19/03/2010

Roundtable discussion: Supply chains

Tuesday February 3rd 2010

Panel:

Chairman:
Tim Cracknell - partner, Jardine Lloyd Thompson and IRM deputy chairman

Steve Agg - CEO, Chartered Institute of Logistics & Transport UK
Kevin Devoy - manager, procurement and supplier management, Centrica
Paul Howard - head of group insurance and risk management, J Sainsbury and chairman of AIRMIC
Adrian Jolly - senior risk and business continuity manager IFDS Group
Ian Searle - vice president, risk management - emerging markets, Deutsche Post/DHL
Phil Wall - senior account engineer, ACE European Group

Cracknell: For me, supply chain risk is a wide-ranging subject. Different organisations have different takes on how they view and manage supply chains. It's a risk area that's become a top three subjects for boardrooms. There are three main aspects; supply chains, supply chain management and supply chain risk management. Each is slightly different, although ideally all three should be integrated.
The outsourcing model emerging in both the public and private sector can only grow further. That produces two questions; firstly is risk increasing or diminishing as it is spread around the world? Secondly, do third party organisations that are relied upon and fall outside management control present a worse risk than handling these activities in-house?
As an opener, how do organisations define supply chains? My company, JLT - as well as IRM which is developing a specialist module on supply chains for the diploma qualification - looks at the very widest interpretation, from research and development right through to customer delivery.
Other organisations have a different take. How do you define supply chains, what do you see as the main drivers and do you expect this to become a more complex issue going forward?

Agg: I've been in the logistics and supply chain industry all of my working life; my background is in the food industry and supplying the grocery trade. I was disappointed when the 'supply chains' phrase was adopted; I prefer 'supply tube', as links in a chain imply weaknesses. I also believe that anyone who is employed and does any meaningful work is involved in the supply chain.
Each of us performing a task in our working life receives something, then passes it on - hopefully after adding something of value, whether it's information, making a product , or providing a service. So which participants and activities add value and which don't? Supply chain management is about reducing waste and inefficiencies.
Recently people have talked about supply chains being important in light of the relief efforts in Haiti and particularly humanitarian logistics. In our everyday lives we normally don't think too much about the issues; customers simply expect products to be there and to be provided with choice.
But the issue is becoming more important both to individuals and boardrooms, although they're still not doing enough. In many businesses, it's still not a boardroom issue. To cite a couple of recent issues, the Toyota motor recall has spread to affect other brands made in the same factory in Czechoslovakia
Another example of risk and risk complexity is the Boeing Dreamliner, with components and sub assemblies sourced from many countries. The company saw outsourcing as the means of spreading risk and development costs, as well as spreading employment and engagement with potential customers. But the complexities involved in manufacturing different parts all over the world and not being able to control the supply chain has added to the risk and delayed the project. So opportunity can quickly transform into a negative.

Howard: In that way it's similar to any sort of outsourcing decision. But it's not an abdication of risk; you still need to control your supply chains. Your 'invisible' subcontractors are those who could have an impact; while you probably know the people who you deal with, you don't know the ones who deliver to their particular operations.

Wall: I take the point on 'supply tubes', but in the right context 'supply chains' conjures up a useful image as it's similar to a critical path analysis on a project. It shows that certain things have to happen at a certain time to deliver to the customer promptly. Many functions within a supply chain benefit from flexibility or additional capacity, which can absorb disruptions within the supply chain with the end customer being unaware of any problem. However, some functions will be critical to delivering products or services on time. So 'supply chains' is a useful term that enables you to identify key "suppliers" within the business process, both internal and external.

Jolly: In the finance sector there is significant focus on third parties. Supply chains are a necessary part of today's world, and are seen as part of the mitigation of risk. However, at the end of the day it's the owner of the relationship who maintains accountability for that risk.

Searle: Outsourcing is very much a choice and often attracts that phrase 'value added'. In some cases a company will conclude 'that's not our core activity', and supply chain management lends itself to such decisions.
People go through these phases and it's interesting to look at the impact of the economy over the past few years. Companies such as Woolworths and MFI changed their philosophy on supply chain and product sourcing in the years before they failed. It would be fascinating to unpick the decisions and see whether they made bad calls. The latter case obviously did, by choosing to dilute the quality of the product, raise prices and change their markets.
You also have to look at how the world has changed over a short period of time. Change in supply chain technology is a whole subject in itself. The size of technology, the quality and quantity of data that sits on a laptop or a Blackberry shows the change.
It's a brave decision to move away from undertaking supply chain management in-house- and then to an extent turn your back on the issues. My take is that the more successful companies haven't entirely done so. They've decided 'this is an activity I don't really want to be involved with - but I do understand the risks and I'm going to work with the supplier to create something that adds value'.

Devoy: My organisation has a particularly large upstream operation, so is focused on supply chains and key components. In the past couple of years we've devoted more time to supplier relationships. So probably we've not been getting too scientific about supply chains per se, but understanding more about what the supplier does and the issues they face in bringing a product or service to market. Then having a debate with them over the key issues - and the potential 'kinks' - in that chain.
We started a programme last year, which is beginning to focus heavily on supply chain analysis but not getting into huge detail - rather getting an overview of key issues and breaking the supply chain into two main areas. These are what the key characteristics of each supply chain are and how we use it specifically; then looking at the inherent risks of that supply chain per se. We aim for a balance between these two aspects and how we assess the risk.

Cracknell: That brings us to supply chain vulnerability. One issue that comes to the fore in recession is the insolvency of organisations. I know of a building products company where 14 significant suppliers went bust, yet it has survived through its risk management techniques and carried on its business without major interruption. What's Ace's take on vulnerability?

Wall: On the issue of the recession, late last year we carried out research with the Economist Intelligence Unit. We asked around 500 senior executives of global companies in Europe, Asia and North America what they regarded as key factors affecting exposures within their supply chains.
A surprising finding was that recession-related issues were coming to the front of the queue, replacing operational issues, which had emerged as key in a similar survey 24 months earlier. So things like unpredictability of demand - which 62% said had become a main issue - exchange rate changes (59%), energy price volatility (51%), and insolvency of suppliers (39%) were now top of the pile.
We asked about the ability of management teams to cope with these new threats. Over 50% felt their executives and board members were aware of the emerging risks, but not doing enough to combat them.
A high proportion had been able to negotiate lower prices from suppliers. But what are the consequences of this huge pressure to cut costs? We see companies cutting corners, running their equipment harder, faster and longer than before to meet demand and cost-cutting to a level where they can compete and win contracts. Another trend has been to outsource to cheaper parts of the world and move into new territories where the approach to loss prevention is potentially less well understood and also exposing their business operations to new natural hazards.

Howard: If you look at the wider context of risk management, there's an upside to outsourcing which counters the negativity. It's a global market, so organisations seek to bring together their best efficiencies. They may change their margins somewhat. They'll have a certain amount of fixed costs; once these are covered they can move their prices around. It doesn't necessarily have to involve lowering standards, and companies may win more business if they can be more nimble.

Jolly: The reason that outsourcing is there is because you're going to centres of excellence. By outsourcing to a group within that particular sector that does its job well you're almost assuring a better service for clients.

Wall: Nevertheless, there is evidence that some companies are reducing loss prevention budgets and restructuring supply chains to remain competitive - not necessarily improve quality of service.
The company you outsource too may avoid investing in installing automatic sprinklers at their main distribution centre, on the understanding that the expense may lose them the contract as they must ultimately pass that cost on to customers. So they may make a short-term decision that it's uneconomic for them to protect that warehouse; instead they'll take that risk.

Howard: Cost is certainly one example, although not the only one. For instance, with clothing you can secure cheap sources of supply provided you don't look too closely at their integrity of the supply chain or whether they employ child labour.
However, if you want to protect your brand values and maintain the integrity of the organisation you may opt to pay a little more. So cost isn't always inevitably a factor.

Agg: But it's the case in modern times. Once we considered cost and service, but efficacy and environmental issues have become a major factor. Another issue which the recession has brought out is capability. Can you get the right people with the right skills for the job? Transferring to centres of excellence, and to people who know what they're doing - providing a superior level of service - is a very positive step.

Devoy: Certainly in the downstream activities where I work we have outsourced more over the past five years, as have most companies. That's spurred us to take a closer look at how we manage those contracts going forward and develop process and methodology to identify and manage risk
We've also realised that different streams of work activities within our business are related; corporate responsibility, business continuity planning and our supplier risk programme. There are a lot of inter-relationships and we've thought hard about how we bring these different strands of work together, to optimise the streams of market intelligence information as well as the ongoing interactions with out suppliers, particularly around the audit process.
For me, that's what the recession and other elements have brought to the party - a more co-ordinated approach to supply chain risk rather than carrying out activities in silos.

Searle: We're working on a partnership basis with customers and see vulnerability particularly centred on the economy. However, "adding value" comes in many forms.
DHL has a key differentiator as a logistics provider - we looked at corporate social responsibility, such as green issues, and realised that in the current environment there isn't much on the scene to create shareholder value and attract interest. Corporate social responsibility is one issue that does, particularly in the parent's large German market. So we focus on the upside and engaging with people who act responsibly - although whether customers are prepared to pay for it is a separate issue, as this is still a relatively immature concept outside Germany. Inevitably, a number just look at the bottom line.

Cracknell: Moving from vulnerability to experience of real incidents; mundane events can interrupt supply chains. To reference an old JLT case study: we were involved with a downstream technology giant in the Nordic region and looked at the consequences of a lightning strike and minor fire at the computer chip plant owned by Philips at Albuquerque, New Mexico. It caused a major issue in the insurance market. The financial consequences were huge and it acted as a catalyst in the way supply chain issues are considered, particularly the wisdom of putting your eggs in one basket.

Searle: Many seemingly small events develop into major supply chain issues, as well as some mega ones! In the UK there are frequent cases of vehicle hijackings that don't reach the public profile. The guy that has 92 separate staged and fraudulent motor accidents makes News at Ten, but not regular incidents where thieves rip open the sides of vehicles to steal mobiles. These fraudsters tap into technology and the supply chain network, so know where goods are being transported. It's hard to identify where they access their information.
There are now minor incidents like this daily, while at the other end of the scale we have Haiti where poor logistics makes it impossible to establish a proper framework and people starve.
From a practical angle, concentration of risk is obviously the big one. A couple of years back Primark lost a major warehouse; that impacted on it significantly. The Kobe earthquake in 1995 affected the supply of chips for PCs due to a concentration of risk. Even regular events like electronic funds transfer enable opportunist thieves to attack weaknesses in the IT supply chain and, over time, surreptitiously take money from the system.
The task for risk managers is to take on board this available information and spot similar weaknesses in their businesses.

Howard: The point is to learn from these lessons and ensure they are well publicised, because sometimes you can get sidestepped into 'business as usual' mode. There are many examples you can use that really make a difference; people can then ask 'could it happen here?'

Searle: The attacks by Somalian pirates are an example. There is an alternative to transporting goods through those territories. But it's costly, so it's up to those who want the products to decide whether they're willing to take the risk and reduce their supply chain costs. Some companies have decided it's too risky.
That example has quickly morphed. No longer is it just a rag bag collection of individuals with guns. They now access a certain amount of intelligence and ransoms are being paid. That fuels the fire and they seek better targets - individuals, oil companies, even governments who they know are likely to pay ransoms.

Cracknell: It's good to talk about such incidents and the positive effects. Too often risk management is regarded in a negative light. If we can show the good effects of conducting risk management and give it a positive spin, then the discipline will have greater mainstream appeal.
Wall: There was, of course, the now infamous Scandinavian mobile phone company where the difference between success and failure hinged on maintaining good communications with key suppliers.
Another notable example involved an Italian car manufacturer. A supplier provided the group with brake balancing valves - a very small and relatively cheap piece of equipment, but one that had to be fitted into every vehicle. The factory supplying these valves suffered a catastrophic loss, with a huge effect on the manufacturer and their ability to continue supplying.
From my own experience I previously worked in the pulp and paper industry, which was closing plants in Western Europe and buying up existing ones in Eastern Europe to reduce costs. There was a rush to buy these factories, but management didn't always realise the loss prevention and cultural issues they were also buying into.
One more example; a major warehouse fire affected one of the country's major retailers, caused by problems associated in the control of aerosols.

Howard: That last example also led to new standards being set for aerosol protection though; so while painful for the company overall, the incident led to advantages for the industry.

Wall: We're learning as we go and it's a rapidly changing market from a supply chain perspective. There are many emerging risks coming through; the question is can we recognise them quickly enough before they catch up with us and cause a major loss? Ace strives to use our loss prevention engineering services to help our customers identify these potential exposures and avoid damaging losses.
Searle: There was a big reaction - and it took a long time to bottom out - by companies on the issue of composite panels. Supply chains faced huge additional costs to remedy "defects", yet they couldn't raise additional funds from customers. It took years to resolve as there were so many conflicting opinions. It involved a huge amount of money and insurance companies were pivotal

Howard: There was a knee-jerk reaction initially, which was 'we won't cover this' until it became clear that would take out the entire food industry. So instead the view became 'let's take a look at this and how people are actually managing it - what general housekeeping standards could make this an acceptable risk?'

Agg: The difference now is that inventory is focused in a smaller number of mega warehouses, with more just-in-time deliveries, which has changed the risk. The trend has been driven by the retail sector, to drive down costs. This has brought with it incidents such as Asos's problems at Buncefield. So while we might learn lessons, they can too often be lost over time as cost pressures re-emerge.

Cracknell: Possibly not enough is done to publicise the positive aspects of effective risk management when events occur. Perhaps that goes against what is regarded as newsworthy. There appears to be a move away from good news stories and a focus on the negative with emphasis on where risk management failed.
For example, a retail company that suffered an IT failure didn't know the locations of thousands of items in a large central warehouse. This had a major impact on restocking their hundreds of stores and became a big media story. It also had to be disclosed to the investor community, so bad news spread further.

Jolly: Without commenting on specific cases, I feel the impact has generally been positive. It has made us look more closely at our third parties and understand how they impact organisations, although I agree lessons learned can soon be lost again. Our role is to ensure that it stays top of peoples' agendas.

Cracknell: Perhaps we need more by way of British risk management-related standards, so companies raise their game.

Wall: At Ace we've seen a trend towards cutting budgets allocated to security and maintenance staff. Yet many losses come from kids breaking into an unoccupied site and setting fire to combustibles stored close to buildings. That's a regular loss event - a simple one, but nonetheless causing problems.

Cracknell: We've mentioned that different organisations look at supply chains in different ways and that it's not always regarded as a boardroom activity. So what are the key challenges going forward? At JLT the supply chain studies we carry out with clients show that a major difficulty - particularly with FTSE 100/FTSE 250 companies - is getting to the right people to address the issues.

Jolly: The key challenge lies in understanding the chain from both an upstream and a downstream perspective, and the impact on you as a company. Does that service involve data confidentiality and integrity issues? What's the availability; if they're not there can you do your job? If you can't have products delivered, then you can't sell.
From understanding the impact of the supply chain, then work out how you manage and mitigate risks. What levels of due diligence do you want? What's your risk appetite? What sort of business continuity plans do you have, and what do you expect your suppliers to have? When you've contracted to a supplier, who has he outsourced to in turn? So tightening up the contracts is a key issue.

Agg: The fundamental word is 'communication'. Do I know whether my supplier has problems? Will he tell me? This brings in trust issues. Free availability of information - which, for example, allows Sainsbury's to see over Heinz's supply chain - means there's much greater supply chain visibility. The logistics provider is at the heart; able to look both upstream and downstream.

Howard: On another point, when you carry out a scenario analysis how many 'stupid' things do you take into consideration? For example, would you have imagined the Gate Gourmet episode having such an impact on BA?

Agg: This past winter is another example. A small amount of snow stops the whole country. Did we have enough salt? Probably. Did we always know where it was situated? No chance! And no-one seemed able to get a process going of getting it to where it was needed.

Howard: You had similar issues with the oil refineries blockade. There was only a few days' supply available, which sparked panic buying.

Cracknell: Should we then have greater tolerance to events such as snowfall, fuel shortages and pandemics?

Howard: Again it comes down to the issue of communication. We're in the media age so there are regular 24-hour reports on such events. Anyone with a camera phone can take pictures - so a fuel queue immediately gets publicised.

Cracknell: It sounds as though Centrica has a good process in place for understanding and assessing risk, and a mapping process as well. Is that something that's been powerful within the senior management team?

Devoy: The challenge of raising the profile of this issue is still there. We've certainly focused on it in the past year, although we have more work to do. We're setting up a supply governance group within the business to regularly review key risks, and look at how we can exploit synergies and achieve consistency.
The other major challenge relates to resourcing. I benchmark with other organisations; in some cases one individual tries to pull everything together, while other organisations have thought more about it and invested in appropriate resource and systems.
We're still a few years from where we want to be in terms of tracking supply risk. It doesn't mean that for every high-risk supplier there's a cast-iron contingency plan; sometimes they simply don't exist. But there are various types of mitigation you can consider, from pre-qualifying suppliers to looking at internal processes. That debate now has clear visibility within the business.

Cracknell: JLT has a software application to enable organisations to track and manage supply chain risks. When a business has blockbuster products with tiered suppliers, the programme comes into its own as it extends across the supply chain, including the so-called 'invisible' supplier, who may feature in the third tier across several key products.

Agg: Although the point is that they shouldn't be invisible. That's the real weakness.

Devoy: So how to achieve that visibility? There are points during the supply life cycle, where you have increased leverage, allowing more opportunity to gain information from your partners. Risk can occur - or be identified - at numerous milestones, not just when you sign the contract. Having a conversation about the supply chain from a supplier's perspective isn't always easy; many suppliers, trying to protect commercial advantage, want to keep that information close. Building the right relationship with your suppliers is key to facilitate that debate.
Benchmark suppliers in the same category areas. It might help identify differences in the supply chain between certain suppliers in that particular category - and what potential weaknesses are inherent.

Wall: That approach requires resource and the lead needs to come from the top. The EUI survey found in many organisations those resources are lacking - 50% of respondents said they were happy with resources available to address these issues, but 50% said they were not. It's a time-consuming process to map out the supply chain and understand where those critical points are.

Cracknell: There's a good example from Baxter Healthcare, which had a major problem with the drug Heparin. They took a knock when it emerged that a supplier was producing one component in really poor conditions. This led to a huge amount of publicity when there was a product contamination issue, loss of market share and loss of shareholder value.
But you do question whether it's a step too far to go back within your supply chain and understand all of it. Take the extreme of producing an aircraft engine; a process that can involve hundreds of suppliers. Can you look at every one? That's a huge logistical problem.

Wall: The salmonella contamination that affected Cadbury's is another example. It was a major issue.

Cracknell: Are DHL's clients asking about the supply chain risk and how they can map it?

Searle: We're in a strong position. We know warehousing and transportation isn't core to our customers, so we take on their whole logistics requirement. And communication between customer and supplier is good.
From a risk management perspective we're focusing - because there is vulnerability - on ensuring that communication between customer and supplier is ongoing. Aiming to add value in the supply chain can mean that the original contract morphs and becomes unrecognisable, or quickly fails to mirror the actual activity undertaken.
So the real challenge is contract governance. In a perfect world the contract should reflect the activity, and we're spending much time and effort in ensuring that loophole is closed. Communication is vital, so everyone takes time to check 'is that what the contract says?'

Cracknell: Does Sainsbury's pay close attention to its supply chain? Or is it the case that, with thousands of suppliers, if one product doesn't make it to the shelf you're not too concerned?

Howard: As a retailer we possibly have it easier than, say, the aircraft manufacturer mentioned earlier as we don't actually manufacture products - we just buy them in. It comes back to the point of where we get that product from. If, say, Heinz experiences supply problems then we're not the only organisation affected. So we tend to look at it slightly differently depending on whether it's an own-brand or a proprietary product.
Another difficulty that has arisen is consumers' growing preference for local and regional products. We're a national company, so whereas once there would be the same things available in most stores, we now might deal with a small dairy in the West Country that produces particular yoghurt available in no more than five or six stores. That doesn't mean we can't concentrate on working with that supplier.
A key area is in working through partnerships, which requires buyers to determine who your key suppliers are. We expect them to work with us in developing contingency plans. Those suppliers' own suppliers - and so on - are still an issue, but in some areas we're lucky to have a ready source of alternative products, or alternative suppliers, available.

Cracknell: From an Ace perspective are you seeing an upturn in enquiries about supply chains and are studies being developed?

Wall: Yes, we've seen an increase in enquiries and we have products to help customers analyse their supply chains and identify potential exposures. As it's a 'top three' issue, we see that awareness at management level is increasing.
Specifically within Ace our products include supply chain mapping, and natural hazard reviews for companies that plan to move into new territories and may not understand exposures such as earthquakes they're potentially opening themselves up to. Prequalification visits review loss prevention standards at facilities our customers are considering purchasing.

Howard: The current economic environment provides plenty of opportunities for acquisitions that maybe didn't present themselves before. It may appear a cracking purchase on paper, but how well do you carry out due diligence on that particular supply chain? That's an area where some organisations perhaps don't do a robust enough job.

Wall: We present ourselves as a service, to help clients with that due diligence process. So we'll complete flood studies, look at natural hazards, review the culture towards loss prevention, the existing human element procedures and how loss prevention is managed at the site - all this hopefully before they sign on the dotted line. It's frustrating when the deal is done and you're then asked to review loss prevention standards.

Cracknell: Turning again to communication, what are the cultural issues? As an example, the earthquake in China two years ago saw a lack of information from a supplier with plant in the affected zone. The parent company resided outside the range of that earthquake, but the flow of news was particularly poor.

Jolly: Doesn't this come down to your supplier management and your relations with them? Are you being diligent in your process of meeting the right people? Do you know precisely who they are and where they are and, if so, do you talk to them regularly? It's a case of building up rapport, so it's not just a 'you're working for me' relationship but good supplier management where you're working together to an end goal.

Agg: Let's say you subcontract your manufacturing - you might be well advised to subcontract management of your supply chain as well, giving it to someone with specialist knowledge and expertise that enables you to mitigate the risk of cultural issues.

Searle: DHL prides itself on having global representation in all bar two countries. The company also has a disaster relief team - we currently have people on the ground in Haiti. They publicise that fact as it's good press, but it also demonstrates good corporate social responsibility. Not everyone can afford to have representatives in 257 different countries and that's the strength and resilience of the business! You have to be a global player to effectively manage the supply chains of global customers. As mentioned, the more you sub-contract - and your sub-contractors in turn sub-contract - the weaker the chain becomes. That's the reason for mapping your supply chain and identifying critical areas.

Cracknell: Moving on to mitigation, for many risks it's possible to achieve much through risk management, but there's still a remaining degree of exposure. If you have a blockbuster product, the values at risk are enormous. So in addition to risk management, such a business often looks to have risk finance or an insurance solution in place.
New triggers of interest that go beyond typically insured areas include supplier insolvency, IT infrastructure and network failure, either your own or a supplier's plant being closed by the regulator, faulty specification or materials, product recall including due to counterfeit product issues, risk of loss of key intellectual property rights and trade disruption.
Across all these arise 'crisis management' costs which must be incurred to get a particular problem fixed quickly and salvage the situation. You need a strong bench of advisors, from PR to legal, to give the right steer for the situation. So at the far end there are insurance solutions, but are there specific high-level risk management recommendations that we can put forward?

Howard: I'd question whether insurance offers much of a solution. It provides a backstop for a limited amount of risk, but unless you also manage the risk it's never going to provide everything you require. Many surveys are issued about risk and, of those that usually rank as the 'top ten', no more than a couple are insurable.
So mitigation needs to come from the management side. Better quality decision making comes from organisations that consider risk not necessarily only from a risk management perspective.

Cracknell: Insurance is useful to have from the profit and loss viewpoint. You've always got analysts looking over your shoulder, expecting certain returns.

Howard: Certainly it's got a part to play, but not a huge one. The key is the reputation of the company - you're looking to manage that as you see fit.

Jolly: It's about understanding the impact to you and what's acceptable to you as a company. By understanding the impact that third party has on you, you are able to plan which risk mitigation actions you wish to employ - is it through contractual arrangements, contingency planning, due diligence etc?

Cracknell: Do we think that contracts could be too loaded in favour of one party? Are risks being counterproductively loaded on those with weaker bargaining positions to the detriment of the larger organisations' supply chain continuity?

Howard: We'd obviously say not. But it comes back to the point that contracts tend to be negotiated, with operating agreements setting out how things are going to work on the ground. The contract might cover the basic details. The other area you'll look at is counterparty risk. If you're going into different jurisdictions, how will that contract stand up?

Agg: I don't know what the maturity level of risk management is as regards supply chains, but it seems to be a relatively new topic for senior managers to get involved with. They may look at what would constitute a disaster, but few scenarios that fall short of disaster. Many companies take the view that they'll look at risks when they have more time.

Searle: We said every employee needs to be a supply chain manager, but they also need to be a risk manager to some extent. Risk mapping logs all involved in the supply chain and becomes an audit tool. It ensures continuity of supply through constant refreshing and review - something the risk manager can contribute to.
Health and safety, security; all need to be put on the table as routine issues to be considered. So if they are breached someone, hopefully, puts their hand up and says 'we don't do that!'

Howard: Provided they know why they should be doing that - it's the 'would you do this at home?' approach.

Cracknell: Is sufficient investment made in mitigation?

Devoy: There's always this balance of probability versus the amount of investment put in. My overall impression is that there hasn't been sufficient investment and there's some way to go. That's not to say that you throw money at it wholesale - one way is working smarter.
Tools, techniques and templates; a toolkit is needed by which companies can assess risk and ensure it is embedded in the governance framework going forward. So there's much you can do in increasing peoples' skills to gain that awareness, even at minimal cost towards.

Howard: And of course you give people the eyes; for example this would include giving them regular briefings on competition law.

Devoy: We've started what we call a 'risk refresher' course, focused on evaluating financial issues. But there are non-financial indicators you can look out for and which can be your eyes and ears - such as contract management community and/or business continuity.
It's all down to constant reinforcement and increasing awareness. It's about tracking or reporting where issues have come through and how you've dealt with them. And it's about consolidating learning into best practice, so if somebody learns to do something right in one part of the business then let's share it with others.

Cracknell: Do we spend too much time worrying about major events at the expense of the smaller, more likely ones?

Wall: There's a tendency to look at the largest exposures. Going back to communication, we mentioned the seemingly huge task in establishing relationships with vast numbers of suppliers, the suppliers of those suppliers etc.
That misses the point. The first task is to identify key players in the supply chain and concentrate on these few individuals and those relationships. Mapping the chain and understanding what can hurt you allows you to concentrate resources on those critical areas. When you find a weak point, establish relationships with potential alternative suppliers. And if other suppliers are limited, ensure that you've literally done everything possible to engineer that risk out - automatic fire protection, 'best of class' human element procedures etc.
But it's not always the obvious major events that can cause problems. I once worked with a customer where a component of one of their most profitable products was manufactured in a small building with very low property values. This was where they made the printed circuit boards for the finished product, and it was a highly specialised manufacturing programme not duplicated elsewhere within the organisation and with no technology enabling it to be replicated.
A small fire in that building wouldn't register as a big ticket issue from a property damage standpoint. But the potential downstream business interruption was catastrophic. Once they identified the exposure, they duplicated that facility to ensure a reliable supply.
The key is to go through the supply chain and highlight all aspects that could have a significant impact - be they major warehouses or small, single-source production facilities.

Cracknell: An example of mitigation I came across was in the pharmaceuticals sector. One particular key component for a life saving drug, selling for a few dollars, comes from a sole source in the US with long lead times to reinstate should the facility and process be destroyed. The company mitigated the risk by buying three years' supply and maintain a rolling stockpile to ensure that that ingredient is always available. So there are ways and means around supply chain risk, and inventory building has a role.

Agg: It plays a significant part - pharmaceuticals and also aerospace are key industries in this respect; prepared to finance inventory where other less profitable businesses are more reluctant to.

Cracknell: Turning to the economic outlook, the next few years will see the financial squeeze continue. We can expect the more frequent issues to continue, such as strikes affecting the transport systems and there will probably be more bouts of severe weather. I see these factors arising in the supply chain. You know in theory they'll only last days and we can live with that - but anything more significant will cause problems. What do you see coming up on the horizon?

Devoy: In our sector - and several others - there are continuous commercial pressures on businesses to open up to more outsourcing, and thus a greater focus on supply chains and how risk is mitigated. The challenge going forward is what organisations need to do, from a framework and methodology perspective, to get the supply chain risk agenda hard-coded into their DNA?
There's a balance in doing that the right way and in a smart way, without also increasing costs. Equally if you went back to your board and said 'risk is a big issue - I want half a million to sort it out', there is likely to be a reaction. There will always be ongoing debate over risk versus mitigation - and the likelihood of failure.
It feels as though the focus on supply chain management and risk has taken on a new emphasis in recent years. It also seems that in many organisations the subject is sitting outside the main risk framework. Organisations will have to work hard to ensure it is identified and embedded as part of overall risk governance.

Agg: It's not just the big things that happen infrequently, it's also about small everyday things such as congestion. There's a danger that under constant pressure, cutbacks in public funding and poor investment - because there won't be much available for maintenance - the basic infrastructure we rely on will deteriorate badly. If and when we pull ourselves out of recession this could crumble even more quickly.

Howard: As a London cyclist, I'm already well aware of the problem! But stuff always happens - there will always be things occurring that, by and large, industry will be deal with. But specific issues such as population growth and energy security will inevitably have an impact.
But they're the big picture items. Another issue with significant impact - and which could prove quite revolutionary in managing risk and supply chains - is the use of open source software. We haven't really even begun to contemplate the potential issues that could emerge from using some of these shareware solutions.

Agg: The collaboration issue will also have much more of a significant impact.

Jolly: Outsourcing will increase because of the nature of where we are today, as it cuts costs and mitigates risk on multiple levels. But it will be subject to greater scrutiny than before due to recent events.
The key is that magic word 'culture'. As mentioned, we should all become risk managers in understanding what risk is, its impact and in ensuring you have the required governance to escalate that, so those who are really accountable for the service understand when risk may be realised.

Wall: Protectionism is another issue we hear about with increasing regularity. If you're a global company, there are potential exposures caused by countries battening down the hatches to help local businesses. The G20 has set out anti-protectionist guidelines, although a recent survey by Global Trade Alert identified that many members break them almost daily.
Fuel price volatility is another issue. Every $50 on a barrel of oil can impact the bottom line by about 3%. Predictability of demand is another key issue - are we coming out of recession or not? Will we face a double dip recession, or just grind along with limited economic growth for some time? People don't know what the demand for their products will be; this has huge implications for decisions taken now to re-engineer supply chains.

Searle: And they are ultimately driven by customer spend. If that spending stops there will be a decline in demand for the supply chain. So much depends on how the global economies develop or stall.

Cracknell: So supply chains are getting more complex and we see a move towards external centres of excellence. Good risk management should generally get organisations through, but despite this there will inevitably be difficult and damaging events. The concept of total 'security', in the supply chain in the broadest context, is not economically viable for most businesses but we must undertake due diligence.
We mentioned risk assessment processes and risk mapping benefits. Where possible, the closer businesses get to their relationships with suppliers the better and the ability to hold on-site audits is an ideal much more powerful than self-completed supplier questionnaires.
The mitigation discussion raises the issue of whether we invest enough. We cited cutbacks on fairly simple things that can lead to a lowering of standards. Arguably, the further that the corporate social responsibility agenda and ethical considerations can be pushed, the better.
We questioned some contractual issues and long-term thinking in this respect. Too often the burden is placed on one party over another, according to the size and scale of the organisation.
The idea about building supply chain resilience 'into the DNA' and embedding this whole process into the local framework is important. What's worrying is something bolted on that doesn't quite fit into the main framework.
Culture, collaboration and building relationships came out as important, so if things go wrong you're better positioned to deal with it. Communications are key - getting dialogue flowing and being more open, although where the protectionism issue arises, this threatens to slow this down.
Overall, we've recognised that a host of issues must be dealt with simultaneously if you're really going to manage your supply chains effectively.