© 2007 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 1
SCRLC
Metrics / Quantifying Risk (Track #4)
Edward Erickson
Track Co-leader
June 7, 2007
Agenda
Overview
Scope
Deliverables
Schedule / Milestones
What we need from the Council
Case Study
Overview
Participation: Excellent from thought leaders – lacking from practitioners
Track Track Leaders Track Members to Date*
4 Quantifying Risk / Metrics Feryal Erhun, Stanford
Edward Erickson, Cisco
Hau Lee, Stanford
Ely Kahn, TSA
Andrew Cox, TSA
Tim Astley, Zurich
Lance Solomon, Cisco
Survey Response Rate Poor
3 companies (P&G, Boeing, Cisco) + TSA
2 thought leaders (Stanford, Zurich)
Despite this, track members believe that:
this is a critical focus area
it will lag the other tracks and will have a longer payoff time frame
Research members will lead the effort in the early phases
Scope
In Scope
How to portray SC risk modeling & analysis results in an impactful way
Methods for quantifying SC risk to support decision making & measuring the impact of actions
Methods for modeling SC risk & identifying potential improvement actions
Tools & techniques for determining important risk events and the scope of models
How to ground SC risk data in reality
Out of Scope
Standards definitions
Tool/Modeling development
Industry specific methods
Deliverables – To Date
Survey practitioners to understand current SC risk metric practices
Survey thought leaders to determine Best Known Methods (BKMs)
Metrics/Quantifying Researcher Risk Survey
Who: All SCRLC research organizations – 1 survey per organization
Why: Get a good sample of all of the metrics/quantifying risk best practices from a research/theoretical point of view.
Questions:
1. What is the best known way to quantify SC risk?
2. What is the best way you’ve seen in practice to measure SC risk?
3. What are the major gaps you see between the best methods and what you’ve seen in practice?
4. What are your current areas of expertise and interest in measuring SC risk?
Summary of Researcher Survey Results (2 out of 5 Responded)
Where We Are
• Independent focus on supplier, disaster and IT risks
• Focus on easy to measure risks
• Lack of data
• Limited to analysis of the averages
Where We Need to Be
• Integrated view of supply chain risk
• Utilize distributions for occurrence and intensity
• Driven by historical loss/occurrence data
• Application of expert knowledge to address gaps in data
• Lack of data-driven analysis on key areas of supply chain risk
• Lack of understanding for all risks affecting the supply chain
• Focus on consequences rather than vulnerabilities and triggers
• Focus narrowly on cost – should include customer impact
• Focus only on most recent disruptions
• Minimal use of stochastic modeling
Metrics/Quantifying Practitioner Risk Survey
Who: All SCRLC companies & government agency members – 1 survey per organization
Why: Get a good sample of all of the metrics/quantifying risk practices across all member companies
Questions:
1. To what degree is SC risk management driven at your company (e.g. not at all, a strategic program, an ongoing part of the business, etc)?
2. Where do you want to see your company in 2 years with respect to SC risk measurement and metrics?
3. Do you use metrics/measurement as part of your SC risk management organization?
If you don't, what metrics/measurements could you envision as part of an effective process for managing risk?
If you do, what metrics/measurements do you currently use?
4. What data do you use to manage SC risk and manage your SC risk programs?
5. How do you use these data to manage SC risk and manage your SC risk programs?
6. What tools do you use to drive SC risk management decisions?
Summary of Practitioner Survey Results (4 out of 10 Responded)
Question P&G Boeing TSA Cisco
1. To what degree is SC risk management driven at your company (e.g. not at all, a strategic program, an ongoing part of the business, etc)?
On-going component of several business functions
Varies by subject and the division within the company. Mature in strategic planning and materials
Current - by each mode of transportation
Future - “systems” focused approach to risk management.
Subset of enterprise risk management group
2. Where do you want to see your company in 2 years with respect to SC risk measurement and metrics?
Continuing to use existing metrics in organizations that have risk responsibilities; will add other metrics as identified by the SCRLC if we believe they will add value
More focused, capable, and armed with more facts and data to more effectively guide SC risk management.
Accurately identify critical vulnerabilities and propose/develop countermeasures
Better quantification of the “ROI” for risk management activities.
SC risk part of the DNA within the business and operations groups
3. Do you use metrics/measurement as part of your SC risk management organization? If you don't, what metrics / measurements could you envision as part of an effective process for managing risk? If you do, what metrics / measurements do you currently use?
Identification and assessment, Audit Scores, Site risk assessment (risk identified, likelihood, business impact, risk rating) and plan against high risk rated scenarios
Volume of imports by supplier, country risk ratings based on a variety of criteria, metrics showing anticipated increases or decreases in supplier shipments.
Proxy metrics to determine effectiveness of risk management efforts
Risk scores/maps Time to recover, probabilistic revenue at risk
4. What data do you use to manage SC risk and manage your SC risk programs?
Data from the programs mentioned in question #3 & new ideas from industry leaders, consultants, academia, daily news
Individual Procurement Agents manage risk but higher level org. might oversee a collective SC risk program.
Classified intelligence information. Industry supplied transportation data.
Natural Hazard data, Geopolitical data, expert opinion
5. How do you use these data to manage SC risk and manage your SC risk programs?
Typically Scorecards & Leadership Reviews
N/A
Proxy measures to estimate the effectiveness of various regulations or security programs.
Metrics drive SC risk priorities
6. What tools do you use to drive SC risk management decisions?
Internal standards, culture and business unit financial accountability and agreement at the right level of management
N/A
Checklist tools in the field. Moving toward more advanced simulation models @ HQ. Macroeconomic models for costing.
Scorecards, Risk Ratings and Simulation
Deliverables - Planned
BKMs for portraying SC risk modeling & analysis results in an impactful way
BKMs for measuring SC risk and deciding what mitigation actions to pursue
BKMs and tools used for modeling risk and how to manage scope of these models
BKMs on SC risk data collection
BKMs for how to measure risk improvement based on supply chain improvements
Schedule / Milestones
Monthly teleconference except for months with core team meeting (9 meetings/yr)
May ’07: Kickoff & Agreement on Scope/Deliverables/Milestones/Meeting Schedule; Complete survey on Metrics/Quantifying metrics; Session to review survey results and prepare for June core team update
June ’07: Session on post core team update, change scope, etc.
July ’07: Session on Best Known Methods (BKMs) for measuring risk & deciding what mitigation actions to pursue
August ’07: BKMs & tools used for modeling risk & how to manage scope of these models
September ’07: BKMs on event probability data collection
November ’07: BKMs for how to measure risk improvement based on supply chain improvements
What we need from the Council
1. Are you supportive of the longer term view required?
2. Are you supportive of the defined deliverables?
3. Fill out the survey
4. Join the team
Cisco
Case Study
Supply Chain Risk Mgmt. (SCRMx): The Challenge
[Figure: SCRMx framework diagram. Tiers: Strategic, Process / DNA, Foundational, Tactical, Responsive. Boxes: Risk Strategy; Risk Tolerance; Risk Measures & Processes; Business Continuity Plans (BCP) - Partner; Business Continuity Mgmt. (BCM) - Process; Focus & Governance; Risk Budget; Pandemic Plan; Risk Map & Modeling; Crisis Mgmt. Plan; Quantify Risks; Crisis Drills; Comparative Risk Mitigation; Partner Site Risk Mgmt (PSRM). Scope: Transformation, Trans. & Logistics, Components, Customers.]
High Level Process
Iterative process combining metrics and probabilistic modeling
Use exposure and recovery metrics to assess and determine focus areas
Use probabilistic modeling to quantify and measure the impact to the business and pareto key drivers
Assess
Quantify
Measure
Probabilistic Revenue Impact
Site Revenue ($/Wk) x Time to Recover (Wks) = Revenue Impact ($)
Probability of an Event Occurring (%) x Revenue Impact ($) = Probabilistic Revenue Impact ($)
Example:
Probability of a Catastrophic Site Fire = %.01
Prod. X Company Y $50 Mil /Qtr x 52 Week Time to Recover (TTR) = $2.6 Bil Revenue Impact
Probabilistic Revenue Impact = $26 Mil
Cisco Case Study – Key Metrics
Exec. Mgmt. / Finance
• What should I be most concerned about? → Risk Map Rev. vs Risk (Event)
• What is the impact to my customer? → TTR (Top Product)
• What is my Risk? How has it changed? → Rev @ Risk (E2E)
• What are my costed options? What has it cost me? → ROI
Manufacturing Operations
• What are the most critical issues? → TTR (Site View)
• What is the impact & likelihood? → Rev @ Risk (Site View)
• What are the drivers? → Pareto of Drivers
• What will be my ROI? → ROI
• Are my partners resilient? → BCP
• What sites should I be most concerned about? → Risk Map Rev vs Risk (Site View)
Product Operations
• What products should I be most concerned about? → Risk Map Rev. vs Risk (Prod. View)
• What are the most critical components? → TTR (Product View)
• What is their impact & likelihood? → Rev @ Risk (Prod. View)
• What are the drivers? → Pareto of Drivers
• What will be my ROI? → ROI
• Are my partners resilient? → BCP
Cisco Case Study - Probabilistic Modeling Methodology
Objective: Quantify drivers of risk and potential improvement from mitigations
Inputs
• Site/Region Events & Frequency
• Time to Recover
• Expected Capacity Loss
• Supply chain redundancies
• Site Revenue
Integrated Model
• Disruption
• Capacity Impact
• Financial Impact
• Excel Based
• Monte Carlo
• Crystal Ball Engine
• Direct Data Links
Outputs
• Revenue @ Risk (Prod)
• Revenue @ Risk (Horiz.)
• Revenue @ Risk (E2E.)
• Revenue @ Risk (Event)
• Sensitivity Analysis identifying risk drivers
• What-if Analysis
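
An added sketch of the kind of Monte Carlo revenue-at-risk model the methodology slide describes, written in Python rather than the Excel / Crystal Ball model the deck used; it is not Cisco's model. The site names, probabilities, revenues, capacity-loss and redundancy fractions, and the triangular time-to-recover ranges are constructed sample inputs.

```python
import random

# Constructed sample inputs (not from the deck). Per site: annual event
# probability, site revenue ($M/wk), time to recover in weeks as
# (min, most likely, max), expected capacity loss, and the share of lost
# capacity that a redundant site can absorb.
SITES = {
    "site_a": {"p": 0.01, "rev_wk": 50.0, "ttr": (26, 52, 78), "cap_loss": 1.0, "redundancy": 0.0},
    "site_b": {"p": 0.05, "rev_wk": 20.0, "ttr": (2, 6, 12), "cap_loss": 0.5, "redundancy": 0.5},
    "site_c": {"p": 0.02, "rev_wk": 30.0, "ttr": (4, 8, 20), "cap_loss": 0.8, "redundancy": 0.0},
}

def impact(s, ttr_weeks):
    """Revenue impact ($M) of one disruption: site revenue x time to recover,
    scaled by the capacity lost and not covered by redundancy."""
    return s["rev_wk"] * ttr_weeks * s["cap_loss"] * (1 - s["redundancy"])

def point_estimate(sites):
    """Averages-only view: probability x revenue impact at the mean TTR."""
    return sum(s["p"] * impact(s, sum(s["ttr"]) / 3) for s in sites.values())

def simulate(sites, trials=200_000, seed=7):
    """Monte Carlo over event occurrence and TTR: mean, tail losses, Pareto."""
    rng = random.Random(seed)
    totals, by_site = [], dict.fromkeys(sites, 0.0)
    for _ in range(trials):
        total = 0.0
        for name, s in sites.items():
            if rng.random() < s["p"]:          # does the event occur this year?
                lo, mode, hi = s["ttr"]
                loss = impact(s, rng.triangular(lo, hi, mode))
                by_site[name] += loss
                total += loss
        totals.append(total)
    totals.sort()
    return {
        "mean": sum(totals) / trials,                    # revenue @ risk (E2E)
        "p95": totals[int(0.95 * trials)],               # 1-in-20-year loss
        "p999": totals[int(0.999 * trials)],             # 1-in-1000-year loss
        "pareto": sorted(by_site, key=by_site.get, reverse=True),
    }

if __name__ == "__main__":
    base = simulate(SITES)
    # What-if: a second source absorbs half of site_a's lost capacity.
    mitigated = {**SITES, "site_a": {**SITES["site_a"], "redundancy": 0.5}}
    print(point_estimate(SITES), base, simulate(mitigated)["mean"])
```

With these sample inputs the mean sits near the averages-only point estimate while the 1-in-1000 loss is far larger, which is the information an analysis limited to averages does not show.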