What Are The Six Get Rights For an Effective Supply Chain Risk Management Program?

April 28, 2025

Sponsored by Kearney


Venky Arun, Partner, Kearney

Vipul Garg, Principal, Kearney

Dibyo Sarkar, Consultant, Kearney

Supply chain disruptions are becoming more common and severe. Ongoing geopolitical tensions, escalating trade wars, and extreme climate events continue to add to the uncertainty around us. COVID showed us just how vulnerable our supply chains can be.

Our research shows that an average Fortune 500 company faces a staggering loss of $2.4 billion in market cap, $450 million in annual revenue, and $75 million in extra costs due to supply chain disruptions. Despite these numbers, many companies still struggle with managing supply chain risks effectively. The following six “get-rights” serve as a checklist for strengthening an existing SCRM program or a blueprint for building a new one (see figure).

[Figure: The six get-rights for an effective supply chain risk management program]

  1. Get senior leadership on board early

Supply chain risk is not just a procurement problem or supply chain problem—it is a business problem. These risks, if and when they materialize, can seriously impact customers and your top line. The first step is to secure support and commitment from your top corporate and BU executives to get behind building a robust program from the start. When corporate leaders are committed, SCRM becomes a strategic priority rather than just another task. Engaging BU leaders is crucial because they are accountable for the eventual business outcomes. Their involvement ensures risk management is integrated into the core business plans, fostering a culture of proactive risk stewardship.

For example, a healthcare provider faced significant challenges in its SCRM program due to evolving leadership priorities. Kearney’s PRISM survey and alignment model helped key stakeholders get on the same page by providing a clear picture of where value was at risk and priority areas to address. This collaborative and data-driven approach aligned senior leadership on the program's vision and strategy.

  2. Ensure your data is in good shape for true quantified implications

Risk is not theoretical—it has a specific expected monetary value in very real-dollar terms. A robust SCRM program quantifies risk and draws qualitative insights from accurate, standardized, and harmonized supply chain data. Companies often focus on external data but neglect internal data quality. Inconsistent data formats can lead to misleading risk assessments, so it's crucial to standardize and harmonize internal data before integrating it with external data to draw your risk insights.

For instance, a utility equipment maker significantly underreported risk due to inconsistent supplier and component naming conventions across different business units. We cleansed, standardized, and harmonized internal data before integrating it with external market data. This approach improved data accuracy and revealed that 10 percent of suppliers were sole source with direct single-country risk, and five suppliers were unknowingly dealing with blacklisted firms.

  3. Establish clarity of “who owns what and when”

It is imperative to put in place ways of working that ensure nothing slips through the cracks. This means having complete clarity of ownership and accountability at different levels—corporate, BU, and functional. The "three lines of defense" model is the base framework for this. The first line manages risks in the daily operations. The second line sets policies, frameworks, and methodologies and reviews compliance with them. The third line conducts independent assessments/audits to identify gaps. However, that is not enough. Detailed process mapping and clear decision rights are required to determine who—once a significant risk is identified or starts escalating—will own the mitigation based on type and severity of risk.

Using this model, we helped a global tech firm establish a cross-functional integrated risk management operating model in a complex organizational setup involving legal, enterprise risk, government relations, sourcing, etc. This clarified roles and improved accountability, enabling the firm to turn risk signals for its cloud business into mitigation actions 50 percent faster.

  4. Ensure broad risk coverage but quickly zero in on priorities

Starting with broad risk coverage ensures no potential threats are overlooked, giving a comprehensive view of supply chain vulnerabilities. However, not all risks are equal, and you can’t dedicate resources to mitigating them all. Quickly zeroing in on highest-priority risks based on a quantified assessment allows organizations to allocate resources efficiently, addressing the most critical risks first. This involves examining the likelihood and impact of risks and adjusting for existing controls to quantify “residual risk.”

For example, a tech client using our value-at-risk approach discovered that its single approved supplier of rectifier diodes had all its manufacturing in a cyclone-prone area. This revelation encouraged the client to approve another supplier with a different manufacturing footprint, mitigating the risk of losing 22 percent of its revenue in the event of another cyclone.

  5. This is not a “one-and-done” exercise—regular updates are crucial

Regularly refreshing the SCRM program is essential because new risks can emerge or become more severe at any time. Regular updates to the framework and process, real-time data sources, and stakeholder engagement are key to staying vigilant and responsive. This also involves updating the program when a risk vector is no longer relevant to the business and vice versa. Identify the right cadence to refresh methodologies, data inputs, etc., without over-doing it.

  6. Embed SCRM into day-to-day operations

The final key to success is to truly embed risk management thinking and ownership in your daily operations (e.g., supplier selection, contracting, and procurement). This reduces exposure and speeds up response times by keeping everyone alert and ready. Once SCRM is embedded in your organization, it's easier to extend that culture to your supplier ecosystem. Often, clients focus on identifying risks and internal mitigation without a clear road map for supporting suppliers in their mitigation steps. Without embedding risk thinking internally first, it’s tough to get your suppliers on board.

We helped a pharmaceutical company embed SCRM into daily operations by focusing on procurement. They cultivated champions at various levels and introduced a reward program for innovative risk management. A year later, they saw faster response times and fewer disruptions—a remarkable turnaround. Now, they proactively shape their suppliers’ risk management strategies, leading by example and influencing their entire supply chain.

Conclusion

Building a resilient supply chain is challenging and requires thoughtful planning, significant effort, and persistent commitment to these get-rights. Even the most mature supply chain organizations don't get everything right. Our experience shows that implementing just a few of these elements can significantly enhance your SCRM program. Start by assessing your organization's SCRM maturity level using our proprietary PRISM Stages of Excellence Survey. This will provide powerful insights to secure leadership and BU support early and foster the top-down risk stewardship mentality needed for sustainable change. Often, this is all it takes to begin building a resilient and responsive supply chain.

The authors would like to thank Mike Piccarreta, Vishal Bhandari, Emal Eshan, Joe Belechak, Diya Shreenath, and Lauren Yee for their valuable contributions to this article.

 

Authors:

Jane Wanklyn, Partner | Daniel Santiago, Partner | Aman Khan, Partner | Samuel Adeoye, Consultant