Let’s say you are a large manufacturing, retail, or industrial concern, and you want to assure that your supply chain won’t be disrupted by climate change. How would you actually assess and quantify that risk?
That’s not a hypothetical question for large businesses. As global warming continues, extreme weather events become more frequent and more severe: drier droughts, stronger hurricanes, deeper cold snaps, longer fire seasons. Those events can cause huge disruption to your operations.
Most large businesses already know and address that risk for their own facilities, either through insurance coverage or design rules for physical stores or whatever. But if you’re an audit or risk manager trying to assure continuity of operations, you also need to push that risk assurance down through your supply chain.
Which brings us back to the original question: How can you assess and quantify climate change risk lurking in your supply chain? What are those risks, specifically? How can your business mitigate its exposure to climate change risk that affects a third party?
As fate would have it, the Government Accountability Office just published a report on how the Defense Department is trying to address climate change risk in its own supply chain. For audit and risk professionals here in the corporate realm, the report is worth reading to help understand how you might frame your own approach to “climate resilience” and what you should do to audit your third parties’ exposure.
First, Understand the Relevance
I know, I know — climate change risk in the supply chain is an obscure issue. Assuming you even fight your way through all the financial, cybersecurity, and compliance audits that take priority in most organizations, you still need to define a clear business case for spending the audit team’s time on this. What is that case? The Defense Department frames the issue as part of “mission assurance,” which the department defines as “the continued resilience of capabilities and assets in any operating environment or condition.”
That is, the military must always be able to mobilize its personnel and assets, regardless of what conditions might exist when that moment comes. The military must be able to keep operating, no matter what disruption or shock comes along.
Well, hold on. Businesses and regulators talk about that idea already. We just call that idea by a different name: operational resilience.
Operational resilience has been a hot topic in banking regulation for several years. The Fed and other central banks, for example, want assurances that financial firms can keep providing their services even in the event of a major cybersecurity disruption. And since modern corporate IT systems rely so much on cloud-based technology providers, that conversation is really about resiliency in the banking supply chain.
The business case for studying climate change risk in the supply chain is a lot like that. If climate change might leave your key suppliers unable to operate due to extreme weather events, or unable to provide services at feasible prices because climate change strains their business model (prolonged drought driving up the price of water, for example), that could leave your business vulnerable to disruptions they suffer.
Not every business will need to worry about climate risk in the supply chain. Service providers that rely on people more than physical assets, for example, could respond to climate risks more adroitly. But for large organizations with extensive physical assets and global supply chains, climate risk will catch up to you eventually — including through the third parties you use to keep operations going. That’s why this issue can be worth your team’s time.
Develop the Risk Assessment
OK, the board and management support your audit of climate risk in the supply chain. Now what do you actually assess and audit? We can start with four basic questions for any assessment of operational resilience:
- What are your company’s mission-critical assets and capabilities?
- What are the risks that might make those assets and capabilities fail?
- What are the risk management and risk response plans to keep the assets and capabilities protected?
- How will you monitor and report on the threats that might jeopardize those assets and capabilities, and the controls intended to keep them protected?
That’s a versatile checklist you could use to assess all sorts of threats, from climate change to cybersecurity to public health. For climate change in particular, you need to tailor that checklist with a few more specific questions.
- How could climate change disrupt your mission-critical assets or capabilities?
- Which suppliers contribute to those mission-critical assets or capabilities?
- How could climate change affect those suppliers, too?
- What assessment tools and mitigation measures could you put in place for those third parties?
I’m sure risk libraries already exist that give many examples of climate change risk, or you could find climate specialists happy to provide their advice for a fee. But for example: stronger hurricanes or tornadoes could level manufacturing plants; drought could drive up the cost of wastewater treatment or needed agricultural commodities; increased flooding could leave development projects needing a design overhaul.
Those things could affect your business, or your suppliers.
Mitigation measures for risks in your supply chain can be tricky. On one hand, you can try to diversify your supplier base to reduce the risk that any one supplier leaves you stranded — but that strategy won’t always work with climate risks, because climate is global. If drought ruins agricultural commodities across whole continents, or if sea levels rise around the world, you can’t diversify away from that.
On the other hand, you can go the tried and tested route of managing expectations with suppliers via contractual obligations. That’s nothing new; compliance officers have been forcing FCPA or human trafficking clauses onto their supply chain for years, and conceptually climate risk is no different. That said…
- You’ll need to know what your climate risk management objectives are;
- You’ll need to negotiate climate risk clauses with your suppliers, and define service-level agreements for climate risk mitigation that the suppliers will need to fulfill;
- You’ll need to know what metrics you want suppliers to report to you;
- You’ll need at least the right to audit those efforts, even if you don’t ever perform those audits.
The more you think about it, the more climate risks in the supply chain behave like any other supply chain risk: they threaten your organization’s ability to keep delivering services to your own customers. Likewise, the mechanisms to control those risks behave like any other: you identify key suppliers and negotiate climate mitigation measures into your business relationship.
The big flaw that the GAO found in its report on the Defense Department was simply that the Defense Department didn’t do enough of the actual work; it wasn’t assessing climate risk in the supply chain, even though DoD regulations said procurement officers should.
Not confronting difficult risks when you know you should. Honestly, that’s not news to risk, audit, and compliance professionals either.