SCRLC Metrics / Quantifying Risk (Track #4)

© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential.

SCRLC Metrics / Quantifying Risk (Track #4)
Edward Erickson, Track Co-leader
June 7, 2007


Transcript of SCRLC Metrics / Quantifying Risk (Track #4)

Page 1: SCRLC Metrics / Quantifying Risk (Track #4)

SCRLC

Metrics / Quantifying Risk (Track #4)

Edward Erickson

Track Co-leader

June 7, 2007

Page 2: SCRLC Metrics / Quantifying Risk (Track #4)

Agenda

Overview

Scope

Deliverables

Schedule / Milestones

What we need from the Council

Case Study

Page 3: SCRLC Metrics / Quantifying Risk (Track #4)

Overview

Participation: Excellent from thought leaders – lacking from practitioners

Track Track Leaders Track Members to Date*

4 Quantifying Risk / Metrics Feryal Erhun, Stanford

Edward Erickson, Cisco

Hau Lee, Stanford

Ely Kahn, TSA

Andrew Cox, TSA

Tim Astley, Zurich

Lance Solomon, Cisco

Survey Response Rate Poor

3 companies (P&G, Boeing, Cisco) + TSA

2 thought leaders (Stanford, Zurich)

Despite this, track members believe that:

this is a critical focus area

it will lag the other tracks and will have a longer payoff time frame

Research members will lead the effort in the early phases

Page 4: SCRLC Metrics / Quantifying Risk (Track #4)

Scope

In Scope

How to portray SC risk modeling & analysis results in an impactful way

Methods for quantifying SC risk to support decision making & measuring the impact of actions

Methods for modeling SC risk & identifying potential improvement actions

Tools & techniques for determining important risk events and the scope of models

How to ground SC risk data in reality

Out of Scope

Standards definitions

Tool/Modeling development

Industry specific methods

Page 5: SCRLC Metrics / Quantifying Risk (Track #4)

Deliverables – To Date

Survey practitioners to understand current SC risk metric practices

Survey thought leaders to determine Best Known Methods (BKMs)

Page 6: SCRLC Metrics / Quantifying Risk (Track #4)

Metrics/Quantifying Researcher Risk Survey

Who: All SCRLC research organizations – 1 survey per organization

Why: Get a good sample of all of the metrics/quantifying risk best practices from a research/theoretical point of view.

Questions:

1. What is the best known way to quantify SC risk?

2. What is the best way you’ve seen in practice to measure SC risk?

3. What are the major gaps you see between the best methods and what you’ve seen in practice?

4. What are your current areas of expertise and interest in measuring SC risk?

Page 7: SCRLC Metrics / Quantifying Risk (Track #4)

Summary of Researcher Survey Results (2 out of 5 Responded)

Where We Are

• Independent focus on supplier, disaster and IT risks
• Focus on easy to measure risks
• Lack of data
• Limited to analysis of the averages

Where We Need to Be

• Integrated view of supply chain risk
• Utilize distributions for occurrence and intensity
• Driven by historical loss/occurrence data
• Application of expert knowledge to address gaps in data

• Lack of data-driven analysis on key areas of supply chain risk
• Lack of understanding for all risks affecting the supply chain
• Focus on consequences rather than vulnerabilities and triggers
• Focus narrowly on cost – should include customer impact
• Focus only on most recent disruptions
• Minimal use of stochastic modeling

Page 8: SCRLC Metrics / Quantifying Risk (Track #4)

Metrics/Quantifying Practitioner Risk Survey

Who: All SCRLC companies & government agency members – 1 survey per organization

Why: Get a good sample of all of the metrics/quantifying risk practices across all member companies

Questions:

1. To what degree is SC risk management driven at your company (e.g. not at all, a strategic program, an ongoing part of the business, etc)?

2. Where do you want to see your company in 2 years with respect to SC risk measurement and metrics?

3. Do you use metrics/measurement as part of your SC risk management organization?

If you don't, what metrics/measurements could you envision as part of an effective process for managing risk?

If you do, what metrics/measurements do you currently use?

4. What data do you use to manage SC risk and manage your SC risk programs?

5. How do you use these data to manage SC risk and manage your SC risk programs?

6. What tools do you use to drive SC risk management decisions?

Page 9: SCRLC Metrics / Quantifying Risk (Track #4)

Summary of Practitioner Survey Results (4 out of 10 Responded)

Question P&G Boeing TSA Cisco

1. To what degree is SC risk management driven at your company (e.g. not at all, a strategic program, an ongoing part of the business, etc)?

On-going component of several business functions

Varies by subject and the division within the company. Mature in strategic planning and materials

Current - by each mode of transportation

Future - “systems” focused approach to risk management.

Subset of enterprise risk management group

2. Where do you want to see your company in 2 years with respect to SC risk measurement and metrics?

Continuing to use existing metrics in organizations that have risk responsibilities; will add other metrics as identified by the SCRLC if we believe they will add value

More focused, capable, and armed with more facts and data to more effectively guide SC risk management.

Accurately identify critical vulnerabilities and propose/develop countermeasures

Better quantification of the “ROI” for risk management activities.

SC risk part of the DNA within the business and operations groups

3. Do you use metrics/measurement as part of your SC risk management organization? If you don't, what metrics / measurements could you envision as part of an effective process for managing risk? If you do, what metrics / measurements do you currently use?

Identification and assessment, Audit Scores, Site risk assessment (risk identified, likelihood, business impact, risk rating) and plan against high risk rated scenarios

Volume of imports by supplier, country risk ratings based on a variety of criteria, metrics showing anticipated increases or decreases in supplier shipments.

Proxy metrics to determine effectiveness of risk management efforts

Risk scores/maps Time to recover, probabilistic revenue at risk

4. What data do you use to manage SC risk and manage your SC risk programs?

Data from the programs mentioned in question #3 & new ideas from industry leaders, consultants, academia, daily news

Individual Procurement Agents manage risk but higher level org. might oversee a collective SC risk program.

Classified intelligence information. Industry supplied transportation data.

Natural Hazard data, Geopolitical data, expert opinion

5. How do you use these data to manage SC risk and manage your SC risk programs?

Typically Scorecards & Leadership Reviews

N/A

Proxy measures to estimate the effectiveness of various regulations or security programs.

Metrics drive SC risk priorities

6. What tools do you use to drive SC risk management decisions?

Internal standards, culture and business unit financial accountability and agreement at the right level of management

N/A

Checklist tools in the field. Moving toward more advanced simulation models @ HQ. Macroeconomic models for costing.

Scorecards, Risk Ratings and Simulation

Page 10: SCRLC Metrics / Quantifying Risk (Track #4)

Deliverables - Planned

BKMs for portraying SC risk modeling & analysis results in an impactful way

BKMs for measuring SC risk and deciding what mitigation actions to pursue

BKMs and tools used for modeling risk and how to manage scope of these models

BKMs on SC risk data collection

BKMs for how to measure risk improvement based on supply chain improvements

Page 11: SCRLC Metrics / Quantifying Risk (Track #4)

Schedule / Milestones

Monthly teleconference except for months with core team meeting (9 meetings/yr)

May ’07:
• Kickoff & Agreement on Scope/Deliverables/Milestones/Meeting Schedule
• Complete survey on Metrics/Quantifying metrics
• Session to review survey results and prepare for June core team update

June ’07: Session on post core team update, change scope, etc

July ’07: Session on Best Known Methods (BKMs) for measuring risk & deciding what mitigation actions to pursue

August ’07: BKMs & tools used for modeling risk & how to manage scope of these models

September ’07: BKMs on event probability data collection

November ’07: BKMs for how to measure risk improvement based on supply chain improvements

Page 12: SCRLC Metrics / Quantifying Risk (Track #4)

What we need from the Council

1. Are you supportive of the longer term view required?

2. Are you supportive of the defined deliverables?

3. Fill out the survey

4. Join the team

Page 13: SCRLC Metrics / Quantifying Risk (Track #4)

Cisco

Case Study

Page 14: SCRLC Metrics / Quantifying Risk (Track #4)

Supply Chain Risk Mgmt. (SCRMx): The Challenge

[Diagram. Labels recovered from the slide: Strategic; Process / DNA; Foundational; Tactical; Responsive; Risk Strategy; Risk Tolerance; Risk Measures & Processes; Business Continuity Plans (BCP) - Partner; Business Continuity Mgmt. (BCM) - Process; Focus & Governance; Risk Budget; Pandemic Plan; Risk Map & Modeling; Crisis Mgmt. Plan; Quantify Risks; Crisis Drills; Comparative Risk Mitigation; Partner Site Risk Mgmt (PSRM); Transformation; Trans. & Logistics; Components; Customers]

Page 15: SCRLC Metrics / Quantifying Risk (Track #4)

High Level Process

Iterative process combining metrics and probabilistic modeling

Use exposure and recovery metrics to assess and determine focus areas

Use probabilistic modeling to quantify and measure the impact to the business and pareto key drivers

Assess / Quantify / Measure

Page 16: SCRLC Metrics / Quantifying Risk (Track #4)

Probabilistic Revenue Impact

Probability of an Event Occurring (%)
× Site Revenue ($/Wk)
× Time to Recover (Wks)
[Site Revenue × Time to Recover gives Revenue Impact ($)]
= Probabilistic Revenue Impact ($)

Example:

Probability of a Catastrophic Site Fire = %.01
× Prod. X, Company Y: $50 Mil /Qtr
× 52 Week Time to Recover (TTR)
Revenue Impact: $2.6 Bil
Probabilistic Revenue Impact = $26 Mil

Page 17: SCRLC Metrics / Quantifying Risk (Track #4)

Cisco Case Study – Key Metrics

Audiences: Exec. Mgmt. / Finance; Manufacturing Operations; Product Operations

Each question is followed by the metric that answers it.

• What should I be most concerned about? Metric: Risk Map, Rev. vs Risk (Event)
• What is the impact to my customer? Metric: TTR (Top Product)
• What is my Risk? How has it changed? Metric: Rev @ Risk (E2E)
• What are my costed options? What has it cost me? Metric: ROI

• What sites should I be most concerned about? Metric: Risk Map, Rev vs Risk (Site View)
• What are the most critical issues? Metric: TTR (Site View)
• What is the impact & likelihood? Metric: Rev @ Risk (Site View)
• What are the drivers? Metric: Pareto of Drivers
• What will be my ROI? Metric: ROI
• Are my partners resilient? Metric: BCP

• What products should I be most concerned about? Metric: Risk Map, Rev. vs Risk (Prod. View)
• What are the most critical components? Metric: TTR (Product View)
• What is their impact & likelihood? Metric: Rev @ Risk (Prod. View)
• What are the drivers? Metric: Pareto of Drivers
• What will be my ROI? Metric: ROI
• Are my partners resilient? Metric: BCP

Page 18: SCRLC Metrics / Quantifying Risk (Track #4)

Cisco Case Study - Probabilistic Modeling Methodology

Objective: Quantify drivers of risk and potential improvement from mitigations

Inputs:
• Site/Region Events & Frequency
• Time to Recover
• Expected Capacity Loss
• Supply chain redundancies
• Site Revenue

Integrated Model:
• Disruption
• Capacity Impact
• Financial Impact
• Excel Based
• Monte Carlo
• Crystal Ball Engine
• Direct Data Links

Outputs:
• Revenue @ Risk (Prod)
• Revenue @ Risk (Horiz.)
• Revenue @ Risk (E2E.)
• Revenue @ Risk (Event)
• Sensitivity Analysis identifying risk drivers
• What-if Analysis
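
The methodology above, sketched as an added example that is not part of the original deck or Cisco's model: a small Monte Carlo simulation in Python's standard library (in place of Excel and Crystal Ball) that takes the listed inputs and produces revenue at risk, a Pareto of site drivers and a what-if comparison. All site data is constructed, and the triangular time-to-recover distribution and independent yearly events per site are assumptions.

```python
import random
import statistics

# Constructed inputs, $M: weekly site revenue, annual event probability,
# TTR in weeks as (min, most likely, max), capacity lost during recovery,
# and the share of lost capacity a redundant site absorbs.
SITES = {
    "site_a": {"rev_wk": 4.0, "p_event": 0.02, "ttr": (8, 26, 52), "cap_loss": 1.0, "redundancy": 0.0},
    "site_b": {"rev_wk": 2.5, "p_event": 0.05, "ttr": (2, 6, 12), "cap_loss": 0.6, "redundancy": 0.5},
    "site_c": {"rev_wk": 1.0, "p_event": 0.10, "ttr": (1, 3, 8), "cap_loss": 0.4, "redundancy": 0.0},
}

def loss_per_week(site):
    """Revenue actually lost per week of outage after capacity loss and redundancy."""
    return site["rev_wk"] * site["cap_loss"] * (1 - site["redundancy"])

def expected_loss(site):
    """Averages-only estimate: probability x weekly loss x mean time to recover."""
    return site["p_event"] * loss_per_week(site) * sum(site["ttr"]) / 3

def simulate(sites, trials=20000, seed=7):
    """Simulate `trials` independent years; return yearly totals and per-site mean loss."""
    rng = random.Random(seed)
    totals, per_site = [], dict.fromkeys(sites, 0.0)
    for _ in range(trials):
        total = 0.0
        for name, site in sites.items():
            if rng.random() < site["p_event"]:            # disruption this year
                low, mode, high = site["ttr"]
                weeks = rng.triangular(low, high, mode)   # sampled time to recover
                loss = loss_per_week(site) * weeks
                per_site[name] += loss
                total += loss
        totals.append(total)
    return totals, {name: s / trials for name, s in per_site.items()}

def summarize(sites, **kwargs):
    """Revenue at risk: mean, tail percentiles, and a Pareto ranking of site drivers."""
    totals, means = simulate(sites, **kwargs)
    totals.sort()
    pct = lambda q: totals[int(q * (len(totals) - 1))]
    return {"mean": statistics.fmean(totals), "p95": pct(0.95), "p99": pct(0.99),
            "pareto": sorted(means, key=means.get, reverse=True)}

if __name__ == "__main__":
    base = summarize(SITES)
    # What-if: add 50% redundancy for the top driver and compare the tail.
    what_if = summarize({**SITES, "site_a": {**SITES["site_a"], "redundancy": 0.5}})
    print(base, what_if["p99"], sep="\n")
```

The gap between the mean and the 99th percentile is what an averages-only analysis hides: the expected yearly loss is small, while the tail is dominated by the rare, long outage at one site.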