Company A

The supply chain configuration for Company A is defined as global. Company A did not identify security risks and macro risks as a source of structured risk in the interview. As an alternative category, Company A suggested that environmental risks could be included in the risk assessment, as environmental awareness was part of the supply chain management, despite it being defined outside the company’s risk management at the time. Apart from the two non-identified categories the risk evaluation resulted in a somewhat even spread, mostly between average levels of probability and impact. Although some categories could be considered critical. The risk profile associated with Company A is presented in Figure 8.

Figure 8: Company A risk profile

According to the risk map the most important risks for Company A are competitive risks [4,4], followed closely by the second cluster of supply risks, operational risks and policy risks [3,4; 2,5]. From purely risk impact perspective policy risks are rank among the highest with a very high impact, but these risks are evaluated to occur very infrequently, lowering their total risk score in the risk map. The new risk typology as proposed by Company A, environmental risks [2,4], ranked slightly below the second cluster with higher impactfulness but lesser probability. Demand and resource risks fall into the middle of the risk evaluation map [3,3]. Macro and security risks were not a part of structured risks; therefore, they have been attributed to have very low probability and impact. To complement the risk profile of Company A, the risk mitigation capabilities are presented next in Figure 9.

Figure 9: Company A mitigation capabilities

Risk mitigation capabilities of Company A are reflected by a high perceived risk mitigation strategy implementation against competitive risks which was ranked the highest risk source for the company. Furthermore, corresponding to the earlier risk severity assessment next crucial risk categories fall into the intermediate risk mitigation capabilities. This would suggest that Company A has employed a proactive risk strategy for competitive risks, but is slightly behind in supply, operational, policy and environmental risks if the level of mitigation is used as a counterpoint. Low mitigation capabilities assessed for demand and resource risks indicate also that they have potential to be developed further, since their scores in the risk map fall into the area of average risk severity. Overall, eight out of nine (89%) potential risk categories were mitigated on intermediate level or worse, which leaves many improvement opportunities on that regard should the company pursue more efficient risk mitigation capabilities. It was agreed that since security and macro risks are not considered as structural part of the company risks, their risk score and mitigation were ranked into the

minimum values of the spectrum, however in this consideration it could be suggested that relevant areas to them are still monitored at some level to prevent possible future disruptions.

When discussing risk management strategy, it was mentioned that the basis for initiating, developing, and assessing risks more particularly is a realized risk event or perceived occurrence of negatively affecting event.

“We have initiated risk management when the risk has realized for the first time, and after that we have been trying to more actively manage it in future’s perspective.”

This statement somewhat underlines the problems associated with uncertainty – it is difficult to assess and manage without having concrete evidence of the risks that can take place. Of course, a framework for risk management must exist at some level but at least in the case of severe supply chain risks it seems that their appearance and required management can be sudden. Following a discussion about realized risk impacts it was mentioned that in the pharmaceutical industry the most prominent forms of risk impact that came to mind were related to competitive risks and policy risks. This was also reflected in the risk assessment framework.

“One big risk which is related to our industry is that our suppliers can turn into our direct competitors and start selling the [previously supplied] products themselves.”

This form of development in the supply chain’s supplier relations is not only possible but already happened according to Company A. The transformation of supplier into competitor cannot be easily predicted, if at all, Company A representative re-iterated further. This is another example of risk management protocol initiating after a risk has realized. Active way of managing this risk is mostly related to balancing the business relationship by incentivizing the supplier to not take these sorts of actions in order to keep the supply chain stable.

In the case of policy risks it was briefly mentioned that they happen in the upstream of the supply chain. An example was given that the governing authorities denied a supplier of manufacturing permits. Even though supply and operational risks were ranked to be somewhat critical in the risk map, they were not seen to have been realized in the supply chain with enough importance to give any sort of anecdotal information. Raw material availability was one of the aspects seen as related to supplier-side risks and understood only as a theoretical risk.