Tag Archives: risk management

Analysing road vulnerability in Norway

Leave a reply
Revised on: 2015-09-09

How does the Norwegian Public Roads Administration NRPA assess the vulnerability of the Norwegian road network? This is the first post in an attempt at resurrecting this blog from its hibernating state that has now lastet for some 18 months., and marks the start of blog posts form my life as senior adviser in contingency planning and crisis management, where I spend much of my working hours developing tools for risk analysis and giving lessons on how to conduct risk analyses. The inspiration for this post is taken from the course material I prepared for a recent course.

 Why risk and vulnerability analysis?

As a government body, the NRPA adheres to many laws and rules, and is guided by a number of policies and principal documents. One of these documents, the National Transport Plan, or NTP in short, states that the national goal for transport is:

To provide an efficient, accessible, safe and environmentally friendly transport system that covers society’s requirements and encourages regional development.

with accessibility being one of four main goals, as described here:

Our transport policy is to improve traffic flow and reduce the time of travel in order to strengthen competitiveness of industry and contribute to maintaining the main features of existing settlement patterns.

The most recent NTP 2014-2023 emphasizes reduced vulnerability and more adaptation to climate change as an important issue for the future:

Precipitation, temperature and wind have a strong impact on transport infrastructure and traffic management. Extreme weather, with strong winds, storm surges, heavy rains and temperature fluctuations, imposes increased demands on infrastructure. Large sections of the current transport network are not sufficiently resilient to withstand such increased strains. The infrastructure must be made more robust and emergency preparedness must be improved.

The NRPA has its own bylaw, describing in detail which tasks that we are responsible for doing, and with accessibility closely linked to vulnerability, it is no wonder then that risk analysis and contingency planning (among many other tasks) is mentioned specifically:

The NRPA is to have an overview of the threats to and the vulnerability of the road network, and work across its own organsation (and together with other agencies) in necessary contingency planning in order to ensure the best possible accessibility under changing conditions and/or possible or actual threats.

 Being able to see, evaluate and manage potential risks and vulnerabilities is in fact part of the NPRA’s obligation towards society.

Societal security and business continuity

The background for this obligation can be found in the term “Societal security”, a term not very common outside of Norway. “Societal security”, which I tried to explain in a previous post, is best translated as the ability that a society has to persist under strenuous circumstances, to maintain important functions, and to provide the necessary services to uphold the life, health and welfare of its members.”It is very similar to the Finnish “security of supply” that I wrote about some time ago.

For the NRPA societal security, or “samfunnssikkerhet” in Norwegian, means the ability that we (the NRPA) has to to persist under strenuous circumstances, to maintain important functions, and to provide the necessary transport network so that society can persist. Since we plan, build, operate and maintain the Norwegian road network, it is our duty to make sure that it is functioning and accessible 24/7, even during worst of times. That is the obligation that we have towards society.

This obligation towards  “societal security” is apparently so important in today’s world that the ISO in 2013 published an international standard, ISO 22301 – ″Societal Security — Business continuity management systems”, as a response to governments and regulators beginning to recognize the role of business continuity in mitigating the effects of disruptive incidents on society.

This is also reflected in Helen Peck’s 2006 article on Reconciling supply chain vulnerability, risk and supply chain management, where Peck refers to the UK Civil Contingencies Act of 2004 that requires the undertaking of business continuity planning and risk management from local government authorities, utilities providers and commercial organizations with responsibilities for essential public transport and critical infrastructure.

Risk and vulnerability

Back to risk and vulnerability, according to ISO 31000 Risk Management, there is no distinction between risk analysis and vulnerability analysis, it’s just risk analysis. However, for reasons that I cannot really understand, in Norway we mostly call it risk and vulnerability analysis. Linking risk and vulnerability is difficult. Where does one end and the other start? In my understanding, I usually use these definitions:

Risk is the potential likelihood that an event will occur and the potential consequences if the event occurs.

Vulnerability is the ability that an object has to withstand the effects of an (unwanted) event and to resume its original condition or function after that event.

Hence, to me, risk is associated with the immediate consequences of an event, while vulnerability is associated with the extent of the ability to manage or handle the wider consequences and long-term effects rather than the imminent consequences. Essentially, the less you can handle, the more vulnerable you are. Or, to use the term business continuity, vulnerability is that which stops business from continuing.

Example: Risk: A bridge is prone to being closed because of frequent flooding. Vulnerability: There is no diversion route.

I often use the bow-tie figure below to illustrate the difference between risk and vulnerability, and between proactive and reactive measures, i.e. mitigative actions and contingent actions..

Please note that the consequence in the right column does not necessarily relate directly to the cause on the same line in the left column. Also note that the consequences illustrate the wider effects on society, i.e. the business continuity issues related to societal security, whereas the event is the immediate effect resulting from the cause(s).

ISO 31000 Risk and Vulnerability Analysis

The risk and vulnerability process in the NRPA follows the terms and steps (5.3 to 5.5) used in ISO 31000, as described in the figure below: While ISO 31000 describes very well what is meant by these terms, I have made my own a bit more hands-on descriptions for what a risk and vulnerability analysis contains:

What Values do we have? Establishing the context 5.3

What do we want to protect? What can we accept?

What are the Threats we face? Risk identification 5.4.2

What are our challenges? What can go wrong? What do we fear?

What are the Likelihood and Consequences of events? Risk analysis 5.4.3

Why and how can things go wrong? Causes, drivers and results?

How is our Vulnerability and Robustness? Risk evaluation 5.4.4

If things go wrong, how bad is it really? Can we cope (or not)? What are the wider effects?

Which Likelihood-reducing measures are there? Risk treatment 5.5

What have we done (and what more can we do) to prevent things from happening?

Which Consequence-reducing measures are there? Risk treatment 5.5

What have we done (and what more can we do) to prevent things from getting worse, if they indeed do happen?

Perhaps not the best of descriptions, but they work for me.

Three levels of analysis

As to the risk and vulnerability analysis itself, it is done at three different levels: simple, simplified and detailed. Simple analysis (Level 1):

A risk and vulnerability analysis that is used to identify what risks and vulnerabilities that exist and to make initial easement of how they should be treated. The analysis shall point at possible challenges and solutions, and is a mostly qualitative analysis, a best guess or estimate.

Evaluation criteria: Best judgement

  • Situation OK, risk treatment can be done if desired, but is not required.
  • Situation NOT OK, risk treatment is necessary and should be done, it is not required, but highly recommended.
  • Situation NOT OK AT ALL, i.e. unacceptable, risk treatment is required and must be done.

Simplified analysis (Level 2)

An extended risk and vulnerability analysis that is used to evaluate risk and vulnerability, when or where the first analysis does yield conclusive results or when or where there is a need for a more thorough analysis to evaluate different risks and risk treatments. This is a mostly quantitative analysis that aims at determining more precise values for likelihoods and consequences.

Evaluation criteria: Risk matrix

Note that this is a generic matrix and that one must decide on which values and increments to use for likelihood and consequence before starting the analysis, by answering the question “What can we accept?” when establishing the context. This also establishes the colour grading of the matrix, which may or may not be as seen above. Being generic, this matrix should be extended to include analysis-specific consequence categories, as seen in this book on Security Risk Management, e.g. consquences for people’s life/health, environment, accessibility, property/equipment.

Detailed analysis (Level 3)

A special risk and vulnerability analysis that is used to analyse specific risks and vulnerabilities, e.g. in the construction and design details of roads, bridges and tunnels. This is a detailed and quantitative analysis using statistical methods and forecasting tools aimed at ruling out any missed uncertainties in the previous levels of analysis.

Evaluation criteria:  analysis(object)-specific This type of analysis is not often used within the NRPA and mostly contracted out to consultants and risk analysis experts.

Events

Obviously, there are many events that could close down a road, too many to think of, actually. That is why the NRPA risk and vulnerability analysis guidelines lists a set of “standard” events for which a road should be analysed, in order to generate a risk profile.

  • Adverse weather
  • Bridge closed
  • Drainage failure
  • Electricity blackout
  • Ferry link failure
  • Fire (in objects on or near the road)
  • Flooding
  • Foundation failure
  • Frequent accident point
  • Hazardous goods accident
  • High winds
  • Landslide (earthflow)
  • Malicious actions/terrorism
  • Quick clay slide
  • Restrictions (in height, width, weight, axle load etc. that make the road inaccessible to some vehicles, typically Heavy Goods Vehicles)
  • Road rescue and towing (of Heavy Goods Vehicles, other car rescues are neglible)
  • Rockfall
  • Snow avalanche
  • Storm surge
  • Terrain sinking (non-slide)
  • Transport hub inaccessible
  • Tunnel closed

In a later post I will present some of the analyses done in my work region and the risk profiles they resulted in. It is quite interesting to see which events that are most frequent in which areas.

Summary

This post was meant to give some basic insight into how  the Norwegian Public Roads Administration NRPA assesses the vulnerability of the Norwegian road network. It will be followed up by more detailed posts.

Author’s note

This is my first post for some 18 months now, and it has taken me more time than expected to write this. Not just because of the language barrier, as the original material for this post is in Norwegian, but also because of a “writing barrier”. Wording and phrasing and structuring a blog post is a skill that needs regular training and I must admit that my skills are still a bit rusty. Nonetheless, there’s more to come.

Links

Related

What is risk?

Leave a reply
Revised on: 2015-10-24

What is risk, and how can it be expressed? Should risk be defined through probabilities or should risk be defined through uncertainties? That is what Eyvind Aven and Terje Aven are attempting to explain in their paper On how to understand and express enterprise risk. In the paper, they claim that different international standards, such as the AS/NZS 3460 Risk Management Standard, the COSO ERM framework and the ISO 31000 Risk Management Standard do not provide adequate guidance on these issues and lack the necessary precision. Thus, they establish their own framework, where risk has two main components, namely 1) the impact of events and consequences (outcomes), and  2) the associated uncertainties (probabilities).
Continue reading

Blog Review: RiskCzar

3 Replies
Revised on: 2015-09-10

How time flies. Another month has passed and it’s time for another blog review. This month it’s RISKCZAR’s BLOG by Trevor Levine, a blog that is based on his almost 20 years of experience in financial, operational and enterprise risk management (ERM), and process improvement. In other words,  a heavy-weight risk champion, but this is not a heavy-weight blog. It is a fun blog to read, for laughing more than learning, or rather “learning through laughing”. It is a blog that will make you smile. It is a blog that will make you realize that risk doesn’t have to be serious, because treating it too serious may make you end up in one of Trevor’s blog posts.

Trevor Levine

When presenting himself, Trevor writes this on his About page:

I am not a quant, an academic or an accountant but just a guy who likes writing about risk management in a way that anyone would understand. You will not see any Greek letters or equations in my posts because that side of risk management doesn’t interest me too much nor is that the audience I am trying to reach. I prefer the lighter side – while goofing on the misfortunes of those who failed to practice proactive risk management – just to make the point and make you laugh.

And indeed, that is exactly what his blog is about.

Blog Highlights

Here are some samples of what you can find on riskczar.com:

Recently he seems to be struck by “Harry Potter”-fever, because he has no less than four posts on Voldemort, including Voldemort as Risk Manager of the Year.

Lord Voldermort would make an excellent risk manager because when he identifies a risk, he assesses it and treats it immediately.

In the post Trevor comes up with four reasons why Voldemort makes and excellent risk manager. That said, I’m not sure I would want Voldemort as my own risk manager.

In Reputation Risk: Is Delta Airlines the Mel Gibson of Aviation he looks at some technically correct but perhaps morally questionable practices at Delta Airlines:

When Delta Airlines took over Northwest Airlines and their Detroit hub, they added Saudi Arabian Airlines to its SkyTeam Alliance of partner airlines. As a result of Saudi’s discriminatory policies, Delta will ban Jews and holders of Israeli passports from boarding flights to the Kingdom.

After this story came out, Delta of course had to defend itself by blogging: “We, like all international airlines, are required to comply with all applicable laws governing entry into every country we serve.”

I for one would like to know how Mel Gibson fits into this. What did I miss?

In The risk of driving: juice boxes and Howard Stern he pokes a bit fun at the ban of texting or phoning while driving, citing other distractions that may be far likely to cause a crash:

But after the phone risk is addressed, I think parents are still equally distracted by crying babies, infant siblings fighting in the back seats and the dreaded right-arm-reach-around to retrieve a juice box that recently fell that drips its red punch all over the beige floor mats when you squeeze it too hard.

As someone whose baby daughter was born 7 weeks ago I can only attest to that. Besides, holding and attempting to soothe a crying (read: raging) baby certainly adds to the risk of “crashing” something at home as well.

In Freshly ground typo risk he recalls the story of a “minor” typo in a cooking book:

An Australian publisher is reprinting 7,000 cookbooks over a recipe for pasta with “salt and freshly ground black people.”

Penguin Group Australia’s head of publishing, Bob Sessions, acknowledged the proofreader for the Pasta Bible should have picked up the error, but called it nothing more than a “silly mistake.”

Not sure how “silly” this is, but here in Norway the most famous brand for spices and herbs since 1952 was actually named “Black Boy” up until last fall, when they decided that while an established brand, it is perhaps not the best name for a brand these days. As I remember from my childhood, even the packaging featured the picture of a black boy, as can be seen in this article from a Norwegian newspaper who wrote about the name change. That said, their homepage URL is still blackboy.no.

Enterprise Risk Management

Trevor has a section devoted to the topic of enterprise risk mangement or ERM, where he lists 10 proofs of value of ERM, highlighting that while risk management is often seen as a mere expense, it does have a value. Interestingly, “resilience”, I topic I care about a lot was recently added as #10:

“While ERM is not a panacea for all the turmoil experienced in the markets in recent years, robust engagement by the board in enterprise risk oversight strengthens an organization’s resilience to significant risk exposures.” – COSO

I agree. Risk management and resilience definitely go hand in hand.

Conclusion

If you want to read about risk management in a fun and entertaining way, riskczar.com should be on your reading list. He’s been blogging since 2005, although regular posts first started in 2009, so there’s bunch of humorous posts for you to sift through.

Links

Related posts

What are you afraid of?

2 Replies
Revised on: 2011-08-01

What do businesses in Scandinavia fear the most? That is what Nordic insurance giant If Insurance decided to find out. So they asked 400 managers in major companies in Denmark, Sweden, Norway and Finland the question “What kind of risk or threat do you think that publicly listed companies in your country fear the most today?” The answer may surprise you…or maybe not, and interestingly, what is most on managers’ minds is very different from country to country. Supply chain risks do not rank very high. Actually, unless you count them in implicitly, they do not rank at all…almost. But what do business leaders in Denmark, Norway, Sweden and Finland fear the most?

Continue reading

Low Cost Country Sourcing

2 Replies
Revised on: 2015-09-12

Low-cost countries. A dream for some and a nightmare for other others. What are typical supply chain risks in low-cost countries and how can they be managed? That is the topic of the PhD dissertation by Holger Köhler, now available as a book: Supply Chain Risiken im Low Cost Country Sourcing: Reduktion von Lieferrisiken in China und der Türkei. In the book, which is a more or less unabridged version of his dissertation, Holger Köhler not only presents a (new) system for the systematization of supply chain risks, he also develops a model for the factors that influence supplier risk and he exemplifies the cause and effect of supplier risks in China and in Turkey.

Continue reading

Blog Review: Risk Containment

1 Reply
Revised on: 2011-08-04

Another month has passed, and it’s time for another dive into the blogosphere. This month’s blog is a blog for anyone who works with or is exposed to risk, and it’s a blog full of personal insights, funny stories and profound wisdom. Slightly belated, due to the recent arrival of my baby daughter, which is why I am now a bit behind on my blogging let alone sleeping routines, this month’s blog review is a tribute to one of my most faithful Twitter followers and re-tweeters, Nicholas Hawtin of riskcontainment.com. Hardly a post on husdal.com goes by without Nicholas retweeting it, and often more than just once, thus bringing a steady flow of visitors to my blog. Nicholas, I owe you one, and this post is my Thank You for helping this blog reach its audience. Hopefully I can do the same for you, by promoting you on husdal.com.
Continue reading

SME Risk Management

Leave a reply
Revised on: 2015-11-12

Small and medium-sized enterprises (SMEs) make up the majority of enterprises in most countries, and thus often play a considerable role in supply chains, yet they often lag behind in implementing effective risk management practices. For SMEs, the establishment of a risk management system is essential to their survival and their business continuity, and a potential supply chain partner may also want to assess the proper implementation of a risk management system before engaging in a relationship. That is why Thomas Henschel wrote Risk Management Practices of SMEs. Evaluating and Implementing Effective Risk Management Systems, where he provides precise recommendations for the implementation of an effective risk management in SMEs.

Continue reading

Acts of God or Acts of Man?

3 Replies
Revised on: 2015-09-10

Do we ever learn? How come we humans knowingly and willingly put ourselves and our critical infrastructure in harm’s way time and again? Instead of living with and adjusting to natural hazards, we turn them into natural disasters, by our own doings and short-sighted decisions. That is what Kerry Sieh wrote in 2000 in his article titled Acts of God, Acts of Man: How Humans Turn Natural Hazards into Natural Disasters. In his article, Kerry argues for a different approach to handling the natural hazards that Earth puts beneath our feet, and not just acquiesce to enduring the damage and death brought by natural disasters. Proper engineering is all it takes.

Continue reading

Book Review: Ethical Risk

Leave a reply
Revised on: 2015-09-04

This is – for the time being – the sixth and final review of the books in the Gower Short Guides to Business Risk Series, since so far, only 6 out of  13 have been published. The last one out for review on husdal.com is A Short Guide to Ethical Risk, written by Carlo Patetta Rotta. Corporate social responsibility is growing in importance, and this is a book that provides an overview of the theories of ethics that bear on today’s business world. It is also a book that describes the adoption of appropriate company cultures and corporate governance models, and it is a book that discusses the selection and retention of ethically sound staff and implementation of fair incentive systems.  It is a book for companies wishing to survive into the future, simply because developing effective protection against exposure to ‘ethical risk’ is the only possible way forward. Well, not the only possible way, but the only viable way.

Continue reading

Supplier selection based on supplier risk

2 Replies
Revised on: 2015-09-12

It’s amazing how supply chain risk papers appear in the unlikeliest of places, and today I discovered a paper from Iran by Ali Shemshadi, Mehran Toreihi, Hossein Shirazi, Mohammad Jafar Tarokh. It bears the title Supplier selection based on supplier risk: An ANP and fuzzy TOPSIS approach and is published in the Journal of Mathematics and Computer Science, not the obvious place where one would go to looking for a paper on supply chain risk. It is a highly quantitative paper, yet it seems to be very applicable in practice. The paper proposes a hybrid MCDM method based on  ANP and Fuzzy TOPSIS to enhance previous solutions for the problem of selecting the best supplier from a set of potential alternatives based on a set of risk factors. That is an approach I haven’t seen before.

Continue reading

Hiperos – the Integrated View of Supplier Risk

Leave a reply
Revised on: 2015-09-12

Supply chains have gone global. No longer are they a point-to-chain of goods flowing from a source to a consumer, but a global network of interlinked businesses, processes and services. Supply chain risks have gone global, too, and one tiny incident somewhere in this vast network may result in devastating effects that can ripple across the entire supply chain. No wonder then that supply chain risk has become a major selling point for consultants  who are making a living from selling solutions that are “guaranteed” to capture  and manage the exact and full risk that a company is facing. We academics often frown at these consultants and their glossy whitepapers, but truth is that some of them are highly valuable and well-researched, and excellent food for thought. Take this whitepaper for instance, An Integrated View of Supplier Risk by a company called Hiperos. Here, supplier risk management is focused on four areas: the supplier’s viability, performance, compliance and corporate social performance. That is a perspective very much in line with my own ideas of holistic risk management.

Continue reading

Zycus and the Supply Risk Explosion

Leave a reply
Revised on: 2011-03-21

“Ten or fifteen years ago, you could not convince most procurement and supply-chain professionals to talk about supply-risk management. Today you can not get them to stop talking about it.” That is what Zycus, the self-proclaimed spend management experts, claims in their latest whitepaper  “The Supply Risk Explosion – Building a business culture that can cope“. I must admit that they do indeed have a point. Today’s list of supply-related risks can seem nearly infinite: supplier bankruptcy, tight credit, emerging capacity constraints, commodity price inflation, low inventories, product recalls, supply-chain globalization, supply-base rationalization, corporate cost cutting, dangerous management decisions, currency fluctuations, terrorism, increased regulatory activity, outsourcing, sustainability, social responsibility, social media, unfair trade practices, and so much more. How can any firm not be overwhelmed by this?

Continue reading

Visualizing the risk of global sourcing

1 Reply
Revised on: 2015-09-23

The benefits of global sourcing as part of a firm’s purchasing strategy have been widely discussed in the academic literature, yet so there are few models that provide a comprehensive risk and cost assessment to guide managerial decision-making. A picture says more than a thousand words, and here is one paper that has it all and that literally illustrates the differences between different sourcing strategies: On risk and cost in global sourcing by Matthias Holweg, Andreas Reichhart and Eui Hong. The paper defines three basic cost elements in global sourcing: static, dynamic and hidden cost, and uses this framework to assess the costs and risks inherent in global sourcing scenarios from three different points of view: conceptually, analytically and empirically. It is  paper shows how brings the message across of where to source and where not to source.

Continue reading

Book Review – Fraud Risk

Leave a reply
Revised on: 2015-09-04

Last year I was approached by Gower Publishing and invited to review their Short Guides to Business Risk Series, a task I happily agreed to do since most of the topics covered in the series directly or indirectly link up with supply chain risk, which is what I mainly blog about.  It’s been a while since the last review, but here I go again, and the latest book on my nightstand this time is A Short Guide to Fraud Risk, co-written by Martin SamociukNiger Iyer and Helenne Doody. It is a fascinating book, showing how easy it may be for employees, customers, clients and consultants to commit fraud, and how easy it may be to prevent this. It is a book that anyone working in procurement or supply chain management should read and ponder.

Continue reading

Book Review: Political Risk

Leave a reply
Revised on: 2015-09-09

Egypt is in crisis. After Tunisia, now Egypt is rocked by a popular uprising, and the outcome of the so far peaceful protests is still uncertain. This unstable and developing political situation has brought me the perhaps perfect background for today’s book review: A Short guide to Political Risk by Robert McKellar. Every firm with a supply chain that sources globally or operates internationally is exposed to political risks that may be very different from what they are used to domestically, where political risks often limit themselves to de-regulations and re-regulations of business sectors, tax cuts or tax hikes or sudden environmental measures or security enforcements following major events or changes in government. On the international scene such and  perhaps even worse changes can come abruptly and without warning, not because they cannot be foreseen, but because the firm usually lacks the tools and the knowledge it needs to anticipate and react coherently to political risks.
Continue reading

Risk Management Simplified

3 Replies
Revised on: 2011-07-05

Risk management. Why make it difficult when you can make it easy? That is perhaps what Andy Osborne thought when he wrote his most recent book, Risk Management Simplified. The cover says that is is “A practical, step-by-step guide to identifying and addressing risks to your business”, and it doesn’t come much more practical than this. This is a handbook and a self-assessment tool that leaves practically no risk uncovered. It’s practical, well-illustrated, to the point, not academic at all, filled with case examples and easy to work with. In this post, I will take a closer look at the book, because despite it’s simplicity, it does hold a couple of hidden gems worth mentioning.

Continue reading

Risk management – Vocabulary

2 Replies
Revised on: 2015-11-20

What is risk management in supply chains? The more I study supply chain risk management, the more confused I get. The supply chain risk literature is inconsistent at best at conflicting at worst. There are so many terms and definitions,  and each author, book, paper, or article seem to have its own way of describing the subject matter. Perhaps they haven’t heard about ISO Guide 73:2009 Risk Management Vocabulary? After all, it provides the definitions of many of the generic terms related to risk management. That is why this post will present some of the most frequent used terms relating to the management of risk in an attempt to promote a coherent approach to the description of activities. Will it help? I’m not sure, but the least I can do is spread the word.

Continue reading

Book Review: Reputation Risk

Leave a reply
Revised on: 2015-09-12

Reputation. Not only is it practically impossible to measure, its value is also frequently underestimated. Anything that can devalue your reputation is a reputation risk, and reputation risk and supply chain risk go hand in hand. Why? Because whatever happens in your supply chain may affect your reputation, and what affects your reputation will ultimately affect your business. A short Guide to Reputation Risk by Garry Honey describes how  difficult it is to build a reputation, and how easy it is to destroy, how it can be measured, how it can be managed, what drives it and how different stakeholders focus on different aspects of reputation, and how reputation risk management is an integral part of overall risk management. All this is packed into one small book.

Continue reading

Hamilton’s Circle of Risk

Leave a reply
Revised on: 2010-11-16

Searching for background information in my preparation for tomorrow’s lecture on supply chain risk, I was again reminded of an old acquaintance in risk management: Gustav Hamilton’s Circle of Risk. First conceptualized in 1974, Gustav Hamilton, the risk manager for Sweden’s State Company Limited, or Statsföretag AB in Swedish, created a “risk management circle,” graphically describing the interaction of all elements of the  risk management process, from assessment and control to financing and communication. I have not seen it referenced in the international literature, but it does occur quite often in Swedish academic circles, and is frequently cited by both MSc and PhD students. Perhaps time to take a closer look?

Continue reading

ISO 28002 – Supply Chain Resilience

3 Replies
Revised on: 2015-09-20

Have you heard of ISO 28002?  No? You should take note of this standard, because the ISO 28000 series specifies the requirements for a security management system for the supply chain. The standards address potential security issues at all stages of the supply process, thus targeting threats such as terrorism, fraud and piracy. The most recent addition to the series is ISO 28002: Security management systems for the supply chain – Development of resilience in the supply chain, published in September 2010. ISO 28002 details how an organization can engage in a comprehensive and systematic process of prevention, protection, preparedness, mitigation, response, continuity and recovery. This post will take an inside look at ISO 28002 and highlight the essential content.

Continue reading