TalkingPoint: Supply Chain Risk Management

May 2011

FW moderates a discussion looking at Supply chain risk management between Gary S. Lynch at Marsh Risk Consulting and Nigel Issa at Opera Solutions LLC. >>



FW: In your opinion, is continuity planning typically inadequate in addressing business recovery and supply chain flows? Does planning often fail to reflect global interdependency?

Lynch: In most instances, yes. It’s been my experience to date that most organisations are attempting to provide a static solution to a dynamic problem. There is a tendency to want to analyse the impacts caused by a disruptive event as if it occurred in isolation and as if the organisation has some ability to control all the variables that will eventually generate consequences. In addition, it can be tempting to claim success because you have a plan in a binder on a shelf, or you’ve checked off all the boxes saying you comply with a particular business continuity management standard. Too often, however, these efforts simply bolster a thinly veiled complacency. To achieve true resiliency in today’s interdependent and ever-changing world, traditional continuity planning needs to be re-engineered or ‘blown up’.

Issa: Business continuity planning is an essential element of any organisation’s risk management strategy. Business continuity is typically focused on sustaining the present business infrastructure against known risks and is often reviewed on a periodic basis. The approach does not work well for supply chains as they are constantly evolving as products, demand, operations, suppliers and macro economic factors constantly change. Therefore, organisations need a constant predictive risk assessment capability to monitor and react to small, as well as major, risks on a daily basis. In a global economy organisations are impacted by factors outside their immediate control, so a supply chain risk management approach has to identify the factors that have a significant impact on an organisation but in many cases an organisation may have to live with the impact in the short to medium term.

FW: Can you outline some of the major supply chain and sourcing risks facing companies? How can these risks be amplified by cost-saving initiatives such as reducing inventory, networks and suppliers?

Issa: I think of supply chain risks on two dimensions. They can be categorised on one dimension as occurring around demand, internal operations, and supply side, and on the other dimension as the scale of events, for example, natural disasters on the large scale, to small but significant events such as a ‘goods in’ bay being out of action. Supply chains move products, services, money and information, so disruption to information or cash flow can result in significant risk. Some of the major risks are failure of single source suppliers, new product introductions, system failure in any of the extended supply chain players and data loss. The major risks that can be influenced are in the internal and supply side of an organisation. Most risks will have a disruptive rather than catastrophic impact on an organisation, so many cost saving initiatives can be justified as an acceptable trade-off against potential risks. Organisations that have made too big a trade-off often suffer from low and inconsistent service due to the repetitive low impact events that are the result of cost cutting activity. To operate in a low cost operating model with little insulation from disruptive events, organisations need a real time but rarely have, predictive risk management capability that can quickly identify and  react to disruptive events.

Lynch: The most pervasive risk has been the proliferation of single points of failure or risk created by aggregating critical resources. Although one might conclude that aggregation risk is limited to geography, a significant lack of diversification in critical information, financial, and supply flows also exists. Furthermore, competitive organisations have been intensively ‘leaning’ their supply chains – removing excess inventory or capacity, pushing non-core services to lower cost providers, shedding or consolidating physical assets, and dramatically reducing third party providers or suppliers. This is especially evident in the sectors hardest hit by the earthquake in Japan – high-tech and automotive manufacturing – where in some instances OEMs have reduced the number of suppliers from 4000 to 1500 and are further reducing them to 750. As a result, strategies such as consolidating inventory and the network, leveraging single-source suppliers, and accessing suppliers and customers in geopolitically and socially riskier environments have created greater sourcing risk.

FW: Given the enormous volatility in the geopolitical and social landscape, are events traditionally considered ‘highly improbable’ becoming more common? Are too many ‘black swan’ events being dismissed or downplayed rather than incorporated properly into risk planning?

Issa: Many global supply chains have developed over the last 20 years based on the assumption of a stable world order with unlimited access to resources dominated by western firms. Recent events in the Middle East and the rapid growth of China and India at a time when the western economies have remained flat are beginning to change these assumptions. Less secure global supply routes, with volatile commodity prices and new competition from emerging markets means the assumption that a global extended supply chain is the default strategy looks a much weaker proposition. Given that these risks can only be overcome by restructuring the supply chain, organisations need to develop a revised organisation strategy rather than rely on supply chain risk planning to resolve it.

Lynch:
We need to change a basic assumption.

Many consider events like the Christchurch earthquake, the Iceland volcano and Japan’s disaster as highly improbable events – so-called ‘black swans’. The reality is that these should not be seen as highly unexpected or low probability events for the purposes of managing resiliency. Globalisation, pervasive connectivity, an increase in natural weather catastrophes, a shortage of natural resources, and the expansion of the have/have-not chasm, have created enormous volatility in the geopolitical and social landscape. As such, the symptoms leading to so-called black swans are almost never entirely unexpected or unforeseen. We find similar events such as near misses, deviations, and actual disruptive incidents if we look closely enough. Though perhaps not resulting in catastrophic consequences, the evidence exists and lessons are typically already learned. It’s more about whether the organisation is willing to sacrifice efficiency gains and invest in greater resiliency. We tend to normalise exceptions, so long as they have not caused major disruptions, and focus on mitigating the risks to what we can manage or see. Both make sense on the surface but represent very dangerous practices.

FW: Do companies underestimate the damage that major disruptions can inflict on their credibility with investors, stockholders and customers?

Lynch: In many instances, yes and justifiably so. The impact of a specific event takes a long time to unwind. It is often difficult to attribute the consequences of particular event to the damage caused on the supply or demand side. By the time the organisation figures out what happened, the event is typically downplayed or rationalised away. So the large organisation goes back to creating value and absorbing the impact into ‘business as usual’. There are many examples where the organisation simply could not tuck it away, such as the famous Ericsson/Nokia/Philips supplier failure. However, the potential systemic impact from a disruptive event is likely to be much greater today and in the future due to massive, global, interdependent supply chains, and aggregation of critical resources.

Issa: Most companies have disaster recovery plans so internal major disruptions can be quickly overcome while minimising the credibility damage. Over recent years significant reputational damage has been caused by the mismanagement and loss of sensitive data. Going forward I suspect many organisations will suffer reputational damage from disruption due to the failure of IT systems, cyber attack and data loss. Organisations do underestimate the vulnerability of their information supply chain.

FW: How can a company achieve true resiliency while optimising efficiency in today’s world? What strategies should be employed?


Lynch: Managing resiliency today is as much about avoiding or minimising exposure to risk as it is about recovering and minimising the impact of a disruptive event. Over the last several years, many organisations focused on optimising efficiency but not on resiliency, which was completed as a separate and disconnected effort. Concurrently optimising resiliency and efficiency requires discipline, analytics, decision modelling, and the involvement of a broad cross-section of business, technology, and operation leaders both inside and outside the organisation. As the need to become more efficient drives changes, such as a consolidation of production or distribution facilities, resiliency should be designed-in to optimise risk investments. The benefit derived by recovering more quickly should be quantified and weighed against impact. For example, could I reduce my recovery time from 54 weeks to 16 weeks if I diversified the inventory of my top three product families across two distribution centres? What would be the financial reward of the difference of 38 weeks, and how does the cost of the diversification investment weigh against the financial impact?

Issa: Supply chain structures are driven by the organisation’s strategy and the supply chain organisation must be capable of effectively predicting and communicating the structural and operational risk profile of the resulting supply chain. Therefore all organisations run a level of risk and will have areas of the supply chain that are less resilient. In a changing supply chain environment organisations can improve supply chain resilience by: Continuously mapping and measuring the supply chain to identify and predict risk; ensuring that the strategic planning and sales and operations planning processes assess risk; constantly reviewing the product/service portfolio to remove complexity and duplication; selectively regionalising the supply base; and making risk measures as important as service, cost and quality in the supply chain.

FW: To what extent is it important to measure the effect of various investments in reducing risk exposure?

Lynch: It’s no longer an option to both quantify and qualify risk investments and impacts. You wouldn’t ask the CFO or supply chain manager to rely on qualitative metrics to manage their business or the supply chains that support it. The same is true when it applies to supply chain resiliency. I strongly recommend that the threat be analysed only after the impact from the event, and the risk investment against it, at various points in the supply chain, is measured.

Issa: Organisational investments and changes define supply chain structures and build in risk profiles, so a supply chain organisation needs to be able to predict the performance and risk impact of these investments and changes, and build it into any business case. I can only see an investment being used to reduce risk exposure when an organisation has experienced a significant disruptive event and there is a clear need to mitigate it occurring again.

FW: Should companies look to continuously evaluate and improve their supply chain risk management program? Does the success of this process depend on building a culture of risk management throughout the entire supply chain?

Issa: Yes, organisations need to build the capability to map their evolving supply chain, capture relevant data on the extended supply chain and predicatively analyse it to identify risks, so mitigating action can be taken.

Supply chain risk management is dependent on linking detailed supply chain analysis into strategic planning processes rather than developing a culture of risk management. In today’s volatile global economy risks are inevitable, so organisations need to build the capability to understand and predict events rather than constrain their organisation by creating a culture where all risks are considered before action is taken.

Lynch: Managing risk within the supply chain and providing resiliency are an endless effort that will require continuous evaluation and additional focus when change occurs. There are both offensive and defensive goals of a supply chain risk management program. On the offensive side, the organisation must design and constantly evaluate how it might profit or capitalise when a ‘disruptive’ opportunity is presented. On the defensive side, it must continuously seek to minimise impact from an event by designing for resiliency and providing for an expeditious recovery.


Gary S. Lynch is a managing director and global leader of the International Trade & Supply Chain Risk Management practice at Marsh Risk Consulting. He is responsible for developing the organisation’s risk intelligence capabilities and offerings, as well as aligning and enhancing the firm’s various risk strategies, supply chain, and business continuity offerings. Additionally, he is responsible for developing thought leadership around emerging issues such as pandemics and terrorism. He is a renowned speaker on business resiliency issues, and an accomplished author. Mr Lynch can be contacted on +1 (973) 401 5357 or by email: gary.lynch@marsh.com.

Nigel Issa is European supply chain practice leader at Opera Solutions LLC. Opera Solutions are a next-generation management consulting firm that specialises in combining top-flight consulting expertise with cutting-edge analytics to solve executive teams most complex and challenging problems. Mr Issa is responsible for developing Opera’s capability to rapidly address supply chain challenges and has extensively published thought leadership on supply chain risk, planning and new product introduction. He can be contacted on +44 (0)20 7632 4670 or by email: nissa@operasolutions.com.