If supply chain practice ever needs a fashionable rebranding, we could do worse than style ourselves "risk managers", for in these economically and politically febrile times, managing and mitigating risk is an increasing part of what we do.
And unlike some other functions, the supply chain sees the full range of risks. There are several varieties: some have always been with us, others are new developments, or at least new priorities. The traditional risks – the ship sinks, the computer crashes, the warehouse burns down – have tended to be things over whose occurrence supply chain management has little direct control. The effect can be roughly assessed as the product of probability of the occurrence and its impact on business, and mitigating measures taken. Those might range from holding buffer stocks to buying insurance to investing in computer back-up.
With faster moving and more global supply chains, the risks that are consciously bought into the supply chain assume more prominence. Sources, suppliers and goods may be less familiar, may have little track record and are harder to control, and if things go wrong the comforting remedies of English contract law may be hard to apply. There may be more movements, more partners in the chain, greater exposure to political, geographical and even criminal hazards that may be poorly understood.
Thirdly, there is a new class of problem, where the supply chain itself is the risk to the wider public. Legitimate supply chains can be seen as vectors for perils as diverse as international terrorism, people smuggling, or the introduction of alien pathogens to an unsuspecting environment. And of course all these classes of risk interact.
The recent World Economic Forum at Davos, Switzerland, received a report, "Global Risks 2008", which highlighted supply chain as one of four key areas, alongside systemic financial risk, food security and energy. These other three are much in the news; supply chain risk, or what the report calls "hyper-optimisation and supply chain vulnerability", less so. The sort of risk the WEF is most concerned about is exemplified thus: "In September 1999 global semiconductor prices nearly doubled following an earthquake in Taiwan… Supply chains frequently appear to disperse risk between multiple parties, but they can also … lead to an unrecognised aggregation of risk". The report goes on to talk of supply chains "serving as a transmission of global risk". WEF suggests that "effective management of global risks requires a collaborative and co-ordinated approach in public-private partnership at an international level".
Luis Olivie is COO of Achilles, an international consultancy that helps firms identify, quantify and qualify suppliers worldwide, as "leaders" in collaborative services for sustainable procurement, and helping customers minimise risk (including CSR risk) in the supply chain.
His firm, he says, tackles several different types of risk. "Our supplier pre-qualification systems include risk management across the spectrum of Health & Safety, environment, CSR, financials, quality, legal compliance, insurances and so on. We are evidence-based, looking at documentation, certificates, and using our local resources to verify these things on the ground, so that we can warrant to the potential buyer that the supplier is indeed in the particular situation they claim, and that will qualify them to meet the buyer's minimum standards".
But pre-qualification is not enough in itself, says Olivie. Achilles also has continuous monitoring and auditing routines to track, for example, changes of ownership or contact details, which may be symptomatic of greater underlying changes. Working through "communities" of buyers, the compliance burden on suppliers is reduced, but equally, continuously updated data can be squirted into clients' SAP or equivalent systems. Indeed, Achilles is setting up a distinct Audit and Assessment Services operation globally to do just this.
A new area for Achilles, says Olivie, is in the verification not just of supplier firms but of their employees, especially where, as in many outsourcings, these employees may be entering customer premises. In many countries, the buying company may find itself liable if, for example, an on-site contractor is employing illegal labour, and so this is, says Olivie, a natural extension of Achilles' activities.
Richard Pascoe, a consultant at Morse, confirms that in the global supply chain retailers, in particular, are desperate to get to market first, but are finding themselves out of their depth in trying to manage situations they are not used to in, for example, the Far East. For Pascoe, communication is the key. "It isn't just language – there is a big risk from partners who can't, or won't 'communicate' – even though you think they are communicating". There are different possible approaches – you may have teams travelling the world; you may have your own office in, say, Hong Kong to keep an eye on Asia. The old approach was to use agencies – but since most agents would now be indigenous rather than ex-pat, the communication and cultural problems may still persist. Outsourcing the responsibilities to a 3PL has similar problems – are they really part of your team? One thing Pascoe insists on is the merit of "bringing things into your system as early as possible – over there, so that things are checked before they start the deep-sea leg".
With so many risks in so complex a space, clearly a rigorous systematic approach is indicated. Harjot Sachdeva is director of hi-tech solutions at i2. He says "Most people look at risk as being about natural disasters. But there are also political risks, economic risks, a lot of operational risks that are still not fully under our control, and market risks. Defining risk means different things to different people, but think of what it is not! Exclude the typical things: risk management is not about responding to daily exceptions, which should be within your forecast error range.
"You need to look at a systematic process of identifying elements of risk in the supply chain, quantifying their impact, and making decisions by trading that impact against the expected cost of mitigating the risk, and you do this a priori".
Sachdeva says the first step is to create "heat maps" of the different risk elements which in the supply chain come in three dimensions. "There are demand and supply side risks – eg uncertainty of demand, competitive pricing on the one hand, supplier or quality failures on the other. There are supply cost risks, which you may be able to have hedged but only if you recognise the underlying factors: the price of crude oil affects the price of petrochemicals which affects the price of plastics which affects the price of the toys which are what your supply chain is actually about. The risk is not so much that, but that you may not be able to increase your selling price to compensate.
"And then there are the obvious logistics risks – fires, breakdowns, damage, shipwreck and so on".
"You need to run different scenarios, in a decently accurate representation of the supply chain – you can't do it in Excel or the back of an envelope, because you can't understand the interactions; the contracts, the capacities, the people. You need robust systems to run different supply and demand scenarios, right through from 'normal' operation with some unfactored event, through to scenarios like a complete plant shutdown".
So far, businesses have made very much their own judgement on the assessment and management of risks, subject perhaps to a few contractual conditions imposed by customers – an insistence on dual sourcing, say, or of a minimum level of stock holding. But this is changing. ISO, the International Standards Organisation, has published its first internationally ratified benchmark document on incident preparedness and continuity management, and of more immediately practical application, the first award under BS 25999 on business continuity has been made, as it happens to logistics major TDG.
Simon Beesley, who enjoys the impressive title of business continuity & continuous improvement manager technical services – operational excellence at TDG, describes what was required and how it works.
"The key thing", he says, "was our realisation that with supply chains becoming increasingly complex and dispersed, and with greater pressure to reduce costs and improve quality, there is a dilution of understanding of supply chain risks. Fewer people understand all the risks, and that alone increases the likelihood of risk turning into disruption. Also, the focus on cost reduction has taken contingencies out: fewer buffer stocks equals less resilience so the end user is more likely to feel the impact.
"We can cover our own risks through business continuity planning, and improve our own resilience, but also, if they are willing, we can advise and work with our customers. Business continuity planning is going to become increasingly key in customers' selection of outsource partners".
BSI were looking for pilot sites for the new Standard, and TDG offered one of their sites dedicated to a national retailer. So how did the process work? Beesley says "We basically ripped up everything that had gone before, and followed the Standard as written around the Business Continuity Life Cycle. We set the scope with the site management and the customer – this scope was actually quite narrow, since the operation was essentially warehouse only, but we built a project plan, with a bit of guesswork on what it would take to cover each part of the Standard.
Site centric plans
"A key part", says Beesley, "was that the plan was formed and carried out by the site, for the site – not by me centrally. That way, there is less risk of it getting 'stuck in a drawer' once someone has moved on. We spent a lot of time with people from each function, looking at every activity, its frequency and importance. That produced 85 Post-It notes.
"And it was obvious that in a lot of cases it is the small things that cause the problem or risk. We have seen other organisations with very high level planning, that doesn't work in a crisis because they haven't got the level of detail".
The next stage was to link the Post-It notes together to create a hard core of processes plus a lot of "peripheral" (but not unimportant) activities. "We narrowed our focus onto the key backbone activities and carried out an impact analysis in much more detail, covering the interdependencies between TDG, our suppliers and customers, and the impacts on every stakeholder over varied timescales – there is a great difference between a two hour disruption and a two week failure.
"From there we went on to risk assessment, sites, locations, risks, likelihoods of impacts, and what strategies might already be in place to reduce either the likelihood of an event or its impact. That can be matters as diverse as Health & Safety procedures, through to IT back-up. Actually, we found that this site was in fairly good shape".
The important thing, says Beesley, is not looking at the type of incident, but its impact on the business, in terms of loss of access, skills and people, IT or whatever. This process was ongoing during last summer's floods, and this site had in fact been flooded before so there were ideas and measures in place. But the point is that if you have for example lost use of a facility for an extended period, it doesn't matter that much whether it is because of fire, flood, or movement bans due to foot and mouth: the business impact, and the recovery plan, is much the same.
Another important point, says Beesley, is to identify with the customer how quickly, and to what service levels, they are expecting a restart. Any customer is at first going to say "we want everything, now", but in reality it is a non-obvious question. If you are distributing building materials, say, it may make sense to use as much of the site as you still can, and make other provision for what you can't supply. In a grocery supply chain, there may be real commercial reasons for shifting all activity, at least temporarily, to another site or supplier, rather than try to supply multiple outlets with part loads from a partially-crippled site.
All this underlying "business", Beesley stresses, has to be done before writing the plan – a lot of people, he says, seem to write the recovery plan first, without understanding the underlying business issues.
In fact, says Beesley, there are two types of Plan: Incident Management Plans, which are overall, and incident specific. The site came up with 15 of these, and they should give everybody a view of roles and responsibilities, task lists, communications, media response and so on.
Then there are Business Continuity Plans, which are written around scenarios and focus more on day-to-day interruptions, albeit on a bigger, broader scale. The sort of actions that might come out of these would include, for example, a need to cross-train particular groups of staff.
Over and above these is exercising and monitoring. The BS requires that each plan does get tested to a suitable degree. You probably aren't going to simulate a total warehouse loss in real time (customers might not be too understanding) but there are aspects that can be exercised for real, particularly those involving senior and front-line managers. Such exercises help train people in their roles and responsibilities, but may also suggest revisions to the plan.
An important element, Beesley stresses, is not to let plans lie dormant. They need maintaining, most obviously, when any part of the organisation itself changes, but also management needs to ensure that the plans and their purpose are still widely understood. The final part of the lifecycle, therefore, is embedding continuity management into the culture. "We've engaged with people across the business right from the start. Everyone has received presentations, and we check their understanding through questionnaires. BCM features in the induction of all new staff, and in monthly communication days, so the profile remains high". Consciously, TDG has chosen not to create huge print-outs but to produce the whole set of plans on disk.
Fortunately, TDG's planning, which is being rolled out across their sites in the same process, although not all will necessarily apply for BS certification, has not yet been seriously tested. But somewhere, somehow, someday it will be, and owners, staff, suppliers and customers will sleep that bit easier knowing that there are plans and, more importantly, that TDG's people know what those plans are.