By Alan M. Field

When Iceland’s Eyjafjallajökull volcano erupted in Iceland in 2010, airline flights across the Atlantic were disrupted for several days, and global supply chains for products like fruits and fresh flowers were severely interrupted. When a mega-tsunami and nuclear meltdown hit Northern Japan in 2011, automakers and electronics manufacturers in Asia and North America lamented that some key suppliers on the other side of the world could not meet their deliveries, forcing slowdowns in their Asian production scales, and frustrating North American buyers. In these cases and others – including ‘Superstorm Sandy’ in 2012 — North American manufacturers, forwarders, third-party logistics providers and carriers came away focused on the sad fact that there was no way they could ever forecast where and when the next natural disaster would occur.

However, supply chain specialists at the Council of Supply Chain Management Professionals (CSCMP) – an international organization headquartered near Chicago, Illinois – have developed a very different perspective that could have a major impact on the way North American companies mitigate the broad array of risks that increasingly confront their international supply chains. In 2013 and beyond, CSCMP is spreading the word about that perspective so that global companies in North America and elsewhere can develop a more realistic plan to address the kinds of risks that they can actually mitigate.

New york hurricane sandy

The lessons from larger companies: Building a risk-management culture

So far, few companies outside the truly global names like Coca-Cola, GE, Caterpillar, “already have a risk management culture,” said Walter Kemmsies, Chief Economist at Moffatt & Nichol, a global infrastructure and transportation advisory firm. “It is already in those companies’ blood to go after supply chain risks.” The global automakers – such as Ford, Chrysler, GM, Honda, and Toyota – are also on this list of firms that are ahead of the curve when it comes to mitigating risks because they have developed extensive experience managing global supply chains.

In Canada, starting in 2006, Russ Doak, a Vancouver-based supply chain practitioner, began building multiple-layer risk-assessment and contingency plans for such major companies as Kodak, Canadian Helicopters, and Seaspan Corp.’s marine shipbuilding division. According to Mr. Doak, his plans laid out detailed strategies for dealing with all kinds of what-if alternative situations. What if, for example, a container got stuck on a particular route, or if shipments from key suppliers or geographical locations were delayed. “We would formalize the plan [about such scenarios] and present it to our CFO or the senior Vice-President of Operations; whoever would be most impacted or displayed the greatest interest in corrective action,” said Mr. Doak. If any such event occurred, the companies could respond right away with a targeted plan.

Focusing on the impact of disasters, not their causes

These kinds of initiatives are not happening in most other companies, according to supply chain risk specialists. Mr. Kemmsies said that genuine “awareness of supply chain risks is still low” and most companies in North America are still just reacting to supply chain events, rather than taking a strategic, forward-looking view in advance of disastrous events.

What’s needed is a fundamental change in mindset, experts say. “The biggest issue facing companies regarding risk management is that they focus on the cause of the risk, rather than on the result,” said Richard Sherman, President of Gold & Domas, an Austin, Texas-based consulting firm. Too often, noted Mr. Sherman, when companies hear about a devastating weather event, they react by trying to figure out the best ways to protect themselves from the next such weather event. They don’t realize that disaster risk mitigation is all about the impact of the disasters; not about their causes. Mr. Sherman said, “It doesn’t matter what happened to cause us to lose a key supplier” or to suffer a different sort of disruption to our supply chain. What matters is to focus on finding answers for such questions as: ‘What do we do if we lose any key supplier?’ ‘What do we do if any one of our key plants goes down?’ Risk management is all about ‘What if I lose something?’ It is not about ‘Why did I lose it?’” Moreover, disaster risk management encompasses not just the physical side of supply chain risks, but their financial side. Supply chain specialists need to ask themselves, ‘What if we were to take a $100 million loss?’ ‘How well are we prepared to meet that loss?’ ‘Am I looking at alternatives?’ It makes no sense for companies to prepare a contingency plan for a specific disaster like a tornado, he added. “The odds of winning such a bet are so small, so it is not worth the planning,” Mr. Sherman said.

On the other hand, noted Mr. Sherman, leading companies now “recognize that they have to be prepared to face losses, and so they prioritize those losses, and they don’t put all of their eggs in one basket. They look at their risks and the impact of those risks, but they don’t think about the cause because the causes are infinite.” Mr. Sherman noted, for example, that the New Madrid seismic zone—where the states of Missouri, Kentucky, Arkansas, and Tennessee meet—lies in the middle of the North American tectonic plate, thousands of miles from the plate boundaries where earthquakes usually occur. “The mathematical chances of an earthquake occurring there are low, but if that fault moves, it will be a big one,” said Mr. Sherman. And yet the chances of that happening are so low, it makes no sense to prepare specifically for that disaster. Mr. Kemmsies noted, “These are two types of risks: Those risks that are not manageable, for which you buy disruption insurance for your freight; and those risks that are manageable. The problem with disaster risks is that they are discovered in the worst way, and that you find out under the worst circumstances. Most manufacturers are still struggling to figure out how to manage those risks. Supply chain risk management is still in its infancy.”

Until recently, most North American companies sourced their components and raw materials in North America and sold only in that region. But more and more companies are now developing and expanding international supply chains. In the case of Canadian firms, going international no longer automatically means doing business in the United States, where traditional suppliers are quite familiar and hardly distant from production facilities and customers in Canada. When Canadian and U.S. companies extend their supply chains into Asia, Latin America or other distant locations, “They have to go through a different learning curve” that often starts out quite uncomfortable, noted Mr. Kemmsies. Assessing and mitigating the risks in this extended supply chain – with its new and unfamiliar supply chain partners — is not for the faint-hearted.

Identifying the root causes of supply chain disruptions

Ask one hundred different people the same question, ‘What does supply chain risk mean to you?’ and you will get lots of different answers, said Richard Sharpe, Chief Executive Officer of Competitive Insights, an Atlanta-based provider of supply chain software-as-a-service that provides companies with information about their operational costs, profits and risks. “For some people, risk means terrorist attacks; for others, port closures; for others, IT infrastructure vulnerability; for others, the financial collapse of their suppliers; and so on. Since supply chain risk means so many different things to so many different people, it is hard to communicate with people without having a common language and structure to think about supply chain operating risks,” Mr. Sharpe added.

There are many ways to worry about risk, and many ways to measure its potential for damaging your company, noted Mr. Sharpe. “It all depends, of course, on the kind of risk that has the highest potential to disrupt your ability to service your customers’ orders.” In those cases where they have reason to worry about the financial risk of a vendor going bankrupt, companies traditionally collect the usual data about their suppliers and even resort to doing their own surveys of their most important suppliers. “But it is often a trickier business than that, figuring out exactly how much operating risk your supply chain is facing,” added Mr. Sharpe. The key question is: What kinds of changes in conditions put me at risk of suffering a significant financial loss? To figure that out, you have to ask the right questions, based on your knowledge of your own unique supply chain. If, for example, you are shipping flowers across the Atlantic to North America, an appropriate question to ask would be: ‘How many of our lanes are using 90 per cent of our traffic?’ In posing such a question, it is immaterial whether or not such traffic is moving by air, land or sea. What matters is figuring out if your shipments are highly vulnerable to a disruption in a single traffic lane. And if you find out that a large percentage of your traffic – say, 90 per cent — is moving in only one or two lanes, you can set up alternate, redundant air routes for transporting those flowers to North America with other carriers.” Had European flower exporters asked themselves that question in advance of the Icelandic volcanic eruption in 2010, they could have significantly mitigated the resulting disruption to their trans-Atlantic supply chains – even if they had entirely failed to foresee the volcanic eruption in Iceland.

How can companies measure their risks? Mr. Sherman suggests that companies begin by identifying those attributes that are most critical to their success, and then carefully prioritizing those attributes. “Answer the question: What if I lost those capabilities and attributes?” If your company’s brand value is critical, for example, ask yourself: ‘What if we lost 50 per cent of our brand value when one of our product lines is found to be defective?’” In each case, “Don’t worry about what it is that happens – and leads to this outcome (i.e., a loss in brand value)” said Mr. Sherman. “It could be anything. The more you can identify your vulnerabilities, the more you can identify the threats – and then optimize the opportunities.” Supply chain managers need next to prioritize all of their risks, using various factors to consider what is most serious for their kind of business, customers, and business model. “You go after the risks that are material to you,” said Mr. Sherman, whether they involve weather, financial risks, commercial risks (such as the failure of a key supplier), technological failure (your IT systems fail) or supplier risk (one of your major trucking carriers goes bankrupt.) Mr. Doak cautions supply chain practitioners to remember that every company’s supply chain is unique in some respects. “The worst thing is to paint them all with one colour.”

Supply chain and risk are really two sides of the same coin, said Mr. Doak. “One side is the head and the other is the tail.” Rather than view risk management as something entirely negative, Mr. Doak advises corporate managers: “If you start to look at risk as more of an opportunity, it will force you to take out waste by looking at better processes.”

Enacting mitigation strategies

Broadly speaking, there are three forms of mitigation strategies, said Mr. Sharpe. First, there are those strategies that are built using redundancy. A very simple example would be if you have only one distribution center for your products, you risk a major failure in your supply chain if that distribution center can no longer operate for any significant period of time. And so a redundancy strategy would be to build a second distribution center. In another set of circumstances, redundancy may result in a different strategic decision: You may decide that your company needs to have at least two carriers each month in order to service your best customers because high-quality customer service is absolutely vital to your business model. In such a case, you may have a legitimate reason to fear driver shortages, which may make it impossible for you to service those customers. Or you may fear for the financial viability of one of your trucking carriers, so you can’t take the risk that that carrier won’t deliver reliably.

Second, there are strategies that focus on contingency planning. In this approach, you identify your top priority risks, and then develop an action plan that is contingent on certain negative events taking place. You train people about that action plan, and you communicate that plan to all relevant people in your organization as well as outside partners. Mr. Sharpe said, “A lot of people set up a war room and an action plan after the event, but by that time, you are racing against time.” If, for example, you wait until after a distribution center is significant or until after a key supplier goes bankrupt, you may find that you can’t satisfy your customers’ orders. “You then have to deal with the reality of significant profit losses, lost market share and diminished shareholder confidence. That’s why you focus on mitigation activities in advance of the event,” he added. A third kind of mitigation strategy involves adjusting corporate policies that may not actually involve any additional costs but that reduce a targeted operating risk. Mr. Sharpe said, “You change your operating policy to be less vulnerable to an identifiable, prioritized risk.”

Such a change in operating policy may result from previous failure to enact an appropriate action plan in advance of a major disaster that has already taken place. Take, for example, the tsunami that caused major delays in Toyota’s production supply chain because the Japanese automaker had single-source suppliers in both Tier One (which provide final equipment to automakers); Tier Two (which produce components for Tier One suppliers) and Tier Three (which supply raw materials used in the production of components.) After the disastrous aftermath of the tsunami on its supply chain became clear, Toyota made a policy change that involved increased redundancy: It eliminated many single-source supply arrangements, making it less likely that its manufacturing supply chain would be disrupted by disruptive events that shut down – or severely limited the output from – any single high-tier supplier.

Mr. Kemmsies warns against taking too narrow a view of your company’s risks and vulnerabilities. When companies identify and prioritize their risks, they need to take a comprehensive view of their supply chains; a broader view that incorporates the supply chains of their key suppliers, no matter where they be located, not just the supply chains within their own company. “Most people think that their supply chain begins from the moment they take control over a shipment to the moment that they give it to a customer,” Mr. Kemmsies said. “The problem is that you cannot think that way now.” He noted, for example, that when it comes to the supply chain for auto bumpers, a broader view of that supply chain would encompass the resin plant in Europe where that resin is produced. “One resin factory in Germany [recently] had a fire that shut down the plant for weeks, and impacted the U.S. auto industry,” said Mr. Kemmsies. “Everyone needs to realize that we are living in an age of the ‘global organization of production and distribution’ — in which supply chains are very long and very intricate.”

Mr. Doak advised supply chain managers to look beyond their Tier One suppliers, and investigate the supply chain processes and performance of their Tier Two and Tier Three suppliers. Too often, “You have a relationship with Tier One suppliers but not with your Tier Two suppliers,” said Mr. Doak. That means your company doesn’t know enough about your Tier Two suppliers to assess the quality of their products and the service they provide. It is important to remember that the quality of the materials you receive via Tier Two suppliers is critical to building and maintaining your company’s brand. “There has to be some gain sharing with your suppliers to get them to take an interest in this process,” he said. Boeing Corp., which has suffered significant quality-control issues regarding its new Dreamliner aircraft, apparently “did not go far enough” with respect to monitoring its suppliers, said Mr. Doak. Mr. Kemmsies added, “Companies need to analyze their entire supply chain to examine risks that potentially affect the production and delivery of their raw materials. Don’t just look at the guy in Germany who supplies the components to you, but at the guy who supplies the raw materials to the guy in Germany — and the one who supplies the materials to that guy…”

“Companies have adopted longer supply chains because they reduce costs,” Mr. Kemmsies added. “But in economics, there is always an opportunity cost; and the lower costs that are a benefit from globalizing your supply chain come with a higher degree of risk that a disruptive, distant event at a supplier’s plant, or in a remote port, will impede your company’s ability to bring your products to customers in a timely fashion”.

Building a formal structure for identifying risks

Although international banks and insurance companies utilize well-defined processes for assessing their risks, noted Mr. Kemmsies, when it comes to supply chain and operational risks, “there is no catalogue of business risks, and there is no pre-set method for researching, identifying and mitigating risks.” Mr. Doak agreed.

However, in an effort to address that challenge, CSCMP unveiled a formal Supply Chain Risk Identification Structure (SCRIS) last November, which it hopes will become the standardized method that companies use in to assess their specific risks, and develop cross-functional strategies for dealing with them.  “When done correctly, mitigation activities are based on a cross-functional understanding of the defined risk and the potential financial consequences of the risk, if it is should actually occur,” according to the Introduction to a CSCMP summary of SCRIS. Mr. Sharpe, in conjunction with Competitive Insights LLC, played a key role in developing this initiative. According to CSCMP, “the intent is to help minimize any misunderstanding of the area of risk being addressed in preparation for mitigation and measurement strategies to be developed.” Mr. Sharpe added, “We are focused on proactive mitigation; we are not reactive.”

The savviest global companies are already taking a broad view of their entire global networks and attempting to answer such highly focused questions as “What if we lost this node in our transportation network – or that particular node? What would it cost us?” According to Mr. Sherman, experienced scenario planners at Nabisco, Ford, GM and elsewhere are asking such specific “what-if” questions as: What if we lost this or that facility? What if we lost this or that carrier? What would be the impact on our ability to serve customers, and how much financial damage might that mean, if we don’t plan ahead properly? In drawing up such scenarios, it doesn’t matter how, for example, a particular carrier is ‘lost;’ hypothetically, such a carrier might go out of business or be unable to provide service because of a severe shortage of drivers. Or a weather event might disrupt service on a key traffic lane used by the carrier. Or a key competitor could buy up a lot of a carrier’s capacity, leaving your company with insufficient capacity to truck your goods to key markets.

A key difference between financial risk and supply risk, however, is that financial risks are “pretty tangible and pretty clear,” said Mr. Sherman, whereas the dimensions of supply chain risk are often not as tangible, nor so obvious. For example, it is much easier to recognize the impact of the loss of income from a bankruptcy than it is to quantify the impact if your major supplier in Asia is hit by a super storm, or if a volcanic eruption shuts down a key air cargo lane across the Atlantic.

What risk management means for ports

What role do ports play in the new approach to supply chain risk management? Strategically viewed, each port is a valuable asset that could be disrupted by a wide range of events that have a wide range of origins. These could include natural disasters, such as hurricanes and tornados, but also man-made events such as acts of terrorism (e.g., dirty bombs); or a prolonged labour dispute; and so forth. Because of the widespread perception that ports are highly vulnerable to man-made disruptions – including terrorism and labour disruptions — huge additional investments have already been made to enhance the physical security of port facilities and the cargo containers that pass through them, noted Mr. Sharpe. Vast sums have been spent on enhancing cargo security at the ports by investing in RFID hardware and software, and other monitoring equipment. None of this sort of thinking is new, thanks to the legacy of the 9-11 disaster in New York.

In another respect – that of redundancy theory – the mindset of supply chain professionals is likely to change with respect to ports. In the past, most products destined for North America’s East Coast from Asia came to the West Coast, and were then shipped by truck and intermodal service across the North American continent. But as the next generation of larger cargo ships begins to pass through the expanded Panama Canal, that can provide East Coast importers with additional choice in the ports they use. Supply chain partners along the East Coast could opt to balance their loads by shipping via the Panama Canal, in order to reduce the risk that a port on the West Coast is subject to any of the common risks – natural or man-made – that affect seaports.

Organizational Challenges

Unfortunately, in many companies it may be quite challenging to get support or “buy in” from senior management for forward-thinking supply chain risk mitigation initiatives, say supply chain analysts. One way to recognize whether a company is a leader in risk mitigation is to search the corporate hierarchy for the name and title of someone who focuses on that issue night and day, Mr. Kemmsies said. “How many companies have a Chief of Logistics, who has thought about the impact of seasonal events in your business?” added Mr. Kemmsies. “Many do not. But those companies that operate truly global supply chains need to have a Chief of Logistics.”

Unfortunately, many companies fail to make public their supply chain risk mitigation strategies even if doing so might help their own customers and other companies benefit from the best practices of the leading firms. The reason, said Mr. Sherman, is that “a lot of companies don’t like to expose their vulnerabilities,” any more than they might expose their marketing strategy or the details of their research and development plans. Unless they have no choice – because of a widely publicized disaster — most companies also don’t publicize any events that dramatize their vulnerabilities, such as container cargo theft. In some high-profile, publicly traded corporations, senior executives cannot travel without a bodyguard because of fears of kidnappings and political harassment, said Mr. Sherman. But such companies don’t publicize the details of such plans because doing so would inevitably compromise their executives’ security.

To get internal buy-in for a more strategic approach to supply chain disaster risk management, “the whole company has to understand why you are doing this,” said Mr. Kemmsies. That means reaching well beyond the logistics department. He added that supply chain specialists need to build buy-in from other key people throughout the organization by explaining that supply chain risks are more extensive and pervasive than they might otherwise realize. When a company operates in a location well-known for its physical risks – like some areas of Africa or Latin America – it’s not hard to understand why personnel has to be protected from the risk of violence. But it can be a great deal more difficult to explain the benefits of other kinds of targeted mitigation strategies.

That’s why supply chain analysts agree that there needs to be a “common language” for describing these risks; for analyzing them, and for taking action to mitigate them. That’s where CSCMP’s new Supply Chain Risk Identification Structure comes in.