Risk Operations Centers provide a single, centralized resource point for risk and resiliency governance. When incorporated into organizational governance regimes they can provide real-time, ongoing horizon scanning and predictive information. To be practical, there must be the capacity to receive, analyze, and manage incoming information in relation to the supply chain ecosystem to reasonably ensure continuous monitoring of supply chains is effective and efficient.
Risk insight that remains siloed cannot be taken into account to inform risk management efforts across the full extent of your organization. A risk control listening post, or Risk Operations Center is a key element of a mature risk management program. Its goal is to gain significantly greater insight into the issues that you face on an ongoing basis. A Center provides an established pathway to receive data, validate and synthesize the information, and report to the necessary functions across the organization to manage the risk. It also provides a path for risk managers to use information more collaboratively and effectively than a decentralized process.
Risk Operations Center – Making Strategic Use of Information
Silos are obstacles to efficiency across all industries. Any combination of risk triggers – internal or external – needs to be recognized for its potential impact across the enterprise. To accomplish this, a central focal point is required.
As the vehicle for sharing data across your organization and with your vendors, an effective Risk Operations Center can:
- Provide a data-centric integration point for incoming risk intelligence.
- Provide real-time vision into your supply chain risk management (SCRM) that combines monitoring with automated and manually curated actions to improve operational resilience.
- Provide a platform for data sharing that improves your ability to maximize resources.
- Provide a feed-forward/feed-back loop that allows for continuous improvement to processes and management of risk.
What’s on the Horizon?
Horizon scanning is at the heart of a Risk Operations Center:
- Horizon scanning is a stepwise process that should be coordinated with the analysis and response to information gained through observation.
- Predictive analytics uses available data garnered through horizon scanning to try to identify future outcomes.
- Mapping out a multi-category profile of third and Nth parties can reveal where resources can be focused to better understand potential supply chain disruptions, including breaches, where an organization’s operations may be significantly impacted.
A roadmap for horizon scanning and predictive analytics will help focus attention where resources are needed to develop a listening post in your setting. This center should consider continuous monitoring solutions intelligence to make data become actionable intelligence. In response to the need for better disruption forecasting, continuous monitoring is shifting to a wider multi-category review where metrics are tied to operational concerns. Real-time, automated, curated data needs to be managed over the broad spectrum of cyber; financial viability of vendors; Environment, Social, and Governance (ESG); location beyond geopolitical; and fourth parties.
Using this expanded continuous monitoring dataset, horizon scanning processes can yield insight into cause and effect such as:
- Can you predict the financial stability of a company?
- Can you predict a cyber attack – can you show a company’s cyber defenses make it more likely that an attack will occur?
- Can you predict a delay in key source materials or parts?
An example of where using horizon scanning to anticipate organizational needs could have improved response times and shifted operational focus is vaccine manufacture. Producers were unaware during early stages of production of the potential for shortages in raw materials, drug distribution vials, syringes, and dry ice – each a discrete component of the manufacturing and delivery process. Had this been identified earlier, the production and delivery of these key elements of vaccine delivery could have been modified to reduce the impact on the production and delivery of high volumes of vaccines to clinics around the world.
Can You Make Scanning Effective?
To be effective, since “humans don’t scale,” you need to be able to manage the data you get in a way that is timely. The practical effectiveness of horizon scanning and predictive analytics relies on several practices:
- Robust, accurate supply chain mapping. This step requires that an organization has its data house in order so that it can identify all its suppliers and their importance.
- Identify and mitigate risk at a level that allows for resilience. This effort requires different disciplines and risk control areas to be measured and interpreted.
- Sharing information in a cohesive way. Without some type of coordination, ideally through a Risk Operations Center, horizon scanning and subsequent analytics and mitigation lose value.
Looking Back to See Forward
Probability-based forecast modeling will provide a strong basis for improving the ability to predict future disruptions through simulation, scenario analysis, and other forms of optimization that support foresight into how you may influence what could happen. To accomplish this, you need to move from purely descriptive metrics that identify issues after the fact, what did or did not happen; to diagnostic data discovery that links what happened to why it happened.
Forecasting is coming into the continuous monitoring marketplace; however, predictive models have to be calibrated against historical data. In the current risk environment, there are not accumulated data sets for many of the issues that have emerged in recent years. Theoretical data can be used, though this can be hard to locate or non-existent. Meta data can be sanitized to serve as a starting point, though few organizations have the capacity to manage this task.
In the cases where data may exist, discerning what to view poses its own challenges. For instance, an indicator of interest might be how many access rights requests a vendor has in a given quarter and how that compares with that vendor or vendor set over time. The data may exist, but the people on the risk side may not be experienced at sourcing that data.
Learning how to get those access request logs and interpret the data is an educational opportunity. With this education, practitioners can begin to understand how analyze multi-category data and communicate up and down the organization .
Few Incidents, Big Impact
Horizon scanning is separate from predictive analytics. The terms are two processes that work side by side. A wide aperture will allow you to see the big picture and then use the data gained to synthesize a forecast of what that data might mean. This is a high bar, and may seem unrealistic for some risk governance programs.
Horizon scanning is a relative term. Getting attention on the need for horizon scanning and predictive analytics can be realized by focusing on realistic issues. The opportunities for anticipating organizational needs can be demonstrated through the operational and relationship advantages of understanding:
- Supply chain resilience; and
- Supply chain stakeholder collaboration.
Operational resilience is the goal. Greater buy-in can be achieved by moving beyond the risk conversation to show the overall value of a Risk Operations Center to your organization. Look for halfway points that will allow you to bring stakeholders together to support a more robust control environment. A target maturity matrix for managing resilience may be useful for calibrating expectations. With the horizon always changing, defining what you want to look for within your own organization can help provide perspective and a foundation for collaboration.
Creating a Roadmap for Driving Toward the Aspirational Goal
A Risk Operations Center should be designed to streamline risk management and make everyone’s job easier. There are layers of information coming in that can drown a listening post. The pathway to best practice is a horizon view that provides both vision and long-range insight. Buy-in from all risk areas and divisions is itself aspirational. If one division or risk manager endorses a move to forecasting and analysis, but other senior managers do not follow that direction, it is harder to effect change. A defined mandate from your C-suite will have the strongest impact and provide the needed resources and the result in the greatest value.