There have been many positive developments in supply-chain security in recent years. The threats posed by terrorism and organised criminal networks have driven both technological and procedural security enhancements to better protect
high-value and high-profile cargo. The roll-out of sophisticated supply-chain IT systems has also enabled near real-time tracking of goods in distribution channels to customers, as
well as from suppliers to manufacturing
sites. All of these enhancements serve to better protect and secure supply chains around the globe.
Not all developments need to be new and shiny. The re-emergence of piracy in some waters has seen the need to resort to armed protection on cargo vessels, a conventional but nonetheless effective security countermeasure reminiscent of a bygone era.
The impacts of recent natural disasters have shown that ‘security of supply’ for organisations has a nuanced difference to ‘supply chain security.’ However the nuance can be significant – such as in the case of several major corporations who suffered as a result of the devastating earthquake and associated tsunami of 11th March 2011 on Honshu Island, Japan. It has been our experience with some clients, as well as our observation generally, that many risk assessments and business-continuity plans have not extended deeply enough into the supply chain to effectively mitigate worst-case risk scenarios.
The challenge is to make supply chains robust enough to not only continue operating in this risky business environment, but also to turn this resilience into competitive advantage.
As helpful as it is in establishing effective supply chain security, ISO 28000:2007 – Specification for Security Management Systems for the Supply Chain can mislead organisations into thinking that it will guarantee supply in the event of worst-case scenarios. The fault often lies in the thoroughness of applying risk-mitigation measures, particularly in the area of business-continuity planning and management. In risk-management plans we usually see the main threats adequately identified and the subsequent risk ratings assessed with both qualitative and quantitative accuracy. However it is in the area of risk-treatment plans where we often see gaps or glib statements as to how the risk will be managed.
Where there is the potential loss of a key supplier through complete destruction of one of their facilities, or even their sole facility, we often see business-continuity actions within plans listed as “shift to alternate supplier” or “use safety stocks and source from an alternate supplier.” This approach is appropriate if there is then further assessment of the availability of alternative suppliers and the time it would take to shift to that supplier and get supplies delivered. Then, following such an assessment, decisions can be made as to how the company wishes to approach the matter. Typical strategy questions that arise are:
- Should you identify a potential supplier but undertake no formal contracting due to IP or competitor sensitivities?
- What is the cost of establishing multiple suppliers? Is it in excess of the assessed cost of maintaining greater safety stocks to cover the supply outage period in an emergency?
- What is the residual risk? Is it so high that you should shift to a completely different supplier with a lower-risk profile?
This is by no means an exhaustive list of questions that will arise and in the end it is a business decision to weigh up the risks. Most companies will transfer some of the risk through insurance, which will cover the financial risks; however, you cannot completely underwrite your reputation and market share. Any strategy that simply seeks to insure against losses and not effectively mitigate the risks faced, to minimise the impact on reputation and market share, is simply giving up market share to those who will seek to fill the gap.
It is true that these strategies and questions are easier to deal with where supply is plentiful and available through multiple channels. Complex supply chains, such as those within the automotive industry, often face greater risks where many thousands of components must be available at the time of manufacture or the production line simply stops. Some specialised components are understandably restricted to a small number of suppliers, or even just one, representing a single point of failure.
In such cases, larger safety stocks could be maintained, and at the very least, the supplier should be called to prove its own resilience through risk assessments and business continuity plans. Extra inventory, however, is expensive to hold, particularly when preparing for large, infrequent disruptions. Also, as demonstrated by ‘Lean’ and ‘Six Sigma’ processes, it can lead to inefficient operations that result in increased costs and reduced quality. By contrast, increasing supply-chain flexibility can help a company not only withstand disruptions but also better respond to the routine fluctuations of the marketplace.
To build in flexibility for resilience, companies must involve many facets of supply chain design by:
- Developing the ability to move production among plants, use interchangeable and generic parts in many products and cross-train employees
- Using concurrent processes of product development, ramp up production and/or distribution
- Designing products and processes for maximum postponement of as many operations and decisions as possible in the supply chain
- Aligning their procurement strategy with their supplier relationships.
These principles create not only resilient supply chains that can recover from disruptions but also flexible supply chains that can respond to day-to-day demand changes.
Companies who have built their supply chains to respond to significant demand fluctuations have also built in the ability to respond to supply shortages.
Where suppliers have developed plans to guarantee supply, the audit process of such plans needs to be extremely thorough and comprise experts from your own staff as well as industry professionals in business continuity. Companies should set standards contractually with suppliers but then may also choose to assist them to meet those standards through the provision of planning templates and expertise.
In summary, supply-chain security has long been more about resilience than pure security and most readers will appreciate this. However, although it is a lesson often identified in reviews following serious interruptions, it is often not a lesson learned.
Grant Strudwick is Executive Manager of Crisis and Security Consulting, Control Risks Australia Pacific.