Risk Insights
April 18, 2019

Managing Supply Chain Risks

A truck leaves a ferry in Portsmouth, United Kingdom, on Jan. 8, 2019
LEON NEAL/Getty Images)

With the launch of Stratfor Worldview Enterprise, business leaders from a variety of backgrounds share their opinions on geopolitical risks and business strategies.

In this column, Kenneth Senser shares his experience and perspective on managing supply chain risk. Senser established Senser Consulting Group LLC in April 2019 after his retirement from Walmart. He is a subject matter expert in a variety of disciplines, including leadership; security program governance, structure, operations and effectiveness; crisis management; and organizational and personal resilience.

Starting and operating a business is difficult. This is particularly true for a small business. According to the U.S. Small Business Administration, roughly half of all establishments will fail within the first five years of operation and two-thirds will cease operations within 10 years. The reasons for business failures are varied.

Poor supply chain management is one factor that contributes to business failures. The supply chain is composed of many elements that function, in combination, to take raw material or information inputs and develop these into products that are delivered by a business to its customers. The specific makeup of the supply chain can be unique to different industries or businesses.

However, one commonality across all supply chains is that there are key elements within the chain that, if not appropriately protected, add risk to the business. Therefore, when considering all the different ways businesses might fail, experienced leaders manage risk within the supply chain, enhancing the probability that a business will not only survive, but thrive.

Assessment of Risks in the Supply Chain

Before you can manage supply chain risk, you need to identify where it exists. This is accomplished by conducting a risk assessment. The first step in the risk assessment is mapping the complete supply chain.

The supply chain will vary depending on the specific industry and business. Start with a comprehensive mapping from the acquisition of raw materials or the development of the initial intellectual property and trace the processes all the way through the delivery of the final products to the customers. This is often the most difficult part of the assessment and can appear overwhelming at first.

If the supply chain map is too large or complex to tackle in total, you can break the flow into logical parts for assessment. There are often points in the flow that serve as natural breaks, such as material or product hand-offs to different vendors, unique manufacturing processes, or movement of goods or information via traditional transportation modes or information technology networks.

There are a number of risk assessment methodologies in use by businesses and governments. Any methodology with which the organization is comfortable can typically be applied to the supply chain risk assessment.

Essentially, risk assessment methodologies all have a similar goal. That is, to identify the likelihood that an asset will be lost or compromised, and if that occurs, to identify the impact suffered by the organization.

To successfully conduct the risk assessment, it is necessary to understand the reasons that an asset could be vulnerable, the types of threats to the asset, who is threatening the asset, the probability that the threat will be successful and the value of the asset to the organization.

Application of these factors to the various supply chain elements and the flow of materials or information through the chain will allow you to identify and prioritize concerns. The assessment will also highlight where the continuity of the supply chain could be compromised from different hazards, such as a natural disaster, geopolitical upheaval or the scarcity of raw materials.

The ultimate goal of the assessment is to provide business leaders with a decision-making framework. Understanding what the business stands to lose when facing likely loss scenarios allows leaders to invest an appropriate level of resources to mitigate the potential loss.

Risk Mitigation

The organization can consider many ways to lower the supply chain risk and improve the chances that a business will successfully deliver to its customers what it promised. The universe of potential actions includes, but is not limited to, ensuring that there has been an effective due diligence process applied to crucial business partners or vendors; that contracts and purchase orders appropriately define expectations for quality, timeliness, cybersecurity protections and business continuity measures; that manufacturing facilities, warehouses, transportation modes and distribution channels have effective physical security countermeasures; and that threats from "trusted insiders" are understood and addressed.

Businesses can also engage in procurement practices such as "blind buys" to lower the risk of supply chain compromises. When conducting a blind buy, the supplier has no idea who is purchasing the materials and has no incentive to compromise them. These types of measures are only necessary in high-security contracting environments and typically are used to protect against nation-state adversaries or other sophisticated threat actors. Mitigating supply chain risk in high-security environments, such as with U.S. government contractors, can be particularly challenging.

The alleged compromise of Supermicro server components publicized in fall 2018 is an excellent example of a potential vulnerability that is beyond the capability of most businesses to mitigate. Efforts are underway to utilize various technologies such as blockchain to improve security within the supply chain.

There are also process-related and regulatory approaches to managing supply chain risk, such as the Customs-Trade Partnership Against Terrorism (CTPAT) and corollaries within other countries, including the authorized economic operator (AEO) schema. Both CTPAT and AEO serve as public-private partnerships between governments and the international trade community. Through collaboration, the international supply chain is strengthened, and security processing time is reduced at ports of entry.

Conclusion

A chain is only as strong as its weakest link. The same is true for the supply chain. A thorough supply chain risk assessment will help a business identify potential weaknesses, allowing it to develop and apply mitigating action. Mapping the supply chain, conducting a risk assessment and applying mitigating strategies is not a one-time event. Effective management of supply chain risk requires constant evaluation and vigilance.