Supply Chain Risk Management and Disaster Mitigation: Part 3

Stephen DeAngelis

February 24, 2011

This is Part 3 of a 4-part series on supply chain risk management. In Part 1 of the series, I discussed the fact that many companies are overconfident in their ability to handle supply chain disruptions or seem to be in denial that disruptions could affect their business. In Part 2, I noted that experts believe that supply chain risk management remains in its infancy (which could help explain why so few companies have truly robust business continuity/disaster recovery (BC/DR) plans in place. In this post, I want to relay some expert advice about how to establish and test risk management plans. Before I examine what the experts are saying, however, I want to remind you that supply chain risk management is much more complex than simply dealing with “inside the chain” risks that could affect internal processes, suppliers, and customers. A truly robust supply chain risk management system looks outside the supply chain at weather, politics, demographics, etc. The more factors that a company takes into account in preparing its plan, the better prepared it will be for whatever eventuality occurs. Bill McBeath notes, “Early warning gives companies a much broader range of options to deal with potential problems in a systematic way” [“Managing Supply Risk Part One – Quantifying and Predicting Supplier Risk,” ChainLink Research, 2 November 2010]. In his superb four-part series on this subject, McBeath begins by discussing “how companies [can] ensure continuous affordable supply by measuring supplier risk and anticipating potential supplier problems.” He writes:

“Sourcing professionals are expected to predict and mitigate the constellation of risks that have arisen from increasingly globalized sources and supply chain complexities, involving orders of magnitude more players. But we shouldn’t complain too much because risks = opportunities. Those who can handle this complexity, who create the agility needed to deal with supply disruptions, and who preemptively alleviate supplier problems, become valuable players within the organization. Managing supplier risks (non-performance, bankruptcy, etc.) as well as supply risk (industry capacity constraints, disruption of supply, allocation, etc.) has always been a core function of sourcing. However, with globalization and outsourcing, there are so many more things that can go wrong. The management of risk has taken on new dimensions of complexity and criticality, demanding new approaches and methods for mitigating risks.”

As noted in previous discussions, gathering data is not simple because knowing exactly what should be gathered, how to interpret it once it is obtained, and when to act on the knowledge gained is as much art as science. In an ideal world, data would be gathered on as many subjects as possible, all of that data would be integrated, and a combination of artificial and human intelligence would help make sense of it all. In the real world, however, somebody generally makes an assessment of what risks could have the most impact on a business and most of the company’s intelligence resources are focused on them. On the front end of this assessment, nothing is more important than reliable suppliers. McBeath continues:

“It is common sense, but not necessarily common practice to quantify the risks for each of your key suppliers. The approach taken by one major high tech manufacturer we talked to provides a good template for managing supplier risk. They group their suppliers into A, B, and C tiers, based on strategic importance, volume, and a few other factors. It is mandatory for their buyers to maintain a risk profile for every ‘A’ tier supplier. The risk profile incorporates elements such as financial health, political stability, infrastructure risks, and natural disaster risks of the regions in which the supplier operates. For example, some cities in China have frequent power outages, which can last days, which is disastrous for PCB (printed circuit board) manufacturing. The suppliers are ranked into risk categories—the lower the rating, the riskier the supplier. These are used in supplier selection and negotiations. Category 1 (highest risk) suppliers are never used. Use of category 2 suppliers (second highest risk) depends on the availability of alternatives. If there really are only one or two suppliers of a specific item or material worldwide, then this company may still do business even with a category 2 firm. If the supplier is important, the buyer will work with them to find ways to lower risks, but that is not always possible (you can’t necessarily ask your supplier to build a new factory in a different geographic region). So, the sourcing group sometimes will go back to the design engineering group, to explore if there is a way to redesign the product to allow selection of a lower risk supplier.”

Another method of mitigating a higher risk of disruption from a lower-rated supplier is maintaining a higher level of inventory from that supplier. Certainly that is not an ideal situation, but it is better than the alternative — having no supplies at a critical time. Risk profiles and supplier ratings, however, are great tools to help make more informed procurement decisions. McBeath continues:

“The key lesson here is that supplier risk should be methodically measured for key suppliers and systematically used in the selection process. Exceptions (selection of high risk suppliers) must go through a justification process and trigger risk mitigation planning activities and actions. No more eyes half shut to supplier risks, just because we’ve always used them or know someone there!”

Having just emerged from “the so-called year of the catastrophe” and a global recession, companies should now be operating with their eyes wide open to supplier risks. As the global middle class continues to emerge, they will bring with them social upheavals and new opportunities that should not be overlooked. McBeath goes on to note that risk profiles and supplier ratings can be bolstered by actual supplier performance data. In many ways, the past is prelude to the future. He notes that one “large diversified industrial manufacturer … found that having all their supplier performance data centralized proved to be very useful in helping them proactively manage supplier risk.” Using this centralized data, the manufacturer has “been able to automate predictive supplier risk management.” The manufacturer combines three sources of information, which are:

  • “Publicly available data—such as credit worthiness, how quickly the suppliers pay bills, lawsuits, court actions, earnings, number of people on payroll, etc., all of which can be bought from companies like D&B and mined from publications and the web by bots (software agents for data mining and monitoring).
  • “Qualitative supplier performance data—feedback and evaluation of suppliers by the people within the buyers’ organization: buyers, engineers, users, manufacturing, quality personnel, etc. Gather direct intelligence on how the supplier is performing relative to their peers from the individuals who are interacting with the suppliers.
  • “Quantitative supplier performance data—their centralized database pulls actual performance data (e.g. on-time delivery, quality, etc.) from the companies’ various execution systems.”

McBeath reports that this data is used to analyze “patterns to predict in advance the risk of supplier failure. For example, if quality and delivery are faltering, the firm’s financial performance is shaky, and/or qualitative ratings are declining, then a red flag is raised.” He goes on to note that some indicators (like deterioration in quality) “often precede financial declines.” The most important point he makes is that “integrating these different sources of information creates a better predictive tool than viewing the data points in isolation.” I couldn’t agree more. One of the things we specialize in at Enterra Solutions is aggregating data in order to make sense of it. McBeath concludes:

“The ability to spot trouble ahead of time is extremely valuable. It allows [manufacturers to implement] mitigation strategies before there is a crisis. This gives them a broader range of choices in action and the time to act calmly and deliberately, avoiding expensive, sub-optimal, hasty reactions and possibly a very expensive, high-profile supply failure. By quantifying supplier risk and proactively monitoring and predicting potential trouble, firms can greatly increase the chances of ensuring uninterrupted supply at a price that they can afford.”

To set the stage for the second part of his series, McBeath asks: “Do your key suppliers have a working disaster recovery/business continuity plan if one of their plants or critical IT systems goes down?” He then states, “If you don’t know, you are inviting disaster.” [“Managing Supply Risk Part Two – Supplier Business Continuity,” ChainLink Research, 9 November 2010]. In parts 1 and 2 of this series of posts, I discussed the need for your company to have business continuity and disaster recovery plans. McBeath is suggesting that you should insist on your suppliers having them as well. He writes:

“As part of your overall risk strategy, it is important to ensure that your suppliers have good disaster recovery/business continuity plans in place. This should be a requirement embedded in your contracts with key contract manufacturers and suppliers. It is particularly important during seasonal or end-of-quarter loaded timeframes when the majority of a company’s products are shipped and profits made. If disaster happens during that window of opportunity, it is vital to rapidly recover the critical processes and infrastructure or risk losing huge amounts of revenue, profit, and shareholder value.”

McBeath goes on to describe how one company uses “several useful elements to [implement] their supplier disaster recovery strategy.” Based on those elements, he believes that companies should:

  • “Audit and qualify … facilities owned by … contract manufacturers as possible backup manufacturing sites. This allows [companies] to know ahead of time what they are working with, and pre-plan the necessary migration steps with their suppliers.
  • “Use inventory management to minimize the impact. …
  • Have a very complete and up-to-date list of product-specific tooling – test fixtures, board fixtures. If disaster strikes, they won’t have to spend days trying to recreate that information, hoping their suppliers might have it. Instead, [companies know] exactly what they need in order to recreate the entire setup. …
  • [Build] priority clauses … into their contracts. [Negotiate] ‘go to the front of line’ clauses with key suppliers. … This provides valuable insurance, well worth the small added cost. A buyer with large volumes may be able to negotiate this type of priority clause without a price increase.
  • Audit the supplier’s business continuity plans and testing. Checking that suppliers’ plans have all the attributes of successful business continuity planning and that suppliers are conducting tests of their disaster recovery and continuity plans on a regular basis (e.g. every 6 months). A recovery plan that has not been tested recently is often nearly worthless.”

McBeath raises a great point about testing continuity plans on a regular basis. What he doesn’t tell you is how to test the plan. Daniel Stengel, a risk management expert, reports, “There is limited literature on using simulation to evaluate supply chains under stress [“Case Study: Stress Testing Supply Chains,” Supply Chain Risk Management, 7 February 2011]. But he does claim that “stress tests are an acknowledged method to test systems under extreme conditions.” Stengel’s post refers to a case study that did test a supply chain under stress using a simulation. He concludes:

“In this case stress testing helped the company: to gain a better understanding of their supply chain and to improve supply chain operations. It also helped the customer to gain confidence in the capabilities of its supplier. I find it an interesting thought, that proven reliability, in this case based on a transparent simulation model, can support a company to gain new customers. But also other companies, which have a strong emphasis on supply chain risk management, are using stress testing for their supply chains, one example would be Dow Chemical. The complete article can be downloaded here free of charge.”

If your company and its most critical suppliers can conduct simultaneous tests of your risk management systems, it might save both time and money and provide a better test of overall capabilities. I can promise you that if your testing procedures don’t stress the system to the point of breaking, you are doing yourself no favors. McBeath concludes:

“Of course the level of effort you put into ensuring supplier continuity will depend on the criticality of the supplier and the availability of alternate sources. For really critical suppliers, you will want to actively audit them. For the next tier of suppliers, it may be good enough to survey them about their capabilities (self scoring). Your supplier continuity program should be an integrated part of your broader supplier risk and supply chain risk program, which would consider things like whether you have too many resources across your entire supply chain concentrated in one geographic area. It takes time and effort to implement a decent supplier disaster recovery strategy. But the do-nothing-and-hope-for-the-best alternative is inviting a real disaster for your company … and for your career!”

In the final part of this series, I’ll discuss the importance of hedging strategies and examine attributes of a good business continuity plan.