Are We Ready for Supply Risk Officers (SROs)?


This article discusses the importance of risk management in global supply chains and the need for organizations to organize effectively to manage risks. While the concept of a Supply Risk Officer (SRO) is not widely adopted, the article provides eight habits for effective risk management organizations, emphasizing the significance of managing strategic and tactical risks at various levels within the organization.


Not organizing to manage risk is tantamount to managing for failure.

Highlighting and describing the various aspects of risk in the global supply chain has ranked high on ChainLink’s research priorities over the last couple of years. The concept of risk management is certainly not new or revolutionary; but with the evolution of global/virtual supply chains and the recent occurrences of natural disasters and terrorist attacks, risk management now stands in the spotlight as a vital competence at both the individual and enterprise level. Indeed, today’s globally extended supply chains with tiers of virtual partners are inherently fraught with the probability for failure.

We’ve given you numerous articles within these pages on assessing and identifying supply chain risks, the multi-dimensional nature of global risks, and even a research paper on pandemic preparedness. My colleague, Bill McBeath, introduced the concept of “resilient supply chains” which consciously incorporate various mitigating strategies to not only battle the multi-faceted risks that continually present themselves in the supply chain domain, but also make risk management a competitive advantage. If risk management is strategically important, then how do we organize for success?

The Chief Risk Officer (CRO)

As a result of some major collapses in the financial industry (Barclay’s currency hedging disaster) and increasingly complex regulatory requirements (Sarbanes-Oxley), the role of the CRO developed in the last 10 years to provide focus around managing risk, primarily in the financial and energy sectors, but also in many businesses with extensive foreign operations. Wikipedia describes the position as “the executive in charge of assessing and planning for potential risks in the various segments of a given business model, such as computer security, compliance, and lawsuits, to minimize the firm’s liability and related management costs.” An examination of the list of the companies with CROs includes mostly financial institutions, with one notable entry, Enron, whose CRO was obviously doing a “heckuva of a job!”

The Supply Risk Officer (SRO)?

What I found interesting while investigating the CRO relevant literature was that corporations with supply chains, particulary extensive global supply chains, have not readily or overtly adopted the organizational role. One might argue that because the breadth of the global supply chain risks spread themselves across many functional organizations from Finance to HR to Legal to Procurement, prudence would dictate that someone should be focused on managing these multi-faceted risks, particularly if your enterprise depends on the health of your supply chain. Siloed risks only multiply the probability of failure. Furthermore, to borrow a process quality technique, when presented with amplified risk in the form of burgeoning global risks, the operative approach might be to contain the risk by appointing someone to explicitly focus on it. So why not have a SRO?

First, one of the organizational lessons of the Quality era that US companies went through in the 80s and 90s in their attempts to catch up to the Japanese, was that you could not impose quality from outside an organization. Having legions of Quality personnel running around proselytizing on quality and attempting to “inspect in” product quality simply did not work and was costly. Many a Vice President of Quality found themselves in a losing position trying to influence masses of employees who did not report to them to behave differently. We learned that Quality as a process attribute resulted from educating and training all individuals and then reinforcing it with consistent, quantitative management focus within each function. Risk management can be viewed as a similar process attribute whose institutionalization can only be accomplished via a similar approach of education, training, and embedding the competence within each of the affected organizations.

Second, Supply Chain (SC) risks range from the strategic (i.e. geo-political, pandemics, etc.) to the every day tactical risks that SC managers face (i.e. supplier quality issues, demand variances, etc.); and these must be addressed via different approaches. Managing strategic SC risks is largely an analytical exercise of assessing risk and developing mitigating strategies; thus it may make sense to create a role or team to develop competence in this area. Conversely, tactical risks are more effectively managed via the functional organizations (i.e. Procurement, Master Scheduling, etc.) who own them because again, tactical risk management is a process attribute that can only be effectively institutionalized at the functional level.

Finally, the designation of “officer” implies corporate liability assigned to the role. Thus, on a practical basis, creating another corporate officer with such broad but only “dotted line” authority would not be attractive to either the enterprise or individual, unless driven by a very compelling corporate objective.

If not an SRO, then what?

Just because the SRO role might not be right for the moment, enterprises that are strategically dependent on their supply chains cannot abdicate responsibility and do nothing, unless of course they have a suicidial impulse. There are a number of organizational actions that they should initiate to ensure that, at a miminum, they contain their risks; or better yet, they develop risk management as a strategic capability. Here are my eight habits of highly effective risk management organizations.

  • Expand your CRO charter. If you do have a CRO, then they should be given oversight over supply chain risk. It’s as critical as IT security or regulatory compliance and perhaps inherently more prone to failure.
  • Assign executive responsibility for SC risk management. The top SC executive should have clear responsibility for SC risk management which should be explicitly spelled out in their performance objectives and in a policy statement.
  • Manage strategic SC risk with a focused team. Create a team of analysts, either full or part-time, to periodically assess the strategic risks and develop mitigating strategies. The risk mitigation plans should be reviewed by the executive team on a consistent basis.
  • Use external experts when necessary. Management of global, strategic risks may involve areas of competence beyond your company’s normal expertise (ex. pandemics, foreign laws, etc.), and thus it may be prudent to contract for some external help to address specific risk areas.
  • Create a culture of Risk Managers. This attribute should be selected for, reinforced, and awarded at all levels of the SC organization from Buyer/Planners to Master Schedulers to Sr. Commodity Managers and SC Executives. Managing risk becomes a competence that you interview for, focus education and training, and incorporate into individual development and performance plans.
  • Manage tactical risks at the functional level. This requires developing a functional competence by successfully executing on item 4. Institutionalize via process documentation methods such as documenting risk mitigation plans for product transitions or the use of range forecasts or demand hedging for managing potential demand variances.
  • Engage your key SC partners in risk management. In this world of global, virtual supply chains, risk is amplified by the myriad of partners that you utilize. Your strategic SC risk team should engage key suppliers in their assessment analysis and even the development of mitigation plans when possible. Similarly, Buyers and Commodity Managers should consistently include the discussion of potential risks as part of their normal reviews. Joint ownership of the mitigation plans will strengthen it and increase the probability of success.
  • Articulate supply chain risk management as a strategic competence. Developing the ability to avoid supply disruptions and provide consistently excellent customer service should stand at the top of anyone’s list of competive advantages. If you execute well, then you can advertise it and use it as a selling point with potential customers to gain market share.

Organizing around developing a competence at risk management can really be reduced to a couple of simple imperatives. Risks need to be exposed to the light of scrutiny, or they lay in wait like a landmine, ready to endanger your business. Once exposed, then the combined strength and expertise of the extended SC team has a greater probability of success to defeat the risk than the lone individual. And hopefully, you’ll all sleep a little better.

Scroll to Top