Rethinking Supply Chain Security

May 22, 2007
Focusing on the access control of your physical premises does not secure your supply chain

Prior to the attacks on September 11, 2001, many logistics and supply chain managers understood that we were, in fact, quite vulnerable. But only now are we beginning to truly recognize our own specific vulnerabilities, and the sheer volume of debilitating business disruptions that can come in tow.

The one area in particular that's been exposed is our interdependence among all parties in the supply chain network, including government agencies that deal with freight flows and infrastructure. We can now vividly see that the failure of one party in the supply network has a momentous impact on the rest.

For many progressive companies, this harsh reality acted as a wake-up call, urging their logistics and supply chain teams to broaden the scope of their security efforts well beyond the physical to include the entire supply network, partners, information technology, intellectual property (process and product), and corporate risk management planning.

While many companies have become proactive in their approach to security, a vast majority have yet to react to the wake-up call. Sadly, a conversation I had recently with a global carrier illustrates the significant vulnerabilities that exist in many firms today. The logistics executive spoke about the importance of business continuity to the firm and to their customers. But despite this recognition, he went on to say that there were no documented plans for emergency response or business continuity; instead they depend on "institutional wisdom" to guide the firm.

After our brief discussion about the new risks, he told me that he was surprised they hadn't created a focused initiative to standardize their business resilience systems. Is this the case with your organization? If so, it's time to broaden your security thinking well beyond the physical.

Find the weakest link

Traditionally, security thinking has focused on physical site protection, personnel checks, and incident investigations, with the primary concern being cost containment for physical asset protection. Today, security in the most progressive companies is viewed as a central element in delivering value and can be used to create competitive advantage. I'll discuss the actions these companies have taken later in this section.

A central element of any progressive security initiative is that you view the entire supply network as the full scope of concern. It's becoming trite to say that "you're only as strong as your weakest link," but there isn't a more accurate statement in the supply chain security discussion.

When Pan Am Flight 103 went down over Lockerbie, Scotland, in 1998, it plainly exposed what can happen when there's a weak link in the supply network. Pan Am's security system and processes, in fact, did not fail in permitting the bomb onto their aircraft. It was Malta Airlines' security system that failed and permitted the bag carrying the bomb into the baggage handling system. Pan Am had depended on this extended network to fully screen for safe baggage.

Successfully securing the entire network (finding the weakest links) entails vetting upstream suppliers and downstream customers for their supply network security processes. This ought to be an ongoing process where upstream and downstream parties are planning and coordinating for secure movements and resilient systems.

Aside from improving the security practices of your partners, this helps "socialize" security with your partners so that, in due time, it will be commonly recognized as an important central business function rather than a secluded auxiliary compliance or cost-reduction subgroup. In practice, this upstream and downstream collaboration should include contractual requirements for secure systems, with a logistics "standards of care" defining security conditions for shipment movements. Ideally, these "standards of care" are developed together by shippers and carriers to take best advantage of their relative expertise and interests. For example, specific low-theft routes may be defined for specific product movements, with stops limited to previously approved high-security locations for limited periods of time. As the saying goes, freight at rest is freight at risk; so these standards often call for limiting stops and downtime on freight hauls.

Collaboration in securing the supply network should also extend to include law enforcement officials in security planning, simulation training and drilling, and incident investigation. Groups such as the Los Angeles County Sheriff's Cargo Criminal Apprehension Team (popularly known as the Cargo CATS) work with the various parties handling and responsible for cargo, including insurers, to reduce theft, recover stolen cargo, and develop critical information to increase conviction rates and inform the public about the risks. Additionally, U.S. Customs and Border Protection (CBP) runs several programs and initiatives, which are mentioned in the next section, to increase cargo security in conjunction with industry, offering faster customs clearance rates for those participating in the programs.

Follow the leaders

In the course of studying security practices of the most progressive industrial firms, we have observed four different levels of response that outline a progressive pathway towards a high-functioning, secure, and resilient security system.

Our studies also indicate that there are several different paths to the same end objective. While there is no one path that is optimal for all, firms may find this useful as a stepping stone to compare progress against and to guide future system development. While these observations will not guarantee results, they appear to be the practices that leaders adopt and therefore warrant study and potential reapplication by those interested in learning from leaders.

Basic Initiatives: This first level of security response showed firms engaging in multiple efforts that are important but focused. These firms have mainly beefed up existing security initiatives. Basic initiatives include:
- Physical security measures. Added access control, badges, guards, camera systems.
- Personnel security. Conducted criminal, credit, and background checks on potential employees.
- Standard risk assessment. Gave added consideration to risks such as fire, flood, vandalism, utility disruptions.
- Basic cyber security. Added anti-virus software, firewalls, passwords.
- Continuity plan. Produced for internal purposes and small-scale incidents, as well as how to recover within one's own operations.
- Freight protection. Conducted employee background checks, added cargo seals, tracking technologies, and sensors.

Reactive Initiatives: This second level showed firms that went beyond Basic Initiatives and illustrated a deeper understanding of their vulnerabilities, as evidenced by their actions. These firms added supply chain security initiatives since September 11. Reactive initiatives include:
- Larger security, risk, or business continuity organizations. Firm increased commitment either through reallocation of human or capital resources.
- C-TPAT compliance. Firm filed an application for compliance, perhaps as a result of internal leadership or government pressure.
- Analysis of supply base. Firm better understood supplier capabilities in the event of disruption.
- Supply continuity plan. Consequences of September 11 and the threat of a new disruption in supply led to the development of dedicated continuity plans.
- Limited training. Firm selected employees to receive training or education on what our research group has termed Level 1 and Level 2 initiatives.

Proactive Initiatives: This third level went beyond Reactive Initiatives and added new initiatives that expanded beyond the firm to include suppliers, customers, and law enforcement officials in improving supply network security. Proactive initiatives include:
- Director or Chief of Security. Firm created executive-level positions with resources and responsibility for ensuring security.
- Ex-federal or ex-military personnel. A number of firms have actively sought or retained employees with prior government, military, law enforcement, or intelligence agency experience.
- Structured risk assessment. Firms used formal and comprehensive approaches to analyze and understand their exposure to risk.
- Advanced cyber security. Firms used intrusion detection systems, relocated information systems to secure buildings, physically separated the internal network from the Internet, and audited partner practices.
- Business continuity plan. Firms developed plans to address primary failure modes, including supply, transportation, freight, facilities, and communication, often developed in collaboration with logistics providers.
- Participation in industry supply chain and security groups. Firms became aware of and provided input on the development of industry-wide common policies and standards, and supported or advocated government actions.

Advanced Initiatives: This highest level includes firms that exhibited industry leadership by going well beyond the Proactive Initiatives. Sadly, the number of firms at this level appears to be comparatively small. Advanced initiatives include:
- Customer-supplier collaboration. Firms developed flexible contracts, joint continuity plans with suppliers and customers, and alternative sources.
- Learning from past disruptions. Firms built on past experiences to make their organizations stronger.
- Formal security strategy. Firms developed a comprehensive, documented strategy, which includes all initiatives to increase supply chain security and resilience.
- Supply chain drills, simulations, and exercises. Firms performed training or exercises that include simulations of supply chain disruption, stress testing of security measures, and business continuity plans for a variety of possible disruptions.
- Emergency control center. Firms implemented a predetermined facility and set of procedures to manage and coordinate the response to unexpected disruptions.
- Cost/benefit analysis. Firms understood (quantitatively when possible) the actual or expected costs and benefits of different alternatives.

Look over your shoulder

Firms often take actions to improve their security and resilience only to develop a false sense of security. Logistics and supply chain professionals struggling to get their arms around better security must remember that focusing on the access control of your physical premises does not secure your network. On top of that, mere compliance in programs such as C-TPAT doesn't automatically improve security.

As the four levels of security leadership illustrate, the path to true security leadership has many stages. Arguably, this is a pathway with no defined endpoint. There will likely be a never-ending challenge to secure the supply chain.

Yet, by being humble and practicing what the leaders do in developing an intertwined secure and resilient supply network, firms will be well on the way to protecting their ability to maintain economic viability.

Corresponding research - James B. Rice, Jr.

"Supply Chain Response to Terrorism: Creating Resilient and Secure Supply Chains," by James B. Rice, Jr. and Federico Caniato, August 8, 2003.

"Investing in Supply Chain Security Investments: Collateral Benefits," by James B. Rice, Jr. and Philip Spayd, The IBM Center for the Business of Government, May 2005.

Show me the Money

What happens when a firm makes a successful supply chain security investment? If you didn't blurt out your answer, then you've answered properly. The answer, of course: "Nothing."

When a supply chain security investment prevents a loss, a breach, or other disruption, basically nothing happens. While this is the target and means good news, it's difficult to calculate an ROI when you can't show the cost that was avoided.

It may be possible to show an ROI if the initial investment does result in a lower loss rate, but this only applies in the first year of implementation. Beyond that, investment will still be required, even though there may not be any additional loss reduction, since that investment is protecting the improved loss level.

This presents a predicament for security groups in gaining financial support for initiatives that are effectively preventative in nature. Ultimately, the security investment that does not show ROI does not make a compelling business case.

There is promise, however, in identifying potentially useful "collateral benefits" from security investments. By this, I mean the unanticipated operational benefits that may come from making security investments. For example, security investments in asset tracking may provide useful information about inventory location, which may reduce the uncertainty in the supply chain.

With lower uncertainty in the system, it may be possible to reduce inventory stock levels and therefore free up working capital since inventory is often used as a buffer to offset uncertainty.

In the words of one automotive firm executive I've interviewed, "Ultimately, you need to tie risk [of attack, disruption] to business performance."