Rethinking Supply Chain Security

Focusing on the access control of your physical premises does not secure your supply chain

- Director or Chief of Security. Firm created executive level positions with resources and responsibility for ensuring security.

- Ex-federal or ex-military personnel. A number of firms have actively sought or retained employees with prior government, military, law enforcement, or intelligence agency experiences.

- Structured risk assessment. Firms used formal and comprehensive approaches to analyze and understand their exposure to risk.

- Advanced cyber security. Firms used intrusion detection systems, relocated information systems in secure buildings, physically separated the internal network from the Internet, audited partner practices.

- Business continuity plan. Firms developed plans to address primary failure modes, including supply, transportation, freight, facilities, and communication, often developed in collaboration with logistic providers.

- Participation in industry supply chain and security groups. Firms became aware of and provided input on the development of industry-wide common policies, standards; supported or advocated government actions.

Advanced Initiatives: This highest level includes firms that exhibited industry leadership by going well beyond the initiatives of Proactive Initiatives. Sadly, the number of firms at this level appears to be comparatively small. Advanced initiatives include:

- Customer-supplier collaboration. Firms developed flexible contracts, joint continuity plans with suppliers and customers, alternative sources.

- Learning from past disruptions. Firms built on past experiences to make their organizations stronger.

- Formal security strategy. Firms developed a comprehensive, documented strategy, which includes all initiatives to increase supply chain security and resilience.

- Supply chain drills, simulations, and exercises. Firms performed training or exercises that include simulations of supply chain disruption, stress testing security measures, and business continuity plans for a variety of possible disruptions.

- Emergency control center. Firms implemented a predetermined facility and set of procedures to manage and coordinate the response to unexpected disruptions.

- Cost/benefit analysis. Firms understood (quantitatively when possible) the actual or expected costs and benefits of different alternatives.

Firms often take actions to improve their security and resilience only to develop a false sense of security. Logistics and supply chain professionals struggling to get their arms around better security must remember that focusing on the access control of your physical premises does not secure your network. On top of that, mere compliance in programs such as C-TPAT doesn't automatically improve security.

As the four levels of security leadership illustrate, the path to true security leadership has many stages. Arguably, this is a pathway with no defined endpoint. There will likely be a never-ending challenge to secure the supply chain.

Yet, by being humble and practicing what the leaders do in developing an intertwined secure and resilient supply network, firms will be well on the way to protecting their ability to maintain economic viability.

Corresponding research - James B. Rice, Jr.

"Supply Chain Response to Terrorism: Creating Resilient and Secure Supply Chains," by James B. Rice, Jr. and Federico Caniato, August 8, 2003.

"Investing in Supply Chain Security Investments: Collateral Benefits," by James B. Rice, Jr. and Philip Spayd, The IBM Center for the Business of Government, May 2005.

Show me the Money