For many companies in North America, Europe, and Japan, September 11 did not “change everything.” In fact, it changed very little. The MIT study of corporate response to the potential of large-scale disruptions found that most companies are still not thinking systematically about managing supply chain risks and vulnerabilities. The exceptions (as was true even before 9/11) are companies that have suffered disruptions in the past, ranging from kidnapped executives to sabotage at their overseas plants. While these companies were taking steps to increase their security and resilience, many companies that have not suffered from past attacks were, at best, just “going through the motions.”
And, for the most part, that holds true not only for intentional disruptions, such as terrorist attacks, but also for large-scale accidents and random disruptions caused by weather or earthquakes. Companies that have experienced high-impact disruptions of any kind are more likely to invest in avoiding and mitigating future disruptions.
A case in point is Nokia, whose response to the Philips fire was chronicled in chapter 1. In 1995, five years before the Philips fire, Nokia was experiencing a supply-demand imbalance resulting from the combination of poor delivery performance and a relatively weak product line. Inventory was piling up and the company was hemorrhaging cash at a dangerous rate. Fixing the problems entailed linking production control to demand fulfillment, as well as launching a collaborative planning process involving key suppliers. Just as important, the company installed a monitoring process that could move from weekly to daily frequency when the system was stressed.1 These processes served Nokia well in March 2000, as it responded to the Philips fire.
This book is a call for action. It is not, however, a call to start spending large amounts of resources on turning every plant into a fortress and stockpiling mountains of inventory. Instead, it is a call for systematic analysis of vulnerability, for learning from other people’s experience, for increasing supply chain flexibility, for focusing on resilience as much as on security, and for effective use of resources designed to get business benefits out of investments in security and resilience.
One of the most important lessons of this book is that by reducing vulnerability to high-impact/low-probability disruptions, a company will reduce its vulnerability to day-to-day market fluctuations as well, and therefore improve its general performance. To reduce vulnerability, companies should consider the following:
organizing for action,
assessing the vulnerabilities,
reducing the likelihood of disruptions,
collaborating for security,
building in redundancies,
designing resilient supply chains, and
investing in training and culture.
Companies that are risk-aware have a chief security officer to coordinate the company’s defenses. In that action they mirror the government, focusing on security. But such an approach tackles only one part of the problem—avoiding (or reducing the likelihood of) a disruption. It does not consider resilience—increasing the ability of the enterprise to bounce back from disruptions. To this end companies should be thinking not of a chief security officer but of a chief risk management officer. This officer’s responsibility should include not only security but also the continuing effort to build in the flexibility to recover quickly and to isolate the company’s customers as much as possible from a disruption.
The standard approach to resilience is to have a “business continuity plan.” Often, this plan is a document collecting dust in a backroom in headquarters. At best, it is a plan that is occasionally updated and used to guide employee training in disruption response. While business continuity plans are an important element in the approach advocated in this book, they are but a small part of it. Security and resilience considerations have to be taken into account in designing the supply chain and woven into the fabric of business decision making.
An ongoing effort to build flexibility may involve redesign of operational processes, transformation of corporate culture, changes in product design, organizational changes within the company, and different relationships with customers, suppliers, and other stakeholders. The chief risk management officer should be a business person who is intimately familiar with the company’s operations, since risk factors should be considered whenever strategic decisions are taken. Decisions involving centralizing operations, using offshore suppliers, entering foreign markets, labor negotiations, mergers and acquisitions, new infrastructure investments, new product introductions, new organizational structures, and many other strategic decisions should pass through the filter of vulnerability assessment: Which risks increase and which decrease? Can the risks be quantified? Can processes for early detection of specific risks be developed? Can the risks be mitigated? Do the business benefits of a planned course of action outweigh the increased risks?
Some companies are already moving in this direction. IBM’s security executive is a member of its Global Trade Council and Gillette’s security executive is represented on its Executive Operating Committee. Nike uses cross-functional leadership teams to evaluate security and business continuity best practices. Furthermore, in many companies security is becoming part of the responsibility of each process owner, rather than the security personnel.
Given the day-to-day pressures of running any modern business, the ultimate responsibility for asking the tough vulnerability questions lies with the board of directors. Most metrics used to motivate senior management, such as stock options and grants based on economic value added (EVA),2 reward executives for economic gains, without taking into account the level of risk the firm takes on to realize these gains.3 Consequently, it is the board that should insist on proper analysis of risk when undertaking strategic projects.4
To assess business unit vulnerability, the three basic questions are:
What can go wrong?
What is the likelihood that it will happen?
How severe is the possible impact likely to be?
The use of vulnerability maps lets managers place possible disruptions in a likelihood/consequences framework that focuses on the disruptions with the highest likelihood and the most severe potential consequences. Such vulnerability maps should be updated continuously because each significant company action may introduce or eliminate vulnerabilities and change their overall likelihood or potential severity. The risk management team should also update vulnerability maps in response to decisions taken by other companies (including trading partners and competitors) and general external conditions (such as the geopolitical climate, new laws and regulations, or long-range weather forecasts).
Assessing the likelihood of a disruption differs according to its nature, be it a random event, an accident, or an intentional attack. The probability of an earthquake, flood, or tornado can be estimated from publicly available data. The probability of large-scale accidents can be developed and updated from incidences of near misses, coupled with industry-wide data about the relationships between near misses and significant disruptions. Intentional disruptions require a different type of assessment, since corporate actions may affect the likelihood of occurrence; “hardening” one area of operations may increase the probability of a disruption elsewhere. The assessment of such a threat requires imagination (often best accomplished by simulations and “war games”) and monitoring of relevant events at other companies.
Assessing the severity of accidents and random events can be based on statistics and industry experience. Low-probability/high-impact events also involve public fear, which may lead to two phenomena that exacerbate the disruption: The first is hoarding of critical resources, be it gasoline during a fuel shortage or antibiotics during an anthrax scare; the second is government overreaction, motivated by the need to show a firm hand and restore confidence. Both phenomena should be regarded as part of the disruption and companies should account for them in estimating severity.
An important element to remember when assessing either security or resilience is that no company lives alone—it is a citizen of its supply chain. Consequently, each member of the supply chain is only as secure and as resilient as the chain’s weakest link. In order to understand their own vulnerability, many companies therefore audit their suppliers’ security on an ongoing basis.
Standard accounting practices highlight another potentially risky situation: when a large part of a company’s output is sold to a single customer. This situation is disclosed in financial statements in order to alert investors that such a customer may exert undue price pressure or even abandon the company for a competitor. Another danger, however, is that such a customer may experience a disruption of its own, which will reverberate immediately to its supplier.
Once the various threats have been prioritized, effort should be focused both on reducing the likelihood of a disruption and on improving the organization’s ability to bounce back, thus reducing the severity of a disruption, should one take place.
Many companies have long been working to increase safety, thereby reducing the likelihood of accidents and the impacts of random events. Intentional disruptions, which get an increasing level of attention at many firms, call for an additional set of tools and approaches.
The first challenge is to detect a disruption quickly and recognize it for what it is. The focus should be on separating the “abnormal” activity from the “normal” baseline activity—deciding which containers should be checked; which employees warrant special attention; which passengers should be searched before entering an airline terminal; what concentration of doctor visits indicates a possible spread of a biological agent; or how many product failures per period may indicate sabotage. The tools to develop such “sensing” are based on statistical process control, a well-developed body of knowledge. But when dealing with the potential for an intentional disruption, such as terrorism or sabotage, detection must be complemented by trained human screeners who can review suspicious outliers.
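As an added illustration (not from the book), a Shewhart c-chart is one standard statistical-process-control tool for the “product failures per period” question above. The weekly counts, the 3-sigma limit, and the run-of-eight rule are assumptions chosen for this example; flagged periods are handed to a human reviewer rather than acted on automatically.

```python
import math

# Constructed sample data: product failures per week.
# BASELINE is a period believed to be "normal"; MONITORED is what follows.
BASELINE = [4, 3, 5, 4, 2, 6, 4, 3, 5, 4, 4, 3, 5, 6, 2, 4, 5, 3, 4, 4]
MONITORED = [3, 5, 4, 12, 4, 5, 6, 5, 7, 5, 6, 5, 8, 3]


def c_chart_limits(baseline):
    """Return (center, lower limit, upper limit) for a count-per-period chart.

    Assumes in-control counts are roughly Poisson, so the variance equals
    the mean and sigma is the square root of the center line.
    """
    if not baseline:
        raise ValueError("baseline must contain at least one period")
    center = sum(baseline) / len(baseline)
    sigma = math.sqrt(center)
    upper = center + 3 * sigma
    lower = max(0.0, center - 3 * sigma)  # a count cannot be negative
    return center, lower, upper


def flag_periods(baseline, monitored, run_length=8):
    """Return (period, count, rule) tuples for periods needing human review.

    Two rules are applied (both are assumptions of this example):
      above_ucl       - a single period above the 3-sigma upper limit,
                        i.e. a sudden spike;
      sustained_shift - run_length consecutive periods above the center
                        line, i.e. a slow drift that never produces a
                        single dramatic spike. Reported once, when the
                        run first reaches run_length.
    Periods are numbered from 1 within the monitored series.
    """
    center, _lower, upper = c_chart_limits(baseline)
    flags = []
    run = 0
    for period, count in enumerate(monitored, start=1):
        if count > upper:
            flags.append((period, count, "above_ucl"))
        run = run + 1 if count > center else 0
        if run == run_length:
            flags.append((period, count, "sustained_shift"))
    return flags


if __name__ == "__main__":
    center, lower, upper = c_chart_limits(BASELINE)
    print(f"center={center:.1f} lower={lower:.1f} upper={upper:.1f}")
    for period, count, rule in flag_periods(BASELINE, MONITORED):
        print(f"week {period}: {count} failures -> review ({rule})")
```

The second rule matters because a gradual rise in failures can stay under the upper limit every single week; the chart only separates “abnormal” from “normal,” and deciding whether a flagged week reflects sabotage, a bad component lot, or chance remains the screener’s job.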
Security and safety measures should be “layered,” since the alternative may be prohibitively expensive. A single defensive mechanism guaranteed to prevent a disruption, if possible at all, may cost more than the value of the asset being protected. Properly layered security measures, woven together, reduce the combined probability of all of them failing to very low levels. Furthermore, early detection and layered defenses may also increase the company’s resilience, as they may help keep any disruption that does occur contained and relatively small.
In general, there is no “bright line” separating security and resilience. Reducing the probability of a disruption may be considered a security activity, while keeping a small disruption from becoming a devastating one may be considered resilience. Many of the other methods for increasing security, such as collaboration, cultural changes, and training, are also effective at increasing resilience.
Collaboration allows companies to reduce their vulnerability before they suffer from a disruption that “brings home the message,” since they learn from others’ experience. Industry bodies such as TAPA, the American Chemistry Council, the Toy Industry Association, and many others have developed standards of safety and security. Such groups allow participants to exchange knowhow and enable cross-company benchmarking of processes.
Collaboration has many other dimensions. Companies can collaborate with their own employees, making sure that they are motivated and trained to watch for anomalies in the environment and report them. Such a “citizen watch” approach can be extended to the surrounding community, whose members know who belongs in the vicinity of a facility and who does not. Collaboration also extends to cooperation with the government on two fronts: complying with security requirements, even when they are voluntary; and advising the government on the proper application of security standards so that the cost to commerce is not too high. Some companies, such as FedEx, are even encouraging their employees to spot would-be terrorists and report them directly to the DHS via a special computer link.
One of the most straightforward methods for creating resilience is building in redundancy. Clearly, multiple suppliers, extra inventory, spare capacity, added workers, and low utilization can help a company recover quickly from a disruption. But the enormous productivity gains of the last quarter of the twentieth century were based, in large part, on lean manufacturing and lean supply chain operations—doing more with less. Just-in-time inventory management freed capital tied up in safety stock; outsourcing of manufacturing was used to create flexibility to ramp production up and down; auction methods were used to whipsaw suppliers against each other in pursuit of the lowest costs; and employment rolls were cut as information technology fueled a surge in productivity.
Such lean operations, however, also created brittleness in supply chains. With no redundancy to fall back on, operations can shut down quickly once a disruption takes place. Hence, a tight supply chain, by itself, may be an indication of danger; when too many “redundant” employees are let go, when capacity utilization is “too high,” and when procurement is focused on a single supplier, risk management alarms should go off. This does not mean that the processes should change or that decisions should be reversed, just that the company should be aware of the risk and plan for it.
In many cases, limited operational redundancies, or surpluses, make sense, since they give a disrupted company some “breathing room” to keep operating while looking for a permanent solution. As a long-term strategy, however, surpluses are expensive. Their cost, in fact, is higher than the straightforward direct expense; the major insight from the adoption of lean manufacturing and supply chain methods is that product quality and service to customers are all significantly higher under lean operations. The real hidden cost of abandoning lean business processes is that quality and service are likely to deteriorate, leading to lost sales.
In one area of operations, however—information technology—there is little doubt that redundancy is the preferred approach. Most modern corporations depend on their information technology infrastructure. Fortunately, once that infrastructure is built, the cost of redundancy, including back-up sites, back-up data, and back-up applications, is relatively small.
Instead of relying solely on supply chain redundancy and its inevitable costs, a well-managed firm should develop resilience, by building flexibility that can be used to “bounce back” from disruptions, even with limited redundancy. Instead of being a dead weight on the company,5 flexibility is a clear and present asset when managing daily problems of matching supply and demand. To this end, one should look for relevant ideas at companies in highly uncertain demand industries such as computers, consumer electronics, and fashion.
Because short component and product life cycles, as well as fickle consumers, make for difficult forecasting challenges, leading companies in these industries adopt agile supply chain designs. They use risk pooling, so that parts, subassemblies, and products can be moved from surplus areas to deficit areas. They shorten the time to the market by using postponement and build-to-order methods, thus committing to a specific product only when the demand is better known or even certain (in the case of build-to-order). They share data and collaborate extensively in times of product introduction and promotions (when demand is most difficult to predict). They engineer their products so that each part can be used in many products, creating parts interchangeability and reducing the total number of different parts. And they maximize the use of standard parts, rather than custom-made and engineered-to-order parts, so that these parts can be procured from many sources.
On a basic level, supply chain design involves relationships with suppliers on one hand and customers on the other. When choosing vendors, companies have to align their procurement strategy with their choice of suppliers. Many companies believe in working with a single supplier for each part or family of parts. Such “single sourcing” strategy is viable if it is accompanied by deep partnership with that supplier, since that supplier becomes as crucial to the company as its own manufacturing capacity. Staying away from close relationships and continuous monitoring of suppliers is also a viable approach, but it requires multiple vendors and the ability to move the procurement from one to another.
Clearly, strong relationships with customers are an important asset in terms of managing disruption risk. If major customers “stick with the company” during a disruption, that can send a vote of confidence to other customers and the financial markets and give the company more time to recover.
Sometimes the trite is true: The most important assets of most companies are their employees. Cross-training and shifting assignments help people understand the operations of large organizations. It also means that there are many employees who can perform each job—a capability that can be used both during disruptions and during peak times.
Communicating with employees on a strategic level (regarding the mission and the strategy of the company), a tactical level (the main hurdles and main initiatives this quarter and this month), and an operational level (the current status of the production, shipments, cash flow, inventories, and commitments) keeps everybody “on the same page.” Coupled with empowering employees to take actions when necessary, such extensive communications allow them to contribute efficiently to flexible operations.
A large part of investment in people involves training. Teams trained to morph quickly as the rules of the game change respond better not only to demand fluctuations, but also to unexpected disruptions. In the context of disruption management, hectic environments may actually condition an organization to manage disruptions well. Examples include Zara’s continuously changing product designs, Dell’s stretch goals, and UPS’s continuously exposed operations. These environments help “sensitize” employees to the demands imposed by high-impact disruptions.
In addition, many companies invest significant amounts in specific disruption training—developing and practicing emergency processes as well as simulating disruptions so that employees can learn to react. Repeated exercises are hardly popular, but they can make a difference. Rick Rescorla, the vice president of corporate security at Morgan Stanley, was a decorated Vietnam veteran. After the 1993 World Trade Center bombing, he created an evacuation plan for the company that was exercised, often begrudgingly, many times by its employees. The plan was put into action on September 11, 2001, with Rick Rescorla helping 2,700 well-trained Morgan Stanley employees evacuate the towers. As a result, only six Morgan Stanley employees perished that day. Unfortunately, Rick Rescorla was one of them.
In addition, such training aims to “socialize” security and resilience so that all employees are conditioned to notice and respond to threatening situations. It also brings security and resilience to managers’ attention so they are a part of any decision-making process.
Finally, highly flexible organizations seem to exhibit a culture characterized by passion for the work and the company. Such culture means that employees are treated with respect and are given information and training, yet they are expected to go beyond the call of duty and “go through walls” to achieve corporate goals. Such attitudes not only characterize high-performing organizations in general, they are likely to be the difference between making it or not making it during a disruption.
This book does not suggest a new fundamental terminology, original algorithms, or new processes. Rather, its primary message is a two-sided coin: The best way to achieve supply chain resilience is to create flexibility; flexible companies are top marketplace performers on a day-to-day basis.
The good news is that this introduces a framework for creating the business case for change. One of the difficulties in dealing with the risks of disruptions is that it is not easy to measure the economic benefits of cost avoidance, since avoided disruptions do not show up as revenues, costs, profits, assets, or in any other form on the company’s financial statements; only the costs associated with disruption avoidance show up. Consequently, it is difficult to develop and justify the business case for avoiding and mitigating disruptions—particularly those that are difficult to pinpoint—even though there is a definite likelihood that they will occur.
The approach for justifying such investments should be twofold:
Security investments should be justified both by their contribution to avoiding disruptions (even when not all the benefits can be quantified) and by the collateral benefits they provide.
Resilience investments should be primarily justified by their contribution to flexibility—creating a competitive advantage for the company.
The return on security investments comes from the following separate but inter-related sources:
Insurance: Security investments constitute true insurance. First, they are there to prevent a loss rather than compensate for it. Second, while insurance payments may cover financial losses, they rarely cover the loss of customer confidence and tarnished reputations. Furthermore, many insurers have raised substantially the costs of terror insurance and in some markets it is not available at all. Consequently, it may be more cost-effective to invest in avoidance than in financial insurance.6
Cost Avoidance: To demonstrate the value of investments in security and disruption avoidance, companies should benchmark others in their industry and related industries. While such benchmarking may not be relevant to low-probability/high-impact disruptions, detection and security measures are likely to deter or minimize even minor, more common disruptions such as pilfering, counterfeiting, gray market diversions, warranty fraud, and minor embezzlements. A cross-company comparison of security investments vs. disruption frequency will often demonstrate that security investments do yield benefits that outweigh the investments’ costs. At the same time such benchmarking can provide a gauge of how much should be invested.
Operational Speed: With the United States and other countries instituting stringent security measures, companies that choose not to upgrade their security and not comply with voluntary standards are likely to find their shipments spending more time going through ports and customs. Companies operating time-sensitive supply chains, such as The Limited and Seagate, do not require any other justification for joining C-TPAT, certifying their suppliers for security, and upgrading their own.7
Public Responsibility: With most of the infrastructure in the United States, and more and more in Europe and Japan, now held in private hands, companies have a societal responsibility to protect their assets and operations, not only for their own sake, but for society’s sake—avoiding the loss of products, services, and jobs that people depend on. As disruptions and terrorism may become more prevalent throughout the world, companies are likely to be required to demonstrate that they have taken every reasonable precaution to avoid a disruption, even if it is the result of a terrorist act. The public and the political desire to find scapegoats after the fact—already evident in product failure cases, the 9/11 commission, and medical malpractice suits—is likely to assert itself in the aftermath of terrorist acts as well; executives may have to answer to orphans, grieving spouses, ruined investors, and their lawyers regarding the actions taken and actions not taken.8
Some companies consider their safety and security processes as a competitive advantage, and will not share them. Alan Fletcher, group manager of global operations and investigations for Target Stores said: “You can’t help but realize that this [security] is a competitive advantage. It’s not a lead weight around somebody’s neck. It actually does give us some advantage over our competition.”9 According to Rick Dufour, GM’s associate administrator for Executive Protection and member of its Global Security Staff, General Motors has developed a set of metrics for use in managing security. Despite outside interest, GM does not sell those metrics to companies that learn about them through benchmarking, since GM regards its security management practices as a competitive advantage.10
Some investments in preparedness should be taken because their cost is relatively low and they can provide immense benefit in case of disruptions. Most companies already invest in redundant information technology infrastructure and back up their data, applications, and processes frequently.
Going beyond business continuity planning, this book argues that security has to be built into the enterprise, following the practices used for safety and quality management, rather than added after the fact. The point is even more compelling when the challenge is to build in resilience, since that requires building flexibility (rather than increased redundancy) into the organization.
Building flexibility not only requires participation from all parts of the firm, it may require fundamental changes in the ways the firm conducts its business. These include product and process redesign, as well as a certain style of leadership and culture. But even more modest changes such as standardization of parts or a reduction in the number of elements used in products will increase the firm’s resilience.
The value of increased resilience may be difficult to measure directly. But the general business benefits of flexibility show up in better matching of product availability with demand patterns, leading to lower costs and higher customer service at the same time. Similarly, operational improvements such as production monitoring and shipment visibility systems increase detection sensitivity, allowing managers to anticipate and even avoid disruptions. They also improve day-to-day flexibility to respond to demand changes.
The need to build more flexibility into supply chain operations has been increasing continuously over the last decade or two, mainly because of the increased uncertainty about demand for products. Some of the reasons for the increased uncertainty, which makes forecasting so challenging, include:
the explosion in the varieties of most products—meaning that each is sold in relatively low quantities, not allowing for risk pooling
the shortening of product life-cycles—so that new products with little history are continuously introduced into the marketplace
increasing customer expectations—requiring high availability of product, while tougher competition in most markets drives prices down
globalization—leading to increased supply lead times and long distribution networks
information and communications connectivity, which introduces positive correlations across global markets.
Businesses constantly explore the building of supply chains that can respond to such uncertainty. U.S. automobile companies, for example, have benchmarked their operations against Dell, rather than against each other, in their quest to move to a build-to-order system for automobiles.
The volatility of demand is not the only reason to build in flexibility. Supply (and other) disruptions are also becoming more common as a result of the increased length and complexity of global supply chains, coupled with geopolitical tensions. But as companies move to build flexibility in order to respond to demand and supply volatility, they are also building in resilience.
Because of the dual nature of such investments, specific resilience projects should be made with an eye toward increasing flexibility and agility. For example, when considering an extra supplier in order to mitigate the risk inherent in sole-sourcing, it is advantageous to add a different type of supplier, creating a “portfolio” of different suppliers rather than just duplicating capabilities. A low-cost offshore supplier may be supplemented with a local supplier that has reactive capacity and can respond quickly to market changes. Such capacity can supplement the offshore supplier not only when that supplier is disrupted but also during volatile periods such as new product introduction and during the phasing out of products.
Thus, important investments in security and resilience are often the same investments that companies should be making in any case. Putting an emphasis on increasing resilience may simply accelerate investments in projects that would be beneficial for reducing costs and improving customer service.
An important activity that should allow companies to respond quickly and even benefit from a disruption (in the sense that they may be able to respond before their competitors do and control the information flows) is the preparation of disruption response centers. Companies such as Intel and General Motors operate central as well as regional “crisis centers” or “emergency centers” whose function is to collect intelligence for disruption avoidance and to coordinate the response in case a disruption takes place. A large part of these centers’ function, in case of a disruption, is to find out the facts and to be able to communicate to the outside world the company’s version of events and its recovery actions. Having accurate, up-to-date information and being ready to communicate it will increase the confidence of customers and suppliers that the company is on top of events.
Many of the characteristics that make for successful firms in today’s uncertain marketplace are the same characteristics that make them resilient. The same advanced supply chain designs that let companies respond flexibly to demand and supply fluctuations also help them react decisively to disruptions. The same corporate culture that allows them to succeed in a tightly competitive environment can be counted on to encourage employees to rise to the challenge posed by a disruption. And the same collaborative, risk-sharing relationships with trading partners that allow companies to move faster into new markets and introduce new products ahead of the competition are likely to be the source of strength and recovery resources in the aftermath of a disruption.
Security and resilience efforts can generate significant “collateral benefits,” helping avoid pilferage, tightening processes, and increasing flexibility. In a different realm, discussions about security and resilience can serve as a common ground between labor and management, among competitors, and between the private and public sectors. Such discussions can bring about benefits in cooperative relationships that extend beyond safety and security.
But even when a disruption takes place, prepared and resilient companies may be in a position to take advantage of the situation and turn the disruption into an opportunity. Such companies can use a disruption to demonstrate to their stakeholders (in particular their customers and the financial community) their resilience and ability to bounce back quickly. When a disruption hits many companies at once, or affects a whole region, prepared companies may be able to take advantage of the reduction in market capacity to enter new markets and serve new customers; they may be able to help other companies in trouble, thereby cementing long-term partnerships; and they can use the opportunity to demonstrate to the communities in which they operate their commitment and good will.
* * *
Thinking about what can go wrong is unpleasant for most people. In particular, mulling the idea that others would want to harm and destroy the place they work for, the communities they live in, and the society they are part of, is no one’s idea of fun. The normal human tendency to see the world as we want it to be, rather than as it is, stands in the way of preparedness.
But thinking about disasters as opportunities and using disaster preparedness to increase resilience are the essence of making lemonade from lemons. Enhanced security measures that lead to tightened processes, and the advantages of flexible supply chains, create the case for directing corporate attention to and investing in resilience. The advantage of creating resilience is that unlike the important activities of security enhancements and business continuity planning, resilience does not start with analysis of specific threats. Instead, it is a characteristic that gives enterprise buoyancy in the wake of any disruption, increasing its day-to-day flexibility to respond to a world that is changing fast and becoming ever less certain.