In most of life’s endeavors, having a proven example (i.e., a benchmark, best of class, or award winning specimen) generally helps organizations achieve desired ends without having to reinvent the wheel as they go. The area of supply chain risk management (SCRM) is no different. If you are looking to improve your SCRM, you might look to Cisco Systems. Recently, Cisco’s “end-to-end supply chain resiliency initiative won the Institute for Supply Management™ — Michigan State University Awards for Excellence in Supply Management award in the Process category.” [“Building a Resilient Supply Chain,” by Mary Siegfried, Inside Supply Management, April 2012] Siegfried notes that Cisco’s global footprint makes it vulnerable to most of the risks that have caused disruptions over the past few years and that “the company understands the variety of risks such a worldwide operation faces.” She continues:

“That’s why the San Jose, California-based company, with more than 700 direct suppliers and five manufacturing partners in more than 30 locations, created a centralized risk management team to ensure business continuity for its global supply chain. When a 9.0 earthquake struck northeastern Japan on March 11, 2011, the team, along with professionals throughout the organization, was able to guide the company through the most significant global supply chain disruption in modern history.”

According to Siegfried, Cisco maintains “a centralized [SCRM] team in Cisco’s Supply Chain Operations organization that partners with stakeholders across the organization and other functions, such as engineering and customer operations, to ensure supply chain business continuity and to build a resilient supply chain.” The team must obviously partner with stakeholders outside the organization as well in order to achieve the kind of end-to-end supply chain resiliency that wins awards. James B. Steele, Cisco’s program director for SCRM, told Siegfried that “Cisco has always been committed to risk management,” but that the company “began to focus more on ‘proactive resiliency’ in the supply chain between 2008 and 2009.” He explained, “We look at risk management as having two key focus areas — preparedness and resiliency.” Siegfried reports that Cisco embeds “end-to-end resiliency in the supply chain” through the implementation of “four key processes.” The first process involves product resiliency.

“Product resiliency. Working with engineering and product operations during new product introduction, risk trade-offs are identified early in the development and sourcing phases.”

Although Siegfried doesn’t indicate how deep into the sourcing phase Cisco’s program looks, most analysts believe that, at a minimum, companies should know what’s happening with their supplier’s supplier. The next process is supply chain resiliency.

“Supply chain resiliency. Working with Supply Chain Operation’s Global Supplier Management and Global Manufacturing Operations function, SCRM helps to identify and mitigate circumstances that could limit certain products recovering from a major disruption within a specified time frame.”

The implication here is that Cisco actively engages in “what if” exercises to identify circumstances that could cause disruptions as well as the consequences of such disruptions. As I’ve noted in previous posts on this subject, even though every potential risk can’t be identified, by regularly planning for and exercising on how to recover from any potential disaster makes a team much better equipped to respond when something does happen — regardless of what the triggering event might be. The next process involves having a business continuity plan.

“Business continuity planning (BCP). The BCP process uses a unique web-based tool to compile more than 30 resiliency data points for all critical supply chain partners, refreshed regularly. The information — including emergency contacts, alternate power providers and estimated time to recover — provides the data backbone for the company’s supply chain incident management process.”

This sounds like the heart and soul of Cisco’s SCRM process and I’m impressed. Organizations can’t simply develop a business continuity plan and then place it on the shelf believing that they have “checked the box” and are now good to go. Cisco obviously understands that BCPs are only as good as the latest information integrated into them. As the business landscape changes, plans need to change as well. Cisco’s efforts to keep its BCP constantly updated provides a great example for other organizations to follow. The final process is supply chain incident management.

“Supply chain incident management. This process uses an alert service to help monitor worldwide events on a 24/7 basis ‘for any potential disruption that could impact worldwide suppliers, transportation lanes or contract manufacturers,’ Steele says. His team developed a crisis management dashboard, which provides visibility into what incidents are being managed as well as a robust set of crisis playbooks that detail processes for reacting to and mitigating various types of incidents.”

Based on that brief description of Cisco’s SCRM process, you can understand why it was singled out for recognition. The company isn’t passively sitting back waiting for something bad to happen. It is proactively monitoring events that could trigger a disruption so that decision makers can act to mitigate consequences as quickly as possible in order to stay ahead of events as they unfold. Siegfried reports that “these processes were instrumental in helping Cisco Systems weather the devastating Japan earthquake.” She explains:

“‘Before it was even announced on the news, our crisis manager received a notice from the alert service about the earthquake,’ Steele recalls. ‘Given the size and location, and our knowledge of the supply base, we knew it would be an impactful event,’ he says. The SCRM team immediately went into crisis management mode. It notified senior leadership, called in key supply management personnel and used the BCP tool to both identify suppliers and manufacturers in the area of the earthquake and to gain visibility into the components and commodities that could be affected. ‘We were able to get a picture very quickly — in about five hours — about the potential impact,’ Steele notes. ‘By the next morning, we escalated the incident to the highest level because of its potential to cause billions of dollars in lost revenue.’ Within two days, a war room was set up as a central management point and decision-making forum.”

In the past, many companies have waited until a disaster has occurred, then set up a war room, then gathered facts for an ad hoc team to analyze. Cisco has turned that process on its head — it has all the facts and begins taking mitigation actions even before setting up a war room. From what I can tell, establishing a war room is only necessary for the most catastrophic events. Siegfried describes how the process worked:

“More than 1,100 unique components were impacted across 65 suppliers in Japan, requiring more than 900 new qualified sources that were executed three times faster than the average time. Cisco was able to manage through the crisis, ensuring minimal customer order fulfillment disruption and resulting in virtually no impact to revenue.”

As the old adage goes, “actions speak louder than words.” Cisco’s results say volumes about it processes. Although I’m sure Cisco executives were pleased with the results, they hardly had time to pat themselves on the back when they were confronted with another disaster — severe flooding in Thailand. Siegfried describes how Cisco responded:

“Similar to Japan, the Thailand flood had broad impact throughout the electronics industry. As part of its 24/7 monitoring of worldwide events, Steele’s team was tracking the weather patterns in the region a month before the flooding became national news. ‘When it escalated into a major disaster, we were ready,’ he says. He emphasizes that the risk team shares its successes with the broader supply chain organization, senior leadership, and its supplier and manufacturing partners. ‘We bring together and facilitate an incident mitigation team based on our process that is comprised of representatives from across the organization. Success is dependent upon their input, expertise and dedication in getting the job done.’ Cisco’s resiliency processes were also invaluable during the 2008 financial crisis to identify critical suppliers under financial stress and during other high-profile events such as the 2010 Iceland volcano eruption.”

If you want know why I stress the fact that supply chain risk management requires constant attention, Steele told Siegfried, “At any given time, my team is aware of and actively tracking five to 10 different incidents or potential risks. Many of these never hit management’s radar screen as they fortunately do not have material impact on our operations. However, the mandate of our team is to be simultaneously paranoid and prepared.” I believe that organizations that can make good decisions faster than their competitors are going to be the winners in the decades ahead. You cannot get inside your industries decision cycle if you don’t have good information. As with any business activity, SCRM requires companies to think about people, process, and technology.

In addition to natural disasters that can cause supply chain disruptions, SCRM teams need to look at other risks as well. One such risk is volatility. The editorial staff at SupplyChainBrain writes, “Volatility is one of the most significant supply chain challenges, and one that most companies can identify with because it affects how much of anything they need to buy or make.” [“Strategies for Responding to Supply Chain Challenges,” 1 May 2012] The article continues:

“Globalization is clearly related to that as the supply chain disruptions of the past year – the earthquake, tsunami and Southeast Asian flooding – have shown. Higher customer expectations and new-product introductions are also related somewhat. Customers are ever more demanding for any number of things, not least of which are additional products. Companies have to cater to those tastes as surely their competitors will if they don’t. The implications of these factors? ‘We’re finding more and more companies struggling to adjust their inventory levels,’ [Puneet Saxena, vice president of industry strategies at JDA Software], says. ‘We find more and more cases of inventory being at the wrong place, leading to obsolescence, higher write-offs, sales being impacted – and higher expenses incurred because of expediting. The standard problems you see in the supply chain are being exacerbated by the current challenges.'”

Steele noted that companies look at supply chain risks because they represent threats that could significantly reduce revenue and profits. In addition to natural disasters, Saxena highlighted other risks that could also reduce revenue and profits. Although some of the factors she mentions might be looked at by an SCRM team, many of them probably fall outside of the team’s scope. What the risks share in common, however, is that organizations need good and current information in order to meet the challenges they create. Armed with actionable, real-time information, Saxena asserts that organizations can pursue strategies that will mitigate some of the consequences of the risks she discussed. The first strategy she recommends is segmenting supply chains.

“A segmented supply chain is one way to address these issues. Saxena says many companies realize now that under their ‘umbrella’ are several supply chains that need to be tended to individually. He cites Dell, which has a direct model and products available on store shelves. Each has to be configured differently.”

Like many other supply chain analysts, Saxena recommends developing a demand-driven supply chain as another strategy that can be pursued.

“Another response strategy means being demand-driven, relying more on point-of-sale information. Even companies way upstream in the supply chain can use POS data to understand what’s really happening with their products. Fairchild Semiconductor is able to make market predictions based on what it monitors in its distribution channels, Saxena says.”

Another strategy that Saxena recommends is implementing a world-class sales and operations planning process. He told the staff at SCB, “Sales and operations planning enables a synchronization across different functions, … but S&OP often is talked about more than actually implemented.” Saxena’s final recommendation involves supply chain management.

“Supply chain management is the final response strategy. Variability is the enemy, he says, and inventory and capacity – both expensive to use – can be effective ‘shock absorbers.’ Leading supply chain companies figure out how to position inventory appropriately, utilizing postponement and segmentation techniques. At the same time, they understand well the risks associated with those decisions.”

The point of this discussion is that supply chain risk management, when it is done well, involves a lot of moving parts that must be aligned and coordinated. Such alignment can only be achieved when a company uses integrated data that can be analyzed and disseminated to the right people at the right time in the right format. That’s how you make a company both prepared and resilient.