When Iceland’s Eyjafjallajökull volcano erupted in April 2010, airline flights across the Atlantic were disrupted for days, and global supply chains for fruits, fresh flowers and other products were interrupted severely. When an earthquake, tsunami and nuclear meltdown hit northern Japan in a year later, automakers and electronics manufacturers in Asia and North America lamented that some key suppliers couldn’t comply with their delivery dates, forcing slowdowns in production and frustrating buyers.
In these cases and others like them, many companies have been stymied because there was no way to forecast where and when the next natural disaster would occur. So what kind of analysis and strategic initiatives should companies enact to mitigate their short- and long-term supply chain risks? What lessons have companies learned from the turmoil of the past few years?
Spurred by new, heightened concern about extreme weather events, discussion groups such as the World Economic Forum and the Council for Supply Chain Management Professionals have intensified their efforts to create comprehensive frameworks and common standards for evaluating and enacting risk-mitigation initiatives that are proactive and strategic, rather than reactive or tactical.
The World Economic Forum’s Supply Chain Risk Initiative in 2011 was the first in a series of actions to explore the systemic risks and vulnerabilities of global supply chains and transportation networks. Its initial report on that initiative, launched at the 2012 annual meeting of the WEF in Davos, Switzerland, examined the possibility of these risks causing serious disruptions to global supply chains, while highlighting the need for companies to shift their focus from a reactive to a proactive stance.
In January, the WEF published a blueprint for resilient supply chains based on four core components: partnerships, policy, strategy and information technology. The report outlines recommendations aimed at guiding multi-stakeholder engagement. Systemic risks are characterized by “global geographic scope, cross-industry relevance, uncertainty as to how and when they will occur, and high levels of economic and social impact requiring a multi-stakeholder response,” the report noted. Such risks are “magnified by the way supply chain systems are configured; and cannot be mitigated by individual actors. Risk management must be an explicit but integral part of supply chain governance.”
Noting that various institutions have different perspectives about supply chain risk assessment, the report made these key recommendations: institutionalize “a multi-stakeholder supply chain risk assessment process rooted in a broad-based and neutral international body,” mobilize international standards bodies to “further develop, harmonize and encourage the adoption of resilience standards,” incentivize organizations “to follow agile, adaptable strategies to improve common resilience” and “expand the use of data sharing platforms for risk identification and responses.”
The report also outlined three requirements that have emerged from recent WEF-sponsored workshops and dialogues: First, the need for a common vocabulary when talking about risk; second, the need for improved data and information among those involved with supply chains; and third, “the need to build greater agility and flexibility into resilience strategies.”
The CSCMP, meanwhile, presented its members with a formal structure for identifying — and mitigating — the root causes and impacts of various risks commonly facing supply chains. Known as the Supply Chain Risk Identification Structure, it’s designed to create a common language for supply chain professionals to address the challenges companies of all sizes and in all sectors face.
One Question, Many Answers
Why is there an urgent need for such a formal structure? “Ask 100 different people the same question — ‘What does supply chain risk mean to you?’ — and you will get lots of different answers,” said Richard Sharpe, CEO of Competitive Insights, an Atlanta-based provider of supply chain software. “For some people, risk means terrorist attacks. For others, it means port closures, IT infrastructure vulnerability or the financial collapse of their suppliers. Since supply chain risk means so many different things to so many different people, it is hard to communicate with people without having a common language and structure to think about supply chain operating risks.”
Another issue facing many companies regarding risk management is that they focus on the cause of a particular threat, rather than its results, said Richard Sherman, president of Austin, Texas-based consulting firm Gold & Domas. For example, when companies hear about a devastating weather event, leadership often tries to figure out the best way to protect the company from the same type of disaster occurring in the future.
“It doesn’t matter what happened to cause a company to lose a key supplier” or to suffer a different sort of disruption to its supply chain, Sherman said. “What matters is finding answers for such questions as: ‘What do we do if we lose any key supplier?’ or ‘What do we do if any one of our key plants goes down?’ Risk management is all about ‘What if I lose something?’ It is not about ‘Why did I lose it?’ ”
The CSCMP Approach
The CSCMP’s SCRIS framework is designed to make it easier for supply chain specialists as well as senior executives at companies with complex, often globalized supply chains to identify and address the what-if scenarios most relevant to their specific operations. It makes no sense for companies to prepare a contingency plan for a specific disaster such as a tornado, Sherman said, because “the odds of winning such a bet are so small, so it is not worth the planning.”
Long before SCRIS was unveiled last November, this sort of proactive approach had become standard operating procedure at global corporations such as Coca-Cola, GE, Ford and GM, analysts note. Many of those companies already have developed a “risk management culture,” said Walter Kemmsies, chief economist at Moffatt & Nichol, a global infrastructure and transportation advisory firm. “It is already in those companies’ blood to go after supply chain risks.”
But many smaller companies have yet to do so, he added, because they don’t understand the increasing vulnerability of their global supply chains, or they lack the resources to tackle its increased complexity.
The SCRIS model makes sense, said Tom Linton, chief procurement and supply chain officer at Flextronics International, a $30 billion electronics manufacturing services company with more than 200,000 employees and operations in 30 countries. For a company such as his, however, there is no such thing as a simple way to map risk because of the different variables that come into play, including sites, vendors, ownership, locations, materials, strategy and internal politics.
“The model probably works well for a supply chain that isn’t too complex,” Linton said.
Three Ways to Manage Risk
Broadly speaking, three sorts of mitigation strategies emerge from the SCRIS approach, according to Sharpe, its co-author. The first category involves redundancy. In a simple example, if a company has only one distribution center for its products, it risks a major failure in its supply chain if that distribution center can’t operate for a significant period of time. An appropriate redundancy strategy might involve building a second distribution center. Or leadership might decide the company needs to use at least two transportation carriers each month to service its best customers because high-quality customer service is absolutely vital to its business model.
Second, some strategies involve contingency planning, Sharpe said. In such a case, company leadership identifies their top-priority risks, and then develops an action plan contingent on certain negative events taking place. Employees must be trained in that plan, and it must be communicated to all relevant stakeholders in and outside the organization. “A lot of people set up a war room and an action plan after the event, but by that time, you are racing against time,” Sharpe said.
If, for example, a company waits until after a key supplier goes bankrupt, it may find it can’t satisfy customers’ orders. “You then have to deal with the reality of significant profit losses, lost market share and diminished shareholder confidence,” Sharpe said. “That’s why you focus on mitigation activities in advance of the event.”
A third kind of mitigation strategy involves changing corporate policies, he said. In such a case, companies “change their operating policies to be less vulnerable to an identifiable, prioritized risk.” In one notable example, Toyota decided not to rely on single suppliers for any of its vehicle components following Japan’s tsunami and nuclear disaster. The earlier approach left Toyota vulnerable when single-source suppliers were forced to shut down.
Contact Alan M. Field at firstname.lastname@example.org.