Proposed Supply Chain Risk Management Process Flow

1. Proposed Supply Chain Risk Management Process Flow Supply Chain Risk Leadership Council 20 April 2009 DRAFT

2. We can build on similar risk management processes to create a SCRLC risk management process. SCC Process RAND Process Proposed SCRLC Process Build the Program Recognize Existence Establish a SCRM Program and Apply Resources Define the Supply Chain Identify Define the Supply Chain and Risk Objectives Define Risk Objectives Estimate Likelihood of Occurrence Assess probable consequence/ duration Identify Supply Chain Risks Assess Supply Chain Risk Prioritize Quantify and Prioritize Risks Mitigate Risk Develop, assess, and execute management strategies Develop and Execute Risk Management Actions Implement and Monitor Develop Contingency plans Monitor Supply Chain Environment for Risks Monitor Note: The RAND process is a draft process under development and should not be released beyond the SCRLC Process team without permission from Nancy Moore. Capture lessons learned and improve

3. The risk management process must be iterative to be effective. The timing of each iteration should be dictated by the corporate risk strategy Proposed SCRLC Process Reassessment of risk program Establish a SCRM Program and Apply Resources Reassessment of supply chain Define the Supply Chain and Risk Objectives Reassessment of risk sources Identify Supply Chain Risks Quantify and Prioritize Risks Reassessment of management actions Reassessment of risk exposure Develop and Execute Risk Management Actions Monitor Supply Chain Environment for Risks Continuous Risk Monitoring

4. The proposed SCRLC process should cover all elements of a comprehensive risk management program Proposed SCRLC Process Establish a SCRM Program and Apply Resources • Recognize risk management as a priority • Secure executive support for risk management program • Secure resources necessary to execute risk management program Define the Supply Chain and Risk Objectives • Define the supply chain scope • Map the supply chain • Define the objectives of managing risk in the subject supply chain Identify Supply Chain Risks • Comprehensively review the supply chain to identify risks • Document identified risks to the extent possible Quantify and Prioritize Risks • Quantify each risk in terms of probability of occurrence and potential impact • Use the quantification of the risks to prioritize the risks according to defined objectives Develop and Execute Risk Management Actions • Develop risk management actions consistent with each risk’s priority • Define each action’s value in terms of reducing the probability and impact of the risk • Develop and execute an implementation plan for the identified actions Monitor Supply Chain Environment for Risks • Define monitoring requirements and action thresholds • Continuously monitor the supply chain environment for risk events or precursors. • When thresholds are triggered, execute applicable mitigation actions • Document results for after action review and program improvement

5. The proposed SCRLC process can map to the defined working groups Proposed SCRLC Process SCRLC Working Groups Establish a SCRM Program and Apply Resources Preparedness, Business Continuity, and Recovery Planning Define the Supply Chain and Risk Objectives Regulatory Compliance Supply Chain Risk Quantification & Measurement Identify Supply Chain Risks Supply Chain Security Quantify and Prioritize Risks Manufacturing, Transportation and Logistics Resiliency Develop and Execute Risk Management Actions Product and Materials Resiliency Supply Chain Monitoring & Crisis Management Monitor Supply Chain Environment for Risks

6. THE OPPORTUNITY TO MAKE A DIFFERENCE HAS NEVER BEEN GREATER ACQUISITION • FACILITIES & ASSET MANAGEMENT • FINANCIAL MANAGEMENT • INFORMATION & TECHNOLOGY • LOGISTICS • ORGANIZATIONS & HUMAN CAPITAL