In an average year, 134 strong earthquakes (magnitude of 6.0 to 6.9 on the Richter scale) and 17 major or great earthquakes (magnitude of 7.0 or greater) take place around the world.1 Although many strike remote and less-developed sections, some hit major centers of economic activity. When they hit, they expose the vulnerability of global supply chains.
In the predawn hours of a chilly winter morning—on January 17, 1995, at 5:46 am—the five and a half million residents of the bustling port city of Kobe, Japan, awoke in terror as the ground shifted violently beneath them. A major fault deep under an island in the Kobe Bay ruptured, shifting some seven to nine feet upward and laterally in 20 seconds of intense shaking. Older buildings with heavy tiled roofs collapsed, often damaging newer structures that had been built to modern earthquake-resistance standards.
Even before the shaking in Kobe stopped, more than 150 fires started. Ruptured gas lines, broken electrical lines, and overturned equipment started blazes in many parts of the city. Rubble-strewn roads, collapsed expressways, and damaged bridges stymied firefighters’ attempts to reach many of the burning buildings. When firefighters did reach the scene, they often found the fire hydrants dry; the quake had shattered Kobe’s network of water mains in 2,000 places. Had the winds been stronger that day, the entire city would have burned in a fire storm.
In all, the quake destroyed more than 88,000 buildings, injured at least 30,000 people, and killed almost 6,000. A million people lost electricity, 850,000 lost gas supplies, and 70 percent of Kobe’s water and sewer systems were destroyed.2 Even nine days after the quake, some 367,000 households and 190 factories had no water.3 Because of the thousands of broken pipes, it took months to restore water and gas to the affected areas.
The Kobe earthquake was measured at 7.2 on the Richter scale4—in the range of a “major” earthquake but short of the highest magnitudes recorded5 (such as Sumatra’s 9.0 on December 26, 2004,6 San Francisco’s 8.0 on April 18, 1906,7 and Alaska’s 9.2 on March 27, 19648). The full impact of the Kobe quake, however, would not be felt until days, weeks, even years afterward.
The earthquake damaged all the transportation links in and around Kobe. In particular, the world’s sixth-largest shipping port was virtually destroyed on that January morning, halting one-fifth of Japan’s export and import activities. The quake damaged all 22 of the massive loading cranes used to load and unload 2.7 million containers each year from transoceanic freighters,9 and along Kobe’s sprawling waterfront, only four of its 239 berths survived the morning unscathed.10
The port of Kobe took many months to recover, losing twothirds of its shipping volume in 1995. Even after two years, the port was still below its pre-quake levels of activity.11
Large-scale disruptions like earthquakes illustrate companies’ dependencies on a web of infrastructure connections. Phone lines, power lines, water lines, gas lines, rail lines, highways, and ports connect companies to critical services, suppliers, and customers. Damaged commuter rail systems, blocked roads, and personal needs brought high employee absenteeism in the days and weeks following the quake. Many employees just could not get to work or had to devote time to securing food, medical care, and housing for their families.
Japan’s leading companies rose to industrial prominence, in part, through reliance on their vaunted lean manufacturing systems—processes that produced high-quality products with a just-in-time flow of goods from suppliers to assemblers. Japanese companies, especially leading carmakers, minimized the inventory of parts stored in their plants by synchronizing their supply chains so that parts could be delivered just in time for them to be installed in the vehicles moving down the assembly lines. But the Kobe earthquake of January 17, 1995, exposed a vulnerability of this manufacturing paradigm.
Although the Osaka plant for Sumitomo Metal Industries wasn’t damaged by the quake, it lost gas and water supplies. This factory was the sole source for most of the brake shoes used by Toyota Manufacturing Company in all of its domestic cars. Because Toyota relied on lean manufacturing, it had no inventories of the parts. Lack of brake shoes halted production at most of Toyota’s car manufacturing plants all over Japan as these plants quickly exhausted their supplies. Toyota lost production of an estimated 20,000 cars (representing approximately $200 million of lost revenue) as a result of parts shortages. Other Japanese car makers—Honda, Mazda, Daihatsu, Mitsubishi, and Nissan—faced similar problems with suppliers or factories in the Kobe region. These other makers lost about 16,000 cars as a result of delayed and disrupted parts supplies.12 Even where the factories were intact, it took time to re-route truck and rail shipments around the area’s shattered infrastructure.13
The Kobe earthquake also demonstrated the connectivity of global industry. The Japanese economy is the third largest in the world and virtually all of the world’s global companies have operations there, many of them in Kobe. The quake directly affected companies such as Eli Lilly, Caterpillar, Texas Instruments, and IBM.14 Procter & Gamble suffered damage to its local headquarters and had to shut down and evacuate its factory after gas leaked at a neighboring company’s plant.
Because many suppliers to multinational companies were affected, even U.S. companies without a Kobe outpost felt the impact. For example, Apple had to slow down its production of PowerBook computers as a result of interrupted production of display monitors in Kobe,15 and Chrysler nearly had to shut down some U.S. production because of parts shortages.
A firm’s “vulnerability” to a disruptive event can be viewed as a combination of the likelihood of a disruption and its potential severity. Companies assess their vulnerabilities by answering three basic questions:
1. What can go wrong?
2. What is the likelihood of that happening?
3. What are the consequences if it does happen?
Figure 2.1 provides a way of thinking about the confluence of probability and consequences of events (the second and third questions above), such as the Kobe earthquake or the fire at the Philips plant. The vertical axis is the probability of the disruptive event and the horizontal axis represents the magnitude of the consequences.
Vulnerabilities are too varied and too nuanced, and the tools for measuring the factors are too blunt, to distill these factors easily into a single “expected vulnerability” metric. Such a metric would be the product of probability and consequences. Thus, each of the four quadrants of figure 2.1 has a specific meaning. Vulnerability is highest when both the likelihood and the impact are high. Similarly, rare low-consequence events represent the lowest levels of vulnerability.
But what might appear to be a set of modest vulnerabilities may have little in common for business planning purposes. These include disruptions that combine low probability and large consequences, on the one hand, and those characterized by high probability but low impact, on the other. High-probability/low-impact events are part of the scope of daily management operations, tending to the relatively small random variations in demand, unexpected low productivity, quality problems, absenteeism, or other such relatively common events that are part of the “cost of doing business.” Low-probability/high-impact events, on the other hand, call for planning and a response that is outside the realm of daily activity.
Different companies face different levels of vulnerability to each type of disruption. Consider, for example, a specific type of disruption, such as an anti-American sabotage or terrorist attack causing significant damage to a corporate asset. The likelihood of such an attack may be based, in part, on the extent to which the company is associated with the United States. The consequences of the attack are a function of the company’s resilience and depend on the company’s ability to insulate its customers from the disruption.
Using the two-axis framework, figure 2.2 depicts a hypothetical example of how different firms would have varying vulnerability to this type of attack.
As an airline with “America” in its name and flights to dozens of international destinations, American Airlines faces a relatively high likelihood of terrorist attack. In fact, two of its planes were hijacked on 9/11 and Richard Reid (the December 2001 “shoe bomber”) chose to try to down an American Airlines plane.
Any airline would face a severe impact from a terrorist attack. Although the loss of a single of its several hundred aircrafts may not be material to the assets of the company taken as a whole, the loss of life and the consequential impact on confidence among its customers can be devastating. The attacked airline could be perceived as a favorite target of terrorists, leading to a marked decline in the demand for its services, loss of support of financial markets, and possible bankruptcy.
McDonald’s also has an extremely prominent public profile as the global leader selling American-style fast-food around the world and is closely identified with the United States. Indeed, McDonald’s is a very popular target for those disaffected by America’s policies or concerned by the encroachment of American culture. Attacks and protests in places ranging from France and Canada to Indonesia and Turkey suggest that McDonald’s faces a higher probability of attack than firms less identified with the spread of “Americanism.”
But the consequences of an attack on a single (or even several) McDonald’s assets are not likely to be as severe as an attack on American Airlines because of the highly distributed structure of McDonald’s sprawling chain. The temporary loss of a single restaurant is not a serious blow to a company with over 30,000 outlets. Terrorists cannot even create a global food poisoning scare because each McDonald’s buys food from local sources. At worst, a food tampering attack would harm the company only in a small geographic region. Thus, an attack on one McDonald’s neither prevents the company from selling billions of burgers at tens of thousands of other locations nor is it likely to invoke fears by other customers that their neighborhood McDonald’s might be the target of a terrorist attack.
Clothing retailer Limited Brands exemplifies a business with a relatively low risk of occurrence but possibly highly adverse consequences. Limited Brands (which owns brands such as The Limited, Victoria’s Secret, and Henri Bendel) imports clothes from many countries and at one point in time used to distribute them through a single distribution center to its 4,000 retail outlets throughout the United States. Although it is difficult to imagine that terrorists would take pride in disrupting the flow of women’s apparel (hence the low probability), an attack on Limited Brand’s central distribution center would have disrupted the company’s operations and, consequently, could have caused significant losses.16
Because of the structure and nature of its business, Ace Hardware faces both a low likelihood of terrorism and minimal consequences from an attack. Disrupting the local supply of nails and batteries does not have any symbolic value and the chain itself does not seem to generate anti-U.S. sensitivities. Even though it operates 500 of its stores in 70 foreign countries including Kuwait, Saudi Arabia, and the United Arab Emirates, Ace Hardware is a dealers’ buying cooperative with a low profile. Like McDonald’s, Ace is highly decentralized. The network’s 5,100 retail outlets and dozens of distribution centers and cross-dock facilities are not vulnerable to a disruption in a single choke point. Thus, Ace is both highly unlikely to be attacked and, if an attack did take place, the consequences are not likely to be severe.
Figure 2.2 depicts the vulnerability of various firms to a terrorist attack. Clearly, different firms are vulnerable to different disruptions. For example, McDonald’s may be vulnerable to a Mad Cow disease outbreak that would infect the public’s attitudes toward hamburgers, but it is not vulnerable to industrial actions (such as strikes and slowdowns), because it uses franchisees rather than employees. Naturally, any firm employing union workers will be more susceptible to a labor action than a nonunion enterprise. Many large U.S. shippers (manufacturers, distributors, and retailers) routinely hedge their transportation procurement by including a nonunion, less-than-truckload motor carrier, such as Overnite Express, in the portfolio of their transportation carriers, in addition to companies such as Yellow Freight and ABF, whose workers belong to the Teamsters union. Shippers do this despite the fact that it is usually more economical to have a single lessthan-truckload carrier serving any given territory, rather than split the business among two or more carriers.
Thus, different companies will occupy different quadrants of the vulnerability map, depending on the type of disruption. When a company considers the low-probability/high-impact events to which it is exposed, there are several ways to classify the risk in order to start prioritizing what managers should focus on.
At General Motors, the largest automaker in the world, 360,000 employees build over 8.5 million vehicles each year. The company’s global operations span 53 countries and include vehicle sales in about 200 countries. With thousands of precision-engineered parts and electronic components in every car, and dozens of makes and models, GM procures parts through a deep, multi-tiered network from a myriad of suppliers. Managing such a large operation has put GM at the forefront of understanding the vulnerabilities of global supply chain operations. The responsibility for this process lies with GM’s Enterprise Risk Management Team.
To help categorize these disruptions, GM constructed a fourquadrant map of vulnerabilities, as shown in figure 2.3.17 The four categories include financial vulnerabilities, strategic vulnerabilities, hazard vulnerabilities, and operations vulnerabilities. The diagram also arranges the vulnerabilities on a radial, internal-toexternal dimension; vulnerabilities listed toward the center of the circle tend to come from within the organization, while those located at the periphery of the circle tend to arise from outside the company.
GM’s supply chain managers are most concerned with managing the lower two sectors: hazard vulnerabilities and operations vulnerabilities. Operations vulnerabilities include everything from supplier business disruptions to theft by employees. These are mainly disruptions to the means of production. Hazard vulnerabilities include both random disruptions (resulting from severe weather, earthquake, or accidents) and malicious disruptions, such as international terrorism and product tampering. Financial vulnerabilities include a wide range of macro-economic and internal financial troubles, from currency exchange fluctuations to credit rating downgrades to irregularities in the financial statements. (Naturally, every one of the disruptions in this map is likely to have a negative financial impact as well, but the emphasis here is on disruptions caused by the market, the economy, or GM’s own financial mismanagement.) Strategic vulnerabilities include everything from new foreign competitors to external public boycotts to internal ethics violations. The focus here is on disruptions that are possibly preventable with the right strategy. In all, GM documented more than 100 types of vulnerabilities scattered across the four sectors.
GM is planning to use such vulnerability maps to construct scenarios for training managers in crisis response. According to Debra Elkins, senior research engineer in manufacturing systems research at GM: “Hopefully, we’ll get to the point where we’ll be able to play things off-line and do scenario envisioning rather than having to deal with the real event.”18
After cataloging and categorizing the different vulnerabilities, the Enterprise Risk Management team showed GM managers the list of these types of “rare events” and asked the managers how many of these types of events actually happened in the past 12 months. Virtually every one of these events had affected GM in the past year. “We went through the list and checked off, ‘Yeah, we’ve had that one’ and ‘Yeah, we’ve had that one, too,’” said GM’s Elkins. A GM plant was even struck by a tornado in Oklahoma.
While the likelihood for any one event that would have an impact on any one facility or supplier is small, the collective chance that some part of the supply chain will face some type of disruption is high. Collecting the information across the vastness of GM gave the firm a picture of its vulnerabilities.
GM’s experience illustrates both why low-probability disruptions seem rare and why they are actually rather commonplace. “What we’re learning is that risk is part of our daily business and we need to be good at managing it,” said Elkins. Collecting the data from across the organization is the first step toward understanding how to recover and what types of plans are effective in which situation.
Learning from disruptions elsewhere does not need to be confined to disruptions within one’s own organization. The same idea is the heart of the chemical industry’s Safety Management Process. This process, developed in the aftermath of Union Carbide’s 1984 disaster in Bhopal, India, records accidents in chemical plants across the United States. The database allows individual companies and plants to learn from the experience of all plants across the industry. A similar method is used in “near miss” analyses conducted by air forces and airlines around the world.
Bad luck did not cause GM’s litany of misfortunes. The inevitability of disruptions, at GM and other companies, arises from these companies’ size, scope, and structure—the extent to which they are connected to the world and are therefore vulnerable to events throughout it.
Consider just one small part inside a GM automobile: the fine copper wire in the small electric power window motor inside the driver’s door of the vehicle. The wire starts as copper ore, then is smelted into pure copper, alloyed to create the right physical properties, cast into an ingot, formed into a bar, drawn into wire, coated in insulating varnish, wound inside the motor, combined into a door assembly, and mounted onto the car.
With copper mines in Chile, wire makers in China, motor makers in Japan, car door makers in Canada, and final assembly in the United States, each one of these steps involves different companies in different countries. After assembly into a vehicle, the car, with the wire in that little motor in the door, is shipped to one of GM’s worldwide network of 7,500 dealers for sale to the public. In all, the materials might travel tens of thousands of miles before the customer buys the car.
A disruption can strike any link in the chain—either a participant’s factory; the web of transportation services that move materials and parts from source to plants and products from plants to distribution centers and to retailers; or the network of computer and communication systems that support modern supply chain operations. For any company involved in this supply chain—be it GM, the electric motor maker, or the copper smelter—the chain has three main sections:
• The inbound or supply side of the chain includes all the processes and suppliers responsible for furnishing the company with materials and parts.
• The internal processes, or conversion part, include all the activities and manufacturing steps performed inside the company’s facilities.
• The outbound or customer-facing side of the chain includes all the distribution processes and customers of the company.
Disruptions can occur at any section of this inboundconversion-outbound chain of companies and processes that connect raw materials sources to the ultimate end-user of the finished product.
On the supply side, GM endured the consequences of disruptions not only to its suppliers but also to its suppliers’ suppliers deep inside the semiconductor industry when a chemical spill at a chip plant contaminated a clean room and shut down production. The disrupted chip company made the little chips that go inside automobile keyless entry systems. Without the chips, the next company in the supply chain could not make the little black key fobs for GM cars. Without the keys, GM couldn’t sell the cars.
Supply disruptions do not result only from disasters, however. In industries that grow very fast, capacity can be tight because of the time it takes to build new plants and bring new capacity on line. In 2000, for example, a shortage of the metal tantalum led to a three-fold price increase and a shortage of tantalum capacitors. Prized by electronics makers for their high capacity and compact size, tantalum capacitors are the capacitors of choice for cellphone and computer makers. The shortage hit these manufacturers at a time of booming demand. Lead-times of over one year meant that product makers could not get the parts they needed. Similarly, Nissan, Japan’s second biggest car maker had to suspend operations in three of its four Japanese plants at the end of 2004 because of a shortage of steel. This shortage was caused mainly by the huge demands created by the over-heated Chinese economy. Again, the shortage hit at a time of booming demand for Nissan cars following the introduction of six new automobile lines.19
The power blackouts of 2003 in the United States, Europe, and the U.K. illustrated the fragility of the power infrastructure. GM discovered that although the phone lines worked during the Midwest blackout of August 2003, because telephone companies had their own independent power supplies, GM’s office phones—like so many modern multifunctional office phones—required electricity to function and therefore could not be used.
Internal disruptions have a special dimension because in many cases they involve company personnel who are in harm’s way. For example, a powerful tornado hit the General Motors assembly plant in Oklahoma City, Oklahoma, on Thursday, May 8, 2003. The three-million-square-foot plant suffered extensive damage, leading to GM’s second quarter charges of $140 to $200 million related to lost production and facility repairs.
Internal disruptions also extend to the loss of people themselves. Akamai lost its cofounder and chief technology officer, who was on board one of the 9/11 planes. The bond trading company Cantor Fitzgerald experienced a disruption of a different magnitude when it lost 658 people in the collapse of the World Trade Center. In addition to the human toll, such tragedy involves the loss of the relationships with employees, customers, and suppliers that can be crucial to recovery efforts.
The increasing use of information technology creates vulnerability to computer viruses, software problems, and other technology outages. For example, SQL Slammer was a computer worm that spread directly to vulnerable computers on the Internet in January 2003.20 Needing no human intervention, Slammer infected 90 percent of vulnerable hosts within only 10 minutes of its first appearance. Hardest hit were Internet service providers in Asia. Slammer downed Seattle’s 911 call center, American Express’s customer service, and Continental Airline’s computerized reservation system. It also disabled almost 13,000 automated teller machines at Bank of America. In all, Slammer did an estimated $750 million to $1.2 billion in damage. Of course, information systems disruptions are not only internal; they affect companies’ communications with their suppliers and customers, as well.
Demand disruptions typically include massive, unexpected declines in the demand for a company’s products or services. These disruptions can be caused by technological changes, new competitors, disruptions to a major customer, or the sudden loss of customer confidence. In 1982, Johnson & Johnson (J&J) enjoyed a 37 percent share of the nonprescription market with its popular pain reliever, Tylenol. Then, in late September, seven people died when someone placed bottles of cyanide-laced Tylenol capsules on store shelves. Although the poisonings were confined to the Chicago metropolitan area, the company took no chances, pulling all 31 million bottles of Tylenol off the market. The news of the poisonings and the withdrawal of the capsule version of the product caused J&J’s share of the market to drop to 8 percent and its stock market capitalization to drop by 7 percent. Many analysts and advertising experts proclaimed that Tylenol would never sell again under that much-tainted brand name.
J&J kept the product off the market for more than a month—using the time to redesign the packaging to prevent tampering. This included switching from powder-filled capsules (that can be easily disassembled and refilled with a foreign substance) to solid caplets. The company also redesigned the bottles to add three tamper-evident layers of protection.21
By the end of the second quarter of 1983, within a few months of the reintroduction and with heavy promotions, Tylenol had regained its original market share.22 Nonetheless, J&J lost hundreds of millions of dollars because of forgone sales and added costs.23
A sudden, massive loss of customer confidence in a company’s products can, of course, be devastating. J&J countered this with its decisive response. By contrast, Firestone and Ford took months to acknowledge the problem with the Firestone tires on Ford Explorers in 2000, resulting in tarnished reputations and lost business for both companies (see chapter 3).24
Naturally, demand imbalances can also include unexpected spikes in demand, leading to lost sales, bad service, and even lost customers. Such disruptions, however, are rarely catastrophic for a company.
Given their complexity, modern supply chains can be disrupted in many ways. Each individual link in the chain is not likely to suffer a particular rare event, but the chances are that the chain as a whole will be disrupted somehow.
The challenge for managers is to understand and communicate this vulnerability to their colleagues and senior executives. Various graphic presentations can help managers visualize their company’s vulnerability. Each provides a different view onto vulnerability in terms of how much, where, and to whom.
Figure 2.2 used a two-axis framework of likelihood vs. impact to compare the vulnerability of various companies to specific disruptions. Similar, yet differently focused, enterprise vulnerability maps can be used to categorize and prioritize different possible disruptions for a given company. Although it may be quite difficult for any enterprise to estimate accurately the likelihood and consequences of each disruption, such maps serve to highlight the relative vulnerability along these two dimensions, leading companies to focus on the disruptions to which they may be most vulnerable. Figure 2.4 depicts such a map for a hypothetical manufacturing enterprise.
Multinational companies realize that many disruptions are tied to geography; floods, earthquakes, political upheaval, fluctuating exchange rates, and other potential causes of disruption are focused on certain geographical locations. GM is tracking the geographic content of parts to help understand the total enterprise risk of disruptions in particular parts of the world. To this end, GM follows the bill of material, which is a list of all the parts and quantities used in the manufacturing of each product (see chapter 5). Aggregating these data at the enterprise level helps paint the total exposure of the enterprise to countries and regions. At a minimum, a geographic vulnerability simply depicts which suppliers of what parts are located in each area of the world. Such a map can focus the company’s planning efforts on sensitive regions and help it spot a problem area at a glance and respond quickly. What most companies do not have is a complete vulnerability picture that includes their suppliers’ vulnerabilities.
A more advanced version of the geographic vulnerability map focuses on the connectedness of the supply chain to help understand interdependencies. Such a supply chain map highlights the flow of parts out of given regions, depicting who is involved and the plants in other parts of the world that are dependent on them. Such a map can become a tool for understanding the extent to which a flood in Brazil will affect production in Singapore or sales in Germany.
GM uses such supply chain vulnerability maps to simulate the impact of disruptions and the efficacy of proposed mitigation efforts. The data for these simulation models are taken from the bill of material for all GM products. But the data also include process maps depicting the dependency between various processes across the enterprise.
GM’s work on risk management offers benefits beyond dealing with disruption. Studying how the company is interconnected and how different processes affect each other helps the company improve day-to-day operations. “We’ve learned a lot about the enterprise as we’ve been working on this,” Elkins says.25 In particular, supply chain mapping can lead to identification of redundant processes, opportunities for consolidations (for example, when several divisions are buying parts from the same supplier and can aggregate their volume to achieve better procurement terms), coordination of logistics activities across plants and divisions (for example, using back-and-forth trucking services rather than one way), and many others.
The three questions posed in this chapter regarding low probability/high-impact disruptions are:
1. What can go wrong?
2. What is the likelihood it will take place?
3. How severe will it be?
The operating consequences of these questions are:
1. What should managers focus on?
2. What can be done to reduce the probability of a disruption?
3. What can be done to reduce the impact of a disruption?
There are two ways to look at what managers should focus on. The first is to list and prioritize events (such as earthquake, hurricane, strike, and sabotage) that can lead to disruptions. The second is to list disruptions (for example, reduced production capacity, shortage of a critical part, or a severed transportation link) and analyze their causes (and consequences). The first is more useful when thinking about reducing the probability of a disruption, since the relevant actions involve treating the source of the problem. The second is more useful when considering how to recover from a disruption, since the cause may be less relevant than the consequences and their severity at that point.
What is particularly important to realize is that high-impact disruptions are not as rare as they appear. Only when focusing on a single type of disruption, like an earthquake in a particular place, are the chances low. Taken as a whole, however, it is likely that some kind of disruption will hit somewhere almost routinely at a firm that depends on a global, large, and complex supply chain. As a result, companies should focus on supply chain designs, processes, and corporate cultures that are generally resilient, in addition to assessing the likelihood and the consequences of various disruptions, and investing in security.