Disaster Resource Guide Advertisers   Disaster Resource Guide Advertisers   Disaster Resource Guide Advertisers   Disaster Resource Guide Advertisers   Disaster Resource Guide Advertisers

Risky Business
Failing to Assess Supply Chain Continuity

by Michael Porier & Brian Zawada

Considerable time and effort has been spent discussing the need to evaluate the resiliency of a company's supply chain continuum. Business continuity and risk management professionals, citing potential failure scenarios caused by over-reliance on single or sole source suppliers, have attempted to build a business case for redundancy. Although processes aimed at reducing risk caused by supplier failures seem rather basic, few organizations have undertaken the analysis and built supply chain-oriented strategies to recover. A September 2002 study conducted by the Council of Logistics Management states, "Specific plans to sustain supply chain operations are given limited coverage in most continuity plans." In today's business environment, supply chain redundancy and continuity has fallen on deaf ears - tough economic times and the bottom-line benefits of a streamlined supplier base have introduced continuity risk. All in all, the business continuity process that focuses exclusively on internal operations fails to manage many of the risks leading to business interruption. This article explores the process to assess supply chain continuity risk and the successful strategies that leading organizations employ to manage such risks.

The Issue
An organization's supply chain is made up of a number of parts or resources required to build or deliver products and services. These include vendors who build and service production equipment, outsourced service providers, utilities and product transportation organizations. Often times, procurement departments and business continuity professionals take a narrow view, and focus solely on the resources necessary to build a product. Taken one step further, the supply chain includes the internal processes necessary to receive goods and services, manage resources and inventory and ship product to the final destination.

Executive management is applying constant pressure to reduce production stock and inventory. Today's warehouse is the truck on the road, and managers are betting their suppliers will deliver resources on time in order to keep production flowing. Inventory is considered excess. Organizational metrics focusing on inventory levels push managers to risk production downtime in order to minimize production stock. Minimizing inventory delivers an immediate bottom-line return, despite the potential risk involved. Over the past decade in the U.S. auto industry, more than $1 billion dollars per year in inventory carrying costs have been saved by using just-in-time techniques. In addition to minimizing inventories, companies are also streamlining the number of vendors, both in aggregate and for specific production stock and equipment. This practice also delivers a bottom-line impact given that increased volume leads to a lower cost per unit.

The assumption that suppliers deliver on time and accurately 100% of the time sounds great. However, the threat environment, consisting of items such as labor disruptions, severe weather implications and upstream processing failures (to name a few) threatens this delicate balance. Contingent business interruption (CBI) insurance, in place to cover supply chain impact on production processes, is not sufficient to protect against customer defection to the competition. In today's uncertain business environment, companies must adopt supply chain continuity planning techniques that preserve bottom-line benefits.

For all of the benefits of a just-in-time supply chain methodology, certain inherent vulnerabilities exist. As the name implies, "just-in-time" leaves itself open to vulnerabilities that are largely outside the control of your organization. In all likelihood, larger organizations import goods and services from a foreign source, introducing a myriad of risks such as border-importing issues. As any well-designed Gantt Chart would illustrate, the level of risk can be directly linked to the number of "hops" that the inventory must endure prior to its final destination. The supply chain continuum is very complex and involves numerous entities. A delay at any point affects the value proposition of the JIT assumption.

Required Analysis - What's Critical?
An organization's supply chain can represent a very complicated matrix of processes and "touch-points" between various parties. However, in order to manage the risk within the process, the process must first be understood. Organizations should develop a thorough understanding of the entire process flow of goods and services related to their production cycle. Risks throughout the process cycle should be identified, sourced to the origin and documented. Significant attention should obviously be focused on the supply of "critical" components. Volume (monetary or the number of units) and frequency of orders are not the best indicators of a critical supplier. Instead of looking solely at volume or order frequency, we recommend using the following criticality and risk-related questions:

1. Is the vendor a single or sole source supplier?
2. Which product(s) or service(s) does the vendor support and what percentage of revenue/earnings do they address?
3. How close is the vendor to your production facility? Will a local or regional disaster affect both you and the vendor and impact recoverability?
4. How often is the vendor's product delivered (if applicable)?
5. What is the average on-site inventory level of the vendor's product (if applicable)?
6. How long does it take to order and take delivery of the vendor's product?
7. Does the vendor employ unique production processes and capabilities where an alternate vendor would be difficult to find?

After establishing vendor criticality, we recommend initiating discussions with the most critical vendors, particularly where high risk supply chain relationships persist, regarding business continuity process maturity. More and more organizations are discussing vendor continuity, particularly when the company employs JIT processes and single or sole source relationships exist. The following questions can assist in establishing a vendor continuity ranking:

1. Does your organization have a documented Business Continuity Management process?
2. Have you conducted a formal Risk Assessment and Business Impact Analysis (including an interdependency analysis)?
3. Are you comfortable that your company is adequately prepared to handle unplanned business interruptions?
4. Have you performed a supply chain continuity assessment?
5. Who in your organization "owns" the Business Continuity Management process?
6. How much does your organization budget for the development and maintenance of the Business Continuity Management process?
7. Do you have an alternate facility to recover operations in the event your main offices, production locations, or distribution centers are inaccessible? If yes, how far away are those facilities from your primary operating site?
8. Has your organization ever tested its Business Continuity Plan?
9. Does your organization offer a formal training and awareness program to familiarize employees with your Business Continuity Plan?
10. Has your Business Continuity Plan ever been benchmarked against industry standards/codes or your competitors?

The Solution
All supply chain risks cannot be eliminated given the myriad of uncontrollable factors involved. Additionally, too many controls and redundancies can be cost-prohibitive. So what is the right balance? As we've outlined above, understanding the supply chain process, vendor criticality and vendor continuity maturity enables the organization to determine the best options (and associated costs) to mitigate likely risks. This will confirm suppliers, or alternate suppliers, will be able to deliver the specified component at the correct time, to the correct location and within specifications.

Once this information is obtained, analyzed and validated by executive management, the company can begin to craft a strategy to manage supply chain risk to an acceptable level. Critical supply chain components may require safety stock, and alternative sources may be considered. Clearly, these decisions are left to a cost-benefit analysis. However, supply chain continuity should move beyond arranging for alternates in different locations. Manufacturers need a thorough understanding of alternate suppliers' capabilities, as well as vulnerabilities. Personnel responsible for the organization's business continuity process should be proactively involved in the alternate vendor selection process to confirm the vendor's capabilities match the organization's recovery requirements. Overall, supply chain continuity planning should begin with the product or service design and continue throughout the product/service lifecycle.

The 2002 longshoremen strike on the west coast highlights the need to understand logistics paths and potential bottlenecks. Supply chain management is not limited to planning for supplier redundancy, but requires an understanding of the route the product travels to your location and the method of transportation (i.e. rail, truck, aircraft or ship). Additionally, a mature, proactive procurement process will continuously monitor potential bottlenecks for situations that could result in delayed shipments. In today's business environment, procurement must also monitor border crossing procedures to avoid potential product delivery delays. Existing software solutions can help. Some logistics software applications track product movement and provide guidance.

Solutions to address logistics management include acceleration of shipments (based on an assessment of the current situation) and developing contingent shipping arrangements. However, these decisions should be based on executive management buy-in given these strategies may raise costs and affect production lead times and inventory levels.

A direct correlation exists between supply chain recoverability and the maturity of the supplier relationship. As part of the formalization of the supplier relationship, emphasis should be placed on developing robust day-to-day communications processes, as well as strong crisis communications processes to coordinate recovery operations.

Finally, supply chain continuity must address the internal processes that enable product receipt and shipment of finished goods. Every day, ERP and warehouse management systems fail, conveyor systems grind to a halt and labor strikes create havoc. Internal redundancy identification and recovery strategy development for single points of failure are the required first steps to minimize the affects of an internal supply chain outage.

Conclusion
Following a disaster or business interruption, the organizations that survive will be those with a defined strategy in place, have accurately anticipated and planned for contingencies, and understand the cost metrics associated with their strategy. Organizations relying on the timely receipt of goods and services to continue revenue generating production view supply chain continuity as a critical business continuity management component. As we've highlighted, mature and proactive supply chain continuity processes include in-depth analytics, with planning significantly beyond the inclusion of alternate suppliers. In addition to alternate supplier relationships, key supply chain continuity plan components include:

  • Maintaining safety stock
  • Monitoring transportation entities and planning for contingent shipping arrangements
  • Observing product transportation paths, looking for potential bottlenecks
  • Developing plans to allow for acceleration of shipments
  • Implementing a crisis communications process with key vendors
  • Developing continuity plans to address in-house product receipt, inventory management and product shipment processes, with an emphasis on labor interruption and other single points of failure

About the Authors
Michael Porier (CBCP, CISSP, CISA, CFSA) is an Associate Director in Protiviti's Houston office managing BCP and IT Security engagements for the Gulf Coast Region. Brian Zawada (CBCP), a Senior Manager and the firm's Business Continuity Management product leader, is located in Protiviti's Cleveland office. Both Mike and Brian specialize in the development and implementation of BCM solutions nationwide.

For more information contact Michael.Porier@Protiviti.com (713) 314-5030 or Brian.Zawada@Protiviti.com (216) 636-6098. Protiviti helps clients identify, measure, and manage operational and technology-related risks they face within their industries and throughout their systems and processes. The company also offers a full spectrum of internal audit services, technologies and skills for business risk management, and assists corporate board members in addressing corporate governance issues.

 
 
Copyright ©2008 DISASTER RESOURCE GUIDE P.O. Box 15243, Santa Ana, CA 92735 714/558-8940
Fax 714/558-8901