Concepts and definitions

Artificial intelligence (AI): Machines or devices that have software that learns from experience, adjusts to new inputs, and performs human-like tasks.

Benchmark test: Established criteria to determine whether a risk is significant to the organization.

Big data: A term that describes extremely large data sets that may be analyzed computationally to reveal patterns, trends, and associations.

Blockchain: A shared, immutable ledger that facilitates the process of recording transactions and tracking assets in a business network.

Buffer stock: The level of extra stock that is maintained to mitigate risk due to uncertainties or events affecting either the demand or supply side of the supply chain; also called safety stock.

Business continuity plan (BCP): A plan to ensure continuity of business operations in the event of a serious incident that impacts the port.

Business impact analysis: Analysis to assess the potential damage, loss, or disruption that would be caused by the failure of the port as a whole or of part of it, e.g., the failure of a critical business process or infrastructure.

Cloud-based supply chain risk assessment tool: A risk assessment tool that allows users to gain insight into an organization’s risk exposures across an entire supply chain.

Cluster analysis: An analysis of the geographic concentration of entities within a supply chain, including those relating to a port facility, to determine whether any cluster presents unusual risk.

Cognitive bias: A systematic pattern of deviation from the norm or rationality in judgment.

Cognitive computing: Technology platforms that, broadly speaking, are based on the scientific disciplines of artificial intelligence and signal processing.

Collaborative planning, forecasting, and replenishment (CPFR): A framework that aims to enhance supply chain integration through joint practices between organizations.

Commodity or category risk plans: Risk assessment plans developed by procurement to analyze the risks associated with sourcing a commodity (such as lithium) or categories of purchases (such as drayage services).

Compliance risk: Category of risk that is associated with the management of mandatory obligations.

Consequences: Effect on the strategic, tactical, operational and compliance core processes resulting from a risk materializing.

Contracting: The process of developing a contract, which is a legally enforceable agreement between two or more parties.

Control: Actions to reduce the likelihood and/or magnitude of a risk. Hazard controls can be preventive, corrective, directive, or detective.

Corporate governance: Set of activities and policies that control the way in which an organization or port is directed, administered, and/or controlled.

Corporate social responsibility: A self-regulating business model that helps a port be socially accountable to itself, its stakeholders, and the public.

Cost-to-serve: Involves the calculation of the profitability of a customer account, based on the actual business activities and overhead costs incurred to service that customer.

Current risk: Existing level of risk considering the controls in place, sometimes referred to as ‘net risk’ or ‘managed risk’, but most frequently as ‘residual risk’.

Cyber insurance: Provides protection for cyber risk and cyber related events.

Cybersecurity: Refers to the body of technologies, processes, and practices designed to protect networks, devices, programmes, and data from attack, damage, or unauthorized access.

Data science: A multi-disciplinary field that uses scientific methods, processes, algorithms, and systems to extract knowledge and insights from structured and unstructured data.

Detective control: Type of control designed to identify that a hazard risk has materialized, so that actions can be taken to avoid further or greater losses.

Directive control: Type of control based on giving directions to people to behave in a certain way and/or follow established procedures.

Digital twin: A digital replica of a living or non-living physical entity. It allows an organization such as a port to model its operations digitally and run several risk scenarios to look at the potential impact on port operations.

Digitization: The application of new technologies, including sensors, artificial intelligence, cloud computing, and predictive analytics, that allow or assist in changing the way that ports operate.

Disaster recovery plan: Plan for use in the event of a serious loss, such as IT failure, fire, or earthquake, to assist the recovery of the port or organization and support crisis management.

Enterprise risk management (ERM): Integrated and coordinated approach to all the risks faced by the port or relevant organization.

Extended value chain: Also called the extended enterprise; it not only includes the immediate value chain but also sub-tiers of suppliers and customers and other stakeholders.

Financial ratio analyses: The inputting of financial data into ratios to analyze various aspects of supplier and customer financial health and performance.

Governance, risk, and compliance (GRC): Integrated approach to risk management and risk assurance based on the three lines of defense.

Hazard risk: Category of risk that is associated with the management of pure risks or perils; the effects of hazard risks need to be mitigated.

Hedging: Involves the simultaneous purchase and sale of contracts, often over a time frame that coincides with a purchase contract to protect against volatility; a common type of hedging is in respect of currency.

Impact: Effect on the finances, infrastructure, reputation, and marketplace when a risk materializes.

Inherent risk: Level of a risk before any control activities are applied, sometimes referred to as the ‘gross level’ or ‘absolute level’ of the risk.

Insurance: Risk response for risks outside risk appetite that the organization wishes to transfer or share with another party(s).

Leadership, involvement, learning, accountability, and communication: Set of attributes that should be present to achieve successful embedding of risk management in the port or organization.

Level of risk: Combination of the likelihood and impact of the risk, as established during the risk rating stage of risk assessment; it can be determined at either gross (inherent) or net (residual) level.

Likelihood: Evaluation or judgement regarding the chances of a risk materializing, sometimes established as a ‘probability’ or ‘frequency’.

Logistics management: The process of planning, implementing, and controlling the efficient, effective flow and storage of goods, services, and related information from the point of origin to the point of consumption.

Loss control: Range of activities to reduce the potential impact of hazard risks on the port or organization, including loss prevention, damage limitation and cost containment.

Maritime supply chain risk maturity model: A model that illustrates the maturity of maritime supply chain risk management through various stages such as visibility, predictability, resiliency, and sustainability.

Maximum Tolerable Periods of Disruption (MTPD): The most time that the organization or port can be without the service or facility.

Multiple source: The use of more than one supplier for an item or service.

Network design: Includes the physical design and development of global supply chains. Design considerations include supplier locations, port and logistic routes, operations, distribution center location, distribution routes, and customer service centers.

Operational risk: Risk of loss or gain resulting from inadequate or failed internal processes, people, and systems, or from external events, and capable of impacting the operations of the port or organization.

Operations management: The systematic design, direction, and control of processes that transform inputs into services and products for internal, as well as external, customers.

Predictive analytics: The branch of advanced analytics which uses data to make predictions about unknown future events.

Preventive control: Type of control that is designed to eliminate the possibility of an undesirable risk materializing.

Principles of risk management: Set of attributes defining the features of successful risk management, summarized as proportionate, aligned, comprehensive, embedded, and dynamic.

Probabilistic models: Models where uncertainty is explicitly considered in the analysis; also called stochastic models.

Process maps/value stream maps: Physical or graphical representations of organizational processes or the value streams that are designed to create customer value.

Qualitative risk indicators: Non-quantitative signals or indicators in the marketplace that suggest a deeper investigation of a supplier or customer is in order.

Recovery Point Objective (RPO): Defines the point to which information used by an activity must be restored to enable the activity to operate on resumption. In other words, the minimum level of information or data needed to operate a process.

Resilience: Ability to absorb and adapt in a changing environment (ISO 22300:2018).

Recovery Time Objective: Defines the period following disruption that the organization or port aims to recover or resume its activities, production, or service provision.

Risk: Effect of uncertainty on objectives. An effect is a deviation from the expected. It can be positive, negative or both, and can address, create, or result in opportunities and threats. Objectives can have different aspects and categories and can be applied at different levels.

Risk is usually expressed in terms of risk sources, potential events, their consequences, and their likelihood (ISO 31000:2018).

Risk analysis or assessment: Means by which significant risks are evaluated and prioritized by undertaking the three stages of risk recognition, risk rating, and risk ranking.

Risk appetite: Amount and type of risk that an organization or port is willing to pursue or retain; also referred to as risk tolerance or risk propensity.

Risk assurance: Means by which a port or organization receives reasonable assurance that the significant risks are being adequately controlled.

Risk capacity: Maximum level of risk to which the port or organization should be exposed, having regard to financial and other resources.

Risk categories: There are four categories of risk: compliance (or mandatory) risks; hazard (or pure) risks; control (or uncertainty) risks; and opportunity (or speculative) risks.

Risk compliance: Includes the internal activities taken to meet required or mandated rules and regulations, whether they are governmental, industry-specific, or internally imposed.

Risk control room: A central command center where information is collected, categorized, analyzed, prominently displayed, and widely disseminated to the right people, at the right place, at the right time.

Risk criteria: Basis for ranking or evaluation of the significance of a risk – will define the risk appetite of a port or organization.

Risk culture: The system of values and behaviors present in an organization or port that shapes risk decisions of management and employees.

Risk event: A discrete, specific occurrence that negatively affects a decision, plan, firm, or port; a risk that has become a reality.

Risk exposure: Level of risk to which the organization is exposed, either regarding an individual risk or the cumulative exposure to the risks faced by the organization.

Risk governance: Includes the frameworks, tools, policies, procedures, controls, and decision-making hierarchy employed to manage a port or other organization from a risk management perspective.

Risk heat maps: A risk map that uses a color-coded display of risks, such as red, yellow, or green designations, to indicate risk probability and severity.

Risk management: Management activities to deliver the most favorable outcome and reduce the volatility or variability of that outcome.

Risk management framework: Set of activities that support the risk management process, referred to as the risk architecture; arrangements for designing, implementing, monitoring, reviewing and continually improving risk management.

Risk management information system (RMIS): Computer software system or part of the intranet of the port or organization that records and communicates risk information.

Risk management measures: Measures or indicators whose primary focus is risk, including time-to-recovery (TtR) and value-at-risk (VaR).

Risk management policy: Statement of the overall intentions and direction of the port or organization related to risk management; usually a one-page document or poster.

Risk management process: Activities that deliver management and control of risks – can be defined as recognition, rating, ranking, responding, resourcing controls, reaction planning, reporting and review.

Risk maturity model: Structure for determining the level to which risk management is embedded within a port or organization; the aim is a risk-aware culture with a proactive risk approach in which risk is considered at all stages.

Risk mitigation: Actions taken to reduce either the likelihood of a risk occurring or to minimize the extent of its impact after occurrence.

Risk priority numbering (RPN) indexes: Quantitative models that consider multiple factors to arrive at a single risk indicator score.

Risk ranking: Stage in the risk assessment process that analyses the likelihood and impact of a risk.

Risk rating: Stage in the risk assessment process that evaluates the risk with reference to the risk appetite or the established risk criteria, to help select the appropriate risk response.

Risk recognition: Early stage in the risk management process, which involves the identification of all the risks faced by the port or organization.

Risk register: Record of the significant risks faced by an organization, the controls currently in place, additional controls that are required and responsibility for control activities.

Risk resilience: The ability to ‘bounce back’ or adjust in respect of the occurrence of a risk event.

Risk response plan: A plan to implement actions to respond to risks, including decisions such as whether to tolerate, treat, transfer or terminate.

Risk severity and probability maps: A process by which organizations identify the types of risk they may be subject to, assess the relative impact of these risks, and determine the relative probability that these risks will occur; the results are typically mapped on a 2x2 grid. It is a similar approach to the use of heat maps.

Risk taxonomy: Practice of naming, classifying, and defining relationships between resources, risks, goals, and business processes in the port or organization. Without an organization-wide taxonomy, every department and level would potentially speak a different risk language.

Risk tolerance: Deviation from the expected level of risk leading to implementation of risk escalation procedures – definitions of risk tolerance can vary considerably.

Risk vulnerability: Susceptibility to harm; usually less quantified than risk exposure.

Significant risk: Risk with the ability to impact above the established benchmark for that type of risk.

Strategic risk: Long-term or opportunity risk concerned with where the organization wants to go, how it plans to get there and how it can ensure survival.

Strategic supply management framework: A cross-functional, proactive process for obtaining goods and services that features evaluating and selecting suppliers; managing suppliers; and developing and improving supplier capabilities.

Strategy portfolio matrix: A segmentation tool that helps supply chain managers develop an appropriate strategy or approach for sourcing goods and services.

Stress testing: A technique that tests a set of scenarios using ‘what-if’ and statistical analysis. The primary output is a prioritization of risk scenarios based on Value-at-Risk (VaR).

Supplier and customer bankruptcy indicators: Algorithmic formulas that use financial data to estimate a supplier or customer’s bankruptcy potential.

Supplier audits: An objective examination and evaluation of a supplier’s performance and practices to ensure they are in conformance with various requirements, laws, and standards, e.g., business continuity.

Supply chain: A set of three or more organizations linked directly by one or more of the upstream or downstream flows of products, services, finances, and information from a source to a customer.

Supply chain disruption: An unplanned breakdown or interruption to the production or distribution nodes that comprise a supply chain.

Supply chain management: Proactive management of the two-way flows of goods, services, information, and funds from raw material through to the end customer.

Supply chain mapping: The process of graphically representing the entities that comprise a supply chain, ideally beyond a firm’s tier-one suppliers and customers.

Supply chain network: A network is an evolution of the basic graphically represented supply chain; compared with a supply chain, it is a more complex structure involving a higher level of interdependence and connectivity between a larger number of organizations.

Supply chain (third party) risk management (SCRM): The implementation of strategies to manage everyday and exceptional risks along the supply chain through continuous risk assessment and management, with the objective of reducing vulnerability and ensuring continuity.

Supply chain risk management roadmap: A cross-functional, proactive process for obtaining goods and services that features risk-based evaluation and selection of suppliers; managing suppliers; and developing and improving supplier capabilities.

Target risk: The ultimate level of risk that is desired by the port or organization when planned additional controls have been implemented.

Terminate: Risk response that is appropriate when the level of risk is not acceptable to the port or organization or outside risk appetite, also referred to as ‘avoid’ or ‘eliminate’.

The Internet of Things (IoT): A sensor network of billions of smart devices that connect people, systems, and other applications to collect and share data.

Tolerate: Risk response that is appropriate when the level of risk is within risk appetite, also referred to as ‘accept’ or ‘retain’.

Trade-offs: A compromise that involves giving up something in return for getting something else.

Transfer: Risk response for risks outside risk appetite that the organization wishes to transfer or share, by means of insurance or commercial contract.

Treat: Risk response for risks that can be (further) treated by introduction of cost-effective (corrective) controls, also referred to as ‘control’ or ‘reduce’.

Value chain: The process or activities by which a company adds value to something, including production, logistics, marketing, and the provision of after-sales service.

VUCA (volatility, uncertainty, complexity, ambiguity): Elements related to operations, including port operations such as vessel activity, that have the potential to create or contribute to risk.