Supply Chain Risk Management and Disaster Mitigation: Part 1

Stephen DeAngelis

February 22, 2011

Today’s earthquake in New Zealand reminds us that bad things can happen quickly and unexpectedly. Cyclones in Southeast Asia, unrest in Egypt, and volcanic eruptions in Iceland have all made news over the past year as have automobile recalls, embargoes of rare earth minerals, and flaws in microchip manufacturing. What these events have in common is that each of them affects the supply chain in one way or another. As a result, there have been a number of articles about the importance of having a business continuity/disaster recovery (BC/DR) plan and system in place. Curt Barry, president of F. Curtis Barry & Co., a multichannel operations and fulfillment consultancy, claims that many businesses believe they have a BC/DR plan in place, “but it’s often not the case.” [“Develop a master disaster plan,” Multichannel Merchant, 1 February 2011]. He writes:

“Natural or man-made, disruptions and disasters that could pose threats to the well-being of our employees, physical plants and business viability are more common than we think — and it’s human nature to be overconfident about our preparedness. … Concerns about costs, as well as the ‘it can’t happen to us’ mindset, prevent many companies from addressing these crucial issues.”

Barry is correct that overconfidence and denial can prove disastrous for a company. This past year should have convinced most companies that “it can happen here.” Julian Evans writes:

“In a world where almost every company relies on global supply chains and an international network of outsourced activities, a freak event many thousands of miles away can have a potentially devastating impact on business at home. In this environment, it is critical that companies have a firm strategy in place to deal with the unexpected and a thorough knowledge of the insurance industry. Never was this shown to be more important than in 2010 – the so-called year of the catastrophe. It had everything: Devastating earthquakes in Haiti, Chile, China and Iran, severe flooding in Pakistan, forest fires and suffocating smog in Russia, a major oil spill off the coast of the U.S., an extremely cold winter that caused travel chaos, and even a volcanic eruption that left the skies empty of planes. Not to mention the banking system.” [“Weathering the Storm,” Wall Street Journal, 7 February 2011].

There are a number of things that must be considered when one thinks about supply chain risk management (see my post entitled Defining Supply Chain Risk). Evans reports that the consequences of natural disasters last year were devastating, both financially and emotionally. He writes:

“The insurance company Swiss Re estimates that worldwide economic losses from natural catastrophes and man-made disasters reached $222 billion last year – more than triple the losses in 2009. Moreover, the number of deaths due to catastrophe reached 260,000 in 2010, which is the highest figure since 1976, and more than the total killed through terrorism over the last 40 years.”

Supply chain professionals look at natural disasters in terms of the disruptions they are likely to cause. Evans notes that “the impact [of natural disasters on the supply chain] is exacerbated by the interdependence of global society.” He continues:

“Globalization has … exposed companies to greater catastrophe or crisis risk, because their supply chains are now stretched across the world, and they may have outsourced many parts of their business to suppliers or service companies thousands of miles away. If one link in the supply chain goes wrong, it can have a huge impact. Look, for example, at Toyota, the world’s biggest car company, which outsourced the manufacture of many of its parts, only to see its profit and reputation take a huge hit this year when it had to recall over 10 million vehicles for safety reasons. David Noble, chief executive of the Chartered Institute of Purchasing and Supply, says: ‘There’s certainly a risk that comes with outsourcing. We hear from CEOs of major multinationals that analysts are increasingly quizzing them about how well they’re managing their supply risk.'”

Evans then rhetorically asks, “So what can businesses do to expect the unexpected and control the uncontrollable?” His answer: “They can, at least, put together a business continuity plan.” That leads us back to Barry’s assertion that many companies overrate the plans they have in place. Evans continues:

“Vincent West, head of UK business continuity practice at risk manager Aon, says: ‘If companies create a business continuity plan, then they have a framework for response to catastrophes. They have identified in advance those activities that are absolutely essential to the running of the business – the people, the premises, the infrastructure – then they can plan how to protect these parts of the business if, for example, 40% of the workforce falls ill with swine flu. They can learn how to deploy resources to keep the core business up and running.'”

Enterra Solutions® uses its proprietary Enterprise Resilience Management Methodology® to help companies identify its core assets and processes. ERMM™ offers a strategic approach to analyzing an organization’s core infrastructure and assessing enterprise risk. It helps clients understand the connections between tactical decisions and enterprise strategy, with regards to critical practices, processes, and rules governing the enterprise. Of course, identifying core assets and processes is only the beginning of creating and implementing a BC/DR plan. Evans continues:

“Companies also need to address which parts of their supply chain are essential, and which parts are particularly vulnerable. ‘Companies are keen to ensure their supply chain is secure,’ says Mr. West, ‘because if they don’t, there’s a danger they will import disaster.’ An important part of any company’s response to freak conditions is their communication strategy. [James Crask, senior manager in consultancy PricewaterhouseCoopers’ risk and business continuity team] says: ‘A company needs to bear in mind how they’ll be perceived. If you lose the confidence of your customers during a crisis, it can be very hard to win back.’ Take the reputation of BAA, the operator of the U.K.’s Heathrow Airport, which was widely criticized for closing two runways for three days in the run-up to Christmas, after one day of snow, which made thousands of travelers unable to reach their destinations for Christmas. BAA made a bad situation worse by giving stranded passengers hardly any information about why it was taking so long to clear the snow or when the situation might improve.”

Evans concludes his article by noting that companies can always cover losses by buying catastrophe insurance; but such insurance doesn’t buy back lost good will from customers. The editorial staff at Supply Chain Digest agrees with Barry that there is some denial being experienced among businesses. It writes that there is a big difference between how important companies say risk management is versus what they are really doing about it. [“Key Drivers of Successful Supplier Risk Management,” 18 August 2010]. The article continues:

“The global recession proved perhaps the most challenging period ever, or at least since the Great Depression, in terms of managing supplier risk, as companies had to find new ways to both assess that risk and enact mitigation strategies as suppliers struggled to stay solvent. While the worst may be over, in these dynamic times supplier risk management will stay high on the procurement priority list, and companies need a formal process for managing that process. Research shows that on average large companies encounter a major supply chain disruption every 4-5 years. Just this year, for example, network equipment and other high tech companies have battled shortages on very basic electronic components, leading such as Ericsson, Nokia, Alcatel-Lucent and other firms to report pretty significant hits to revenue in Q2 and falling stock prices because they simply couldn’t deliver the goods to customers.”

The article notes that the Boston Consulting Group (BGC) “defines supplier risk management as ‘the use of processes and procedures to offset any risk factors that could interrupt a supplier’s ability to provide an organization with needed raw materials, components, or other inputs or services.” The article continues:

“[Boston Consulting] says typical risk factors include: financial risks that could affect a supplier’s solvency; operational risks that could affect quality, logistics or pricing; market risks related to regulatory and geopolitical events, or changes in commodity prices; major catastrophes and natural disasters; and anything that would compromise a company’s brand, intellectual property or proprietary processes.”

For an even more extensive list of risk factors, click on the link to my post mentioned above. BGC consultants Robert Tevelson, Petros Paranikas, and Byron Paul claim that “the majority of companies that do have [supplier risk management] practices tend to focus only on direct, supplier-driven risks, ignoring those related to market changes, geopolitical issues and other potentially disruptive, external events.” In other words, the focus of most BC/DR plans is too narrow. In a globalized world that is not a good thing. The Supply Chain Digest articles concludes with “Five Levers for Supplier Risk Management Success” identified by BCG. The first “lever” starts at the top:

Engage Top-level Management: This means both that senior procurement leaders must actively show their support for SRM within their organizations, and then also communicate that need to the CEO and executive peers. Yet, BGC’s research showed only 45% of respondents discuss SRM with the organization’s executive team on a quarterly basis; 20% never discuss SRM with senior management. Best-in-class companies, BGC says, set up regular SRM reviews that follow a standard format and offer clear escalation procedures when potential problems are flagged. The authors make the strong point that SRM cannot be only the province of the procurement group – the trade-offs and level of risk tolerance must be approached cross-functionally.”

It is hard to imagine that events that could “compromise a company’s brand, intellectual property or proprietary processes” would not be routine topics discussed at the highest levels of corporate management. The second “lever” identified by Boston Consulting is segmenting suppliers.

Segment Suppliers Based on Relative Risk: No company can manage detailed risk assessment and mitigation strategies across thousands or even hundreds of suppliers. So, procurement organizations must pick the most important suppliers to focus on, but too often this is done by ‘gut feel’ rather than a formal categorization process. ‘Best-in-class companies take a more formal approach, dividing suppliers into different risk categories based on predetermined criteria such as financial health, supply of critical components, supplier value-add, supplier power, time to switch and industry outlook,’ BGC says. ‘These risk assessments are refreshed at least annually, and, in some instances, every quarter. High-risk suppliers are reviewed more often, so that issues are identified early and quick action can be taken.’ Not surprisingly, the authors say, more frequent risk assessment is linked to more successful risk identification.”

More and more companies are beginning to score their suppliers so that they have a better understanding of which ones perform best. I believe this is a trend that will continue to grow. The third BCG lever involves measuring and managing.

Rigorously Measure and Manage Risk: Even though it has become well understood that companies need to assess both the probability of a supply disruption and the level of financial impact the disruption might cause, BGC’s research found only 40% of respondents were satisfied that their companies could effectively quantify the likelihood and impact of key risks. BGC says companies need to add more ‘rigor’ to the risk assessment process, and do a better job collecting cross-functional data that might help identify an emerging supplier problem earlier (for example, are key personnel leaving the supplier?).”

Obviously, some important data (like departing personnel) may be difficult to obtain in timely manner. I agree that collecting “cross-functional data” is important, but collecting data and understanding it are two different challenges. That is why I like systems that sense, think, and respond. The fourth “lever” deals with collaboration.

Collaborate with Key Suppliers: Complex, global supply chains require higher levels of collaboration. So do very ‘lean’ supply chains (and who doesn’t have one of those these days?), where disruptions can quickly lead to operational and financial problems. The key point: ‘Companies such as these must understand the risks of the entire supply chain, not just of individual suppliers. Yet few can single-handedly take on the substantial cost of managing risk across the board. Collaboration is critical,’ the BGC consultants say. The research found few companies say that their companies actively collaborate with suppliers to manage risk.”

Long-time readers of this post (or posts like those written by supply chain analyst Lora Cecere) understand that collaboration is going to play an increasingly important role in supply chain management. Collaboration is important for more effective functioning of supply chain during normal operations as well as preparing for disruptions. Look for a future post on this subject. The final “lever” identified by BCG involves giving supply chain personnel the right tools and training to help them be successful.

Give Category Managers Tools and Training: As with many things, most companies agree that supplier risk management is essential, yet the survey showed few companies effectively educate their senior leaders and category managers on how to do it well. The research showed two-thirds of respondents reported that their companies failed to provide even one full day of risk management training, and most expressed dissatisfaction with current programs company training programs on the subject. Technology support tools are equally lacking, though BGC says a few companies have complex tools that can track the potential impact of a single event in one location — such as a tornado in Kansas — on all aspects of the supply chain. ‘SRM is challenging and requires a proactive, customized approach to get it right,’ the BGC authors conclude. ‘Understanding your company’s model, based on your source of competitive advantage and degree of supply chain complexity, reveals critical best practices. These, combined with the five levers for success, can help your company stay ahead of potential supplier problems.'”

We will continue this discussion in Parts 2 through 4 of this series. Part 2 discusses some recommended approaches to supply chain risk management. Part 3 discusses establishing and testing risk management plans. Finally, Part 4 discusses hedging strategies.