Slide 1: Supply Chain Risk Management Framework, Supply Chain Risk Leadership Council, 24 Oct 2007 (Confidential)

Slide 2: Overview
Scope
- Develop a Supply Chain Risk Mgmt Framework that will allow SCRLC members to work from common terms of reference and that will help guide future SCRLC activities
Deliverables
- This presentation
- Adjustments as they become necessary

Slide 3: SCRLC Track Definition
Track Title: Supply Chain Risk Management Framework
Track Objective: Develop a Supply Chain Risk Mgmt Framework that will allow SCRLC members to work from common terms of reference and that will help guide future SCRLC activities
Track Scope:
- In scope: Supply Chain Risk Management Framework, which includes the following issues: 1) Supplier Reliability, 2) Security, 3) Regulatory Concerns, 4) Risk Management, 5) Incident/Crisis Management
- Out of scope: Broader issues of enterprise risk management will be considered separately from supply chain risk management. For example, issues not included are 1) Intellectual Property, 2) Branding
Next Milestone(s):
1. Obtain consensus from the broader SCRLC group
2. Close out track until adjustments are necessary

Slide 4: Team Members and Sources
Team Members
- Ely Kahn and Andrew Cox, TSA
- Tim Astley, Zurich
- Brent Myers, FedEx
- Craig Babcock, P&G
- Ravi Anupindi, University of Michigan
Sources
- Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management - Integrated Framework, 2004
- Supply Chain Risks and Risk Sharing Instruments, Robert Lindroth & Andreas Norrman, 2001

Slide 5: Definition of SCRM
Supply Chain Risk Management (SCRM) is the practice of managing the risk of any factor or event that can materially disrupt a supply chain, whether within a single company or spread across multiple companies. The ultimate purpose of supply chain risk management is to enable cost avoidance, customer service, and market position. Supply chain risks can be grouped into 3 broad categories: physical, process, and institutional risks.

Slide 6: Supply Chain Risk Framework (diagram with three axes)
- Supply Chain Scope: X-Tier Supplier, First-tier Supplier, Your Company, Primary Customer, Downstream Customer. Includes links (logistics and electronic transfer of information) between supplier, your company, and customer.
- Risk management components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring. Risk management is an iterative process.
- Types of risk: PHYSICAL, PROCESS, INSTITUTIONAL. Types of risk are not mutually exclusive.

Slide 7: Supply Chain Risk Management vs. Enterprise Risk Management (diagram)
Items placed on the diagram: Purpose, Vision, Principles; Breach; Concentration Risk / Supply Chain Resilience; Product Quality / Safety; Phys. Security People/Assets; Company Tax Structure; Acquisition Integration; Marketing Strategy; Major IT Outage; Earnings/Sales Miss; CEO/Leadership Succession Plans

Slide 8: Key Risks
Supply Chain
- Regulatory concerns
- Reliability of suppliers (quality, warranty, yield, …)
- Commodity shortage/price fluctuations
- Fluctuations of foreign exchange rates
- Intellectual property theft
- Obsolescence of product inventory or technology
- War, terrorism, other geopolitical concerns
- Problems with supply chain infrastructure
- Plant breakdown, mechanical failures
- Natural disasters
- Others
Enterprise
- Stock market volatility
- Global terrorism
- Over-regulation
- Currency fluctuations
- Reputational risk
- Corporate governance issues
- Price deflation
- Emerging technologies
- Increased competition
- Loss of key talent
- Cost of capital
- General availability (cost, quality) of labor
Sources: McKinsey Quarterly global survey of business executives, Sept 2006; PwC, 7th Annual Global CEO Survey – Managing Risk, 2004

Slide 9: Risk Management Components (section title)

Slide 10: Risk Management Components
The components should be looked at as being interrelated.
Components of SCRM:
- Internal Environment
- Objective Setting
- Event Identification
- Risk Assessment
- Risk Response
- Control Activities
- Information & Communication
- Monitoring

Slide 11: Internal Environment
- Encompasses the tone of an organization
- Influences the consciousness and awareness of its people
- Basis for all other components
- Provides discipline, structure and organization
- Establishes a philosophy regarding risk management, including its risk appetite
- Oversight by board of directors
- Integrity, ethical values, competence
- Assigning of authority and responsibility

Slide 12: Objective Setting
- Set at the strategic level, establishing a basis for operations, reporting and compliance
- Precondition for event identification, risk assessment and risk response
- Aligned with the risk appetite (as defined in the internal environment)
- Risk tolerance

Slide 13: Event Identification
- Management identifies potential events
- Differentiates risks and opportunities:
  - Events that may have a negative impact represent risks, which require management response
  - Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting
- Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives
- Addresses how internal and external factors combine and interact to influence the risk profile

Slide 14: Event Identification, possible techniques
- Event inventories
- Scenario analysis
- Internal analysis
- Escalation or threshold triggers
- Facilitated workshops and interviews
- Process flow analysis
- Leading event indicators
- Loss event data methodologies
- Interdependencies

Slide 15: Event Identification, categorization of events (with reference to other framework axes), e.g.
- External: Economic, Environment, Political, Social, Technological
- Internal: Infrastructure, Personnel, Process, Technology

Slide 16: Risk Assessment
- Allows an entity to understand the extent to which potential events might impact objectives
- Assesses risks from two perspectives: likelihood and impact
- Employs a combination of both qualitative and quantitative risk assessment methodologies
- Relates time horizons to objective horizons
- Assesses risk on both an inherent and a residual basis
- Impact of events should be assessed individually or by category across the entity

Slide 17: Risk Assessment, assessment techniques
- Benchmarking
- Probabilistic models
- Non-probabilistic models

Slide 18: Risk Response
- Identifies and evaluates possible responses to risk
- Possible responses: avoidance, reduction, sharing, acceptance
- Evaluates options in relation to risk appetite, cost vs. benefit of potential risk responses, and the degree to which a response will reduce impact and/or likelihood
- Selects and executes response based on evaluation of the portfolio of risks and responses
- Examines whether residual risk is within risk tolerance

Slide 19: Control Activities
- Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out
- Occur throughout the organization, at all levels and in all functions
- Include approvals, authorizations, verifications, reconciliations, review of operating performance, security of assets and segregation of duties

Slide 20: Information & Communication
- Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities
- Communication occurs in a broader sense, flowing down, across, and up the organization
- Personnel receive a clear message from top management
- Means for communicating upstream
- Communication with external parties

Slide 21: Monitoring
- Monitoring shall assess presence and functioning of ERM over time
- Effectiveness of the other ERM components is monitored through ongoing monitoring activities, separate evaluations, or a combination of the two
- Serious matters reported to top management and the board

Slide 22: Issues to be aware of
- Risk Management is an iterative discipline: risks must be revisited on a regular basis
- Need to balance the audit approach (avoid or mitigate risk) vs. the proactive approach (deal actively with risks)
- Need to recognise the role of risk management in realizing strategic objectives
- Risk should be seen as a necessary component and factor in strategic opportunity
- There might be an economic benefit in accepting a particular risk; the focus should be on the risk-return tradeoff
- Risk quantification needs to be included as well as the focus on risk mitigation
- Need to adequately reflect the external environment even though some risk factors are beyond management's control
- Need to recognise correlation of risks, which is often difficult
- Risk management is a coordinating function
- Risk management is a dynamic process, not a checklist approach
- Need to recognise risk to reputation

Slide 23: Risk Management Components, residual exposures
- Where do exposures remain after risk responses (mitigations/controls) which are still beyond the company's tolerance level?
- Develop plans to respond to these residual exposures should they occur: Business Continuity Plans, Incident Response Plans, Disaster Recovery Plans, Crisis Management Plans, etc.

Slide 24: Risk Mitigation Effects (diagram)
Two risk maps plotted on likelihood vs. impact axes, each showing the limit of risk tolerance:
- Risk map before response / controls
- Risk map after response / controls, annotated "Develop Recovery Plans"
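The scoring described on slides 16, 18, 23 and 24 (inherent vs. residual rating, a response per risk, a tolerance limit, and recovery plans for whatever remains beyond it) can be worked through as a small risk register. The following is an added example, not material from the SCRLC deck; the 1-5 scales, the tolerance limit of 9 and the register entries are constructed assumptions.

```python
# Added example, not the SCRLC deck's own material: a constructed supply chain risk
# register scored on the inherent/residual basis (slide 16) with the responses of
# slide 18, checked against the tolerance limit of slide 24 (assumed values).
from dataclasses import dataclass

SCALE = range(1, 6)      # assumed 1 (low) .. 5 (high) for likelihood and impact
TOLERANCE_LIMIT = 9      # assumed: likelihood x impact above this is beyond tolerance
RESPONSES = {"avoidance", "reduction", "sharing", "acceptance"}  # slide 18
CATEGORIES = {"PHYSICAL", "PROCESS", "INSTITUTIONAL"}            # slide 27

def score(rating):
    """Risk score = likelihood x impact for a (likelihood, impact) pair."""
    likelihood, impact = rating
    return likelihood * impact

def within_tolerance(rating, limit=TOLERANCE_LIMIT):
    return score(rating) <= limit

@dataclass(frozen=True)
class Risk:
    name: str
    category: str
    inherent: tuple      # (likelihood, impact) before response / controls
    response: str
    residual: tuple      # (likelihood, impact) after response / controls

    def __post_init__(self):
        if self.category not in CATEGORIES or self.response not in RESPONSES:
            raise ValueError(f"{self.name}: unknown category or response")
        for likelihood, impact in (self.inherent, self.residual):
            if likelihood not in SCALE or impact not in SCALE:
                raise ValueError(f"{self.name}: ratings must be 1..5")
        # Acceptance leaves the risk unchanged; no response may make it worse.
        if self.response == "acceptance" and self.residual != self.inherent:
            raise ValueError(f"{self.name}: accepted risk must keep its rating")
        if score(self.residual) > score(self.inherent):
            raise ValueError(f"{self.name}: response increases the score")

def risk_map(register, basis="inherent", limit=TOLERANCE_LIMIT):
    """Slide 24 risk map as data: name -> (likelihood, impact, score, within tolerance)."""
    return {r.name: (*getattr(r, basis), score(getattr(r, basis)),
                     within_tolerance(getattr(r, basis), limit)) for r in register}

def residual_exposures(register, limit=TOLERANCE_LIMIT):
    """Slide 23: risks still beyond tolerance after response; these need recovery plans."""
    return [r.name for r in register if not within_tolerance(r.residual, limit)]

def mitigation_effect(register):
    """Slide 24: total score before and after response / controls."""
    return (sum(score(r.inherent) for r in register),
            sum(score(r.residual) for r in register))

# Constructed register covering the three risk categories of slides 27 and 28.
REGISTER = [
    Risk("Earthquake at single-source plant", "PHYSICAL", (2, 5), "sharing", (2, 3)),
    Risk("Cyber attack on order management system", "PROCESS", (4, 4), "reduction", (3, 4)),
    Risk("Late shipments from first-tier supplier", "PROCESS", (4, 2), "acceptance", (4, 2)),
    Risk("New export regulation", "INSTITUTIONAL", (3, 3), "reduction", (2, 3)),
]
```

With this register the portfolio score drops from 43 to 32 after responses, and only the cyber attack entry remains beyond the tolerance limit, which is the case slide 23 says needs an incident response or continuity plan.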

Slide 25: Incident Management "Planning P" (diagram only)

Slide 26: Types of Risk (section title)

Slide 27: Types of Risk
- Physical Disruptions: Destruction of critical infrastructure in the supply chain
  - Critical infrastructure includes the material components or assets necessary for the continuous operation of the transportation system, including equipment and personnel
- Process Disruptions: Events that involve day-to-day operations of supply chain processes
  - Processes include the rules, actions, decisions, and information flows that give life to the physical level and are necessary for efficient and effective operation of the transportation system. Processes are what allow material components to work together, physically or virtually, as a system or supply chain
- Institutional Disruptions: Events that involve changes in company or supply-network governance and strategy
  - Institutional considerations include the policies, guidance, and organizations that empower and constrain the operation of the supply chain to meet large-scale company goals. Public sector examples of institutional disruptions include federal legislation, national policies, and state regulations. Private sector examples include company reorganizations, mergers, market shifts, and technology breakthroughs

Slide 28: Risk Category Examples
- Physical Disruptions: Natural Disasters, Terrorist Attacks, Accidents
- Process Disruptions: Cyber Attacks, Demand Forecasting Errors (Bullwhip effect), Missing or late shipments
- Institutional Disruptions: New / Increased Regulations, Geopolitical Issues / War, Technology Step-Change (Supplier Reliability)

Slide 29: Supply Chain Scope (section title)

Slide 30: Supply Chain Scope
Diagram: X-Tier Supplier, First-tier Supplier, Your Company, Primary Customer, Downstream Customer.
As a company looks beyond its own suppliers and customers, the scope of what is included in the supply chain expands:
- Your company: Your company is the center of your supply network. The scope here refers only to in-house supply chain issues
- First-tier supplier: Any supplier that directly supplies your company. This scope does not include companies that are 2nd tier or beyond
- X-tier supplier: Companies that supply your first-tier suppliers
- Primary customer: Any direct customer of your company
- Downstream customer: Any customer of your customers
Scope includes links between supplier, your company, and customer.

Slide 31: Supply Chain Framework Interdependencies (diagram)
Chain shown: Supplier's Supplier, Supplier (internal or external), Your Company, Customer (internal or external), Customer's Customer. Processes shown along the chain: Plan, Source, Make, Deliver, Return, Design, with Source, Deliver and Return repeated at each participant. Flows shown across the chain: Financial Flow, Information Flow, Physical Movement.

Slide 32: Next Steps
- Discussion
  - Close out track?
  - How do we use this framework?