Supply Chain Risk Management: Disruption Losses are Probably Under-estimated

Stephen DeAngelis

July 5, 2013

Jennifer Baljko writes, “A new UN report that warns of $100 billion in annual losses from natural disasters should prompt supply chain managers to update risk management strategies and adopt more resilient practices.” [“Prepare Your Supply Chain for Natural Disasters,” EBN, 10 June 2013] Andrew Maskrey, lead author and head of risk knowledge at the United Nations Office Disaster Risk Reduction, says that it’s the small disasters, not the big ones, that cause the most disruption. In the following video, Maskrey summarizes the study’s findings.

In the video, Maskrey notes that no one really knows how much disruptions caused by natural disasters really cost businesses. He suspects the total is under-estimated because often only insured losses are reported. He also notes that disruptions from so-called small disasters cumulatively cost businesses more than losses from large disasters. Baljko writes:

“The report, ‘Global Assessment Report on Disaster Risk Reduction 2013,’ paints a gloomy picture. If news of direct economic losses from disasters walloping past $100 billion annually for three consecutive years — a figure that does not include uninsured losses — isn’t nervous-making enough, the report says in its first sentence on its first page, ‘the worst is yet to come.’ Continuing population growth, rapid urbanization, climate change, and an ‘approach to investment that discounts disaster risk’ open up the possibility for more catastrophic losses. The report goes on to say that the full scale of disaster losses has probably been grossly underestimated until now:

One trillion dollars have been lost in the last decade due to disasters. Such statements are familiar to investors but they only partially reflect total disaster losses. Between 1981 and 2011, total direct losses in these countries were approximately US$305 billion… The implication is that the headline-grabbing figures recorded in global datasets over the last decade may be quite conservative. Once the losses associated with nationally reported smaller disasters are included, those figures are likely to be at least 50 percent higher. At the same time, these figures refer only to direct losses and thus exclude the cost of indirect losses and wider effects of disaster.

Baljko insists that “potential globalized supply chain vulnerabilities” should cause companies to shudder. In developed countries that are more resilient to disasters than less developed countries, like the United States and United Kingdom, “companies still have to deal with these issues. The report found that most of the 1,300 businesses surveyed in disaster-prone cities in the Americas noted power, water supply, and telecommunications disruptions were top concerns.” She also notes, however, that the study is not all “doom and gloom.” She writes, “The report also points out spots of silver linings and encouraging signs of progress. One notable shift is that public-private partnerships in risk management are proving to be valuable assets in times of crisis.”

Unfortunately, too few companies do sufficient supply chain risk management planning. Jeff Karrenbaurer, President at Insight, Inc., told Dustin Mattison that this isn’t too surprising considering the fact that companies don’t get rewarded for their risk management efforts. “Wall Street certainly doesn’t reward you for it,” he stated. “They hammer you for it. It is ironic that the people who should be demanding prudent investment will hammer you for doing prudent management of the investment?” [“Supply Chain Risk and Vulnerability Planning,” Dustin Mattison’s Blog, 19 January 2012] Even though their efforts aren’t rewarded, Karrenbaurer told Mattison that it “drives him up the wall” that companies don’t put more effort into risk management.

About the same time that Karrenbaurer was talking to Mattison, Rachel Dines published an article in which she claimed that even companies that have disaster recovery plans don’t exercise them enough to make them effective. “The chance that you could successfully recover IT operations without having exercised your DR plans on a regular basis is slim at best,” she writes. “The chance that you could successfully recover and meet your recovery objectives is zero. Yet Forrester finds that exercising DR plans is one area in which many organizations continue to fall short.” [“How To Improve Disaster Recovery Preparedness,” CIO, 18 January 2012] Dines went on to offer “10 best practices for updating and improving your current DR exercise program.” They are:

1. Define specific exercise objectives upfront
2. Include business stakeholders
3. Rotate staff responsibilities
4. Develop specific risk scenarios for your exercises
5. Run joint exercises with Business Continuity (BC) Teams
6. Vary exercise types from technical tests to walk-throughs
7. Make sure to test all IT infrastructure concurrently at least once per year
8. Identify members of the core Disaster Recovery Team
9. Learn from your mistakes
10. Report results to stakeholders

Those are all good suggestions. Designing exercises, however, is not as easy as one might imagine. Something that might help is determining what metrics you want to measure. Mallory Davies, Editor-in-Chief of Supply Chain Standard, notes that disasters resulting in disruptions affect various economic sectors differently. It makes sense, therefore, that different metrics must be used to assess risk in those sectors. “There is room for discussion over what should be measured,” he writes. “The imperatives driving the food supply chain are significantly different to heavy engineering. A natural disaster, for example, will present risks to both, but the impact on each could be very different – and the metrics need to reflect that.” [“New metrics to measure supply chain risk,” 30 January 2012]

In another article, Davies discussed what Toyota did to improve its resiliency following major disruptions that occurred after the earthquake/tsunami hit Japan in 2011. “The clever thing,” he writes, “is to find ways of improving resilience without a major increase in costs. And, according to a recent Reuters report from Tokyo, this is the approach that Toyota is adopting.” [“A wake-up call…,” Supply Chain Standard, 5 March 2012] He continued:

“Following the earthquake and tsunami of [in March 2011, Toyota] has been identifying the suppliers that are most at risk coming up with a list of some 300 locations that were single sources for parts. Options include ensuring that components are produced at more than one location, increasing stock holdings, or purchasing from additional suppliers. At the same time, Toyota is looking to increase the number of common parts across its product range and so offering economies of scale to its suppliers. Toyota has strong reputation for the quality of its supply chain management. The fact that it sees a need to make such wide-ranging changes should be a wake-up call to rest of us.”

With all of the news coverage of global disasters, it’s unimaginable that a company could be operating in a state of denial that at some point a disaster is going to affect it. Catherine Bolgar writes, “Disasters are an unavoidable risk in doing business. No place on earth is completely safe from some kind of natural disaster.” [“Disaster Relief,” Supply Chain Risk Insights, 11 June 2012] She continues:

“Disasters don’t even have to occur nearby to cause a major impact on your company—Northern Europe was 2,000 kilometers away from the 2010 volcanic eruption in Iceland, which halted air transportation and disrupted supply chains. Natural disasters are particularly challenging because many facets of recovery are out of your control. Getting roads, ports or power back to normal often is up to government authorities. Your supplier may have escaped harm but not be able to send out goods, or its employees might not be able to get to work. While you might know a supplier is in an area prone to earthquakes or hurricanes or floods, you don’t know exactly when such disasters might hit, nor how hard. It’s impractical — even impossible — to simply avoid doing business with suppliers in sensitive areas.”

So what can you do? Bolgar reports that smart companies employ a number of strategies to mitigate the effects of a disaster. First, they avoid single points of failure scenarios. Bolgar writes:

“A chain is only as strong as its weakest link. In a supply chain, however, links are not equally important nor equally strong. The key is to identify the places where a bottleneck exists or where a disruption could hurt — often by looking at the potential impact on revenues. While commodity parts can cut costs and are easily replaced, customized parts and intellectual property are what differentiate a company’s products from the competition. In an emergency, customized parts tend to be the most difficult to swap out, and will often require significant re-engineering and cost.”

Even if a single point of failure is not a problem, sourcing parts or materials from a region might be. For example, Karrenbaurer told Mattison, “Over 90% of a particular resin which appears in every circuit board out there comes from Japan. Japan sits on a fault!” Should that concern makers of circuit boards? Absolutely. Otto Kocsis, global head of business resilience at Zurich, told Bolgar, “Everybody is trying to maximize efficiency and capacity, yet they have not taken the time to map the interdependencies and bottlenecks that expose them to added risk.” Bolgar concludes, “It would make practical sense for companies to do more risk assessment work to ensure they understand their exposures better.” The next strategy that smart companies utilize, Bolgar reports, is hedging their risks. She explains:

“Most companies’ financial departments use hedging, for commodity contracts, currency swings and other risks. Though it trims some gains, it can protect investments during market drops. Companies have been less willing to employ similar methods on the operational side. While industry has been focused on getting lean and cutting costs, ‘it pushes the supply chain into farther and farther reaches, and companies are not necessarily pricing the risk associated with those choices,’ says Dr. [Willy Shih, professor of management practice at Harvard Business School]. ‘We teach everybody about just in time and getting rid of inventory,’ he says. ‘That’s contradictory. Where along that spectrum of tradeoffs do I want to be? Maybe we had the dial set too much toward lean, which makes you more susceptible to disruption.’ Smart companies hedge their supply-chain risks, using the strategy or portfolio of strategies adapted to their industry and to the goods being supplied.”

Because lengthy supply chains increase both the complexity and risk involved, Bolgar reports that more companies are beginning to nearshore manufacturing. She calls this “geographic hedging.” She says they are also diversifying their supplier base. She warns, however, that this strategy comes with price. “Bigger orders usually mean lower prices,” she writes. Spreading orders among a number of suppliers means that each of those orders is going to be smaller. Finally, Bolgar says that smart companies also maintain the best communication connections with stakeholders. She concludes:

“In disasters, accurate information might be difficult to get because it might be politically embarrassing for the affected country, or the extent of damage might cut off communication. ‘Companies should assume the worst in these situations,’ says Lyndon Bird, technical development director at the Business Continuity Institute in London. ‘It’s better to start to put in place strategies and capabilities you rehearsed.’ Social media can back up traditional communications lines, especially if you have established good contacts with your supplier, both in getting good information quickly from the site of the disaster as well as in executing a response plan, says [Bob] Ferrari.”

Baljko concludes that companies that do their homework are “less likely to invest in hazard-prone areas and more likely to invest in measures to reduce the vulnerability of their facilities and supply chains.” Just as importantly, companies that do their homework won’t overlook the smaller disasters that could affect their operations. Although they might not threaten complete devastation, they are more likely to occur and can still be costly.