Supply Chain Risk
By Lyndon Bird
The exact nature of Organizational Resilience and how it differs from traditional Business Continuity has generated much heated debate and very few definite conclusions over the past five years. One concept most agree on is that resilience is more than responding to disruptive incidents. It is about being agile and having the embedded capability to adapt to changing circumstances. Whilst it is clearly not possible to be resilient without continuity, a resilient organization achieves that continuity mainly through pro-active cultural change rather than through fixed response plans.
This becomes a very important distinction when looking at Supply Chain risk. While a company may have many vendors, for most companies there are a few very critical ones and probably a significant number of important ones. Beyond that there may be thousands of providers of minor services and routine goods. From a resilience perspective, we need to understand which supply chain interruptions can harm us and which can be handled routinely as part of normal daily operations. A good BCM program will tell us which vendors, bought-in services, raw materials and logistics are critical. We will also know how long we can operate without such services and what we will do to prevent that time period from being exceeded. I would argue that a totally resilient organization would handle all of its supply chain disruptions as “business as usual” without invoking any formal Crisis Management or BC Plan. Few companies could claim to be at this level today and it will probably remain an aspiration rather than a reasonable target for most.
However, the importance of manging Supply Chain risk effectively has wider implications than the success or failure of an individual enterprise. The UK Government publishes a National Security Strategy Report every five years in which it articulates the biggest risks facing the country. In the 2015 version, it identified what it called the four “Tier 1 Threats” to the UK as a whole. These were physical terrorism, cyber (crime, espionage, terrorism), state-based hostile actions and the erosion of rules-based international order. It takes little imagination to realise that the current global supply chain model is massively at risk from all of these threats. This is implicitly recognized in the report with supply chain weaknesses identified as the major vulnerability that could be targeted by any or all of those Tier 1 threats.
Although the UK is particularly open in publishing this type of assessment, it is certain that these views will not be significantly disputed by other governments, given that supply chain risk is a totally interconnected and genuinely global issue. The problem that democratic governments face, however, is that although they have the power to make policy in this field, the actual resources (food, fuel, power, medicine, accommodation, cash) that are needed to implement that policy are mainly in private hands. In any situation short of war or a declared national emergency, elected governments cannot direct the private sector to do anything except that required by law or regulation. There are many examples of private firms delivering impressive levels of support, on a voluntary basis, to the population following major disasters - with Walmart’s work after Katrina often being quoted as one of the most inspiring. Realistically, it is perhaps unsurprising to see businesses responding well in such circumstances - but disasters of that scale are fortunately still relatively rare. The level of partnership needed between government and business to tackle global supply chain risk and make an entire country, its citizens and its wider economy more resilient is, unfortunately, greater than most countries are willing to support. The investment required is much less compelling than the response triggered by a high profile incident. Hence it is much harder to maintain the necessary focus and support required from private industry to achieve any significant cultural change at the Board level.
The argument that governments usually make is that supply chain interruption puts the country at serious risk of critical national infrastructure failure, exposes weaknesses in security and emergency services, causes unemployment and social unrest if leading industrial companies fail (not to mention the shortfalls in tax collected) and damages the nation’s overall reputation if it is unable to function orderly and effectively.
So why are we in this state? Techniques such as Just-In-Time, Lean Manufacturing and Offshoring have boomed over the past two decades, resulting in cost benefits that are easy to calculate because they are almost entirely quantitative. Generally, the risks of longer and more complex chains are also well recognized. However, since no one can really prove if and when those risks will materialize, the arguments in favour of mitigation strategies that cost money tend to be subjective and easier to ignore. So we need to be clear in our arguments to senior executives; complex chains are difficult to monitor or manage in any meaningful sense, with full transparency across the entire chain impossible to achieve. Cost saving has resulted in more risk acceptance, with service and quality inherently compromised. Globalization is inevitable, but needs to be managed more proactively and with more strategic oversight.
It is becoming fashionable to see globalization as the root cause of the problem and “jobs for our people” is being advocated by some leading politicians in both the US and Europe. However, it is difficult to see that enough political pressure could be exerted on massive global corporations to reverse this trend. Shorter supply chains and localization works well in some niche markets, but it is not the fundamental direction of travel for the world economy.
What cannot be really disputed is that all organizations (commercial, public or charities) have vendors on whom they rely. Even those who are not in the business of moving physical assets around have key vendors like utility suppliers or outsourced operational activities. A number of international surveys have been undertaken over the past few years, all of which show similar results. Typically, the three most important reasons for supply chain disruption are unplanned IT/telecoms outages, cyber-attacks/data breaches and adverse weather or “natural” disasters such as earthquakes. Interestingly, of course, this is pretty much the same list that similar organizations quote when asked about risks to their own operational continuity. However, when you look beyond the headline threats, there are often many risks which are particularly driven by the complexity of supply chains. Among these are arbitrary boundary closures due to migration pressure, transportation disruption, outsourcer commercial failure, labor disputes, differing laws and regulations, quality faults causing product recall, business ethics violations and failure to protect intellectual property rights. All of these risks grow rapidly as suppliers become more geographically diverse and less directly controlled by the parent or sponsoring organization. While such risks can be relatively easily managed in a domestic market, globalization provides almost unlimited potential for accidental failures or complex, deliberate criminal activity. Additionally, the scrutiny placed upon all firms today by the ever-present social media creates an ever increasing need to understand what is happening in the wider supply chain. Now a single incident in a tier 4 supplier in the developing world can almost overnight destroy reputations for social responsibility that a firm may have taken many generations to build.
What can we do about it? As individual managers in companies of all sizes and types we are not able to solve this problem alone. Nevertheless, the techniques that we have developed over many years in our business continuity programs act as our best starting point. The five-point plan below might help organizations get a grip on this key issue.
1. Build on your Business Impact Analysis (BIA). Use the same definitions and thresholds to categorise vendors (or specific purchased items) as you use to identify processes or activities in a regular BIA.
2. Classify your vendors on potential operational impact. Measure that impact exactly the way you would for loss of an internal system. Talk to your procurement people about your findings but do not use their vendor classification which will be usually based on spend or some subjective risk assessment.
3. Develop individual collaborative strategies for “show-stoppers”. There are probably a very small number of “stop-stoppers”. These are most likely to be strategic outsourced operations or a unique component/feedstock needed by manufacturing or process plants. There is no simple way around this; you cannot just rely on contracts or SLA’s and you must work individually with such vendors to find joint working methods that guarantee product or service availability. You must genuinely see your supplier as an equal partner – and treat them accordingly at all times. Some partnerships fail, of course, but even then you need to know how you would manage the “divorce”.
4. Agree on measurable resilience criteria for important vendors and monitor them. It is not feasible to give this group the same individual attention as above, although you must agree in contracts your expectation from them in all circumstances including disasters to you (additional support perhaps needed) and disasters to them (your importance in their recovery plan). You should look for proof of their reliability and capability to deliver in exceptional circumstances and agree on a monitoring schedule to ensure they continue to meet your expectations on an ongoing basis. Certification against an appropriate standard might help but is not sufficient proof in its own right that they will be able to supply you in all situations. Generally, single source suppliers should be discouraged and if possible a geographically better spread of strategic inventories introduced.
5. Work with procurement to define potential operational impact for new vendors. New vendors need to be assessed against resilience criteria as well as financial criteria. Co-operation between procurement and resilience professionals is essential in setting such criteria. This might prove challenging, as resilience often adds some degree of cost.
The final sentence in point 5 (above) is perhaps the true measure of how resilient an organization really wishes to be and how mature it is in understanding the global problems it faces and the ultimate consequences of not investing in resilience.
About the Author
Lyndon Bird, (Hon) FBCI, has worked exclusively in Business Continuity since 1986. He chairs the Future Vision Committee for New York-based DRI International and edits the quarterly “Journal of Business Continuity and Emergency Planning”. He is also well known internationally for his former role as Technical Director of The Business Continuity Institute from 2006 to 2014. He can be reached at firstname.lastname@example.org.