Supply Chain Risk Management and Disaster Mitigation: Part 4

Stephen DeAngelis

February 25, 2011

This is the final post in a four-part series on supply chain risk management. In this post, I’d like to discuss some hedging strategies and techniques offered by Bill McBeath from ChainLink Research. He notes that “global dynamics ensure that commodity prices will remain volatile, with huge price spikes, for decades to come. Good hedging strategies are increasingly critical.” [“Managing Supply Risk Part Three – Hedging Strategies: Cross-Functional Teams,” ChainLink Research, 16 November 2010]. For businesses, there are few greater challenges than dealing with supply chain disruptions. One challenge that approaches the level of concern created by disruption is volatile commodity prices. McBeath believes that cross-functional teams can help address this challenge. Long-time readers of this post know that I’m a fan of such teams. In numerous past posts on the subject of innovation and creativity, I have noted how assembling cross-functional teams can foster an environment for solving problems. McBeath writes, “Cross-functional teams are a great way to accomplish smarter hedging.” He continues:

“The meteoric growth of emerging economies, in particular China, has had a dramatic impact on the price of raw materials and energy. With infrastructure construction in China continuing at breakneck pace, the world’s supplies of steel, concrete, copper, and other commodities are diverted and prices have risen dramatically as a result. China will almost certainly continue its spectacular building spree for many years (probably decades) to come, and is being joined by India, South East Asia, and other fast growing regions. … As much as commodity prices have risen in the past few years, they could rise to new unheard of heights. But not in a straight line; they will likely remain highly volatile for many years, if not decades, to come.”

All supply chains eventually lead back to raw materials. For now, most of those raw materials continue to be extracted from the earth. In the centuries ahead, more raw materials are likely to come from recycled goods than from extraction — but let’s not get ahead of ourselves. McBeath notes that “price volatility does not apply just to raw materials.” He explains:

“In many cases intermediate materials (e.g. titanium sponge or tantalum powder) or components (e.g. memory chips) can be constrained by the production capacity, which can be overwhelmed during periods of high demand. For these industries, it can take a year or two to bring significant new capacity online. When these shortages occur, prices skyrocket. All too often it seems that just as demand cools off, the suppliers have just managed to create significant new capacity which now far exceeds demand, and the prices drop like a rock. The bottom line is that sourcing personnel will have to learn to deal with commodity price volatility for many decades. That is why good hedging strategies are becoming an increasingly important element in the sourcing professional’s arsenal of methods and skills.”

McBeath discusses the importance of commodity price hedging strategies and I recommend that you read his article if it is a subject that affects your company. He points out that the problem with hedging strategies is that they are like insurance policies and there are bound to be corporate executives who whine if they are never used. He writes, “That is a little like complaining about the expense of buying insurance because you haven’t had any fires or hurricanes to make those insurance costs worthwhile.” Hedging strategies, of course, can be useful in more situations than just dealing with volatile commodity prices. Although McBeath’s discussion about cross-functional teams focuses on the challenge of commodity prices, I think you will see how such teams could be useful for discussing other potential disruptions to the supply chain as well. He writes:

“One of the firms that we interviewed uses cross-functional teams to create and manage their hedging strategies, leveraging a complementary mix of knowledge and skills. This seems to be a very smart approach. Their team consisted of people from the following functions:

  • “Sourcing/Commodity Manager—Understands dynamics of supply markets, such as pricing trends, sources of supply, capacity constraints, risks (political, geologic/weather, etc.), overall consumption, etc. Knowledgeable commodity managers have a good handle on the overall capacity and the current and projected levels of capacity utilization (i.e. degree of supply constraint) for the industry supplying the commodity.

  • “Treasury—Expertise in financial and risk analysis, hedging instruments, accounting and regulatory requirements, tax and other consequences

  • “Engineering—Knowledge of emerging technologies and new designs that may dramatically impact the quantities of particular materials and components needed in each product being manufactured. The need for some materials may be dramatically reduced or eliminated altogether, and at the same time new ones arise. …

  • “Product Management—Knows the product mix/roadmap, and forecasted volumes, all of which impact the firm’s expected levels of consumption of commodities. Also should know the overall industry growth rate, which can be used to estimate industry-wide consumption of commodities.

  • “Economist—Knowledge of the broader global conditions and long-term outlooks, which could impact both demand and supply.”

That, of course, is not an exhaustive list of potential members of a cross-functional team. The make-up of the team should be determined by the kinds of challenges that confront the flow of supplies — from natural disasters to weather to politics. In the final segment of his series on this subject, McBeath describes how one consumer packaged goods company uses hedging strategies to protect its business [“Managing Supply Risk Part Four – Hedging Strategies: Approaches,” ChainLink Research, 30 November 2010]. To conclude my post, however, I would like to examine the research of one McBeath’s colleagues, Michael J. Corby, who offers his thoughts on what constitutes a good business continuity plan [“12 Attributes of a Successful Business Continuity Plan,” ChainLink Research, 13 April 2010]. Corby writes:

“Business Continuity Planning is the one of the four commonly linked components of an organization’s risk management strategy. The distinction and relationship among the four components are commonly misunderstood. Often one component is confused with the other three. Frequently all four are combined into an overall process, which is good, but then handed off to a single person, or a small team of people who are charged with trying to satisfy the basic requirements of all of them in one fell swoop. This has generally proven to be an impossible task. All are important and each one has a specific critical role to play in resolving serious disruptions, but each one is a complex process and can require more effort than a single person or small group of people can accomplish. In Business Continuity Planning, shortcomings are like mistakes made in parachute packing. Neither one is recognized until it’s too late, with very poor results.”

In other words, risk management is a corporate responsibility and it requires broad support and participation. Corby obviously supports McBeath’s assertion that the risk management process will be more successful if cross-functional teams are involved. Corby refers to “four commonly linked components of an organization’s risk management strategy” which he depicts in the graphic below (click to enlarge).

Risk Managment Components

Although each of the four components is important, Corby’s article deals only with business continuity. He continues:

“Over many years of Business Continuity Plan development, I’ve come to recognize twelve telltale signs that often foretell the fate of the business continuity planning effort. Let’s look at the role of Business Continuity Planning within risk management and these twelve indicators of success. Business Continuity Planning joins with Emergency Response, Crisis Management and Disaster Recovery Planning to create a comprehensive process for recovering from unexpected events that threaten stability or even the future existence of an organization. Business Continuity is often the most crucial element in determining whether an organization can survive a major disruption over the long run. While the other three are certainly important factors in reducing damage, saving lives and re-establishing a reliable snapshot of the organization’s technology infrastructure, databases and transactions, all are rendered ineffective without a sound Business Continuity Plan (BCP).”

Before discussing his “12 attributes” of a successful BCP, Corby reminds us that all plans need to be tested — a point I stressed in the last part of this series. He also provides the caveat that his 12 attributes “do not necessarily mean the plan will be a success, nor do they indicate that failing to demonstrate them foretells failure.” Corby provides excellent discussions of each of his attributes and I recommend that you read his entire article. I’ll only be providing the abridged version.

1. Critical Business Functions Have Been Identified and Prioritized — The root of a sound business continuity plan lies in the ability to quickly and accurately determine the most important business functions. To be effective, the inventory of all critical business functions (both manual and automated) must be created in advance and be accurate. This inventory needs to include factors that can change an item’s priority, such as a cash management application that is extra important just before scheduled large payments like payroll or acquired inventory payments are processed.”

Corby notes that “determining the truly critical applications can be a challenge.” Sometimes the challenge comes because executives don’t really know what their most critical assets and processes are and sometimes the challenge comes before they deem everything critical. As I noted in an earlier post, Enterra Solutions uses its proprietary Enterprise Resilience Management Methodology™ to help companies identify its core assets and processes. ERMM™ offers a strategic approach to analyzing an organization’s core infrastructure and assessing enterprise risk. It helps clients understand the connections between tactical decisions and enterprise strategy, with regards to critical practices, processes, and rules governing the enterprise. Corby continues:

2. Recovery Time Objectives Have Been Determined for Critical Assets — The impact of a loss or delay in completing a business function typically changes over time. Usually we find that most business functions do not result in a significant brand image or product creation immediately, even though the effect on product quality, regulatory compliance or direct revenue can be immediate. A temporary workaround can often be used for some period of time before the effect is actually felt, but in almost all business functions, that temporary fix can only be continued for a short time before it becomes cumbersome at best and totally ineffective. That point in time when the process must be restored is called the Recovery Time Objective (RTO). When connected to the revenue streams the RTO represents the maximum time that the facility, person, process or technology is unavailable or delayed until revenue is seriously impacted.”

This is one of the areas that a business really needs to test. Guessing about your RTO could prove disastrous. For example, if your business suffered a fire that resulted in both loss of infrastructure and life, does your RTO account for the fact that critical employees might not be available to get back in operation? Corby continues:

3. Recovery Point Objectives Have Been Established for Critical Applications — Recovery Point Objectives (RPOs) are similar to Recovery Time Objectives except that they represent the tolerance for lost data once the process has been recovered or restored. For most computer applications that require data entry, archiving the source documents for re-entry will support full data recovery however the source documents may be lost or destroyed along with the computer files. Effective file and document archive procedures can help prevent losing these critical transaction records entirely.”

In the case of the World Trade Center disaster, companies like Cantor Fitzgerald had moved their data bases offsite following the 1993 attack on the buildings. As a result, those businesses managed to restart operations remarkably soon considering the nature of the catastrophe.

4. A Comprehensive Risk Assessment Has Been Conducted On Critical Facilities — The risk of loss of critical facilities can be mitigated, but generally at very high costs. Successful Risk Management methods strive to achieve a risk mitigation strategy that it proportionate to the potential for loss. There have been numerous attempts at detailing the steps required for a thorough risk assessment strategy. As in many other processes, perfection is the enemy of the good. I’ve seen organizations get so mired in the details that the objective can never be met. If risk management efforts start at the lowest level of detail, chances are pretty good that before all the details have been tallied, the cost factors will have changed. Then what do you do? Too frequently the answer is to start all over. … It is much easier to look at the four key elements of People, Process, Plan and Technology and to ignore the event that can cause a disruption, but instead look at the effect on those elements in only two categories: Total Loss and Significant Reduction in functionality. That transforms the target of the risk assessment from an infinite by infinite matrix by a much simpler four by two matrix. Only eight possibilities for each critical business function. By my calculation this is a much more attainable result.”

I think what Corby is trying to drive home is that a little common sense can go a long way. Thinking about “black swans” is important and can help executives fine tune their instincts; but, cutting to heart the matter as recommended by Corby, executives can put in a place a “good enough” system that can serve as a foundation on which they can rebuild.

5. Succession Plans Exist for Key Employees or Consultants — One of the most overlooked aspects of successful Business Continuity Planning is the potential loss of key decision makers during the response and recovery time when their abilities are most crucial. If you want to see the impact of key decision makers in a Business Continuity Plan, try running a recovery test without certain key roles. Often the head of Corporate Communications, the Data Center Manager, the I/T Network specialist or the authentication server administrator has knowledge that eluded the recovery documents.”

The point is that investments in a good training program and a robust internal communications plan that fosters lots of shared information could pay off big during a disaster. I agree with Corby that too often plans concentrate on things rather than people. The most valuable asset a company has is its people.

6. A Technology Backup Strategy Exists and Is Tested Regularly — Several years ago, an interesting I/T disaster Recovery approach was developed. Called the ‘No-Plan Plan,’ it prescribed that every day should be a Disaster Recovery exercise. … Too often however, I/T Disaster Recovery Planning is confused with full Business Continuity Planning, but in reality it only represents part of the enterprises risk management strategy. I/T recovery can be fruitless if there are no available people or facilities to use the restored computer applications. Creating and testing is an effective element in Business Continuity, but it cannot become the sole activity.”

Corby points out that testing an IT recovery plan without having to really disrupt operations can be tricky and time consuming. He concludes, “One philosophy I’ve used over the years is ‘Don’t create a disaster trying to test the recovery from one.'” In the last post, Daniel Stengel recommended using simulations to test your plans. Simulations allow you to push the system to its breaking point without actually disrupting operations. Corby continues:

7. Multiple Sources Are Available for Critical Supplies and Processes — Product quality and information privacy regulations make the task of identifying alternate suppliers more challenging. You cannot relinquish your need for proper controls over your alternate sources.”

In my previous post, I discussed the importance of maintaining supplier risk profiles and supplier ratings to help address the point being made by Corby. Such tools need to be used for alternate suppliers as well as primary suppliers.

8. People (an often overlooked critical business resource) Are Included in Business Continuity — Recently, pandemic response planning has taken its place in Business Continuity Planning, both from an employee absence perspective and one that represents a dramatic alteration in public behavior (e.g. restaurants, public transportation, hospital care).”

Earlier Corby stressed the importance of continuity of leadership. His point here is that a pandemic can affect the regular work force as well as leadership. At what point would absences caused by a pandemic constitute a crisis for your company? It’s worth thinking about. I know that there is some preliminary work being done to see how social networks could be used to help understand how a “dramatic alteration in public behavior” unfolds during a crisis. It is an area that deserves a lot more study.

9. Tools and Training Are In Place to Provide Advanced Warning of Incidents — The best Business Continuity Plans are ones that can be initiated very early before the interruption has progressed to the point of a crisis. Well-trained and practiced employees are the first line of defense in identifying situations that could become serious. Part of the plan is to teach employees to recognize the signs of an impending disruption in normal activity. Many computer incidents such as failing components, hacking attempts or infection by computer viruses can be recognized by intrusion detection and operations management tools. These components are often included in technology operations strategies, but they must be run and monitored to be effective.”

Corby once again underscores the importance of training and exercising. Plans that sit on shelves gathering dust until they are needed are plans that are going to go terribly wrong at the worst possible time.

10. All Projects Include a Disaster Recovery Component — For complex I/T applications, experience has shown that developing Disaster Recovery (DR) elements after the application has been completed costs much more than anticipating DR needs during the design stage. Operational sync-points and offline versions of key data files can more easily be accommodated at the onset of the project. Many effective techniques exist for building a resilient facility that can provide risk remediation, especially for computer and communications capabilities. This capacity is often cost prohibitive in existing facilities, but over time, as plants are expanded, upgraded or acquired, these modifications can be made with minimal increased cost.”

The old carpenters’ adage “measure twice and cut once” should be applied to the planning of any facility. In other words, make sure you know what you are doing before proceeding. Corby is correct that the challenges of trying to bring old infrastructure up to snuff can be cost prohibitive — just ensure that the alternative (failing to modernize) doesn’t risk putting the company out of business if disaster does strike.

11. Technology Domains Are Defined to Include Business Continuity and Security — Technology can be used to effectively create a domain structure that enhances the ability to consolidate resources with similar requirements for Confidentiality, Integrity and Availability. Technical infrastructure and advanced processes can be applied at the domain group level, saving considerable costs and substantially reducing complexity. Most business units cannot justify the expense associated with providing a continuous availability strategy, rigorous monitoring or enabling strong authentication techniques. When several business units share the benefits and costs however, the expense can be more easily justified.”

Like with so many other aspects of running a company, a business case has to be made for implementation of risk management procedures and systems. Cross-functional teams can help ensure that a good case is made when they are being designed. Corby concludes his list of attributes:

12. Capacity Planning Includes Strategy for Increased Demand — Business Continuity Planning is not exclusively for the restoration of processes after a disaster or disruptive event. Successfully executing an effective plan can also provide considerable benefits including increased market share. Like the old joke about the two guys in the jungle trying to outrun the tiger, Business Continuity Planning is the ability to respond more quickly and more successfully than competitors to gain a competitive advantage.”

That’s a lot information to take in; and, as I noted earlier, Corby provides even more information in his full article. Hopefully, this series of posts have given you some grist to think about.