The activities associated with the determination of the appropriate response ('controls') for each risk. Risk responses should focus on both sides of the Risk Bow Tie:
- Preventive controls reduce or eliminate the probability or likelihood of the occurrence of the risk event. This is the left side of the Risk Bow Tie.
- Corrective controls reduce or eliminate the impact or consequence once the risk event has occurred. This is the right side of the Risk Bow Tie.
The objective of risk management is to prevent the occurrence of a root cause (right side) from reaching the left side (consequence or impact). These controls serve as barriers. It is considered a Best Practice to implement multiple barriers or controls for each risk.
A common approach to identification of risk responses is known as the Four-Ts:
- Tolerate = Accept the risk as-is. No actions are taken to mitigate or reduce the risk. This should only be applied if the consequence of the risk event is smaller than the Risk Appetite.
- Terminate = Change the process for the purpose of removing the risk.
- Treat = Implement measures/controls that reduce the likelihood of the risk event occurring or minimize its consequences once it has occurred.
- Transfer = Buy insurance or other forms of payment to third parties who are prepared to accept the consequences of the risk event occurrence.
It is strongly recommended to include risks for all Ts in the Monitor Risks process.
Examples:
- Fire or flooding insurance to reduce the financial impact of a fire or flooding ('transfer')
- Multi-sourcing to reduce the occurrence of supply shortages from a single supplier ('treat likelihood')
- Distributed inventories to reduce the impact of logistics network congestion ('treat consequence')
- Implement Three-Way Matching to eliminate payment of incorrect invoices from suppliers or service providers ('terminate')
OpenReference recommends adoption of ISO 31000 processes to build Supply Chain Risk Management governance processes, systems and behaviors. Manage Supply Chain Risk (G3) provides the processes to describe an enterprise's Supply Chain Risk Management processes.
Compare to: ISO 31000:2009:5.4.4 Risk Evaluation.
ISO 31000 is copyright ISO.
|G3||Manage Supply Chain Risk||2||G3|
Note: Common inputs and outputs are listed in alphabetical order. Other inputs and outputs may be required to support varying use cases.