The activities associated with the determination of the appropriate response ('controls') for each risk. Risk responses should focus on both sides of the
Risk Bow Tie:
- Preventive controls reduce or eliminate the probability or likelihood of the occurrence of the risk event. This is the left side of the Risk Bow Tie
- Corrective controls reduce or eliminate the impact or consequence once the risk event occurred/ This is the right side of the Risk Bow Tie
The objective of risk management is to prevent the occurrence of a root cause (right side) to reach the left side (consequence or impact). These controls serve as barriers. It is considered a Best Practice to implement multiple barriers or controls for each risk.
A common approach to identification of risk responses is known as the Four-Ts:
- Tolerate = Accept the risk as-is. No actions are taken to mitigate or reduce the risk. This should only be applied if the consequence of the risk event is smaller than the Risk Appetite
- Terminate = Change the process for the purpose of removing the risk
- Treat = Implement measures/controls that reduce the likelihood of the risk event occurring or minimizing its consequences once it has occurred
- Transfer = Buy insurance or other forms of payment to third parties who are prepared to accept the consequences of the risk event occurrence
It is strongly recommended to include risks for all Ts in the Monitor Risks process.
Use Cases
- Fire or flooding insurance to reduce the financial impact of a fire or flooding ('transfer')
- Multi-sourcing to reduce the occurrence of supply shortages from a single supplier ('treat likelihood')
- Distributed inventories to reduce the impact of logistics network congestion ('treat consequence')
- Implement Three-Way Matching to eliminate payment of incorrect invoices fro suppliers or service providers ('Terminate')
Notes
OpenReference recommends adoption of ISO 31000 processes to build Supply Chain Risk Management governance processes, systems and behaviors. Manage Supply Chain Risk (G3) provides the processes to describe an enterprise's Supply Chain Risk Management processes.
Compare to: ISO 31000:2009:5.4.4 Risk Evaluation.
Copyright
ISO 31000 is copyright ISO.
Risk Appetite
Supply Chain Risk Management
Risk Register
Hierarchy
ID | Name | Level | x | G3 | Manage Supply Chain Risk | 2 | G3 |
G304 | Evaluate Risks | 3 | G304 |
Workflow
Note: Common inputs and outputs are listed in alphabetical order. Other inputs and outputs may be required to support varying use cases.Evaluate Risks Manage Supply Chain Risk 930400 3 Evaluate, Risk, Management, SCRM, Supply Chain, Governance