Emergency Notification • Incident Management
Overcoming Operational Glitches:
Recovery is a Competitive Capability The need to design and plan for supply-chain risk mitigation and recovery, and how to go about it Professor Alan Braithwaite, Cranfield University and LCP Consulting
NS
Recovering From ‘Glitches’: Recovery is a Competitive Capability
Introduction About the Author Professor Alan Braithwaite, Cranfield University and LCP Consulting Alan has been working with Cranfield’s Centre for Logistics and Supply Chain Management since 1987. He is widely published, and a regular speaker at conferences around the world. He is also Chairman of LCP Consulting, a leading independent consultancy in supply chain and logistics, which he founded in 1985. LCP Consulting provides supply chain design for optimum planned performance and for resilience.
Table of Contents 1.
Introduction
2. The Global Economy and the Implications of Extended Supply Chains 3.
Introducing a Supply Chain Risk Management Framework—Design for Resilience and Mitigation
4.
Supply Chain ‘Glitches’ Destroy Shareholder Value
5.
Case Studies of Supply Chain Risks: What We Can Learn from Experience
6. General Principles of Risk Mitigation and Recovery
© Copyright 2008-2011, LCP Consulting and MissionMode Solutions. All rights reserved.
The old management adage goes, “Failing to plan is like planning to fail”. But in today’s volatile and interdependent economy, even the best planned and organized companies are being caught by events that are beyond their control, or which are the result of plans and designs not working as expected. These events are sometimes referred to as glitches, which on occasion may be a euphemism for an incident or full-scale crisis. Long before the birth of the Internet, Marshall McLuhan coined the term ‘global village’ to convey the power of communications around the world. Today we take that for granted and the commentary has moved on to the inter-dependence of the global economy. Companies, organizations and communities are profoundly vulnerable to all manner of events that are outside their immediate span of control. Increasingly, the term ‘supply chain’ is being used to describe these extended links and dependencies. Until recently the effort to manage these extended chains has concentrated on achieving better stability. But the increasing rate of experience of shocks, surprises and unpredictability has added supply chain risk management and recovery to the boardroom agenda. Boards’ obligations of corporate social responsibility and compliance (CSR) are bringing into sharp focus the requirement to design operations for improved resilience. But anticipating and designing out vulnerability is not enough; the unexpected still happens. Based on the proven correlation between supply chain ‘glitches’ and shareholder value, companies are now also planning and designing a structured approach to recovering from shocks, which cannot all be mitigated by design. And supply chain incident and crisis management is not restricted to physical goods organizations; all industries now have labyrinthine dependencies, which are the result of new business models and technology. Investment banks rely on pricing and trade data feeds, other financial institutions rely on third party product distribution channels. Service providers rely on third parties to contribute service components. Port and airport operations depend totally on the seamless interaction between many companies. Complexity and dependency is so high that disruptions, large and small, will happen. Recovery is therefore a capability and the speed of recovery is a competitive advantage. The maxim is becoming “in future we must anticipate the unexpected”. The capability must be in place to respond in real time, without a full prior understanding of the specifics of the event and its impact. This white paper draws on established case material and supply chain risk management principles to show the need to design and plan for risk mitigation and recovery and how to go about it.
Page 2
Recovering From ‘Glitches’: Recovery is a Competitive Capability
Business success may depend on a process to deal with events that cannot be designed out and for which the full impacts cannot be anticipated or predicted. Response and recovery in a global business involves parties working remotely to a common process with fast communications, ensuring consistent information and actions on short lead-times. Boards now recognize that their supply chain is their business and external dependencies and risks are built in at every step. Since it is impossible and very costly to plan and design for every contingency, recovery is a strategic capability. Key to successful recovery is the ability to communicate seamlessly throughout the supply chain.
“If a man presumes certainty, he shall end with doubts, but if he will be content with doubts, he will end with certainties”. Francis Bacon 1561-1626
The Global Economy and the Implications of Extended Supply Chains The global economy for world merchandise trade has been expanding at a rate that is between 2 and 4 times the rate of GDP. The figures from the WTO are illustrated in Figure 1. (i) Figure 1: Growth in the World Merchandise Trade
It has been one of the most pronounced and remarkable economic trends of the last 40 years. It has both fueled and enabled the growth in GDP of most developed countries. The risks and rewards of this change have been the subject of increasing academic and journalistic analysis and commentary from a variety of perspectives.
Page 3
Recovering From ‘Glitches’: Recovery is a Competitive Capability
Rosabeth Moss Kanter (ii) identified that communities develop a critical mass of capability to take leadership in specific industries where the symbiotic connections of education, culture, research and commercial skills build a powerful platform. These communities then feed on their success. She introduced the idea of the three C’s: concepts, capabilities and connections. Competitive advantage is about being able to initiate leading concepts: have the capabilities to deliver them: supported by the connections from an extended network. These connections enhance the core capability with skills that do not exist inside the firm or organization itself. Implicit in this simple idea is that the skills required to be successful are so diverse that no one organization can sustain them at the required level. In simple terms, a business is its supply chain – the dependency on others is total: covering relationships with government, regulators, education, research and suppliers of products, services and logistics. This extended chain has been identified by many authors as being a major source of risk to sustainable business performance. Braithwaite and Hall in 1999 (iii) pointed to the increasing awareness of vulnerability arising from anticipating the millennium bug. Recent work at Cranfield on supply chain risk and vulnerability (iv) created Figure 2, which highlights the risk profile of the extended supply chain. Every link is liable to fail and, even through the individual statistical probability is very low, the impact of such a failure cascaded through the supply chain may accumulate into a major disruption further down (or up) the line. Figure 2: Risk is present at every point in the supply chain
The economic dependence of a business on its suppliers is massive; the rule of thumb is that external purchases for materials, components, services and indirect supplies are 55% to 60% of revenues. In some cases this will be very much higher and can exceed 90%.
Page 4
Recovering From ‘Glitches’: Recovery is a Competitive Capability
The drive for globalization has been driven by the development of low cost sources of supply, giving significant economic advantage to buyers; they have been able to increase profits directly or reduce prices in order to drive market share, volume and hence profits. The consequence of this dash for lower cost has been to increase the endemic risk profile in the supply chain. Supply chain theory has its roots in industrial dynamics and control science which shows that extended response times create an intrinsically less stable system. Cutting lead times is good, extending them is bad. The implication of the growth shown in Figure 1 is that less and less business is purely “local for local” and risk will increase. The supply chain risks of global sourcing have now been widely discussed; Wilding and Braithwaite at Cranfield (vi) and Sheffi (vii) at MIT provide useful references for further reading. In essence, the conclusion is that the dollar value of international sourcing is compelling but the risks can be substantial and may not always have been addressed. Figure 3 illustrates the greed-to-risk relationship; the financial motivation has generally been the winning driver in strategic terms. Figure 3: The greed-to-risk relationship
It is wrong, however, to think that risk is exclusively associated with global sourcing and trade; rather it is global sourcing and supply that has brought the issue into sharp focus. The underlying theme is burgeoning complexity in our supply chains. For example: • Channels of customer demand with internet trading and e-fulfillment expanding rapidly alongside heritage routes to market • Product and service variety increasing exponentially and creating, in turn, additional complexity and risk arising from conflicting demands on capacity • Outsourcing of logistics and supply, with companies engaging a wider variety of services • Consolidation and specialization of sourcing and supply taking place to secure economics increasing, irrespective of whether it is off-shored or global
Page 5
Recovering From ‘Glitches’: Recovery is a Competitive Capability
Introducing a Supply Chain Risk Management Framework—Design for Resilience and Mitigation The economic pressure described in the previous section is inexorable; it is forcing companies to increase customer choice and service while at the same time reducing cost. The question is how does a company assess, internalize and mitigate the associated risks? Work at Cranfield on behalf of a British Government Department (v) developed a classification of the types of risk to which a business is exposed. Risk was classified into those external to the firm, through demand, supply and environmental factors, and those which are internal, and potentially self-inflicted, through processes, controls and lack of risk management. This concept is illustrated in figure 4, which contains a brief description of the types of risk in each segment. Mitigation is the most crucial segment in this model since it introduces the idea that risks can be identified and managed, down if not out, through design of the chain and the way in which it is set up and operated. A workbook was created to support the process of identifying risks and is a helpful resource in this process.
Figure 4: The dimensions of supply-chain risk
The workbook invites management teams to consider their supply chains in a structured way in order to identify their risks and vulnerabilities in terms of the scale, cost, duration and recovery actions that would be needed should risk turn to reality. This provides a cost and time estimate for each potential failure irrespective of its probability which, by definition, is low. Alongside this estimate the process invites the team to consider the mitigating actions through which they can design out the risks together with the costs of such measures.
Page 6
Recovering From ‘Glitches’: Recovery is a Competitive Capability
There are a number of important insights from such work that are somewhat counter-intuitive. • Mitigating measures tend to converge for a number of risks – doing some things differently will catch a lot of the potential problems • The cost of these measures is often very small and certainly insignificant in relation to their consequences, were they to occur. So this is about organization, governance and careful planning in order to have the benefits while reducing the risk • The consideration of probability is a natural tendency but totally unhelpful. The probabilities are, by definition, very small; otherwise they would have been designed and managed out as ‘known issues’ • In the terms of Donald Rumsfeld, we are interested in the ‘knownunknowns’ and the ‘unknown-unknowns’. A good process of discovery can help to turn many of these into ‘knowns’ where mitigation and responses can be planned; they may be remote but they are more predictable than was originally thought • This means that the self honesty of the process is critical to its success and, in the context of any organization’s power vortex, is difficult to achieve • Even when many unknowns are converted to knowns, there will still be events that cannot be anticipated; it’s wise to have a robust recovery process to deal with them as they arise, which is also mitigation Given the evolution of tools and structures, it’s clear that failing to plan is like planning to fail, and in the future, we must anticipate the unexpected. The questions that arise from the analysis so far are: • What do glitches really cost? Is it worth the effort to plan for them? • What can we learn from the experience of others? • What general principles can be drawn from those experiences? • How should a company organize to be able to recover from problems? • How can the MissionMode platform with LCP’s expertise support accelerated recovery?
Supply Chain ‘Glitches’ Destroy Shareholder Value Glitches cost a lot more than might be imagined. The impact can be huge as experienced in terms of share price and shareholder value. These events also hit executives’ bonuses and share incentive schemes. At the extreme they are career limiting. The basis for this statement is provided by some formative research by Singhal and Hendricks (viii) who analyzed a sample of 861 profit warning announcements from publicly quoted companies linked to supply chain difficulties.
Page 7
Recovering From ‘Glitches’: Recovery is a Competitive Capability
They coined the term ‘glitches’, which in many cases is a euphemism for a full-scale disaster. They found that announcement of these problems was associated with an 8.62% market adjusted reduction in shareholder value; if a period of 60 days before and after the announcement is included the effect is about minus 20%. This finding is illustrated in Figure 5. Supply chain problems for the purpose of their research were classified as including: parts shortages; changes by customers; ramp and roll out problems; production problems; development problems; quality problems. These so-called ‘glitches’ are occurring frequently and for a wide range of causes; it is clear that such issues are not isolated problems. They erode shareholder value to an extent that must be stomach churning for the CEOs involved. Figure 5: The effect of ‘glitches’ on shareholder value
They affect the company, customers and suppliers alike, often with serious consequences. What is more, supply chain value is perishable; any ‘problem’ will have a recovery period during which the performance of the organization is sub-optimized in terms of either or both revenue and cost. Capacity and performance is lost forever. Boards, therefore, are having to start to make more structured choices about the exposure to risk that they will mitigate through design and that which they elect to deal with ‘if it happens’. It was not always this way; the profit motive and investor short-termism has been such that “profit today” was better than “sustainability in the future”. But governance and sustainability are now the watchwords; compliance and transparency are dictating the need for new approaches to risk management. As the following examples show, the risk agenda is a matter of corporate and executive survival. The unexpected is lying in wait at every junction. “A business is its supply chain—risk and dependency is built in.” Page 8
Recovering From ‘Glitches’: Recovery is a Competitive Capability
Case Studies of Supply Chain Risks: What We Can Learn from Experience There has been major publicity for many cases of supply chain failure. Two examples from a few years ago are: • British Airways for its disastrous implementation of Terminal 5 at London’s Heathrow • Bear Stearns, and others, who lost their independence as a result of investing in sub-prime derivatives. These incidents may not immediately appear to be supply chain related, but closer inspection should change that view British Airways commissioned a new factory (terminals process passengers, not unlike chickens) and failed to test adequately and get a secure handover on schedule. As a result they have admitted that it will cost them tens of millions of £ Pounds and add to their existing profit warning which has distracted from a record profit announcement at the same time. In Singhal and Hendricks terms this is a ramp and roll out problem Bear Stearns effectively bought bad inventory in the form of mortgage securities on which there was no redress against the suppliers. In Singhal and Hendricks terms this was a supplier quality problem. Attempting to conceal the problem simply made it worse; if you keep bad food in the fridge, it eventually taints everything. In the more prosaic industrial world, the case material is building on how supply chains go wrong and their financial impact. Sheffi and Wilding documented many well-known examples from several years earlier, such as: • Ericsson losing its handset business as a result of a fire in a microchip factory because Nokia read the situation better and responded faster • The impact of the earthquake in Kobe, Japan on a range of industrial producers and the response of Toyota • The effect of a foot-and-mouth outbreak in the UK that had disastrous consequences for a wide range of industrial producers. They might equally have described the: • The catastrophic effect on Sainsbury’s supermarkets as a result of supply chain change • The impact of bio-fuel growth on food production • Land Rover losing its supply of vehicle bodies due to supplier financial collapse • Coca-Cola losing its bottled water business in the UK as a result of contamination. • $Billion write-down of inventory at CISCO in the wake of the Y2K and technology downturn
Page 9
Recovering From ‘Glitches’: Recovery is a Competitive Capability
This list could be yet more extensive as Singhal and Hendricks’ research indicates through their profit warning analysis. But these are just the events that hit the headlines and where the consequences get measured and reported. Organizations around the world are experiencing incidents and crises (glitches) each and every day; which impact on the ability of the organization to operate effectively. The challenge is to plan and anticipate better and then deal effectively with events as they occur. On this basis, Nokia and Toyota are clearly in the best in class league. In both cases they showed an ability to recover from events where disruption might have been generically anticipated but the specifics could not. Nokia recognized the event faster, understood its implications and mobilized to capture remaining global capacity of chips well before Ericsson. As a result Ericsson experienced long term interruption to its ability to supply and lost its market position Toyota rapidly engaged its network to move tools and re-start production of crucial components – losing only 2 to 3 weeks of assembly which was a gap it was able to make up. Recovery is clearly a strategic competence for which corporations should put in place well rehearsed routines and support mechanisms.
General Principles of Risk Mitigation and Recovery A series of generalizations emerge from this analysis of risk events that can be summarized in the bullets following. • Many events are capable of a greater level of anticipation for which planning and design would reduce the risk of occurrence and/or the consequences. For example: o Keeping a plant on an earthquake fault line, in a cyclone area or adjacent to a high hazard facility requires contingency planning o Ramp and roll out of products, facilities and anything technological requires appropriate project governance and control • Vulnerability is accentuated when a combination of events occurs, one of which on its own would not have caused the catastrophe but when combined were fatal o Some of these events will be the result of poor controls and operational compliance o They are easy to fix and are only a surprise because all the signals were ignored • A few events are so difficult to anticipate in their specific form that they cannot be specifically planned and mitigated: o They are usually outside the immediate control of the firm o Their consequences are generally the same as the two previous points and so the recovery plan can draw on how to correct for other consequences. Page 10
Recovering From ‘Glitches’: Recovery is a Competitive Capability
• The keys to risk management are a controlled and governed process of planning, mitigation design, rapid detection and accelerated response and recovery o These are critical capabilities covering detection, response development and managed recovery o High performance requires real time visibility and communications together with the skills to manage the situation All of these generalizations require the right questions to be asked during planning and then during the event if one occurs. The importance of developing and maintaining an integrated capability through the phases of recovery is emphasized in Figure 6. This diagram overlays response modes and horizons on the graph of the impact on share price of a ‘so called’ glitch. The timing of this overlay is not exactly right as a business would hope that detection and recovery would have been achieved and initiated at the minus 60 day point to achieve the best recovery. How should a company organize to be able to recover from problems? For the purpose of the balance of this paper, the assumption will be that the company has designed and planned for operational resilience. The main vulnerabilities have been identified to the best of the company’s ability and, where the business case justified, resilience measures have been put in place. This can be done using the framework illustrated in Figure 4 and the workbook referred to earlier. But that is not enough to ensure operational resilience; events will still happen from short term disruptions lasting just a few days to major events where the impact will be felt for weeks or months. It is almost impossible to point specifically to the likely impact of any event on the business before it happens.
Figure 6: The effect of detection, response and recovery
Page 11
Recovering From ‘Glitches’: Recovery is a Competitive Capability
For example: • An earthquake or tsunami, while a long term catastrophe for the residents, can permanently disrupt a supply chain or have an effect of only a few days • Industrial disruption can be short lived and wildcat or it can stop a particular operation for months • Quality issues can be either short term, or damage yields for long periods • Terrorist actions may take out a critical capability for good or lead to quite a short disruption. And, it is important to recognize that one operation’s disaster may be just a minor irritation for another. While normal operations and even anticipated disruptions can be proceduralized, when un-anticipated events strike there is an important shift towards free-form teamwork and collaboration. This transition can be a subtle one as the business moves from standard process to accelerated and extended collaboration (incident management or crisis management), characterized by increased communication between participants and agility in response. It is well known that when a crisis hits, communication becomes of paramount importance because only through communication can the correct actions be determined and delivered (ix). Working in a supply chain where there may be many organizations active (see Figure 2) makes communication even more important. So, organizations need to have in place a phased process and communications structure through which they can mobilize their response for the supply chain crisis management. The acronym DEDReC-M is a convenient way to remember the sequence. • Detect – identify and alert the business to an event that may have a serious impact on business performance • Evaluate – evaluate the implications for the business in terms of scale and duration in order to guide decision making and response • Decide – determine the appropriate actions to guide the business through the event and speed recovery • Recover – mobilize the recovery actions that have been decided • Coordinate – coordinate the actions of players in the chain both inside and external to the business – directing the recovery • Monitor – monitor the recovery program to ensure that the situation moves from a status of ‘intensive care’ through ‘release to normal’ The controlled transition through this phased process requires centralized visibility and direction, instant communications and rapid feedback. Since most companies are now widely dispersed across many operating locations, the process requires a “virtual” command center approach with secure and universal communications to all the players
Page 12
Recovering From ‘Glitches’: Recovery is a Competitive Capability
who may be involved. It is virtual in the sense that there is no physical location where all players come together to work on the problem. From a status of ‘business as usual’ to full scale crisis management can be a matter of minutes or hours. As described earlier in this paper, the speed of response may make all the difference to the outcome. There will not be time to bring people together in a single place and established communications methods may not be fully functioning. Indeed, people should often be located closest to the areas where they can direct the local response rather than in a remote crisis center far away from where things need to happen. It is simply unrealistic to expect that representatives from the whole supply chain can gather in one physical location. The command center needs to be able to receive situation reports from many locations under different communications modes that can be logged to provide a single picture of the situation. From this the leadership team, who may also be acting remotely, need to be able to assess the implications, determine and then direct and monitor the response across all the stakeholders.
Figure 7: The command center, using different modes
This command center approach is illustrated in Figure 8, with a combination of alerting to mobilize and collaboration to drive the response forward to a successful conclusion. The communications through the command center are crucial to the detect, evaluate, decide, recover, coordinate and monitor (DEDReC-M) crisis management process. However, the planning, testing and exercising are the first step and equally important. To manage recovery, the business must have well-rehearsed and documented crisis management plans that, accepting the uncertainty of the event itself, prepare the business for the type of disruption.
Page 13
Recovering From ‘Glitches’: Recovery is a Competitive Capability
The preparation, case scripts and exercising are a major investment by the firm to anticipate the issues and build a state of readiness with a team that can be mobilized at any time. If the crisis team is well rehearsed and can work together effectively using a command center, they will be well placed to deal with any event, prepared for or not. The ability to run the command center in a decentralized way requires that there is total information visibility of the situation that is in line with the crisis management plans for the situation. The combination of different times and locations is key to the command center approach. It is the only way to run a continuing situation across many locations and time zones. This is shown in figure 9 with a diagram from MissionMode.
Figure 9: MissionMode combines different times and locations using different modes
The control center can be accessed through a range of screens as shown on page 16. From the moment the situation is detected and an alert issued, the log can follow the information and analysis as the situation is managed through. Requests and instructions can be issued to key people and the feedback logged. Because the ‘A’ team will have exercised on the scripts and lines of communication, and leadership is clear, the process is designed to work well from the first moment. The team can come together for conference calls as required and they’ll all be working from the same information base. If specialist advice and information or particular skills are required, then these can be bought in and the people patched into the system. Of particular importance is the ability to keep private information private, yet share that information which should be shared. Following the exercise or real crisis, the command center log can be used to analyze the effectiveness of the response and recovery and improve the business processes between all parties in the supply chain.
Page 14
This white paper is brought to you by
Emergency Notification • Incident Management
MissionMode’s web-based emergency notification and incident management solutions simplify your response to any type of incident, from routine operational issues to major natural disasters. Industry-leading organizations around the world trust MissionMode to reduce the time and cost of returning to normal business operations.
Emergency Notification The Notification Center™ eliminates the guesswork of what message to send, who to contact and how. The right message is sent to the right people through the right devices. The system is smart enough to adapt to constantly changing situations, yet it’s so easy to use that alerts can be sent in as little as ten seconds. A realtime dashboard confirms delivery of each message and the responses, such as “on-site in 30 minutes.”
Incident Management After alerts are sent, our Situation Center™ provides the tools to remedy the incident. This simple-to-use virtual command center brings together your plans, people, communications and resources. No matter where they’re located, your staff can contribute vital information, monitor tasks, track people’s status, and access needed files. From the start, teams are equipped with the resources they need for that type of incident, ensuring a consistent response. The Situation Center gives you an accurate common operating picture for making informed decisions, and ensures that no detail is overlooked.
Online tools that are easy to implement, cost-effective, and require minimal training.
Contact us to learn more or schedule a demonstration North America Toll-free: 877.833.7763 Phone: +1 312.445.8811 20 W Kinzie St., Suite 1220 Chicago, IL 60654 USA
info@missionmode.com
International Phone: +44 1494 837198 High Tor, Lee Common Great Missenden HP16 9LA, UK
www.missionmode.com
“With MissionMode, we feel like we are their only customer.” Director of Corporate Crisis Management at a major global logistics company
Page 15
The MissionMode Situation Center A secure hub for communications, collaboration and control—anytime, anywhere
1
4
2
3
4. Users share information and come to informed decisions
“MissionMode radically reduces the time it takes to get an overview of an incident and take appropriate action to minimise its impact.� 2. Monitor and assign tasks
Bob Graham, Group Business Risk Manager, TBI
1. Team status at a glance 3. Access plans, procedures and any type of file
Page 16
Recovering From ‘Glitches’: Recovery is a Competitive Capability
References i.
World Trade Organisation – www.wto.org
ii.
Moss Kanter, R (1997) World Class: Thriving Locally in the Global Economy, Simon & Schuster Ltd
iii. Braithwaite, A. & Hall, D. (1999) “Risky Business? Critical Decisions in Supply Chain Management”, Supply Chain Practice, Vol. 1, No. 3, pp. 44-56. iv. Hall, D. & Braithwaite, A. (2001) “The Development of Thinking in Strategic Supply Chain & Logistics Management” in Handbook of Logistics and Supply Chain Management, (ed) Brewer, A., Button, K. & Hensler, D., Oxford: Pergamon, pp. 81-98. v.
Cranfield 2003 for the Department for Transport, Supply Chain Vulnerability ~ A Self-Assessment Workbook
vi. Braithwaite, A. & Wilding, R. (2006) “The supply chain risks of global sourcing” in Managing Business Risk, (ed) Reuvid J, Simmons & Simmons vii. Sheffi, Y, (2005) The Resilient Enterprise: Overcoming Vulnerability for Competitive Advantage, Massachusetts Institute of Technology viii. Singhal, V.R. and Hendricks, K. Supply Chain Management Review, January/February 2002. ix. Sapateiro, C, & Antunes, P (2008) Crisis Management: A collaboration model for unstructured activities Institute for Complexity Science: 1st ICC Workshop on Complexity in Social Systems, ISCTE Lisbon, January 2008
112811
Page 17