Resilient Supply Chains and Risk Management
Ali Awni
December 2022

Risk Defined

The International Organization for Standardization (ISO, 2002) defines two of the essential components of risk:
1. losses (along with related amounts) and
2. uncertainty of their occurrence.

In the financial industry, operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events (New Basel Capital Accord, 2006).

Kevin McCormack

What is Supply Chain Risk Management?

• Business Continuity Management (BCM), defined by the Business Continuity Institute as “an holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities” (BCI, 2005).
• Business Vulnerability, defined as an exposure to serious disturbances, arising from risks within the supply chain as well as risks external to the supply chain (Christopher, 2003). Vulnerability is a result of any weakness within a complex system that can seriously jeopardize its activities (Ayyub, 2003).
• Enterprise Risk Management (ERM) as a set of coordinated actions about protecting and enhancing share value to satisfy the primary business objective of shareholder wealth maximization (Chapman, 2006).
• Resilient enterprise meaning the ability of the company to recover quickly from a disruption (Sheffi, 2005).

Deloitte and Touche (2004) and Tang (2006) define supply chain risk (SCR) as the uncertainty of the occurrence of an event that could affect one (or more) partner or link within the supply chain and that could influence (generally in a negative sense) the achievement of company’s business objectives.
They define supply chain risk management (SCRM) as having the objective to control, monitor and evaluate supply chain risk, optimizing actions in order to prevent disruptions (that is, the occurrence of an event that causes a business interruption) or to quickly recover from them.

SCRM Defined

Supply chain risk management is the systematic identification, assessment, and quantification of potential supply chain disruptions with the objective to control exposure to risk or reduce its negative impact on supply chain performance. Potential disruptions can either occur within the supply chain (e.g. insufficient quality, unreliable suppliers, machine break-down, uncertain demand, etc.) or outside the supply chain (e.g. flooding, terrorism, labor strikes, natural disasters, large variability in demand, etc.). Management of risk includes the development of continuous strategies designed to control, mitigate, reduce, or eliminate risk.

[Figure: Impact of Major Supply Chain Disruption on Stock Price. Average shareholder returns (%) plotted against trading day relative to announcement date. Source: Hendricks and Singhal, 2005.]

[Figure: Reasons for glitches. Bar chart of number of firms (%).]

[Figure: Supply Risk Disruption Profiles. Performance plotted against time. Stage labels: Preparation, Disruption Event, Detection and Response, Initial Impact, Full Impact, Recovery, Sustaining Impact. “At present” profile: Ave: $120,000,000, Sustaining Impact > 0. “In the future” profile: Estimated Ave: $1,200,000, Full Impact avoided, Recovery minimized, Sustaining Impact = 0.]

Supply chain risk (i)

“The entire Japanese vehicle industry ground to a halt following an earthquake that stopped production of piston rings for engines provided by Riken, the industry leader in the domestic market.
Toyota, in particular, was forced to stop operations at all 12 of its domestic plants.” Financial Times, 24 July 2007

Supply chain risk (ii)

“A fire at a key Philips semiconductor factory in 2000 caused a worldwide shortage of the radio frequency chips used by both Nokia and Ericsson. Nokia immediately lined up another source and redesigned other chips so they could be produced elsewhere. However, Ericsson responded more slowly and lost an estimated $400 million in mobile phone handsets.” MIT Sloan Management Review, Summer 2006

Supply chain risk (iii)

“Yesterday it emerged that ice-cream supplies may run short because Unilever’s only UK factory, based in flood-stricken Gloucester, has been closed for the past ten days. The company usually manufactures five million ice-creams and lollipops a day at the plant. It has stocks in freezers but it could be days before normal production resumes. Industry insiders predict that there will now be an ice-cream war as rival brands attempt to exploit Unilever’s predicament and gain market share.” The Times, 31 July 2007

Supply chain risk is systemic

• The biggest risk to business continuity may lie outside the company in the wider supply chain
• The complexity and inter-connectedness of modern supply chains increases their vulnerability to disruption
• Environmental risks are outside our control, but systemic risk is created through our own decisions

Supply Chain Story: On responding to a supply chain disruption

• Nokia
• Ericsson
• Philips factory in New Mexico

Source: The Resilient Enterprise

Definition of Supply Chain Protection and Security

The application of policies, procedures, and technology to protect supply chain assets (product, facilities, equipment, information, and personnel) from theft, damage, or terrorism and to prevent the introduction of unauthorized contraband, people, or weapons of mass
destruction. Closs and McGarrell (2004), “Enhancing Security Throughout the Supply Chain,” IBM Center for the Business of Government – www.businessofgovernment.org

Secure Supply Chain Requirements

• Preventing any biological, chemical or unauthorized agent from being incorporated into the product
• Preventing any illegal commodity from being intermingled with the shipment
• Preventing transportation assets or a shipment’s contents from being used as a weapon
• Preventing unauthorized access to the product and/or supply chain network
• Preventing disruptions of the supply chain network/infrastructure

Supply Chain Security Impact: A State of Transition

From → To
• Corporate security → Cross functional team
• Theft prevention → To include anti-terrorism
• Inside the company → End-to-end supply chain
• Vertically integrated supply chain with 1st tier suppliers → Business model that includes 2nd and 3rd tier suppliers
• Country or geographic → Global
• Contingency planning → To include crisis management
• Reactive → Proactive

How do the results compare

Global risks sixth edition
Longer term view (produced in collaboration with Zurich)

TOP TEN
1) Climate change
2) Fiscal crises
3) Economic disparity
4) Global governance failures
5) Extreme weather events
6) Energy price volatility
7) Geopolitical conflict
8) Corruption
9) Flooding
10) Water security

ONES TO WATCH
• Cyber security [online data / information security]
• Demographic challenges [age structure / population growth]
• Resource security – commodities / energy challenges (volatility)
• Retrenchment for globalisation [protectionism]
• WMD [terrorists / geopolitical conflict]

Interactive website: http://www.weforum.org/globalrisks2011

Supply Chains Today

• Global sources of supply
• Global customer destinations
• Focusing on core competence, more outsourcing
• Greater interdependence among supply network
• Lean supply chains, reduced inventories
• More customers, increasing complexity
• Dependence on transborder exports
• Complexity!
• More parties in the supply chain
• Increasing distances
• Dependence on transborder imports
• Fragile supply chains
• Result is high vulnerability
• Our vulnerability is a function of the supply network

James B. Rice, Jr., MIT Center for Transportation and Logistics

High Consequence-Low Probability Disruptions

HC-LP Disruptions…
• 9-11
• Foot and Mouth Disease
• SARS
• West Coast Lockout
• 2003 Blackouts (EEU, US)
• London/Madrid Attacks
• Katrina, Rita…
• Continued terror attacks

…and their impact on SCs
• Borders, plants shutdown
• Tourism, auto OEMs on hold
• Supply Availability
• $10-20B, no containers
• Loss of info systems
• Lost production, sales…
• Investment concern….
• 10% oil refining capacity lost, impact on Fed interest rate, global economy!

High Consequence-Low Probability Disruptions

[Figure: timeline of disruptions, 1997 to 2005. Events shown: Toyota Brake Plant Fire; GM Labor Strike; Ford-Firestone Tire Recall; Sept. 11 Terrorist Attacks; Philips Plant Fire; UPS Labor Strike; Quebec Ice Storm; Taiwan Earthquake; Scandals: Enron, Andersen, Worldcom; FMD UK; West Coast Ports Lockout; Madrid Attack; Blackouts US, Europe; Katrina; Iraq War; Tsunami; Ok. tornado - GM; SARS; Nor’Easter; London Attacks.]

Ref: Adapted from Dr. Debra Elkins, General Motors

The risk management challenge

[Figure: matrix of Consequence/Impact (low to high) against Probability of Occurrence (low to high).]

• Where can we reduce the probability?
• How can we reduce the consequence?

Reduce Vulnerability to Disruption

1. Reduce probability of disruption: increase security, prevention
2. Reduce consequences of disruption: increase resilience

[Figure: Probability/Risk of Disruption (low to high) against Consequences of Disruption (low to high), ranging from Low Vulnerability to High Vulnerability.]

Ref. – Sheffi, Rice & SC Response Project

The five sources of risk

• Supply risk
• Demand risk
• Process risk
• Control risk
• Environmental risk

[Figure: Location of risk in the supply chain. Labels: Supply risk, Process risk, Demand risk, Network/Control risk, Environmental risk.]

The five sources of supply chain risk

Demand Risk
• Loss of major accounts
• Volatility of demand
• Concentration of customer base
• Short life cycles
• Innovative competitors

Supply Risk
• Dependency on key suppliers
• Consolidation in supply markets
• Quality and management issues arising from off-shore sourcing
• Potential disruption at 2nd tier level
• Length and variability of replenishment lead-times

Process Risk
• Manufacturing yield variability
• Lengthy set-up times and inflexible processes
• Equipment reliability
• Limited capacity/bottlenecks
• Outsourcing key business processes

Network/Control Risk
• Asymmetric power relationships
• Poor visibility along the pipeline
• Inappropriate rules that distort demand
• Lack of collaborative planning and forecasts
• Bullwhip effects due to multiple echelons

Environment Risk
• Natural disasters
• Terrorism and war
• Regulatory changes
• Tax, duties and quotas
• Strikes

Assess Vulnerability

• Analyzing risk – look at source of risk
• Terrorism
• Labor unrest, supplier failure
• Predictability by region, season
• Use data – probability distribution function (pdf)
• Labor unrest often adjusts to the response
• Awareness of supplier financial health
• Natural disaster (e.g. earthquake, etc.)
• Map network impact: Location, trophy status, proximity
• Threat adjusts to the response
• But limited data makes pdf impossible in many cases
• Qualitative analysis
• “Staple yourself to a shipment”

Infrastructure Vulnerability

• Power
• Water
• Transportation systems
  • Roads, bridges, ports, ferries
  • Cargo, personnel
• Information
• Waste
• Other

Robust or resilient?

• A robust process can be defined as “a process able to deal with reasonable variability”
• A resilient supply chain can be defined as “a supply chain with the ability to recover quickly from unexpected events impacting supply chain performance”

A robust process can deal with reasonable variability in input whilst maintaining good control over output variability. It has some resilience but is it capable of recovery from an event that causes exceptionally high levels of variability in input or output requirement?

Characteristics of Robust and Resilient supply chains

Robust | Resilient
‘Lean thinking’ central to supply chain management | Risk mitigation central to supply chain management
Lean | Agile
Strong | Elastic
Internal quality control | Internal and external risk management
Responsive to reasonable variation in input | Capable of responding to sudden and significant variation in input
Low inventory levels throughout | Built in spare capacity and buffers at critical nodes
Supply chain Velocity | Supply chain Velocity & Acceleration
A culture of quality awareness (i.e. Six Sigma) | A culture of risk and quality awareness
Processes are stable and under control |
Non-value adding activities and processes removed |

Principles of Resilience: Reduce the Consequences

• Business Continuity Planning (BCP)
• Create Supply Network Resilience
• Ability of supply network to sustain variations in supply and demand, and to recreate itself after disruption
• Achieve through Flexibility and Redundancy
• Flexibility
• Design to ‘fail smartly’ – the system WILL fail; plan to fail so that the damage is not crippling
• Focus on Failure Mode Analysis, not source
• “Options” thinking and planning
• Responding through actions that entail prior investments in infrastructure and capabilities
• Redundancy
• Responding through actions that entail prior investments in capital and capacity that may not be used

Many Pathways to Flexibility

• Flexibility through interchangeability
  • Standard facilities (Intel, GM)
  • Standard parts (Dell, Lucent SCN, Southwest Airlines)
  • Standard processes (Helix, UPS)
• Flexibility through postponement (Benetton, H-P)
• Flexibility through supply (Jabil, Lucent, Toyota)
• Flexibility through distribution (Caterpillar, Dell)
• Flexible culture
  • Awareness of risks, tradeoffs
  • Early warning systems (Nokia)
  • Education for awareness
  • Training for response (Intel)
  • Distributed decision-making (P&G, UPS)
  • Open and unconstrained communication (Dell)

Sources: “SC Response Project Interim Report” by J. Rice, F. Caniato, Aug 8, 2003; Draft of SC Response Book project, Oct. 2004, later pub as “The Resilient Enterprise” by Y. Sheffi

Design for Resilience

Nokia
• March 2000 – fire in Philips NM plant
• Nokia – Fast detection via sensing system
• Nokia – Immediate response cf. Ericsson
• Cross-models trade-offs
• Chip re-design
• Philips capabilities elsewhere
• Alternate suppliers
• Results:

Slide from Prof. Y. Sheffi, MIT SC Response Project 2004

Actions to Reduce Probability

• Secure supply network operations
• Access control, physical security
• Employees screening: hiring, ongoing (‘the enemy within’)
• Reduce uncertainty via visibility, early detection systems
• Red Team Exercises to find weak points
• Collaboration for network security
• Industry: Shippers AND carriers develop standards of care
• Global Security Initiatives
• Education to create security/risk awareness
• Training for response and mitigation
• Secure supply network planning and design
• Network Design
• Location – multiple sites, low risk sites
• Fewer stages
• Organization Design
• Integrate logistics, risk management, security organizations
• Enable culture of awareness and response

Enlightened Security Leadership

• Big ‘S’ Security (be careful how you pronounce it)
• Security integrated into business decision-making
• Identifying, mitigating and managing enterprise risk
• Prevention and then rebounding from loss/incidents
• Efficient and effective transborder capacity
• Multiple dimensions of security
• Business leverages SC & security investments for advantage.
• Leaders see disruption as inevitable, focus on
• Beyond compliance, asset and personnel protection, incident investigation
• Entails protecting the firm’s ability to maintain economic activity
• Physical, information, intellectual property/process
• Enterprise-wide, entire supply network considered
• Business case developed to support investments
• ROI on security investments…..

Security Leader Actions

• Customer-supplier collaboration: Shared contingency plans, alternative sources.
• Learning from past disruptions: Building on past experiences to make organizations stronger.
• Supply chain drills and mock exercises: Performing training and conducting exercises that include simulations of supply chain disruption.
• Emergency operating control center: A facility to manage and coordinate the response to unexpected disruptions.
• Formal security strategy: Implementing a comprehensive, documented strategy as base of security & resilience initiatives. Layered system, multiple failures required to really fail.
• Cost/benefit analysis: Quantifying actual or expected costs and benefits. Capturing collateral benefits: ROI!

[Figure: Collateral Benefits Linkage Map. Nodes: Asset Visibility; Location and Status Exceptions Evident; Action Required!!; Real-time Correction; Theft and Interruption Prevented; Location, Status Known Real-Time; Lower Uncertainty; Less Safety Stock Required; Less Space Required; Reduce Stock Points; Shorter Cycle Times; Lower Working Capital, Op Cost.]

SC Risk Management Maturity Levels

[Figure: maturity levels PreCompliant, Compliant, Secure, Resilient. Text recovered from the figure, in extraction order:]
• Ultimate Economic Viability
• Resilient
• Low Probability but High Consequences
• Secure
• Outside stds insufficient
• Not disadvantaged but not leveraging potential; high probability and consequence, CTPAT Compliant
• Economic viability at risk: High prob & consequence, disadvantaged vs C-TPAT compliant competitors
• Compliant
• PreCompliant
• Not C-TPAT compliant
• Response to regulations
• Security as cost of business.
• Emphasize security & prevention to help company protect its economic viability
• Security seen as part of business model
• Business strategy leverages supply chain and security investments for comp advantage
• Disruption seen as inevitable, focus on resilient supply chains.
• Manage risk via secure, resilient, efficient, effective transborder processes
• Standard transborder movements
• Secure facility, ltd prevention

Ref: Forthcoming article in Supply Chain Strategy by James B. Rice, Jr. (MIT) & William Tenney (Target)

Focus by Process and Level

Key Process Areas | Pre-Compliant | Compliant | Secure | Resilient
Leadership | No risk focus | Program Compliance | Prevention, security | Response for advantage
Internal Integration | None | Reactive coordination | Proactive coordination | Integrated teams manage security, resilience, risk
External Partnership | No defined partners | Limited interaction | Partners involved in security only | Partners in risk mgt, resilience
Visibility | Zero to limited visibility | Some system visibility | Partner visibility | End-to-end visibility
Risk Mgt | No standards | Nascent security standards | Partners prescreened | Partners help manage risk
Risk Detection | None | Some reactive procedures | Some proactive procedures | Procedures to ID emerging risks
Training | No training | Internal training | Security training with/for vendors | Full scenario & contingency ex.
Communication | No plans | Reactive | Proactive | Response and recovery plans
Culture | No awareness | Compliance only | Security and compliance | Actions affecting security, resilience

Key Resilience & Security Issues

A false sense of security & confidence?
• Some active responses, but not comprehensive
• Most leaders had to experience pain first before responding…..
• Risk assessments not comprehensive, not quantitative
• A 2nd source may not have the same security/resilience, or maybe less
• “We’re C-TPAT compliant, that’s our plan”
• Focus on facility security does not improve network security/resilience
• Network risk not yet embraced

Can firms learn?
• Nearly all progressive firms had to experience pain first
• Many examples of failure to learn from the pain….
• Many Bhopal fatalities could’ve been avoided with basic evac training
• Union Carbide experienced another potentially deadly gas leak after Bhopal because improvement actions from Bhopal were not applied

Closing

• Today’s supply chains = complex + vulnerable
• How to respond?
• Reducing consequence: resilience
• Reduce probability and consequences: depends on risk assessment
• Business Continuity Planning: Focus on Failure Mode
• Flexibility offers daily payoff
• Socialize response: Educate for awareness, train for response
• Building resilience in supply chains protects our economic engines