Assessing Vulnerability of a Supply Chain:

Recording of this session via any media type is strictly prohibited.

Page 1

Assessing Vulnerability of a Supply Chain:

A Strategic Risk Approach


• Randy Jouben, Director Risk Management,FIVE GUYS Enterprises, LLCRandy is responsible for leading the mission of protecting the tangible and intangible assets of Five Guys in the areas of risk management, safety, security, business continuity and compliance.


What to Expect

• To provide you with an understanding of the risk and vulnerabilities of a supply chain.

• Understand options available to asses risk in the supply chain

• Describe different ways you can integrate supply change management into the Strategic Risk management process


Uncertainty Increases Business Risk

“Business managers regularly extrapolate from the past to the future but often fail to recognize when conditions are beginning to change from poor to better or from better to worse. They tend to identify turning points only after the fact. If they were better at sensing imminent changes, the abrupt shifts in profitability that happen so often would never occur. The prevalence of surprise in the world of business is evidence that uncertainty is more likely to prevail than mathematical probability.”

“The evidence. . .reveals repeated patterns of irrationality, inconsistency and incompetence in the ways human beings arrive at decisions and choices when faced with uncertainty.”

Peter L. Bernstein, “Against the Gods – The Remarkable Story of Risk”


Some Working Definitions

• Risk• Risk Management• Strategic Risk Management• Supply chain vulnerability• Robust Supply Change Management• Supply Chain Risk Management• Resilience

5


Risk

In decision theory: a measure of the range of possible outcomes from a single totally rational decision and their values, in terms of upside gains and downside losses (e.g. gambling)

6


Risk

• A particular type of hazard or threat e.g. technological risk or political risk

• The downside only consequences of a rational decision in terms of the resulting financial losses or number of casualties

• Risk = probability of occurrence x consequences

7


Risk Management

“Risk management is the process of measuring or assessing risk and then developing strategies to manage the risk. These strategies can involve the transference of risk to another party, risk avoidance or mitigation, and channel risk sharing.


Strategic Risk Management

“Strategic Risk Management (SRM) is a business discipline that drives deliberation and action regarding uncertainties and untapped opportunities that affect an organization's strategy and strategy execution.”


Supply Chain Vulnerability

We should strive to identify vulnerabilities by asking questions such as:o What has disrupted operations in the past? o What known weaknesses do we have?o What ‘near misses’ have we experienced?o What would be the effect of a shortage of a key material? o What would be the effect of the loss of our distribution

site?o What would be the effect of the loss of a key supplier or

customer?

10


Vulnerability vs. Risk Analysis

A vulnerability analysis is not equivalent to a risk analysis.

• Risk Analysis focuses on human resources, on environmental and property impacts of an accidental event,

• A vulnerability analysis is focused on the system survival.


Vulnerability vs. Risk Analysis

A vulnerability analysis is not equivalent to a risk analysis.

• The vulnerability analysis has a wider range with respect to the risk analysis.

• Particularly the first concerns the way to weaken the detected threats and restart the system after an accidental event.


Supply Chain Risk Management

• Supply Chain Risk Management (SCRM) is a discipline of Risk Management which attempts to identify potential disruptions to continued manufacturing production and thereby commercial financial exposure

• Focuses on the interdependences of the actors belonging to the same supply chain: sudden crisis, impacting one or more nodes inevitably creates disturbance which may destabilize the system as a whole


Robust SCRM

• “Strong in constitution, hardy, or vigorous”• Enable a firm to manage regular fluctuations

in demand efficiently under normal circumstances regardless of occurrence of a major disruption

• But does not in itself make a resilient supply chain

14


Robust SCRM

• A robust process can be defined as “a process able to deal with reasonable variability”

• A resilient supply chain can be defined as “a supply chain with the ability to recover quickly from unexpected events impacting supply chain performance”

15


Robust SCRM

• A robust process can deal with reasonable variability in input whilst maintaining good control over output variability.

• It has some resilience but is it capable of recovery from an event that causes exceptionally high levels of variability in input or output requirement?

16


Resilience

“The ability of a system to return to its original [or desired] state after being disturbed”The core concept of resilience is:

• It encourages a whole system perspective• It explicitly accepts that disturbances happen• It implies adaptability to changing circumstances

17


Supply Chain Dynamics

• Throughout the 1990s, many firms strived to improve their financial performance by implementing various supply chain initiatives.

• These initiatives were intended to increase revenue, reduce cost (e.g., supply base reduction, online sourcing including e-markets and online auctions, offshore manufacturing, Just-in-Time inventory systems, vendor-managed inventory), and reduce assets (e.g., outsourced manufacturing, Information Technology, and logistics).


Supply Chain Dynamics

• These initiatives can be effective in a stable environment; however, as the number of supply chain partners increases, these global supply chains become “longer” and “more complex.”

• Long and complex global supply chains are usually slow to respond to changes, and hence, they are more vulnerable to business disruptions.


The Challenge Of Global Logistics

PRODUCTLINE DIVERSITY

MARKETCONCENTRATION


Global business : Singer Sewing Machines

• Body shells from USA• Motors from Brazil• Drive Shafts from Italy• Assembled in Taiwan• Sold around the world

Page 21


How many countries does it take to make a coat


Categories of Supply

Supply chains comprise nodes and links • Nodes – organisational risk• Links – network risk

Page 23


Understanding the total costs of ownership

Not just the purchase price, but …..o Increased transport costso Increased inventory financing costso Increased uncertainty of supplyo Longer lead-timeso Less visibility and increased likelihood of “bullwhip” effecto Loss of control in qualityo Longer development cycles for new productso Increased exposure to security risks

Page 24


Changing Times & An Uncertain World

In a complex inter-organizational supply chain it would be difficult if not impossible for anyone to identify every possible hazard or point of vulnerability.

25


Why Are Today’s Supply Chains So Vulnerable?

• Widespread adoption of ‘lean’ practices• The move to off-shore manufacturing and sourcing• Out-sourcing and reduction in the supplier base• Global consolidation of suppliers• Centralised production and distribution• All of which combine to make supply chains

vulnerable to disruption

Page 26


Supply Chain Risk Perspectives


The Sources of Risk in Supply Chain

• Supply risk• Demand risk• Process risk• Control risk• Environmental risk

Page 28


Location Of Risk In The Supply Chain

Page 29

SUPPLY RISK

PROCESSRISK

DEMANDRISK

NETWORK/CONTROLRISK

Environmental Risk


The Sources Of Supply Chain Risk

Page 30

• Loss of major accounts• Volatility of demand• Concentration of customer

base• Short life cycles• Innovative competitors

• Dependency on key suppliers• Consolidation in supply markets• Quality and management issues

arising from off-shore sourcing• Potential disruption at 2nd tier level• Length and variability of

replenishment lead-times

Supply RiskDemand Risk

• Manufacturing yield variability• Lengthy set-up times and

inflexible processes• Equipment reliability• Limited capacity/bottlenecks• Outsourcing key business

processes

Process Risk

• Asymmetric power relationships• Poor visibility along the pipeline• Inappropriate rules that distort demand• Lack of collaborative planning and forecasts• Bullwhip effects due to multiple echelons

Network/Control Risk

• Natural disasters• Terrorism and war• Regulatory changes• Tax, duties and quotas• Strikes

Environment Risk


Supply Chain Risk Is Systemic

• The biggest risk to business continuity may lie outside the company in the wider supply chain

• The complexity and inter-connectedness of modern supply chains increases their vulnerability to disruption

• Environmental risks are outside our control, but systemic risk is created through our own decisions

Page 31


Supply chain risk (i)

“The entire Japanese vehicle industry ground to a halt following an earthquake that stopped production of piston rings for engines provided by Riken, the industry leader in the domestic market. Toyota, in particular, was forced to stop operations at all 12 of its domestic plants.”

– Financial Times, 24 July 2007

Page 32


Supply chain risk (ii)“A fire at a key Philips semiconductor factory in 2000 caused a worldwide shortage of the radio frequency chips used by both Nokia and Ericsson. Nokia immediately lined up another source and redesigned other chips so they could be produced elsewhere. However, Ericsson responded more slowly and lost an estimated $400 million in mobile phone handsets.”

- MIT Sloan Management Review - Summer 2006

Page 33


Supply chain risk (iii)

“Yesterday it emerged that ice-cream supplies may run short because Unilever’s only UK factory, based in flood-stricken Gloucester, has been closed for the past ten days. The company usually manufacturers five million ice-creams and lollipops a day at the plant. It has stocks in freezers but it could be days before normal production resumes. Industry insiders predict that there will now be an ice-cream war as rival brands attempt to exploit Unilever’s predicament and gain market share.”

– The Times, 31 July 2007

Page 34


Changing Times & An Uncertain World

‘Known’ problems are only part of the picture • Known Unknowns, Knowable Unknowns and

Unknowable Unknowns• Y2K: The Millennium Bug• Creeping Crises (e.g. Foot and Mouth disease)• Post 9/11 Security Matters• Corporate Scandals, Operational Risk and Business

Continuity

35


Known Unknowns

Known Unknowns• We know that there exist uncertainties, which we

know how to solve• ‘Known known’

36


Knowable Unknowns

Knowable Unknowns• There are some uncertainties which we don’t know

how to solve, We may choose ignore or face it

37


Unknowable Unknowns

Unknowable Unknowns• However, there are still uncertainties that we don’t

know that we don’t know

38


Y2K: The Millennium Bug

A ‘Known known’ example• In the UK, the government encourage

businesses to take the necessary measures to prevent system crashes, and engage in business continuity planning

39



• As a result, nothing happened and the government was delighted, believing the planning had saved the country from disaster

• But the non-event left many managers skeptical as to whether the costly preventive measures had really necessary?

40



• Y2K is one of the intractable problems about proactive measures to improve organizational and supply chain resilience

• If successful, mean nothing happens, but leads to questions of value or cost/benefits justification

• It is very difficult to make a business case for proactive ‘just in case’ measures to improve resilience

41


Creeping Crises

• The outbreak of foot and mouth disease(FMD) in British livestock herds in February 2001 resulted in damage to whole sectors of economy

• FMD was a known threat to livestock, albeit one that had not been seen in UK for a generation

• The impact is engaged in production and distribution of food

42


Creeping Crises

• But FMD also affected car manufacturers and fashion houses across Europe because of the shortage of high-quality leather

• All ‘knowable unknowns’ events could be the example of ‘creeping crises’

• Creeping crises show the fact that supply chains are more than value-adding mechanisms underlying competitive business models

• Supply chains link organizations, industries and economies, they are part of the fabric of society

43


Post 9/11 Security Matters

• The events of 9/11 were so far out of risk managers’ field of reference, that they can be classed as “unknowable unknowns”

• The closure of US borders and the grounding of transatlantic flights dislocated international supply chains making supply chain vulnerability front page new

44


Post 9/11 Security Matters

• Post 9/11, new security measures were hurriedly introduced at US border posts, ports and airports, affecting inbound freight to USA, including:

• Container Security Initiative (CSI)o CSI looked to new technology to pre-screen ‘high risk’ containers

before they arrived at US ports

• Customs-Trade Partnership (C-TPAT)o C-TPAT is a ‘known shipper’ programme, which allows

cargoes from companies certified by US Customs to clear customs quickly

45


Corporate Scandals, Operational Risk and Business Continuity

• In the world of corporate risk management events(e.g. 9/11) were unfolding that would push ‘operational risk’ to the top of the corporate agenda

• The Enron Corporation collapsed in late 2001o Once held up as a model of best practice corporate risk

managemento Another three companies quickly followed

46


Corporate Scandals, Operational Risk and Business Continuity

• New regulation, Sarbanes-Oxley Act(SOX) is noteworthy

• SOX requires full disclosure of all potential risks to corporate well-being within the business

• Board members have become more interested in identifying ‘knowable unknowns’ and have turned to risk management and to Business Continuity Management(BCM)

47


The Risk Management Challenge

Page 48

High

Low

Low High

Probability of Occurrence

Consequence/Impact

• Where can we reduce the probability?• How can we reduce the consequence?


The Risk Management Challenge

• Decision Theory and Managerial Tendencies

• Objective Risk and Perceived Risk

49


Decision Theory and Managerial Tendencies

• Concerned paid little attention to uncertainty surrounding positive outcomes, viewing risk in terms of dangers or hazards with potentially negative outcomes

• Managers focus on the possible losses associated with plausible outcomes

• Decisions involving risk are heavily influenced by their impact on the manager’s own performance targets

50


Decision Theory and Managerial Tendencies

• In comfortable circumstances managers are likely to be risk-averse, but when staring failure in the face, researchers show that this tendency reverses and they become risk-prone

• There is unlikely to be a single unified attitude to risk taking within a large organization

51


Objective Risk and Perceived Risk

A view of risk set out by the engineers and physicists of The Royal Society:

• ‘Objective risk’: determined by experts applying quantitative scientific means

• ‘Perceived risk’: the imprecise and unreliable perceptions of general public

• ‘Detriment’: the numerical measure of harm or loss associated with an adverse event

52



Social scientists contend that, where people were involved, objective and perceived risk become inseparable

• Risk is not a discrete or objective phenomenon• Risk is an interactive culturally determined one• Risk is inherently resistant to objective

measurement

53



• Engineering-derived ‘objective’ views lead to a business process engineering and control perspective

• Open interactive societal systems views offer a persuasive argument for perceived risk

• The global supply chain view illustrates that culturally determined perceptions of risk could vary greatly from one region to another

• Hence the forces of nature can demonstrate just how far removed from a controlled environment this all might be

54


Managing Supply Chain Risk

• Map the supply chain• Identify the critical paths• Utilise cause and effect analysis (TQM tools)• Implement supply chain event management• Adopt agile practices• Formalise supply chain risk management

Page 55


Identify The Critical Path(s)

Critical paths are characterised by:-• long lead-times • no short-term alternative source of supply • Bottlenecks • high levels of identifiable risk (i.e. supply, demand,

process, control and environmental risk)

Page 56


Use cause and effect analysis

How To.• pareto analysis • asking ‘why?’ five times • fishbone charts • failure mode and effects analysis

Page 57


Pareto Analysis

80% of disruptions will share 20% of the causes


Asking “Why?” Five Times

1. Q. Why did the machine stop?A. There was an overload and the fuse blew.

2. Q. Why was there an overload?A. The bearing was not sufficiently lubricated.

3. Q. Why was it not sufficiently lubricated?A. The lubrication pump was not pumping sufficiently.



4.Q. Why was it not pumping sufficiently?A. The shaft of the pump was worn and rattling.

5.Q. Why was the shaft worn?A. There was no strainer and metal scrap got in.



Repeating why five times like this can help uncover the root problem and correct it. If this procedure were not carried through, one might simply replace the fuse or the pump shaft. In that case the problem would reoccur in a few months.

– Taiichi Ohno - Toyota Production System


Cause And Effect Analysis

Page 62


Failure Mode And Effects Analysis (FMEA)

Asks three questions:- What could go wrong?- What effect would this failure have?- What are the key causes of this failure?

Provides an assessment of risk for each possible failure:S = severity of effectO = likelihood of occurrenceD = likelihood of detection

Page 63


Risk Analysis Scoring System

Page 64


Risk Analysis Scoring System


Supply Chain Risk and Risk Management Strategies


Creating a Resilient Supply Chain:Strategic Approaches


“It is not the strongest of the species that survive nor the most intelligent, but the one most responsive to change”.

– Charles Darwin

Page 70


Questions, Final Comments and Contact Information

Thank You for Joining us Today!Randy F. Jouben, CPCU, ARM,CBCP, MBCI, AIC, AINS,

Director, Risk ManagementFive Guys Enterprises, LLC10718 Richmond Highway

Lorton, Virginia 22079Direct: 703-436-1959

[email protected]

Assessing Vulnerability of a Supply Chain:

Documents

Transcript of Assessing Vulnerability of a Supply Chain: