1 / 38

Principles for Building Secure and Resilient Supply Chains

Principles for Building Secure and Resilient Supply Chains. Presentation to: APL Limited Security Exercise October 4, 2007 James B. Rice, Jr. MIT Center for Transportation and Logistics. We’re at risk But we can do something about it! Reduce risk by reducing consequences resilience

vlad
Download Presentation

Principles for Building Secure and Resilient Supply Chains

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Principles for Building Secure and Resilient Supply Chains Presentation to: APL Limited Security Exercise October 4, 2007 James B. Rice, Jr. MIT Center for Transportation and Logistics

  2. We’re at risk But we can do something about it! Reduce risk by reducing consequences resilience Reduce risk by reducing probability  security Risk management maturity model for a pathway to economic viability Today’s Message

  3. Global sources of supply Increasing distances Dependence on transborder imports Global customer destinations More customers, increasing complexity Dependence on transborder exports Complexity! More parties in the supply chain Focusing on core competence, more outsourcing Greater interdependence among supply network Lean supply chains, reduced inventories Fragile supply chains Result is high vulnerability Our vulnerability is a function of the supply network Ex. Pan Am over Lockerbie; Williams Pipeline Supply Chains Today

  4. …and their impact on SCs Borders, plants shutdown Tourism, auto OEMs on hold Supply Availability $10-20B, no containers Loss of info systems Lost production, sales… Investment concern…. 10% oil refining capacity lost, impact on Fed interest rate, global economy! HC-LP Disruptions…. 9-11 Foot and Mouth Disease SARS West Coast Lockout 2003 Blackouts (EEU, US) London/Madrid Attacks Katrina, Rita… Continued terror attacks High Consequence-Low Probability Disruptions

  5. High Consequence-Low Probability Disruptions West Coast Ports Lockout Madrid Attack Ford-Firestone Tire Recall Sept. 11 Terrorist Attacks Toyota Brake Plant Fire Blackouts US - Europe GM Labor Strike Katrina Iraq War Philips Plant Fire Tsunami Ok. tornado - GM FMD UK 1997 1998 1999 2000 2001 2002 2003 2004 2005 UPS Labor Strike Taiwan Earthquake Quebec Ice Storm SARS Scandals: Enron, Andersen, Worldcom Nor’Easter London Attacks Ref: Adapted from Dr. Debra Elkins, General Motors

  6. SC Response Examples Matrix See Handout

  7. High High Vulnerability Probability/Risk of Disruption Low High Low Vulnerability Low Consequences of Disruption Reduce Vulnerability to Disruption 1. Reduce probability of disruption: increase security, prevention 2. Reduce consequences of disruption: increase resilience Ref. – Sheffi, Rice & SC Response Project

  8. Assess Vulnerabilities New or Foreign Competitors Credit Default Public Boycott & Condemnation Strategic Risk Financial Risk Shareholder Activism Offensive Advertising Adverse Changes in Industry Regulations Timing of Business Decisions & Moves Negative Media Coverage Corporate Culture Fuel Prices Interest Rate Fluctuations Market Share Battles Foreign Market Protectionism Loss of Intel. Property Pricing & Incentive Wars Equip., Facilities, Business Acquisitions & Divestitures Attacks on Brand Loyalty Currency & Foreign Exchange Rate Fluctuations Mergers & Industry Consolidation Supplier Relations Customer Relations Product-Market Alignment“Gotta Have Products” Asset Valuation Financial Markets Instability Dealer Relations Customer Demand Seasonality & Variability Accounting / Tax Law Changes Liquidity / Cash Uncompetitive Cost Structure Inadequate Mgmt. Oversight Ineffective Planning Program Launch Technology Decisions Inadequate / Inaccurate Financial Controls & Reporting Adverse Changes in Environmental Regulations Revenue Management Ethics Violations Budget Overruns or Unplanned Expenses Joint Venture / Alliance Relations Economic Recession Perceived Quality Union Relations, Labor Disagreements & Contract Frustrations Debt & Credit Rating Product Development Process Enterprise Vulnerability Currency Inconvertibility Health Care & Pension Costs Product Design & Engineering HR Risks – Key Skill Shortage, Personnel Turnovers Asbestos Exposure 3rd Party Liability General Liability Product Liability Warranty / Product Recall Campaigns Restriction of Access / Egress Harassment & Discrimination Mold Exposure Directors & Officers Liability Property Damage Theft Cargo Losses Loss of Key Equipment Vandalism Dealer Distribution Network Failures Bldg. or Equip. Fire Loss of Key Facility Embezzlement Geopolitical Risks Arson Workers Compensation Info. Mgmt. Problems Severe Hot / Cold Weather Kidnapping Logistics Provider Failures Accounting or Internal Controls Failures Boiler or Machinery Explosion Extortion Logistics Routeor Mode Disruptions Earthquake Building Collapse Loss of Key Personnel Deductible Limits Health & Safety Violations Flooding Building Subsidence & Sinkholes IT System Failures (Hardware, Software, LAN, WAN) Terrorism / Sabotage Service Provider Failures Wildfire Computer Virus / Denial of Service Attacks Land, Water, Atmospheric Pollution Gov’t Inquiries Disease / Epidemic Lightning Strikes Supplier Bus. Interruption Tornados Tier 1, 2, 3, …nSupplier Problems: Financial Trouble, Quality “Spills”, Failure to Deliver Materials, etc. Workplace Violence Animal / Insect Infestation Wind Damage Operator Errors / Accidental Damage Blizzard / Ice Storms Hazard Risk Loss of Key Supplier Hail Damage Tsunami Operations Risk Hurricane / Typhoon Volcano Eruption Utilities Failures Communications, Electricity, Water, Power, etc. Heavy Rain / Thunderstorms Ref: Dr. Debra Elkins, General Motors

  9. Analyzing risk – look at source of risk Terrorism Map network impact: Location, trophy status, proximity Threat adjusts to the response Labor unrest, supplier failure Labor unrest often adjusts to the response Awareness of supplier financial health Natural disaster (e.g. earthquake, etc.) Predictability by region, season Use data – probability distribution function (pdf) But limited data makes pdf impossible in many cases Qualitative analysis “Staple yourself to a shipment” Assess Vulnerability

  10. Staple yourself to a shipment: what REALLY happens en route… Ref: Permission to use photo by S. Lund

  11. Power Water Transportation systems Roads, bridges, ports, ferries Cargo, personnel Information Waste Other Infrastructure Vulnerability

  12. MacArthur Maze – Oakland, CA

  13. MacArthur Maze – Oakland, CA

  14. MacArthur Maze – Oakland, CA

  15. Shanghai Infrastructure at Risk Yangshan Deepwater Port $6.2B+, 3 years The Donghai Bridge; 31+ km, $1.2B

  16. Reducing the Consequences: Resilience

  17. Business Continuity Planning (BCP) Design to ‘fail smartly’ – the system WILL fail; plan to fail so that the damage is not crippling Focus on Failure Mode Analysis, not source “Options” thinking and planning Create Supply Network Resilience Ability of supply network to sustain variations in supply and demand, and to recreate itself after disruption Achieve through Flexibility and Redundancy Flexibility Responding through actions that entail prior investments in infrastructure and capabilities Redundancy Responding through actions that entail prior investments in capital and capacity that may not be used Principles of Resilience:Reduce the Consequences

  18. Disruptions result in a loss of: Capacity to acquire materials (supply) Capacity to ship/transport Capacity to communicate Capacity to convert (internal operations) Demand (customer failure) Human resources (personnel) Failure Mode Analysis

  19. Resilience Responses by Failure Mode See Handout

  20. Auto part supplier: Fire burned facilities, data Standard production process, suppliers provide ‘lost’ info Cantor Fitzgerald: Lost traders, customer info Recaptured 50% of trades using CRM for info Intel Interchangeable plants via “Copy Exact!”, E’quakes BCP UPS Standardized processes enable work force flexibility Lucent Technologies Interchangeable parts, standard models, concurrent SC Reebok Postpone customization of NFL jerseys Helix Technology Simplified production so supplier produces in emergency Jabil Circuits Builds flexibility into standard contracts, 100% in 4 weeks “Fail Smartly”* via Flexibility * “Fail smartly” was introduced in the article “Homeland Insecurity” by Charles Mann, The Atlantic, September 2002

  21. Morgan Stanley Redundant IT system, back up 9-12-01 (learned from ’93 attack) USPS: Anthrax Used massive excess capacity to shift processing to other sites Boston Scientific Financial analysis indicated cash flow crunch Set up redundant production facility, staff…. Waiting! US Government & J&J Maintain stock of medical supplies, rolling inventory “Fail Smartly”* via Redundancy * “Fail smartly” was introduced in the article “Homeland Insecurity” by Charles Mann, The Atlantic, September 2002

  22. Flexibility through interchangeability Standard facilities (Intel, GM) Standard parts (Dell, Lucent SCN, Southwest Airlines) Standard processes (Helix, UPS) Flexibility through postponement (Benetton, H-P) Flexibility through supply (Jabil, Lucent, Toyota) Flexibility through distribution (Caterpillar, Dell) Flexible culture Awareness of risks, tradeoffs Early warning systems (Nokia) Education for awareness Training for response (Intel) Distributed decision-making (P&G, UPS) Open and unconstrained communication (Dell) Many Pathways to Flexibility Sources: “SC Response Project Interim Report” by J. Rice, F. Caniato, Aug 8, 2003; Draft of SC Response Book project, Oct. 2004, later pub as “The Resilient Enterprise by Y. Sheffi

  23. Design for Resilience • Nokia cf. Ericsson • March 2000 – fire in Philips NM plant • Nokia – Fast detection via sensing system • Nokia – Immediate response • Cross-models trade-offs • Chip re-design • Philips capabilities elsewhere • Alternate suppliers • Results: Slide from Prof. Y. Sheffi, MIT SC Response Project 2004

  24. Reducing the Probability: Security

  25. Secure supply network operations Access control, physical security Employees screening: hiring, ongoing (‘the enemy within’) Reduce uncertainty via visibility, early detection systems Red Team Exercises to find weak points Collaboration for network security Industry: Shippers AND carriers develop standards of care Global Security Initiatives Education to create security/risk awareness Training for response and mitigation Secure supply network planning and design Network Design Location – multiple sites, low risk sites Fewer stages Organization Design Integrate logistics, risk management, security organizations Enable culture of awareness and response Actions to Reduce Probability

  26. Big ‘S’ Security (be careful how you pronounce it) Beyond compliance, asset and personnel protection, incident investigation Entails protecting the firm’s ability to maintain economic activity Security integrated into business decision-making Business leverages SC & security investments for advantage. Leaders see disruption as inevitable, focus on Identifying, mitigating and managing enterprise risk Prevention and then rebounding from loss/incidents Efficient and effective transborder capacity Multiple dimensions of security Physical, information, intellectual property/process Enterprise-wide, entire supply network considered Business case developed to support investments ROI on security investments….. Enlightened Security Leadership

  27. Safeguard Target’s direct import strategy Support speed to market, be in stock Rebound from disruption Protect the brand and assets Prevent infiltration by terrorist or criminal groups Ensure regulatory compliance Meet C-TPAT criteria Target Supply Chain Security Operation’s Objectives

  28. Operational Choices Impact Resilience Yangshan Deepwater Port $6.2B+, 3 years The Donghai Bridge; 31+ km, $1.2B

  29. Customer-supplier collaboration: Shared contingency plans, alternative sources. Learning from past disruptions: Building on past experiences to make orgzns stronger. Formal security strategy: Implementing a comprehensive, documented strategy as base of security & resilience initiatives Layered system, multiple failures required to really fail Supply chain drills and mock exercises: Perform training and conducting exercises that include simulations of supply chain disruption. Emergency operating control center: A facility to manage and coordinate the response to unexpected disruptions. Cost/benefit analysis: Quantifying actual or expected costs and benefits Capturing collateral benefits: ROI! Security Leader Actions

  30. Magic Wand Collateral Benefit Increased Security Asset Visibility Lower Working Capital, Op Costs Shorter Cycle Times

  31. More Realistic Collateral Benefit Location and Status Exceptions Evident Real-time Correction Theft and Interruption Prevented Asset Visibility Location, Status Known Real-Time Action Required!! Lower Uncertainty Less Safety Stock Required Lower Working Capital, Op Cost Lower Working Capital, Op Costs Less Space Required Reduce Stock Points Shorter Cycle Times Collateral Benefits Linkage Map

  32. Calculate the Benefits • Smart & Secure Tradelanes (SST) • “A single end-to-end SST move of a typical container nets $378-462 of potential (net) value to the shipper”* * Smart & Secure Tradelanes Phase One Report, November 2003** Based on average container cargo value of $70,000.

  33. Pathway to Economic Viability

  34. Business strategy leverages supply chain and security investments for comp advantage • Disruption seen as inevitable, focus on resilient supply chains. • Manage risk via secure, resilient, efficient, effective transborder processes Compliant Pre-Compliant • Not C-TPAT compliant • Secure facility, ltd prevention SC Risk Management Maturity Levels Ultimate Economic Viability Resilient Low Probability but High Consequences Secure • Outside stds insufficient • Emphasize security & prevention to help company protect its economic viability • Security seen as part of business model Not disadvantaged but not leveraging potential; high probability and consequence, C-TPAT Compliant • Response to regulations • Security as cost of business. • Standard transborder movements Economic viability at risk: High prob & consequence, disadvantaged vs C-TPAT compliant competitors Ref: Forthcoming article in Supply Chain Strategy by James B. Rice, Jr. (MIT) & William Tenney (Target)

  35. Focus by Process and Level

  36. A false sense of security & confidence? Some active responses, but not comprehensive A 2nd source may not the same security/resilience, or maybe less “We’re C-TPAT compliant, that’s our plan” Focus on facility security does not improve network security/resilience Most leaders had to experience pain first before responding….. Risk assessments not comprehensive, not quantitative Network risk not yet embraced Can firms learn? Nearly all progressive firms had to experience pain first Many examples of failure to learn from the pain…. Many Bhopal fatalities could’ve been avoided with basic evac training Union Carbide experienced another potentially deadly gas leak after Bhopal because improvement actions from Bhopal were not applied Key Resilience & Security Issues

  37. Today’s supply chains = complex + vulnerable How to respond? Reduce probability and consequences: depends on risk assessment Reducing consequence: resilience Business Continuity Planning: Focus on Failure Mode Flexibility offers daily payoff Socialize response: Educate for awareness, train for response Building resilience in supply chains protects our economic engines Closing

  38. “The time to help is before it happens”**Lynn Fritz, Founder, The Fritz Institute, September 8, 2005

More Related