Supply Chain Risky Business Part 4
Every 12 to 18 months or so I write one of these columns on supply chain risk management, and I am back here again on the topic, triggered by the new book "The Power of Resilience" by Dr. Yossi Sheffi of MIT.
More on that in just moment.
This is a fascinating subject, yet one devilishly hard to get one's arms around, especially as the scope of supply chain risk management seems to expand on a continuous basis. What's more, nearly all of the conversation is around what very large, multi-national companies are doing or should do, and much less if anything relative to how the thinking should be applied if at all by more mid-sized firms.
Risk management is hugely complex, like a giant Rubik's cube that just when you almost have it all lined up, some evil genius changes the colors on many of the blocks again.
WHAT DO YOU SAY?
Send us your
Finally for this intro, supply chain risk management is really a subset of what is often called business continuity management or increasingly enterprise risk management (ERM). While many companies face the preponderance of total risk from supply chain-related activities, there are obviously many others, including increasingly/urgently cyber risks and more recently social media risk.
But most of these others in the end tie into the supply chain, such as say the unpleasant discovery that your supply chain includes some slave labor, and that news then being amplified many fold through social media outlets.
So back to Sheffi's book. I, like many others, assumed when "The Power of Resilience" it was first published it was a sequel to or maybe even just an updated version of his similarly titled "The Resilient Enterprise" released in 2005.
But that is not the case at all. This is a very different book, and certainly stands on its own. As with the first book, Sheffi's work was supported by two dozen or more research assistance from MIT's graduate school, and it shows.
One of its key contributions to the discipline is chronicling in significant detail the risk management practices of companies such as Intel, Walmart, Cisco, Procter & Gamble, Flextronics, and others, each of which was willing to open up quite a bit how they plan for and respond to supply chain disruptions.
One catalyst for the book was certainly the 2011 earthquake and tsunami, and the impact of that event and how it caused many companies to rethink their approach to risk is a key theme throughout. I learned a few things, even just about the event itself.
The earthquake came from a 500 kilometer plate that literally slid under the Japanese islands. It was a magnitude 9 earthquake, largest in Japan's earthquake filled history, and well beyond the level 8 or so event much of the planning and construction in the country had been geared towards. It created a tsunami wave some 60-feet high. 1.2 million buildings in northern Japan were damaged or destroyed as a result.
What this major disruption did more than anything else was show that even companies that believed they had a good handle on their supply chain risk really did not, especially beyond tier one suppliers.
Let's look at one of the interesting anecdotes from the book. When the disaster first happened, GM engineers initially estimated that only about two dozen suppliers were impacted, affecting 390 parts in total. Within an hour, they upped that part number modestly, by about 100.
But that estimate didn't fully consider the extended supply chain. Two months later, a full understanding of the impact showed that some 5800 parts were actually affected, through the complex nexus of multi-tier supply chains. The magnitude forced GM early on to break those thousands of parts into a full 116 "commodity groups" for manageability, and then an elaborate white board exercise that showed the multi-tier impacts on each of the company's 16 global assembly plants over many months, with "white spaces" indicating when a given plant would be forced to stop production on one or more models.
It was a complex exercise, but eliminating these white spaces then became the clarion call of the crises response team.
This is a wide-ranging book, very difficult to summarize in a relatively few words, but I will give it my best.
Most of us familiar with the general risk framework of organizing potential disruptions on a two-dimensional matrix that plots each event in terms of likelihood of occurrence (high/low) as well as size of impact in terms of profits, market share or other metric.
As the book notes, many companies have greatly expanded on this basic framework. One large beverage company, for example, breaks each dimension into five levels each, and assigns a non-linear score to each level (1, 2, 4, 7 and 11). The mitigation priority is determined by multiplying those two values for each event. Interesting.
Sheffi himself suggests adding a third dimension to the model beyond likelihood and impact, and that dimension is "detectability." In some cases, an event can actually be detected before it occurs, such as early warnings that Hurricane Sandy was likely to wallop the New York and New Jersey areas days before it actually hit.
In other cases, the disruption will be perceived virtually as it occurs. An earthquake or tornado or major power outage generally falls into this category, which today can usually be recognized almost instantaneously.
But some events may take a while after the actual disruption occurs before they are recognized. Among the chief examples of this are quality issues, such Mattel failing to recognize that a new supplier was using lead-based paints, leading to its toy recall nightmare. While yes, in retrospect that problem could have been detected much more quickly by better testing, that in fact shows the value of adding this third dimension to the risk evaluation model.
Flowing from that, Sheffi says there are really three key areas of risk management strategy:
Prevention: Finding ways to reduce or eliminate a given risk to begin with, through myriad strategies that include dual sourcing (though that is a two-edge sword, the book notes), inventory buffers, contractual arrangements with suppliers and many more.
Detection: How can companies improve their ability to detect disruptions more quickly, and thus take action sooner? One manifest of this is the growth of "risk monitoring services" that provide global insight, often from difficult to obtain sources such as local foreign language newspapers, to give subscribers an early heads up.
Response: What happens and how quickly when a disruption is detected? Much of the book in fact details how Intel, GM, Cisco and others approach that response aspect, which can include defined emergency response teams, "play books" that detail what information is needed and what actions to take for different types of disruptions, and many other tactics.
There is so much more and I am almost out of space, so I think I am going to end the book review here and will likely picked it up again in a few weeks to share some of the more interesting insights I couldn't get to here.
But I will end with this. As shown in the simple graphic below, I think we must now more explicitly recognize we have four key supply chain competencies. For years, it was two: planning and execution. To that we must now add "strategy and supply chain design," and in the center "supply chain risk management," which impacts design, planning and execution.