Supply chain risk management can't be isolated in a single function or department — it must be instilled throughout the organization, says Anish Buch, vice president of supply chain for consumer products with L'Oréal.

Q: Why do you think so many supply-chain organizations today struggle with the issue of risk management?

Anish: The definition of risk changes, but the way it's evaluated does not. Identification of risk needs to be looked at from a shareholder standpoint. When we narrow it down to the boundaries of risk assessment at the brand, product or location level, we sometimes lose the shareholder. The other reason is lack of shared metrics and growth targets. Knowing that your KPI [key performance indicator] is my KPI develops a “skin-in-the-game”-type mindset that allows risk to be universally assessed in one manner across multiple functions in an organization.

Another area where organizations tend to struggle with risk comes with an over-reliance on precedent. History often dictates what we think the future will be when we perform the same activities. But the circumstances under which we perform those activities are constantly changing, now more than ever. That’s a bit of a handicap with a lot of organizations. And one final thing I would add is that a lot of organizations struggle to find that sweet spot of which sacrifices they're willing to make in order to see whether that risk will actually manifest itself or not.

Q: What about the issue of accountability? Where should the management of supply-chain risk reside within an organization in terms of responsibility? Should one person be tasked with it?

Anish: It depends on the type of the organization, and the team dynamic and culture. Up until maybe a decade or so ago, it was the cool thing to say that supply-chain risks are shared risks. But today, I don't think there's a need to say that anymore. Organizations are understanding the value that supply chain brings to them, especially in the era of e-commerce. Supply chain is now a top-line driver, so accountability for supply-chain risk becomes organizational in nature by default. There’s still a need from an internal audit standpoint to make sure there's a button for audit, risk or strategy officers. But the accountability for managing that risk, I think, has become that of the organization as a whole.

Q: What do you mean when you say there’s a certain degree of sacrifice that has to be taken into consideration when creating a supply-chain risk-management policy?

Anish: You're going to have to make choices on 60, 70 or 80 percent of the information, if you want to act on time. And time has become more sensitive today than it was. When we talk about two-day, one-day or one-hour delivery, time is no longer a luxury. So when you have a certain percentage of the facts, you need to be willing to jump and make a decision. Which means you sacrifice what would be considered in the past as an ideal planning process or horizon. Another consideration is the need to quickly move past individual or functional targets when going for the organizational top line, or even bottom line. You need to make sure that all parties are connected and holding hands, and letting go of certain things in order for the greater goal to be met. A lot of supply-chain organizations struggle not so much with what to do, but what to stop doing.

The third thing that comes to mind in terms of sacrifice when managing risk is to know that you're willing to take a bet that will fail. It’s about knowing that for every four or five successes there's going be one or two failures, and being okay with that. You shouldn’t be dwelling on the post-mortem of those things so much that you forget to take risks and move forward. This is a changing world and mistakes will happen, but how we respond to those mistakes will determine whether our organizations and teams will be willing to take risks in the future.

Q: What’s required in terms of investment and preparation, whether in the maintenance of buffer stock or launching of training programs?

Anish: With a good supply-chain professional, you're never going to shy away from giving credit for preparation and planning. But the horizon within which you do it is shrinking, while the frequency is increasing. In other words, we're now in an environment where “test and learn” is common, which means you’re going to do a little prep and act, then do it again. The classic way of looking at business cases in the past was to consider them as more valuable with reliability and repeatability. The long-term investment plan talks about returns over three or five years, as you try to optimize and consolidate processes. Now, you want to look at immediate return, realizing that what makes a business case relevant today might not be relevant in three to four years. Think in short, frequent buckets, then come back and reevaluate very quickly. That’s what the supply chain of the future demands.

Q: How can technology help? Can artificial intelligence step in and help us to get a better sense of what might happen in the future?

Anish: I think it absolutely can, as the technology matures and becomes more available to different types of businesses. But it depends on how the technology is managed and deployed, by people who are skilled in its use. Organizations are rushing into A.I. for predictive data management. They’re going down the right path, as long as they're willing to give up certain things in order for those endeavors to succeed.

Q: How can companies instill an awareness of risk management throughout the organization and corporate culture?

Anish: Two things come to mind. One is making risk management into something positive. When a risk manifests itself, the consequences of course are negative, but if the planning and management of the processes are viewed that way, you're going to have fewer people involved because of a feeling of fear — of something bad happening when a risk manifests itself. Organizations that do well with risk management do so in the normal course of business. They don't give too much importance to what could happen if that risk manifested itself. If you train well for it, when it does manifest itself, your instincts will kick in and the organization will do the right thing.

The second requirement is for leaders to communicate that it’s okay to work in an environment of risk. They need to define the type of reward they’re willing to put on the table, against what kind of risk. Every level in the organization needs to be clear about what kinds of risks they are empowered to take, and what kind of rewards in return can be derived. If that becomes clear, combined with the management of risk as something positive instead of a source of fear, then that’s how I see risk management being managed better in organizations.