What can be done to manage resiliency in an increasingly risky world? Gary S. Lynch, Marsh’s supply-risk management expert, offers new strategies for organizations seeking to manage their resiliency and, in turn, survivability.
This is the moment of truth. Did or would your organization’s continuity plan effectively address business disruptions resulting from the confluence of the Japanese earthquake, tsunami, and radiation events? Did the volcanic eruption in Iceland put the brakes on your business because of inadequate or incomplete planning? For most organizations impacted by these events, typical business continuity planning was inadequate. When attempting to address business recovery and supply chain flows, most organizations failed.
Many business and operation executives at organizations impacted by recent events have told Marsh that not only were their recovery plans incomplete or inadequate, but they also neither aligned with nor reflected the needs of a globally interconnected and interdependent organization and economy. For example, the continuity plan of one manufacturer impacted by the recent Japanese quake/tsunami/nuclear incident addressed the loss of manufacturing capability but fell short when considering key interdependencies. The events in Japan displaced and/or destroyed the die casts – critical molds for the large scale and precision creation of critical components. The casting equipment and metal dies are an essential element in the mass manufacturing of intricate metal parts. The organization attempted to locate tool and die contractors familiar with the casts to recreate the molds; however, all were missing or had tragically perished.
The organization encountered a similar situation when it tried to locate the engineers who had designed the casts. A single point of failure (SPOF)—the casts, manufacturing facilities, and all those associated—was concentrated in a single region. The plan put in place didn’t address the loss of these critical resources; nor did the plan address further complications caused by rolling power outages and nuclear contamination.
Advancing Traditional Planning
Some might claim success because they have a plan in a binder on the shelf, or they’ve checked all the boxes to comply with good business continuity management standards. Often these efforts simply bolster a thinly veiled attitude of complacency. To achieve true resiliency in today’s interdependent and continuously changing world, traditional continuity planning needs to be re-engineered or “blown up.”
Managing resiliency today is as much about avoiding or minimizing exposure to risk as it is expediting recovery or adjusting to events. Over the last several years, many organizations have focused on optimizing efficiency but not resiliency, which was completed as a separate and disconnected effort. Concurrently optimizing resiliency and efficiency requires discipline, analytics, decision modeling, and the involvement of a broad cross-section of business, technology, and operation leaders both inside and outside the organization.
Where to begin? The initial step should involve changing a basic assumption.
Should what happened in Christchurch (earthquake), Brisbane (floods), Iceland (volcano), New Orleans (hurricane) and Japan (earthquake, tidal wave and nuclear disaster) be categorized as highly improbable—or “Black Swan”—events? Should extreme weather in Europe, cyber-attacks, pirates off the coast of Somalia, or political unrest in the Middle East be categorized as highly unexpected or low probability events? For purposes of managing resiliency, the answer should be an unequivocal “no.” Globalization, pervasive connectivity, an increase in natural weather catastrophes, a shortage of natural resources, and the expansion of the have/have not chasm have created enormous volatility in the geo-political and social landscape.
The story about the manufacturer in Japan was not the first time that industry experienced such consequences from an earthquake. In fact, black swans are seldom black and almost never entirely unexpected or unforeseen. They are truly white, similar to many previous instances of near misses, deviations, and disruptive incidents. We tend to normalize the exceptions, so long as they have not caused a major disruption, and focus on mitigating the risk to that which we can manage or see. Both make sense on the surface but given current events, they represent very dangerous practices.
Next Step: Improved Resiliency
Strategies for managing continuity and providing greater resiliency can be divided into four categories:
- Insurance driven/asset-based programs
- Compliance driven/functional-based programs
- Threat driven/event-based programs
- Value driven/flow-based programs
The first three categories represent the majority of today’s practices. They take into consideration only a small portion of exposure, and risk investments are typically aligned by a physical resource (a plant, for instance). Insurance-driven continuity typically does not take into account non-physical damage perils such as the failure of a supplier or of the public infrastructure.
The fourth category signals a rapidly emerging and business-aligned trend. It represents an integrated, end-to-end view of the extended supply chain (beyond the boundaries of the physical organization) that is viewed in the context of a given product, product category, or product family. Industries embracing this value-based strategy include those with the most highly complex and advanced supply chains, such as automotive and high-tech manufacturing.
The strategy begins with a clear articulation of the market and product/service families or categories that are of greatest organizational value: i.e., revenue, strategic, liquidity, brand, and/or compliance. For example, the auto manufacturer might identify the pickup product line to be sold in the Chinese market as its number-one value driver. Essentially, the organization must ask: If all of our capabilities were destroyed and we were starting from scratch, which market and associated products/services would we build out first?
Once the priority is articulated, the value/supply network can be mapped and SPOFs analyzed to determine the impacts at various “pinch points.” SPOF impact can be quantified and then prioritized to determine the level of investment needed to manage the risk at a very detailed level. The organization could then identify risk mitigation and financing options and measure the effect various investments had against reducing the exposure. Options would include—but not be limited to—diversification, buffering, repurposing or substitution, segmenting and inventory allocation, internal alternate sourcing, multi-sourcing, insurance, or even exiting the business. All solutions would be modeled to determine the effectiveness of the investment against reducing impact to the finished goods.
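The mapping and SPOF ranking described above can be sketched in code. This is an added example, not part of the original article: the network, node names, and value figures are constructed, and it assumes each resource lists its requirements as sets of interchangeable providers in an acyclic dependency graph.

```python
"""SPOF ranking over a mapped supply network (constructed sample data)."""

# node -> list of requirements; each requirement is a set of alternative
# providers, any one of which satisfies it. All names are hypothetical.
NETWORK = {
    "pickup_line": [{"assembly_plant"}],
    "sedan_line": [{"assembly_plant_b"}],
    "assembly_plant": [{"die_cast_shop"}, {"chip_vendor_a", "chip_vendor_b"}],
    "assembly_plant_b": [{"die_cast_shop"}, {"chip_vendor_b"}],
    "die_cast_shop": [{"regional_grid"}],
    "chip_vendor_a": [],
    "chip_vendor_b": [],
    "regional_grid": [],
}
# Value of each product family (constructed figures, arbitrary units).
FAMILY_VALUE = {"pickup_line": 500, "sedan_line": 200}


def operational(node, failed, network, memo=None):
    """True if node is up and every requirement has a working provider.
    Assumes the dependency graph is acyclic."""
    memo = {} if memo is None else memo
    if node in failed:
        return False
    if node not in memo:
        memo[node] = all(
            any(operational(p, failed, network, memo) for p in alternatives)
            for alternatives in network[node]
        )
    return memo[node]


def rank_spofs(network, family_value):
    """Fail each resource alone; report (node, value at risk, families lost)."""
    ranked = []
    for node in network:
        if node in family_value:
            continue  # product families are the outputs, not resources
        lost = sorted(f for f in family_value
                      if not operational(f, {node}, network))
        if lost:
            ranked.append((node, sum(family_value[f] for f in lost), lost))
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


def add_alternate(network, node, requirement_index, provider):
    """Return a copy of the network with one more provider for a requirement."""
    mitigated = {n: [set(a) for a in reqs] for n, reqs in network.items()}
    mitigated[node][requirement_index].add(provider)
    mitigated.setdefault(provider, [])
    return mitigated
```

Re-running `rank_spofs` on the network returned by `add_alternate` shows how much value at risk a multi-sourcing investment removes, which is the comparison the paragraph calls for when weighing mitigation options.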
Finally, realize that supply chain optimization involves resiliency optimization. If you compete or source in the global marketplace, your organization defines value by velocity of cash, inventory turns, and profit margins. Risk management is rarely mentioned.
Competitive organizations generally go through intensive “leaning” of the supply chain. They remove excess inventory or capacity, pushing many non-core services to a lower cost provider, and consolidate third-party providers or suppliers. As a result, strategies such as consolidating inventory and network, leveraging single-source suppliers, and accessing suppliers and customers in geopolitically and socially riskier environments create greater sourcing risk.
The second part of achieving resiliency, beyond expediting trade recovery, is to design and optimize resiliency in conjunction with value/supply chain networks. Support the decision-making process by providing quantitative and qualitative data that clearly demonstrates the return on investment, or the effect that a given strategy has on reducing recovery time.
Here’s an example: One organization engaged in a supply-chain optimization effort considered the need to simultaneously optimize resiliency. Management was concerned about risks involved with consolidating multiple distribution centers into a single central distribution center. The project started out with the goal of consolidating and optimizing by moving inventory into the lowest cost-per-unit facility. On first glance, this seemed a sensible idea. However, this created a potentially serious aggregation risk. In the event of a catastrophe, ramifications for customers would have been profound.
The organization needed a better understanding of risk-versus-benefit related to its optimization strategy. It quantified the impact of a catastrophic event to the fill rates of its product. First, it rationalized and prioritized the 20,000 product SKUs (stock keeping units) into a dozen product families. Next, it rated and ranked the product families based on value (revenue, cash flow, strategic importance, brand visibility). Finally, it ran the analytics for each product family, and then the aggregate, of a one-versus-two distribution center model to understand the net effect of the investments versus risks mitigated (i.e. trade recovery time). This analysis demonstrated that the benefit achieved through inventory diversification far exceeded the carrying costs of the second distribution center and additional inventory. The analysis also revealed the optimal resiliency placement of inventory for each product family. The simplest solution—risk diversification—proved the most cost-effective and safest way to proceed.
Moving Beyond the Basic Plan
If we accept that the “disruptive economy” is the new norm—and we acknowledge that catastrophic events can occur anywhere in business networks and supply chains—then we need definitive responses to a list of remaining questions. In this way, the resiliency objective remains in sharp focus.
Those remaining questions include:
- Are we—in conjunction with our partners—continuously evaluating, evolving, and improving the resiliency programs that support value-creating activities as determined by stakeholders (investors, customers, etc.)?
- How do we monitor volatility in our organization in relation to stakeholder behaviors, SPOFs, and supply chain interdependencies? What levels of volatility are acceptable? When do we react?
- What are the complete sets of resources (labor, technology, physical assets, relationships, and processes) needed upstream and downstream to deliver each product/service family to the market? Have we mapped the extended supply chain?
- Are we collecting business intelligence about our SPOFs, including the maximum financial, brand, strategic, compliance, liquidity, and asset impact at each point?
- Are the people, infrastructure, and suppliers that we depend on managing their market, financial, operational, and behavioral risk, at a minimum, to our expectations?
- Are we real-time monitoring the most critical supply chain dependencies for value-creation activities?
- Have we created decision models that support resiliency options at the time of the event?
- Have we created a collective culture along our supply chains that is risk conscious, intelligent, and motivated?
With discipline, analytics, decision modeling, and the involvement of a broad cross-section of business, technology and operation leaders in and outside the organization, we can answer these questions and optimize the resiliency of our organizations.
Author Gary S. Lynch, CISSP, is the global leader for Marsh Inc.’s Supply Chain Risk Management program. A widely recognized expert and advisor, Lynch consults with organizations throughout the world and within different industries. Also a respected author, Lynch has written two books that have provided templates for organizations seeking to move forward in risk management. He can be reached at firstname.lastname@example.org.