
7. Caveat Emptor

Published on Apr 08, 2020

The options for creating resilience mentioned in the first part of chapter 6—redundancy and flexibility—as well as the constructs described later in that chapter (business continuity planning, emergency operations centers, and incident management systems) all help organizations respond to and mitigate a disruption after it occurs. In contrast, strategies and processes for managing procurement risks can help prevent disruptions before they occur or detect their onset, enabling effective mitigation. This is especially important given the engagement of off-shore suppliers, driven by globalization, which has increased the risks to supply chain operations.

Assessing Supplier Risks

Supplier risk assessment typically relies on the same triplet of likelihood, impact, and detectability introduced in chapter 2 but focuses on each of a company’s suppliers and their inputs to the company. Given that large companies can have thousands of suppliers providing tens of thousands of different subassemblies, parts, materials, software, and services, many companies focus their efforts on “key” or “critical” suppliers, defined by some metric. Supplier prioritization metrics can include the importance of the material to the company, the availability of alternative suppliers, the speed with which a change (in supplier or material) can take place, total “spend” (total amount of money given to that supplier in a time period), supplier location, or a more formal analysis of the supplier’s financial contribution to the company’s business. The majority of supply-chain risk managers within the companies surveyed by the Business Continuity Institute (81 percent) say they have identified all or almost all of their key suppliers, which is the first step in such an analysis.1

Consider the (Sole) Source: Prioritizing Key Suppliers

To cope with the risk of supplier bankruptcies during the financial crisis of 2009, Boston Scientific Corporation, the Massachusetts manufacturer of advanced medical devices, identified which components in its product portfolio came from sole source, single source, dual source, or multi-source suppliers. A “sole source” means that there are no other readily available sources of supply, which may be due to intellectual property issues, technology, a joint venture, or a contract,2 while “single source” means that other suppliers are available but that buying from only one supplier was done for economic or convenience reasons.

“Some supply chain professionals measure the importance of a supplier by the ‘spend,’” said Nick Wildgoose, global supply chain product manager for Zurich Financial Services Group. “Instead, it should be driven from a top-down approach: what is our most profitable product or service and which suppliers do we rely on to drive that.”3 One such example is Cisco’s global component risk management (GCRM) process. Although Cisco sells a vast variety of products, a relatively small number of products generates the majority of the company’s revenue. These are the most critical products. Cisco makes more than ten thousand products from more than sixty thousand parts sourced from more than one thousand suppliers. Yet some parts—and thus some suppliers—are more critical than others because they are used in those top products or in multiple Cisco products, which are together responsible for a significant fraction of its revenue (or value-at-risk, to use the term defined in chapter 3). GCRM periodically assesses the risk of each such part based on its sourcing status (single vs. multi-sourced), quality history, technology status (legacy vs. new) and lifecycle (new, continuing, end of life).4 The analysis is used to prioritize and prepare risk mitigation strategies for the risky parts.

Impact, Detectability, and Likelihood

As mentioned in chapter 1, most manufacturers have visibility to their 1st tier and possibly some 2nd tier suppliers, but they have little visibility into deep-tier suppliers. Typically, they do not even know who those suppliers are. Thus, when a deep-tier supplier is disrupted, it takes some time before a company realizes that it has a problem. This is mitigated somewhat, however, by the fact that it will also take time for the disruption to affect the company. Just as the impact of a fracturing fault line ripples outward from the epicenter to more distant locations, the impact of a disrupted supplier ripples outward from the supplier to more distant customers. Parts shipped before the disruption—as well as inventories in every intermediate tier, work-in-process in factories, in transportation conveyances, and finished goods inventories—all mean that the deeper in the supply chain the disruption is, the longer it will take for the company’s customers to experience the impact.

Furthermore, once the disrupted supplier recovers, it takes less time to resume production because of accelerated efforts by the supplier and expedited shipping. Thus, the supply chain fills more quickly during recovery than it drained during the disruption. This explains why some of GM’s Japanese chip suppliers were down for months following the Fukushima disaster but GM never stopped selling cars.

Detecting deep-tier disruptions quickly is essential. It gives the company time to assess the problem and mitigate the disruption—by finding alternative suppliers, qualifying new materials, or helping the deep-tier supplier to recover. It also gives the company a leg up on competitors in securing supplies. A new breed of software alert tools, such as Resilinc,5 Razient,6 and SourceMap,7 are designed to help companies quickly detect that they have been disrupted somewhere around the globe, and to quantify the potential impact of such a disruption (see chapter 8).

The likelihood of disruption of a given supplier or supplier facility depends on the combined likelihoods of causes such as earthquakes, fires, labor strikes, bankruptcy, and so forth. Boston Scientific uses a risk wheel to score event risks and aggregate them into an overall supplier risk probability index. The outer ring lists potential disruptions such as service problems, delivery problems, quality problems, labor strikes, changes of ownership, bankruptcy, and natural disasters. The company scores each supplier on each risk using a qualitative five-level spectrum from green (very low risk) to red (very high risk). The middle concentric ring organizes risks into broader categories of disruptions—such as performance, human resources, financial—with a risk score aggregated from the risk scores of the events in the outer ring. For example, potential quality, delivery, and service problems in the outer ring are aggregated into a “performance” category of risks in the middle ring. The center is the aggregate risk score, called a risk probability index.8 This probability index is combined with the revenue-at-risk (similar to the daily impact described in chapter 3) for that supplier to determine the total exposure of the company to the supplier under consideration.

As mentioned in chapter 2, disruption likelihood can be estimated using models based on past data, as well as qualitative estimates of political risks, labor relationships, or indicators of financial distress. For its own geographic site selection decisions, Intel also looks at the response times of firefighters and police, which may affect the likelihood of larger losses.

One challenge with assessing location-related supply risks is that supplier master data in SAP, Oracle, or other enterprise resource planning (ERP) systems generally include only the suppliers’ administrative addresses or headquarters. Risk assessment requires knowing the actual operational locations of production facilities, warehouses, and distribution centers. To this end, companies such as Cisco and Intel, as well as third-party alert services, collect data on the suppliers’ operational locations, not just on administrative locations.

Why No Supplier Is “Low Risk”

Even suppliers with a low likelihood or low impact of supply disruptions (having, for example, multiple plants or short time-to-recovery), can still present significant risk. This risk arises from the company’s exposure to any supplier’s corporate social responsibility (CSR) transgressions that could impact the company’s brand. In 2010, Greenpeace attacked Nestle with a video parody of the company’s KitKat “give me a break” candy bar ads.9 The video implied that Nestle was killing orangutans by buying palm oil from suppliers who were destroying Indonesian rain forests.10 The activist organization launched a boycott of Nestle despite the fact that Nestle does not buy palm oil from any specific plantation but rather in the commodity market and, in the words of Jose Lopez who was responsible for Nestle’s manufacturing, “you would have to ‘look through a microscope’ to find the palm oil in the snack.”11

Consumer-facing companies are especially sensitive to brand reputation issues, which is why activists typically attack consumer brand companies rather than the suppliers or middle-tier B2B companies that may be guilty of perceived social responsibility misdeeds. For example, Forest Ethics has a long-running campaign to force companies to avoid buying diesel fuel supplied from Canada’s tar sands.12 Although many of the targeted manufacturers and retailers buy no diesel fuel directly because they rely on trucking companies to move their wares, consumer-facing companies are more susceptible to public pressure, demonstrations, and boycotts. “The trucking companies care more about what their customers want than what we want,” explained Forest Ethics’s US campaign director Aaron Sanger.13 This issue is discussed in greater depth in chapter 11.

Specific Risk Analysis for Specific Risks

Specific functions within an enterprise may handle specific suppliers’ risk assessment tasks, in collaboration with procurement professionals. For example, the finance department typically assesses the financial health of suppliers to estimate the risk of bankruptcy—by using methods similar to the financial risk scoring of customers—in order to decide appropriate payment and credit terms. A manager at an energy company notes that, “before the financial crisis, we didn’t have a very professional assessment of our suppliers’ financials; now we have a very good system working.”14 Similarly, A. Schulman Inc., an international supplier of custom compounds and resins, gave more finance training to purchasing people so they could incorporate financial measures into supplier evaluations. Boston Scientific created a vendor health program specifically to assess the risk of financial insolvency of Tier 1 suppliers.

A different set of specialists assess suppliers’ potential for causing reputation risks resulting from CSR practices, including environmental sustainability, working conditions at factories, the use of forced overtime, the use of child labor, unsafe working conditions, contributions to water and air pollution, and clear-cutting forests. In companies such as Patagonia, where corporate social responsibility is a mission as well as a key element of the brand, the social and environmental responsibility group wields veto power over supplier selection. According to Cara Chacon, director of social & environmental responsibility at Patagonia, during the screening process of 18 new factories that suppliers wanted to utilize in 2013, five were approved, eleven more were approved conditionally (subject to certain commitments for improvements), and two were rejected by Patagonia’s CSR group.

Supplier Risks in New Products

Cisco reduces some procurement-related risks in the design stage, before engineers have made final decisions about the materials and manufacturing of a new product. “The resiliency of the product design, and all the elements of the value chain—components suppliers, manufacturing locations, logistics—are being taken into consideration early in the new product introduction process, as early as 18 to 24 months before the customer sees the product,” said Cisco’s John O’Connor, director of supply risk management at the time.15 A scorecard-based tool analyzes the proposed bill of materials for 17 risk factors, such as the supplier’s time to recover, single-sourced parts, end-of-life parts, the maturity of the supplier’s risk management processes, and the robustness of the bill of materials. The tool provides an overall score for the new product as well as specific mitigations that could improve product resilience. The results give development engineers time to consider alternate or more resilient suppliers before the design is finalized.16

Cisco treats each new product resiliency analysis as guidance rather than as a mandate. Business reasons might justify using an end-of-life component to create a simple extension of a popular product line. Or Cisco might use a young sole-source supplier for an innovation that can differentiate Cisco’s products. Thus, Cisco balances the risks of supply disruption against the growth goals of the company (in other words, the risk of impeding growth). “Thinking about risk early in the product life cycle allows us to take a more aggressive posture about how to control its destiny throughout the product life cycle,” said Kevin Harrington, Cisco’s vice president of global business operations at the time.17

Supplier Risk Scorecards

Some companies pull all these factors together into a multidimensional scorecard. In addition to its risk probability index described above, Boston Scientific Corporation uses ten indicators related to delivery, audits, and quality. The company monitors both absolute levels and rising/falling relative values of these indicators to track trends in the riskiness of key suppliers. Boston Scientific continuously surveys suppliers about their capacity, employee turnover, and the like. The company also uses D&B records to monitor financial problems such as liens, bankruptcies, or judgments against a supplier. Because 90 percent of the medical device company’s suppliers are privately held companies, Boston Scientific uses third-party data related to financial risks of suppliers, including PayDex, financial stress score, and commercial credit score. According to Mike Kalfopoulos, senior manager, global sourcing at Boston Scientific, the company uses this scorecard system with only 57 core suppliers, which together affect 75 percent of revenue.18

Insurance company Zurich’s supply chain risk assessment19 includes 23 risk grading factors, most of which reflect supply-side risks at three levels: 1) the supply-side industry, 2) the supplier, and 3) the supplier facility. Zurich’s assessment uses a detailed risk evaluation of each key supplier. The evaluation includes 77 in-depth questions focused on seven areas: the relationship to the company, quality systems, risk management practices, labor and skill levels, operations details, physical environment, and the supplier’s own supply chain.

Complexity vs. Spend

Many different risk dimensions can affect procurement strategy, including financial impact, likelihood of disruption, time-to-recovery, and product profit margins. Yet two additional dimensions that are linked to the nature of the supply base offer a useful way to look at the intersection of supply risk and procurement strategy. The first is spend—the amount of money spent per year (or any other time period) on a given part or with a given supplier. A high-spend input could be a bulk commodity or a high-tech, high-value product such as the touchscreen display panel for a cell phone. Low-spend parts might be the screws that hold the product together or the pressure sensor in a car wheel. Note, however, that value-at-risk can be independent of spend—engine parts costing a few dollars each can halt the production of cars costing tens of thousands of dollars each.

Spend affects the cost-effective or feasible procurement strategies available to a company, owing to two factors. First, spend reflects the cost of inventory—protecting against one week of disruption costs proportionally more with a high-spend material. Second, and most important, the level of spend is a proxy for a metric that is more difficult to estimate: the importance of the company’s business to the supplier(s) of the input under study. The company’s importance to the supplier affects the suppliers’ willingness to mitigate risks or reduce the impacts of disruptions to the company through preferential allocation or expedited recovery processes. Suppliers with whom a company spends a significant amount of money are more likely to collaborate with that company and to take risk-reducing steps, to adopt the company’s guidelines for business continuity and CSR, and to give the company priority in the event of a disruption.

The second dimension is the complexity of procuring that input in terms of the effort required to secure second sources of materials or cope with the total loss of the primary supplier. Some materials are simple to procure, such as diesel fuel for trucks, PC hard disks, or 6061 aluminum alloy bar stock, because they are widely available commodities with standardized specifications and multiple suppliers. In contrast, some inputs require much more complex procurement cycles because of coordination with the supplier, engineering time for customized parts, costly validation of samples, auditing of the supplier, and so forth. Inputs such as custom-molded parts, specialized machine tools, ultrahigh purity chemicals, semiconductor chips, and branded ingredients may be expensive, time-consuming, or impossible to second-source. In some cases, intellectual property issues—such as a trademarked ingredient or patented component—preclude a second source, forcing a company to re-engineer its product to use another supplier’s part.

These two dimensions are depicted in figure 7.1. The procurement complexity on the vertical axis ranges from “simple” to “complex” inputs. The horizontal axis is the “spend” on that item or with that item’s supplier. The 2 × 2 matrix defines four categories of procurement conditions: tactical buys (simple-procurement, low-spend), leveraged buys (simple-procurement, high-spend), critical buys (complex-procurement, low-spend), and strategic buys (complex-procurement, high-spend).

Figure 7.1: Spend/Risk Procurement Matrix

Philips buys directly from about 10,000 Tier 1 suppliers and 30,000 service providers, which motivates the company to prioritize its supplier risk assessment efforts. To this end, it classifies suppliers based on spend, and procurement complexity, measured by factors such as geography, type of relationship, and business risk. In 2012, Philips identified 497 product and component suppliers and 97 service providers as “risky” using these parameters. These are the suppliers that Philips audits routinely.20

Simple to Procure Items

The procurement of simple items includes both tactical buys of low-spend common items and leveraged purchasing of high-spend generic items. In both cases, second sources may be easily obtained. Thus, the main objective during the procurement process is to lower the costs.

Tactical buys refer to common items with low volume and ready availability. Because the volume is low, transaction costs as a percentage of spend are relatively high. These costs can be lowered by using procurement cards, electronic ordering, and consolidation of transactions. Sometimes, common items are managed with supplier-managed-inventory, so that the supplier can spread transaction and delivery costs across several customers.

To both minimize transaction costs and maximize volume discounts of low-spend items, companies may be less likely to second-source common items. They may simply depend on the ease of finding a second source if the first one is disrupted. If the low-spend, simple-to-procure item has a high value-at-risk or a high likelihood of disruption with any given supplier, then companies may hold some additional inventory to cover the modest lead-time required to start deliveries from another source. The inventory costs for a low-spend item will often be lower than the administrative costs of maintaining two simultaneous suppliers.

Leveraged buys refer to high-spend commodities. The main strategy for lowering the costs of such generics is to minimize the total landed costs, namely the cost of the items, including all the associated costs of delivery, service, administration, and so forth. To achieve this, companies leverage the purchasing volumes across all divisions and locations and may even join a buying consortium. If the company has any concerns about the time-to-recovery for a generic item, then it is more likely to pursue second sourcing rather than hold extra inventory. The administrative overhead of a second source may be less than the costs of holding the large amounts of inventory required to cover even a short disruption duration.

Strategic Buys: Fragile Geese That Lay Golden Eggs

“We’ve got a couple of suppliers where on purpose we have chosen to go mono-source because of innovation capability, price, and business continuity planning, where they can support us from different factories if one goes down,” said Klaus Hofmann, senior vice president, global purchasing, at Reckitt Benckiser PLC, a UK manufacturer of household and healthcare products.21 Some suppliers are “worth the risk” because of the unique products, processes, or services that they bring to the relationship.

Strategic buys are typically items or services that provide a competitive advantage. Companies frequently enter into long-term, deep partnerships with such key suppliers, involving several levels of contact between the organizations. In addition to collaborating on innovation, efficiency, and supply chain performance, these partnerships include joint work on mitigating risks of their codependency. Cisco, for example, works with its top suppliers on “get-well plans” that mitigate a supplier’s risks and reduce time-to-recovery. Suggestions to the supplier might include second sourcing in Tier 2, opening alternative manufacturing sites, relocating to lower-risk regions, or accelerating equipment buys so the supplier can recover at an alternative site. “It’s not just ‘here’s the exposure,’ but ‘here’s five ways to diffuse that exposure,’” said Cisco’s Harrington.22 Similarly, Jackie Sturm of Intel said, “We stay very closely connected and so we develop practices and processes together, but we also say that these are going to be preferred suppliers.”

Such close relationships involve long-term contracts, sometimes with gain sharing; joint product development and innovation sharing; and even co-investment. At the same time, companies monitor these key suppliers for signs of trouble—the proverbial “putting all the eggs in one basket and then watching that basket very carefully” strategy. “We quickly find out what we can do to help,” added Whirlpool’s Brian Hancock, referring to the key vendors that Whirlpool monitors.23

Critical Buys: Linchpin Makers

“Companies shouldn’t overlook the risk of losing a vendor that makes basic yet essential parts. The loss of either could result in a significant supply chain disruption,” said Gerry Smith, senior vice president of global supply chain at Lenovo.24 Low spend is risky with essential materials, especially if it means the company is not an important customer of the supplier.

For example, both GM and Verifone depend on a variety of electronics industry suppliers. But many of those suppliers pay more attention to cell phone and computer makers who tend to use the latest high-margin products rather than to other users of chips. In turn, vehicle companies such as Caterpillar (construction vehicles) and Deere (farm equipment) feel they play second fiddle to the large automakers who are more important customers to vehicle component suppliers. Even the cell phone makers have a pecking order. Cell phone maker “HTC has had difficulty in securing adequate camera components as it is no longer a Tier 1 customer,” one unnamed HTC executive told the Wall Street Journal.25 In essence, every company is a minor customer to some of its suppliers, and that low-spend situation adds to the risk of disruption.

The obvious risk mitigation strategy for critical, low-spend, hard-to-procure items is to keep high inventory. “We now keep some inventory of critical parts, especially electronics, on hand because it’s such a long supply chain. In the past, we might have told Mister Supplier to keep all the inventory of little footpads on washing machines, but no longer,” said Whirlpool’s Hancock.26 Inventory carrying costs are, by definition, low for low-spend materials, and the strategy does not require supplier cooperation. Furthermore, as the risk varies over time, companies can adjust inventories in sync with the level of risk, such as Medtronic’s “hurricane factor” for safety stocks (see “A First Line of Redundancy: Extra Inventory” in chapter 6). The use of inventory to mitigate risk, however, is limited by the shelf-life of the material.

Strategically, critical buys are the riskiest. Dual sourcing may not be viable as a result of the lack of alternatives and the high cost involved relative to the spend. Thus, mitigation efforts should be focused on changing engineering specifications (to avoid uniqueness), thus reducing the complexity and moving the item to the “tactical” quadrant. Cisco, for example, tries to standardize parts, where possible, using its new-product resiliency index. A different mitigation effort can be focused on consolidating procurement in three ways. First, companies can reduce the variety of parts, funneling more business to a critical supplier. “In the old days, 20 washers could have 20 different controls,” said Whirlpool’s Hancock. “Now you might have only four different controls for 20 models.”27 Second, companies can consolidate buying of the critical part by all product divisions across the company to the same supplier, and also combine the procurement efforts with other companies, creating a buying consortium—thus increasing the spend and the attention paid by the supplier to the company. Third, companies can direct the procurement of other, non-critical parts and materials to the critical supplier, thus making the company a more important customer. All three initiatives serve to move the critical part and its supplier to the “leverage” quadrant. Companies can also couple these approaches with investment, equity stakes, joint innovation initiatives, and other such approaches, thereby moving the supplier to the strategic quadrant.

Long-term supplier agreements help to create commitments for collaboration and mutual survival, according to Lenovo’s Gerry Smith.28 When PC makers faced shortages of disk drives after the Thai floods (see “Highest Bidder” in chapter 3), many of them entered into long-term agreements with Seagate, Western Digital, or both, thus treating them as strategic suppliers. The move was aimed at guaranteeing access to disk drives, even though the long-term agreement curtailed the ability of the PC manufacturers to extract future price concessions.

Similarly, Whirlpool pursued this tack during the 2007–2009 financial crisis. Rather than bidding out freight to get the lowest rates, the company gave more business to a smaller group of transportation carriers and strengthened its connections with them. “In the midst of all this volatility in the housing market and the retail landscape, we can’t control the banks, we can’t control the economy, but we can control supplier relationships,” said Hancock.29

Multi-sourcing

“We can’t rely on one source. We can’t tie our future to one solution,” said GM’s CEO Dan Akerson about GM’s chip supply in the aftermath of the Japan tsunami.30 Yet, multi-sourcing is not always effective, can be costly, and can even increase certain risks. The main alternative is to keep a single supplier and invest significantly in the relationship and monitoring. Relationship investments can include embedding representatives at the suppliers, analyzing the supplier’s financial situation in detail, conducting frequent audits, and having a say in the choice of Tier 2 and even deeper-tier suppliers. Sometimes the relationship extends to influencing the choice of the supplier’s senior personnel. Deep relationships are typically justified with strategic and, sometimes, critical suppliers. But such deep relationships are expensive; therefore, many companies choose to dual- or multi-source when the option exists, especially with non-strategic products.

Don’t Put All the Baskets in the Same Floodplain

Hard disks would seem to be extremely easy items to procure and to second-source. They adhere to well-known mechanical, electrical, and software standards. Although drives do vary somewhat in performance and reliability, they are generally interchangeable for all but the most demanding applications. Moreover, in 2011, the hard disk industry had five large competitive suppliers to handle the volume.31 But then the rains came.

In March 2011, all regions of Thailand experienced heavy rains of up to ten times the normal level of monthly rainfall. These rains caused local flooding, saturated the ground, and pushed river and reservoir levels to above normal. And that was before the rainy season. Between late June and early October 2011, above-normal monsoons plus five tropical cyclone systems struck Southeast Asia and dumped heavy rains in the highlands of Thailand. Runoff totaling more than a billion cubic meters began draining toward the lowlands of central Thailand. Over a period of weeks, the waters rose, displacing more than two million people, flooding 7,510 factories, and damaging 1,700 roads, highways, and bridges. Some factories were underwater for more than five weeks.32

The disaster proved that second sourcing doesn’t always mitigate risks. The industrial parks in central Thailand had become a cluster for making hard disks and their components. Four of the five top suppliers of drives (Western Digital, Seagate Technologies, Hitachi Global Storage Technologies, and Toshiba) all had facilities or key suppliers in Thailand. And all four suffered substantial decreases in production capacity after the Thai floods.33 In aggregate, Thailand provided 45 percent of worldwide hard-drive production, and the 2011 floods disrupted much of that production.34 As a result, the PC industry faced a 35 percent shortfall in disk supplies in the fourth quarter of 2011.35

Concentrated geographic risks can also extend to transportation. Walmart has over 100,000 suppliers well distributed across hundreds of cities in dozens of countries, but the bulk of its imports previously flowed through a very small number of ports on the West Coast, such as the port complex of Los Angeles/Long Beach. The 2002 West Coast port lockout36 demonstrated the problem of relying on too few ports of entry. Since that time, Walmart diversified its import network to include major facilities at Houston, Savannah, Norfolk, Chicago,37 and other ports. By 2010, Walmart had configured its inbound shipping so that no more than 20 percent of the company’s imports entered through any single port.38 Moreover, shifting volumes to multiple ports during periods of normal operations enables a faster response during a disruption. A pre-established relationship in the port and having “known shipper” status with local customs authorities helps Walmart push higher volumes through the ports when necessary.
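The concentration check this section argues for, as an added example that is not from the book: it measures how much of a part's supply a single regional event would touch once operational sites and key Tier 2 suppliers are counted, and which ports carry more than a given share of imports. All supplier names, regions, shares, volumes, field names and the 50 percent region threshold are constructed assumptions; only the 20 percent port cap and the port names come from the text.

```python
from collections import defaultdict

# Constructed sample data. share_pct is each source's share of the part's supply.
# site_regions are operational locations (not headquarters addresses);
# tier2_regions are regions of the source's own key suppliers.
SOURCES = [
    {"part": "hard-disk", "supplier": "A", "share_pct": 40,
     "site_regions": {"TH-central"}, "tier2_regions": set()},
    {"part": "hard-disk", "supplier": "B", "share_pct": 35,
     "site_regions": {"MY"}, "tier2_regions": {"TH-central"}},
    {"part": "hard-disk", "supplier": "C", "share_pct": 25,
     "site_regions": {"CN-south"}, "tier2_regions": set()},
    {"part": "power-supply", "supplier": "E", "share_pct": 50,
     "site_regions": {"MX"}, "tier2_regions": set()},
    {"part": "power-supply", "supplier": "F", "share_pct": 50,
     "site_regions": {"VN"}, "tier2_regions": set()},
    {"part": "footpad", "supplier": "D", "share_pct": 100,
     "site_regions": {"US-midwest"}, "tier2_regions": set()},
]

# Constructed import volumes (containers per period) by port of entry.
PORT_VOLUMES = {
    "Los Angeles/Long Beach": 5200,
    "Houston": 1500,
    "Savannah": 1800,
    "Norfolk": 1000,
    "Chicago": 500,
}


def regional_exposure(sources):
    """Return (exposure, suppliers) keyed as [part][region].

    exposure is the percentage of the part's supply that depends on the
    region, directly or through a key Tier 2 supplier. A source that touches
    a region in both ways is counted once.
    """
    exposure = defaultdict(lambda: defaultdict(int))
    suppliers = defaultdict(lambda: defaultdict(set))
    for src in sources:
        for region in src["site_regions"] | src["tier2_regions"]:
            exposure[src["part"]][region] += src["share_pct"]
            suppliers[src["part"]][region].add(src["supplier"])
    return exposure, suppliers


def concentrated_parts(sources, max_region_pct=50):
    """List (part, region, exposed_pct, supplier_count) above the threshold.

    A supplier_count of 2 or more means the part is multi-sourced on paper
    but one regional event still disrupts most of its supply.
    """
    exposure, suppliers = regional_exposure(sources)
    findings = []
    for part, regions in exposure.items():
        for region, pct in regions.items():
            if pct > max_region_pct:
                findings.append((part, region, pct, len(suppliers[part][region])))
    return sorted(findings, key=lambda f: (-f[2], f[0], f[1]))


def ports_over_cap(volumes, cap_pct=20):
    """Return {port: share_pct} for ports carrying more than cap_pct of imports."""
    total = sum(volumes.values())
    return {
        port: round(100 * vol / total, 1)
        for port, vol in volumes.items()
        if vol * 100 > cap_pct * total  # integer comparison avoids float edge cases
    }


if __name__ == "__main__":
    for part, region, pct, count in concentrated_parts(SOURCES):
        print(f"{part}: {pct}% of supply exposed to {region} via {count} supplier(s)")
    for port, share in ports_over_cap(PORT_VOLUMES).items():
        print(f"{port}: {share}% of imports exceeds the 20% cap")
```

In the sample data the hard disk has three sources, yet 75 percent of its supply depends on one region because one source's Tier 2 supplier sits there, which a count of Tier 1 suppliers alone would not reveal.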

Validating a Second Source: Just-in-Case vs. As-Needed

Whether a company decides to second source “just-in-case” or wait to validate another source as needed depends on the tradeoffs between paying up-front validation costs versus facing potential validation delays during a disruption. The costs of finding and validating a second source may not be trivial. In some industries, such as automotive or medical products, a second source requires regulatory approval. This might require safety tests, such as a series of air bag crash-tests required of one UK carmaker—costing £30,000 ($48,000) for each crash test—simply because the auto maker replaced the source of the leather in the car’s interior.39 Furthermore, companies may not always have the freedom to decide on the matter. As Tim Griffin, general manager of Flextronics’ Milpitas Operations mentioned: for contract manufacturers to add a second source may require approval by customers (the OEMs).40 Sometimes, as Mike Lypka, GM’s director of powertrain/GMCH (GM Corporate Holding) supply chain commented, an OEM might make a directed buy, instructing the Tier 1 supplier to use a specified Tier 2 part, limiting the choices of that Tier 1 supplier.41

Other validation tests or regulatory approvals take time, implying that the time-to-recovery could be very long if the company waits until a disruption. For example, testing nylon fuel lines for long-term reliability and safety calls for soaking the candidate plastic tubing in hot fuel for 5,000 hours (seven months) to simulate decades of exposure to fuel.42 Medical products makers such as Boston Scientific face a 12- to 24-month process for regulatory approval of a supplier’s manufacturing facilities. However, many companies found that internal validation processes can be accelerated during a disruption by working overtime and delaying other engineering tasks. After the 2011 quake in Japan, Cisco had to undertake over 900 new manufacturing qualifications related to disrupted parts from 65 suppliers and performed these activities in one-third of the usual time.43

Intel’s risk management approach uses five levels for analyzing and implementing dual sourcing that help the company modulate just-in-case vs. as-needed tradeoffs. The first level is a paper study that simply assesses the feasibility of using a dual source in case of a disruption. The second level identifies specific potential second sources and evaluates samples from these potential sources. For the third level, the factory samples the potential second sources over time to ascertain their consistency. The fourth level pilots a second source in production. Only the fifth level is a full implementation of dual sourcing that can directly reduce the initial impact of the primary supplier’s disruption. The other four levels reduce risk by shortening the company’s time to recovery.

Dual- or multi-sourcing didn’t help in the case of the Evonik chemical plant explosion (see chapter 4) because no second source in the world had the capacity to make up for the loss at Evonik, which was producing 40 percent of the global volume of nylon-12. High global demand for nylon used in plastic components, carpets, solar panels, and other products meant tight supplies even before the Evonik fire. As mentioned in “Other Kinds of Redundancy” in chapter 6, however, capacity can increase beyond “100 percent” during a disruption through the use of overtime, deferred maintenance of machinery, expedited activities, reformulations, and related actions.

Double-the-Sources, Double-the-Headaches

Both Intel and GM are somewhat ambivalent, even circumspect, about dual sourcing because second sources can increase some risks even as they reduce supply disruption risks. Intel alluded to a kind of alchemy that enables unique, sole-sourced chemicals to do their magic. The chipmaker noted that second sources are never identical, which increases the risks of yield or quality problems. Similarly, GM described the casting of metal as more of an art than a common process, which motivates GM to sole-source certain parts despite the risk.

Chrysler had to recall 30,000 Jeep vehicles because of problems created by its response to the shortage of nylon-12 associated with the Evonik fire. The shortage spurred Chrysler to substitute closely related nylon 6-12 for fuel tank tubes in Jeeps. But the replacement plastic proved incompatible with the existing manufacturing process. Fuel tubes made from the substitute nylon sometimes crimped during use, causing stalls, and even caused one accident.44

Second sources, if not identical, also complicate product lines and after-sales support. When the Japan quake cut off supplies of Xirallic, a sparkly paint additive, Hyundai opted to use mineral mica as a similar-looking second source alternative. “It’s a more readily available component, not single-sourced as Xirallic,” said John Krafcik, Hyundai North America’s chief executive. But Xirallic and mica don’t look the same. That complicates Hyundai’s supply chain and after-sales service. “We actually have to go and rename, recode, and re-specify every paint,” Krafcik said. Hyundai dealers and repair shops now must stock both the Xirallic and mica formulations of body paint, increasing the required inventory levels of these paint SKUs.45

Corporate social responsibility (CSR) risks are also likely to worsen under multi-sourcing. The more suppliers a company has, the higher the chance that one of them (and it only takes one misbehaving supplier to create a problem) might get caught in a CSR scandal involving environmental, worker rights, or political issues. Avoiding increased CSR risks from multi-sourcing implies adding even more costs to monitoring and compliance. Pharmaceutical maker Pfizer consolidated suppliers because of these compliance reasons: “If you are dealing with several thousand suppliers in 150 countries and you haven’t got those controls in place, then your risk as a business increases enormously,” said Colin Davies, senior director of procurement at Pfizer.46 The United Nations Industrial Development Organization noted that larger companies often rationalize their supply chains to a smaller number of large suppliers that are easier to monitor.47 Supplier relationships require careful management; the more suppliers, the higher the cost of managing those relationships. The intended benefits of diversification of supply sources may decline if the companies are not able to carefully select and monitor each new supplier.

Supplier Relations: Sowing the Seeds for Responsiveness

The 2011 Thai floods had a significant impact on the small electric motor industry and illustrate the benefits of good supplier relationships. Verifone, a maker of credit-card processing equipment for retailers, faced a shortage of the small motors used in its credit-card receipt printers. The company attributed getting the part allocations that it needed to its good relationships with its suppliers.48 In times of disruption, companies often rely on suppliers for surge capacity, expedited deliveries, additional allocations of inventory, or special services such as re-engineering a component to work around a disrupted supply of a deep-tier raw material. Although suppliers certainly have every incentive to recover quickly, they may prioritize their recovery efforts or allocate limited inventory or capacity to different customers. The customer’s historic relationship with the supplier (as well as the spend and the importance of the customer) affects the supplier’s choices. Thus, good supplier relationships can make a difference in times of need.

Fears of Tier 2 Tears: Cascading Requirements

Recall that shortly after the 2011 Japan earthquake and tsunami, GM estimated that only about 390 parts might be disrupted based on GM’s knowledge that it had two dozen Tier 1 suppliers in the damaged area. Yet the actual number of affected parts was nearly 6,000, owing to hidden impacts on deeper-tier suppliers into which GM, like many companies, had poor visibility. Similarly, Intel’s Sturm said, “We’re trying to understand the sub-supply chain wherever it’s possible and where our suppliers will share that information.” One major challenge is the natural reticence of suppliers because a supplier’s suppliers, the materials they procure, and the relationships between the companies are proprietary and are part of the supplier’s competitive advantage.

Rather than try to extract sensitive commercial information about the deeper-tier suppliers, some companies are encouraging their Tier 1 suppliers to manage their Tier 2 risks with the intent that Tier 2 suppliers will manage the Tier 3 risks, and so on. Boston Scientific trains Tier 1 suppliers on its supplier scorecard system so they can use the system for their own suppliers. According to Tim Harden, AT&T’s president of supply chain and fleet operations, the company “requires Tier 1 suppliers to ensure that they are protected against Tier 2 suppliers’ failure.” During both the Japanese earthquake and the Thai floods, AT&T avoided disruption because its Tier 1 suppliers had geographically dispersed the next tier of suppliers. Likewise, Tanya Bolden, program manager for the Auto Industry Action Group, said that “auto makers are relying on their large, direct suppliers to ‘cascade training on safety and other workplace issues to their subcontractors.’”49

Tim Hendry, Intel’s vice president, technology and manufacturing group and director of fab materials, said, “We’re trying to get our suppliers to work with their sub-suppliers on their resiliencies, sitting down and discussing their business continuity plans.” Intel’s expectations for suppliers’ business continuity planning (BCP) include deeper-tier risk assessment by asking suppliers to consider the following questions:50

• Have you discussed business continuity with your critical suppliers?

• Do you have contingency plans in place if they cannot deliver to you?

• Are secondary sources available for critical suppliers? How quickly could these be activated during an emergency?

• Do your inventory and spare parts strategies allow sufficient buffer to ensure operations are not disrupted?

• Are engineering workarounds an option for extended supplier outages?

Intel’s contracts with suppliers stipulate downtime, process flow, and security requirements,51 and the company publishes its expectations for supplier BCP.52 Similarly, to ensure it has the relevant information, Cisco surveys approximately 700 of its top suppliers and partners twice a year on BCP issues.53

How to Ensure Less Force Majeure

Many supply contracts include “force majeure” clauses to cover events in which one party fails to perform as a result of natural and unavoidable catastrophes that are beyond its control. A declaration of force majeure lets a supplier avoid breach of contract penalties when faced with so-called acts of God or other overwhelming events. The number of companies reporting force majeure invocations was one in ten in 2009.54 By 2011, almost a quarter of the companies surveyed had experienced a force majeure disruption in the preceding 12 months. Within the manufacturing sector, the 2011 rate was 44 percent.55

Yet companies don’t want force majeure to be an easy excuse for suppliers’ failures to manage risks. Cisco’s contracts, for example, have time-to-recovery requirements that supersede force majeure.56 And Cisco is not alone; a 2011 BCI survey found that 40 percent of companies were using business continuity issues to negotiate greater specificity in force majeure contract clauses.57 They are asking their suppliers to use BCP, to commit to recovery times, and are negotiating the types of events excluded or included in force majeure. Even if the disruption is beyond the control of the supplier, customers might expect and require the supplier to recover quickly.

Under applicable contract law and intellectual property rights laws, a customer normally has no rights to make, say, a proprietary chemical or part, even if the supplier were disrupted, bankrupt, or simply decided to stop making the material. To avoid these kinds of situations, Intel negotiates “have made” rights with certain suppliers so that Intel could take the proprietary methods to a second source or use them internally if need be. Although Intel has never had to exercise these rights, such contract terms help motivate the supplier to manage risks more effectively, according to Intel’s Sturm. Similarly, Cisco has manufacturing rights agreements with certain suppliers if strategies such as last time-buys (in which the company makes one last buy of all the parts it might need for the life of a product relying on that part or until it can find another source of supply) are not feasible. Under these agreements, if the supplier’s financial strength falls below a certain threshold, regardless of the reason for it, Cisco can take control of the operation with other subcontractors.58

Becoming a Customer of Choice

“The customer is king” does not prevail in all industries. Powerful companies who previously browbeat suppliers for price concessions are seeing a changing world. “We’re operating in a world where suppliers are very powerful. There aren’t too many places we can get spare parts for Rolls-Royce engines,” said Paul Alexander, head of procurement at British Airways (BA).59 “Airlines are heavily fragmented—BA has about 2.5 per cent of the industry—and the supply base is often heavily consolidated or monopolistic,” Alexander continued.60 “We’re moving into a world of scarcity, particularly because of the growth of India and China.” Instead of seeing competition between suppliers, he added, “my biggest challenge is competing with other buyers.”61

BA’s solution is to become the “customer of choice,” so that BA gets the best possible treatment. “We aspire to enter a relationship with our suppliers where they value us, where they really want to work with us.” BA’s goal in an environment of strong suppliers is to “do our very best to make sure that [vendors] know we care, know we value what they do for us and that they actually have a place in fulfilling our customer proposition.”62

Consumer-facing companies have contributed to the rise of strong suppliers. As consumers rose in power in the supply chain, competition among retailers intensified. Large retailers, such as Walmart and Target, wielded cost-cutting mandates that induced a wave of mergers among consumer packaged goods suppliers, such as Procter & Gamble’s acquisition of Gillette in 2005. The same trends took place in the automotive and other manufacturing industries, creating “super suppliers.” The driving force was the suppliers’ desire to increase their bargaining power with the retailers and OEMs. It was also motivated by the OEMs consolidating their buys in order to better manage their procurement.

Many companies make a point of helping suppliers when possible, in order to cement their relationships. This tactic depends on the supplier’s willingness to reveal its problems and its suppliers to the customer, as well as on the customer’s relationships with other suppliers. For example, a Ft. Wayne, Indiana, supplier of wheels for GM’s full-size pickup trucks ran into trouble with its Siemens logic controllers on the manufacturing line while starting production of a new truck model. The supplier needed to fix the problem and begin production by 10:30 p.m. on a Sunday night to ensure a smooth start. But the small supplier couldn’t get timely help from Siemens.

So the supplier called GM for help. Although GM does not use much Siemens equipment in its North American plants, it does in its European plants. Using its strong European relationship with Siemens, GM got help for the wheel supplier, and the problem was fixed. Fred Brown, director, assembly and stamping plants at GM, said “We try to help our suppliers, because it’s a win-win. They can’t do it alone. In many cases, we do have a lot of influence that we can use to our advantage and their advantage. So, everybody wins.”

The irony of multi-sourcing as a risk management tactic is that it may not even reduce supply disruption risks as much as expected because dividing the spend among suppliers reduces the company’s importance to those suppliers. “‘Customer of choice’ is partly about supply security, so you want to make sure that in a crisis situation you are fairly high up in the food chain,” said Klaus Hofmann, senior vice president, global purchasing, at Reckitt Benckiser, a maker of household and healthcare products referred to earlier.63 A Corporate Executive Board survey of senior sales executives validates the merits of the “customer of choice” strategy for risk management, innovation, and cost reduction. The survey found that 75 percent of suppliers say they regularly put most-preferred customers at the top of allocation lists for materials or services in short supply. And 82 percent say that these customers consistently get first access to new product or service ideas and technologies. Moreover, a resounding 87 percent of suppliers offer unique cost reduction opportunities to their most-preferred customers first.64 A 13-year analysis of supplier relations in the automotive industry found a positive correlation between supplier relations and profits.65

A Genuine Problem with Fakes

In January 2013, the Food Safety Authority of Ireland shocked Europe with an analysis of 27 hamburger products, 10 of which tested positive for horse DNA and 23 tested positive for pig DNA.66 Food, however, isn’t the only industry dealing with counterfeit goods. A 14-month US congressional investigation uncovered thousands of cases of counterfeit electronic components for American military equipment.67 In civilian aviation, about 520,000 counterfeit or unapproved parts make their way into planes each year, according to the Federal Aviation Administration.68

Misery over Mystery Meat

Irish officials traced the counterfeit hamburger meat to three suppliers, which led to recalling 10 million burgers from the shelves of prominent European retailers. “Mystery meat” may be an age-old issue, but the rise of low-cost DNA testing threw a bright light on the dark corners of the European beef supply chain. The scandal ensnared name-brand companies at all levels of the food supply chain, affecting at least 28 companies in 13 countries.69 Consumer packaged goods makers such as Nestle70 and the Iglo Food Group (maker of Iglo and Birds Eye brands)71 had to recall products. Horsemeat was found in private label products of retailers such as the UK’s supermarket giant Tesco,72 in IKEA’s iconic meatballs,73 and at Switzerland’s Co-op grocery chain, which prided itself on organic, locally-sourced food.74 It also affected European outlets of fast food chains Burger King75 and Taco Bell.76 “It is already clear that we are dealing with a Europe-wide supply network,” Owen Paterson, the British environment secretary, told the British parliament.77

More disconcerting was the poor visibility that companies—and even food sellers—had over their supply chains. Outsourcing and globalization had created a complex assemblage of middlemen between livestock producers and retailers, making it impossible to track sources, quality, ingredients, and other product aspects that consumers may care about. (The problem is even more acute with CSR practices, as explained in chapter 11.)

In the case of frozen foods maker Findus, the horsemeat originated four or five tiers deep in Europe’s food supply chain, making the exact point of fraud hard to determine. The horses were legally processed by abattoirs in Romania but then the meat went through a dealer in Cyprus on behalf of another dealer in Holland, which sent the meat to a plant in the south of France which sold it to a French-owned factory in Luxembourg, which made it into frozen meals sold in supermarkets in 16 countries.78,79 Somewhere along the chain, someone changed the label from “horse” to “beef.”

Romanian officials defended the safety and security of their meat industry—horsemeat being a legal food product in Romania, France, and other countries. The prime minister of Romania, Victor Ponta, stated “the data we have right now do not indicate any violation of European rules by Romanian companies or companies operating in Romania.”80 Sorin Minea, head of Romalimenta, the Romanian food industry federation, said, “They delivered the meat to someone in Cyprus,” insinuating that the fraud may have occurred with the middlemen traders further along the supply chain.81 In other cases, horsemeat was traced to suppliers in Poland82 and Wales.83

The affected companies had to conduct large-scale recalls. IKEA, for example, pulled the potentially affected meatballs from shelves and store cafeterias in several countries and did not restore meatball sales until a month later, after it identified the Polish source and changed suppliers. The impact was significant because IKEA sells 150 million meatballs a year. To deal with the reputational damage, IKEA donated 3.5 million servings of “clean” meatballs to European food banks. IKEA spokeswoman Ylva Magnusson emphasized that the meat pulled from the shelves that contained horsemeat “became bio gas.”84 The company also strengthened its standards for all its food suppliers, increased its requirements from suppliers and started unannounced audits of these suppliers.

Flying Fakes, a Herculean Problem

Modern aircraft use so-called glass cockpits with computer display panels to present pilots with a wide range of critical data, such as the heading, attitude, vertical speed, yaw, rate of climb, engine performance, fuel use, route plan, weather, and various warnings. In 2010, a cockpit display panel failed in flight on a C-130J Hercules military cargo aircraft during active duty. The plane’s maker, Lockheed, returned the failed display to the supplier, L-3 Display Systems in June 2010. L-3 engineers determined that a Samsung video memory chip had failed, which seemed like an isolated event. Yet five months later, L-3 engineers detected that the in-house failure rate for display panel memory chips—the same chip that failed in flight—had climbed to 27 percent.85

L-3 sent the failed chip and inventory samples to an independent lab, which discovered “multiple abnormalities.” In particular, someone had “blacktopped” the chips by removing the original markings, repainting the top of the chip, and adding new markings.86 Further analysis suggested the chips were originally manufactured more than 10 years before, then used, recycled, and remarked as new chips.87 When asked about the reliability of these old chips, Samsung said simply, “One cannot expect such parts to function properly, or at all.”88 No one knew the reliability of these old chips because no one knew how the chips had been handled in the intervening decade. Failure of the video memory chips could cause a degraded image, blank display, and loss of data.89

L-3 discovered that all of the chips had come from Global IC Trading Co. in California, which had bought the chips from Hong Dark Electronic Trade Co. in Shenzhen, China.90 The suspect chips went into 400 display units used in C-130Js, C-27J tactical transport aircraft, C-17 cargo aircraft, and CH-47 Marine Corps helicopters.91 Two other part numbers used in other defense aerospace programs and being supplied by Hong Dark were also found to be fakes. In total, L-3 had bought 30 shipments of electronic parts totaling 28,000 pieces from Hong Dark.92 Half were suspected counterfeits and the other half had not been tested at the time of Senate hearings on counterfeit parts.93

Other defense contractors had bought chips from Hong Dark, too. A total of 84,000 suspect counterfeit Hong Dark electronic parts made it into the Department of Defense supply chain, including chips used in aircraft collision avoidance systems.94 Nor was Hong Dark the only supplier of bogus parts. A 2012 US Senate Armed Services Committee investigation uncovered 1,800 cases of counterfeiting totaling one million parts. “Our committee’s report makes it abundantly clear that vulnerabilities throughout the defense supply chain allow counterfeit electronic parts to infiltrate critical US military systems, risking our security and the lives of the men and women who protect it,” said US senator John McCain.95

“The global supply chain has resulted in significant efficiencies, but it has also created vulnerabilities to counterfeiters,” said Michelle McCaskill, spokeswoman for the US Defense Logistics Agency.96 Fake electronic components made their way into many types of military equipment, including targeting systems for helicopter-launched Hellfire missiles, mission computers for interceptor rockets, and crucial ice-detection sensors for naval patrol aircraft.97 “Counterfeit microcircuits put at risk weapon systems and personnel safety,” McCaskill said.98

Counterfeiters “are starting to be very, very good,” said Dr. Simard-Normandin of MuAnalysis, a testing lab in Ottawa. One recent shipment seemed legit. “When we received those chips for analysis, they looked absolutely brand new,” she said. But when examined under a special acoustic microscope, “we find they are all cracked and damaged inside. These are chips that have been removed from boards and essentially cleaned up and repainted and resurfaced, and they put a new [serial] number on them, and they are sold as new,” Dr. Simard-Normandin explained. “Eventually, they will fail. They are on average of very poor quality.”99 Thomas Valliere of San Francisco-based Design Chain Associates concluded, “There is a huge incentive for unscrupulous people to counterfeit, especially when it is hard to identify counterfeit parts just by looking at them.”100

Disruptions and End of Life Mean the Beginning of Counterfeits

The majority (57 percent) of counterfeit-part reports from 2001 through 2012 involved obsolete or end-of-life (EOL) components.101 “The issue of counterfeit parts is just a symptom of a supply/demand imbalance,” said Tyler Moore, director of supply assurance at Arrow Electronics.102 “Obsolete parts have the highest degree of demand and supply imbalance, and because of that imbalance, counterfeiters move into that space,” Moore said.103

“Obsolete parts are unavoidable, and represent a major element of counterfeit part detection and avoidance,” added Rory King, director of supply chain product marketing at IHS Inc.104 “Industry figures suggest that a single incident of an obsolete part can cause as much as 64 weeks of down time and $2.1 million to resolve,” King said.105 Although many incidences of counterfeit parts might involve less downtime, an important element of risk management is to understand and manage these worst-case scenarios.

When the EU implemented RoHS (Restriction of Hazardous Substances Directive) in 2006,106 it forced suppliers to discontinue many products. Suppliers cited the RoHS “environmental compliance” as the reason for at least 20 percent of all product discontinuation notices in 2006 and for at least 25 percent of them in 2007.107 Suppliers found it cost-prohibitive to redesign older parts to eliminate the six RoHS materials: lead, mercury, cadmium, hexavalent chromium, polybrominated biphenyls, and polybrominated diphenyl ether. “If a product is 20 or more years old, you simply can’t avoid obsolete parts, which are prime breeding ground for counterfeits,” King said.108 In this case, as in many others, actions (regulatory action in this instance) intended to reduce one kind of risk can increase other kinds of risks.

“The Japan crisis exposed multiple companies in many more industries than ever before to the risks of counterfeit and obsolete parts,” King said.109 Following the earthquake, some disrupted suppliers accelerated end-of-life (EOL) notices rather than spending resources to restore production of aging product lines. And customers, in seeking emergency second sources for disrupted supplies, were forced into the arms of less-known suppliers. “The earthquake showed that any time there is a supply disruption, supply chain behaviors change dramatically, and risk can increase very quickly for all companies,” King said.110 “They (counterfeiters) can operate very quickly. We’ve seen a lot of reports where they can get these counterfeit products out as quickly as a week,” added Chris Gerrish, copresident of Rochester Electronics.111 “For simple re-marking of devices from one manufacturer to another or from a lower specification to a better part, the technology to do this is easily available and can happen anywhere,” said Lim Cheng Mong, RS Components head of electronics marketing for Asia Pacific.112

Suppliers Mark the Genuine

To combat the rise of counterfeit parts, the US military started using a marking scheme called SigNature DNA.113 The process coats microcircuits used in weapon systems with a layer containing supplier-specific sequences of plant-based DNA. The marks cannot be replicated or transferred to other objects. Lab tests can then verify the provenance of the parts.114

Marking technologies like SigNature DNA can also be used to link criminals to stolen goods. For example, banks use SigNature DNA in their ink bombs. “In one case, police tracked down a criminal and found loads of money under the floorboards of his home,” he says. “Because the money was marked with SigNature DNA, they were able to track it back to about 23 different bank robberies and convicted the man for all of them.”115 Other anticounterfeiting technologies include holographic labels, serialized barcodes, radio frequency identification, tamper-evident seals, and special chemical taggants.116

Customers Test for Fakes

After Europe’s horsemeat scandal, companies vowed to increase testing. Nestle said it was “enhancing our existing comprehensive quality assurance program by adding new tests on beef for horse DNA prior to production in Europe.”117 Similarly, Birds Eye announced that “going forward we are introducing a new ongoing DNA testing program that will ensure no minced beef meat product can leave our facilities without first having been cleared by DNA testing.”118

The higher risks of counterfeits among end-of-life and disruption-related procurement suggest the need for more testing of any new second sources in these cases. “If you desperately need parts and you buy them with no reason to trust what they are, you will have to test them both for functionality and for material content,” said Michael Kirschner, president of Design Chain Associates.119 Yet as the Mattel example (see chapter 2) showed, the time pressures of disruption-related procurement also forestall extra testing. That places a premium on prearranging trusted second sources (as discussed in the section titled “Multi-sourcing” earlier in this chapter).

“The safety of products bearing Disney characters and other intellectual property is of crucial concern to us,” said John Lund, senior vice president, supply chain management at Disney.120 The company ensures the safety of its products and the security of its brand with a multifaceted program. “Contractually, Disney requires that licensees and manufacturers comply with all applicable legal and regulatory safety requirements and that they have procedures in place to verify such compliance,” Lund said. “Our Product Integrity professionals monitor and confirm that manufacturers and licensees are conducting safety tests by independent, certified third-party testing laboratories or equivalent procedures. They also seek to verify that product manufacturers are complying with and keeping abreast of current and changing product safety standards,” he added.121