The good news is insurers and risk managers are relying more and more on sophisticated analytics and models to identify and handle supply chain risk. But models don’t live by algorithms alone. The seeds for the knowledge that models provide derive from the data that feeds the analytics. In fact, a lack of data could become one of the greatest risks to the supply chain.

Never-ending Chain
The supply chain encompasses the upstream and downstream flow of resources associated with the creation, storage, transportation, distribution and delivery of a product or service, starting from raw materials until that product or service arrives in the hands of the consumer. Therefore, supply chain risk involves the potential for interruption — internal or external — in each step of the process. And any disruption can result in failure to deliver a product or service.

Most supply chains typically link to a much more complex series of supply chains. Take a loaf of bread as an example: It starts with the seeds to grow the wheat and ends up on the grocery shelf. From the field to the manufacturing plant to the retail location. The supply chain also includes electricity — lights, cooling, alarms, computers and whatever else requires power. That’s another link in the chain affecting the ability of a manufacturer or retailer to meet customers’ needs. Then multiply that by the other activities needed to distribute a loaf of bread, such as purchasing, production, and distribution. With that view, what schematic would suffice?

Traditionally, supply chain risk has focused on the movement of goods and materials. But in today’s world, supply chain risk applies to any object or activity related to the delivery of a product or service, including financial transactions and contracts. Examples of breaks in the supply chain include the bankruptcy of the fourth-largest U.S. investment bank, a clothing manufacturer’s sweatshop in Bangladesh, and a drug compounding center in New England. Due to severe weather or other hazards, regulation, disease, labor disputes, political activity, malfeasance, ineptitude, and the like, these companies’ actions not only had a direct and negative impact on their businesses but also on their trading partners’ businesses and, in one case, world economies.

How to Control the Risk
So, how does an organization get a handle on supply chain risk? A key first step is gathering facts: identifying all the internal and external touch points involved in a product or service.

In October 2012, the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, issued Report 7622, titled “Notional Supply Chain Risk Management Practices for Federal Information Systems.” The report includes 10 supply chain risk management practices that federal departments and agencies should consider as part of their supply chain risk management strategy. These practices, however, apply to any organization.

1. Uniquely identify supply chain elements, processes, and participants.
2. Limit access and exposure within the supply chain.
3. Establish and maintain the provenance of elements, processes, tools, and data.
4. Share information within strict limits.
5. Perform supply chain risk management awareness and training.
6. Use defensive design for systems, elements and processes.
7. Perform continuous integrator review.
8. Strengthen delivery mechanisms.
9. Assure sustainment activities and processes.
10. Manage disposal and final disposition activities throughout the system or element life cycle.

From a data and data management perspective, three components — discovery, data lineage, and interoperability — are central to supply chain risk mitigation.

In the discovery phase, the supply chain analyst (or data manager) should identify all parties involved in producing a product or service, internally or externally. Each party’s role in the relationship must be determined, in addition to the relationships among those parties and other parties not directly associated with the organization but affecting the organization’s supply chain. The identification should comprise characteristics associated with each party: location, personnel, raw materials, corporate structure, company financials, adverse legal activities, and so on. Any risk associated with those characteristics is critical to recognize as well. All the information should then populate a data dictionary, which becomes part of a data model and a data repository to support supply chain risk analyses.

Once the analyst has identified the “who” and “what,” the analyst needs to document the sources of data and any changes to the data from the beginning of the process to the end. This metadata is extremely important when there are many parties, roles and relationships and even more so when the information changes frequently. NIST labels that activity as “provenance,” using the term often associated with artwork and antiques. The data management community often labels that activity as data lineage.

After the metadata underlying data discovery and lineage has been documented, the analyst must now connect the dots: The data associated with each party and its characteristics, as a prelude to creating analytics, must allow for interoperability and for financial risk transparency. The interoperability is not only with other data within the repository but also with external data sources. For example, the supply chain risk associated with a loaf of bread must relate to the weather risk associated with the farm producing the grain used to produce the loaf.

For all supply chain risk, especially important to financial services, the analyst must identify corporate structure hierarchies at the macro level but not lose sight of the granularity needed at the micro level. An example at the micro level would include individual mortgage details underlying a mortgage portfolio being transferred from one financial entity to another. Transparency can be attained only when this macro- and micro-level information has been properly documented.

Regarding corporate hierarchies: In response to the recent financial crisis, the Financial Stability Board — working with other regulatory agencies, the International Standards Organization, and industry associations including the EDM (Enterprise Data Management) Council — has created the legal entity identification (LEI) code to uniquely identify all business and legal entities. Regulators and service providers within the insurance industry have also created corporate hierarchies. The insurance-specific hierarchies, however, may not recognize related business entities that are not insurance companies.

Other data management tools and techniques that can support interoperability are semantic databases and ontologies. Semantic database technologies, where each data element is put into context, can provide a common framework that promotes data linkage, sharing and reuse. Ontologies extend semantic functionality to relationships between data.

It is only after the analyst has documented metadata, lineage and linkages that risk analyses can be conducted and metrics compiled. Complete and comprehensive data and data management are therefore necessary prerequisites to any understanding of supply chain risk and identification of risk mitigation strategies.

Like seeds in a garden, if properly nurtured, relevant data can help companies become fertile ground for business growth.

Source: Verisk Analytics