The Nexus of Supply Problems, Part Three: Executing a Supply Chain Risk Management Process

Prioritizing risk shouldn’t be an ad hoc process. Just as we discussed how lower-tier suppliers can sometimes prove pivotal to an entire process once every step in the chain has been analyzed, so too we can take a data-based approach to examining which steps in the chain could have the greatest impact on a business should calamity strike — and ideally, conduct cost comparisons as well, so decision makers can understand what’s best for their bottom line.

Take Sony, for example. In 2011, a major breach in the PlayStation Network, which linked to the popular PS3 game system, cost the company some $170 million to fix. Execs took the whole system off-line, brought in forensic analysts and offered customers free games and identity theft protection, according to Computer World magazine. Fast forward three years, and another data breach, this time targeting the motion picture arm of Sony’s mega corporation, flooded gossip rags with days’ worth of fodder about the inner workings of the studio.

The first hit has been tied to a lawsuit the company brought against an American hacker, while the more recent incident, from November, looks like a North Korean attempt. At least one expert has said that the breach was so sophisticated, 90 percent of the Internet’s defenses would have probably been just as vulnerable. But it has also raised questions as to how seriously Sony takes the confidentiality of data, given that major hacks occurred just a few years apart.

Clearly, data security is a major potential problem in the supply chain that Sony uses to bring entertainment of various forms to customers. While the firm spent $170 million to mitigate the 2011 attack, the 2014 version begs the question of whether the company was shortsighted in not spending even more — and eventually lost out a second time.

Truth is, there’s no perfect system. But planning can make all the difference.

“The unfortunate reality of today’s complex global marketplace is that not every security compromise can be prevented beforehand,” writes Steve Durbin, managing director of the Information Security Forum (ISF). “But being proactive now also means you, and your suppliers, will be better able to react rapidly and intelligently when something does happen.”

In previous posts we’ve discussed how to adopt an SCRM program, and how to get started. It takes some effort, such as evangelising to make sure everyone is on board. But it’s all about making informed choices. Thorough, thoughtful analysis of a chain, be it one delivering data or physical goods, allows management to assess the cost of risk, and decide where to invest to head off the worst — and how to plan for the inevitable.

Take the Sony example. One story suggested that the company had let go some security personnel in between breaches. We don’t know why that occurred, but consider a firm that might, for example, need to shrink payroll and decide IT security has some extra positions. A supply chain risk assessment might have found that keeping a few more employees would have been worth it in the case of a costly hack attack.

Which would you rather be — a Sony putting out multimillion dollar fires, or a Nissan lauded for smart planning in a crisis?

The Nexus of Supply Problems, Part Two: Understanding What’s At Risk

Lower-tier suppliers in your chain can pose unexpected risks, and those risks may lie in unexpected places, as we discussed in our previous blog post.

But let’s also talk about the other end of that equation — the fallout to your business, and your business’ reputation, when those risks are allowed to occur.

First, your brand and reputation can suffer. Imagine if you’re Apple, and there’s a problem with the second-tier supplier that provides key components for a cell phone, which are then shipped to another factory that builds the actual phone, then ships it to American consumers. Customers start complaining that their new phones don’t work, and suddenly a very high-profile company has a very high-profile problem that could severely damage its reputation.

And it’s not just physical goods that can suffer hiccups enough to damage a company.

  • Automated inventory systems: These systems can form the crux of a supply chain, but if the second-tier supplier who makes the software miscalculates, it can lead to major business failures. Some of the biggest supply chain disasters were tabulated by Supply Chain Digest in 2006. While almost a decade old, the lessons still stand — firms from Toys R Us to Nike and Adidas took severe hits to their reputation. They needed years to recover in some cases, if they recovered at all.
  • Customer data profiles: Many mid-sized or smaller firms have a third party process online orders, for example. If that third party has a data breach that compromises buyers’ private information, it’s the original company that has to break the bad news — and take the hit to its brand and reputation. This could come from a hacker, from malware, from intentional or unintentional breaches — anywhere there’s a weakness that can be exploited. According to Information Age, “55% of the 2,000 respondents stated that they were ‘not at all likely’ or ‘not very likely’ to do business with an organisation that had suffered a data breach involving credit or debit card.” Not all breaches involve payment information, but that’s an example of the potential impact.
  • Local crisis: Congolese mining firms that violate human rights, or an Asian firm that pollutes the environment, could cause major reputational headaches for Western companies, enough to negatively impact their reputation and brand. “Suddenly, you are an unknowing criminal in the web of globalization,” writes one executive. This may come from not fully vetting lower-tier sections of the supply chain.

And most firms aren’t prepared to deal with these kinds of potential issues throughout their supply chain, according to a 2013 study by MIT and PriceWaterhouseCoopers. They found that 59% of firms surveyed had “immature” supply chain management. Maturity is based on seven categories, quoted below:

  1. Risk governance;
  2. Flexibility and redundancy across the value chain;
  3. Alignment between partners in the supply chain;
  4. Upstream and downstream supply chain integration;
  5. Alignment between internal business functions;
  6. Complexity management/rationalization; and
  7. Data analytics.

Companies that had made those assessments suffered profit dips of less than 3 percent when a problem arose.

A positive case proves the point too. Nissan could have suffered a major blow after a historic earthquake hit Japan in 2012 and shuttered the vast majority of the country’s manufacturing — including the firms that supplied goods to the international car manufacturer. But Nissan had analyzed its supply chain and braced itself for disruption to such an extent that it now serves as a textbook case, cited by the MIT study, of the benefits of doing supply chain analysis right, and why it’s worth doing so.

We’ve discussed what’s at stake when key nexus suppliers fail, and how it’s not just things but also data and your firm’s reputation. In a third post, we’ll discuss how to mitigate problems you do find.