Securing the Supply Chain

The phrase “supply chain” calls to mind a simple chain or line of cargo carriers, going from one point to another. Supply chain security could then be pictured as putting the correct security measures in place at various points on that chain, starting with the suppliers and ending with the customers who receive the product.

The correct picture would actually be more like a three-dimensional spider web, where each point in the web has its own 3-D web. After all, your suppliers can have suppliers. Your customers can have customers. Some of your customers can be suppliers, and some of your suppliers can also be customers.

It quickly goes beyond what can be easily envisioned. This raises the question: How can you secure something that you can hardly get your wits around?

Supply Chain Management
Given the size and complexity of a major supply chain, it should be no surprise that supply chain management is not a small subject. As of June 1, there were more than 49 million Google results for the term supply chain, a term which came into use relatively recently (in the 1980s).

The following definition is from Wikipedia:
“A supply chain is the system of organizations, people, technology, activities, information and resources involved in moving a product or service from supplier to customer.”
Such a definition, while seeming somewhat obvious, is still valuable because it helps to categorize the elements involved. These are all elements that have to be managed. From the management perspective, the above definition leads us to organizational management, HR, IT, operations and logistics — all corporate functions that manage particular aspects of the supply chain. A good perspective on the scope of supply chain management is provided by a short video on the home page of the Supply Chain Management Institute.

Competing vs. Common Interests
The Wikipedia supply chain article explains, “Many of the exchanges encountered in the supply chain will therefore be between different companies that will seek to maximize their revenue within their sphere of interest, but may have little or no knowledge or interest in the remaining players in the supply chain.”
This is the problem that Supply Chain Management (SCM) seeks to address. The basic idea behind SCM is to have companies and corporations involve themselves in a supply chain by exchanging information (for example, relating to market fluctuations and production capabilities) for their mutual benefit. Instead of companies operating blindly and independently with regard to the other companies involved in the supply chain, the idea is to optimize the entire supply chain rather than to sub-optimize parts of it based on local interests.

Supply Chain Risk
Companies are highly dependent on their supply chains. According to the Global Supply Chain Council, studies show that one-third of companies that experience disruption of supply suffer loss of business, lower stock returns and damage to their brands. Procurement and sourcing executives are on the front line in the struggle to identify the specific supply-chain risks their companies face and to plan mitigation strategies.
Supply chains have a very high level of operational risk (see the sidebar, Operational Risk and Security Risk, page 22). Security risk is a part of that risk picture; thus, Supply Chain Risk Management is the context within which supply chain security is implemented.

Supply Chain Risk Management is now viewed as a critical discipline due to the business need for global sourcing strategies, increasingly complex contract manufacturing relationships, and the greater number of natural and political events that can disrupt the supply chain. Additionally, the U.S. Customs and Border Protection’s Customs-Trade Partnership Against Terrorism (C-TPAT) initiative raised the need for establishing a high degree of manageability in addressing supply chain risk.

As a result, Supply Chain Risk Management has become an increasingly important part of the operations of many manufacturers and retailers.
This is why William Tenney, Group Manager of Global Security at Target Corp., and James B. Rice, director of the MIT Integrated Supply Chain Management Program, put their heads together to develop a roadmap for implementing a sustainable supply chain risk management program. The objective was to develop a model that focuses on protecting — which means actually maintaining — the company’s economic viability.
Building on the work done by a few pioneering firms, such as Intel, Target, IBM, UPS, Nike, Maersk and APL, plus the work done at Target and the MIT Center for Transportation and Logistics, Tenney and Rice developed a risk management maturity model for supply chains that serves as such a roadmap. While it is a valuable tool for establishing C-TPAT compliance, it also applies to the full spectrum of Supply Chain Risk Management.

Capability Maturity Models
A Capability Maturity Model, or just “maturity model” for short, addresses a common organizational challenge that many business functions, including security, face: how to move from an initial less-established state to a more stable well-established state (no backsliding) that includes ongoing improvement. The concept of a Capability Maturity Model (CMM) was developed at Carnegie Mellon University in its Software Engineering Institute (SEI), and funded by the U.S. Air Force, in response to its need to assess the capabilities of companies developing critical defense systems to consistently deliver a product of acceptable quality on schedule.
Capability maturity models are collections of best practices that help organizations improve their processes. The SEI has taken the process management premise, “the quality of a system or product is highly influenced by the quality of the process used to develop and maintain it,” and has defined CMMs that embody this premise, beginning with a CMM for software development. Since then, several additional CMMs have been developed by the SEI, and several dozen have been developed by other organizations for various domains including architecture, human resources, information security, construction and project management.
The purpose of a maturity model is not to guide your actions (i.e. provide step-by-step instructions), but to guide your thinking in a way that leads to actionable ideas for stable improvement.

Supply Chain Risk Management Maturity Model
Figures 1 and 2 (on page 22) depict the basic elements of the Supply Chain Risk Management Maturity Model: the maturity levels and the key process areas. The maturity levels provide a stepping-stone path to achieving higher supply chain security and resilience, with a resulting higher level of economic viability for your company.

The maturity levels (described below) are general enough to apply to any company, yet specific enough that any company’s position can be clearly identified. Instead of defining specific processes, maturity models identify key process areas to be addressed using processes refined, defined or developed as appropriate for the specific business.

Level 1 — Pre-compliant: Pre-compliant companies are not yet meeting C-TPAT security or other compliance criteria, nor have they established supply chain security prevention or response standards or practices. In some cases, limited prevention measures such as personnel checks and freight protection practices are in place. The firm’s economic viability is at risk. The probability of a business disruption is high, as is the likely impact — and these firms are less competitive than their C-TPAT-compliant rivals.

Level 2 — Compliant: C-TPAT-compliant companies carry out security or other mitigation measures as a response to externally imposed regulations. Aside from being compliant, companies at this level are primarily reactive and see security as a cost of doing business. There is a lower risk of compliance violation, but still high probability and impact of disruptions. These firms may enjoy C-TPAT benefits of fewer inspections and shorter border delays, but they are not leveraging their security investment.

Level 3 — Secure: Secure companies see externally imposed security standards as inadequate, and have instituted a more rigorous approach to protect the brand, employees, physical assets and shareholders. At this level, the focus is on preventing a disruption from occurring. Security is seen as part of the business model. These firms are leveraging their C-TPAT investments and are working with suppliers and customers to understand the system risks and vulnerabilities; however, the impact of a disruption is still high.

Level 4 — Resilient: Resilient companies see risk management as an element of a business strategy that changes the way the enterprise operates and increases competitiveness. Recognizing that disruptions are not entirely preventable leads to additional focus on rebounding quickly from incidents. The company adds flexibility and, where necessary, redundancy in the supply chain to detect and respond proactively to potential risks and crises. These firms have reduced their risk of non-compliance, are less prone to security breaches and have mitigated the consequences of disruptions. They are leveraging their security investments, and security plays an integral role in serving the business purpose. As such, these firms have prepared themselves for ultimate economic viability.

Using the Maturity Model
Using the maturity levels, you can identify your supply chain’s current level of maturity. No organization’s supply chain is 100 percent at a single level. Usually, some processes are at a higher or lower level of maturity than others; however, a general determination can be made as to which maturity level best represents the state of supply chain security.
One way to use the maturity model is to identify the gap between the current maturity level and the next level up, for each key process area. For example, this could mean identifying what must be accomplished to move from the Pre-Compliant to the Compliant level.

However, it is important to note that the maturity model is not intended to restrict or limit process improvement to “the next level up” if a critical process belongs at a high maturity level — regardless of the levels of other processes. The value of the model in such an instance is that it provides a perspective by which to understand the relative state of specific processes in relation to others. This facilitates the consideration of related or supporting processes that may also need to be advanced. Without such a framework for thinking, capability gaps (and their related vulnerabilities) could remain unseen.

Financial Benefits
The 2002 West Coast port labor dispute is an example of the economic impact of widespread supply chain delays. While the dispute remained unresolved, cargo ships lined up in the Pacific for as far as the eye could see, unable to offload their goods. The resulting impact to American companies has been estimated to have reached $2 billion a day.

Barry Brandman is president of Danbee Investigations, a Midland Park, N.J., company that provides investigative, loss prevention and security consulting services to many of the top names in the logistics industry. He is the author of “Security Best Practices: Protecting Your Distribution Center From Inventory Theft, Fraud, Substance Abuse, Cybercrime and Terrorism.” Danbee’s clients have found that implementing supply chain security — and particularly C-TPAT compliance — has significant financial benefits.

“Many of America’s largest importers have embraced the C-TPAT program and strengthened their supply chain security,” Brandman says. “Not only has this reduced their exposure to smuggling and cargo theft (itself a multi-billion dollar problem annually), but most C-TPAT-certified companies have also reaped significant financial benefits. To begin with, their risk of shipment delays caused by security inspections has dropped drastically. In addition, their participation in C-TPAT makes them eligible for expedited clearance via Customs’ FAST (Free and Secure Trade) program at the Mexican and Canadian borders, and has given them added leverage in negotiating insurance premiums.”

Two-Minute Assessment
If you haven’t already done so, take a look at the maturity levels in Figure 1 and assess where your supply chain security program currently stands. It shouldn’t take more than a minute or two. Armed with that assessment, what thoughts do you have now about improving the state of your company’s supply chain security?

Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), providing security consulting services for public and private facilities. For the rest of Mr. Bernard's bio, please see Convergence Q&A on page 14.

William Tenney is Group Manager of Global Security at Target Corp.