Paul Vanderspek, a clinical professor at Colorado State University, insists that "a number of factors have contributed to an increase in the risk of a supply disruption"; but, the most important factor "is the global nature of today's supply chains." Vanderspek's comments were contained in an article written by the editorial staff at SupplyChainBrain. ["Strategies for Reducing Supply-Chain Risk," 13 August 2012] The article notes that in order to reduce costs associated with extended supply chains "companies have undertaken a variety of business practices – including lean manufacturing, just-in-time delivery and supply-base reductions – that have served to increase risk. The impacts of those initiatives include fewer buffer stocks and less ability to respond to sudden and unanticipated change in demand."
In a number of past posts, I have noted that there exists a natural tension between lean principles (aimed at reducing costs) and resilient principles (aimed at increasing reliability). Companies that adopt strategies that are too lean greatly increase the chances of experiencing disruptions while companies that adopt strategies that are overly resilient risk becoming non-competitive since resilient supply chains are more costly to maintain. That's why companies need to find a "zone of balanced resilience" that addresses both costs and reliability. For more on that topic, read my post entitled Supply Chain Resiliency Still an Issue.
Dennis Omanoff, chief supply chain officer at McAfee, adds another globalization-related risk that isn't discussed as often as some others -- cyber security. ["A new and growing threat for supply chains," Modern Materials Handling, 9 November 2011] He writes:
"The volume and sophistication of cyber threats from totalitarian governments or nefarious individuals are increasing exponentially. This 21st-century threat jeopardizes not only our information infrastructure, including in the supply chain community, but also all levels of high-tech software and hardware products that connect with local or enterprise-wide networks, either hardwired or wirelessly."
Omanoff writes, "More than natural disasters, financial instability or political upheavals, what keeps me up at night is the fear that bad guys are injecting bad stuff into products that can disrupt, bring down or steal confidential information from networks." To underscore this point, Microsoft reports that some computers made in China come from the box with viruses already present. ["Right from the box, new computers made in China found with hidden virus, Microsoft suit says," Associated Press, Washington Post, 13 September 2012]
Speaking about things that keep people up at night, supply chain risk management continues to rise on the list of things that business executives worry about. A 2011 survey about things that worry business executives conducted by Crimson & Co places supply chain risk management at number 6 on the top 10 list of concerns. ["Ten issues that keep supply chain leaders awake at night," Supply Chain Standard, 8 November 2011] The survey involved "300 senior decision makers from more than 200 companies." Returning to Professor Vanderspek's thoughts, he notes that another trend that "stems from the globalization of supply chains" involves "longer shipping distances and lead times, and the heightened complexity of trade." If that weren't enough to worry about, he also notes that "companies have to account for such factors as currency shifts, political unrest, cultural differences, piracy and natural disasters." Adding to that complexity, he notes, is the "growing uncertainty of demand and shrinking of product lifecycles" which makes "the job of matching supply with demand" more difficult than ever before. The SCB article concludes:
"Businesses need to profile their risk exposure carefully and in depth. They must determine what can go wrong, the likelihood of any given occurrence and its potential impact. It starts with the 'pull-your-head-out-of-the-sand' phase, examining such possible disruptions as labor strikes. Each event should then be assigned a probability of high, medium or low. Finally, companies need to assess the financial impact of any event. 'Just answering those three questions can go a long way toward helping to understand risk,' Vanderspek says. Actions to be taken to minimize the impact of a disruption include the formation of a crisis management team, specifying who will lead the effort and the precise chain of command. Companies also must know how they will allocate scarce resources. They should have a full understanding of each product line and the resources attached to it. 'You want to avoid infighting when you're dealing with a crisis,' says Vanderspek. Other measures to be taken in advance include the formation of a detailed strategy for ensuring the continuity of suppliers and materials in times of crisis."
George Gibbons argues correctly that it's not enough to know who in charge when a crisis occurs, you need to know who is in charge of risk long before a crisis emerges. ["Who’s responsible for supply chain risk? Supply Chain Standard, 17 July 2012] He writes:
"Given the wide diversity of supply chain risk that most companies are exposed to, shouldn’t we be thinking about just who in the organisation should be responsible for keeping tabs on it? Supply chain risk exists in many varied forms. Damage to revenue may be inflicted by transport disruptions, natural disasters, strikes, political unrest – all of which may interrupt supply of product to the consumer or components to the factory. For these forms of impact to the supply chain, a logistics or materials operations management role might be considered an appropriate position to monitor and respond to such issues."
Gibbons notes that "creating a culture where risks are mapped, measured and balanced" is just as important as creating a risk management group on an organizational chart. The reason for that is because risk management often falls "between different functional silos." He explains:
"Some may see responsibilities residing in procurement, others perhaps, in logistics. In some organisations where supply chain encompasses procurement and logistics a central, co-ordinated approach to supply chain risk may be possible. But in general, different departments have different responsibilities and this lack of co-ordination can introduce risk."
Omanoff reminds us that the IT department needs to be a part of this coordinated effort. He writes:
"Supply chain professionals charged with manufacturing and delivery processes should look beyond traditional threats such as tsunamis, demand volatility or financial degradation and take extra precautions to ensure that technology products in particular are safeguarded from viral attacks. ... Compromising a company's IP can jeopardize an entity’s competitive advantage, cut into market share and even endanger our customers' reputations."
Richard Sharpe, CEO of Competitive Insights, says that with so "many things that can go wrong in today's extended supply chains" dealing with them all "can make managing supply chain risk seem overwhelming." ["Keys to Mitigating Supply Chain Risk," SupplyChainBrain, 15 August 2012] The article continues:
"While everyone is concerned about supply chain risk, the pervasive attitude is that there is not a lot that can be done about it – at least, not at a feasible price, he says. Sharpe is out to reverse that line of thinking. 'We are encouraging people to recognize that many risks can be mitigated, and you don't have to spend lot of money to do it,' he says. Sharpe says the key is to focus on three basic principles: identify the risk, develop an effective mitigation strategy and then measure activities associated with the risk."
Sharpe told that SCB editorial staff that organizations must recognize that "identifying the risk, 'is not a one-size-fits-all exercise.'" Sharpe told the staff, "What a company identifies as a high priority risk will depend on its unique circumstances." When trying to identify and prioritize risks, an organization must begin by identifying its most essential assets and processes. Then it must conduct a "what if" exercise to explore ways that those essential assets and processes might be at risk. Sharpe says, "Once risks have been identified and prioritized, a company needs to look at each one and determine the most appropriate and cost-effective risk management strategy." The article continues:
"For example, introducing redundancy by adding a supplier or producing a product at more than one facility is a common mitigation approach. Such strategies might be part of a larger contingency plan associated with that risk, he says. Having these decisions made by a cross-functional team also is important, Sharpe says. 'You need to have all the stakeholders in the company involved in the conversation,' he says."
Obviously Gibbons would agree with Sharpe on that last point. Sharpe concludes, "With a mitigation plan in place, the final step is to measure activities associated with the identified risks." Although the future may see more regionalization within the overall context of globalization, I doubt that the complexity of supply chains is ever going to decrease. That means the sooner an organization puts an effective supply chain risk management process in place the better it will be positioned for the future.