Table of Contents
Title Page
Copyright Page
Dedication
About the Author
Preface
Acknowledgements
Introduction
CHAPTER 1 - The Laws of the Laws
Laws of the Laws
Risk Management Defined
Law of the Laws #1: Everyone, without Exception, Is Part of a Supply Chain
Law of the Laws #2: No Risk Strategy Is a Substitute for Bad Decisions and a ...
Law of the Laws #3: It’s All in the Details
Law of the Laws #4: People Always Operate from Self Interest
Indirect and Secondary Impacts
What Can You Conclude?
Notes
CHAPTER 2 - Law #1: If You Don’t Manage and Lead Change, You Have to Surrender ...
The Risk Wake-Up Call—Planned Change, Unplanned Consequences
We Can’t Change the Past, but . . . Can We Change the Future?
Can You See the Icebergs Ahead?
Notes
CHAPTER 3 - Law #2: The Paradigm Should Destroy the Parasite
The Paradigm in Action
Why Does the Organization Need to Identify a Supply Chain Risk Paradigm?
Beware! The Paradigm Can Shift without Notice
If the Shoe Fits
Notes
CHAPTER 4 - Law #3: Manage Your Business DNA in a Petri Dish of Evolving Risk
Expanding the Risk Awareness Universe
Know Your Business—Know Your Surroundings
The Keys to Your Risk Kingdom
Your Operation’s Complete Footprint
Your Action Plan
Notes
CHAPTER 5 - Law #4: In Supply Chain Risk Management, Demand Trumps Supply
Everyone’s Customer
Building Your Demand-Based Strategy
Market and Client Factors to Consider
Notes
CHAPTER 6 - Law #5: Never Set Up Your Suppliers for Failure
Supply Chain Risk Management Program
Sourcing Strategies That Create More Risk, Not Less
Trust but Verify
Notes
CHAPTER 7 - Law #6: Managing Production Risk Is a Dirty Job
Going Global with the Production of Risk
A New Collaborative Effort
Why Is Production So Critical?
Part Two of the Double Whammy: Labor
Notes
CHAPTER 8 - Law #7: The Logistics Risk Management Rule: Managing the Parts ...
What Is Logistics Risk?
Cargo and Warehouse Theft
The Piracy Risk
What’s at Risk?
Single Points of Failure and Aggregate Risk
Supply Chains Don’t Survive on Product Flows Alone; Information Flows Are Essential
In the End It’s All about the Priorities and Economics
Notes
CHAPTER 9 - Law #8: Mitigation: If Supply Chain Risk Management Isn’t Part of ...
Now What Do I Do?
Enter the Risk Intelligent Supply Chain
Economic Change—A Catalyst for Redefining Resiliency Management
Predisruption
At Time of Disruption
Postdisruption
What Is Risk Mitigation?
Notes
CHAPTER 10 - Law #9: Financing
Insurance and Its Role in Supply Chain Risk Management
Background on Insurance in the Supply Chain Risk Area
Current Insurance Solutions and Their Limitations
Introducing Supply Chain Insurance: Approach and Challenges
Corporate Customer Benefits Arising from Supply Chain Insurance
Conclusions
What Does the Future Hold?
A View from the Insurer’s Side
Notes
CHAPTER 11 - Law #10: Manage the Risk as You Manage Your Own
Questioning Old Assumptions
Personal Laws of the Laws
Index
This book is printed on acid-free paper.
Copyright © 2009 Gary S. Lynch by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
Library of Congress Cataloging-in-Publication Data:
Lynch, Gary S. (Gary Scott), 1958-
Single point of failure : the ten essential laws of supply chain risk management / Gary S. Lynch.
p. cm.
Includes index.
eISBN : 978-0-470-57046-3
1. Business logistics. 2. Risk management. I. Title.
HD38.5.L963 2010 658.5’03-dc22 2009026530
I dedicate this book to the future generations that now must manage the risk created by prior generations. To my children Christopher, Robert, Colleen, and Brian; my daughter-in-law Katie; my nieces and nephew, Brian, Jennifer, Matt, Tracey, and Katie; to my best friend’s children, Eden and Erika—I wish you well, for you are the ones who have to tame the risk parasite, a new world of uncertainty, one that is moving faster than anyone’s ability to understand. Finally, I dedicate this book to all those who protect and serve our great nation—thank you.
About the Author
Gary S. Lynch, CISSP, is an internationally recognized expert on risk management issues. He is an author and Global Leader of Marsh’s Supply Chain Risk Management Practice. He also leads Marsh’s Global Pandemic Response Center. He works as a management consultant, specializing in helping senior executives solve complex risk issues. He has developed critical thought leadership and solutions around emerging risk issues, including supply chain risk management and financing, information protection strategies and schemes, value chain risk strategies, pandemic preparedness, and IT risk.
Lynch has contributed to the World Economic Forum (WEF) Global Risks Report and participated on a China European Institute & Business Studies/WEF panel on risk with directors and CEOs from privately owned Chinese-based organizations. Lynch has been a speaker on pressing global business risk issues for organizations such as Asia Pacific Economic Cooperation (APEC), Risk and Insurance Management Society (RIMS), the World Customs Organization (WCO), and the Wharton School, Center for Risk Management and Decision Processes. He also is a member of the advisory board for the New York Institute of Technology’s Center for Risk.
Lynch has held client-facing leadership positions over sixteen years:
• Managing Director and Global Practice Leader, Supply Chain and Risk Intelligence, Marsh
• Partner, Booz Allen Hamilton
• Partner, Ernst & Young
• Research Director, IT Risk, Gartner Group
He has also held senior management positions over seventeen years:
• Chief Information Security & Continuity Risk Executive, Prudential
• Corporate Information Security Executive, Chase Manhattan Bank
Lynch is the author of At Your Own Risk: Creating a Risk-Conscious Culture to Meet the Challenge of Business Change, published by John Wiley & Sons in May 2008. He has appeared on Bloomberg TV, CNBC Asia Squawk Box, NBC Nightly News, and ABC. Lynch has been published in the Wall Street Journal, Financial Week, CEO Magazine, Financial IT Decisions, CIO Insights, The Asset (Asia Pacific), Business Review Weekly, Institute of Internal Auditors (Information Security Management & Assurance), Information Security magazine, Knowledge at Wharton, The Conference Board, and Computerworld.
Lynch is a member of the National Association of Corporate Directors (NACD). He received a commendation from the U.S. Secret Service for his 9/11 disaster response and support activity and was awarded the Silver Medal of Valor by the Nassau County Fire Service, New York.
Preface
Have you ever stopped for a moment to think about what is needed to produce the products you depend on? Critical drugs like blood thinners, polyethylene (plastic) based products such as syringes, isotopes for medical imaging, or milk based baby formula? Or maybe your livelihood depends on your ability to transport products, your customers having access to your online order entry system, or the timely receipt of parts from your suppliers on the other side of the world. But because of a product contamination, failure of a key supplier, labor strike, trade credit squeeze, earthquake, pandemic, software glitch, project mismanagement, or some other adverse event—what you depend on is simply not available.
Ironically, as this book was on its way to print, that was the case for a select group of patients with rare genetic disorders. According to a Wall Street Journal article, Genzyme Corporation, the biotech company that produces Cerezyme and Fabrazyme (enzyme replacement drugs), had to shut down a critical node in its supply chain—the main U.S. manufacturing plant. The identification of a suspected virus in a vat used to make Cerezyme was the suspected cause. Company officials stated that this single point of failure would cause shortages over the next few months, while analysts were estimating the potential lost revenue from the shutdown to range between $100 million and $300 million.[a] A virus, an unplanned event that suddenly threatened the well-being of the patients as well as the financial stability of the organization, had halted this supply chain.
The occurrence of a single point of failure, the breakdown of any given product, information, and/or cash flow caused by a process or resource (e.g., people, technology, physical, or relationship) failure at any given point in global interdependent and interconnected supply chains may interrupt the flow of goods and cause systemic failure. Ask yourself:
• What do I depend on?
• What are these single points of failure and how will my organization be impacted by a failure at different points in the supply chain?
• How do you recognize whether or not you are exposed (and to what degree)?
• Who is responsible for understanding and managing this risk?
• When and where are you most exposed?
• Why should you invest time, resources, capital, and management attention to address these risks?
• And, most important, what can I or my organization do about it?
These are just a few of the questions that I set out to address when I began this book and that you need to keep in mind as you read forward.
When I began the journey, I found that many of the people with whom I interacted globally struggled to define, understand, and articulate the concept of supply chain risk management. All acknowledged that it was important and that they should be addressing the risk—but most weren’t sure if they really were addressing it and they couldn’t concisely define who owned the problem. In many instances, they didn’t know where to start.
So with the help of dozens of experts from industry and academia located around the globe, I set out to define a common language, a shared context, and comprehensive framework to help better understand and manage supply chain risk management. I documented the lessons learned as well as the lessons not learned. This is just the beginning of the journey, and after I completed the manuscript, I realized that I had only begun to scratch the surface. There was so much more to address: enterprise resource planning systems and supply chain technologies, environmental risk and regulations, geopolitical challenges, climate change, and compliance to name a few. I will save those topics for another time. I share with you the countless challenges, practical experience, and the frustration faced by so many senior managers—risk, procurement, logistics, operations, security, product quality, distribution, compliance, manufacturing, finance, and even directors and senior officers. The issues are not unique to any industry, geography, company, function, or individual. But what is unique is the supply chain itself. Richard Steinke, Executive Director of the Ports of Long Beach, stated, “if you have seen one supply chain . . . you’ve seen one supply chain.”[b] I would add to his comment that if you’ve seen it—look again—that supply chain and associated risk has probably changed. Simply put, organizations rely on dozens, if not thousands, of virtual supply chains in which the participants and the paths are constantly reshuffled.
So let’s begin the journey together and acknowledge that there is no end point and that we will be forever learning, improving, and hopefully reducing the risk to the supply chains that we depend on so heavily to deliver what we value the most.
Acknowledgments
Over the past few years, I was fortunate to work alongside many brilliant and experienced professionals from a variety of private industries, public organizations, and geographies. All were concerned about the mounting supply chain risk issue. It was their concern that motivated me to write this book. I’d like to recognize some of the many people who have helped me assemble Single Point of Failure. Unfortunately, contractual obligations of my day job force me to maintain client confidentiality so, for the most part, I regretfully am unable to publicly share their names or the employer’s names. However, I silently want to extend a special thanks for their contribution, confidence, and, most of all, countless real-world stories of the near misses and failures they experienced while trying to manage the forever changing supply chain risk parasite.
Single Point of Failure would not have been possible without the participation, writing, and mind-share from a group of individuals that share my passion to raise awareness to this escalating concern. Nick Wildgoose, Supply Chain Global Product Manager, Zurich Global Corporate, thank you for taking time out of your incredibly hectic schedule to provide the extensive content that led to the creation of the chapter on risk financing. I would like to thank Ben Tucker, Managing Director, Property Practice and Paul McVey as well, Managing Director at Marsh Property Claims for sharing his many, many years (I promised I wouldn’t tell) of experience managing complex business interruption and property-related claims. I would like to extend my gratitude to Paul Ranta and the Corporate Responsibility Team at Nike for their contribution—I appreciate that you took the time to discuss your “war stories,” daily challenges, and evolving strategies. Thank you, Kate Meyers, Senior Manager, Global Corporate Media Relations; Caitlin Morris, Director of Stakeholder Relations; Mark Loomis, Manager, Corporate Responsibility, and, of course, Paul, Sustainability Manufacturing Operations. Thanks for bringing it all together and helping me understand the daily risk challenges of operating in so many different cultures and political systems. Craig Bartol, Nike’s Global Risk Manager, thank you for your insight with regard to the learning challenge and the need to apply lessons learned to continuously improve the overall risk management program. As I began the process of creating this book, several people were instrumental in shaping my thinking. 
Gary Mucha, Senior VP of Business Integration and Performance Excellence—thanks for challenging my thinking and driving the concept of the “risk paradigm.” David Nadler, Vice Chairman, Marsh & McLennan Companies, and an expert on organizational behavior—thank you for your insights on the changing business climate and the need for intelligent, collective, technology driven, and socially engineered risk problem solving. Rajeev Kadam, Vice President of Olam International Ltd.—your explanation of risk was spot on; I will carry it forward in my global travels. James Irwin, Global Tamiflu Product Manager, Roche—I appreciated your early insights and perspective on the “people” element of managing complex risk. The research you and your organization provided early on was helpful in formulating the content in the chapter on the demand driven supply chain. Bob Murphy, VP of Operations, Rockwell Automation, thank you for agreeing to share your 30 plus years of experience and insight; your passion for execution is what moves many of these concepts and constructs off the paper and onto the shop floor. Your view of managing supply chain risk management within a given corporate culture was enlightening.
I would also like to express my gratitude to Karen Avery, Managing Director and Head of Business Continuity, for your valuable insights, perspective, and the eleventh-hour proofing; Drew Staniar, a 30 year consumer packaged goods expert and SVP, Marissa Antonio, and Marc Cerro, all colleagues of mine on the Marsh Supply Chain Risk Management Solutions team; Matt Enuco for your early writing and ideas; and Colleen and Brian Lynch for sacrificing the time to proof the many revisions of the chapters.
This book represents the beginning of a journey, one with many twists and turns I experienced while trying to create this material. Yes, even I was substantially impacted by change as the financial crisis took hold; it forced me to dispense with the early writings, push back the delivery schedule, and start over. So let me end the acknowledgments by saying thank you to John DeRemigis and Judy Howarth at John Wiley & Sons, Inc. for being so patient and supportive. I’d also like to thank Michael Thomsett for helping me write this book. Michael, your patience and support (let’s not forget your ideas) made this happen. Finally, I’d like to thank Myriam Carayannis, my executive assistant at Marsh, for running interference, working the network and calendar, and basically keeping me from jumping off the ledge. Thank you!
P.S.: I forgot one more acknowledgment—to the crew at the Chester Starbucks in New Jersey and Liz and the gang from the 44th Street Starbucks, thank you for the caffeine kick and the conversations. I knew I could count on a visit to get the words flowing again whenever my engine stalled. Please, keep your supply chain resilient; it’s part of my critical infrastructure!
INTRODUCTION
Getting to the Truth
It’s not what you look at that matters, it’s what you see.
—Henry David Thoreau
One thing that never ceases to amaze me, after 30 years of working for or with dozens of organizations, is that there are so many conflicting beliefs about the true objective of that organization. This is especially true when it comes to managing and prioritizing the risk to the lifeline of that organization—the supply chain.
Most of you know what I mean. If you ask three people in your organization to describe the objective of their business, you are going to get three different answers. The marketing manager might tell you that the objective of their business is to get the product visible to the greatest number of customers; accountants might say they are in the business of controlling budgets and preparing payroll; and the mail-room clerk might explain that he is in the business of sorting and delivering mail. All have a functional view of their organization, and their actions typically extend to only what they can see, feel, or touch.
These disparate points of view overlook a key reality: The sum of parts enables the whole, but only if the objective is the same and the incentives and penalties are aligned with the agreed-upon objective. This is especially true when managing supply chains and supply chain risk. Everyone in the corporate hierarchy, from top to bottom, as well as anyone that comes in contact with the supply chain, has a role and specific responsibilities when managing risk to the flow of goods, services, information, and cash. However, the effectiveness and efficiency of supply chain risk management is totally dependent on understanding the organization’s value proposition (through the customer’s vantage point); product, information, and cash flows that support the creation of value; and the functions and resources that are used to support critical flows. Once this is understood, then the strength of each individual link in the chain as well as the strength of the connection between the links must be assessed (see Exhibit I.1).
To achieve this objective, the strength of the individual and connected links must be in proportion to the value being protected. Hence, the need to understand the hierarchy from the value to the resources used to support the creation and delivery of value. This applies to all those you’ve entrusted to be part of your chain; they must manage the risk to the links with the same degree of diligence. The responsibility for managing risk to the supply chain extends far beyond the accountability of anyone’s function. But those responsible for designing and maintaining the strength of the links, that is, mitigating the risk, must do so by first agreeing on the value and then on the risk appetite. Once the risk expectations have been set, then the goal is to establish a common risk conscious culture throughout the extended supply chain—one that provides clear incentives and penalties, and one that is not ruled by individual operating paradigms or static views of the risk profile. This is rarely the case.
Exhibit I.1 Supply Chain Hierarchy
The fact that so many people have not given serious thought to this reality is of great concern because it allows risks to permeate the organizational culture and behavior on all levels—internally (the organization) and externally (third parties). “It’s not my job” is a common answer to concerns raised about any number of problems, existing or anticipated, not due to the fault of the individual but merely inherent in functionally designed organizations, especially those with more than 1,000 employees. How many times have you heard “It’s not in my job description,” “It’s beyond my pay grade,” or “I think that’s someone else’s responsibility”? Unfortunately, our global economy is now dependent on far reaching, interconnected, and interdependent supply chains—with an infinite number of single points of failure. The market, these “chains,” and all of the resources now exist in a world where extreme volatility has become the norm—where we witness wild fluctuations in energy, material, and commodity prices; geopolitical instability; increasing numbers of natural and weather related events; and a constantly changing trade credit and financing market.
This extreme volatility directly impacts the supply chain by constantly shifting the network configuration, whether through a change to terms from cash payments to suppliers prior to shipping (versus a traditional letter of credit) or a change to the distribution strategy for which warehouses service customers. The need for financial discipline and rigor with regard to supply chain risk management and investment has never been greater. The days of rocky rides on roller coasters are over. Globalization has placed organizations on a supersonic rocket and launched them into deep space where many of the risks are unknown. We are now reaching a critical juncture, one that was highlighted by the World Economic Forum’s Global Risk Network in its “2008 Global Report on Risk.” For the first time, supply chain risk was identified as one of the top global risks. Single Point of Failure analyzes how the failure of one link, the failure of the interconnected links, and an abrupt shift in demand or supply (extreme volatility) could cause systemic failure. The book also describes why this growing problem is not isolated to a single company, industry, or country. I am hoping that you will gain insight from this book. After reading it, I believe that everyone will change their opinion and point of view and say, “It is my job” and believe that they really need to think about their own role in managing risk and promoting a risk conscious culture.
I’ve broken down the discussion of supply chain management into ten basic laws. These are universally applicable to all supply chains and to all participants, on one or more levels. These are not academic concepts, theories, or mathematical formulas; they are the operational basis and management principles that define whether your organization’s supply chain risk program succeeds or fails. I begin by setting some ground rules in Chapter 1, “The Laws of the Laws.” This chapter demonstrates the basic truths and practical realities about supply chains and supply chain risk management and defines common assumptions and the initial rules everyone needs to have in order to succeed. For example, you cannot expect others to manage the risk to the supply chain unless there is something in it for them—incentive or penalty. I refer to this reality as “people always operate from self-interest.” So when an organization pressures its suppliers to cut costs, then they should expect the people of that organization to do so in a way that does not significantly impact their financial well-being. A cost cut to an already laser thin supply chain will most likely result in a change to the risk profile, including the level of quality, service, and security. The balance must be struck between your risk appetite or tolerance and the opportunity offered by change. But one fact is certain: Everyone will operate from his or her own self-interests! I provide examples of this throughout the book, where best intentions turned into catastrophic single points of failure.
If the operating premise is wrong, so will be all subsequent efforts to fix these problems. While this might seem obvious as a mere statement, application proves that it is not quite so obvious. Without any doubt, you will be able to locate numerous examples of inefficient, expensive, and perhaps even dangerous systems within your organization, which have grown from a lack of definition in the first place.
As I expand into each of the ten laws, I apply “The Laws of the Laws” to each of the focused areas of discussion. I provide you with statistics, surveys, case histories, real life examples, and conversations from organizational leaders who have experienced not only successful supply chain operation but, of equal value, have gone through the expensive disaster of systems that have failed.
The purpose of this book is to focus narrowly on supply chain risk management as an expansion of my previous book, At Your Own Risk (John Wiley & Sons, 2008), where I addressed issues broadly for the risk-conscious culture of organizations. I use the term “supply chain” to distinguish a specific and comprehensive value chain described in my previous book—the flow of products/services, information, and cash. One important note: I use the term “supply chain” because of its universal acceptance (and, quite frankly, because of the way search engines are designed). However, this term is somewhat limiting. The supply chain represents the ecosystem of flows, relationships, infrastructure, labor, assets, technology, and process that drives the business. For most, it is the business—excluding the market and clients. As the supply chain concept evolved over the past decade, so did the opportunity to improve productivity, eliminate overhead, and speed the flow of goods and services.
Supply chains and supply chain management have matured and now represent the “business network” or “value chain” needed to support the innovation, creation, manufacturing, assembly, distribution, service, and disposal of product. So I will use the term “supply chain” as commonly accepted terminology and as a way of keeping everyone on the same script—one of the lessons I learned is the importance of common and standardized language to facilitate timely and accurate communication. My first book included detailed discussions and many, many examples of change and its impact; understanding the functional paradigms that served as the root cause for a certain decision (the way a function such as procurement or the external suppliers view their role in supply chain risk management); and consciousness as the beginning element of an action plan. While I discussed the supply chain in this context, the previous book was designed as an overview of the problems and solutions for operational risks.
This book shows you how everyone is involved in the supply chain itself, often on several levels at one time; how the footprint (the network) of the chain is exposed to an infinite number of constantly changing threats; how weak links in that chain represent threats and vulnerabilities (to profitability, continuity, safety, and health); and how those threats and vulnerabilities can be managed, reduced, and eliminated. This book is designed to address the concerns of executives responsible for overall operations; managers at divisional or even departmental levels (supply chain, procurement, logistics, risk management); employees; subcontractors (manufacturers and producers, outsourcing centers, and vendors, for example); and department or section leaders involved in day-to-day operations or in specialized projects. In other words, because everyone participates in numerous supply chains, everyone needs to be aware of common problems and what it takes to support a pervasive, risk-conscious, and common supply chain risk philosophy.
Of course, the best known examples of supply chain begin at the beginning—those industries that are closest to the raw materials or source of value. These industries include mining and minerals, energy, agriculture, and forestry. Without the natural resources—farms, fields, mines, rivers, animals, trees—there would be no opportunity to create value and enable the dependent industries, such as transportation, utilities, communications, life sciences, retail, chemicals, medical, and financial, to name a few. So, as we move upstream, closer to the source, the importance of managing risk becomes exponentially more important. On the other side of the equation, and equally important, is the demand, the market, and customers (and their organizations) whose chains touch the customer, patient, or the end buyer. These organizations wake up every day, relying on others’ chains to support the brand. Their chains are just an extension of others’ chains; however, they bear the burden of the brand risk. When those in the agricultural chain fail to manage risk and the result is melamine contaminated infant formula, the hospitals and retailers are the ones on the front line with the media and the public.
This view of supply chains and supply chain risk management is referred to as the demand view—without the demand, there is, of course, no need for supply. Therefore, when we look at supply chains and their outputs, we must look at them in the context of the customer and markets or demand side of the equation (downstream). As customer needs constantly evolve, and in many instances change in unpredictable ways, the supply chain must be ready to respond by rapidly expanding or contracting capacity, especially in times of great volatility and tight financial markets. The decisions to do so have significant risk implications as described in this book. My point in Single Point of Failure is to demonstrate that those same lessons also have universal application, and their solutions have universal appeal. So a contract manufacturer in an overseas product factory actually is not dealing with unique or segregated problems; the processes at that plant exist as part of a complex supply chain, and an enlightened manager recognizes that the level of risk passes from there all the way up the chain—from the manufacturing floor in Taiwan to the customer in New York. Marketing managers, accountants, and mail-room supervisors all face the same issues (as well as those who are directly engaged with the operations of supply chain such as logistics, procurement, production, and transportation personnel); they may not have the same name or involve the same control demands, but the concept is identical. All processes consist of a series of steps and functions that equate to a chain. But it takes only a single weak link, the single point of failure, for the entire chain to fail; so the risk conscious culture must be agile, resilient, sustainable, and adaptable. This premise applies everywhere and to everyone, and the simple truth of this problem cannot be ignored.
More alarming, perhaps, is the very real possibility that a supply chain could contain many weak links and failure can (and will, based on Murphy’s Law) happen at the worst time, in the worst conditions, and more than once—such as a pandemic. This book looks at how the aggregate risk is often overlooked and the planning assumptions used by many organizations are flawed (not to mention inefficient and possibly misleading). It only takes one, but you may confront several of these problem areas. Unfortunately, my experience is that risk strategies usually assume the best-, not the worst-case scenario. The truly successful supply chain is one in which the potential worst-case single points of failures are assumed and that decisions about the supply chain are structured on the anticipation of potential future failure points. When you are able to continue keeping a supply chain up and running even in an environment of rapid and complex change, then you have mastered the principles I bring up in this book.
Remember, believing that all is well may be a self deception. You need to continually analyze and evaluate the risks to your supply chains and business networks, determine and learn from the root cause of problems, and decide whether you have the proper philosophy, culture, and systems in place to identify, measure, mitigate, and finance risk. Good business strategy dictates that you must:
• Remain agile to avoid risk
• Be resilient to respond, adapt, and absorb risk
• Develop methodologies that are sustainable to scale and maintain risk solutions
I address risk from several points of view: demand, supply, production, and logistics, to name a few—and always from the angle that the customer uses, which I call the “demand lens.” Anyone who wants to stay in business needs to adopt this organizational world view, and the most successful enterprises historically are those that have recognized this reality early enough to ensure that risk did not overcome them on the road to success.
CHAPTER 1
The Laws of the Laws
Laws are like cobwebs, which may catch small flies, but let wasps and hornets break through.
—Jonathan Swift, “A Critical Essay upon the Faculties of the Mind,” 1709
The time is far in the future. A commercial space towing ship, the Nostromo, makes an unscheduled stop at a remote planet, where one of the crew members is attacked by a parasite. A horrible scene in which the parasite bursts through his chest sets up the rest of the story in which each crew member meets a horrible death until only one remains. As it turns out, the encounter was intentional. The creature, a perfect killing machine, was known to authorities months before and they wanted to use the ship’s crew to bring one of them back so it could be weaponized. The crew, of course, had no idea.
—Synopsis of the movie Alien
The lesson we can learn from Alien is profound and has many aspects. One lesson, perhaps, is that if you find yourself in an unknown situation, assume the worst case and don’t get too close to the unknown danger. Another is that if you don’t know your real mission, disaster is likely to follow. Alien is all about risk, the unknown single point of failure, and the consequences of operating in an undefined environment. The movie should be required watching in every organization and in every business school.
Have you ever considered the possibility that the premise on which you built your organization might not be valid anymore? It is a profound suggestion not only because the answer might startle you, but because the question does not occur to many of us. Poor Ripley, the sole survivor in Alien, thought she was towing ore and had no idea that she was really set up as bait for the perfect killing machine alien creature. And like the movie itself, the lessons have a lot to say about the nature of risk in today’s organization.
Risk is a parasite that resides in every process.
We have lost the association of risk as a threat or even as a negative. Risk itself has become meaningless. Terms like “risk management” and “risk expert” have normalized the concept of risk as a parasite and as a very real threat, not only to profitability and brand but often to an organization’s ability to survive. Much new risk has been introduced—threats once not relevant now impact global supply chains with greater frequency and consequences. Thanks to globalization, the risk parasite can quickly weave its way through the logistics, sourcing, and production processes that support these long tailed supply chains. The parasite can lie dormant in these processes, undetected by the organization. Then an event unleashes the parasite, creating a single point of failure, a broken link in the chain. The catastrophic outcomes can affect any stakeholder in the supply chain regardless of geographical or organizational boundaries. The trigger, large or small, can result in the same outcome. No longer can we distinguish between low probability/high impact events and everyday incidents. Whether an explosion at a natural gas plant or the availability of a single part, today’s interdependent and lean supply chains as well as a fiercely competitive global marketplace leave little space, or time, for error.
Consider, for example, that an explosion in western Australia in the summer of 2008 to an Apache Energy gas line significantly threatened global commodities supplies because Rio Tinto and Alcoa, two major miners in the region, lost power to their mines. Or, in another case, the shortage of components for windmills (which have 8,000 components) and solar panels has been hampering the growth of alternative energy. Even the failure of a single ingredient, such as osteoblast milk protein (melamine), in the food and dairy supply chain, can be far reaching. In a recent case, melamine was added to the product and allegedly killed eleven; sickened another 296,000; bankrupted Sanlu Group, a major Chinese dairy company; and caused significant negative global media attention to Fonterra Co-operative Group Ltd, a joint partner of Sanlu Group and a major contributor to the global dairy supply chain. The parasite was released; as a result, globally interconnected supply chains were idled. The release of the parasite is not limited to natural hazards or events that affect only physical assets. In June 2009, the Venezuelan government ordered Coca-Cola Company to withdraw its Coke Zero beverage from the country, citing unspecified health risks.1 No organization is exempt from the parasite and most have experienced its wrath—ExxonMobil Corporation, Fonterra Co-operative Group Limited, Rio Tinto Group, Gazprom, Cadbury Schweppes plc, Apache Energy, Wal-Mart, General Motors Corporation, Baxter, Intel, Petróleos Mexicanos (PEMEX), Microsoft, Toyota, and Mattel—to name only a few.
I think of the risk parasite as a metaphor to remind me how to address existing vulnerabilities and anticipate future challenges throughout the supply chain before they become catastrophic. The risk parasite knows no boundaries. It resides in every resource and attaches to every process flow. However, often an organization divides its supply chain risk defenses against the threat of a parasite by organizational functions. A security issue is treated by the Security Management group, an environmental issue by the Environmental, Health and Safety group, and an IT risk issue by the IT Risk group. Each function has its own assessment techniques and standards for measurement, as well as its own turf. However, the risk parasite does not distinguish between functions and locations. When the parasite is attached to the process, it can take on any form and easily travel up- and downstream in the supply chain. Unlike each of these groups, this invasive parasite has freedom of movement.
But risk management is not separate and distinct; the effective approach is to think of the supply chain risk management process as part of the supply chain network. It is an overlay to the major processes of the network: sourcing (material requisition, third-party management), logistics (transportation, distribution, warehousing, inventory management, IT/ERP), and production (manufacturing, assembly, subassembly). Refer to Exhibit I.1 in the Introduction. Simply stated, an effective supply chain risk strategy is one that is holistic and mirrors the supply chain network design and cash, information, and product flows, not just the functional design. The risk strategy is discussed further in later sections.
Exhibit 1.1 Supply Chain Risk Overlay
The strategic supply chain risk overlay shown in Exhibit 1.1 identifies and minimizes the impact of potential single points of failure, improves quality, protects critical data, and makes the supply chain more efficient. The risk parasite is a negative but realistic metaphor; the solution is to manage the whole body of the supply chain by identifying and removing, containing/isolating, or reducing the effects of the risk parasite.
Laws of the Laws
This book is organized into a series of laws that apply to everyone along the extended supply chain. However, before proceeding, I want to provide you with a brief set of questions about the nature of your business network, the value your organization creates, the supply chain relationship, and a definition of risk.
Questions to ask yourself before you proceed:
• How does my business create value and what role does the supply chain play in that process? Can I visualize the risk, worst-case scenarios, and impact at various points throughout the supply chain, as well as identify the point of maximum impact (i.e., maximum exposure)?
• How do my customers, investors, business partners, and other key stakeholders view and define supply chain risk, if at all? What are their expectations? How do they measure success and failure? Do they even consider these critical issues?
• What impact does my ability to manage supply chain risk have on protecting brand, ensuring margins, moving cash, and generating revenue to assure long-term growth?
• Who in my organization is responsible for the management of supply chain risk? Who at my third-party providers is responsible?
A good starting point for any challenge is to understand the context in which the solutions must be implemented. What are the practical realities of the culture, behaviors, and intangibles that cause the solution to succeed or fail? Most people know these unwritten rules, whether they are budgeting an expansion program, introducing a new product, eliminating manufacturing defects, or heading up a quality control team. This premise leads to four specific precepts that I call the Laws of the Laws. These specific points are articulated below and reflect how most of them successfully attack the parasite based on the unique culture of your organization. The ten laws of the supply chain risk process you find in the following chapters all have to address these four basic precepts on some level, and often on several levels.
Risk Management Defined
Before getting to these precepts, I have to start with the basic definition of risk management itself. There are many definitions in use and the meaning varies depending on your role. During my travels through Singapore, I ran into Rajeev Kadam, Vice President of Olam International Ltd., a global leader in the supply chain management of agricultural products and food ingredients. Rajeev articulated a simple but concise definition of risk.2
Risk has two essential components:
1. Uncertainty
2. Exposure to uncertainty
We face risk when both uncertainty and exposure are present.
Consider an example: A man jumps from a sixty-story skyscraper. According to our definition above, there would be no uncertainty if the man were to jump off the building without a parachute. His chance of survival would be zero. However, if the man were to jump with a parachute, then there would be some degree of uncertainty about whether the man would live or die. The jumper faces risk because he is personally exposed to the uncertainty of the parachute failing to open. We could begin to calculate this uncertainty.
Suppose you are watching this event as a bystander from the pavement below this tall building. Are you facing any risk even if there is uncertainty in this event? The answer is no, because you are not personally exposed—unless the jumper is your relative, or has borrowed money from you, or you have a coffee shop on the pavement where he may crash land.
We could continue with this example but I am sure you understand the point. Uncertainty can be difficult to calculate, especially when the exposure is not understood or realized. This, by far, is the most fundamental challenge of supply chain risk management—organizations not knowing or understanding how exposed their supply chains are to uncertainty, or to how much.
You need to define exposure to uncertainty in terms of impact: the cost of the loss, and what that loss means in terms of stakeholders, your brand and reputation, and even to the basic ability to provide your goods and services to your customers. With this definition in hand, I can now introduce the practical realities, or the Laws of the Laws, to guide you with the execution of your own supply chain risk management. Consider these four precepts.
Law of the Laws #1: Everyone, without exception, is part of a supply chain.
Law of the Laws #2: No risk strategy is a substitute for bad decisions and a lack of risk consciousness.
Law of the Laws #3: It’s all in the details.
Law of the Laws #4: People always operate from self-interest.
The following will expand on these four precepts.
Law of the Laws #1: Everyone, without Exception, Is Part of a Supply Chain
It was a revolutionary innovation in assembly line automobile production when a major manufacturer decided to give any individual on the line the power to stop the process if he or she saw a flaw. Before that, without the vested interest, the theme “It’s not my job” allowed visible flaws to proceed through the line even though dozens of assembly line workers saw the flaws. Because “It’s not my job” was the cultural rule, several points prevented diligence on the assembly line:
• Pointing out quality and safety defects was seen as criticizing a fellow line worker.
• Delaying the process reduced shift output and was seen as a negative.
• Pay was based on units produced and not on quality.
All of these flaws added to supply chain problems rather than solving them. In the 1980s, Toyota Motors first employed jidoka, the concept of empowering workers to stop an assembly line to prevent defects. The goal was to make it possible for everyone, at all critical points, to understand their role in the greater goal of supply chain value creation and, when appropriate, participate. This idea flew in the face of assembly line standards set by the Ford Motor Company, where once the line began to move, nothing was allowed to stop it:
At every stage of the assembly line, Toyota employs devices allowing workers to stop production to correct defects. Such devices may be as simple as a rope strung above the assembly line, or a button that can be pushed. In other cases, it is sophisticated monitoring software such as Activplant’s Performance Management System, which can alert operators to problems with equipment or robots in real time.3
The concept of allowing individual assembly line workers to bring the whole line to a grinding halt because they see a flaw is culturally revolutionary. It is also diligent, a method for gaining participation among key stakeholders—the employees—and preventing and correcting flaws many steps before end users discover problems after purchase. By changing the broad assumption to “It is my job” and doing away with the self-interest of the individual or even of the shift, assembly line workers were given a sense of ownership in the end result quality of their product. They recognized their individual contribution and were empowered to the end goal of producing the highest value to the customer. Toyota acknowledged early that workers were not just part of the supply chain, they were the supply chain. If they failed, the supply chain failed.
This is a relevant example of how supply chain risk thinking usually works versus how it should work. The Toyota example demonstrates why there can be no shortcuts and everyone is part of the whole. Before the institution of jidoka, an assembly line worker might fear punishment for making waves, not to mention the antagonism of fellow workers, notably those on whom the whistle had been blown. The observation that “There can be no shortcuts” can be expressed in another way: “Without diligence, no supply chain can be expected to work.”
A point of view worth adopting is that performance based on diligence is the only acceptable operating method. Diligence is a means for assigning responsibility for all of the pieces that add up to the whole. An auto assembly worker is trained to recognize that any flaws make the singular product defective. Stopping the line to correct existing flaws and prevent new ones is essential. You can apply the same thinking to anyone’s home life. The necessities—food, shelter, energy, safety, transportation—do not simply appear on their own. The household pays for all of these necessities, but the family also relies on food growers, stores, and transportation facilities; on home builders and designers; on financial institutions for credit; on an endless range of experts required to maintain the property; on utility companies and energy generation as well as raw materials; on infrastructure at local and national levels that creates roads for vehicles; as well as on auto manufacturers and mass transit facilities. This primary residential supply chain is complex and far reaching, involving all aspects of commerce and government not only in one country but internationally. It requires incentives and the consciousness and empowerment of all those involved—that is, to hit the stop button when someone witnesses something wrong. The personal supply chain is an excellent model for beginning to develop an appreciation of the basic law. Imagine trying to find shortcuts for provision of food or shelter.
It would have a snowball effect and cause great suffering and loss throughout the supply chain. Supply chain risk management begins with awareness, a consciousness that everyone is part of an endless stream of supply chains, which are linked together by relationships and configured according to needs. Ask yourself the following:
• What are the products and services I rely on—for health, energy, food, water, my livelihood?
• Where am I exposed to uncertainty? Who have I entrusted to create and deliver high-quality, safe, and risk-free products?
• Do I understand the basics of these supply chains—who and what’s involved? Is there transparency into critical interdependencies and do I have confidence that those touching the chain are managing the risks?
• What adjacent and interdependent supply chains are required to satisfy my needs (transportation, communications, energy, shipping, trucking, and so on)?
• How will delays or disruption in these supply chains affect me and my business if the product is unavailable for a day? A month? Permanently?
• Do I understand the financial, brand, regulatory, and strategic impacts of a risk being realized?
Whatever products your organization sells or what services it offers, your role is an essential part of the supply chain, and potentially of other supply chains within the organization. Be ready—you will need to be able to continually measure value and impacts and prioritize risk within your supply chain.
We are living in the age of interdependency; small ripples upstream cause tidal waves downstream.
Numerous examples in today’s world involve seemingly small glitches causing large consequences. In one such example, jellyfish caused a reactor to shut down. PG&E Corporation, California’s largest utility company, silenced its Diablo Canyon 2 reactor and was forced to operate another reactor at 50 percent capacity when a rapid influx of jellyfish reduced water flow to pumps. This is not the only case. Globally, jellyfish have caused hundreds of millions of dollars in damage to fisheries, seabed mining operations, ships, and other industrial operations.4
It’s not always a material issue. Look at what happened in 2008 and 2009 with the market-wide credit meltdown. In the past, you might have trusted your “establishment institution” to protect your assets, if only on the premise that they were experts in managing other people’s money. After the meltdown, in which many of those banks and brokerage firms went broke or were bought out at bargain-basement prices, it became obvious that you could not merely assign risk to the experts. It was your risk as well, and it had been your risk all along. They were merely custodians of your assets. You were always part of the supply chain involving capital, credit, investment, money management, market risk, and even basic evaluation of companies. The fact that the brokerage firm did not do its job (assuming that included protecting clients against market risk) does not exclude anyone from the supply chain, or from its very real risks. You owned the risk, you were exposed to uncertainty, and you felt the pain.
We all know that now, of course. But in the future, how can you better protect yourself and reduce these market risks? Some fundamental changes may include self-directing most of your money and using outside experts for advisory help only (risk ownership); distributing capital among several management resources, such as banks, brokerages, or mutual funds (risk diversification); and improving knowledge about the range of risk activities of a firm. For example, is your brokerage firm holding billions in mortgage obligations? If so, what are those risks (risk education, measurement, and transparency)? Ultimately, you are responsible for risk itself (risk accountability). The same is true for the management of supply chain risk—seeing, understanding, measuring, and mitigating or financing. One fact is certain—everyone, without exception, is part of a supply chain.
Law of the Laws #2: No Risk Strategy Is a Substitute for Bad Decisions and a Lack of Risk Consciousness
The main theme for the second Law of the Laws is that almost all adverse impacts can be traced back to a bad decision somewhere in the chain. Bad decisions are made without accurate or relevant information (uninformed decisions), significantly influenced by emotion and not made fast enough. One case of an organization not moving fast enough was that of Intel’s Pentium FDIV bug. The Pentium FDIV bug caused errors in certain floating point division operations. According to Intel, a few missing entries in the lookup table used by the divide operation algorithm caused the bug. The flaw was discovered by a professor at Lynchburg College, who subsequently reported the issue to Intel. Intel would later admit that it had been aware of the flaw during testing but did not take action. This was bad decision making by Intel. It had knowledge of the bug but chose not to manage the risk fast enough. While many independent estimates found that the bug would have negligible effect on most users, public outcry ensued. Intel offered to replace flawed Pentium processors on the basis of requests in response to mounting public pressure that brought a huge potential cost to the company.
This makes the point that in protecting yourself and your organization against the risks inherent in the supply chain, you need to develop a strategy to support effective and efficient risk decision making (intelligence gathering and tracking, monitoring, filtering, surveillance, and analysis) to keep things flowing and to engage all others in your supply chain; for knowing how to prevent potential losses; and, of course, to respond if and when a loss or delay does occur. You need to understand interdependencies, pain points, impact of failure at each link, and alternatives to ensure free flow of information, products or services, and cash. No one can plan for everything; understanding how big an impact the issue might present and gauging an appropriate response can help you navigate around most losses.
Only by recognizing that everyone is part of the supply chain and that risk decisions will be part of standard operations can you expect yourself to effectively take the needed steps. Being resilient, agile, and ensuring against insurable losses is only a small aspect of the larger, more enlightened, and more progressive approach. Other behavioral attributes of good risk decision making include education, awareness, and training; critiquing and learning from failures and near misses; and understanding motives, incentives, and penalties.
A well-recognized supply chain risk management case that shows the benefits (and consequences) of good risk decision making involves a major supplier to Nokia that produces semiconductors for Nokia phones. The company suffered a severe fire at its plant in Albuquerque, New Mexico, on March 17, 2000. Smoke spread throughout the facility and contaminated wafers in almost every stage of production, destroying millions of chips in just a few minutes. Consequently, production of cell phone chips intended for Nokia and Ericsson was halted. Nokia quickly realized that the disrupted supplies would prevent production of some four million handsets and could impact 5 percent of its annual production. The team quickly ascertained the availability of alternate sources for the parts. Nokia responded by working with existing suppliers to ensure that Nokia operations would continue with minimal interruption. When it was clear that the much-needed chips were significantly delayed, lower level employees at Ericsson did not communicate the news to their bosses. The head of the consumer electronics division did not learn of the problem until several weeks after the fire. By the time Ericsson realized the magnitude of the problem, it was too late and it lost market share to Nokia. If Nokia were to follow the Band-Aid approach, it would have stopped after the disrupted supplier had recovered. However, it took further action following this event. Nokia developed a series of visibility systems to track major shipments of all of its major suppliers. It also established a risk management assessment for each of its major suppliers and created contingency plans for disaster planning at each location. Then, suppliers were trained in all of these planning elements. Finally, Nokia reevaluated its entire supply chain network to avoid single sourcing any major component, and it integrated these plans into its global sourcing strategies.5
Exhibit 1.2 Food Supply Chain
Law of the Laws #3: It’s All in the Details