Supply Chain Risk Management: Prevention is Better than Cure

Stephen DeAngelis

November 20, 2012

Some adages contain only situational verity. There are times, for example, that it makes sense that “if at first you don’t succeed, you should try, try again,” while at other times “there’s no point in beating a dead horse.” One adage that seems to have eternal verity is: “Prevention is better than cure.” We know that holds true for our health, but it also holds true for supply chain risks. Unfortunately, adages are often easier to repeat than implement.

 

Jonathan Webb, a research manager at the Procurement Intelligence Unit, told Dustin Mattison that too often supply chain risk management is conducted haphazardly or even worse is determined by stories in the news. To make his point, Webb noted, “Last year … we found that risks relating to corruption and bribery were one of the leading risks [mentioned by Chief Procurement Officers]. However, not a single participant to our current research mentioned this as an issue.” Why the sudden turnaround? Webb explained that in 2011 the United Kingdom passed the “UK Bribery Act,” which “applied to any instances of malfeasance throughout the world [for] any company with any sort of presence within the UK (including a single office).” [“Forecasting and Preventing Supply Chain Risk,” Dustin Mattison’s Blog, 24 October 2012] Webb told Mattison, “The response by the business press wasn’t far from hysterical -– whipping many businessmen into a state of panic over their exposure to risk.” Once the news story died down, so did interest in corruption and bribery as a major business risk. Webb concludes that this shows “that CPOs are not risk-focused, but take their agenda [from] the press.” The humanitarian assistance sector calls this the “CNN Effect”: The story that makes the news gets all of the attention. Important, but less covered issues, suffer from living in the shadows.

 

Webb’s point is that determining which supply chain risks to concentrate on by seeing what makes the news is not a good idea. After all, by the time a risk makes the news it is generally too late to respond appropriately. Mattison then asked Webb about the value of predicting future supply chain disruptions. Webb responded:

“Intelligence about your suppliers and the general risk environment is vital to protecting us from risk. There have been many developments in risk mapping and prediction software launched in recent years. New products on the market claim the ability of ‘predicting’ such events and mapping the consequences for particular supply chains. Only recently, the PIU spoke to a third-party risk provider which offered software that compares various scenarios from earthquakes to hurricanes in a range of different geographies. This is possibly useful, but it is perhaps not the best approach, given that all the potential events in all possible locations are practically infinite. All such scenarios yield the same output: bad.”

Webb’s last point is the most profound. Potential disruptive events are so numerous that actually predicting them is a fool’s errand. Does that mean that analysis and technology has no role to play. Absolutely not. Ignoring data and analytic tools would be equally unwise. Trends and interrelationships are important even if prophetic insight remains elusive. Webb provides one example of how new technologies can provide insight. He told Mattison:

“New products make heavy use of the immediacy and specificity of micro-blogging sites such as Twitter, which may reveal crucial insights from a casual blogger. For instance, the PIU spoke to a company which was able to forecast a supplier entering bankruptcy, based on the tweets of a worker from a neighboring firm, who simply observed how empty the company car park was looking. This intelligence anticipated by months changes in credit rating scores.”

Nevertheless, Webb warns, “The novelty of the newly found ‘scientific’ packages, plus the urgency of senior management to prevent the impact of another earthquake, may force buyers into a naïve purchase.” So what does Webb recommend? He told Mattison:

“It is better to rely on more practical measures of risk mitigation, which aim to build resilience in the supply chain. We cannot predict natural disasters in the future, but we can possibly contain their impact. Knowing our own supply chain is key in this process. We must appreciate our own exposure to generalized risk and implement continuity arrangements accordingly.”

Webb might have added that “knowing your own supply chain” relies on having access to the right data and the right technology. When it comes to supply chain risk management, ignorance is not bliss. This is a point he makes later in his interview. Mattison then asked Webb, “So, how can we prevent risk affecting our supply chains?” Webb replied:

“Perversely, in many cases, procurement must build-in ‘inefficiency’ into the system in order to shield the supply chain from future shocks. This redundancy of capacity allows companies to switch sourcing away from a stricken supplier. The quickest way to ensure this is through geographical spread. … By spreading risk by multi-sourcing, organizations do not prepare for specific events, but build in resilience to multiple threats within their supply chain, be that flood, earthquakes or man-made disasters. Another, perhaps ‘inefficient’ aspect to include in supply chains is supply velocity. By reducing the end-to-end time of delivery, procurement can ensure it has steady access to alternative sources, should it require it. For items requiring a longer lead-time, the only possible means of protecting the organization may simply lie in stock-piling of excess products or sourcing from multiple vendors. Arguably, this does not sit well with modern ideas of ‘just-in time’ manufacturing. However, engaging in these debates within the company helps establish its priorities and qualifies its own attitude to risk.”

Webb goes on to note that manufacturers must collaborate more closely with suppliers, even engaging in what he calls “supplier development.” He states:

“Within this process of supplier development, procurement may consider aligning the two organizations’ own continuity planning arrangements. This may involve contributing to the suppliers’ own business continuity plans, or including the supplier in the category management continuity arrangements. The objective in this regard, however, is to ensure strong over-sight.”

Webb eventually agrees that companies must have “the most accurate and relevant information” so that they can analyze the risks and implement “control measures that mitigate against these risks” in order to ensure “greater resilience.” He concludes:

“Arguably, this is the fundamental feature of all resilient supply chains. The lesson for all those in the supply chain is that you cannot anticipate risk, but you can build a resilient supply chain that can cope with a variety of different event types. However, the cost of this is redundancy.”

Webb is not alone in the belief that companies have to question themselves about how much risk they are willing to assume. “The topic of supply-chain risk management is fraught with agonizing questions,” writes Robert J. Bowman, managing editor of SupplyChainBrain. “Should global businesses emphasize risk prevention, or steel themselves to respond to whatever disaster might occur? Should they seek to transfer risk, or concentrate on achieving better risk-management up front? Should they attempt to do all of the above? The wrong answer can mean the death of an organization.” [“Risk Management: Making the Right Choices,” 29 October 2012] Although that warning may sound a bit hyperbolic, Bowman backs it up. He writes:

“Thirty percent of all companies that experience a catastrophic loss fail within the first two years, and another 29 percent go down after that, according to John J. Brown, director of risk management, supply chain and technical development with The Coca-Cola Company. And with supply lines getting longer due to off-shoring and the multiplication of partners, the chances of something going seriously wrong are greater than ever.”

Bowman then asks the big question, “So where should the emphasis be – on responsiveness or risk prevention?” Brown’s answer is that prevention is better than cure. Bowman continues:

“The problem is that most companies don’t do a very good job in this difficult area. ‘We’re wired as humans to react and respond, not prevent something from happening,’ he said on a panel at the annual conference of the Council of Supply Chain Management Professionals in Atlanta. ‘And company reward structures are the same way.’ The question is, reward for what? How does a company quantify the value of something that didn’t happen? When all goes well, no one spends a lot of time dwelling on ‘what-ifs.’ A good risk manager tends to be a quiet – and unappreciated – hero.”

Bowman is a realist and writes, “Of course, it’s ludicrous to believe that one can stave off all disasters.” He agrees with Webb that “no one knows when and where the next earthquake or flood will strike. A good risk-management strategy might assign probabilities to various scenarios, but it can’t focus too much on any one of them.” He reports that “at CSCMP, Brown laid out the essentials of an effective program.”

“From the start, he said, it needs to be multifaceted. Must-have elements include the capacity for emergency planning and response, incident management and crisis resolution, business-continuity planning and execution, and disaster recovery (especially with regard to IT systems). Coca-Cola has defined a number of discrete steps in its risk-management effort. First is basic deployment of the process. The company identifies significant risks, analyzes them, devises procedures for mitigating them, and creates a local ‘risk register.’ This document, which it maintains for every business unit, group, bottler and corporate entity, tracks the status of risk and corresponding treatment plans at ground level. Brown described it as ‘your living playbook.’ A valuable framework for setting up a workable program is the International Organization for Standardization’s 31000:2009 set of guidelines and standards.”

Bowman notes that setting up a risk management program is only beneficial if it can be sustained. He continues:

“Coca-Cola employs a three-pronged approach, said Brown. It reviews the risks that are currently being managed, preferably on a monthly basis, and no less frequently than once a quarter. It also identifies new and emerging risks, adding them to the risk register as necessary. Finally, it factors those key risks into the planning process, covering both strategic and annual business plans. Brown also described Coca-Cola’s ‘bow-tie’ process, so-called because of its two-sided nature. On one side are the factors that could cause a risk event to occur. On the other are its consequences. Then the company delves into what must be done to prevent a particular crisis from happening, or at least to mitigate its effects.”

Bowman also points out emphatically that “every organization needs to appoint a skilled risk manager.” Bowman goes on to discuss the risk management process implemented by Cisco. To learn more about what Cisco is doing, read my post entitled SCRM: Preparedness and Resiliency. Bowman concludes, “Unexpected consequences should be, well, expected. … It behooves companies to do a better job of preparing themselves for disasters and disruptions. Quick-response strategies, regardless of the nature of the event, are especially vital to have in place. Regardless of your size, if you’re not actively engaged in a program similar to that of Coca-Cola and Cisco, you need to wake up.”