents mentioned business interruptions (BI) and supply chain (SC) risks as a top risk (46 % - after 43 % in 2014). More specifically, those risks are crucial for manufacturing companies; in this industry BI and SC risks had been mentioned by more than two third (68 % - after 60 % in 2014).

On one hand, this results are accompanied by an increasing awareness of such risks and their consequences for an enterprise's business. As Mark Mitchell, Regional CEO for Asia at AGCS puts it: "Companies now have a greater understanding of the need to monitor risk aggregations, not just geographically, but also in business interruption exposures." On the other hand, AGCS identified crucial discrepancies between the awareness and actual measures and systems to prevent companies from those risks. The study states: "[...] adequate [...] business continuity management remains a gap in many multinational companies' supply chain risk management programs." And: "Interdependencies between suppliers is often a big unknown. Many businesses still do not have alternate suppliers."

One of the big 'movers' (or should we say: one of the 'rising stars'?) are cyber risks. While two years ago, cyber risks were ranked 15th (with 6 % of the respondents mentioning this type of risk), the importance of cyber risks has grown steadily: In 2014, those risks were ranked 8th, listed by 12 % of the companies. In 2015, cyber risks were mentioned as a top risk by every 6th company (17 %), and were ranked 5th. Cyber risks are ranked 2nd in Germany (32 %), 3rd in the UK (30 %), and 3rd in the US (26 %). And: cyber risks are seen as no 1 risk for the next five years.

Figure 2: Top risks for which businesses are least prepared. Source: Allianz SE/Allianz Global Corporate & Specialty SE: Allianz Risk Barometer - Top Business Risks 2015,

However, cyber risks are crucially underestimated. 73 % (that's almost 3 out of 4 companies!) of the companies say, the risk of cyber crime is underestimated. Even worse, more than half of the companies (54 %) has not even analyzed the problem! As a consequence, 29 % of the enterprises admit not to be sufficiently prepared for cyber risks, while for other risks this number is significantly smaller (see figure 2). The most feared cyber risk is data theft and manipulation (64 %), followed by loss of reputation (48 %) and increased threat of persistent hacking (44 %).

It is interesting that a shortage of skilled talents in combination with an aging workforce is not seen as a major risk. Exceptions from this observation: This risk seems to be relevant for Australia and the USA - in those two countries, talent shortage/aging workforce are ranked within the top 10 risks.

Figure 3: Top risks for the long-term future (5 to 10 years 'plus'). Source: Allianz SE/Allianz Global Corporate & Specialty SE: Allianz Risk Barometer - Top Business Risks 2015,

In a long-term perspective, climate change is identified as the most concerning risk, directly followed by natural catastrophes (see figure 3). This is understandable, since at least the financial lossed resulting from natural catastrophes have increased dramatically over time.

Donnerstag, 20. November 2014

SCRM in the electronic industry – an industry recommendation

A few days ago, the ZVEI, the German Electrical and Electronic Manufacturers’ Association, published an industry recommendation how to set-up and run Supply Chain Management in the electronic industry. The recommendation ‘Guideline Supply Chain Management in Electronics Manufacturing’ is the result of an initiative started by two divisions of ZVEI – the Electronic Components and Systems Division and PCB and Electronics Systems Division. The reason that these two division started the initiative is simple: The members of those two division are located upstream in electronic supply chains – and therefore they face stronger consequences of the well-know bull-whip effect (volatility of demand, out of stock situations etc.). Thus, these companies are highly interested in establishing SCM in their supply chains to reduce the bullwhip effect and to decrease the level of risk.

The document addresses different topics of SCM: It starts with a general introduction into Supply Chain Management, then discusses robust supply chains, focuses on external framework conditions, and gives recommendations for education and training in SCM. From an SCRM perspective, chapter 2 (‘Robust Supply Chains with High Responsiveness and Flexibility’) is of special importance.

Figure 1: List of possible risks for different process types. Source: ZVEI - German Electrical and Electronic Manufacturers’ Association: Guideline Supply Chain Management in Electronics Manufacturing, Frankfurt/Main 2014.

The ZVEI starts with defining robustness in supply chains: “This means that a robust supply chain must be as reliable and immune as possible to external influences and risks, possibly intercepting errors when they occur to minimise their impact on downstream processes.” The document then lists different risks that might occur in various areas of the supply chain. The underlying concept is the well-established SCOR model, the ‘Supply Chain Operations Reference’ model, which is a set of standard processes on different levels, which can be used to model, document, and analyze supply chains. Following the SCOR approach is one of the strengths of the document. By applying SCOR to the SCRM process means to build a solid structure for risk management. Figure 1 shows the result of the generic risk identification using SCOR model – a table with potential risks, that are assigned to the 5 different types of processes used in the SCOR approach. (The ‘return’ process was omitted intentionally, since the group found it played a minor role.)

After identifying and listing various risks in the electronic supply chain, the document focuses on measures to safeguard against risks. Again, when suggesting and discussing different approaches, the document follows the SCOR model. Those measure contain suggestions that are typical to SCM, such as supplier management and the use of SCM IT applications. On the other hand, risk management specific approaches are suggested, such as FMEA and the simulation of supply chain scenarios. It also recommends the use of a risk classification matrix.

Figure 2: Questionnaire. Source: ZVEI - German Electrical and Electronic Manufacturers’ Association: Guideline Supply Chain Management in Electronics Manufacturing, Frankfurt/Main 2014.

The paper not only lists risks and possible counteractions, but also addresses the organizational implementation of risk management. Within a few pages, the paper gives valuable hints for setting up a risk management in supply chains, and also focuses on communication in risk management. Additionally, the document provides a questionnaire that helps to ask the right questions in SCRM in the electronic industry (see Figure 2).

We Germans would probably ask: Aren't there any weaknesses of the paper? And then we would answer: Yes, there are some. But: I don't want to focus them - because I would like to look at the recommendations' strengths. So: Is the paper helpful? Definitely! One of the strengths is to give an overview over SCM and SCRM in a specific industry. Of course, this leads to some general suggestions and recommendations (as mentioned above), but those recommendations still focus on the electronic industry. (And if you ever worked on industry standards, you for sure know how difficult it is to find a compromise even for definging single termns.) Another strength is to link SCRM activities to an existing, structured approach – the SCOR model. The SCOR approach thus builds the framework for identifying, evaluating and managing supply chain risks. By following SCOR the paper shows a strong methodic structure, that can be followed easily!

The document ‘Guideline Supply Chain Management in Electronics Manufacturing’ can be downloaded from the ZVEI’s homepage: