How to Manage Risk to the Supply Chain

Feb. 19, 2013
The adage “cargo at rest is cargo at risk” is just the beginning

Historic and recent events have proven the need to identify and manage supply chain risks. A single event — such as the 2011 earthquake and subsequent tsunami off the coast of Japan — can have potentially catastrophic impacts on a number of supply chain attributes, including critical infrastructure, communications, logistics, supply, manufacturing and distribution.

Successful supply chain risk management programs are able to anticipate, prevent, protect against, manage, respond to and ultimately recover from these potentially undesirable and disruptive incidents.

Risk Factors to Consider

Understanding risk factors as they relate to the transporting or storing of goods — domestically as well as internationally — is the first step in any supply chain risk assessment process. It is critically important to identify and rank, in order of importance, the risk factors that are of most concern/value in developing any proprietary risk mitigation program.

Below is a list of some very basic factors worthy of consideration. In the creation of a risk-based “matrix,” any or all of these factors might fit a particular shipping scenario — and could be based on the given product, the region it will travel through or be stored in, as well as the means by which it will reach its ultimate destination.

* Mode of conveyance/storage: Each mode of transportation — air, sea, rail and trucking — presents different forms of risk based on the methodology used in each unique circumstance; thus, what works at sea may not work in the air. Certain types of storage scenarios, particularly when things like environmental conditions are factored in, may or may not fit your supply chain security requirements.

* Routing of freight: Through what area does your supply chain flow? Which of these areas pose a greater risk from a criminal element, natural events and/or availability of logistics support?

* Logistics Service Provider: What types of logistics service providers are you planning to use to ship and store your products, and what precautions do they take to ensure the security and integrity of your goods?

* Duration of a shipment: The duration of the shipping window must also be weighed, depending on the potential exposure of a shipment to high-risk areas. Longer shipments potentially mean more hand-offs and possibly more stops — and more opportunities for undesirable parties to gain access to the shipment. A very common phrase used in the supply chain security discipline is “Cargo at rest is cargo at risk.”

* Attractiveness of freight: Different types of goods, based on popularity and ease of liquidation, pose different levels of risk. A cargo container full of consumer electronics would obviously be a bigger target than a less-desirable shipment.

* Market impact: A basic premise of a risk program is to protect the product; however, if that fails and your security protocols are breached, what would the impact be to your company’s ability to meet market demands based on such a loss?

Four Components of a Risk Management Program

Critical to the successful implementation of a supply chain risk mitigation strategy is top management’s endorsement, which would include the nomination of a project owner as well as an implementation team. As with any enterprise leadership, mandate and commitment come from the top — in the form of resources, engagement, support and guidance.

An integrated and engaged upper management team should communicate a clear mandate within the organization. They should also help to identify risks, decide on strategies to mitigate those risks, as well as participate in process review and improvement.

The next most critical implementation component is to have a documented plan — a company strategy and list of written program guidelines and operating procedures relating to your supply chain security initiatives. Having a documented program not only helps define your objectives, but also aids in making them accountable both to internal employees and your external supply chain partners.

Thanks to the advantages organizations have found in using strategies such as globalization, outsourcing, supply-base rationalization, supplier consolidation and lean inventories, risk management for external supply chain partners is vital for organizations that rely on those methods for successful extended operations. While these strategies can offer numerous benefits in efficiency and effectiveness, they also tend to make supply chains more risk prone and can increase the possibility of a disruption.

Thus, the third critical implementation component is to know, as thoroughly and completely as possible, who you are actually doing business with. Modern-day Federal government supply chain risk mitigation programs, such as the U.S. Customs Trade Partnership Against Terrorism (C-TPAT) and the Transportation Security Administration’s Certified Cargo Screening Program (CCSP), emphasize the need to fully understand and appreciate ALL the components of your supply chain — from supplier, to transporter, to those that might store your goods, to those that might ultimately sell them.

This leads to the fourth critical component, a hallmark of the Federal programs just mentioned, and that is to document how your risk assessments are conducted. In other words, the building of a system to audit the various facets of your supply chain program. Audits validate the initiatives that you are striving to achieve and ultimately add credibility to your program — particularly in the eyes of government-related regulatory agencies.

Once audits are completed, a documented method of “follow-up” needs to be in place to ensure that the findings and recommendations are both shared among all interested parties and enacted as required. Much like in any quality assurance or quality control program, modern-day risk mitigation initiatives require the same type of management and process/document control to remain both valid and effective.

Build Relationships

Intelligence sharing is another attribute that cannot be overlooked. For obvious reasons, you are not alone in developing this type of risk mitigation program for a company — many have in the past and will in the future. Organizations such as the American Society of Industrial Security (ASIS), the Transported Asset Protection Association (TAPA), the Overseas Security Advisory Council (OSAC) and several others are there to help you add value to your program design without having to “re-invent the wheel.”

Supply chain risk management must always be viewed as an evolving process. Thanks in part to threats like Organized Retail Crime (ORC), the challenges faced by organizations and their supply chains today are constantly changing; therefore, risk mitigation needs to be treated as a dynamic discipline.

For example, within the pharmaceutical industry, where I currently reside, we view risk mitigation in essentially five (circular) steps: the conducting of risk assessments; the assessing and quantifying of all credible threats; the development and implementation of responses to those threats; monitoring the results of those efforts, refining our strategies and then — the most important part of all — conducting the same process all over again, perpetually.

From prior experience in both law enforcement and the military, I have learned that those who desire to disrupt your supply chain are not static entities. When one method of disruption won’t work, these nefarious individuals or groups will quickly move to another. We, as stewards of our respective supply chains, must always be prepared to defend against such efforts. And if those efforts are predictable — which they should be with a credible, validated, risk management program — then it only stands to reason that it can be preventable.

Charles Forsaith is Director of Supply Chain Security for Purdue Pharma Technologies Inc. He is also the Chairman of the Pharmaceutical Cargo Security Coalition (PCSC). He joined Purdue Pharma in 2001, after 21 years of service as both a New Hampshire municipal and State Police officer. Forsaith also directed security operations for a United States military installation.