Matthew Horrox, Director, Continuity Strategy, explores a range of strategies that can help organisations better manage supply chain business disruption risks.

2022 is proving to be a challenging year for businesses. Whilst many firms are enjoying greater demand in the wake of COVID-19, they are struggling to meet that demand due to a series of supply chain dislocations – which means their business is being disrupted, lead times are lengthening, costs are rising, customers are frustrated and executives are under stress.

As economies bounce back from COVID-19, the demand for goods and services has surged. This should be a good news story, but this is happening at the same time as supply is disrupted like never before. The war in Ukraine and associated sanctions on Russia have resulted in all kinds of issues, not least, global energy and grain shortages – as well as sky-rocketing costs.

The long tail of COVID-19 still has a sting, with infrastructure providers (including ports and airports) experiencing staff shortages following redundancies and the Great Resignation. If this wasn’t enough, firms are having to grapple with strikes and labour disputes in the wake of below-inflation wage settlements. And, all this is on top of new trade frictions imposed by Brexit. No wonder many firms are struggling.

Organisations that are resilient are better able to anticipate, monitor, respond and adapt to, and then recover from, all kinds of dislocations, including supply chain disruptions. Never has the case for organisational resilience been made more strongly than in the last few years and never have resilience programmes been tested more robustly.

What factors drive supply chain risk?

It’s not just about ‘events, dear boy, events’, although external events are a major contributor to supply chain risk. No, there are a number of facets to it, many of which are within our control; recognising that is the first step to managing risk effectively and bringing a degree of control.

Firstly, there are the decisions we ourselves have taken that have increased our supply chain risk. Many organisations have, over time, outsourced more and more – be it the manufacturing of core products or the provision of key support functions and process steps. This has become normal and is indisputably a necessary strategy to remain cost competitive. But, in doing so, we have increased our dependency on third parties.

Oftentimes, as we have outsourced functions or capabilities, we have done so entirely with no retained in-house capability or knowledge. We have sought to create a streamlined just-in-time production model, with deliberately minimal slack in the system, which in days gone by might have been available to absorb shocks. We have rationalised our supplier bases, introducing concentration risks – both geographic concentrations and placing too much dependency on single large suppliers.

As we have done these things, in the name of efficiency and cost-saving, we often haven’t really understood, let alone managed, the risks. Risk management has been seen as a box-ticking activity, not something integral to strategy and decision-making.

All too often we have not considered the best supply or outsourcing strategy. We have not undertaken due diligence on critical providers we will later be entirely dependent on. We have placed feeble or no obligations for resilience and continuity in our contracts. We do not have – let alone manage – service level agreements and key performance or risk indicators.

We do not work with our suppliers to conduct audits on their operations and in many cases we don’t have audit rights set out in our contracts. Our business continuity teams don’t get involved with our suppliers, critical or otherwise, focusing instead exclusively on the internal parts of the organisation, rather than the full, extended operation. And, despite this internal focus, often we don’t have continuity plans in place for supplier failure – placing the expectation entirely on our supplier to manage the disruption.

Then there are the risks that our suppliers bring to us. While inadequate cybersecurity or ESG risks are well-focused on, resilience or business continuity failures are often not. Risks can arise from poor financial health or the decision-making of the supplier; under-investment in systems, premises and equipment may in turn lead to outages.

Risk from high staff turnover and absence rates, or reputational considerations resulting from poor employment practices, could impact on our business operations. Or, our supplier(s) themselves could be dependent on a fourth party, perhaps one that we are unaware of.

And finally, there are events. These are often triggers for an outage and may be global events such as wars, natural hazards or pandemics; alternatively, something much more localised such as a flood, fire, accident or terrorist incident. But, as I have argued, events are only a constituent part of supply chain risk and this should be reflected in the controls we put in place.

How can we effectively manage supply chain business disruption risks?

Firstly, it’s necessary for firms to acknowledge and understand that they have supply chain business disruption risks. This sounds obvious, but very often, risk registers are light in this area.

While we might generally acknowledge supply chain risks or business disruption risks, most firms cannot say exactly where their supply chain business disruption risks are or how effectively these are being managed. Awareness and knowledge are key. Associated with this, organisations need to understand and accept that events happen and should therefore be mature about this.

Suppliers will fail, supply chains will become disrupted. This needs to be acknowledged when a decision is being made to outsource something. Disruption is a fact; it cannot be controlled directly. However, organisations can control how ready they are to manage foreseeable disruption scenarios. To this point, it is necessary to build a framework and capability internally to anticipate, monitor, respond and adapt to, and then recover from, both short term and permanent dislocations. You cannot outsource the management of risk.

The good news is that the 80/20 rule often applies to risk management – much of the risk comes from a small number of critical suppliers or contracts and, therefore, by focusing we can efficiently and materially reduce our exposure. To focus, we first need to understand our business. This sounds easy, but many firms don’t distinguish between high value suppliers and suppliers that are critical. We need to know what we are dependent on and which third parties are critical. We need to know what the most impactful failure scenarios would be. By doing a bit of analysis up-front, we can target our efforts and work much smarter.

An interesting consideration is the supply/demand characteristics of products and services we provide and the characteristics of the input components they depend on. In the event of an incident, will our product be in greater demand (people want more and want it quickly) or will demand drop off rapidly? Insurance claims management is an obvious service in high demand immediately after an incident, while, depending on the scenario, demand for travel might drop away. This understanding should inform our supply chain disruption risk management strategy.

When the time comes to decide to outsource a particular process or let a contract for supply of product, it is important to have a sourcing strategy. Firstly, and most importantly, we need to answer the question: Should we outsource at all? After all, lower cost doesn’t always mean best value. Have we considered the resilience/efficiency and control/efficiency trade-offs? Perhaps a dual source arrangement with (some) retained internal capability is best.

Then we need to consider geographic and concentration risks. Sometimes shorter, more local supply chains, with fewer nodes, bring less risk.

Another cliché, but also often very poorly done, is to work closely with critical suppliers. It’s a partnership after all – or it should be. Building trust requires engagement and clarity of communication about expectations and problems. Supplier relationship owners need to have good lines into their supplier to solve emerging issues together. The introduction of SLAs, KPIs, KRIs and governance meetings can have a material effect, provide valuable foresight and build response and adaptive capabilities.

Then we need a plan. If we were to suffer a dislocation, what is our plan to respond and manage in the short term and longer term? Short term, we may be able to switch from supplier A to B or bring some key tasks back in-house. Or, we may be able to absorb a shock through the erosion of inventory or stock, but only if we have taken the decision to run with a buffer stock of critical inputs and/or finished product.

To get an optimal resilience/efficiency trade-off, we need to determine the level of inventory we need in the system, where it should be held and our capability to rapidly divert resources or stock around the world. In short, we need to build an elastic organisation capable of absorbing and adapting to shocks.

For permanent or longer-term disruption scenarios, alternate suppliers of critical services or products should have been identified, with their readiness/capacity to step-in kept under review and contracts warm and ready to go. To facilitate a rapid switch over, all the necessary knowledge, specifications, how-to, systems and data need to be held in-house and ready to be transmitted to the new supplier.

Crucially and finally, effective supply chain business disruption risk management requires a positive risk culture as well as foresight, insight and hindsight. It requires foresight into emerging problems to allow early mitigation. It requires insight to know what’s important and where to focus. It requires honesty and transparency and a constructive approach when things start to go wrong. And it requires hindsight to enable learning and continuous improvement.

Building resilience into the supply chain

In summary, managing supply chain business disruption risk is about taking a mature and a pragmatic view of the organisation and the world around us. It’s about accepting that disruptions occur and being prepared for when they do.

It’s about building an elastic organisation, particularly for the delivery of critical services and products. It’s also about monitoring risks but, most importantly, acting early and deploying tested strategies to absorb and adapt when necessary.

