Planning for Supply Chain Crisis (Disruption) By

1. Planning for Supply Chain Crisis (Disruption) By Apichai IntakaewSCGProgram Director: Business Continuity Management

2. “Disruption Event” • “Event” means an existing or unusual occurrence in the natural or human-made environment that may adversely affect human life, property, or activity to the extent of a disaster.

3. Types of Events e-Business Risks 3rd Party-Outsourcing Physical Operational • Disruption of IT services/support • Disruption critical databases, networks • Disruption of Telecomms services • Computer viruses • Cyber terrorism, Hacker attacks • Breach of info security, confidentiality • Loss at 3rd party warehouse • Gaps in 3rd party risk assessment & clear understanding of 3rd party’s commitment to business continuity • Contract breach • Legal issues • Disruption to supplier • No operating capacity • Loss of JIT inventory • Disruption of distribution • Unstable political environment • Regulatory requirement issue • Disruption at manufacturing • Loss at CM site • Fire • Flood • Earthquake • Tornado • Hurricane • Snow storm • Utility failure • Bombing • Riot/Civil unrest • Terrorism • Kidnapping • Theft • SARS/other viruses • Hazardous chemicals

4. “Black Swan Event” The Black Swan Theory or "Theory of Black Swan Events" was developed by Nassim Nicholas Taleb to explain: 1) the disproportionate role of high-impact, hard to predict, and rare events that are beyond the realm of normal expectations in history, science, finance and technology, 2) the non-computability of the probability of the consequential rare events using scientific methods (owing to their very nature of small probabilities) and 3) the psychological biases that make people individually and collectively blind to uncertainty and unaware of the massive role of the rare event in historical affairs. • Identifying a black swan event based on the author's criteria: • The event is a surprise (to the observer). • The event has a major impact. • After the fact, the event is rationalized by hindsight, as if it had been expected. Nassim Nicholas Taleb

5. Conventional Wisdom Conventional Supply Chain Management focused on… • Optimization • Just-in-Time • Lean

6. New Paradigm of Supply Chain Resilient Supply Chain Management focused on… • Just-in-Case • Business Continuity Context • Resilience

7. Stages of Disruption Source: MIT Sloan Mgt Review

8. Impacts of Supply Chain disruption • Case Study 1vs • On March 17th 2000, Philips Semiconductor plant in New Mexico, caught fire. • The fire was brought under control in minutes • The damage from smoke and water contaminating the stock of millions of chips. • Philips assured its customers that the fire was likely to disrupt production for around a week. • Nokia • Increased monitoring of in-coming supplies from weekly to daily checks. • Pressured Philips highest level management to ensure that all other Philips plants using additional capacity to meet Nokia’s requirement. • Collaborate with other suppliers in the US and Japan to secure all available chips. • Reconfigured its products to take slightly different chips from other sources. • Successfully maintained production level, and still being global market leader. • Ericsson • Had not acted further until early April • Had no alternative sources of supply because its decision to source key components from single supplier, in order to reduce total supply chain cost. • Lost an estimated € 400 million in new product sales. • Was forced to cease manufacturing of mobile phones.

9. Impacts of Supply Chain disruption • Case Study 2: Land Rover and UPF Thompson • UPF-Thompson, the sole supplier of chassis frames for the Discovery models, unexpectedly went bankrupt in December 2001. • Land Rover was totally unprepared and eventually had to pay off some of UPF’s debt (about € 70 m) to ensure the resumption of chassis supplies, and to prevent the lay-off of 1,400 workers at its Solihull plant. • Inadequate monitoring of its supplier base almost cost Land Rover its business. • A deeper relationship with UPF would likely have alerted Land Rover before the crisis

10. How long can a company survive without a BC Program? • 80% of businesses affected by a major incident either never re-open or close within 18 months (Source, Axa) • Companies that aren't able to resume operations within ten days (of a disaster hit) are not likely to survive. (Strategic Research Institute) • According to Contingency Planning Research & Strategic Research Corporation: 43% of U.S. companies experiencing disasters never re-open, and 29% close within 2 years • Within two years after Hurricane Andrew struck in 1992, 80 percent of the affected companies that lacked a business continuity plan failed (FEMA) • According to a recent Touche Ross study, the survival rate for companies without a disaster recovery plan is less than 10%!

11. BCM Global Standards • UK: British Standards Institution (BSI), BS 25999 • Thailand: 22301-2553 • North America: National Fire Protection Association NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs. • ISO: ISO/PAS 22399:2007 Guideline for incident preparedness and operational continuity management • Australia/NZ: HB 292-2006 : A practitioners guide to business continuity management. In 2010, Standard AS/NZS 5050 was released. • ASIS: ANSI/ASIS SPC.1-2009 Organizational Resilience: The ANSI/ASIS SPC.1-2009 Organizational Resilience: Security, Preparedness, and Continuity Management Systems—Requirements with Guidance for Use American National Standard

12. How to create practical Business Continuity Plan (BCP)? Business Continuity Management Lifecycle Source: BS 25999

13. Step 1 Understanding the Organization Purpose To enable the organization to identify the critical activitiesand resources needed to support its key products and services, understand the threats to them and choose appropriate risk treatments. Service Level Disruption Maximum Tolerable Period of Disruption Normal Service Level Recovery Time Objective High Vulnerability High Minimum Service Level • Value Chain Analysis Time Disruption Probability Low Vulnerability • Business Impact Analysis (BIA) Low - Risk Assessment (RA) Light Severe Consequences

14. Step 2 Determining BCM Strategies Purpose To identify BCM arrangements that will enable the organization to recover its critical activities within their recovery time objectives. Define - Incident response structure - Resources required for resumption (e.g. people, facilities, equipments, etc.) - Mitigation strategies - Recovery strategies

15. Step 3 Developing and Implementing BCM Response Purpose To enable the organization to develop and implement appropriate BCM plans and arrangements to manage any incident and continue its critical activities. Define the detail of - Incident response structure - Business continuity plan, and - incident management plan • Each plan shall • Identify line of communications • define roles and responsibilities for people having authority during crisis • contain essential contact details for all key stakeholders • contain detail of actions and tasks that need to be performed • a process for standing down once the incident is over • etc.

16. Step 4 Exercising, Maintaining, and Reviewing BCM Arrangements Purpose To verify the ongoing effectiveness of the BCM arrangements and to provide greater assurance following an incident that critical activities will be recovered as required. • BCM Exercising • The organization shall • Develop exercises that are consistent with the scope of the BCMS • Ensure that exercises are carried out at planned intervals and when significant changes occur. • Carry out a range of different exercise that taken together to validate the whole of its business continuity arrangements • - etc. • Maintaining and Reviewing BCM Arrangements • The organization shall • Review its BCM arrangements to ensure their continuing suitability , adequacy, and effectiveness. • The review of BCM arrangements shall be regular and conducted either through self assessment or audit. • etc.

17. Be prepare…

18. “Thank You” Q & A