Analyst Insight: Most companies fail to take a holistic approach to supply chain risk management. Individual functions do address some of their own risks in isolation, but typically there is no high-level executive with the charter and power to create and drive an integrated approach to managing supply chain risk.

-Bill McBeath, chief research officer at ChainLink Research

Who is responsible for managing supply chain risk in the enterprise? Many companies don't have a good answer. The responsibility is typically split between several roles:

• Risk Managers-Often companies have a risk manager, but frequently that person's focus is on managing insurance: ensuring that company is adequately covered and taking steps to control premiums.

• Sourcing and Procurement Personnel-They are generally responsible for managing suppliers performance. For mature sourcing organizations, this includes assessing risk during supplier selection and during the period of performance. But this is often confined to checking financial viability of the supplier and trying to limit sole-sourcing situations. Rarely does it include a more holistic approach to risk that would encompass things like the business continuity readiness of the supplier or the location of the suppliers plants or who the supplier might be outsourcing to.

• Business Continuity Manager-This is often an IT-centric function that focuses on keeping information systems up and running. It also can include disaster recovery plans for the various facilities and functions within the company, such as manufacturing, distribution, call center, etc.

• Supply Chain Planning-In long-term planning (network design) and short-term planning (inventory planning), some thought is given to the risks as part of the overall planning process.

• Logistics and Transportation-Usually seeks some diversity in carriers and routes and may or may not have backup plans in place.

So risk management is taking place in pockets. But do these functions coordinate their risk analysis and mitigation into a holistic plan? Rarely. And do they consider the risk going back several tiers into the supply chain, which is becoming more and more important? Almost never.

Sure, we have a few Chief Risk Officers in place, but that is the exception rather than the rule, and even then you have to wonder how much clout they really hold in the organization. Until supply chain risk management becomes high on the CEO's agenda, this situation is unlikely to change.

Research has shown that when there is a major disruption to a company's supply chain, their stock typically falls between 25 percent and 30 percent relative to the market (and it stays there for at least 12 months). That fact has not been enough to get the attention of the CEO. Not until the markets start explicitly pricing the stock (up or down), based on a company's level of supply chain resilience, do we expect the current approaches to risk management to change significantly.

The Outlook

The economic downturn was actually somewhat good for the risk management business. In particular, people were more worried about trying to know which of their suppliers will survive or not. So will the recovery be bad for risk management? Not necessarily, but don't expect a surge of interest in risk management this year. People are much more focused on growing their businesses.