Assessing Vulnerability of a Supply Chain: A Strategic Risk Approach
Randy Jouben, Director Risk Management, • FIVE GUYS Enterprises, LLC • Randy is responsible for leading the mission of protecting the tangible and intangible assets of Five Guys in the areas of risk management, safety, security, business continuity and compliance.
What to Expect • To provide you with an understanding of the risk and vulnerabilities of a supply chain. • Understand options available to asses risk in the supply chain • Describe different ways you can integrate supply change management into the Strategic Risk management process
Uncertainty Increases Business Risk “Business managers regularly extrapolate from the past to the future but often fail to recognize when conditions are beginning to change from poor to better or from better to worse. They tend to identify turning points only after the fact. If they were better at sensing imminent changes, the abrupt shifts in profitability that happen so often would never occur. The prevalence of surprise in the world of business is evidence that uncertainty is more likely to prevail than mathematical probability.” “The evidence. . .reveals repeated patterns of irrationality, inconsistency and incompetence in the ways human beings arrive at decisions and choices when faced with uncertainty.” Peter L. Bernstein, “Against the Gods – The Remarkable Story of Risk”
Some Working Definitions • Risk • Risk Management • Strategic Risk Management • Supply chain vulnerability • Robust Supply Change Management • Supply Chain Risk Management • Resilience
Risk • In decision theory: a measure of the range of possible outcomes from a single totally rational decision and their values, in terms of upside gains and downside losses (e.g. gambling)
Risk • A particular type of hazard or threat e.g. technological risk or political risk • The downside only consequences of a rational decision in terms of the resulting financial losses or number of casualties • Risk = probability of occurrence x consequences
Risk Management • “Risk management is the process of measuring or assessing risk and then developing strategies to manage the risk. These strategies can involve the transference of risk to another party, risk avoidance or mitigation, and channel risk sharing.
Strategic Risk Management • “Strategic Risk Management (SRM) is a business discipline that drives deliberation and action regarding uncertainties and untapped opportunities that affect an organization's strategy and strategy execution.”
Supply Chain Vulnerability • We should strive to identify vulnerabilities by asking questions such as: • What has disrupted operations in the past? • What known weaknesses do we have? • What ‘near misses’ have we experienced? • What would be the effect of a shortage of a key material? • What would be the effect of the loss of our distribution site? • What would be the effect of the loss of a key supplier or customer?
Vulnerability vs. Risk Analysis • A vulnerability analysis is not equivalent to a risk analysis. • Risk Analysis focuses on human resources, on environmental and property impacts of an accidental event, • A vulnerability analysis is focused on the system survival.
Vulnerability vs. Risk Analysis • A vulnerability analysis is not equivalent to a risk analysis. • The vulnerability analysis has a wider range with respect to the risk analysis. • Particularly the first concerns the way to weaken the detected threats and restart the system after an accidental event.
Supply Chain Risk Management • Supply Chain Risk Management (SCRM) is a discipline of Risk Management which attempts to identify potential disruptions to continued manufacturing production and thereby commercial financial exposure • Focuses on the interdependences of the actors belonging to the same supply chain: sudden crisis, impacting one or more nodes inevitably creates disturbance which may destabilize the system as a whole
Robust SCRM • “Strong in constitution, hardy, or vigorous” • Enable a firm to manage regular fluctuations in demand efficiently under normal circumstances regardless of occurrence of a major disruption • But does not in itself make a resilient supply chain
Robust SCRM • A robust process can be defined as “a process able to deal with reasonable variability” • A resilient supply chain can be defined as “a supply chain with the ability to recover quickly from unexpected events impacting supply chain performance”
Robust SCRM • A robust process can deal with reasonable variability in input whilst maintaining good control over output variability. • It has some resilience but is it capable of recovery from an event that causes exceptionally high levels of variability in input or output requirement?
Resilience • “The ability of a system to return to its original [or desired] state after being disturbed” • The core concept of resilience is: • It encourages a whole system perspective • It explicitly accepts that disturbances happen • It implies adaptability to changing circumstances
Supply Chain Dynamics • Throughout the 1990s, many firms strived to improve their financial performance by implementing various supply chain initiatives. • These initiatives were intended to increase revenue, reduce cost (e.g., supply base reduction, online sourcing including e-markets and online auctions, offshore manufacturing, Just-in-Time inventory systems, vendor-managed inventory), and reduce assets (e.g., outsourced manufacturing, Information Technology, and logistics).
Supply Chain Dynamics • These initiatives can be effective in a stable environment; however, as the number of supply chain partners increases, these global supply chains become “longer” and “more complex.” • Long and complex global supply chains are usually slow to respond to changes, and hence, they are more vulnerable to business disruptions.
The Challenge Of Global Logistics PRODUCT LINE DIVERSITY MARKET CONCENTRATION
Global business : Singer Sewing Machines • Body shells from USA • Motors from Brazil • Drive Shafts from Italy • Assembled in Taiwan • Sold around the world
Categories of Supply • Supply chains comprise nodes and links • Nodes – organisational risk • Links – network risk
Understanding the total costs of ownership • Not just the purchase price, but ….. • Increased transport costs • Increased inventory financing costs • Increased uncertainty of supply • Longer lead-times • Less visibility and increased likelihood of “bullwhip” effect • Loss of control in quality • Longer development cycles for new products • Increased exposure to security risks
Changing Times & An Uncertain World • In a complex inter-organizational supply chain it would be difficult if not impossible for anyone to identify every possible hazard or point of vulnerability.
Why Are Today’s Supply Chains So Vulnerable? • Widespread adoption of ‘lean’ practices • The move to off-shore manufacturing and sourcing • Out-sourcing and reduction in the supplier base • Global consolidation of suppliers • Centralised production and distribution • All of which combine to make supply chains vulnerable to disruption
The Sources of Risk in Supply Chain • Supply risk • Demand risk • Process risk • Control risk • Environmental risk
Location Of Risk In The Supply Chain SUPPLY RISK PROCESS RISK DEMAND RISK NETWORK/ CONTROL RISK Environmental Risk
The Sources Of Supply Chain Risk Demand Risk Process Risk Supply Risk • Loss of major accounts • Volatility of demand • Concentration of customer base • Short life cycles • Innovative competitors • Manufacturing yield variability • Lengthy set-up times and inflexible processes • Equipment reliability • Limited capacity/bottlenecks • Outsourcing key business processes • Dependency on key suppliers • Consolidation in supply markets • Quality and management issues arising from off-shore sourcing • Potential disruption at 2nd tier level • Length and variability of replenishment lead-times Network/Control Risk Environment Risk • Asymmetric power relationships • Poor visibility along the pipeline • Inappropriate rules that distort demand • Lack of collaborative planning and forecasts • Bullwhip effects due to multiple echelons • Natural disasters • Terrorism and war • Regulatory changes • Tax, duties and quotas • Strikes
Supply Chain Risk Is Systemic • The biggest risk to business continuity may lie outside the company in the wider supply chain • The complexity and inter-connectedness of modern supply chains increases their vulnerability to disruption • Environmental risks are outside our control, but systemic risk is created through our own decisions
Supply chain risk (i) “The entire Japanese vehicle industry ground to a halt following an earthquake that stopped production of piston rings for engines provided by Riken, the industry leader in the domestic market. Toyota, in particular, was forced to stop operations at all 12 of its domestic plants.” • Financial Times, 24 July 2007
Supply chain risk (ii) “A fire at a key Philips semiconductor factory in 2000 caused a worldwide shortage of the radio frequency chips used by both Nokia and Ericsson. Nokia immediately lined up another source and redesigned other chips so they could be produced elsewhere. However, Ericsson responded more slowly and lost an estimated $400 million in mobile phone handsets.” - MIT Sloan Management Review - Summer 2006
Supply chain risk (iii) “Yesterday it emerged that ice-cream supplies may run short because Unilever’s only UK factory, based in flood-stricken Gloucester, has been closed for the past ten days. The company usually manufacturers five million ice-creams and lollipops a day at the plant. It has stocks in freezers but it could be days before normal production resumes. Industry insiders predict that there will now be an ice-cream war as rival brands attempt to exploit Unilever’s predicament and gain market share.” • The Times, 31 July 2007
Changing Times & An Uncertain World • ‘Known’ problems are only part of the picture • Known Unknowns, Knowable Unknowns and Unknowable Unknowns • Y2K: The Millennium Bug • Creeping Crises (e.g. Foot and Mouth disease) • Post 9/11 Security Matters • Corporate Scandals, Operational Risk and Business Continuity
Known Unknowns • Known Unknowns • We know that there exist uncertainties, which we know how to solve • ‘Known known’
Knowable Unknowns • Knowable Unknowns • There are some uncertainties which we don’t know how to solve, We may choose ignore or face it
Unknowable Unknowns • Unknowable Unknowns • However, there are still uncertainties that we don’t know that we don’t know
Y2K: The Millennium Bug • A ‘Known known’ example • In the UK, the government encourage businesses to take the necessary measures to prevent system crashes, and engage in business continuity planning
Y2K: The Millennium Bug • As a result, nothing happened and the government was delighted, believing the planning had saved the country from disaster • But the non-event left many managers skeptical as to whether the costly preventive measures had really necessary?
Y2K: The Millennium Bug • Y2K is one of the intractable problems about proactive measures to improve organizational and supply chain resilience • If successful, mean nothing happens, but leads to questions of value or cost/benefits justification • It is very difficult to make a business case for proactive ‘just in case’ measures to improve resilience
Creeping Crises • The outbreak of foot and mouth disease(FMD) in British livestock herds in February 2001 resulted in damage to whole sectors of economy • FMD was a known threat to livestock, albeit one that had not been seen in UK for a generation • The impact is engaged in production and distribution of food
Creeping Crises • But FMD also affected car manufacturers and fashion houses across Europe because of the shortage of high-quality leather • All ‘knowable unknowns’ events could be the example of ‘creeping crises’ • Creeping crises show the fact that supply chains are more than value-adding mechanisms underlying competitive business models • Supply chains link organizations, industries and economies, they are part of the fabric of society
Post 9/11 Security Matters • The events of 9/11 were so far out of risk managers’ field of reference, that they can be classed as “unknowable unknowns” • The closure of US borders and the grounding of transatlantic flights dislocated international supply chains making supply chain vulnerability front page new
Post 9/11 Security Matters • Post 9/11, new security measures were hurriedly introduced at US border posts, ports and airports, affecting inbound freight to USA, including: • Container Security Initiative (CSI) • CSI looked to new technology to pre-screen ‘high risk’ containers before they arrived at US ports • Customs-Trade Partnership (C-TPAT) • C-TPAT is a ‘known shipper’ programme, which allows cargoes from companies certified by US Customs to clear customs quickly
Corporate Scandals, Operational Risk and Business Continuity • In the world of corporate risk management events(e.g. 9/11) were unfolding that would push ‘operational risk’ to the top of the corporate agenda • The Enron Corporation collapsed in late 2001 • Once held up as a model of best practice corporate risk management • Another three companies quickly followed
Corporate Scandals, Operational Risk and Business Continuity • New regulation, Sarbanes-Oxley Act(SOX) is noteworthy • SOX requires full disclosure of all potential risks to corporate well-being within the business • Board members have become more interested in identifying ‘knowable unknowns’ and have turned to risk management and to Business Continuity Management(BCM)
The Risk Management Challenge High Consequence/ Impact Low Low High Probability of Occurrence • Where can we reduce the probability? • How can we reduce the consequence?
The Risk Management Challenge • Decision Theory and Managerial Tendencies • Objective Risk and Perceived Risk
Decision Theory and Managerial Tendencies • Concerned paid little attention to uncertainty surrounding positive outcomes, viewing risk in terms of dangers or hazards with potentially negative outcomes • Managers focus on the possible losses associated with plausible outcomes • Decisions involving risk are heavily influenced by their impact on the manager’s own performance targets