Site moved to, redirecting in 1 second...

86 posts categorized "Risk Management"

November 01, 2013

SAP Discusses the Future of Business, Part 2

In Part 1 of this two-part series, I indicated that I divided the facts presented in an interesting SAP slideshow entitled "99 Facts on the Future of Business" into thirteen separate categories. In that post, I discussed the first five categories: Big Data; Business Leadership; Customer Service/Experience; and Education. In this post, I'll discuss the remaining eight categories, namely: Emerging Markets; Innovate or Perish; the Internet of Things; Risk Management; the Supply Chain; Targeted Marketing; Urban Growth; and a Miscellaneous category. SAP introduced the presentation by explaining:

"Business Innovation is the key ingredient for growth in the future of business. Changes in technology, new customer expectations, a re-defined contract between employees and employers, strained resources, and business and social networks are requiring businesses to become insight-driven businesses. In this presentation, we have gathered 99 facts that represent the changes taking place in the world today. Each fact represents a key insight and suggests where we need to focus and change to become viable, sustainable and growing future businesses."

As noted in Part 1, I placed these facts into thirteen categories to help paint a more coherent picture of the future as seen by the analysts at SAP. In the first post, I included the first five categories: Big Data; Business Leadership; Customer Service/Experience; and Education. In this post, I'll discuss the remaining eight categories, namely: Emerging Markets; Innovate or Perish; the Internet of Things; Risk Management; the Supply Chain; Targeted Marketing; Urban Growth; and a Miscellaneous category.

99 Facts

To continue reading this post, click on this link to the new Enterra Insights site.

October 01, 2013

Cyber Security: A Growing Risk to Supply Chains

Guy Carpenter, a reinsurance brokerage firm, recently published a report highlighting emerging risks facing the (re)insurance sector. One of the three emerging risks identified was cyber risk. The other two risks were climate change and space risk. ["Cyber, Climate Change And Space Highlighted As Critical Emerging Risks In Guy Carpenter Report,", 8 September 2013] Insurers and reinsurers are constantly looking for risks that could affect their bottom lines. Some of those risks could affect their own operations, but most of the risks identified could significantly and negatively impact the companies they insure. Cyber risks fall into both categories. Concerning cyber risks, the article states:

Cyber_keyhole"Instances of cyber attacks are indeed on the rise and have reached alarming levels. Moreover, cyber risks are not isolated and are usually connected to other seemingly less obvious risks. For example, the immediate risks associated with a cyber attack can range from legal liability and computer security breaches, to privacy breaches of confidential information. Reputational damage is another concern. A company may also be vulnerable to risks to their supply chain as a result of cyber threats, as technology has become a critical enabler of a supply chain's operations. According to the report, technology failure and cyber attacks represent a greater threat to most organizations than adverse weather, fire and social unrest combined. Given the growing loss potential from supply-chain risks, companies need to ensure they understand their supply chains and offer all data to their insurers. Every company that utilizes technology and collects or handles data should therefore consider cyber insurance cover. The (re)insurance sector has reacted quickly to cyber developments and now offers coverage that addresses nearly all aspects of technology-based risk faced by modern companies."

Over the past few years, supply chain disruptions caused by natural disasters have captured most of the headlines. That's why it may come as a surprise that cyber risks to supply chains are a greater risk than adverse weather, fire, and social unrest combined.

Zurich, another insurance company, is also keeping its eye on cyber security. In an article written for Zurich, Catherine Bolgar writes, "One of the biggest threats on every executive's minds is cyber security. Businesses are more dependent than ever on information technology." ["Emerging Risks," Supply Chain Risk Insights, 8 April 2013] Bolgar continues:

"The new cyber security breaches are 'not for taking assets or taking money, but to control assets,' says James B. Rice Jr., deputy director of the Center for Transportation and Logistics at the Massachusetts Institute of Technology in Cambridge, Massachusetts. 'Many operations are managed by machines, and it's quite possible for somebody to wrest control of those.' An indication of the potential damage is the Stuxnet worm that attacked Iran's nuclear facilities in 2010. As with social media, the threat can come from disgruntled employees, pranksters or hackers. Risk also can come via suppliers. Companies evaluate risks in terms of physical operations and facilities, but they 'don’t always think about the maintenance providers that have access to service the facilities in person or remotely,' Mr. Rice says. 'That represents a significant opportunity for bad actors to take action, whether against a particular company or against infrastructure to cause a systemic risk.'"

Kirsten Doyle reports that Edna Conway, chief security strategist at Cisco, expressed a number of concerns about cyber security at a conference earlier this year. Conway was concerned that "today's supply chain is reliant on a complex network involving the movement of goods, services, funds and information across a range of parties worldwide. This makes the supply chain vulnerable to not only cyber attacks and disruptions, but also cyber espionage." ["Securing the supply chain," ITWeb, 16 May 2013] Conway told conference participants, "We have to get security right, and apply it across the supply chain. We need to think end-to-end. Introduce a security model that moves away from the endpoint. We need to capture failures within the supply chain, so the customer is never affected."

Michael de Crespigny, CEO of the Information Security Forum (ISF), an international association that focuses on cybersecurity issues and information risk management, told CSO magazine that supply chains are increasingly a target for hackers. "It's a case of the hackers identifying the weakest link and breaking in," he observed. ["Supply chain the new tempting attraction for hackers," by John P. Mello, Jr. (CSO), Network World, 10 April 2013] De Crespigny continued, "Criminals are seeing the supply chain as a means of accessing information they wouldn't otherwise be able to get from a large, proficiently run, well secured global organization." Supply chain analyst Bob Ferrari agrees with de Crespigny that supply chains are sometimes the weakest link in corporate networks. This is because those networks must often connect with other, less secure, networks. Ferrari writes, "The weakest links in global supply chains, namely supplier networks, can sometimes be the target of [cyber] attacks. Insure that your supplier audits involving strategic suppliers include some basis of insuring that adequate information security measures are in-place." ["The Growing Threat of Cyber Attacks Across the Global Supply Chain," Supply Chain Matters, 20 May 2013]

Earlier this year, you might remember reading about how the Chinese military is conducting persistent cyber attacks against both government and commercial organizations. As Kathrin Hille reported, "Western governments are ... accusing China of sponsoring aggressive, highly co-ordinated and long-running cyber espionage campaigns against the rest of the world, often in pursuit of corporate and military secrets." ["Chinese cyber crime: More crooks than patriots," Financial Times, 19 May 2013] Hille pointed out, however, that not all cyber attacks emanating from China are government sponsored. She related the story of six young Chinese men who decided to attack Foxconn on a whim. As a result, she concluded, "Governments and companies must design their defences to resist not only state-sponsored attacks but also threats from half a dozen young men looking to make a quick buck by extorting a multinational."

If there is any good news in all of this, it may be "that supply-chain attacks are harder to carry out and require more resources than other modes of attacks." At least that is what "officials from four industry groups and one research institution" told the Government Accountability Office. ["Is supply-chain risk overstated?" by Mark Rockwell, FCW, 22 May 2013] Rockwell reports that most experts agree that software vulnerabilities ("like malicious software uploaded to equipment through the Internet") greatly outweigh hardware vulnerabilities. Rockwell writes, "Three network providers told [the] GAO the most common anomalies found in equipment were caused by unintentionally bad coding in their software. A third-party testing firm, however, said the anomalies could lead to exploitable vulnerabilities." Rockwell noted that Roger Schell, senior computer scientist at the University of Southern California, spoke earlier this year at the SAS Government Leadership Summit in Washington, D.C. At that conference, Schell indicated that "software manufacturers ... are not doing nearly enough to protect their users. As evidence of the oversight, he cited a recent government-sponsored 'red team' practice attack on a U.S. armed forces computer network in which the team replaced six lines of code in a Windows XP program, resulting in loss of control of the program."

Supply chain professionals are not generally IT professionals as well. They don't write code, they are users of programs. It is up to the software providers to help make supply chains more resilient to cyber attacks. As more losses are accumulated as a result of cyber risks, I suspect that insurance companies will start identifying software providers that place their clients at greater risk of cyber attacks. With so much at stake, neither governments nor companies can treat cyber risks lightly.

September 13, 2013

Supply Chain Risk Management: Judging Appetite and Capacity

SCE Magazine reports "that company executives are coming under increasing pressure from customers, shareholders and regulators, to better address the issue of supply chain risk." ["Just How Resilient Is Your Supply Chain?" SupplyChainBrain, 3 September 2013] This increasing pressure is undoubtedly the result of a string of major supply chain disruptions that has plagued global supply chains over the past decade. These disruptions have been caused by unexpected natural disasters (e.g., volcanoes and tsunamis) as well as man-made disasters (e.g., conflict and industrial accidents). The article notes that because "many businesses operate a 'just in time' production strategy to keep inventories low and the production of key components and other services is outsourced to reduce costs" even the slightest disruption can have significant perturbative effects. The article concludes:

Risk 02"To reduce the risks, companies need to make resilience of their supply chains a top priority. They need to ensure that they and their suppliers have business continuity plans that are capable of responding to any number of potential crisis scenarios. Executives should be aware that it is not just their own supply chain that is at risk, but any weakness in a supplier’s supply chain is also a problem. A common issue that companies often overlook is the risk beyond their immediate suppliers – to their suppliers' suppliers – and don't regularly assess the resilience of the risk mitigation standards of even their most critical suppliers."

Noted supply chain analyst Lora Cecere has been making this point for years. Even though supply chain risk management is rising on corporate priority lists, a recent study concluded that "only 41% of companies surveyed are considered to have 'mature' supply chain risk management processes." ["Majority of firms lack 'mature' supply chain risk management: survey," Canadian Underwriter, 13 August 2013] The article goes on to report that even though companies don't have mature SCRM processes, "nearly four in five mitigate against disruptions by implementing a dual sourcing strategy." If, however, the both sources are in the same general location, this strategy is only effective against man-made disruptions from a single supplier.

The report, entitled 2013 Global Supply Chain and Risk Management Strategy, was released by the Massachusetts Institute of Technology (MIT)’s Forum for Supply Chain Innovation and was written in collaboration with the audit and consulting firm PricewaterhouseCoopers. The report concludes:

"Our research validated that companies with mature risk processes perform operationally and financially better. Indeed, managing supply chain risk is good for all parts of the business - product design, development, operations and sales."

According to the article, respondents who participated in the study looked on potential risks with a fairly broad perspective:

"About half (53%) said raw material price fluctuations were sources of risk, 47% identified currency fluctuations, 34% identified environmental catastrophes, 28% identified raw material scarcity, 22% identified geopolitical instability, 22% identified supplier partner bankruptcy, 20% identified change in technology, 12% cited unplanned IT interruptions and 5% identified telecommunications outages while only 2% identified cyber attacks as sources of risk to their supply chains."

I'll explain in a future post why downplaying cyber risks could prove dangerous. Glen B. Alleman reminds us that "there are many definitions of risk from a variety of sources." ["More Uncertainty and Risk," Herding Cats, 5 May 2013] "In the end," he writes, "these definitions are all pretty much the same." The elements of most definitions, he points out, include:

  • "Risk involves the probability of something happening in the future.
  • "When that something happens it impacts the project in ways that are not good.
  • "There can be a probability of the effect of the impact as well.
  • "Handling the risk means knowing what kind of risk it is, and what the choices are for handling the risk."

He offers the following redacted definition of risk that he believes "can be used in probably any domain."

"Risk refers to the uncertainty that surrounds future events and outcomes. It is the expression of the likelihood (probability of occurrence) and (probability of) impact of an event with the potential to influence the achievement of an organization’s objectives." - Managing Risk in Government: An Introduction to Enterprise Risk Management, IBM Center for The Business of Government.

Supply chain analyst Bob Ferrari asserts, "Every supply chain management team needs to have ... vibrant supply chain risk mitigation and management plans in-place. Evidence continues to point to yet more profound reminders to the ongoing existence of supply chain risk." ["Yet More Evidence to the Ongoing Existence of Industry Supply Chain Risk," Supply Chain Matters, 19 August 2013] The question often arises about how much risk a company is willing to take. This is sometimes referred to as Risk Appetite. A blog entitled Riskviews lays out four strategies that can help a company determine whether it is suited to determine its Risk Appetite (see the image below).

Risk Strategies

The article explains these strategies this way:

"If your risk attitude is what we call MAXIMIZER, then you will believe that you should be able to accept as much adequately priced risk as you can find. If your risk attitude is what we call CONSERVATOR, then you will believe that you should mostly accept only risks that ... you are comfortable with. ... If your risk attitude is what we call PRAGMATIST, then you will believe that it is a waste of time to set down a rule like that in advance. How would you know what the opportunities will be in the future? ... You would think that it is a waste of time to worry about such an unknowable issue. Only the companies that are driven by what we call the MANAGERS would embrace the risk appetite idea. ... The risk managers should also be able to help the top management of the company to select the corporate strategic balance, reflecting the best combination of risks to optimize the risk reward balance of the company."

David M. Katz believes that Risk Appetite should always be partnered with another metric called risk-bearing capacity (RBC). ["How Much Risk Can Your Company Bear?" CFO, 23 April 2013] Katz insists that using RBC is necessary for companies "to gauge their appetite for risky, financially threatening activities." Katz indicates that he finds it puzzling that some "CFOs may be trying to judge risk appetite without the benefit of valuable quantitative metrics, like RBC." He continues:

"RBC is a prospective view of risk that is useful in establishing allocations of risk, capital or both to drive value for the shareholders and the organization as a whole. ... While RBC is calculated in different ways depending on the key performance indicators of a given company or industry, the common basis for the calculation is 'how much risk the organization can bear before [it becomes] insolvent,' said Carol Fox, the director of the strategic and enterprise risk practice at [Risk and Insurance Management Society (RIMS)]."

Katz points to a survey published by RIMS that concludes, "Given the widespread disconnect between senior management and risk pros, [companies] may have a long way to go." Douglas Macdonald, Procurement Portfolio Product Marketing Leader at IBM, indicates that best-in-class companies all share several characteristics when it comes to dealing with risk management. ["Develop risk management through an adaptable supply chain," SupplyChain Digital, 15 April 2013] They are:

"Risk Identification: Best-in-class procurement organizations use technology and information services as a starting point to identify sources of risk. Examples include:

• Identifying components sourced from either suppliers that are at financial risk or are concentrated in a specific geographic region more vulnerable to political conflicts or currency fluctuations.

• Identifying components of production that are either sole sourced or come from very specialized suppliers, thus increasing the company’s dependence on them.

"Risk Prioritization: Best-in-class procurement organizations perform 'what if' analysis and quantify the impact of supply risk for specific components and commodities. Armed with such analysis, they prioritize actions on those components and commodities that have the greatest potential impact on the business.

"Risk Mitigation: Best-in-class procurement organizations also go beyond mere risk identification, to actively manage and mitigate supply base risks."

I agree with Macdonald that the companies that will flourish in the decades ahead are those who implement adaptable supply chains that proactively manage and mitigate supply chain risks. Regardless of how careful a company is or how good of a risk management process it maintains, it is going to still face risks that are out of its control. How much risk it is willing to bear is something that that each company should carefully consider.

August 26, 2013

Preparing for Supply Chain Disruptions

"After tsunamis, protests, wildfires, and riots — to name just a few recent major disruptions — few managers can be unaware of companies' vulnerability to the vagaries of politics and extreme weather," writes Mary Driscoll. She editorially adds, "You'd think." ["Research: Why Companies Keep Getting Blind-Sided by Risk," Harvard Business Review Blog Network, 18 July 2013] "Yet," she reports, "three quarters of the 195 large companies surveyed recently by APQC got hit by an unexpected major supply chain disruption in the last 24 months." Driscoll's question is: Why are these disruptions unexpected in light of recent history? In many cases, she notes, "C-suite executives had to get involved in the fix-it process for a sustained period of time." She finds it even more puzzling that these disruptions were "unforeseen" considering that "these are the same senior executives and middle managers that have supposedly been embracing formal enterprise risk management (ERM) for some time." Which raises another question: "Why did these systems fail so spectacularly?" The quick answer is: Shortsightedness. Driscoll explains:

"Part of the problem stems from the familiar gap between the talk and the walk. Survey findings indicate that most organizations' leaders did indeed express concern about the impact of political turmoil, natural disasters, or extreme weather. But the findings also show that the people at the front lines of the business were hamstrung by a lack of visibility into risk. Nearly half said they lacked the resources needed to adequately assess business continuity programs at supplier sites. Many relied on the suppliers filling out perfunctory, unreliable checklists. It's likely that the push to protect profits during the recession made matters even more difficult for supply chain operators. Seventy percent of the respondents to the APQC survey say their organizations pruned their lists of suppliers over the past five years, with the intent to reduce costs. Moreover, nearly three-quarters (74%) of the companies over the period added suppliers physically distant from their facilities, with 63% acknowledging that their suppliers are located in areas of the world known for high-impact natural disasters, extreme-weather events or political turmoil. It appears the urge to source in low-cost regions clouded the cost-versus-risk calculus for some."

In several previous posts on the subject of supply chain risk management, I've noted that the "push for profit" can have a negative impact on supply chain resiliency. For example, in one previous post, I wrote:

"Time and again the issue of balance between 'lean' and 'resilient' supply chains is raised by risk management experts. In his doctoral dissertation entitled Supply Chain Resilience: Development of a Conceptual Framework, an Assessment Tool and an Implementation Process, Timothy J. Pettit, included a graphic that, in a very general way, illustrates why balance is the key.


"Pettit's point is that resiliency does come with a price that can erode profits. A lack of resiliency, however, can also affect profits and even expose a company to total failure. Hence, finding what Pettit calls the 'Zone of Balanced Resilience' is essential. In his abstract, Pettit writes, 'The business environment is always changing and change creates risk. Managing the risk of the uncertain future is a challenge that requires resilience – the ability to survive, adapt and grow in the face of turbulent change. ... Findings suggest that supply chain resilience can be assessed in terms of two dimensions: vulnerabilities and capabilities.'"

Analysts at the Strategic Sourceror state the problem this way:

"As a business attempts to become more efficient, it may make its supply chain increasingly vulnerable to risk. Businesses use strategies such as outsourcing, supplier consolidation and low cost sourcing to improve efficiency, but these practices can add risk and a supply chain is only as strong as its weakest link, [David Oxland and Richard Kettle from] Supply Management stated. Risk analysis in strategic sourcing is crucial, and failure to identify and minimize risks can lead to profit loss." ["Supply chain risk management important to business success," 30 April 2013]

Driscoll calls this the triple whammy: Lengthened supply chains; pruned supplier lists; and doing business in risky areas. The Strategic Sourceror article goes on to state that most companies enter outsourcing arrangements with their eyes wide shut. "Ninety percent of firms fail to perform a risk assessment before outsourcing, Supply Management found." Catherine Bolgar agrees with Driscoll that companies really have few excuses for being blind-sided by risks. "Keeping tabs on supply-chain risks sometimes seems like removing weeds in your garden," she writes, "every time you get one area under control, a new risk pops up." ["Emerging Risks," Supply Chain Risk Insights, 8 April 2013] Bolgar continues:

"Some companies still take a reactionary approach to supply-chain disruptions; more mature companies take a proactive approach. The best companies look farther out, toward emerging risks, for full resilience, says Nick Wildgoose, global supply chain product leader at Zurich Global Corporate, based in London. 'You're looking at future threats — or future opportunities. If you can cope better as an organization, you can perform better.' The more effective organizations carry out analysis with a long horizon."

Let's be clear, even with great analysis, no company can make itself immune to risks and supply chain disruptions. The best companies can do is make themselves more resilient. Last year Dr. David Simchi-Levi, a professor at MIT and founder of the consulting firm OPSrules, introduced something he calls the Risk Exposure Index. Simchi-Levi's methodology helps companies calculate the financial impact of supply chain disruptions as well as the estimated time to recovery or TTR. ["Risk Exposure Index Starting to Gain Traction, Change Supply Chain Thinking, David Simchi-Levi Says," Supply Chain Digest, 24 April 2013] Simchi-Levi told Supply Chain Digest editor-in-chief Dan Gilmore that "the effort to collect information on TTR across the supply chain changes a company's approach to risk management. First, such companies realize they don't have this data, and when they do collect the information there are usually some surprises. Second, the approach then often spurs companies to find ways to reduce TTR, and thus the financial impact."

Lloyd's, the world's largest specialty insurance market, notes, "As production networks and supply chains become increasingly globalised, localised incidents can have a number of major effects on every level of business at home and abroad – from manufacture to distribution to sales." ["Building Supply Chain Resilience," 8 May 2013] Tom Teixeira, a partner in the global solutions consulting group at Willis, told Lloyd's, "What people forget is the supply chain now is a global network and that’s why there really is a need to get into quite a lot of analytics to understand what the pinch points are." In other words, doing their homework should be an essential task for any company that relies on a global supply chain. Driscoll agrees. She writes:

"Supply chain disruption risks often [get] painted as ... operations-level risks and for that reason never [make] it onto the list of 15 or so major strategic/enterprise risks assessed and managed by the Chief Risk Officer's formal ERM process. Many ERM assessments focus on risks related to competitive strategy or the customer experience. The result is that too many boards don't think to ask about — and are not briefed on — the risks of, say, sourcing key components in risky regions of the world. They wind up blind, therefore, to many crucial strategic risks. 'The important thing is to figure out what might be a severe disruption and to do this you have to look down into the different tiers of supply. People at the top need to ask: "What might be out there that we are not currently aware of,"' says Dr. Paul Walker, an expert in ERM at St. John's University in New York."

There are no silver bullet solutions for assessing and mitigating supply chain risk. I like Bolgar's weed analogy: "Every time you get one area under control, a new risk pops up." Vigilance, analysis, and awareness are the keys to addressing the challenge.

August 22, 2013

Nasdaq Technical Glitch Highlights System Vulnerabilities

Trading today came to a sudden halt on the Nasdaq exchange as the result of a technical glitch. Jacob Bunge, Kaitlyn Kiernan, and Tomi Kilgore, reported that the"unexplained technical issue paralyz[ed] the market for thousands of securities and rais[ed] new questions about the robustness of U.S. trading systems following a series of high-profile glitches." ["Nasdaq Market Halts Trading," Wall Street Journal, 22 August 2013] They continue:

NASDAQ"The outage saw a large chunk of the U.S. stock market effectively come to a standstill at midday, freezing prices in stocks, exchange-traded funds and options listed on Nasdaq and prompting other trading venues to stop trading those securities. Dark pools and other electronic trading platforms were also forced to suspend trading in Nasdaq-listed stocks, since there were no publicly quoted prices on those securities, traders said. Traders said there was confusion about what stocks were affected, and that phones were lighting up across trading desks as investors tried to figure out what was happening."

The halt to trading lasted over three hours and Nasdaq shares dropped more than 3 percent. Bunge, Kiernan, and Kilgore concluded their article by noting that this "problem is the latest in a string of technology-related mishaps affecting exchanges and brokers as markets over the past two decades have migrated to electronic systems." As the following Bain & Company graphic shows, the financial services sector is enormous in terms of the amount of data it involves.

Bain & Company 01

Since the global economy took a nosedive in 2009, there has been a lot of chatter about organizations that are "too big to fail" without dire consequences. If ever there is a sector that is too big to fail without such consequences, the financial services sector is the poster child. Nowadays it is impossible to isolate the effects of financial failure. Regulators should use this latest wake-up call to force financial services organizations to conduct a vulnerability assessment and take measures to close vulnerability gaps. Enterra Solutions has developed a perfect methodology for such a task — patented Enterprise Resilience Management Methodology (ERMM)TM..

Today’s typical business organization operates in an environment of extreme complexity and enterprise stress. This is certainly true in financial services sector. Generally, companies continually face: Ongoing demands of new requirements, competition and operational performance; compliance pressures (e.g., regulations, directives, and policies); security threats (e.g., corporate espionage, cyber-intrusions, internal criminal activity, and natural disasters; and other business issues associated with investors, industry partners and all levels of domestic and international government organizations. Meeting these demands requires organizational systems that provide them with a high degree of visibility, insight, control, and responsiveness. These systems must also provide real-time information about external events and about internal processes; the ability to effectively intervene in those events and processes to minimize negative impacts; efficiently marshal information from any point in an organization and direct it to any other point; and redirect and adapt an organization's resources as needed when a threat arises or an opportunity emerges.

Most organizational systems fall short of this ideal and typically only provide static solutions to dynamic challenges. Enterra’s ERM Methodology takes a holistic approach so that an organization can identify and protect its most valuable assets. In addition, the enterprises’ existing legacy environments do not readily interface nor is their data easy to integrate (from a technical or security standpoint). These systems are often built around outdated policies that are continuously re-written and updated with the expectation that the technology will be able to immediately exploit them − nothing could not be further from reality.

The ERM Methodology diagnoses the security, compliance and performance requirements, and risks of organizations and determines how to make them resilient to those risks. Enterra’s approach to accomplish the goals for a strategic risk management program follows a four-step phased approach. Phase involves the initial assessment. During this phase, assets or nodes within an organization or a network that are critical for competitiveness and sustainability are identified along with the critical processes and functions that enable the critical assets. Additionally, security, compliance, and requirements that apply to each of the processes and functions are analyzed; along with business opportunities and prioritized business objectives. The analysis is performed at a level of detail such that the rules and processes may be later codified as needed into an automated SaaS solution.

The next phase is a design and build phase. During this phase, a design is developed for migrating information and converting business policies into rules sets and workflow logic that operate across systems and functional organization. The third stage involves solution delivery and the final phase is the operational phase. When fully implemented, the Enterprise Resilience Management Methodology integrates performance optimization, compliance, and security into a truly seamless and enduring solution that is embedded in advanced cloud service delivery.

July 05, 2013

Supply Chain Risk Management: Disruption Losses are Probably Under-estimated

Jennifer Baljko writes, "A new UN report that warns of $100 billion in annual losses from natural disasters should prompt supply chain managers to update risk management strategies and adopt more resilient practices." ["Prepare Your Supply Chain for Natural Disasters," EBN, 10 June 2013] Andrew Maskrey, lead author and head of risk knowledge at the United Nations Office Disaster Risk Reduction, says that it's the small disasters, not the big ones, that cause the most disruption. In the following video, Maskrey summarizes the study's findings.

In the video, Maskrey notes that no one really knows how much disruptions caused by natural disasters really cost businesses. He suspects the total is under-estimated because often only insured losses are reported. He also notes that disruptions from so-called small disasters cumulatively cost businesses more than losses from large disasters. Baljko writes:

"The report, 'Global Assessment Report on Disaster Risk Reduction 2013,' paints a gloomy picture. If news of direct economic losses from disasters walloping past $100 billion annually for three consecutive years -- a figure that does not include uninsured losses -- isn't nervous-making enough, the report says in its first sentence on its first page, 'the worst is yet to come.' Continuing population growth, rapid urbanization, climate change, and an 'approach to investment that discounts disaster risk' open up the possibility for more catastrophic losses. The report goes on to say that the full scale of disaster losses has probably been grossly underestimated until now:

One trillion dollars have been lost in the last decade due to disasters. Such statements are familiar to investors but they only partially reflect total disaster losses. Between 1981 and 2011, total direct losses in these countries were approximately US$305 billion... The implication is that the headline-grabbing figures recorded in global datasets over the last decade may be quite conservative. Once the losses associated with nationally reported smaller disasters are included, those figures are likely to be at least 50 percent higher. At the same time, these figures refer only to direct losses and thus exclude the cost of indirect losses and wider effects of disaster.

Baljko insists that "potential globalized supply chain vulnerabilities" should cause companies to shudder. In developed countries that are more resilient to disasters than less developed countries, like the United States and United Kingdom, "companies still have to deal with these issues. The report found that most of the 1,300 businesses surveyed in disaster-prone cities in the Americas noted power, water supply, and telecommunications disruptions were top concerns." She also notes, however, that the study is not all "doom and gloom." She writes, "The report also points out spots of silver linings and encouraging signs of progress. One notable shift is that public-private partnerships in risk management are proving to be valuable assets in times of crisis."

Unfortunately, too few companies do sufficient supply chain risk management planning. Jeff Karrenbaurer, President at Insight, Inc., told Dustin Mattison that this isn't too surprising considering the fact that companies don't get rewarded for their risk management efforts. "Wall Street certainly doesn't reward you for it," he stated. "They hammer you for it. It is ironic that the people who should be demanding prudent investment will hammer you for doing prudent management of the investment?" ["Supply Chain Risk and Vulnerability Planning," Dustin Mattison's Blog, 19 January 2012] Even though their efforts aren't rewarded, Karrenbaurer told Mattison that it "drives him up the wall" that companies don't put more effort into risk management.

About the same time that Karrenbaurer was talking to Mattison, Rachel Dines published an article in which she claimed that even companies that have disaster recovery plans don't exercise them enough to make them effective. "The chance that you could successfully recover IT operations without having exercised your DR plans on a regular basis is slim at best," she writes. "The chance that you could successfully recover and meet your recovery objectives is zero. Yet Forrester finds that exercising DR plans is one area in which many organizations continue to fall short." ["How To Improve Disaster Recovery Preparedness," CIO, 18 January 2012] Dines went on to offer "10 best practices for updating and improving your current DR exercise program." They are:

  1. Define specific exercise objectives upfront
  2. Include business stakeholders
  3. Rotate staff responsibilities
  4. Develop specific risk scenarios for your exercises
  5. Run joint exercises with Business Continuity (BC) Teams
  6. Vary exercise types from technical tests to walk-throughs
  7. Make sure to test all IT infrastructure concurrently at least once per year
  8. Identify members of the core Disaster Recovery Team
  9. Learn from your mistakes
  10. Report results to stakeholders

Those are all good suggestions. Designing exercises, however, is not as easy as one might imagine. Something that might help is determining what metrics you want to measure. Mallory Davies, Editor-in-Chief of Supply Chain Standard, notes that disasters resulting in disruptions affect various economic sectors differently. It makes sense, therefore, that different metrics must be used to assess risk in those sectors. "There is room for discussion over what should be measured," he writes. "The imperatives driving the food supply chain are significantly different to heavy engineering. A natural disaster, for example, will present risks to both, but the impact on each could be very different – and the metrics need to reflect that." ["New metrics to measure supply chain risk," 30 January 2012]

In another article, Davies discussed what Toyota did to improve its resiliency following major disruptions that occurred after the earthquake/tsunami hit Japan in 2011. "The clever thing," he writes, "is to find ways of improving resilience without a major increase in costs. And, according to a recent Reuters report from Tokyo, this is the approach that Toyota is adopting." ["A wake-up call…," Supply Chain Standard, 5 March 2012] He continued:

"Following the earthquake and tsunami of [in March 2011, Toyota] has been identifying the suppliers that are most at risk coming up with a list of some 300 locations that were single sources for parts. Options include ensuring that components are produced at more than one location, increasing stock holdings, or purchasing from additional suppliers. At the same time, Toyota is looking to increase the number of common parts across its product range and so offering economies of scale to its suppliers. Toyota has strong reputation for the quality of its supply chain management. The fact that it sees a need to make such wide-ranging changes should be a wake-up call to rest of us."

With all of the news coverage of global disasters, it's unimaginable that a company could be operating in a state of denial that at some point a disaster is going to affect it. Catherine Bolgar writes, "Disasters are an unavoidable risk in doing business. No place on earth is completely safe from some kind of natural disaster." ["Disaster Relief," Supply Chain Risk Insights, 11 June 2012] She continues:

"Disasters don't even have to occur nearby to cause a major impact on your company—Northern Europe was 2,000 kilometers away from the 2010 volcanic eruption in Iceland, which halted air transportation and disrupted supply chains. Natural disasters are particularly challenging because many facets of recovery are out of your control. Getting roads, ports or power back to normal often is up to government authorities. Your supplier may have escaped harm but not be able to send out goods, or its employees might not be able to get to work. While you might know a supplier is in an area prone to earthquakes or hurricanes or floods, you don't know exactly when such disasters might hit, nor how hard. It’s impractical — even impossible — to simply avoid doing business with suppliers in sensitive areas."

So what can you do? Bolgar reports that smart companies employ a number of strategies to mitigate the effects of a disaster. First, they avoid single points of failure scenarios. Bolgar writes:

"A chain is only as strong as its weakest link. In a supply chain, however, links are not equally important nor equally strong. The key is to identify the places where a bottleneck exists or where a disruption could hurt — often by looking at the potential impact on revenues. While commodity parts can cut costs and are easily replaced, customized parts and intellectual property are what differentiate a company's products from the competition. In an emergency, customized parts tend to be the most difficult to swap out, and will often require significant re-engineering and cost."

Even if a single point of failure is not a problem, sourcing parts or materials from a region might be. For example, Karrenbaurer told Mattison, "Over 90% of a particular resin which appears in every circuit board out there comes from Japan. Japan sits on a fault!" Should that concern makers of circuit boards? Absolutely. Otto Kocsis, global head of business resilience at Zurich, told Bolgar, "Everybody is trying to maximize efficiency and capacity, yet they have not taken the time to map the interdependencies and bottlenecks that expose them to added risk." Bolgar concludes, "It would make practical sense for companies to do more risk assessment work to ensure they understand their exposures better." The next strategy that smart companies utilize, Bolgar reports, is hedging their risks. She explains:

"Most companies' financial departments use hedging, for commodity contracts, currency swings and other risks. Though it trims some gains, it can protect investments during market drops. Companies have been less willing to employ similar methods on the operational side. While industry has been focused on getting lean and cutting costs, 'it pushes the supply chain into farther and farther reaches, and companies are not necessarily pricing the risk associated with those choices,' says Dr. [Willy Shih, professor of management practice at Harvard Business School]. 'We teach everybody about just in time and getting rid of inventory,' he says. 'That's contradictory. Where along that spectrum of tradeoffs do I want to be? Maybe we had the dial set too much toward lean, which makes you more susceptible to disruption.' Smart companies hedge their supply-chain risks, using the strategy or portfolio of strategies adapted to their industry and to the goods being supplied."

Because lengthy supply chains increase both the complexity and risk involved, Bolgar reports that more companies are beginning to nearshore manufacturing. She calls this "geographic hedging." She says they are also diversifying their supplier base. She warns, however, that this strategy comes with price. "Bigger orders usually mean lower prices," she writes. Spreading orders among a number of suppliers means that each of those orders is going to be smaller. Finally, Bolgar says that smart companies also maintain the best communication connections with stakeholders. She concludes:

"In disasters, accurate information might be difficult to get because it might be politically embarrassing for the affected country, or the extent of damage might cut off communication. 'Companies should assume the worst in these situations,' says Lyndon Bird, technical development director at the Business Continuity Institute in London. 'It's better to start to put in place strategies and capabilities you rehearsed.' Social media can back up traditional communications lines, especially if you have established good contacts with your supplier, both in getting good information quickly from the site of the disaster as well as in executing a response plan, says [Bob] Ferrari."

Baljko concludes that companies that do their homework are "less likely to invest in hazard-prone areas and more likely to invest in measures to reduce the vulnerability of their facilities and supply chains." Just as importantly, companies that do their homework won't overlook the smaller disasters that could affect their operations. Although they might not threaten complete devastation, they are more likely to occur and can still be costly.

May 21, 2013

Supply Chains: Growing Risk, Less Preparedness

In spite of the numerous supply chain disruptions that have occurred over the past several years, results from "the 2013 Aon Global Risk Management Survey points to a significant decline in risk readiness among many of the survey respondents. On average, reported readiness for the top 10 risks dropped a material 7 percent (from 66 to 59 percent) from the 2011 survey and reported loss of income increased 14 percent." ["Worrying trend emerges from 2013 Aon Global Risk Management Survey," PR Newswire, 22 April 2013] Not all industry sectors were found in retreat, "Of the 28 industries defined in the report, only three industries – pharmaceutical and biotechnology, non-aviation transportation manufacturing and agribusiness – reported the same or improved levels of readiness this year." A decline in risk readiness is a bit surprising since risk awareness has never been higher. This was underscored by the fact that the number of respondents to the 2013 survey was 47 percent higher than the number who responded to the 2011 survey. Risk sign clear

Stephen Cross, chairman of Aon Global Risk Consulting, stated, "One possible explanation of the decline in risk readiness could be that the prolonged economic recovery has strained organizations' resources, thus hampering the abilities to mitigate many of these risks. Our survey revealed that, despite diverse geographies, companies across the globe shared surprisingly similar views on the risks we are facing today – whether or not they feel prepared." Another possible explanation for the decline in risk readiness might be the result of increased risk awareness. Executives are no longer living in blissful ignorance when it comes to risks and, therefore, their sense of readiness may have declined.

Below is the Top Ten list of risks identified by respondents.

Risk Description

Risk rank - 2013

    Risk rank  - projected 2016

Economic slowdown/slow recovery



Regulatory/legislative changes



Increasing competition



Damage to reputation/brand



Failure to attract or retain top talent



Failure to innovate/meet customer needs



Business interruption



Commodity price risk



Cash flow/liquidity risk



Political risk/uncertainties



Judging from the top three risks (which aren't predicted to change over the next few years), respondents seem convinced that economic recovery is going to be sluggish even as competition increases. Kenneth Rapoza notes that those risks "are largely uninsurable," which may account for their high priority. ["What Keeps Business Leaders Up At Night?" Forbes, 23 April 2013] Cross told Rapoza, "The [insurance] industry globally should wake up and think that these are the risks and concerns their clients worry about most." Thinking about it and being able to do something about it are two different things. As Rapoza asserts, "It's one thing to insure an oil spill or lost cargo deep in the Pacific Ocean. But how does a German nuclear power company insure against legislative risk?"

The press release notes, "Political risk/uncertainties broke into the top 10 risks for the first time in 2013. Due to the increasing civil wars and social and political conflicts around the world, this risk is projected to move up to number six in the 2016 survey." For more on that topic, read my post entitled Geopolitics and Supply Chain Risk. In what was the biggest surprise to me, weather/natural disasters did not make the Top Ten list for 2013. It ranked number 16 (although it is "projected to jump into the top 10 list at number nine" by 2016). Most of the significant supply chain disruptions that have occurred over the past five years have been related to weather or natural disasters. Aon Global Risk Consulting analysts don't anticipate this will change "given the unusual climate patterns worldwide and an unprecedented increase in natural disasters and weather events." Rowan Douglas, Chairman of the Willis Research Network (WRN), asserts, "[The] breadth and impact of natural disasters in recent years, coupled with growing concern about the emerging effects of climate change on assets and business operations, have driven resilience to natural hazards high up the corporate risk agenda." ["Willis Report Warns of Growing Risks from Natural Catastrophe Exposures," Insurance Journal, 23 April 2013]

The next 10 risks on the survey list were:

11. Exchange rate risk
12. Technological failure
13. Third party liability
14. Supply chain failure
15. Corporate credit risk
16. Natural disasters
17. Property damage
18. Cybercrime
19. Compliance
20. Counterparty credit risk

A list of the Top 50 risks can be found by clicking on the following link. The Aon Global Risk Consulting analysts "uncovered several significant risks to watch, as these are perceived to be underrated risks." Those risks include: Computer crimes/hacking/viruses/malicious codes; Counter party credit risk; Loss of intellectual property/data; Social media; and Pension scheme funding. Norman Marks, who was a chief audit executive and chief risk officer at major global corporations for more than 20 years, believes there are other "massive risks that are faced ... by a majority of organizations and, even if they are recognized, are often accepted instead of corrected." ["The Important Risks That Are Overlooked but Should Come First," Marks on Governance, 23 April 2013] His list includes:

  • The board and top management setting organizational objectives and monitoring performance without sufficient information. ...
  • A failure to consider risks when establishing strategies and objectives. ...
  • Executives making business decisions without adequate, current, timely, and reliable information. ...
  • A failure to consider risk when making day-to-day business decisions. ...
  • An inability to monitor risk as it changes, which is very often at least daily. ...
  • A failure to communicate and explain the personal relevancy of organizational strategies to every manager and decision-maker. ...
  • Putting cost considerations ahead of the quality of the management team and the workforce in general. ...
  • Processes and systems that cannot move and adapt – a lack of agility. ...
  • A board that is unable to provide effective oversight. ...
  • A conflict between the personal interests of the executive team (short-term results, bonuses, stock appreciation) and the long-term interests of the organization as a whole. ...

Javier Gimeno, a professor in international risk and strategic management at INSEAD, agrees with Marks that corporate boards need to be more involved in risk management. "As part of the board's responsibility to endorse and monitor strategy," he states in the press release, "directors should gain an intimate understanding of the major strategic risks, possible scenarios and how the appropriate strategy allows the exploration of uncertainties and mitigation of strategic risks."

One thing that most analysts seem to agree upon is that because the world is more connected it is more difficult for companies to isolate themselves from catastrophes. Cross told Rapoza, "There's an inter-connectivity of global risk. What happens overseas can impact you anywhere." Phil Ellis, CEO of Willis Global Solutions Consulting Group, agrees, "Major catastrophes – so called 'black swans' – are not the rare risks they once seemed. Population density, urbanization, globalization and climate change make the world increasingly interconnected. A catastrophe in a far-off locale is no longer a remote risk; it could have an immediate impact on a company's operations. Risk modeling can help companies understand, quantify and articulate threats to the bottom line, which in turn helps them plan and prepare for these scenarios."

The Strategic Sourceror concludes, "Organizations that understand risk management is not just part of the business but a means to improve the organization can drive their bottom line. ... Early risk identification can be a method for minimizing the impacts of changes to a supply chain." ["Companies are less prepared for risk," 23 April 2013] A good place to start identifying potential risks to your business is the list generated in the 2013 Aon Global Risk Management Survey.

May 06, 2013

Food Security Requires Implementing Complementary Strategies

Mankind has been trying to control the weather since the dawn of time. Historically, this intervention has taken the form of sacrifices, offerings, dances, and prayers to the gods who supposedly control such matters. There have also been more scientifically-based attempts to make rain, such as cloud seeding. Needless to say, these attempts have generally fallen short of the desired goal. Yet, as Keith A. Wheeler, chairman and CEO at ZedX Inc., reports, "All farmers, no matter their size, depend on the weather to the grow crops that feed the world, while providing a livelihood for their families and communities. This makes them among the most vulnerable to the changing climate. By 2050, if farmers are not assisted to meet these changes, agriculture yields will decrease with impacts projected to be the most severe in Africa and South Asia, with productivity decreasing by 15% and 18% respectively. Therefore, strategies to adapt to the significant shifts in weather patterns are greatly needed." ["Building resilient food systems in a world of climate uncertainty," The Guardian, 21 December 2012]

Food security clearIn other words, if we can't change the weather then the weather needs to change us. The irony of this situation is that "agriculture today accounts for 14% of total greenhouse gas emissions, with another 17% attributed to land use change linked to deforestation." That means that farmers are in some measure contributing to the climate variability with which they must contend. So one of the first strategies recommended to help shore-up food security involves empowering "farmers with the knowledge, practices and technologies needed to adapt and reduce agriculture's contribution to global warming." Fortunately, Wheeler reports, "Amidst these colossal challenges there is hope." He explains:

"Technological innovations are at the forefront of meeting the world's growing food demands, while reducing carbon emissions. High tech methods such as Precision Agriculture, for example, calculate the exact amount of fertilizer required by the soil on your farm, preventing over application and the release of unnecessary greenhouse gases, while simultaneously improving yields. Other practices, such as integrated pest management and pest information systems, improved training for farmers at all levels and new finance and risk management tools for smallholder farmers will all go a long way to building more resilient food systems. The thread that ties all of these innovations together is greater access for farmers to research, information and extension."

The need for better food security is becoming increasingly evident. "Pressure on the world’s resources is intensifying," writes Paul Polman, CEO of Unilever. "Increased competition for these resources has been compounded by the effects of severe weather conditions." ["Now is the time for action," Financial Times, 21 November 2013] He explains:

"Since 2000, food prices have more than doubled because of soaring demand, with desertification, floods and drought adding significant volatility to the trend of food price inflation. To make matters worse, it is countries with already high rates of malnutrition that tend to be worst hit. People in Chad, Ethiopia and Angola spend up to 60 per cent of their weekly budget on food – much of it imported. The most vulnerable are hit the hardest by price rises."

Polman admits there are no silver bullet solutions to the food security challenge. But he offers three strategies that he believes should be taken immediately. "First, we should eliminate the use of unsustainable biofuels." By "unsustainable" he means biofuels derived from food crops (such as corn) or feedstock that is grown on ground that could be used to produce food crops. "Second, we need increased investment in those parts of Africa and Latin America where the last remaining serious agricultural expansion potential lies, or wherever current yields are threatened." On this point, he agrees with Wheeler. Finally, he asserts that "developing country governments need to create long-term partnerships with the private sector, donors and civil society, to stimulate investment in commercial agriculture. The Copenhagen Consensus concluded that an investment in fighting malnutrition would benefit people more than any other type of investment – with a return of $30 for every $1 invested. And the World Bank found that an investment in nutrition can translate to a 2-3 per cent increase in a nation's GDP each year, breaking the cycle of poverty that traps families and nations."

Another recommended strategy for creating better food security is reducing food waste. The Institution of Mechanical Engineers asserts "the world wastes from one-third to one-half of the four billion metric tons of food it produces each year." ["The World Wastes As Much As Half Its Food, New Study Finds," by Jeff Spross, Climate Progress, 14 January 2013] If the waste itself is not bad enough, Spross reminds us, "Because any item of food also represents an entire chain of production, wasted food also translates into wasted fresh water, wasted energy, wasted cropland, and further contributions to global warming with no discernible counter-balancing benefit." And one shouldn't forget the amount of wasted money represented by wasted food. With the global population continuing to swell, wasted food puts greater pressure on rising food prices. Although the causes of wasted food are different in the developing and developed worlds, the problem is global. The report explains:

"In less-developed countries, such as those of sub-Saharan Africa and South-East Asia, wastage tends to occur primarily at the farmer-producer end of the supply chain. Inefficient harvesting, inadequate local transportation and poor infrastructure mean that produce is frequently handled inappropriately and stored under unsuitable farm site conditions. As the development level of a country increases, so the food loss problem generally moves further up the supply chain with deficiencies in regional and national infrastructure having the largest impact. […] In mature, fully developed countries such as the UK, more-efficient farming practices and better transport, storage and processing facilities ensure that a larger proportion of the food produced reaches markets and consumers. However, characteristics associated with modern consumer culture mean produce is often wasted through retail and customer behavior."

Since the causes of food waste are different, the strategies for reducing such waste must adapt to the situation. The report points out that controlling waste is beyond the capability of any single stakeholder (i.e., farmer, distributor, retailer, or consumer). Fortunately, it reports, "In most cases the sustainable solutions needed to reduce waste are well known. The challenge is transferring this know-how to where it is needed, and creating the political and social environment which encourages both transfer and adoption of these ideas to take place." Brad Plumer reviews a few of the solutions that could be implemented. ["How the world manages to waste half its food," Washington Post, 12 January 2013] He writes:

"For poorer countries, simply building better food-storage buildings could cut down massively on waste in places like Pakistan or Ghana (which lost 50 percent of its stored maize in 2008). Better harvesting technology and techniques could also help, although the report suggests that some nations like India will need more sweeping societal and political changes to cut down on waste. Meanwhile, wealthier regions like the United States and Europe will need to think harder about not throwing out so much perfectly good food. ... One small step, which Britain has been exploring of late, is to rethink their use of food labels, which often encourage supermarkets to toss out food long before it actually goes bad."

Another irony that we confront when discussing food security involves dietary habits. As food security improves so does the economic condition of impoverished people. As their wealth increases, their eating habits change and that can have a profound effect on food production. For one thing, studies have shown that as people scratch their way out of poverty their taste for meat grows. Raising livestock, however, is not the most efficient way to provide the protein that we need to be healthy. It takes a lot of land, feed, and water to raise livestock. Livestock, particularly cattle, also produce a lot of methane gas. You can't blame (or prevent) those who have struggled to survive from wanting a more varied and enriched diet; but, we need to realize that our dietary choices have an impact. In the end, changing human behavior may be the most difficult challenge we face in striving for better food security.

For an excellent discussion on the challenges that lie ahead and some of the strategies that can be used to meet them, watch the video of a panel discussion held at The Aspen Institute last year. The first speaker, Jon Foley, Director, Institute on the Environment, University of Minnesota, stated that if we don't get agriculture right nothing else really matters. Foley offers five recommendations for improving global food security. The first recommendation he offered is to stop deforestation and halt agricultural expansion. This would help reduce agriculture's carbon emission footprint. Second, he recommended closing "yield gaps" on underperforming lands. There are huge opportunities in Eastern Europe where farms are producing only 20 percent of what could be produced. Third, he recommended improving cropping efficiency. That is, ensure that resources like water and fertilizers are being used to maximum efficiency. Israel, for example, uses water 100 times more efficiently than Pakistan. Fourth, he says we need to shift dietary preferences. Finally, as discussed above, we need to reduce waste. Polman concludes, "Securing the future of agricultural development needs individual commitment and action on the ground. All of us, individuals, companies, policy makers and consumers, have a responsibility to act together, and the time to act is now."

April 22, 2013

The Supply Chain Crisis and Disaster Pyramid

Back in 2009, R. Glenn Richey. Jr., a professor in the Manderson Graduate School of Business at the University of Alabama, wrote an article entitled "The supply chain crisis and disaster pyramid: A theoretical framework for understanding preparedness and recovery." [International Journal of Physical Distribution & Logistics Management, Volume 39 Issue: 7, pp.619 - 628] In the abstract concerning that article, Richey wrote:

"The research on supply chains concerning disaster and crisis situations is in its infancy, but rapidly expanding on the backs of top researchers in the field. As with most young research streams there is very little theoretical grounding in extant studies. The purpose of this research is to integrate four prominent existing theoretical perspectives to provide a concise yet holistic framework for grounding future research."

The "four prominent theoretical perspectives" used by Richey in his paper were: the resource-based view; communication theory; competing values framework; and relationship management theory. These four theories identified the corners of a three-sided figure he called the "Supply Chain Disaster and Crisis Pyramid." To better understand how the pyramid interrelates these theories, let me provide a little background on each theory.

Resource-based view -- According to Wikipedia, "The resource-based view (RBV) as a basis for a competitive advantage of a firm lies primarily in the application of the bundle of valuable interchangeable and intangible tangible resources at the firm's disposal. To transform a short-run competitive advantage into a sustained competitive advantage requires that these resources are heterogeneous in nature and not perfectly mobile. Effectively, this translates into valuable resources that are neither perfectly imitable nor substitutable without great effort." In other words, a company needs to identify those resources that differentiate it from its competition and provide it with a substantial competitive advantage and then figure out how to protect those assets.

Communication theory -- Wikipedia states, "Communication theory is a field of information and mathematics that studies the technical process of information and the human process of human communication." In other words, companies need to understand how they communicate best with the stakeholders in their supply chain and then ensure that those lines of communication are going to be available during a disaster.

Competing values framework -- A University of Twente website, provides the following explanation of this theory:

"The Competing Values Framework emerged from a series of empirical studies on the notion of organizational effectiveness (Quinn & Rohrbaugh, 1983). These efforts were an attempt to make sense of effectiveness criteria. Quinn and Rohrbaugh (1983) discovered two dimensions of effectiveness. The first dimension is related to organizational focus, from an internal emphasis on people in the organization to an external focus of the organization itself. The second dimension represents the contrast between stability and control and flexibility and change. The Competing Values Framework received its name because the criteria within the four models seem at first to carry conflicting messages. We want our organizations to be adaptable and flexible, but we also want them to be stable and controlled. [The four models are: the Internal Process Model; the Open Systems Model; the Rational Goal Model; and the Human Relations Model.] ... While the models seem to be four entirely different perspectives or domains, they can be viewed as closely related and interwoven. They are four subdomains of a larger construct: organizational and managerial effectiveness. The four models in the framework represent the unseen values over which people, programs, policies, and organizations live and die."

From a supply chain perspective, there are not only competing values within a company but between companies in the supply chain as well.

Relationship management theory -- Relationship management theory focuses on what is commonly called public relations. According to Wikipedia, "Public relations (PR) is the practice of managing the flow of information between an individual or an organization and the public." In simple terms, communication theory tells you how you are going to get your message to its intended audience while relationship management theory helps you craft the message itself.

Daniel Dumke identifies the four corners of the crisis and disaster pyramid discussed above in simpler terms: resources (resource management); collaboration (relationship management); communication; and contingency planning (competing values). ["Supply Chain Crisis and Disaster Pyramid," Supply Chain Risk Management, 2 November 2011] Those terms are much easier terms to understand as well as being much more recognizable to most risk managers. Dumke concludes:

"All in all Richey's framework is aimed at providing a guideline for future researchers to find new insights into supply chain disaster management and how to improve supply chain reactions at the intersection of communication, collaboration, resources and values. And these four aspects should not only be considered by researchers, but also by supply chain professionals. I especially liked the inclusion of the competing value theory, which might lead to a shift in research from the currently leading paradigm that goals of supply chain partners are always well aligned. On the other hand, this framework could also be used beyond only disaster and crisis management, the aspects could perhaps prove influential in a larger number of supply chain related research fields and applications."

Jan Husdal was disappointed that Richey's article was so theoretical and aimed at researchers rather than supply chain risk managers. "If you are a supply chain or logistics professional looking for a paper that discusses the intricacies of managing a supply chain in a disaster area, how to prepare and how to recover," Husdal writes, "this is NOT it." ["Pyramidal thoughts,", 10 March 2010] Despite his disappointment, Husdal concludes, "It is a framework that is well founded, based on the literature review. It will be interesting to see how many researchers pick up on this article and develop the suggested research strands."

Husdal points out that planes created by the four corners of Richey's pyramid identify specific relationships that need to be fostered and utilized during a crisis. They are:

1 – the independents
resources – competing values – communication
How do firms re(act) as disconnected and disinformed individual organizations?

2 – the proactive partnership
resources – communication – relationship management
How can firms develop communication and collaboration?

3 – the co-opetition resource
resources – competing values – collaboration
How do firms grow their situational awareness balancing when to compete and when to collaborate?

This is how the Supply Chain Crisis and Disaster Pyramid looks in three dimensions.

Crisis Pyramid 02

Obviously, each "plane" of the pyramid requires different approaches for the stakeholders involved. One of the biggest challenges in determining the right approach to take is identifying who all is involved. The more complex supply chains (or value networks) become, the more difficult it is to identify all of the players and their relationships. Supply chain analyst Lora Cecere has frequently insisted that supply chain visibility must at least include your suppliers' suppliers and your customers' customers. One recommended approach to understanding complex networks is to map them. Daniel Dumke writes, "There are several key advantages to supply chain mapping." ["Solution to Strategic Supply Chain Mapping," Supply Chain Risk Management, 23 April 2012] Among those advantages are:

  1. To link corporate strategy to supply chain strategy.
  2. To catalog and distribute key information for survival in a dynamic environment (in order) to direct the focus of the managers.
  3. To offer a basis for supply chain redesign or modification.
  4. Current channel dynamics can be displayed in a supply chain map.
  5. The process of building the strategic supply chain map, in itself, will help define the perspective of the supply chain integration effort.

Even though Richey's article didn't provide any recommended solutions for dealing with supply chain crises and disasters, if you are a supply change risk manager, his framework is worth considering. Simply identifying who are independent, cooperative, and proactive partner stakeholders is a valuable thing to know.

April 09, 2013

Water, Water, Every Where -- What Can We do About It? -- Part 2

In Part 1 of this three-part series, I discussed the overall problem of predicted water shortages. In this post, I want to discuss the affect that water shortages can have on the supply chain. The most obvious impact perhaps is the affect that water shortages can have on agricultural (a subject touched upon in Part 1). Without enough water to raise crops, the world can go hungry. In this post, I want to look at some of the less obvious impacts that water use can have on the supply chain.

"Supply-chain professionals deal with all kinds of risks every day," writes Jennifer Baljko, "from managing routine shipping delays to second-sourcing products when a natural disaster hits a key supplier. But there are a number of other global issues that should compel supply chain experts and corporate senior management teams to rethink their risks and their potential impact. One of them is the growing scarcity of stable water supplies." ["Water Risks Impacting Supply Chains," EBN, 7 February 2013] Baljko reports that "water shortage was named one of the top global risks for 2013" at the most recent World Economic Forum discussions in Davos, Switzerland. She continues:

Pipes drilpping clear"On a global scale, the industry uses 20 percent of water resources, notes the Cousteau Society. And as Bloomberg reported, without available, affordable, and clean water, companies could see disruptions, higher commodity costs, and reduced earnings. Given the data and growing awareness around this, it should come as no surprise that more watch groups are monitoring the world's water situation and groups like the WEF and the Pacific Institute, the U.N.'s Global Compact CEO Water Mandate, are encouraging more government, local, and corporate involvement in monitoring and managing water-related risks."

Baljko doesn't offer any solutions to the conundrum she raises; but, she does ask some pretty good questions: "Will it escalate enough to become something supply chain managers will have to deal with fairly regularly? Will secondary sourcing strategies have to be put in place if factories located in water-risk areas run dry? Will teams of purchasers be dedicated to negotiating spot water prices the way they negotiate prices for gold or copper?" In the Bloomberg article referenced by Baljko, Andrew Steer reports, "CEOs increasingly recognize that water is essential for their business models and economic growth." He added:

"More than half of the Global 500 companies that responded to the 2012 Carbon Disclosure Project Global Water Report cited 'detrimental' water-related impacts. These effects include property damage from drought or flooding, higher prices for water itself, poor water quality requiring on-site pre-treatment, and fines and litigation over pollution. According to the report, the associated costs for some companies ran as high as $200 million, up 38 percent from the previous year. ... Water risks are increasingly compromising businesses. ... In response, companies are realizing they need to work with governments and local communities to improve water management. Some industries are beginning to define water stewardship principles and water accounting standards. For example, 45 major companies representing hundreds of billions of dollars in revenue endorsed the U.N.'s Global Compact CEO Water Mandate, an initiative designed to help companies develop, implement and disclose water sustainability policies and practices.

The biggest threat is to companies whose current water usage is unsustainable. "Unsustainable water use is threatening agriculture, other business and populations in China, India and the US, according to a study by risk analysis company Maplecroft." ["Excessive Water Use ‘Threatening Business in Major Economies’," Environmental Leader, 11 May 2012] The article continues:

"The Water Stress Index calculates the water stress of over 168 countries by evaluating renewable supplies of water from precipitation, streams and rivers against domestic, industrial and agricultural use. The arid Middle East and North Africa region is the most at-risk region in the index, with Bahrain, Qatar, Kuwait, Libya, Djibouti, UAE, Yemen, Saudi Arabia, Oman and Egypt categorized as the 10 most water-stressed countries, listed in order of risk. However, the widespread use of irrigation for agriculture, combined with increasing domestic and industrial water demand in India (ranked 34th in the index), China (50) and the US (61) means that those economies' water resources are coming under increasing pressure – and this may place more of an impact on the wider world, Maplecroft says."

The greatest challenges for businesses are going to be in areas where their interests are in direct conflict with the interests of the community. "Companies ... have for the most part made progress on managing water resources," reports Suzanne Zweben. "Largely they recognize that access to water will be one of the greatest challenges of our time." ["Behind the Brands: The Human Right to Water AND Supply Chain Responsibility," Oxfam America, 18 March 2013] Zweben continues:

"It's projected that by 2025, just 12 years away, that 1.8 billion people will be living in countries or regions with absolute water scarcity. Two-thirds of the world's population is expected to have limited access to clean water. This is one sustainability issue food and beverage companies grasp as core to their business; it will impact their ability to make products and touch the lives of their employees, consumers and the communities where they operate and from which they source."

In addition to physical risks associated with water (such as, not having access to enough water to operate), there are also reputational risks. Organizations, like Oxfam, are now ranking companies with respect to how well they manage water resources. Of Oxfam's so-called "Big Ten companies," none were given a good score (although Nestle came close). Below is how Oxfam assessed three main aspects of its scorecard relating to water.

(1) Human Right to Water: Has the company recognized the human right to water as defined by the UN? Has the company committed to consult communities on plans to develop water resources, i.e., before a project has started? Have grievance mechanisms been established in cases where water rights have been violated? (A recent report by The Special Rapporteur on the human right to safe drinking water and sanitation, On the Right Track, addresses good practices in implementing the human right to water. See Chapter 3 especially.)

(2) Transparency: Does the company disclose information on water withdrawals, discharges (i.e., the quality of water released into lakes and rivers), water-stressed regions where the company has operations, regions where the company operates that are at risk for water stress, and raw materials that come from regions subject to water-related risk? (Seven of the ten companies companies assessed through the Behind the Brands scorecard disclose information through the Water Program of the Carbon Disclosure Project.)

(3) Supply Chain Management: Does the company require its suppliers to report on their water use, risks and management? Are requirements on water rights and use specified in a company’s supplier code? Has the company set a specific target to reduce its water use along its whole value chain?

Zweben reports that "food and beverage companies have played a central role in the CEO Water Mandate ... yet no one company has taken significant steps on both the human right to water and supply chain management." Ramit Plushnick-Masti predicts that self-interest will keep beverage companies, in particular, involved in water conservation and best practice programs. ["Beverage Companies Pay Millions To Conserve Water,", 8 August 2012] He writes, "For Dr. Pepper and other beverage companies engaged in similar work, the impetus is their bottom line — conserving water guarantees long-term access to the most crucial ingredient in their products." He continues:

"The biggest players — from Coca-Cola and Pepsi Co. to Miller and MolsonCoors — as well as smaller, regional beverage companies list water as a risk in long-term plans. In 2006, 18 companies created an alliance called the Beverage Industry Environmental Roundtable to tackle water, energy and other issues that could affect the industry's growth. There is no total available for how much has been invested in water conservation projects in the past five years, but experts believe it's more than $500 million dollars. Thomas Lyon, a professor at the University of Michigan who researches connections between industry and the environment, said three factors have pushed beverage companies to conserve water: future markets in developing countries don't drink enough soft drinks, from their perspective; the impacts of climate change are starting to become more apparent; and some of the countries targeted for growth are the same ones experts believe will be most affected by climate change."

With Asia predicted to be the focus of the global economy in the decades ahead, experts are concerned that water issues could have significant impacts in that region. ["Supply Chains in Asia Run High Risk of Water Shortages, Study Finds," by KPMG, SupplyChainBrain, 5 April 2012] The article notes:

"Of the sectors with the highest levels of water use, the share consumed by suppliers is greatest for food & beverage, personal & household goods and automobiles & parts companies. They could be affected by pressure on water resources through water pricing or scarcity driving up commodities costs. Companies are at the starting blocks of understanding financial risks and opportunities from water-related challenges in operations and supply chains. Companies that assess water risks will be well placed to strengthen water management strategies, secure supplies and stabilise input costs."

If all that is not enough for companies to worry about, Jonas Kron, an investment advisor at Trillium Asset Management, told Bloomberg "that he thinks the world's dwindling supply of fresh water may soon impact results at the companies the fund invests in." ["Water Risks Becoming Investor Concerns, as New Interactice Tool Helps Companies Assess their Own Risk Levels," The Green Supply Chain, 11 January 2012] In other words, if companies don't manage water resources better, they may find access to investment capital difficult to find.

The bottom line is that potential water shortages are going to affect private and public organizations as well as individuals. The problem is international in scale and will require widespread private/public partnerships to address it. In the final segment of this series, I'll look at some technological breakthroughs as well as some strategies that have been recommended for dealing with water challenges.