The cyber supply chain risk

In a digital world, cyber risks are an increasing concern for businesses – as our colleagues within the InterSys technical group are well aware. This deals with the findings of the government’s Information Security Breaches Survey 2015, which shows both the prevalence and impact of cyber breaches. There’s a lot more businesses can be doing, they note.

There are obvious implications for the supply chain, too. As research by Standard Chartered (picked up by the FT) highlighted, technology has transformed the global supply chain, bringing massive benefits. Radio-frequency identification (RFID) technology and the Internet of things, for example, have made it much easier to track and monitor orders and shipments through the supply chain. Similarly, technology facilitates much greater coordination between businesses.

“Supplier companies can be completely integrated in managing the supply chain. Instead of an ordering department sending orders to suppliers, everybody can be linked directly to inventory management systems,” the report states.

While the benefits of that are obvious, so too are the risks. Increased connectivity, if not properly handled, brings the potential for increased vulnerabilities. Moreover, the reliance on technology exacerbates the potential problems in cases where a breach does occur (one reason, possibly, why the government survey shows the average cost of security breaches soaring).

The other, and related, point is that a company cannot afford to look just at its own cyber security. As delegates heard at the Infosecurity Europe event where the Security Breaches survey was launched, businesses need to work not just on their own procedures and practices, but also with their suppliers.

Experts are urging businesses to work with suppliers to raise the level of their “cyber hygiene” – encouraging them to follow principals such as those laid out by the government’s the Cyber Essential Scheme. The view is based on a number of cases where attackers have targeted suppliers to circumvent big firms’ security.

“Try to be an intelligent customer,” Jon Townsend, head of cyber intelligence and response at the UK’s Department for Work and Pension (DWP), advised the audience. “And if you think suppliers are not meeting your information security requirements, instead of beating them up with the contract, work with them to put it right.”

That’s good advice. As a first step, though, businesses need to have visibility of the supply chain to identify where the potential vulnerabilities are, and identify who has what information. Fortunately, that’s an area where technology can help as well, with the growing market for supply chain management software.

Directing investments in a globalised market

Supply chain risks are once again close to all-time highs, according to the Chartered Institute of Procurement and Supply. The group’s Risk Index assesses risks in 132 countries across a range of categories to calculate the global supply risk score. Only five countries saw operational risks improve in the last quarter.

The index, which runs from 0 (no risk) to 100, is now at 78.7 – up from 23.7 in 1994.

The variety of factors that have driven it up, including political turmoil in Europe and economic slowdown in China, will impact each business differently. However, it is also the result of more general and longer-term trends that have more universal applicability.

As CIPS economist and Cranfield School of Management senior economist John Glen told reporters, supply chain complexity is a big factor: “Supply chains have become a lot more complex in the past 20 years. It’s not necessarily the case that there is more risk out there but that our supply chains touch them more.”

There are no “safe havens” for international supply chains, Glen added.

A lot of businesses accept this. Nevertheless, many companies decide to invest in potentially riskier geographic regions to gain access to emerging market places, where the reward is judged to outweigh the operating risks. In doing so they face challenges such as infrastructure reliability and water scarcity issues, which are becoming critical in many areas. In Latin America, for example, Brazil has suffered a historic drought coupled with a dependency on hydroelectric power, resulting in its regional risk score deteriorating in Q1 2015.

In this context, as we’ve noted, there is the potential to gain competitive advantage from more resilient supply chains. However, businesses face a number of challenges in seeking to build resilience. The first is to know in what areas of the business, skills and solutions to invest, given the complexity of the supply chains, and the fact that innovations aimed at supply chains can be a little hit and miss. Moreover, it is not always easy to address deficiencies even once this is established.

Securing skilled personnel falls firmly into this category. The growing skills gap in supply chains is increasingly acknowledged, and was a key theme in Deloitte’s most recent Supply Chain Survey. Fewer than four in ten (38%) of the executives it surveyed thought their organization had the competencies around supply chains required. Only a slightly higher proportion (43%) considered their supply chain was strong when it came to strategic thinking and problem solving.

Supply chain technology needs to address both these challenges: offering solutions that are proven and that can also deliver answers to skills shortages and the complexity of modern supply chains. For those that accept the importance of the supply chain and the need for investment, such criteria should be central to how decisions to address it are made.

 

The positive case for supply chain resilience

Courier group Fedex and researchers at Frost & Sullivan have published an interesting report looking at the importance of supply chains to competiveness for medical device, pharma and biotech manufacturers, among others.

The study opens by noting the supply chain’s importance and also reports encouraging findings from a poll and interviews with 39 high-level healthcare industry executives. These showed 78% recognised that an effective supply chain would be vital to their company’s ability to compete in the next decade.

Despite this, however, the focus of strategic growth in healthcare companies has generally been on acquisitions, restructurings and, particularly, product development.

“[H]ealthcare products companies have sought to gain competitive advantage by leveraging R&D and technology to create superior products and by capitalizing on their marketing prowess… They have often neglected to create a more comprehensive solution for their customers that would plant the seeds for nurturing a true strategic relationship,” the report states.

This is where the supply chain could play a key role, it notes. Companies need to move beyond just thinking about the supply chain in terms of efficiencies; they should also consider its ability to drive growth through developing relationships.

All this reinforces old lessons: The pressure to reduce supply chain costs has in the past threatened, and at times undermined, resilience when applied in a manner that is not proportionate to the risk exposure. Cost reduction has meant closing plants, removing redundancy from the supply chain and reducing stock. Meanwhile, the industry’s focus on mergers and acquisitions hasn’t always helped either, being a contributory factor in a number of cases of drug shortages.

The point is that the cost savings of a leaner supply chain have to be set against the risks. They also have to be set against the competitive advantage gained from a well-publicised, generous finished stock policy for critical drugs that minimizes the risk of vulnerable patients being exposed to product shortages.

This is not an easy balance to strike, but the issue won’t go away. In fact, it’s almost certain to grow. Others have noted the potential impact on pharmaceutical supply chains of medical apps and technology recently introduced by volume providers such as Apple and Google. Furthermore, the growth of the home healthcare market is expected to see the pharmaceutical logistics market increase almost 10% a year to 2019, according to one recent analysis, as companies review their supply chains.

There are no easy answers, but the questions do at least make clear the importance of supply chain resilience – not just in terms of risk mitigation, but also as a potential driver for growth.

Supply Chain Visibility Moves up the Management Agenda

There are an increasing list of reasons for Senior Management Teams to understand the risks inherent all tiers of their supply chains.

Intersys was invited to speak at a leading re-insurer’s conference on Contingent Business Interruption Insurance (earnings protection against failure of 3rd party dependencies to the layman). The attached paper examines the themes presented; the challenges of End to End Supply Chain Risk Management from the perspective of the manufacturing company.

Regulators Push Drug Manufacturers to Proactively Manage Supply Vulnerabilities

The last three years have seen an unprecedented rise in drug shortages in both Europe and America. The number of shortages in the US has been growing steadily from 70 in 2006, peaking at 276 in 2011 . However this is not limited to the US, it is a global pandemic; in 2011 a Belgian pharmacy journal listed 21 countries that were experiencing supply shortfalls .

Action is being taken by regulators in both Europe and America to minimise any future impacts on patients. In October 2011, the US Food and Drug Administration (FDA) issued a review of their approach to Medical Product Shortages and last month the European Medicines Authority (EMA) followed suit by issuing a reflection paper, discussing the scale and origins of the problem and detailing their plans to manage the situation in the future.

Whilst the root causes of each individual product shortage will differ, many had their origins in problems at the manufacturing facilities (accounting for 43% of cases investigated by the FDA in 2011) . The frequency of these ‘manufacturing problems’ has been strongly influenced by industry wide trends, most notably:

• Generic players struggling with manufacturability of complex products whilst trying to keep their cost base to a minimum (in particular injectables such as propofol, chemotherapy agents and nutrition products)
• Regulators taking more punitive action to combat systemic quality systems failings and manufacturers who are sensitive to this more stringent regulatory environment, taking their own pre-emptive actions (voluntary plant shut downs, precautionary recalls).
• Consolidation of the outsourced supply base resulting in single incidents further up the supply chain impacting multiple downstream companies (e.g. mould contaminated intravenous antibiotics sourced from Claris triggered a recall for 5 different companies in the US)
• Progressive outsourcing to less well regulated countries with less regulatory oversight (“Today, about 70% of all APIs consumed in Europe are imported from China and India, where their factories are rarely inspected for compliance with EU standards by EU authorities” European Fine Chemicals Group)

These factors have combined to create an industry wide crisis, which has forced Regulators to redefine their own rules, including:

• Fast tracking the approval of alternative new therapies (e.g. in the US, Shire’s drug for the treatment of Gaucher disease was fast tracked in the wake of contamination at a Genzyme facility)
• Allowing imports of drugs not specifically licensed for a country (e.g. in the last month, as the result of a shortage of the Novartis rabies vaccine Rabipur, an agreement between the MHRA and Department of Health has allowed Sanofi Pasteur MSD to import the unlicensed Verorabvaccine).
• Where product scarcity already exists, recalls or production shut downs will not necessarily be enforced, even when substandard products are known to be in the market place

In the US, the FDA is coming under increasing pressure from Congress to directly intervene less and collaborate more with manufacturers to resolve manufacturing deficiencies.

In Europe, the EMA has reflected on its own role in recent shortages and issued an action plan to improve inter-regulator collaboration, early warning systems, and more importantly from a manufacturer’s perspective, putting the responsibility for supply chain resilience firmly in the hands of the Manufacturing Authorisation Holders themselves.

Actions outline the need for better and more proactive risk management of production processes supported by evidence of identified weakness and corresponding contingency plans. Industry is invited to propose solutions by Q2 2013 and implementation planned for Q1 2014.

Are the vulnerabilities in your production processes (both internal and external) fully understood, prioritised and appropriately mitigated? A quantative approach to supply chain risk management highlights the most exposed links in your supply chain and allows you to evaluate the potential cost to your business of doing nothing to mitigate that loss.

The Hardening Attitudes of Reinsurers to Unspecified Suppliers

Contingent Business Interruption Risk Coverage

Natural disasters across the Globe in 2011 (the Japan Tsunami in March last year, and the Thailand Floods from July to December) have had a far-reaching and lasting impact on businesses small and large world-wide, particularly computer companies for whom Japan and Thailand-based component manufacturers and exporters serve as vital links in their supply chains.

The negative effect of these disasters (on business) has also created a hardening in the attitude of reinsurers who now seek much more detailed information on clients’ suppliers, before agreeing to provide catastrophe insurance cover. The insurance market is now insisting upon greater transparency.

The approach of Europe’s biggest and perhaps best-known reinsurers to catastrophe cover, Munich Re and Swiss Re are being reported in the financial press as hardening. In addition to raising prices for catastrophe insurance cover, reinsurers are setting an 18-month deadline on risks being quantified in detail by clients.

How it works…
A large manufacturing company will have any number of direct or indirect suppliers which represent a critical exposure to the business. Until now, insurance could be bought for all such suppliers without declaring each by individual location.

However, where a group of suppliers supplying a specific industry sector cluster in a certain geographic region, the impact of a natural catastrophe in that area can seriously damage the profitability of the sector. Where re-insurers have a large book of nat cat business in such a sector, the accumulated impact on their balance sheet can be significant. The pain is particularly acute where the suppliers have not been named (prior to the event) and re-insurers have large, unquantified accumulations.

How SCAIR can help take the pressure off
If you are concerned about the effect this hardening of attitude from reinsurers could have on your business, the discipline promoted by SCAIR is your best option when it comes to softening that impact..

The SCAIR tool (see product details here) can lead your company to identify and understand your supply chain exposures in greater detail, thus enabling you to “tick re-insurers’ boxes”, to continue to buy the insurance coverage that you currently enjoy, in the most cost-effective way.

The big advantage of SCAIR (over other supply chain tools) is that it enables you to identify exposures and to quantify them for a range of different scenarios from physical damage, such as fire, earthquake and flood to non-physical damage, such as supplier insolvency and regulatory shutdown – quickly, effectively and affordably.

Thailand Floods Devastate Hard Disk Drive Supply Chains

The impact of the recent floods in Thailand upon hard disk drive (HDD) production in the fourth quarter of this year means retailers world-wide are bracing themselves for PC shortages in the run up to Christmas.

This HDD availability issue won’t pass quickly
Production at two of the world’s largest HDD makers – Western Digital and Seagate – has been badly hit by the flooding (the worst in the country for more than a century), and it could be well into 2012 before they fully recover to normal output.

Toshiba and the HDD motor supplier Nidec have been affected too, with Nidec’s manufacturing facilities being inundated with water.

(Note: 60% of Western Digital’s HDD production is located in Thailand, along with 50% of Toshiba’s. Thailand is second only to China in HDD production.)

The HDD shortage is set to hit Notebook PC assembly/production the worst – sourcing HDDs from other suppliers will result in inevitable price rises.

Key questions to ask
The floods in Thailand have caused short-term price increases for all types of PCs, and will create shortages when manufacturers’ strategic stock runs out.

But

  • Could these shortages and the resulting supplier or sub-assembly supplier workarounds have been avoided?

And…

  • Did the PC manufacturers really understand the magnitude of their individual and collective dependency on one HDD supplier?

It’s the whole IT industry being impacted; those PC manufacturers who were most prepared with their contingency planning should be the ones that will fair best.

For some computer manufacturers and media player, set-top box and stand-alone hard drive producers, performing a supply chain risk analysis and quantifying the exposure (by sensibly investing in contingency planning/mitigations) before the floods will be feeling like their smartest business move ever now; acting on analysis findings will be providing them with a real competitive advantage.

Risk assessment and supply chain analysis is surely a ‘no brainer’ now?
Granted, the challenges facing companies in the technology industries (re: building resilience in their supply chains) are huge, with many firms claiming that, the speed of innovation is so steep, they never really have the time or resources to build true redundancy into their chains.

But surely the lesson from the Thailand flooding catastrophe is that making time to risk assess and analyse supply chains (by using a simple and effective tool like SCAIR, which helps to make sense of a complex area of risk) has to be at, or near, the very top of every type of aforementioned manufacturers’ ‘jobs to get done’ priority list from now on? Or at least well before the first raindrop of next summer’s Southeast Asia monsoon gently falls?

Sources:
www.channelregister.co.uk
www.digitaltrends.co.uk

Could the Impending ‘Solar Max’ be the Next Disaster to Hit Global Supply Chains?

Compared to sudden economic downturns, terrorist attacks, floods, earthquakes, tsunamis and the like, the next potential disaster to hit global supply chains could be pretty left-field. It’s all to do with the cyclic behaviour of the sun…

The sun’s magnetic field experiences cyclic changes that peak every 11 years (known as the ‘Solar Maximum’ or ‘Solar Max’). This is when the sun is at its most active and when severe space weather events can occur. The next Solar Max peak periods are due in 2011/12 and are predicted to be the most intense for 50 years.

The strongest solar activity was recorded in1957-8, when the world was on the verge of a technical revolution, having just catapulted Sputnik into space. Back then the US experienced a radio blackout that cut it off from the rest of the world, and voltages in electrical telegraph circuits exceeded 320 volts in Newfoundland. On that basis, the impact of the stronger activity that is predicted for 2012 is almost incomprehensible.

During a Solar Max, violent solar flares (atomic explosions) blast out from the sun at high velocity. Emissions from the flares (charged particles that form an ash cloud) produce intense bursts of radio noise that can disrupt GPS satellite navigation. Aircraft navigation systems can be particularly affected. And with the impending Solar Max having the potential to completely drown out GPS signals, the commercial aviation industry is understandably worried.

GPS is also used for emergency rescues and to synchronise power grids and mobile phone networks. Electrical disturbance and damage to power grids (caused by solar activity) can also result in closures of businesses, schools, hospitals, government buildings, etc. as well as disrupting countless domestic homes.

Returning to commercial aviation, although planes can fly without GPS, power outages can force air traffic controllers to increase the distance between aircraft, and to slow take-offs and landings, causing (massively expensive) flight delays.

Who would have thought that an ash cloud could create so much havoc!

The good news is that the potential threat of a Solar Max can be effectively risk managed. For any Risk Management/DR Specialist worth their salt, a Solar Max represents the ultimate challenge, in fact. A risk management expert will thrive on advising and guiding business infrastructure managers on the best ‘solar flare-proof’ steps to take, such as the implementation of:

  • A back-up generator supply – to ensure critical systems can be powered
  • Financial exposure/loss minimisation strategies – data system and software back-up plans to maintain uninterrupted customer-related operations (customer-facing operations, customer-service provision, etc.) 
  • Uninterrupted communication systems – for communication between management and staff, staff and customers…

These (and other safeguards) could mean the difference between a company continuing to trade as normally as possible during a Solar Max, or even going out of business altogether.

For any company, having a tailored contingent business-interruption plan in place well before the Solar Max is prudent. But understanding how resilient your global supply chains are to potentially catastrophic scenarios is paramount. With the next Solar Max drawing closer by the day, it’s essential for infrastructure managers to ACT NOW

Sources:
http://www.universetoday.com/14645/2012-no-killer-solar-flare/
http://www.newscientist.com/article/dn10189-solar-flares-will-disrupt-gps-in-2011.html
http://www.mekabay.com/infosecmgmt/solarmax.pdf
http://www.solarstorms.org/SRefStorms.html

Five Months On: The Japanese Tsunami’s Impact on Global Supply Chains

The tsunami in Japan in March this year caused a dreadful loss of life and unquantifiable human suffering. It also damaged the country’s economy and its industrial base. The full impact (in a broader, global sense), is more difficult to assess.

Five months on, has the predicted disruption to global supply chains (caused by the tsunami) really been as bad as initially forecasted? Or has it been ‘business as usual’ for the most part world-wide?

It all really depends upon just how much of a global ‘driving force’ Japan was at the time of the tsunami – how much sway Japan had on the world economy in the first place.

About Japanese car and steel production

The truth is that at the time of the disaster Japanese influence upon global supply chains overall was not as strong as one would think1, given the nation’s track record and reputation for being incredibly work-orientated, seemingly industrious to an almost inexhaustible level!

Granted, interruptions to Japanese car and steel production have, to an extent, impacted upon global supply chains, but this hardly constitutes a severe body blow to the world economy. In fact, the disruption to Japanese supply chains (for steel products and cars) may serve to create opportunities for suppliers in America, Europe and indeed other parts of Asia2.

What about the electronics industry?

Almost one fifth of all global technology products are made in Japan. And although some major importers of electronic products and components have other suppliers primed to ‘step in’ should their Japanese supply chain suddenly be interrupted, those without a good continuity plan have felt the frighteningly far-reaching effect of the tsunami. Significant supply chain interruptions were caused by the closure of several major Japanese ports and the temporarily closure one of the few silicon wafer foundries.

As a result of delays in the arrival from Japan of electronic components (semiconductors, silicon wafers and memory chips) and goods (digital cameras, music devices, laptops and televisions, etc)2, some manufacturers’ and retailers’ reputations across the Globe have been eroded, their sales have significantly dropped (with their profits plummeting in tandem, of course), and perhaps worst of all, once loyal customers are now buying their ‘must have’ video games, digital cameras, iPads, and widescreen TVs, etc., elsewhere.  Never to return?

Sony’s Troubles Mount
The natural disaster hit Sony hard in an already declining market and a period of unfavourable exchange rates. Sony’s Q1 results reported costs totalling $66m for restoration, loss of inventory and production downtime4. Additionally, Sony’s CPS and PDS segments saw a drop in sales due to the restricted availability of some components for certain product lines and decreased production capacity due to damaged manufacturing equipment.

Further supply chain problems were experienced in the UK on 8th August when Sony’s compact discs and DVDs warehouse in Enfield was burnt down during the UK riots. The warehouse was reported to be Sony’s only content products depot in the UK5. This certainly isn’t a good time for Sony, which is still reeling from the Play Station cyber-attacks that shut down parts of their network from April until July 2011.

References/Sources

1&2 Movehut / The Impact of the Japanese Tsunami

3 Freightwatch / Japan Earthquake and Tsunami and the Impact on the Electronics Supply Chain Industry

4 http://www.sony.net/SonyInfo/IR/financial/fr/11q1_sony.pdf

5 http://www.theregister.co.uk/2011/08/09/sony_warehouse_london_riots/