Category Archives: Risk Management

Five Types of Supply Risk, and How to Mitigate Them

Today I’d like to welcome Jim Lawton, VP and General Manager of Open Ratings, a D&B company with a range of supply risk management solutions for automotive, aerospace and industrial manufacturers.

Risk is a painful reality in manufacturing today. Strategic initiatives like low-cost-country sourcing and supplier rationalization programs only increase manufacturers’ exposure and vulnerability to the risk of supply chain disruptions.

Working with Open Ratings’ Fortune 500 manufacturing customers, I’ve come to realize that even the most sophisticated companies need a reminder for the different types of risk, and how to mitigate each. As I see it, the best way to avoid the inevitable is to understand the many sources of potential risk – which can be defined in five broad categories – and put strategies in place to mitigate each one:

  1. Strategy Risk = Choosing the right supply management strategy.Know that what’s right for one business might not be right for yours. For example, a small family-run business may opt to source locally because they don’t have the resources needed to keep an eye on global suppliers.

    Mitigation and Management Approach: Define the right up-front strategy, and identify and qualify the right suppliers, using reliable market intelligence to drive decisions.

  2. Market Risk = Brand, compliance, financial and market exposure.When outsourcing part production or even entire product lines, you’re putting your company at the mercy of your suppliers. If they deliver a sub-par product, or fail to deliver completely, your customer will be looking to you – not them – for an explanation.

    Mitigation and Management Approach: Pinpoint the product line’s quality standards tolerance, and determine the possible impact of a compromise. Monitor those lines closely to detect early-warnings before issues wreak havoc with your firm’s brand, ability to meet compliance regulations and the bottom line.

  3. Implementation Risk = Supplier implementation lead-times and production/performance ramp.Know who you’re working with and what their capacity issues are before signing on with them. Working with a supplier for whom your business only represents a fraction of their revenue means you may not get the level of attention that you want.

    Mitigation and Management Approach: Ramp new suppliers quickly to gain early visibility into any risk factors that might hinder production, lead-times, initial performance, etc.

  4. Performance Risk = Ongoing supplier quality and financial issues.Now that you’ve selected a supplier, there’s still a lot of work to be done. Businesses are acquired, go out of business or shift strategy every day, so constant vigilance is needed.

    Mitigation and Management Approach: Continuously monitor all of your suppliers to avoid disruptions caused by bankruptcies, performance issues, ownership changes, labor strikes, geopolitical changes, etc. You may need to tap technology to effectively achieve this level of monitoring.

  5. Demand Risk = Demand and inventory fluctuations and challenges.While some suppliers jump at the chance to take on new opportunities, enthusiasm doesn’t necessarily mean they’re in the best position to excel.

    Mitigation and Management Approach: Watch your suppliers carefully for signs that they are overwhelmed with new business. Don’t let their desire to grow their business affect your commitments.

Risk will always be inherent in the supply chain. By implementing a comprehensive, proactive approach and working with your suppliers to define a strategy based on shared business goals, you will reduce your exposure to risk – and the catastrophic impact it can have.

Not only will you gain new ability to mitigate issues before they wreak havoc on the supply chain, your brand, and the bottom line – a supply risk management framework also supports more informed supplier development, and total-cost decision making to further reduce inventory levels; improve supplier quality; and remove additional cost and waste out of your supply chain.

The best-laid strategies require your team to shift their mind-set, to divide their attention equally between cost-reduction efforts and risk mitigation considerations, but the rewards are well worth the effort.

OpenRatings … Not Just for Performance Anymore

Recently, I had the opportunity to sit down with Jim Lawton and talk about not what Open Ratings was, or is, but what it will be now that it has been acquired by D&B and has access to not only the cash reserves one needs to create the next big thing but also the data it needs to take its analytics capabilities to the next level.

As discussed many times by Jason Busch over on Spend Matters (including in “Open Ratings Alert: A New Business Model”* and “Sourcing Innovation Next Generation On Demand”*), and also by Jim Lawton in his guest post (“Don’t Let the Supply Risk Grinch Steal Christmas”*), Open Ratings had the unique capability, built on some great predictive analytics work by some brilliant MIT graduates (whom I hope to be talking to in the future), to analyze a supplier’s financial and performance data relative to other companies in your space and tell you how likely they are to perform for you with respect to a contract to provide a certain category of product or service.

Considering most companies don’t have the data or the models to even attempt this, this is a great offering. However, with access limited only to a subset of D&B data and customer data from the Open Ratings Network, the results were often coarse grained compared to the fine-grained event and product specific events a buyer would really like to have. Considering your only other hope for a coarse-grained result was Austin Tetra (acquired by Equifax) (whom I will also address this week), this was rather fantastic when the capability first came out – but one could see the next step and it only made sense to push for it – which they did, and now that they are part of D&B, I dare say that they can give you a performance-based picture of a potential supplier that, in some ways, is more detailed than any other picture any other provider can give you.

However, performance is not the only issue you need to be concerned about. In today’s ultra-fast marketplace with ultra-lean supply chains, Risk is King. It’s not how good the supplier will perform, but how regularly they will perform. The last thing you want is for a great performing supplier to go bankrupt without warning nine months into a new contract. The real question is, with their new access to D&B’s huge data store, updated daily, will they be able to tell you not only how well a supplier can be expected to perform, but how risky the relationship could be be. After all, the real key to managing risk in your supply chain, is, of course, to not introduce it in the first place!

So, on this note, I’m going to end this post and ask you to stay tuned for tomorrow’s post where Open Rating’s Jim Lawton guest authors a post on the five major types of risk and what you can do to hedge against them. Keep the RSS feed alive!

* All posts prior to 2012 were removed in the Spend Matters site refresh in June, 2023.

Real Risk (in the Supply Chain)

As evidenced by the considerable number of posts in my Risk Management category, including my posts on Managing Business Risk and Disaster Recovery Planning, Risk is one of my favorite topics since I believe that with innovative thinking, much can be done to reduce risk and prevent significant disruptions regardless of what form they arise in or how unexpected they are.

I’m not alone in this non-revolutionary form of thinking and it was nice to see the onslaught of risk-related articles in the supply chain media in recent months. Three articles in particular that stood out to me were Line 56’s “Managing Global Supply Risk”, ISM’s “Mitigate Risk, Sustain Supply”, and Knowledge @ Wharton’s “Flexibility in the Face of Disaster: Managing the Risk of Supply Chain Disruption”.

The Line 56 article points out that global sourcing needs a different set of management guidelines, metrics, and skill sets that focus on addressing the five key sources for supply risks, which it defines as:

  • longer lead times
  • quality control is different in each country, if there is control at all
  • financial data on global suppliers can be inaccurate or unavailable
  • cultural differences prevail overseas
  • laws and regulations differ significantly from those in the U.S.

The article offers three sound suggestions for managing global supply risk:

Executive-Level visibility into exposure and dependency
If they see the risk, they’re more likely to provide support and budget for the development and implementation of risk mitigation plans.
Continuous Monitoring of all Suppliers
You want to catch wind of a potential disruption BEFORE it occurs, not after!
Complete, Accurate, Forward-Looking Supplier Information
It’s not just the business you plan on doing with your supplier tomorrow that is important, but the business you plan on doing with them next year. Make sure that they have the capability and sustainability to deliver before signing the contract.

The ISM article notes that remaining competitive requires mitigating potential risks by understanding supply chain interdependencies and discovering alternative solutions for areas with high exposure. After all, for the past five years a potentially catastrophic event to an organization’s supply chain has occurred and natural disasters, terrorism, and political unrest is not going away.

The ISM article also points out that the key barrier to addressing risks is the lack of a clear return on investment – executives are not receiving credit for preventing problems, only for leading their organizations to achieve superior financial performance. Senior management needs to understand that superior performance requires plans for sustained financial success, and those plans require both innovation and risk mitigation components. Maybe “amortized expected loss” needs to become part of the annual budget where the loss is the average financial loss experienced by an organization of equivalent size and geographical diversity over the last five years to unforeseen supply chain disruptions and disasters. Then, any plan that can be used to reduce that number could be hailed as a success and managers would be hailed for the risk prevention efforts instead of chastised for not spending more time on sales and marketing or beating up their suppliers for cost concessions (which we all know is a losing strategy in the long term).

The ISM article also has some good advice on how to identify potential supply chain risks and mitigate their potential impacts:

  • evaluate high-margin, high-revenue products to identify which disruptions would have the greatest financial impact
  • modify the strategic sourcing approach to include risk analysis
  • establish leading indicators to help identify emerging problems
  • conduct supply chain process mapping to understand dependencies and potential causes of a supply chain failure cascade
  • use impact modeling to determine (catastrophic) breakage points or single points of failure (and remove them)

This brings us to the Knowledge @ Wharton article which notes that experts from BCG and Wharton generally agree that managing supply chain disruptions revolves around two goals: first, to thoroughly understand the potential of identified risks; and second, to increase the capacity of the supply chain — within reasonable limits — to sustain and absorb disruption without serious impact and that risks fall into three main categories: operational contingencies, abrupt discontinuity of supply, and natural hazards.

In addition to noting that in order to mitigate and manage a disruption risk, you must first understand the vulnerabilities, it presents a multi-step approach to disruption risk management that you can use as an outline to develop your own risk mitigation planning process.

  1. Obtain senior management understanding and approval and set up organizational responsibilities for managing the disruption risk management process.
  2. Identify key processes that are likely to be affected by disruptions and characterize the facilities, assets and human populations that may be affected.
  3. Undertake traditional risk management for each key process to identify vulnerabilities, triggers for these vulnerabilities, likelihood of occurrence, and mitigation and risk transfer activities.
  4. Report on, periodically audit, and conduct management and legal reviews of implementation plans and results on an on-going basis (e.g., of near-miss management and other disruption risks).

Great companies create supply chains that respond to sudden and unexpected changes by building “Triple-A” supply chains that are agile, adaptable and aligned. Triple-A supply chains satisfy the following Triple-A goals:

  • Agile supply chains respond quickly to sudden changes in supply or demand.
  • Adaptable supply chains adjust supply chain design to accommodate market changes.
  • Aligned supply chains establish incentives for supply chain partners to improve performance of the entire chain.

Also, for more reading on supply risk management, my original weekend series is still up over on e-Sourcing Forum [WayBackMachine]. (Introduction, Risks and the Need for Resilience, Managing Risk, and the bonus SI post WisdomNet’s Point of View.)

Disaster Recovery Planning

In Managing Business Risk, we discussed Business Continuity Planning and how it is one of the best ways to manage risk, including supply chain risk. A major component of business continuity planning is disaster recovery planning, and after my recent posts on how Your Supply Chain is NOT Secure, diaster recovery planning should be at the forefront of your thoughts.

If you find planning for a disaster daunting, it never hurts to bring in some outside help, and if you think the costs of setting up a backup operation are prohibitive, then you might want to consider outsourcing that as well.

A recent article in the Outsourcing Journal, “Why Every Business Needs a Disaster-Recovery Plan”, demonstrates how it can be an effective option. It discusses how Citrix was able to literally move their factory from one side of the country to the other with the flick of a switch thanks to HP’s disaster recovery service which had the backbone and infrastructure needed to take over Citrix’s world-wide ordering and fulfillment process across all 670 SKUs.

Selecting a disaster recovery outsource provider is not an easy task, and Citrix spent 18 months interviewing and evaluating 20 firms globally before making a choice based on a 32-question report card. However, your process need not take quite as long if you heed Citrix’s advice and focus only on outsourcing provider willing to work with you and address your concerns. As the article notes, transition can be turmoil in most outsourcing arrangements, but if the company is willing to commit the necessary time and resources and work with you to make the transition seamless, it can be.

In addition, the provider should be comfortable with quarterly management reviews and clear metrics. Everybody should be looking at delivery performance, quality, customer satisfaction, and cost improvements every 91 days and identifying opportunities for improvements. Then, both parties should jointly choose two or three initiatives to work on during the upcoming quarter and follow through.

As per the article, done well, outsourcing has the following benefits:

  • Increases productivity
  • Increases mobility
  • Frees up resources to focus on core competencies and innovation
  • Provides business continuity and security
  • Reduces complexity and improves performance
  • Consolidates to create a single view into technology environment
  • Provides governance and compliance
  • Improves process
  • Reduces points of accountability
  • Provides accountability to service level agreements

Your Supply Chain is NOT Secure! Part II.

Yesterday we discussed how the article Nine Cautionary Tales in the September (2006) issue of IEEE Spectrum makes it abundantly clear that no matter what you think, your supply chain is NOT secure – regardless of how safe you think your supply chain is or what voluntary security initiatives you might subscribe to.

Today we are going to discuss some ways to mitigate the risks that are, more-or-less, out of your control. What is more important is that many of these risks are not just terrorist risks (where you literally have no control), but natural disaster risks as well (where you may not be able to take any reasonable precaution).

We’ll discuss each scenario in turn.

Bomb in a Box

Scenario: A bomb is detonated in a shipping container somewhere in a major port city. Hundreds, if not thousands, of shipping containers (which now contain 90% of international cargo) are destroyed or damaged and the port is shut-down for weeks during investigation and recovery.

Mitigation: There’s nothing you can do to stop this, but you can insure it does not devastate your business. In addition to mitigating supply risk by using two suppliers, you should also mitigate delivery risk of key shipments (critical direct materials or high-demand, low supply consumer goods such as those Sony PS3’s that are going to fly off the shelves) by using two logistics carriers or insuring that your logistics carrier splits shipments across ports, containers, and trucks. Make sure you use multiple ports as part of your regular operations, and can re-route shipments quickly if one port gets considerably backed up (or temporarily shut down due to a natural disaster, terrorist attack, or strike).

ElectroShock

Scenario: Terrorists take out part of the power grid and a whole city, state, or even region goes dark – taking out your operation with it.

Mitigation: Critical operations, which for most companies today revolve around data-centers, should have their own back-up generators. Your communications network should also have its own back-up generators. Even if you can’t work, you should still be able to keep in constant communication with your supply chain so that you can recover quickly when the power comes back on. (And cell phone batteries only last so long!)

Toxic Train Wreck

Scenario: A terrorist blows a hole in the side of a tank car transporting toxic chemicals, such as chlorine gas. This scenario is more dangerous than you think – most railway lines go through major cities near densely populated areas. And this could also be caused by a de-railing, which could be caused by a downed tree (due to a lightening strike), also putting this risk in the natural disaster category.

Mitigation: Make sure you have evacuation plans for all of your offices and plants and the ability to hot-swap your operations to a remote location.

Crude Attack

Scenario: A highly trained commando squad blows up a refinery. A very expensive processing plant is destroyed, toxic smoke fills the air, oil supply drops, and energy prices skyrocket.

Mitigation: Have evacuation plans in place if your offices or plants are close to refineries, power-generation stations, or chemical manufacturing or processing plants that could cause a significant hazard if something goes wrong. Make sure your critical back-up power centers can run basic operations on alternate sources of energy – wind power, solar power, biofuels, etc. Consider geo-thermal heating and cooling. You might not be able to meet all of your power needs this way, but the less gas you need to keep going, the less an oil-based energy crisis will affect your business.

Agro-Armageddon

Scenario: A small group of terrorists infect small groups of cows with mad-cow disease in geographically remote parts of the country and in order to contain what appears to be a burgeoning epidemic, hundreds of million of cattle are slaughtered across the country. (The virus that causes this disease is harmless to humans.)

Mitigation: The real danger here is if your business relies on beef – distributor or steak-house. The mitigation is to make sure you are set-up to import beef from multiple countries at any one time.

Black Christmas

Scenario: Terrorists blanket shopping malls with open containers of mercaptan (the highly volatile and noxious-smelling chemical ordinarily used to signal the presence of propane gas) and postal offices with anthrax stimulants, scaring consumers away from shopping malls and shutting down the largest delivery service. Sales plummet.

Mitigation: First of all, don’t bet your business on a single holiday season. If you are in the business of seasonal novelties, diversity and attack all the holidays. Secondly, make sure you are set up to work with multiple delivery carriers, local and national. Standard courier rates are quite high, but some companies will give you great deals on volume, which will allow you to use them instead of the post-office at only a slightly higher cost. (This is critical especially if the bulk of your sales are low dollar goods. Most people will not want to pay a 50%+ shipping premium. For example, I’ve never ordered a single 11.99 CD at 7.99 next-day courier shipping.)

Star Struck

Scenario: A group of highly trained activists takes over a prestigious televised event with a number of important people present.

Mitigation: This sort of endeavor would take months and months of up-front planning and infiltration into all of the appropriate service organizations. There are two potential approaches here. The first is to move the event around and not select your service organizations too far in advance. However, if you are holding your event at a high profile venue in a city where resources need to be booked months (and months) in advance, this is not feasible. Make sure that all of the organizations you use are establish, trusted, and cognizant of best-practice security procedures. Make sure they do background checks on all new employees and that the security firm you hire does a complete, up-to-date, risk assessment, even if it’s worked the venue before.

A Farmer’s Fury

Scenario: A group of angry activists make truck-bombs using their unrestricted access to ammonium nitrate fertilizer, drive them up to a building, walk away, and detonate them using a remote detonator.

Mitigation: Restrict parking near critical facilities. If you feel this is a real threat, manually inspect all large vehicles entering your premises.

Too Much – Or Too Little

Scenario: In the future, airline security has lapsed to pre-9/11 levels as the urgency to protect the homeland has subsided with reduced terrorist attacks and a new government to the point where someone could walk on the plane with a shoe-bomb. (This also has an accidental equivalent, the plane crashes.)

Mitigation: The time-tested “don’t put all your executives on the same plane (, bus, or boat)”.