Flexibility in the Face of Disaster: Managing the Risk of Supply Chain Disruption
When it comes to global supply chains, the potential for disruption comes in many forms, from large-scale natural disasters and terrorist attacks to plant manufacturing fires, wide-spread electrical blackouts, and operational challenges such as shipping ports too small to handle the flow of goods coming into a country. Today's leaner, just-in-time globalized supply chains are more vulnerable than ever before to natural and man-made disasters -- a reality that creates greater demands on companies to keep supply chains flexible and integrate disruption risk management into every facet of supply chain operations.
"So many companies are trying to get their piece of the global advantage that the operational risks and possibilities of disruption are pretty high," said Dave Young, senior vice president in the Boston office of the Boston Consulting Group (BCG). And one of the biggest challenges in managing these disruption risks "has to do with the fact that global supply chains are in a state of continuous evolution."
Like Murphy's Law, disruptions in supply chains seem inevitable -- a principle that Paul R. Kleindorfer, Wharton professor of operations and information management, argues "should be a high priority topic for senior management and shareholders."
"Disruption risk has received increasing attention in the last few years," Kleindorfer, co-director of Wharton's Risk Management & Decision Processes Center, wrote in a recently published paper, "Managing Disruption Risks in Supply Chains." "The reason is undoubtedly that, with longer paths and shorter clock speeds, there are more opportunities for disruption and a smaller margin for error if a disruption takes place."
Given the high stakes, experts from BCG and Wharton generally agree that managing supply chain disruptions revolves around two goals: first, to thoroughly understand the potential of identified risks; and second, to increase the capacity of the supply chain -- within reasonable limits -- to sustain and absorb disruption without serious impact.
Identifying the Risks
Kleindorfer has identified three main categories as the primary sources of supply chain disruption risk: operational contingencies, which include equipment malfunctions and systemic failures, abrupt discontinuity of supply (when a main supplier goes out of business), bankruptcy, fraud, or labor strikes; natural hazards such as earthquakes, hurricanes, storms; and terrorism or political instability.
Which category would a company consider the most threatening? "Companies generally focus on the risks that they can see," said Steve Matthesen, a vice president in BCG's Los Angeles office. "And, to be honest, most of us focus on those risks that someone would hold us accountable for. So when you get to [a risk such as] political instability or terrorism, most people don't worry about it that much, or they worry but they don't focus on it. For instance, you generally are not going to get fired for not having a plan if a terrorist blows up your building."
In a report on "Risk Analysis and Risk Management in an Uncertain World," Howard Kunreuther, co-director of Wharton's Risk Management Center, explains why. "When it comes to developing a strategy to reduce the risks of future terrorist activities," Kunreuther argues, "we do not know who the perpetrators are, their motivations, the nature of their next attack and where it will be delivered. Hence it is extraordinarily difficult to know what protective actions to take.
"We know from behavior following natural disasters, such as Hurricane Andrew or the Northridge earthquake, as well as technological accidents, such as the Bhopal chemical explosion or the Chernobyl nuclear power plant meltdown, that individuals and companies are not very concerned about these events prior to their occurrence," he continues. "Only after the event when it is often too late do they want to take protective action. Over time this concern dissipates. Thus it is very common for people to cancel their flood or earthquake insurance policies if they have not experienced losses from one of these events in several years."
But it's a different story when the supply chain disruption is highly visible and forecast by world-wide trends. For instance, what happens if a company ships products into the ports of Los Angeles, the entry point for almost half of the goods coming into the United States, and gridlock hits just before Christmas (as it did in 2004)? George Stalk, Jr., a BCG senior vice president in Toronto, noted in a recent BCG paper on volatile supply chains that when this very real scenario played out at the Los Angeles-Long Beach ports last winter, "nearly 100 cargo ships floated around cooling their keels and waiting to be unloaded -- a process that was taking up to twice as long as normal." In a case like this, says Matthesen, "the CEO of a company might say, 'This is your job, Supply Chain Person.' And that person would get flak."
Supply chain experts suggest that the key to first mitigating and then managing disruption risks is understanding a company's vulnerabilities.
"Your turn the problem on its head," says Kleindorfer. Businesses determine and review the consequences of various sources of disruption to a global supply chain "through the process of discovering vulnerabilities. Whatever the source of those might be -- hazards, strike, terrorists' bombs or some unforeseen event -- the first thing you do in the risk assessment process is to look at vulnerabilities in general, and then you have to have supply-chain-wide visibility of vulnerabilities."
Experts note that vulnerabilities need to be analyzed throughout the supply chain -- from critical processes and equipment to manufacturing and warehousing sites, from technology and transportation to distribution and management. Granted, this is not always easy, Kleindorfer noted, because it "requires information sharing across supply chain participants." Typically, a company with "special vulnerabilities may have every incentive to hide these from other supply chain participants." While current communication and information technologies such as ERP (Enterprise Resource Planning) systems and CPFR (Collaborative Planning, Forecasting and Replenishment) methods allow for improved information integration and supply chain visibility, "vulnerabilities to disruption are, by their very nature, more difficult to identify."
At the Wharton Risk Management & Decision Processes Center, supply chain experts and industry leaders have over the last decade developed a multi-step approach to disruption risk management. It addresses ways to help companies identify vulnerabilities, and includes the following four initial steps:
"Obtain senior management understanding and approval, and set up organizational responsibilities for managing the disruption risk management process.
Identify key processes that are likely to be affected by disruptions and characterize the facilities, assets and human populations that may be affected. Key processes typically include new product development, supply chain operations, and manufacturing. Key assets include both tangible assets (property and inventory) as well as intangible assets (brand image, public perceptions).
Traditional risk management is then undertaken for each key process to identify vulnerabilities, triggers for these vulnerabilities, likelihood of occurrence, and mitigation and risk transfer activities. This is the heart of the traditional industrial risk management process for disruption risks.
Reporting, periodic auditing, management and legal reviews of implementation plans and on-going results (e.g., of near-miss management and other disruption risks) complete the business process for disruption risk management. The audit process . . . is essential to providing on-going feedback to management and supply chain participants on the performance of their facilities and their compliance with agreed, supply-chain wide standards."
By taking these four steps, Kleindorfer argued, a company defines its own "risk architecture -- which is a way of looking at the world that allows you not to be generally worried all the time."
Contingency Planning and the 'Triple-A' Threat
What happens when a company that understands its vulnerabilities as well as its overall risk architecture confronts disaster? Consider the following example.
In March 2000, a Philips manufacturing facility in Albuquerque, New Mexico, was destroyed by fire; the facility supplied radio frequency chips (RFCs) for cellular telephone giants Nokia and Ericsson, and the way the two companies responded has become a textbook case for the dos and don'ts of disruption risk management, and a lesson in how the proper approach can turn into a competitive advantage.
When the fire wiped out the plant, both companies instantly lost a key link in their supply chains. As reported in Business Week:
"Nokia's response was two-fold. The company immediately created an executive-led 'strike team' that pressured Philips to dedicate other plants to making the RFCs that Nokia needed. Nokia engineers also quickly re-designed the RFCs so that the company's other suppliers in Japan and the United States could produce them." The plan worked: "Through quick action, Nokia was able to meet its production goals, and even boost its market share from 27% to 30% -- a level more than two times that of its nearest rival."
"Ericsson, however, reacted much more slowly. The company did not become aware of the supply problems for weeks, by which time its ability to meet customer demand had been seriously compromised. And because Ericsson relied exclusively on the Albuquerque plant for the RFCs, Ericsson -- unlike Nokia -- found itself with nowhere else to turn for these vital components. . . . Ericsson posted a nearly $1.7 billion loss for the year, and ultimately had to outsource its cellular handset manufacturing business to another firm."
Contingency planning -- the act of knowing secondary sources to turn to for supplies, manufacturing, or transportation needs when primary sources are interrupted -- has recently received a lot of attention and research from supply chain experts. Highlighting the value of contingency plans, the story of Nokia and Ericsson was incorporated into a recent Harvard Business Review article called "The Triple-A Supply Chain." Arguing that supply chains can no longer afford to be merely fast and cost-effective, author Hau L. Lee argued that "great companies create supply chains that respond to sudden and unexpected changes" by building "Triple-A" supply chains that are agile, adaptable and aligned. Lee outlined objectives and methods that companies should follow to achieve all three Triple-A goals -- a veritable blueprint for disruption risk management through the pursuit of flexible supply chains:
Agile supply chains "respond quickly to sudden changes in supply or demand." What methods can companies use to incorporate agility in supply chains? "Continuously provide supply chain partners with data on changes in supply and demand so they can respond promptly; collaborate with suppliers and customers to redesign processes, components, and products in ways that give you a head start over rivals; finish products only when you have accurate information on customer preferences; keep a small inventory of inexpensive, non-bulky product component to prevent manufacturing delays."
Adaptable supply chains "adjust supply chain design to accommodate market changes." Methods to use? "Track economic changes, especially in developing countries; use intermediaries to find reliable vendors in unfamiliar parts of the world; create flexibility by ensuring that different products use the same components and production processes; create different supply chains for different product lines, to optimize capabilities for each."
Aligned supply chains "establish incentives for supply chain partners to improve performance of the entire chain." Methods to use? "Provide all partners with equal access to forecasts, sales data and plans; clarify partners' roles and responsibilities to avoid conflict; redefine partnership terms to share risks, costs and rewards for improving supply chain performance; align incentives so that players maximize overall chain performance while also maximizing their returns from the partnership."
Redundancy and Other Strategies for Flexibility
When it comes to maintaining flexible supply chains that can respond to disruption, BCG's Young suggests that companies plan for the inevitable by incorporating a few simple steps. "A lot of this is good old-fashioned block and tackling, but it takes discipline and segmentation," he said.
First, companies should carefully segment their products and product lines in order to understand which ones are more time sensitive and critical than others. "If I'm going to spend time thinking about how I can bullet-proof the supply chain or make it more resilient, I'm going to do it around products or processes where time is most critical," said Young.
Second, once these areas have been identified, "you want to create a highly detailed assessment of all elements of the supply chain. Identify along that path the sources of greatest risk and look for ways to manage that -- hedging inventories, looking at redundant carrier options, for instance. You want to build in redundancy for these critical items."
But, Young cautions, "you can only have time and money to build in so much systems' redundancy." Because building in redundancy isn't cheap. In a recently published newspaper article, BCG's Stalk and Young wrote that offshore operations often expect and therefore plan for the unexpected by "building redundancy into the system, and probably back home. If such redundancy is included in the initial 'cost-advantage' calculation, the company may find it will take 2 to 2 1/2 years to recoup all the start-up costs associated with offshore sourcing and manufacturing."
BCG's Matthesen notes that when planning for redundancy, companies have to ask, "How much protection can you take? It's like insurance -- only some things are worth insuring against. It will depend a lot on what your business margins are and what the costs of failure are. For instance, I work with a pharmaceutical company that maintains two different plants. Either one would serve the entire world of demand for their products. But one plant is located in an earthquake zone; the other is only 25 miles from an airport, and they worry that an airplane could conceivably crash into it. So they maintain both plants. In their case, they justify the expense due to high margins and the human lives at stake."
When it comes to redundancy planning, transportation options or redundant carrier options are often high on a company's list. To figure out why, look no further than the shipping backlog in Los Angeles last winter. But building in transportation redundancy or shipping flexibility is tricky. "If your shipment is on one of 50 ships waiting to unload, your choices are a bit limited," said Matthesen. Often, companies can only hedge these risks by making sure their shipments are last on and first off.
In anticipation of rail or trucking strikes, companies often split their shipping business in order to build transportation relationships with more than one company. "People do this a lot. They offer 80 to 60% to one supplier, and 20 to 40% with the other. But how important are they if they are only doing 20% of their business with a company? Do you really achieve anything? I have one client who is a distributor, and we were looking at the level of redundancy they had. We discussed what would happen if you gave all of the business to one carrier, and then that carrier had a strike? Shouldn't you keep two carriers? But the CEO said, 'Our margins are low. It makes business sense to sole source, and if we get into a strike situation, well, that will have to be the cost of doing business.' And I think that this was the right call in that situation."
Matthesen allows that the essence of risk management boils down to adequately appreciating the risks that a company is exposed to for different areas of business; identifying the 'choke points' along the supply chain that would completely harm a business if disruption occurred; and then taking the right set of preventative measures to allow for some protection, remembering to periodically review your supply chain plans and risk assessment priorities.
"But the real story is that you don't have to run faster than the bear; you just have to outrun the folks you are with," said Matthesen. "If you can figure out that there has been a disruption faster than others in your industry, you have a lot more options. If you are the first person to come to a Federal Express and say, 'UPS is going to have a problem and I need your help' -- you get a good response. If you are the fifth guy to come over, now they have a problem because their capacity is full. This is the case with many disruptions, and this is the part to me that's most interesting about the Nokia and Ericsson example. It's not that Nokia had all these backup plans, but that they identified something was up and they acted on it before anyone else identified the issue."
The bottom line? "You can't protect against every risk," said Matthesen. "But if you can be quick to identify that there is a problem emerging and you've thought about it a little bit in advance and mobilized your options, that's the essence of risk management."