Conceptual Paper: Supply Chain Risks and Security

Jitender Vashisht Arun Singh JDA Software, Bangalore 560037 (India) Dec 2013

International Conference on Supply Chain & Logistics Management (ICSCLM 2013) New Delhi, India, December 5-7, 2013

1 | Supply Chain Risks and Security

Table of Contents
Abstract ......................................................................................................................................................... 3 What is Risk? ................................................................................................................................................ 3 Types of Risks............................................................................................................................................... 4 Case Study: Risk management...................................................................................................................... 6 Risk Framework ............................................................................................................................................ 8 The Solution: Stay Risk-Ready ................................................................................................................ 13 Avoid: ..................................................................................................................................................... 13 Reduce: ................................................................................................................................................... 14 Share: ...................................................................................................................................................... 15 Retain: ..................................................................................................................................................... 15 Conclusion .................................................................................................................................................. 16 References ................................................................................................................................................... 18 About the Authors ....................................................................................................................................... 19

2 | Supply Chain Risks and Security

Abstract The entire Japanese vehicle industry ground to a halt following an earthquake. Toyota, in particular was forced to stop operations at all 12 of its domestic plants. Financial Times, 24 July 07. A fire at a key Philips semiconductor factory in 2000 caused a worldwide shortage of the radio frequency chips used by Ericsson, accounting the loss of around $400 Mn. MIT Sloan Mgt. Review 06. Similarly, Western Digitals loss of US$225$275 million during flood in Thailand (Oct, 2011) or Unilevers heavy loss in ice-cream production due to flood in Gloucester, UK (Jul 2007), there are tons of examples where companies have lost millions of USD due to such catastrophic events. These are the Environmental risks that companies deal-with every now and then. In addition to this, companies today have Supply Risks (e.g. dependency on key suppliers), Demand Risks (e.g. volatility in demand), Process Risks (e.g. limited capacity/bottlenecks), Network Risks (e.g. bullwhip effect due to multiple echelons) and may be more. Aim of the Research Paper is to identify and categorize various Risks associated with todays Global Supply Chains and also the Best practices followed globally to manage (Mitigation and Contingency) these Risks. Now, people may ask how this paper is different from several other papers available on Risk management. Well, this paper not only comes up with a Risk Framework which companies should follow to avoid the risks, it also links the Risk Framework with the overall company objectives. And finally this paper talks about the solution.

What is Risk? Supply Chain risk is the uncertainty of events which can affect optimal performance of supply chain operations to the extent so that it can impact business objectives. It is important for any firm to gain understanding of such events which may occur in any link of supply chain, so that they can ensure business continuity without losing the customer confidence and erosion of shareholders value. In this era of globalization, supply chain risks have increased manifold. Organizations are adopting lean practices, which mean fewer inventories, JIT stock movement etc. Such practices
3 | Supply Chain Risks and Security

do not plan for any uncertainty (which is bound to impact supply chains). Organizations are also adopting outsourcing for most of their manufacturing operations without understanding the risk involved with outsourced country. All these result in enhanced risks to supply chain. Some of these risks are analyzed in a framework as shown in Figure 1.1

As we see in the above framework, some risks such as Natural Disasters have HIGH impact on the business but the ability to control such Risk is negligible. At the same time process or product related risks also have a significant impact on the business and the ability to control such Risks is also HIGH. As we proceed we will focus more on such Risks that have more effect on the business and are more likely to be controllable.

Types of Risks All Supply Chain related risks can broadly be categorized into five categories
4 | Supply Chain Risks and Security

Process Risk

Supply Side
Supply Risk

Company
Control Risk

Demand Side
Demand Risk

Environmental Risk
Environmental risks: Environmental Risks are the risks that are caused by the external factors beyond the control of organizations. Such types of risks are most prevalent one as they are high in impact and low in control. Natural disasters, terrorism and war, regulatory changes, tax, duties, strikes, government policies, political instabilities are some of the risks which comes under environmental risks. These risks are mostly in news as they impact the complete industry rather than one organization. Supply Risks: Supply risks arise mainly due to weak and unorganized supply network of the organization. This risk can be controlled by various initiatives by the organization. In some industries suppliers are more powerful and then OEM so they pose a greater threat to price increase, continued supplies, material quality. Some of the risks covered under supply risks are dependency on key suppliers, cartels in suppliers, quality issues in supplies, lengthy and variable lead times. Demand Risks: Demand risk is partially in control of organization. Loss of major accounts, demand volatility, concentration of customer base, short life cycles, substitute products, innovative competitors are some of the risks comes under demand. Some of the risks can be minimized by agility of supply chains to adapt changing business environment. Process Risks: Process risks are very much visible in any organization as they directly impact the productivity. Organizations have complete control over process risks and with core functional teams and projects; they endeavor to control these risks. Some of the Process risks are Manufacturing yield variability, lengthy set up time, in flexible processes, equipment reliability and outsourcing key businesses. Tools like Six Sigma are used to control the variability in the processes.
5 | Supply Chain Risks and Security

Network Risks: Network rise arise because of the business relationship between various supply chain partners. Things like asymmetric power relationships, no collaboration between SCM partners, rules which can distort demand, bull whip effects are some of the network risks. These risks arise purely by policies internal to organizations.

Case Study: Risk management Company GLOBAL AUTO (name changed) is one of the largest car manufacturing companies in India with market share of 16%-17% in 2005-2006 for Passenger Car Business. This was the golden era of Car Business with demand exceeding the supplies and company was ramping up production capacities to meet the surging demand. During this time, there was major fire broke out in Company GLOBAL AUTOs Pune factory in Paint Shop. Paint shop has two paint booth and both of them were gutted to ashes in this fire. There was no human casualty but this was an unforeseen event and company had no contingency plan. Also since this was an unanticipated event so even experienced managers had no idea that how to keep the business running. Expected time to re build up the paint shop was at least 3 months. In such a competitive car business, if there are no supplies for 3 months, this means losing market share completely and rebuilding the whole credibility may take years. In such situation company had two challenges 1. How to keep the business running as usual and maintain supplies in the market 2. How quickly they can rebuild the Paint shop and bring the operations to normal To address these issues, there was immediate re shuffling of profiles and teams were made to address these issues. One team was deployed immediately to contact various vendors who played vital role in initial commissioning of Car plant. This team was on lookout for options to re build the paint booths with existing and new vendors. Second team was involved in finding out the alternatives to maintain the supplies in the market. During that time, Company GLOBAL AUTO had taken over Company K&K MOTORSs (name changed) India arm and K&K MOTORSs plant was 160KM away from Pune factory. That plant had idle capacity which could be used by Company GLOBAL AUTO for painting car bodies manufactured at Pune facility. Decision was taken to use that additional capacity for painting Company GLOBAL AUTOs Cars. Although this seems to be obvious solution but there were
6 | Supply Chain Risks and Security

many challenges which company faced once they started the sending Metal car bodies to K&K MOTORSs manufacturing unit, getting them painted and bringing them back to Pune factory for further fitment. Few of the challenges are mentioned below 1. Logistics arrangement for transporting cars between Pune and K&K MOTORSs Manufacturing plant which was 160KM away 2. New types of Racks designing and procurement for in transit transportation 3. Line design change at Kurla factory to accommodate Company GLOBAL AUTOs Cars 4. Paint quality deterioration during in transit movements 5. Planning and coordination issues between these two factories 6. Increased pipeline inventory 7. Diversion of paint related raw material to Kurla factory 8. Managing pipeline inventory of finished cars in market 9. Setting up the paint booth in the minimum time This risk was something which was not governed by external environment. At the same time, it was not completely in control of the organization as well. Company was agile to respond to this unforeseen event and due to effective coordination and effective management, they had just 1 week of production loss. This loss was covered by the additional inventory of finished goods they had in plant. Various teams put additional efforts to ensure that paint shop was up in 2.5 months, earlier than expected and during this time of PCBU achieved one of the highest sales months. Company GLOBAL AUTO was not having any wellorganized risk management framework but whatever actions were taken, were in some way or the other related to various strategies which we use for risk management. Although Global Auto was successful in maintaining market availability but due to additional transportation and rework cost of production increased. Due to increase in cost margin dipped and in spite of high sales the realized revenue was low. Also huge cost was spend on rebuilding paint shop. So overall business was hit not in terms of continuity but profitability.

7 | Supply Chain Risks and Security

Risk Framework In Current dynamic business environment, there are key corporate objectives which should be met to ensure long term sustenance of organization. Any risk management framework we make should be aligned to these key objectives of organization so that they can be translated to actionable plan which will help organizations to achieve these objectives.

Any business is primarily focused on following key KPI for its long term sustenance: 1. Profitability 2. Growth 3. Business Continuity 4. Market Leadership

8 | Supply Chain Risks and Security

Above focus area are connected with all 4 components with of risk management components 1. Risk Awareness Risk awareness is acknowledgement that risks exist in supply chain and finding out severity and occurrence and detectability of the Risks. By finding out these parameters we can assign Risk Priority Number (RPN) around all risks. RPN concept is well known in six sigma and Failure mode effectiveness analysis (FMEA). This concept can be extended to risk awareness phase and by application of RPN we are able to remove subjectivity around risks. Risk awareness is closely connected to Profitability. As we are able to assign RPN to all the risks, we can prioritize which risk need to be addressed immediately and which can be taken on later stages. If we are aware of the risk and we can assess the damage by the potential risk, we can take the cost impact and include that cost as part of product costing which will ensure the profitability in long run. A good example of ensuring profitability is that in Retail industry. All the retailers are aware that there is pilferage in operation. Based on historic values it was found that the pilferage varies between 2-3%. Retailers generally make investments in tracking system and install equipment which will reduce pilferage. Some of the retails are even build this 3% in product costing so that pilferage cost can be offset to revenue recognized. Immediate attention of potential threats will ensure that company will not lose business in short term and hence profitability is ensured. Risk Awareness has two stages which are action plan for any team involved in risk management Risk Identification: Identification is knowing the risk involved in supply chain from local as well as global perspective. It can be done by following methods o Focused group discussion o Industry identified risks Risk Assessment: It is quantifying the risk involved in supply chain with RPN model. RPN quantify the risk based on Severity, occurrence and probability

9 | Supply Chain Risks and Security

2. Risk Readiness Being risk aware is good for the organization but only awareness will not ensure business continuity and growth. Organizations need to be risk ready for implementation of any solutions. Readiness means organizations should have close collaborations with vendors and key solution providers who are agile enough to respond in case of unforeseen circumstances. As we saw in the case study discussed in the previous section, the Company GLOBAL AUTO was able to ensure that it business was least affected from unexpected event and hence organization was able to sustain the growth in the market. Had there been a gap in supplies for a month or so, business was bound to get impacted resulting in dent in the growth which company was nurturing before the fire event. Risk readiness has mainly two components: Key Stakeholders relationship In the case study, relationship with key stakeholders played a vital role in bringing back the business to normal. Stakeholders such as vendors were able to provide immediate support for rebuilding the paint shop. Other stakeholder such as sales team, dealer network were able prioritize the critical orders to be supplied whereas keep low priority ones for longer horizon. Also sales team efforts played pivotal role in selling the available inventory by collaborating with customers and modifying the orders. This reduced the pressure on manufacturing to provide fresh supplies for old orders. Risk Mitigation Strategy Risk mitigation is, systematically reducing the probability of occurrence of risk or its impact on existing business. Generally organizations do risk mitigation only after occurrence of event. If organizations proactively make risk mitigation strategy, they can reduce the impact of event and hence ensure the continuous growth. For internal risks, it involve process change whereas for demand and supply risk it involves redefining business rules to capture the upcoming uncertainties and risk associated with them 3. Risk Responsiveness Despite an organizations awareness and readiness, still there is a probability that some unforeseen events may occur and impact current day to day operations. At this point of time overall business continuity depends upon following factors:
10 | Supply Chain Risks and Security

Response Agility Agility is how quickly organizations are able to respond to risk and bring out a feasible solution. This depends upon the first phase that is risk assessment. Building robust solution is based on the capabilities of organization to quickly assess the risk and its impact and build an alternative plan for business continuation.

Solution Implementation Many organizations are capable of building solutions which may be realistic and feasible, but when it comes to implementation, they fail to show agile approach resulting in delayed and incomplete implementation. In the case study, Company GLOBAL AUTO was quick to respond and bring up the supplies in one week. Also because of available inventory there were almost zero disruptions to supplies in the market.

4. Market Risk Adaptability The Business environment around the world is changing and hence risks associated with business are no longer conventional. Organizations have to be equally innovative in their risk management strategies to maintain market leadership. Sometime back, there were floods in Thailand and as we know, many Laptop manufacturers procure the Hard disks from Thailands local factories. During those times, Lenovo was maintaining a better pipeline inventory of finished goods as compared to its other competitors, who were working on lean inventory model. Also, Lenovo was quick enough to build alternative sourcing when floods happened in Thailand. As a result when other companies (HP, Dell etc.) were bleeding during the floods because of shortage of hard disks, Lenovo was able to gain market share of others and attain market leadership as well. Changing Environment adaptability It is the capability of the organization to adapt to new business environment and be ready for risk which come along with it. This is important from the prospective of maintaining market leadership as adopting new environment quickly and making contingency plans to counter risk will ensure the competitiveness of organization. Glocalization Globalization + Localization. There was an era when sourcing to low cost manufacturing hubs like China and outsourcing services to other countries like India were key to lower the operations cost and maintain competitiveness. Issues of piracy, natural calamities, political instabilities, increasing inflation and unpredictable economic scenarios has challenged the
11 | Supply Chain Risks and Security

concept of outsourcing. There are numerous examples where organizations have lost heavily due to outsourcing. Also globalization has increased overall supply chain inventory which pose threat to obsolescence in short life cycle products. Hence now companies are taking a cautious call to make a perfect balance between globalization and localization.

12 | Supply Chain Risks and Security

The Solution: Stay Risk-Ready The Risks described earlier have hurt the companies badly in past and in some cases there were complete shutdown of the business. To avoid such extremes companies need to be prepared in advance. The companies that have Risk mitigation strategies in-place not only avoid big losses but also win their competitors market share such tricky situations, in cases when the competitors were not Risk-ready. Below is the four point strategy for making the companies Risk-Ready so that they are able to manage the Supply Chain Risks in a more efficient way

Avoid: This intends in not taking such steps that would lead to Risk. An example could be to avoid sourcing the items from a country that has political instability. Western Digital could have saved millions had they avoided being over dependence at a coastal country like Thailand for the productions of hard disks. There are several other examples where avoidance could have saved billions. So, basically companies must not take a path that may be cheaper but is risky as well. Now, avoiding risks may look like an answer to all the risks but another school of thought says that this avoidance may also lead to the loss of a potential gain (had the risk been allowed). In todays world of cost cuttings and the search of cheap labors leads the companies to such riskier propositions.

13 | Supply Chain Risks and Security

Reduce: As described earlier, in tough times the companies also have to take tough decisions and often they might not avoid a particular Risk completely. The reasons behind such decisions can be both monetary and nonmonetary. Hence, if a company cannot Avoid Risks, it should try for plan B which is to Reduce. Reduce the likelihood of the Risk. Reduce the severity of the loss from the Risk. Taking an example of the IT companies these days companies are following the Scrum model of software development in which they get ready with smaller shippable pieces of codes in smaller intervals rather than following the orthodox Waterfall model of software development where the deliverables were shipped after pretty longer intervals. The Scrum model gives the developers more flexibility and a reality check of what is going on and where they stand with respect to their final deliverable. Hence they can take corrective measures more efficiently (as compared to the Waterfall model) and hence can Reduce the likelihood of Process Risks (e.g. product developed does not match exact requirements etc.) and even if the some Risks occur, they will be minor and not severe. Similarly different industries follow (or they should follow) different methods to Reduce the Risks. Some general pointers for Reducing the Risks are as follows All employees should be Risk managers: Every employee involved in the Risk prone legs of the supply chain should be empowered and motivated to be Risk managers. They must be aware of what could cause Risk? What are the necessary steps to detect and then avoid it? Their knowledge while encountering such Risks should be collaborated and shared with the larger groups so that others could gain the insights while facing such risks and can take the necessary steps more effectively. Agile performance checks: The performance checks need to be more frequent and agile. The checks should be designed such that they can notice any and every disruptions in the Supply chain. In fact it should be one of the measures to evaluate ones performance whether or not he has caught all possible disruptions. Finding a disruption is in vain unless taken a timely corrective action against it. So agility of such checks will take care of that. Real time visibility of the supply chain: The system should be such that it enables the managers to have visibility of complete supply chain. Visibility in real time will help the managers to raise a flag when something does not go as planned. With the help of alerting technologies companies chances of detecting the source and reducing the risk get boosted up.
14 | Supply Chain Risks and Security

Know the big picture: The supply chain managers must be aware of the big picture around the supply chain. Awareness of the external factors that could affect some or the other processes in the supply chain is a must. If the manager knows that one of his key raw materials supplies could be shortened because of some environmental factors, the manager would take corrective measures well in advance as soon as he sees such environmental change happening. These and many more similar steps can be taken to Reduce the likelihood of the Risk and to Reduce the severity of the loss from the Risk. Share: If the Risk cannot be avoided and its severity also cannot be reduced, the companies should have a backup plan of sharing the Risk. Basically the companies should share the burden of loss OR the benefit of gain with a third party. This third party could be an insurance company or a vendor to which some processes are outsourced to. The company will pay a premium to the insurer and in turn will get a sum assured in case of the mishaps that are covered in their mutual terms and conditions. Similarly in case of outsourcing a process to some external vendor, the vendor will share both the Risks involved and the profits earned. In this way the companies can offset some of their Risks by paying a little premium or by sharing a part of their profits. Retain: At times when the Risks are so small that the premium for insurance itself will outplay the actual risk OR when the Risks are so large that they cannot be insured because of high premiums (mostly environmental risks like Earth quake, Tsunami etc.) OR when the likelihood of the risk to occur is very minimal, in such cases the companies tend to retain the risks by default.

15 | Supply Chain Risks and Security

Conclusion Today the world is becoming flat and companies are aiming for low cost sourcing and hence increasing the overall inventory across their supply chains. Due to this globalization of Supply Chains, organizations are more prone to risk in supply chain. Also due to cost competitiveness organizations are not making focused investments in Risk management. It is high time that the innovative organizations must step up and revive their Risk mitigation and Contingency plans. Companies must make their processes seamless, their networks efficient, their demand forecasting accurate and companies sourcing should be strategic, so that their losses pertaining to these risks are minimum. In process of making supply chains resilient to Risks, organizations need to work on various frameworks and thus implement a more focused and robust model of risk management. The environmental risks like Geo-political issues, Natural disasters etc. cannot really be predicted but they are within the realm of proper planning. Apart from this, other kinds of risks are either fully or partially in control of organizations.

16 | Supply Chain Risks and Security

Organizations, more than ever need to understand the risk attach with their nature of business and be agile in developing expertise and process to counter any unforeseen risk. Basically they need to be RISK READY, which is how they can Avoid the risks that have high impact on business and feature high on controllability; Reduce the risks that have low impact on business but feature high on controllability; Share the risks that have high impact on business but feature low on controllability; and Retain the risks that have low impact on business and feature low on controllability (Figure 1.1.1).

17 | Supply Chain Risks and Security

References 1. Mitigating Supply Chain Risks (David Simchi Levi / Professor MIT). 2. Dorfman, Mark S. (2007). Introduction to Risk Management and Insurance (9 ed.). Englewood Cliffs, N.J: Prentice Hall. ISBN 0-13-224227-3. 3. http://en.wikipedia.org/wiki/Risk_management#cite_ref-8. 4. http://www.husdal.com/2009/06/13/the-six-ways-of-dealing-with-risk/. 5. http://www.aon.com/switzerland/DE_Products_Services_Specialty/Risk_Services/Ent erprise_Risk_Management/LadingPage2_ERM.jsp 6. Course in Risk Management in Supply Chain at SPJCM Dr. Omera Khan

18 | Supply Chain Risks and Security

About the Authors Arun works as a Functional Architect, at JDA Software Pvt. Ltd. He has a Masters degree in Retail Management from SP Jain Center of Management (Dubai/Singapore). Arun has been closely working with global clients (like Wal-Mart, Adidas AG, Kraft Foods Inc., PepsiCo etc.) helping them into Assortment Planning, Digital marketing, other retail operations and Supply Chain optimization.

Jitender works as a Solutions Architect, at JDA Software Pvt. Ltd. He has a Masters degree in Supply Chain Management from SP Jain Center of Management (Dubai/Singapore). Jitender has worked in various industries with global brands like TATA Motors, John Deere, Britannia, HP, Baxter Inc. Jitender is also Six Sigma Black Belt Certified from Indian Statistical Institute, Bangalore.

19 | Supply Chain Risks and Security