Managing Supply Chain Risks: The Current Challenges and Strategies for a Credible Solution

If you are a risk manager or management consultant working with a highly regulated industry, getting to grips with myriad supply chain risks is only part of the problem. Your role is also to articulate these risks in a way that makes decision-makers sit up and listen – and give the go-ahead for mitigation budgets and strategies.

Easier said than done. Perhaps some in the industry will relate to Cassandra, the Trojan priestess who was granted a double-edged power: the gift of prophecy and the curse of being believed by no one. And why would businesses release budgets for hugely costly mitigation strategies unless there’s a compelling case for action?

In this article, we’ll look at some of the most compelling current threats to supply chains for highly regulated industries such as life sciences, reinsurance and financial services. We’ll then look at factors that make managing supply chain risks and identifying areas for concern so challenging.

Finally, we’ll introduce a way to navigate the threat landscape more accurately. This can help you to present a case for mitigation that gets buy-in and protects your organisation and its profits.

Before starting, a final thought that we’ll address later. If you could put a plausible number on value at risk – backed up by convincing data – how much easier would it be to convince business leaders that mitigating actions make business sense?

7 Current Threats to Supply Chains

To start, we’ll look at risk using relatively recent developments as our examples. As we have pointed out in a post about enterprise risk management, these are not occasional interruptions but are becoming the new norm.

1. Offshoring and Consolidation

In the quest for cost reduction, some manufacturers – particularly those in pharmaceuticals – rely on a relatively small group of offshore suppliers. But cutting costs can cost you. Moving away from domestic or nearshore production increases risks of trade wars, weather risks and quality concerns. In 2021 – during the Covid pandemic – the European Parliament published a study on post Covid-19 value chains, and options for reshoring production back to Europe in a globalised economy. The message was clear – relying on distant nations, particularly in times of emergency – is something that shouldn’t happen again.

2. Regulatory Risks

A study led by Intersys with the Institute for Manufacturing at the University of Cambridge discovered that more than two-thirds of life sciences shortages were linked to Official Action Indicated Notices issued by the US FDA. Of note is that there was a higher prevalence of issues in China and India than in the US and Europe. From DORA Act compliance for financial services to the Mapping America’s Pharmaceutical Supply (MAPS) Act, suppliers falling foul of regulations can seriously affect your business operations.

3. Just in Time Manufacturing Models

Toyota’s pioneering approach was “Making only what is needed, only when it is needed, and only in the amount that is needed.” This was good for saving money on holding stock, but recent events have questioned the validity of this model when it comes to managing supply chain risks. When the container ship Ever Given, bound for Felixstowe from Malaysia, got stuck in the Suez canal for six days, it cost shipping traffic £730m. The effects were felt at one level by consumers waiting for Amazon deliveries and another by company leaders asking valid questions about the ‘just in time’ model in a fragile global trade environment. For some industries, it may be a useful model but for others – such as pharma –  just in time manufacturing may cause fundamental supply chain issues.

4. Extreme Weather Incidents

Regions where manufacturing is cheap frequently experience a disproportionate amount of weather disruption. The result is that many organisations are heavily exposed to weather-related risk. Overreliance on one region prone to extreme weather can seriously disrupt supply chains. For example, 92% of the world’s most advanced semiconductor manufacturing capacity is based in Taiwan, a country that – despite being technically one of the wettest places on Earth – in recent years has experienced supply chain disrupting drought. Insurers, in particular need to understand the true impact of climate change exposures to their portfolios. More widely, all organisations must ensure that they meet compliance rules concerning climate change.

5. Cyber Risks

A 2023 data breach report from IBM revealed that healthcare and pharmaceuticals breaches cost on average $4.82m – the highest in any sector. Pharmaceutical companies are increasingly working with third-party organisations in areas such as research and development, manufacturing, supply chains, trials and more. This increases vulnerability because these third parties will frequently have access to the parent company’s systems.

While healthcare and pharmaceuticals may suffer most, this is a widespread problem and particularly concerning for highly regulated sectors and those holding valuable intellectual property. Read our post about supply chain cyber security threats.

6. Consolidation Risks (Mergers and Acquisitions)

Managing supply chain risks may include eliminating any single source of product or service. But spreading your risk can be far more complicated than it appears at first glance. Mergers and acquisitions can have an insidious effect on good supply chain risk practices – unless you can keep up with industry developments. For instance, Company A acquires Companies B-F. Meanwhile, your several sources of crucial components become one source and your risk increases.

7. Transport and Logistics Problems

The further away your supply chain, the greater the risk of disruption and uncertainty due to transport and logistics issues. A large journey time can heighten problems associated with political upheaval, strikes, fuel price fluctuations, armed conflicts, compliance and customs regulations, and natural disasters. Quality control can also become an issue, particularly for temperature-controlled products. While Internet of Things devices can track product movements and temperatures to a granular degree, these can be targets for cyber criminals. 

If you work in pharmaceuticals, you might want to read our blog post 10 sources of risk in pharma supply chains.

Managing Supply Chain Risks: Common Solutions

Some of the most common solutions to managing supply chain risks include:

Diversifying suppliers. Ensuring there are multiple sources for critical components and geographically dispersed suppliers can help alleviate some of the most critical issues.

Inventory management. Strategically stockpiling critical materials or components  – and maintaining buffer stocks to manage short disruptions – can help to ride out a supply crisis.

Nearshoring. According to a supply chain article in Forbes, ‘… companies are progressively transferring part of their production to countries close to their markets and with similar time zones, in order to minimize the effects of disruptions in supply chains’. Supply chain risks associated with COVID 19, the Russia-Ukraine war and political and trade tensions between the USA and China are factors driving this emerging strategy.

Insurance and financial hedging. Insurance can transfer some supply chain risk and financial instruments can hedge against price volatility.

But… How Do You Deal with a Problem if You Don’t Know You Have a Problem?

Looking at solutions to supply chain problems may be jumping one step ahead. Before mitigating strategies can be implemented, supply chain risk managers must know that they have a problem in the first place. And that turns out to be a far more complex undertaking than it might appear to be at first glance.

Monitoring suppliers and supply chains is a fundamental function of a risk manager or business consultant. However, several common issues make understanding threats to an organisation – and making the case for mitigating budgets and strategies – extraordinarily difficult.

Firstly, risk managers often work within finance departments and do not intimately understand the manufacturing process. To put it bluntly, an advanced knowledge of risk modelling is not going to cover for that lack of understanding about how Industry A or B works at the granular level. This knowledge gap can be significant in terms of managing supply chain risks and lead to a failure to recognise critical dependencies within the manufacturing chain.

Furthermore, supply chains can be notoriously opaque. Tracing the full extent of their supply networks, especially beyond tier-one suppliers, can be tricky. Weak points lurk, unidentified, until the proverbial hitting-of-the-fan incident occurs. Even if supply chain oversight is fair or good, there’s no guarantee that supplier reporting will be. Incomplete or outdated information (particularly relevant to fast-moving situations such as wars or climate incidents), and different reporting standards and criteria can all lead to an incomplete and complex picture. Consolidating data into anything meaningful may become an impossible task.

The takeaway is that risk managers can find themselves lacking the experience and data to scrutinise potential areas of concern and develop a convincing case for mitigation.

All of these challenges occur in a climate where the case for mitigation must be unassailable. Because, while organisations may offer lip service to a need for supply chain resilience, they’re also likely to push back hard against the cost of mitigating measures – unless there’s an unimpeachable case for action.

There Are Solutions to Supply Chain Monitoring, But They Often Don’t Work

Risk managers or organisations who rely on spreadsheet data may realise this isn’t going to cut it and begin to shop for supply chain risk software. This is a step in the right direction but, in most cases, it’s going to present its own problems.

As the previous section reveals, supply chain mapping can be an incredibly complex and time-consuming problem. Inevitably, risk managers will do what they can and then expect the platform to fill in the gaps. It will, but perhaps not in the accurate and diligent way you require. In a phenomenon brutally described by software engineers as ‘rubbish in, rubbish out’, your outputs are only as good as the data you feed it. And, as we’ve seen, getting the right data can be notoriously difficult.

Essentially, if you don’t dig deeper into your supply chains, you’ll get the same poor-quality data dressed up in shiny user interfaces, colourful reports or next-generation AI analysis. And your case for managing supply chain risk will be swiftly picked apart by your CFO, COO and board of directors.

What SCAIR® Offers and Why It’s Different

At this point, we won’t suggest there’s a one-button solution to this incredibly complex problem. But we will show you how our supply chain risk software, SCAIR®, does something very different to many competitors to help you overcome the issues outlined above and create a powerful case for mitigation.

Launched in 2006 and the first pharma supply chain risk management software to go to market in the UK, SCAIR® can help you to visually map supply chains, assess threat impacts, stress-test supply chains and respond to threats.

SCAIR® is different from many competitors because it is more than a software solution. Our supply chain risk assessment software can help you to identify risks for both internal (owned sites) and external (suppliers and contract manufacturers) sites. We then provide an objective assessment process to help shape your business’ supply chain risk mitigation strategies.

In fact, SCAIR® software and consultancy is an opportunity to finally rethink your whole approach to managing supply chain risk and embrace a powerful new methodology. The outputs will become powerful cases for introducing budgets for risk-mitigating strategies and help you, finally, command the data you need to perform your role to the highest ability. You’ll:

It also does something few if any competitor products can: SCAIR® provides a credible value at risk figure. This can become the centrepiece of your risk mitigation analysis and a compelling motivator for action.

SCAIR® is used in highly regulated industries such as life sciences and financial services by supply chain risk managers, management consultants, insurance managers, business continuity managers, insurers, and procurement managers.

To find out how our supply chain risk management software and consultancy can help you in managing risk, get in touch to find out more.

Call us: +44 (0)20 3005 4440

Email support@supplychain-risk.com

Head Office: 1 Bourne Court, Woodford Green, Essex, IG8 8HD

Cambridge Office: 3 Laundress Lane, Cambridge, CB2 1SD

TCFD And Supply Chains: Why There's No COP Out for Businesses on Climate Disclosures

SCAIR® can quantify the impact of climate change on supply chains

Businesses can leverage existing technology to meet the requirements of the TCFD that live on.

Goodbye TCFD. Hello ISSB. Regardless, climate risk disclosure requirements aren’t going anywhere.

Cop28 saw all the drama we’ve come to expect from climate summits, culminating in either a “historic” deal or a missed opportunity – depending on your point of view. The headline was an international agreement to “transition away” from fossil fuels and to speed up action before 2030 with “ambitious” national emissions targets over the next two years.

Away from the headlines and targets, however, there was also stock-taking and housekeeping. Among these announcements during the summit was news from the Financial Stability Board – the international body promoting stability in the global financial system – that the work of the TCFD (the Task Force on Climate-Related Financial Disclosures) was done.

“[T]he work of the TCFD has been completed, with the ISSB's Standards marking the culmination of the work of the TCFD,” came the news.

A Short History of the TCFD

The TCFD was formed in response to the failings of the 2015 Paris Climate Accords by the G20 group of nations and the Financial Stability Board.

Recognising that climate presented systemic financial risks to the economy akin to those revealed by the 2008 banking crisis, the TCFD was tasked with creating recommendations for companies to inform investors about their efforts to address these risks.

As the TCFD put it: “Financial markets need clear, comprehensive, high-quality information on the impacts of climate change. This includes the risks and opportunities of rising temperatures, climate-related policy, and emerging technologies in our changing world.”

The recommendations provide a framework for disclosure across four pillars:

Initially voluntary, the recommendations have rapidly worked their way into national and international regulatory regimes.

The UK took an early lead, announcing in 2021 that it would become the first to mandate climate-related data disclosures for the country’s largest companies to align with the TCFD recommendations – spreading to all organisations by 2025.

Internationally, standards bodies such as the UN PRI (Principles for Responsible Investment) also require mandatory reporting from signatories.

TCFD and Supply Chains

Crucially, the TCFD recommendations go beyond existing regulations on reporting Scope 1 (direct) greenhouse gas emissions or Scope 2 emissions (from energy consumption). It includes collecting data on Scope 3 emissions (from organisations up and down its value chain), which has been voluntary to date and much more – encompassing all material risks and opportunities.

That includes physical risks (such as flooding and other extreme weather events) and transitional – the policy and legal, technology, market and reputational risks arising from the world’s efforts to tackle climate change.

Again, as the TCFD makes clear, risks should be considered (and disclosed) in terms of not just their effect on the organisation directly, but also where they impact the supply chain. “Physical risks may have financial implications for organisations, such as direct damage to assets and indirect impacts from supply chain disruption,” it noted.

Organisations’ financial performance may also be affected by changes in water availability, sourcing, and quality; food security; and extreme temperature changes affecting organisations’ premises, operations, supply chain, transport needs, and employee safety.

That applies equally to transition risks – such as policy and legal issues: “Organisations should assess not only the potential direct effects of policy actions on their operations, but also the potential second and third order effects on their supply and distribution chains,” the TCFD noted.

Gone but not Forgotten: TCFD Requirements Remain

While the TCFD might have been disbanded its recommendations live on; its work has been completed, but for many businesses their work has just begun.

According to the IFRS, the ISSB (International Sustainability Standards Board) Standards – IFRS S1 and IFRS S2 – launched in June 2023, fully incorporate the TCFD recommendations. The standards are, in fact, “the culmination of the work of the TCFD”, according to the FSB.

IFRS S1 provides a set of disclosure requirements designed to enable companies to communicate to investors about the sustainability-related risks and opportunities they face over the short, medium and long term.

References to governance, strategy, risk identification, and performance assessment will be familiar from the TCFD recommendations. IFRS S2 sets out specific climate-related disclosures and is designed to be used with IFRS S1. The TCFD recommendations’ influence is obvious again, with discussion of both physical and transition risks.

The standards are built on the concepts that underpin the IFRS Accounting Standard used worldwide, and the IFRS Foundation will take over the monitoring of companies’ progress on climate-related disclosures.

Consequently, the need to identify, evaluate and report on climate-related risks in the supply chain remains pressing– and not just in the UK.

New Zealand is another mandating disclosures, even ahead of the UK, while TCFD has regulatory backing across jurisdictions, from the European Union and Canada to Japan, Singapore, and South Africa.

SCAIR® and TCFD

There is, however, no need to reinvent the wheel. Much of the analysis required to satisfy the TCFD requirements can be performed by existing risk management technology that is the same or similar to that required for supply chain risk management.

In fact, for those using solutions such as SCAIR®, there is a significant risk of repeating work already done if organisations turn to consultants or others for help with TCFD/IFRS disclosures without first examining the information they already hold.

SCAIR® has long been more than TCFD ready. Watch this video on how SCAIR quantifies the impact of climate change on supply chains.

As part of its general loss estimate algorithms, it can generate mitigated and unmitigated figures across nodes, sites, and entire product portfolios.

Not only does it automatically calculate these figures in greater detail and with more nuance and confidence than consultants will achieve manually; it also does so according to a methodology accepted by the London Insurance Market.

That is a crucial point, given that standardisation and consistency in climate risk disclosures, as well as visibility, have been key aims of the FSB, TCFD and IFRS.

Using SCAIR®, businesses can quickly identify key exposures across different geographies to evaluate transition risks and get the most accurate data on natural catastrophe and climate change-related risks by tapping into Munich Re’s Location Risk Intelligence Suite , one of the most trusted names in location-based Natural Hazards risk intelligence.

With clear – and up-to-date – views on their own exposures through the supply chain, businesses can easily provide the required disclosures to investors, regulators and other interested parties.

More importantly, they can effectively manage the risks – to prepare for the future, whatever happens at the climate summits ahead.

New Business Interruption Insurance for Pharma

image of red and white capsules arranged to make up a world map

Crucial cover for pharma with new business interruption insurance

We’ve seen all too often the disruption events such as extreme weather can bring to pharmaceutical production, but it doesn’t always require a natural catastrophe to shut things down. The end-point of regulatory risk is also often lost production while businesses are forced to remediate problems by regulatory sanction or the threat of it.

And, while the hurricane season is geographically confined, businesses operating in possibly the world’s most heavily regulated sectors can be hit wherever they are. Enforced and pre-emptive shutdowns due to manufacturing deficiencies are estimated to have cost pharma businesses about $10 billion since 2001.

For the most part, it’s a cost they have had to bear alone.

Uninsured losses

image of black downward arrow against a backdrop of money showing business losses

Unlike fires, floods and storms, regulatory risks are not covered by standard business interruption (BI) policies related to property damage. For cover, the interruption usually has to be the result of insured risk, and insurance don’t usually help with regulatory fines as a matter of public policy.

Nor will the losses necessarily be picked up by other policies. As this post explains, one recent case saw a producer with suspected contamination at its manufacturing site unable to claim even under its business interruption cover for extortion property damage: With no actual extortion demand materialising, the interruption was solely the result of a regulatory order to suspend production until the site could prove a quality control process preventing tampering with capsule batches.

Likewise, Contaminated Products policies often have restrictions that prevent a claim for regulatory interruptions.

Introducing  non-damage business interruption (NDBI) 

It’s these gaps that a new Non-Damage Interruption Policy for the pharmaceuticals sector from Munich Re, which we’ve working with, seeks to address.

It covers the complete or partial shutdowns of production on the orders of regulatory authorities, and even instances where companies suspend production to pre-empt a forced closure and protect brand and reputation.

It’s another valuable tool in mitigating the risks that pharma businesses face – and plugging a gap in coverage that’s existed for too long. As with any insurance, though, to see its value and apply it properly, businesses first have to identify and understand their risks. As one of the first businesses to take up the policy explains in the Munich Re post, that means starting by modelling exposures and quantifying supply chain risks. And that, of course, is what we’re all about.

Major business interruption events challenge the robustness of global supply chains

2010 – a year of surprises? Or was it all pretty predictable?

2010 started uncomfortably for certain organisations with freezing Eurostar trains stuck in the Channel Tunnel and the threat of Pandemic flu still just lurking just over the horizon. April brought disruption for many more companies with the volcanic ash cloud casting an impenetrable shadow over the movement of goods and people in Europe. Car production lines came to a standstill when critical components were failing to arrive ‘just-in-time’.

Such headline grabbing events are always followed with the inevitable probing questions:
• Should these organisations have been better prepared for such eventualities?
• Where were their contingency plans?

The defence is invariably that “these acts of God were unforeseeable”. Is that acceptable in the current age of “if it can go wrong, it will”? After all, we live in a world that does not tolerate disruption – there’s no room for slippage in our modern, just- in-time existences.

This provided a topic for discussion on Radio 4’s ‘The Bottom Line’ a couple of weeks ago. Their general conclusion seemed to be plan for the ‘FORSEEABLE’ (aka freezing trains), but don’t waste your time planning for the UNFORSEEABLE (aka Ash clouds). If you don’t respond well to the Forseeable then you look silly - the Unforseeable you can get away with.

Well, there is a parallel argument that goes something along the lines of 'plan for the effect rather than the cause'. There is no point in trying to plan for every single unforseeable scenario (cause), but there is a great deal of value in planning for the impact of the unknown threat ( the effect). Analysing the impact focuses risk mitigating actions on the most exposed areas.

Supply Chain Interruption Software Demonstration

If you're a Risk Manager, Supply Chain Professional or just someone concerned with the health of your manufacturing functions, how can you be sure you have fully considered your supply chain vulnerabilities?

Our software, SCAIR: Supply Chain Analysis of Interruption Risks, helps you fully analyse the risks to your business, and ensured you have considered mitigating correctly against profit variations caused by Supply Chain Interruptions.

Click here for a walk through demonstration of the software.

For more information, call Catherine Geyman on 0845 094 8925 or contact us online.