It takes more than one swallow to make a summer. Or: Top management commitment still low.

In November 2015, the Business Continuity Institute (BCI) and Zurich published the 'Supply Chain Resilience Report 2015'. This report, which is available via the BCI's website www.thebci.org, shows some positive trends in supply chain risk management. However, it also reveals that top management commitment is still on a low level.

Figure 1: Top management commitment to supply chain resilience (source: Business Continuity Institute/Zurich: Supply Chain Resilience Report 2015, Caversham.)

Figure 1 shows, that in comparison to the results of the 2014 survey, top management commitment to managing supply chain risks increased by 4 percentage points - which is for sure a positive trend. However, still only one third of the respondents see a high impact of top management commitment. If we follow the arguments of the reports, top management commitment is seen as an enabler of supply chain visibility, the percentage of high impact commitment is relatively low. Nevertheless, the percentage of respondents who see a low or no impact at all is reduced to 25 %.

Figure 2: Consequences of supply chain risks (source: Business Continuity Institute/Zurich: Supply Chain Resilience Report 2015, Caversham.)

One of the top question in risk management is 'what will be the consequences if risks do happen'? Figure 2 shows the consequences reported by the respondents of the survey. Not surprisingly, the loss of productivity is the type of consequence mentioned most. However, this type of consequence is an internal consequence, whereas the next important outcome are customer complaints, mentioned by 2 out of 5 respondents. Here, we can see, that consequences of risks are visible to and perceived by external parties.

Figure 3: Cumulative financial impact of supply chain interruptions (source: Business Continuity Institute/Zurich: Supply Chain Resilience Report 2015, Caversham.)

As figure 3 reveals, the cumulative cost of risks (assessed over a period of 12 month) show, that more than half of the risks have a slightly low impact. (Of course, this number should be seen in relation to the financial size of the company.) On the other hand, every 7th company realized cumulative cost of 1 million EUR or more. If we look at the cost of the most significant incident (a graphic that is accessible in the original report), we see that every 11th organization had a single incident with risk-related cost of 1 million EUR or more.

Figure 4: Predominant sources of risks with a supply chain (Business Continuity Institute/Zurich: Supply Chain Resilience Report 2015, Caversham.)

When we talk about supply chain risks, we should see the total supply chain. 'Supply chain visibility' is a key term - but has not been implemented widely yet. Figure 4 shows, that almost one third of the respondents does not (or is not able to) trace supply chain risks within the supply chain. Additionally, the diagram is also misleading, because it mixes exclusive and non-exclusive answers. The values for the first three bars should have been calculated on the basis of the 69 % of the respondents who do analyze the full supply chain. When we update those number we realize that

1. 72 % of the companies who analyze the full supply chain, identified the predominant source of interruption on 1st tier,
2. 30 % of those companies identified the main source on tier 2, and
3. some 11 % see the predominant source of the risk on a lower level.

Source: Business Continuity Institute/Zurich: Supply Chain Resilience Report 2015, Caversham. The full report, which contains much more information than shown in this short review, is available as a download from the BCI's website: http://www.thebci.org/index.php/bci-supply-chain-resilience-2015

'Business interruption' still THE hottest risk

The Allianz Risk Barometer - Top Business Risks 2016, the fifth annual survey focusing on corporate risks, has been published recently by Allianz SE and Allianz Global Corporate & Specialty SE (AGCS). It gives an overview on corporate risks, seen from the perspective of managers of AGCS and local Allianz entities. Overall, 824 respondents from 44 countries participated in the survey.

Figure 1: Top risks (Source: Allianz SE/Allianz Global Corporate & Specialty SE: Allianz Risk Barometer 2016 Appendix, 2016, p. 1)

A first look at the summary (see figure 1) does not reflect any surprises - and on the other hand leads to stop for a second: Two risks are new, they seem to be 'rising stars', since they were not existing in the previous study from 2015. Market development, which comprises volatility, intensified competition, and market stagnation, and macroeconomic development (i.e. austerity programs, commodity price increase, inflation/deflation) seem to be new. However, in former reports the individual risks of market respectively macoeconomic development had been ranked seperately - and are now ranked collectively. This leads to a shift in the top 10 list, and makes it difficult to compare the current results with the findings from 2015.

Besides that, the top 10 risks do not bear, as said, any surprises. Business interruption is still the 'hottest' risk. (We will look at some details in a minute.) The aforementioned market development is seen as second important risk. Cyber incidents are of growing concern: After 12 % in 2014 and 17 % in 2015, now 28 % of the respondents see cyber incidents as an important risk. The growth rate of those risks is alarming. (We will get back to cyber risks later in this article.) Both natural catastrophes and fire/explosion are seen to lose importance in relation to other risks. Changes in legislation and regulation also seems to be of lower significance, because it is ranked lower than in 2015. This, however, is a pitfall of the newly 'created' (i.e. compiled) risks - indeed the percentage of experts seeing changes in legislation and regulation as a risk, has risen from 18 % up to 24 %. Thus, the 'trend' shown in the rightmost column is a misleading and not fully correct information for some of the risks.

Figure 2: Geopolitical risks (Source: Allianz SE/Allianz Global Corporate & Specialty SE: Allianz Risk Barometer - Top Business Risks 2016, 2016, p. 5)

A second critical remark must be made about the classification of risk. Of course, an exact classification that avoids any grey or fuzzy areas is almost impossible. There are numerous schemes for classification, but almost non of them allows for a selective clustering of risks. In the 2016 risk barometer we can observe the problems of non-selective risk groups. Although there is one risk category 'business interruption' (THE no 1 risk), there are other classes of risks, that integrate or at least lead to some portions of business interruption. For example, when looking at details of political risks, we can see the cause effect relationship of those risks with business interruptions. When asked what risks within the context of geopolitical instability businesses were most worried about, more than half of the respondents mentioned impact on supply chains (see figure 2). Also, other risks, such as natural catastrophes, fire and explosion, and cyber incidents can lead to severe business interruptions (see figure 3). Thus, due to the fuzzy classification and some implicit cause effect relationships within the top risks, the ranking of the risks is not fully explicable.

Figure 3: Major causes of business interrpution (Source: Allianz SE/Allianz Global Corporate & Specialty SE: Allianz Risk Barometer - Top Business Risks 2016, 2016, p. 6)

Besides nat cat's and fires or explosions, business interruption risks are created within a supply chain: As figure 3 shows, also supplier failure is one of the top 3 causes of business interruptions that companies fear most.

In the future, cyber incidents are seen as heavily increase the threat of business interruptions: 59 % of the respondents see cyber incidents as major future threat.

Figure 4: Causes of economic loss after cyber incidents (Source: Allianz SE/Allianz Global Corporate & Specialty SE: Allianz Risk Barometer - Top Business Risks 2016, 2016, p.11)

Cyber incidents are not only cyber attacks (or cyber crime in general), but also data breaches and general IT failures. Industry 4.0 (or the 'Internet of Things') and its underlying trend of continuing and accelerating digitalization is a development that - besides increased effectiveness and efficiency - lead to new and more risks. Those possible negative impacts that companies fear most are shown in figure 4. As can be seen from figure 5, cyber incidents can lead to economic losses due to different reasons. Reputational loss is the most important cause for economic losses, followed by business interruptions.

Figure 5: Impacts of ongoing digitalization (Source: Allianz SE/Allianz Global Corporate & Specialty SE: Allianz Risk Barometer - Top Business Risks 2016, 2016, p.12)

If companies look into the long-term future, i.e. 10 years or later, cyber incidents are seen as the top emerging risk: 33 % of the experts see such cyber incidents as the most important future risk. This fits to the result mentioned earlier which described the rise of cyber risks as top current risks. Behind cyber incidents, managers see business interruptions (11 %) and terrorism (9 %) as emerging risks in the far future.

The study results (Allianz Risk Barometer - Top Business Risks 2016 and Allianz Risk Barometer 2016 Appendix) can be downloaded from AGCS' website: http://www.agcs.allianz.com/insights/white-papers-and-case-studies/allianz-risk-barometer-2016/

The mind-set has not changed... (or: results of the 4th survey on risk management in the logistics industry)

My colleague, Prof. Dr. Dirk Lohre of Heilbronn University, and I have been conducting empirical research in the logistics industry since 2008. Our intention has been - and still is - to monitor the status of risk management in logistics companies, to identify trends and developments, and to give recommendations to companies.

This year (2015), we have carried out the 4th survey on risk management in the logistics industry. And - to put it in a nutshell: The situation, i.e. the degree of application and also (and even more important) the mind-set of logistics service providers regarding risk management has not changed. That is the main result of this year's survey - and you could stop here, if you are not interested in any details.

If you, however, would like to get a more detailed idea of what the status of risk management in this industry is, please do carry on...

Before we look at results, let me give you some numbers on the survey: The online questionaire used for the survey was available from March to April 2015. The survey was promoted using social media channels (xing.com) and by our media partner EuroTransportMedia Verlags- und Veranstaltungs-GmbH. 73 companies have answered our survey.

Figure 1: Top 5 future risks for logistics companies

Let us look at some selected results. First, we were interested in the top risks from the perspective of logistics companies. Figure 1 above shows future risks and the percentage of companies that see those risks within their personal top 5 risks (multiple answers were possible). As in our previous studies, human resource related risks are seen as the top future risk. In our current survey, those risks are also seen as #1 of the current risks - and this is a change to previous years. The HR related risks have two basic causes: On the one hand, the current and future lack of truck drivers is obvious. On the other side, logistics processes and process chains are becoming increasingly complex, for example due to ongoing globalization and still increasing tendencies of outsourcing logistical business processes (contract logistics). To cope with those new challenges, more well-educated staff is required.

Although energy prices have decreased for some time, companies see fluctuations in energy prices as the #2 future risk. This is understandable, since energy cost are a major driver of total cost, especially for those companies with a focus on trucking.

It is interesting, that the top 5 risks differ from the top risks in the Allianz Risk Barometer (take a look at our blog entry from March 'Our number one is... Supply Chain Risks! (But beware of Cyber Crime!)': There, the top risks are business interruption and supply chain, natural catrastrophes, and fire and explosions. Cyber crime - a risk that is becoming more and more important - is not within the top 5 risks; however, 39 % of the LSP's see cyber risks as important risks.

Figure 2: Application of risk management in the logistics industry

Even if competition is becoming stronger, logistics process chains show an increased complexity, and German law requires risk management, the application of risk management in the logistics industry is on a relatively low level. As figure 2 displays, only a little bit more than half of the LSP's have a risk management in place. Looking at the development from 2008 until now, the use of risk management has not changed much over time. Instead, the percentage values are more or less constant over time. We still see a group of some 25-30 % of the companies that do not have risk management in place, and also do not plan to implement risk management soon. Thus, the need for risk management is not seen by many logistic service providers.

Figure 3: Methods used in risk management in the logistics industry

Those LSP's who have a running risk management in place, show - in average - only a medium level of maturity. Take, for example, the methods used for risk identification and assessment. As figure 3 shows, the methods most commonly used are expert and employee consultations, checklists and brainstorming. More sophisticated methods, such as FMEA, fault tree analysis, or simulation are only used by less the 3 out of 10 LSP's. Even risk maps, as an easy tool for communicating risks, are only used by 30 % of the companies. It is somehow irritating, that a risk inventory is not used by any of the companies - or that the term 'risk inventory' is maybe just unknown.

To sum it up: Comparing the results of our surveys over time, we do not see significant changes in both the application of and the maturity of risk management in the logistics industry. Both offer room for improvement. We forecast, however, an increasing pressure by customers, banks, and insurance companies on LSP's to implement a risk management system.

The full report Huth, M./Lohre, D.: Risikomanagement in der Speditions- und Logistikbranche: Bestandsaufnahme zu Verbreitung und Reifegrad, Discussion Papers in Business and Economics (17), Fulda 2015 (unfortunately only in Germna) can be downloaded here: fuldok.hs-fulda.de/opus4/frontdoor/index/index/docId/349

Our number one is... Supply Chain Risks! (But beware of Cyber Crime!)

Business interruption and supply chain risks are - by far - the most important risks for managers. Cyber risks on the other side made a significant jump into the top 10 business risks. That is the bottom line of the 'Allianz Risk Barometer - Top Business Risks 2015', published in January 2015 (see press release and downloadable files here: http://www.agcs.allianz.com/about-us/news/press-riskbarometer2015/). For the study, Allianz (Allianz Global Corporate & Specialty, or in short: AGCS) asked more than 500 managers from 47 countries, with a focus on the corporate insurance sector for both large industrial and mid-sized companies. (The term mid-sized companies, however, is in some way misleading, since it does not match the categorization by the European Union. In the Allianz survey, mid-sized companies are defined by a revenue of not more than 250 million Euros.)

Figure 1: Top Business Risks 2015. Source: Allianz Global Corporate & Specialty: Allianz Risk Barometer 2015 Appendix, http://www.agcs.allianz.com/assets/PDFs/Reports/Allianz-Risk-Barometer-2015_Appendix.pdf.

As show in figure 1, almost half of the respondents mentioned business interruptions (BI) and supply chain (SC) risks as a top risk (46 % - after 43 % in 2014). More specifically, those risks are crucial for manufacturing companies; in this industry BI and SC risks had been mentioned by more than two third (68 % - after 60 % in 2014).

On one hand, this results are accompanied by an increasing awareness of such risks and their consequences for an enterprise's business. As Mark Mitchell, Regional CEO for Asia at AGCS puts it: "Companies now have a greater understanding of the need to monitor risk aggregations, not just geographically, but also in business interruption exposures." On the other hand, AGCS identified crucial discrepancies between the awareness and actual measures and systems to prevent companies from those risks. The study states: "[...] adequate [...] business continuity management remains a gap in many multinational companies' supply chain risk management programs." And: "Interdependencies between suppliers is often a big unknown. Many businesses still do not have alternate suppliers."

One of the big 'movers' (or should we say: one of the 'rising stars'?) are cyber risks. While two years ago, cyber risks were ranked 15th (with 6 % of the respondents mentioning this type of risk), the importance of cyber risks has grown steadily: In 2014, those risks were ranked 8th, listed by 12 % of the companies. In 2015, cyber risks were mentioned as a top risk by every 6th company (17 %), and were ranked 5th. Cyber risks are ranked 2nd in Germany (32 %), 3rd in the UK (30 %), and 3rd in the US (26 %). And: cyber risks are seen as no 1 risk for the next five years.

Figure 2: Top risks for which businesses are least prepared. Source: Allianz SE/Allianz Global Corporate & Specialty SE: Allianz Risk Barometer - Top Business Risks 2015, http://www.agcs.allianz.com/assets/PDFs/Reports/Allianz-Risk-Barometer-2015_EN.pdf

However, cyber risks are crucially underestimated. 73 % (that's almost 3 out of 4 companies!) of the companies say, the risk of cyber crime is underestimated. Even worse, more than half of the companies (54 %) has not even analyzed the problem! As a consequence, 29 % of the enterprises admit not to be sufficiently prepared for cyber risks, while for other risks this number is significantly smaller (see figure 2). The most feared cyber risk is data theft and manipulation (64 %), followed by loss of reputation (48 %) and increased threat of persistent hacking (44 %).

It is interesting that a shortage of skilled talents in combination with an aging workforce is not seen as a major risk. Exceptions from this observation: This risk seems to be relevant for Australia and the USA - in those two countries, talent shortage/aging workforce are ranked within the top 10 risks.

Figure 3: Top risks for the long-term future (5 to 10 years 'plus'). Source: Allianz SE/Allianz Global Corporate & Specialty SE: Allianz Risk Barometer - Top Business Risks 2015, http://www.agcs.allianz.com/assets/PDFs/Reports/Allianz-Risk-Barometer-2015_EN.pdf

In a long-term perspective, climate change is identified as the most concerning risk, directly followed by natural catastrophes (see figure 3). This is understandable, since at least the financial lossed resulting from natural catastrophes have increased dramatically over time.

Don't play it safe...

'Don't play it safe when it comes to Supply Chain Risk Management' - that is the title of Accenture's new 'global operations megatrends study'. The analysist at Accenture took a look at SCRM to identify the current top risks for supply chains and also the functions or areas within a supply chain that seem to be most at risk. Accenture also aims to highlight some best-practices top companies are implementing when it comes to setting-up and effective SCRM.Thus, let's take a look at the results of the study...

The respondents that were contacted within the survey are more than 1,000 senior managers; most of them are from large global companies from all over the world.

Figure 1: Greatest sources of supply chain risk, source: Accenture: Don't play it safe when it comes to Supply Chain Risk Management, 2014, p. 5.

When focusing on the top souces for supply chains risks, the study shows that the most important risk  source is IT (see figure 1). Two contributing factors are mentioned: On one hand, companies have failed to set-up agile IT organizations that can quickly react to market demand changes. On the other hand, too much data is insufficient or even missing or not accessible - leading to a still low level of visibility within the supply chain. Disasters, however, although often leading to high negative consequences, are not ranked as a top risk - probably due to their low probability of occurrence.

Figure 2: Approaches to risk management, source: Accenture: Don't play it safe when it comes to Supply Chain Risk Management, 2014, p. 6.

More than 75 % of the companies see operational risk management as important or even very important. This importance can be seen in the different approaches to risk management (see figure 2). The most important approaches are having a risk management in place, the use of alternative partners when needed, and the use of IT and organization to reach a visibility regarding risks. It is interesting and seems contradictory that approaches to visibility are mentioned as some risk management measure, whereas there is still a high degree of intransparency in supply chains - as mentioned above in the sections on top risks.

Accenture reports about very promising quantitative results of risk management, which can be measured by the return on investment (ROI). 21 % of the companies reached an ROI of between 51 % and 100 % from their investments in SCRM. Another 7 % of the enterprises are proud to have an ROI of even more than 100 %. However, the the question remains, how an ROI from specific actions can be measured without taking into account additional influences (from outside risk management activities).

Accenture's analysts identified three key practices that support and enhance the effectiveness of SCRM:

1. Leaders (the abovementioned group of companies with an ROI of more than 100 %) take care that SCRM gets a top priority in a company. They support this approach by installing a risk management officer, by developing SCRM skills of employees, and other practices.
2. Leading companies show a higher degree of centralization when it comes to SCRM. 43 % of the leaders have a centralized risk management, whereas only 37 % of the other companies have risk management centralized.
3. Leaders are considerably investing into SCRM, especially to increase the end-to-end visibility within the supply chain. 60 % of the leaders increase their investments in this area by more than 20 %. Only 23 % of the other companies have planned such high investments.

The study shows interesting results. It can be used to promote SCRM in an enterprise. Also, some best-practice approaches are mentioned. On the other hand, since most of the respondents are managers from large companies, it is not clear if those results would hold true also for small and medium enterprises. Also, the identification of 'leaders' by the ROI on SCRM-related investments seems to be at least questionable. This also concerns some of the best-practice approaches (especially the question of centralization/decentralization of SCRM).

The full study 'Don't play it safe when it comes to Supply Chain Risk Management', published by Accenture in 2014, can be downloaded from Accenture's website: http://www.accenture.com/SiteCollectionDocuments/PDF/Accenture-Global-Megatrends-Operations-Supply-Chain-Risk-Management.pdf

Risk Management in the Logistics Industry - Still Room for Development/Risikomanagement in der Logistikbranche - noch viel Luft nach oben

Since 2009, my colleague Prof. Dr. Dirk Lohre of Heilbronn University and myself have been conducting surveys in the logistics industry to assess the degree of maturity of risk management (RM) in the logistics industry.

Our latest survey had been conducted already in 2013; however, the results were published only a few weeks ago. They can be found in the International Journal "Transport and Logistics".

What are key results of the survey?

Figure 1: Use of RM in the logistics industry

1. The current top risks for managers in the logistics industry are the competitive conditions in the in industry, risks involved with human resources (espc. truck drivers), and operational risks. They also see those three risks as top future risks. Beside those risks, they also see rising/volatile energy prizes as a thread.
2. Only a little more than half of the companies that responded to the questionaire have already an RM system in place (see figure 1). Some have planned the implementation of RM within the next two years. However, every sixth enterprise has not planned to set-up RM at all.
3. Although both HR and operational risks are seen as top threads, only less than half the companies continously apply RM to those functions. The rest either applies RM methods sporadically or not at all (see figure 2). In contrast, the application rate of RM in accounting/controlling and for the general management is tremendously higher.
4. When asked for what well-established methods/tools are used for RM, more than two third of the managers answered, that brainstorming, check lists, and interviews of experts and/or employees are the most common approaches. It is noteworthy, that FMEA and risk maps are used only by less than 30 % of the logistics enterprises. Other techniques are rarely used at all.

As a conclusion we draw from our 3rd empirical survey, we state that the degree of maturity of RM in the LSP sector is still relatively low. This can be seen by the low degree of using RM in general, and by the application of methods, instruments, and also IT tools.

The article "Risk Management in Logistics Enterprises: Findings from the 2013 Empirical Study" by Michael Huth and Dirk Lohre in "Transport Logistics" (No 2 (22)/2014) can be found here: http://www.logistics-and-transport.eu/index.php/main/article/view/323

-----

Seit dem Jahr 2009 führen mein Kollege Prof. Dr. Dirk Lohre von der Hochschule Heilbronn und ich empirische Befragungen in der Logistikbranche durch, um den Reifegrad des Risikomanagements (RM) in im Speditions- und Logistiksektor zu erfassen.

Unsere letzte Erhebung wurde zwar bereits im 2013 durchgeführt; die Ergebnisse wurde allerdings erst vor wenigen Wochen in der internationalen Logistikzeitschrift "Transport and Logistics" veröffentlicht.


Welche wesentlichen Ergebnisse lassen sich aus der Studie ziehen?

Figure 2: Use of RM for specific functions

1. Die aktuellen Top-Risiken für Manager im Logistiksektor sind die Wettbewerbsbedingungen in dieser Branche, personalbezogene Risiken (bspw. aufgrund des Fahrermangels) sowie operative Risiken. Die Befragten sehen diese drei Risiken auch zukünftig als die wichtigsten drei Risiken an. Daneben werden allerdings auch steigende bzw. volatile Energiepreise als Bedrohung wahrgenommen.
2. Nur etwas mehr als die Hälfte der Unternehmen, die auf den Fragebogen antworteten, nutzt bereits ein RM (siehe Figure 1). Einige der Unternehmen haben sich auf die Fahne geschrieben, innerhalb der nächsten zwei Jahre ein RM zu implementieren, aber für jedes sechste Unternehmen ist RM derzeit kein Thema.
3. Obwohl personalbezogene und operative Risiken als Top-Risiken angesehen werden, wendet nur weniger als die Hälfte der Unternehmen ihr RM kontinuierlich in diesen Bereichen an. Der Rest der Unternehmen befasst sich mit den Risiken in diesen Funktionen entweder nur von Zeit zu Zeit oder überhaupt nicht (siehe Figure 2). Im Gegensatz dazu ist die Anwendung von RM im Bereich Kostenrechnung/Controlling sowie für die Geschäftsführung deutlich höher.
4. Auf die Frage, welche Methoden oder Tools im Rahmen des RM angewandt werden, antworteten mehr als zwei Drittel der Manager, dass vor allem Brainstorming, Checklisten sowie Experten- und Mitarbeiterinterviews genutzt würden. Es ist allerdings auch bemerkenswert, dass FMEA und Risk Maps nur von 30 % und weniger der Logistikunternehmen angewandt werden. Andere methodische Ansätze werden kaum genutzt.

Als wesentliche Schlussfolgerung aus der 3. empirischen Befragung lässt sich konstatieren, dass der Reifegrad des RM in der Logistikbranche weiterhin als relativ niedrig anzusehen ist. Dies gilt sowohl auf Basis des doch recht niedrigen Anwendungsgrads insgesamt als auch für die Nutzung von Methoden, Instrumenten und IT-Anwendungen.

Informationen zum Artikel "Risk Management in Logistics Enterprises: Findings from the 2013 Empirical Study" von Michael Huth and Dirk Lohre in der Zeitschrift "Transport Logistics" (No 2 (22)/2014) sind an folgender Stelle im Internet verfügbar: http://www.logistics-and-transport.eu/index.php/main/article/view/323