Prior to the attacks on September 11, 2001, many logistics and supply chain managers understood that we were, in fact, quite vulnerable. But only now are we beginning to truly recognize our own specific vulnerabilities-and the sheer volume of debilitating business disruptions that can come in tow.
The one area in particular that's been exposed is our interdependence on all parties in the supply chain network, including government agencies that deal with freight flows and infrastructure. We can now vividly see that the failure of one party in the supply network has a momentous impact on the rest.
For many progressive companies, this harsh reality acted as a wake up call, urging their logistics and supply chain teams to broaden the scope of their security efforts well beyond the physical to include the entire supply network, partners, information technology, intellectual property (process and product), and corporate risk management planning.
While many companies have become proactive in their approach to security, a vast majority have yet to react to the wake up call. Sadly, a conversation I had recently with a global carrier illustrates the significant vulnerabilities that exist in many firms today. The logistics executive spoke about the importance of business continuity to the firm and to their customers. But despite this recognition, he went on to say that there were no documented plans for emergency response or business continuity-instead they depend on "institutional wisdom" to guide the firm.
After our brief discussion about the new risks, he told me that he was surprised they hadn't created a focused initiative to standardize their business resilience systems. Is this the case with your organization? If so, it's time to broaden your security thinking well beyond the physical.
Traditionally, security thinking has focused on physical site protection, personnel checks, and incident investigations, with a primary concern on physical asset protection cost containment. Today, security in the most progressive companies is viewed as a central element in delivering value and can be used to create competitive advantage. I'll discuss the actions these companies have taken later in this section.
A central element to installing progressive security initiatives demands that you view the entire supply network as the full scope of concern. It's becoming trite to say that "you're only as strong as your weakest link," however, there isn't a more accurate statement in the supply chain security discussion.
When Pan Am Flight 103 went down over Lockerbie, Scotland, in 1998, it plainly exposed what can happen when there's a weak link in the supply network. Pan Am's security system and processes, in fact, did not fail in permitting the bomb onto their aircraft. It was Malta Airlines' security system that failed and permitted the bag carrying the bomb into the baggage handling system. Pan Am had depended on this extended network to fully screen for safe baggage.
Successfully securing the entire network-finding the weakest links-entails vetting upstream suppliers and downstream customers for their supply network security processes. This ought to be an ongoing process where upstream and downstream parties are planning and coordinating for secure movements and resilient systems.
Aside from improving the security practices of your partners, this helps "socialize" security with your partners so that, in due time, this will be commonly recognized as an important central business function-rather than a secluded auxiliary compliance or cost-reduction subgroup. In practice, this upstream and downstream collaboration should include contractual requirements for secure systems, with a logistics "standards of care" defining security conditions for shipment movements. Ideally, these "standards of care" are developed together by shippers and carriers to take best advantage of their relative expertise and interests. For example, specific low-theft routes may be defined for specific product movements, with stops limited to previously-approved high-security locations for limited periods of time. As the saying goes, freight at rest is freight at risk; so these standards often call for limiting stops and downtime on freight hauls.
Collaboration in securing the supply network should also extend to include law enforcement officials in security planning, simulation training and drilling, and incident investigation. Groups such as the Los Angeles County Sheriff's Cargo Criminal Apprehension Team (popularly known as the Cargo CATS) work with the various parties handling and responsible for cargo-including insurers-to reduce theft, recover stolen cargo, and develop critical information to increase conviction rates and inform the public about the risks. Additionally, U.S. Customs and Border Protection (CBP) runs several programs and initiatives, which are mentioned in the next section, to increase cargo security in conjunction with industry, offering faster customs clearance rates for those participating in the programs.
In the course of studying security practices of the most progressive industrial firms, we have observed four different levels of response that outline a progressive pathway towards a high-functioning, secure, and resilient security system.
Our studies also indicate that there are several different paths to the same end objective. While there is no one path that is optimal for all, firms may find this useful as a stepping stone to compare progress against and to guide future system development. While these observations will not guarantee results, they appear to be the practices that leaders adopt and therefore warrant study and potential reapplication to those interested in learning from leaders.
Firms often take actions to improve their security and resilience only to develop a false sense of security. Logistics and supply chain professionals struggling to get their arms around better security must remember that focusing on the access control of your physical premises does not secure your network. On top of that, mere compliance in programs such as C-TPAT doesn't automatically improve security.
As the four levels of security leadership illustrate, the path to true security leadership has many stages. Arguably, this is a pathway with no defined endpoint. There will likely be a never-ending challenge to secure the supply chain.
Yet, by being humble and practicing what the leaders do in developing an intertwined secure and resilient supply network, firms will be well on the way to protecting their ability to maintain economic viability.
Corresponding research - James B. Rice, Jr.
"Supply Chain Response to Terrorism: Creating Resilient and Secure Supply Chains," by James B. Rice, Jr. and Federico Caniato, August 8, 2003.
"Investing in Supply Chain Security Investments: Collateral Benefits," by James B. Rice, Jr. and Philip Spayd, The IBM Center for the Business of Government, May 2005.
Show me the Money
What happens when a firm makes a successful supply chain security investment? If you didn't blurt out your answer, then you've answered properly-the answer of course: "Nothing."
When a supply chain security investment prevents a loss, a breach or other disruption; basically, nothing happens. While this is the target and means good news, it's difficult to calculate an ROI where you can't show the cost that was avoided.
It may be possible to show an ROI if the initial investment does result in a lower loss rate; but this only applies in the first year of implementation. Beyond that, investment will still be required, even though there may not be any additional loss reduction, since that investment is protecting the improved loss level.
This presents a predicament for security groups in gaining financial support for initiatives that are effectively preventative in nature. Ultimately, the security investment that does not show ROI does not make a compelling business case.
There is promise, however, in identifying potentially useful "collateral benefits" from security investments. By this, I mean the unanticipated operational benefits that may come from making security investments. For example, security investments in asset tracking may provide useful information about inventory location which may reduce the uncertainty in the supply chain.
With lower uncertainty in the system, it may be possible to reduce inventory stock levels and therefore free up working capital since inventory is often used as a buffer to offset uncertainty.
In the words of one automotive firm executive I've interviewed, "Ultimately, you need to tie risk [of attack, disruption] to business performance."