Category Archives: Risk Management

When (Out)Sourcing Goes Wrong

Today’s post is from Dick Locke, Sourcing Innovation’s resident expert on International Sourcing and Procurement.

Three hundred Pakistani garment workers die in a factory fire. (Source: New York Times) Doors were locked, windows were barred. And the factory had just been inspected by a subcontractor to a certification agency. Lesson here: If you can’t afford to visit the factory you are sourcing from, then no cost savings is sufficient. Do not let other companies do the research for you.


Thanks, Dick, for the valuable lesson here. (Global Supply Training)

Will Resilinc Resonate With Your Supply Chain?

On Monday, we introduced you to Resilinc, a new player in Supply Management that provides a Decision Support System (DSS) for identifying and evaluating risks in your supply chain if you are in the high-tech, medical device, and automotive space and have vast multi-tier supply chains.

We noted that Resilinc is unique in that it is able to provide an overall risk score, delivered in terms of the relative revenue impact of a disruption, for each location and each product; give you the ability to determine the impact of an external event in a given location with respect to specific supplier locations and sourced products; and identify with locations and products are likely to be impacted by a significant event anywhere in the world as soon as it happens. But we didn’t address another aspect of why Resilinc is unique and why they might shake up the risk management space.

Resilinc was founded, and the technnology was designed, and built, by risk management practitioners in the high-tech / device supply chains, and they have added experts in the medical device and automotive supply chains. One of the difficult, and unique, aspects about risk management is the differences in impact and effect of a supply disruption across industries. In some industries, like automotive, bringing a production line back up is not as simple as getting the missing parts or raw materials; in others, like electronic manufacturing, it’s not as simple as substituting one microchip for another if they have different input/output and voltage specs; and in others still, like medical device, it’s not as simple as switching suppliers when one runs out of production capacity as the industry is heavily regulated and it is often the case that all suppliers must carry certain certifications and insurance policies. Without practitioners who understand the specific requirements, and the differing severities associated with each type of disruption, you never get the right models. And if you don’t have the right models, you have zero chance of producing the right metrics and measurements.

For example, the founder, Bindiya Vakil, has served as the Program Manager for Supply Chain Risk Management at Cisco and the Supply Chain Manager at Solectron. Summit Vakil has worked in product management and leadership roles in Brocade, Cisco, and 3Com.

In addition, they recognize the criticality of solid Supplier Information Management as a foundation, and brought in Jon Bovit, with a long history in SIM at Ariba, Aravo, and CVM, to insure they got their unique functionality-focussed SIM model right for the problem they are tackling, which is different from the problems the standard SIM players are focussed on. (For example, in risk management, it really doesn’t matter where the headquarters are and whether you spend 100K or 100M with the supplier. A hurricane could shut down the headquarters and have no effect on your supply chain but if a supplier is sole source, even if you only buy one part, and only spend 100K, if the absence of that part could shut down the production line, that supplier is still a huge risk if they are located in a high risk zone.)

And their CEO is formally trained in Supply Management. She has a Master of Engineering in Logistics from MIT with a thesis on Design Outsourcing in the High-Tech Industry and its Impact on Supply Chain Strategies. Not many companies these days have a CEO who is technically competent in what the company actually does. It is my belief that having a CEO who knows what the product has to do, and how it should do it, greatly increases the chances that the company will develop the right products. (Because when you don’t, you get devices that light-up when they’re off and drain the battery until they die, and million-dollar toilet paper dispensers that limit you to 5 squares. Don’t laugh. Both have happened.)

So while Resilinc, like all new technology platforms, may carry a technology risk, for those of you in the high-tech, medical device, and automotive industries, I believe that it is more likely that it will resonate with your supply chain.

Do You Know What’s At Risk? Resilinc Does!

Resilinc, a new player in Supply Management, has a unique approach to identifying and evaluating risk in your supply chain. Eschewing the transaction-and-finance focussed approach of other players in the risk management space, and building on the lessons learned from SIM (Supplier Information Management) vendors, Resilinc has built a unique approach to identifying and quantifying the relative risks in your supply chain.

Started by a Risk Management practitioner in the high-tech and electronics supply chain, who has a Masters in Engineering in Logistics (from the Massachusetts Institute of Technology), Resilinc not only builds on the lessons learned from SIM, but on the lessons learned from real risk management practitioners and specifically focusses on the electronics and high-tech, medical device, and automotive supply chain – realizing that, when it comes to risk, not all supply chains are created equal.

So what is Resilinc? It’s an affordable DSS (Decision Support System) for larger mid-size and large multi-nationals that need to

  1. identify the most significant risks in their supply chain,
  2. keep tabs on what facilities may be impacted by a significant external event, and
  3. be immediately informed when an event could cause a disruption that requires immediate action.

The solution, delivered using the SaaS (Software-as-a-Service) model, does this by tracking all of the relevant information on each supplier and facility in your organization’s multi-tier supply chain. Whereas a typical SIM solution (that powers a typical financial risk analysis product) will track each supplier, their official information, their insurance certifications, their corporate addresses, etc., Resilinc’s solution tracks each individual manufacturing facility, the products produced at those facilities, the inputs required, the lead times required, and the time taken to get the plant up and running again as a result of a serious disruption (such as a natural disaster, border blockade, strike, etc.). Based on this information, integrated financial and location risk metrics imported from other systems (for which you have a license for), and the relative revenue impact of each product on your total organization revenue, Resilinc is then able to

  1. provide an overall risk score, delivered in terms of the revenue impact of a disruption, for each location and product,
  2. give you the ability to determine the impact of an external event in a given location with respect to supplier locations and sourced products, and
  3. determine which locations and products are likely to be impacted by a significant event anywhere in the world, as soon as it happens (and e-mail you a notice that the event — which may be an earthquake, war, or labour strike — is potentially impacting one or more locations in your supply chain).

Risk Managers can use this to determine which locations and products have the biggest risks, which facilities will be impacted the most as a result of a supply disruption in an area, and which product (line)s are at risk as the result of an event that just happened. And then they can take action.

Resilinc is a powerful tool for the high-tech, medical device, and automotive supply chain, which, until now, were probably too reliant on financial metrics, which are not the only risks one needs to be concerned about in a multi-tier supply chain.

While We’re All Remembering September 11

Let’s not forget September 16. While the scope of the tragedy was much less severe, the Wall Street Bombing of 1920, which took place 82 years ago today, is an indication of what can happen at home if social unrest gets too high. It was the deadliest act of terrorism on U.S. soil up until the day it occurred.

Given the anti Wall-Street resentment, the state of unemployment, and the dire straits America could find itself in if the Federal Reserve does not keep it on track, this, unfortunately, is an event that could conceivably reoccur. In our haste to not forget, let us not forget.

Understanding & Completing the C-TPAT 5-Step Risk Assessment Process

Today’s guest post is from Karen Lobdell, Director of Global Solutions at Integration Point.

The US C-TPAT program continues to evolve since its inception in late 2001. As a requirement of the program, members must complete an international supply chain security risk assessment and are expected to have a documented process for determining and addressing security risks throughout their international supply chain to meet minimum criteria.

This risk assessment is not only required as part of the application process, but it should also be incorporated into the member’s Annual Security Profile Review. To assist program members with this process, CBP developed the “5-Step Risk Assessment Process”. Is your company wondering how best to implement this process? Are you concerned that implementing the process will be administratively burdensome?

The 5-Step Risk Assessment Process is comprised of the following steps:

  • Mapping Cargo and Business Partners
  • Conducting a Threat Assessment
  • Conducting a Security Vulnerability Assessment
  • Preparing an Action Plan to Address Vulnerabilities
  • Documenting How the Security Risk Assessment is Conducted

While this exact format is not mandatory, a risk assessment process must be in place and incorporate these components, but how you do this is flexible. Let’s break this down into a more manageable process.

Mapping cargo and business partners can seem like an impossible task for companies that have a vast number of suppliers. So before mapping hundreds of trade lanes, take a look at those areas of highest threat and map those to drill down deeper within the supply chain and identify further areas of risk.

When conducting a risk assessment, values used for scoring are up to the individual company. The point is to go through the exercise and identify where the threats are and how severe the risk is. After this is done, you can move to the next step of conducting a security vulnerability assessment.

This step was designed to assist in identifying gaps or weaknesses in the supply chain that deviate from the standards. Vulnerability assessments should be done on business partners as well as internal departments, and are typically conducted via a questionnaire or survey. Although the minimum standards will be based on the C-TPAT criteria for this particular example, assessment could go above and beyond the program criteria and the standards would vary if conducting a risk assessment on an area other than C-TPAT/security. Many companies still perform this step manually with the use of Excel spreadsheets and email. This can be very administratively burdensome –especially for large corporations that may be working with thousands of suppliers/partners. This is one area where automation can be a huge time-saver, as well as improve accuracy.

A solid vulnerability assessment will identify those gaps/weaknesses that need to be addressed — but that is only one step. A successful risk management program includes implementation of an action plan to close those gaps, or at a minimum, mitigate the exposure that exists. Combining this information with threat scores and potential consequences can help prioritize actions that need to be taken.

The final step is documenting how you are conducting risk assessments. CBP’s mantra has always been — show us, don’t tell us.

CBP has stated that the focus will continue to be on segmenting high risk vs. low risk. This is more effective than the prospect of 100% scanning. Not only does CBP prefer to deal with safety and security from a risk standpoint, they expect the trade to do so as well. In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss (or impact) and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order.

For more on the 5-step risk assessment process, best practices and how it can be used for other trusted trader programs, check out the on-demand webcast presented by Integration Point.

Thanks, Karen!