Category Archives: Risk Management

Real Risk (in the Supply Chain)

As evidenced by the considerable number of posts in my Risk Management category, including my posts on Managing Business Risk and Disaster Recovery Planning, Risk is one of my favorite topics since I believe that with innovative thinking, much can be done to reduce risk and prevent significant disruptions regardless of what form they arise in or how unexpected they are.

I’m not alone in this non-revolutionary form of thinking and it was nice to see the onslaught of risk-related articles in the supply chain media in recent months. Three articles in particular that stood out to me were Line 56’s “Managing Global Supply Risk”, ISM’s “Mitigate Risk, Sustain Supply”, and Knowledge @ Wharton’s “Flexibility in the Face of Disaster: Managing the Risk of Supply Chain Disruption”.

The Line 56 article points out that global sourcing needs a different set of management guidelines, metrics, and skill sets that focus on addressing the five key sources for supply risks, which it defines as:

  • longer lead times
  • quality control is different in each country, if there is control at all
  • financial data on global suppliers can be inaccurate or unavailable
  • cultural differences prevail overseas
  • laws and regulations differ significantly from those in the U.S.

The article offers three sound suggestions for managing global supply risk:

Executive-Level visibility into exposure and dependency
If they see the risk, they’re more likely to provide support and budget for the development and implementation of risk mitigation plans.
Continuous Monitoring of all Suppliers
You want to catch wind of a potential disruption BEFORE it occurs, not after!
Complete, Accurate, Forward-Looking Supplier Information
It’s not just the business you plan on doing with your supplier tomorrow that is important, but the business you plan on doing with them next year. Make sure that they have the capability and sustainability to deliver before signing the contract.

The ISM article notes that remaining competitive requires mitigating potential risks by understanding supply chain interdependencies and discovering alternative solutions for areas with high exposure. After all, for the past five years a potentially catastrophic event to an organization’s supply chain has occurred and natural disasters, terrorism, and political unrest is not going away.

The ISM article also points out that the key barrier to addressing risks is the lack of a clear return on investment – executives are not receiving credit for preventing problems, only for leading their organizations to achieve superior financial performance. Senior management needs to understand that superior performance requires plans for sustained financial success, and those plans require both innovation and risk mitigation components. Maybe “amortized expected loss” needs to become part of the annual budget where the loss is the average financial loss experienced by an organization of equivalent size and geographical diversity over the last five years to unforeseen supply chain disruptions and disasters. Then, any plan that can be used to reduce that number could be hailed as a success and managers would be hailed for the risk prevention efforts instead of chastised for not spending more time on sales and marketing or beating up their suppliers for cost concessions (which we all know is a losing strategy in the long term).

The ISM article also has some good advice on how to identify potential supply chain risks and mitigate their potential impacts:

  • evaluate high-margin, high-revenue products to identify which disruptions would have the greatest financial impact
  • modify the strategic sourcing approach to include risk analysis
  • establish leading indicators to help identify emerging problems
  • conduct supply chain process mapping to understand dependencies and potential causes of a supply chain failure cascade
  • use impact modeling to determine (catastrophic) breakage points or single points of failure (and remove them)

This brings us to the Knowledge @ Wharton article which notes that experts from BCG and Wharton generally agree that managing supply chain disruptions revolves around two goals: first, to thoroughly understand the potential of identified risks; and second, to increase the capacity of the supply chain — within reasonable limits — to sustain and absorb disruption without serious impact and that risks fall into three main categories: operational contingencies, abrupt discontinuity of supply, and natural hazards.

In addition to noting that in order to mitigate and manage a disruption risk, you must first understand the vulnerabilities, it presents a multi-step approach to disruption risk management that you can use as an outline to develop your own risk mitigation planning process.

  1. Obtain senior management understanding and approval and set up organizational responsibilities for managing the disruption risk management process.
  2. Identify key processes that are likely to be affected by disruptions and characterize the facilities, assets and human populations that may be affected.
  3. Undertake traditional risk management for each key process to identify vulnerabilities, triggers for these vulnerabilities, likelihood of occurrence, and mitigation and risk transfer activities.
  4. Report on, periodically audit, and conduct management and legal reviews of implementation plans and results on an on-going basis (e.g., of near-miss management and other disruption risks).

Great companies create supply chains that respond to sudden and unexpected changes by building “Triple-A” supply chains that are agile, adaptable and aligned. Triple-A supply chains satisfy the following Triple-A goals:

  • Agile supply chains respond quickly to sudden changes in supply or demand.
  • Adaptable supply chains adjust supply chain design to accommodate market changes.
  • Aligned supply chains establish incentives for supply chain partners to improve performance of the entire chain.

Also, for more reading on supply risk management, my original weekend series is still up over on e-Sourcing Forum [WayBackMachine]. (Introduction, Risks and the Need for Resilience, Managing Risk, and the bonus SI post WisdomNet’s Point of View.)

Disaster Recovery Planning

In Managing Business Risk, we discussed Business Continuity Planning and how it is one of the best ways to manage risk, including supply chain risk. A major component of business continuity planning is disaster recovery planning, and after my recent posts on how Your Supply Chain is NOT Secure, diaster recovery planning should be at the forefront of your thoughts.

If you find planning for a disaster daunting, it never hurts to bring in some outside help, and if you think the costs of setting up a backup operation are prohibitive, then you might want to consider outsourcing that as well.

A recent article in the Outsourcing Journal, “Why Every Business Needs a Disaster-Recovery Plan”, demonstrates how it can be an effective option. It discusses how Citrix was able to literally move their factory from one side of the country to the other with the flick of a switch thanks to HP’s disaster recovery service which had the backbone and infrastructure needed to take over Citrix’s world-wide ordering and fulfillment process across all 670 SKUs.

Selecting a disaster recovery outsource provider is not an easy task, and Citrix spent 18 months interviewing and evaluating 20 firms globally before making a choice based on a 32-question report card. However, your process need not take quite as long if you heed Citrix’s advice and focus only on outsourcing provider willing to work with you and address your concerns. As the article notes, transition can be turmoil in most outsourcing arrangements, but if the company is willing to commit the necessary time and resources and work with you to make the transition seamless, it can be.

In addition, the provider should be comfortable with quarterly management reviews and clear metrics. Everybody should be looking at delivery performance, quality, customer satisfaction, and cost improvements every 91 days and identifying opportunities for improvements. Then, both parties should jointly choose two or three initiatives to work on during the upcoming quarter and follow through.

As per the article, done well, outsourcing has the following benefits:

  • Increases productivity
  • Increases mobility
  • Frees up resources to focus on core competencies and innovation
  • Provides business continuity and security
  • Reduces complexity and improves performance
  • Consolidates to create a single view into technology environment
  • Provides governance and compliance
  • Improves process
  • Reduces points of accountability
  • Provides accountability to service level agreements

Your Supply Chain is NOT Secure! Part II.

Yesterday we discussed how the article Nine Cautionary Tales in the September (2006) issue of IEEE Spectrum makes it abundantly clear that no matter what you think, your supply chain is NOT secure – regardless of how safe you think your supply chain is or what voluntary security initiatives you might subscribe to.

Today we are going to discuss some ways to mitigate the risks that are, more-or-less, out of your control. What is more important is that many of these risks are not just terrorist risks (where you literally have no control), but natural disaster risks as well (where you may not be able to take any reasonable precaution).

We’ll discuss each scenario in turn.

Bomb in a Box

Scenario: A bomb is detonated in a shipping container somewhere in a major port city. Hundreds, if not thousands, of shipping containers (which now contain 90% of international cargo) are destroyed or damaged and the port is shut-down for weeks during investigation and recovery.

Mitigation: There’s nothing you can do to stop this, but you can insure it does not devastate your business. In addition to mitigating supply risk by using two suppliers, you should also mitigate delivery risk of key shipments (critical direct materials or high-demand, low supply consumer goods such as those Sony PS3’s that are going to fly off the shelves) by using two logistics carriers or insuring that your logistics carrier splits shipments across ports, containers, and trucks. Make sure you use multiple ports as part of your regular operations, and can re-route shipments quickly if one port gets considerably backed up (or temporarily shut down due to a natural disaster, terrorist attack, or strike).

ElectroShock

Scenario: Terrorists take out part of the power grid and a whole city, state, or even region goes dark – taking out your operation with it.

Mitigation: Critical operations, which for most companies today revolve around data-centers, should have their own back-up generators. Your communications network should also have its own back-up generators. Even if you can’t work, you should still be able to keep in constant communication with your supply chain so that you can recover quickly when the power comes back on. (And cell phone batteries only last so long!)

Toxic Train Wreck

Scenario: A terrorist blows a hole in the side of a tank car transporting toxic chemicals, such as chlorine gas. This scenario is more dangerous than you think – most railway lines go through major cities near densely populated areas. And this could also be caused by a de-railing, which could be caused by a downed tree (due to a lightening strike), also putting this risk in the natural disaster category.

Mitigation: Make sure you have evacuation plans for all of your offices and plants and the ability to hot-swap your operations to a remote location.

Crude Attack

Scenario: A highly trained commando squad blows up a refinery. A very expensive processing plant is destroyed, toxic smoke fills the air, oil supply drops, and energy prices skyrocket.

Mitigation: Have evacuation plans in place if your offices or plants are close to refineries, power-generation stations, or chemical manufacturing or processing plants that could cause a significant hazard if something goes wrong. Make sure your critical back-up power centers can run basic operations on alternate sources of energy – wind power, solar power, biofuels, etc. Consider geo-thermal heating and cooling. You might not be able to meet all of your power needs this way, but the less gas you need to keep going, the less an oil-based energy crisis will affect your business.

Agro-Armageddon

Scenario: A small group of terrorists infect small groups of cows with mad-cow disease in geographically remote parts of the country and in order to contain what appears to be a burgeoning epidemic, hundreds of million of cattle are slaughtered across the country. (The virus that causes this disease is harmless to humans.)

Mitigation: The real danger here is if your business relies on beef – distributor or steak-house. The mitigation is to make sure you are set-up to import beef from multiple countries at any one time.

Black Christmas

Scenario: Terrorists blanket shopping malls with open containers of mercaptan (the highly volatile and noxious-smelling chemical ordinarily used to signal the presence of propane gas) and postal offices with anthrax stimulants, scaring consumers away from shopping malls and shutting down the largest delivery service. Sales plummet.

Mitigation: First of all, don’t bet your business on a single holiday season. If you are in the business of seasonal novelties, diversity and attack all the holidays. Secondly, make sure you are set up to work with multiple delivery carriers, local and national. Standard courier rates are quite high, but some companies will give you great deals on volume, which will allow you to use them instead of the post-office at only a slightly higher cost. (This is critical especially if the bulk of your sales are low dollar goods. Most people will not want to pay a 50%+ shipping premium. For example, I’ve never ordered a single 11.99 CD at 7.99 next-day courier shipping.)

Star Struck

Scenario: A group of highly trained activists takes over a prestigious televised event with a number of important people present.

Mitigation: This sort of endeavor would take months and months of up-front planning and infiltration into all of the appropriate service organizations. There are two potential approaches here. The first is to move the event around and not select your service organizations too far in advance. However, if you are holding your event at a high profile venue in a city where resources need to be booked months (and months) in advance, this is not feasible. Make sure that all of the organizations you use are establish, trusted, and cognizant of best-practice security procedures. Make sure they do background checks on all new employees and that the security firm you hire does a complete, up-to-date, risk assessment, even if it’s worked the venue before.

A Farmer’s Fury

Scenario: A group of angry activists make truck-bombs using their unrestricted access to ammonium nitrate fertilizer, drive them up to a building, walk away, and detonate them using a remote detonator.

Mitigation: Restrict parking near critical facilities. If you feel this is a real threat, manually inspect all large vehicles entering your premises.

Too Much – Or Too Little

Scenario: In the future, airline security has lapsed to pre-9/11 levels as the urgency to protect the homeland has subsided with reduced terrorist attacks and a new government to the point where someone could walk on the plane with a shoe-bomb. (This also has an accidental equivalent, the plane crashes.)

Mitigation: The time-tested “don’t put all your executives on the same plane (, bus, or boat)”.

Your Supply Chain is NOT Secure!

The September (2006) issue of IEEE Spectrum ran an article entitled Nine Cautionary Tales designed to illustrate that we are not really prepared if terrorists decide to strike again, despite all of the spending on security initiatives and press statements.

However, what it does make abundantly clear is that no matter what you think, your supply chain is NOT secure – regardless of how safe you think your supply chain is or what voluntary security initiatives you might subscribe to. What does this mean? First of all, if security is critical, you need to take extra steps to insure that security is there. More importantly, it tells us that you should be prepared for disruption and have plans in place to deal with that disruption and mitigate the effects quickly and without serious incident.

So just how are they insecure? Let’s examine each of their scenarios.

Bomb in a Box

Scenario: A crazy dictator threatens to detonate a 2-kiloton atomic bomb hidden inside a shipping container somewhere in a major port city (which could do more damage then the 22-kiloton airburst that devastated Nagasaki at the end of World War II).

Danger: With 90% of international cargo now traveling in standard containers, and your average port only able to manually investigate a very small percentage, it would not be too difficult for a terrorist to hide a large bomb in random port container, detonate it, and damage hundreds, if not thousands, of neighboring containers.

ElectroShock

Scenario: Terrorists take out part of the power grid and a whole city, state, or even region goes dark – just as the US Northeast, Midwest, and southeastern Canada simultaneously failed in 2003.

Danger: There are about 1000 high-voltage transformers in the US that step voltage down from transmission levels (typically above 100 kilovolts) to distribution voltages (in the tens of kilovolts) across the US. Most are secured by nothing more than a chain link fence. Each one of these takes down a portion of the grid. The simultaneous knock-out of a handful of these could overload the grid and take out a very large portion of it. This could shut down significant parts of your operation – cold.

Toxic Train Wreck

Scenario: A terrorist blows a hole in the side of a tank car transporting toxic chemicals, such as chlorine gas.

Danger: The gas escapes and blankets the nearby area, making it uninhabitable and killing anyone who can’t escape quickly. Operations run on people – no people, no operations.

Crude Attack

Scenario: A highly trained commando squad blows up a refinery.

Danger: A very expensive processing plant is destroyed, toxic smoke fills the air, oil supply drops, and energy prices skyrocket.

Agro-Armageddon

Scenario: A small group of terrorists infect small groups of cows with mad-cow disease in geographically remote parts of the country. (The virus that causes this disease is harmless to humans.)

Danger: In order to contain what appears to be a burgeoning epidemic, hundreds of million of cattle are slaughtered across the country, significantly decreasing food supplies, driving up food costs, and making the terrorists, who invested in the futures market, rich in the process.

Black Christmas

Scenario: Terrorists blanket shopping malls with open containers of mercaptan, the highly volatile and noxious-smelling chemical ordinarily used to signal the presence of propane gas, and postal offices with anthrax stimulants.

Danger: Christmas sales plummet as consumers fear malls and deliveries can not be made. Furthermore, if the terrorists make threats to use real propane and anthrax next year if their messages go unheeded, Christmas sales, your primary revenue generators, are destined to be low for years to come.

Star Struck

Scenario: A group of highly trained activists take over the Academy Awards Ceremony.

Danger: This scenario applies to any function you hold with a number of important people.

A Farmer’s Fury

Scenario: A group of angry farmers make truck-bombs using their unrestricted access to ammonium nitrate fertilizer, drive them up to a building, walk away, and detonate them using a remote detonator.

Danger: This could be accomplished by any group with access to the right raw materials – farmers, distributor employees, manufacturer employees, etc.

Too Much – Or Too Little

Scenario: In the future, airline security has lapsed to pre-9/11 levels as the urgency to protect the homeland has subsided with reduced terrorist attacks and a new government.

Danger: Someone could walk on the plane with a shoe-bomb. More importantly, if security lapses across the board, it will be easier not only for terrorist attacks, but theft.

So what can you do? Tune in tomorrow!

Managing Global Trade Data

In our last post on Global Trade Data Management we indicated that not a lot of focus has been traditionally placed on the management of Global Trade Data because, if it’s done right, there are no significant savings opportunities and most companies still are not really aware that they should be focused on it. The reason they should be focused on it is that error rates in global trade processes approach 10% to 20% and this is costing many companies millions of dollars, especially when affordable technology solutions to tackle these problems now exist.

Why is managing global trade data so important? In addition to the fact that the Customs Modernization Act of 1993 shifted the responsibility of documentation accuracy from the government to the importer and that errors can result in long delays, huge fines or overpayments (that the government will not identify for you), this years budget for US Customers and Border Protection (CBP) increased 4.8%. As part of this increase, CBP plans to spend $305M in the implementation of the Automated Commercial Environment (ACE) and another $16M on the International Trade Data System (ITDS) program in conjunction with the Customs Trade Partnership Against Terrorism (C-TPAT). When you combine these initiatives with the compliance legislation of the recent Sarbanes-Oxley act, the level of visibility and control you really need with respect to your trade data is probably well beyond what you have. And since you never know when you could be audited, which is probably more likely than you think when you consider that statistics indicate that the goverment collects $7 in fines and interest on underpayments for every $1 it spends on a trade-compliance audit, you should be getting your data into shape now. (Furthermore, in addition to the Securities and Exchange Commission, depending on what you are importing or exporting, you may also be subject to oversight from the Department of Transportation, Department of Defense, Federal Communications Commission, Federal Aviation Commission, and the Food and Drug Administration, for example.)

You start with an audit of your current processes, systems, and, most importantly data, to determine where the issues are and what you have to address. A company like Global Data Mining (acquired by CUSTOMS Info which was acquired by Descartes) can help you do this using a 3-R process that recreates years of historical import transactions to identify and quantify errors and non-compliance activities, produces executive-level reports to provide decision makers the information they need to determine priorities and define go-forward plans, and reparis existing data and current control processes to prevent the same mistakes from happening again.

Manual processes, which are still standard for the majority of importers, and which typically rely on a person to make a decision with only shorthand invoice descriptions available, are subject to errors and generally produce the following common inaccuracies:

  • inaccurate notation of merchandise value
  • improper classification of merchandise
  • incorrect payment and documentation of duties

Generally speaking, your reporting process will highlight these issues and your repair process will focus on implementing new, preferably technology driven, processes that will prevent these errors from happening again.

The reality is that despite the fact there are tens of thousands of rulings by US Customs that need to be referred to in product classification, and that this shear number is beyond the grasp of even the best of human experts, this is a very small number from a systems perspective and a good technology solution can locate and apply the right ruling, classification, and rate in a fraction of a second with the right description and HTS codes.

For more information, I encourage you to check out Global Data Mining’s white papers and their white paper on Import Compliance in particular. I think it will be worth your time.