a layered approach for business continuity risk assessments in the supply chain

A Layered Approach for Business Continuity Risk Assessments in the Supply Chain – Case Study

Courtney Foster, Supply Chain Solutions Manager – EMEA

Copyright © 2014 BSI. All rights reserved.

Upload: the-business-continuity-institute

Post on 16-Apr-2017


BSI Overview

BSI Group
• World’s first National Standards Body
• BSI issues over 2,000 standards each year
• Performed more than 150,000 assessments in over 150 countries last year
• 64 offices and regional hubs in UK, Hong Kong and USA

BSI Supply Chain Solutions – Professional Services
• Over 20 years of experience in assessing global supply chain risks, threats and trends
• Leading provider of supply chain security, corporate social responsibility and business continuity intelligence, data and analysis
• Global auditor base to deliver second party audits in areas of quality, security, GMP/GDP, corporate social responsibility, and business continuity
• Sole provider of supply chain security intelligence to the US Customs security program

Why does Supply Chain Risk Matter?

Supply Chain Disruption – Proof of Rising Concern

• 2014 BCI Horizon Scan Report Top Concerns: Supply Chain Disruption - #16
• 2015 BCI Horizon Scan Report Top Concerns: Supply Chain Disruption - #5
• 11 place increase
• 44% of respondents stated that “increasing supply chain complexity” was a trend on the radar for evaluating business continuity implications (2015 BCI Horizon Scan Report)

Complexity in Gaining Visibility into Multi-Tier Supplier Relationships

[Diagram: Importer, Agent, Vendor, Factories 1 to 4, Tier 2 component provider, Tier 2 subcontractors, Tier 3 raw material providers, raw materials]

• Business Partner with factories in multiple countries
• Agents can be associated to multiple Business Partners, Locations, Subcontractors, etc.
• Subcontracting partial production to other factories
• Raw Material providers to finished good factory

Supply Chain Complexity is Increasing

Constant Changes
• Facility locations
• Supplier churn rates
• Legal & other requirements

Fragmentation
• Price pressure
• Just in time shipping
• Globalization
• Capital flow

Lack of Strategic Connectivity
• Internal departments
• Multiple initiatives
• Resources to manage

Complex Networks
• Intermediaries
• Subcontractors
• Domestic importers
• Wholesalers

Inability to Deliver to Your Customers on Time

• 25% of companies reported losses greater than $1 million due to supply chain disruption in 2013
• 76% reported at least one supply chain disruption
• $300 BILLION LOST GLOBALLY DUE TO POLITICAL INSTABILITY AND NATURAL DISASTERS IN 2013
• 28% said they have no business continuity arrangements for their suppliers


Automotive Industry Case Studies

Two examples of Business Continuity Disruption

1. Explosion at a factory in Germany

2. Natural Disaster wipes out key factory in Japan


Explosion at Germany Factory – Single Source

Facts
• Explosion and subsequent fire at a factory in Germany
• Plant manufactured key component (Nylon 12) in a resin used to make a specific plastic, which is then used in fuel and brake lines
• Suppliers for the major car companies all sourced from the factory and had no contingency plans for replacing the supplier
• Affected at least a quarter of worldwide supplies for the resin

Effects
• Shortage hampered finished auto production in the United States/Europe
• Some alternate materials are available but had to be tested and approved prior to substitution
• Imposed indirect costs as companies thoroughly tested alternative chemicals

[Diagram: Auto Companies, Supplier 1, Supplier 2, Supplier 3, Single PA12 Supplier]

Japan Tsunami – Single Source Paint Pigment Supplier

Facts
• Factory in coastal town of Onahama severely damaged due to Japan Tsunami/Earthquake
• Makes Aluminum-flaked Xirallic pigment that makes the paint sparkle
• Significant stock of that paint pigment kept at the single factory
• 3-month disruption in production at factory before normal operations resumed

Effects
• Automakers worldwide were forced to stop making cars of certain colours
• Customers with existing orders were asked to choose new colours
• Studies show customers will leave a dealership if it doesn't have a vehicle in a particular hue – significant brand problem
• Short-term inability to find alternative pigment supplier
• Procurement disruptions in standard buying practices
• Awareness of need to increase visibility below Tier 1 suppliers

What did the Auto Industry do to Improve?

Automakers and suppliers are:
• Mapping out supply chain to gain visibility into Tier 2 and 3 single source
• Double-sourcing more critical parts
• Moving facilities from high risk natural disaster areas
  • Due to new efforts to understand macro, country risk
• Risk-assessing resiliency procedures for suppliers
• Improving emergency plans for suppliers – Corrective Actions
• Stockpiling bigger inventories at multiple sites

Can you answer?

1. How many suppliers do you have?
2. How many are direct vs. indirect?
3. Do you actively verify the living profiles of your suppliers?
4. Have you conducted risk assessments of all your suppliers?
5. How many have you physically visited?
   a. What are the issues and where?
   b. What improvements have you made?
6. Does your supply chain adhere to your corporate values?
7. Can you tell your supply chain story?

What good looks like – Risk Management Process

1. Ensures corporate values are aligned across Supply Chain, R&D, Procurement, Risk and Compliance, and Sustainability; avoids opposing forces.
2. Keeps an active database of living and approved supplier profiles.
3. Conducts supplier risk assessments relating to product type, country, private label, critical items, economic or reputational risk issues.
4. Categorizes suppliers into risk profiles.
5. Allocates resources and activities to areas of greatest risk.
6. Conducts on-site validation of critical or higher risk suppliers to verify profiles and measure if they adhere to corporate values.
7. Measures, monitors and improves the performance of suppliers and supports those that adhere to corporate values.

A Layered Approach to Supplier Risk Assessments

Case Study Example

Progression Towards Maximum Compliance

[Diagram: four layers plotted against two axes, SUPPLIER PERFORMANCE and INCREASED SUPPLY CHAIN VISIBILITY AND COMPLIANCE]

Entry Level Layer
• Manual Supplier Self-Assessments
• No Geographic Risk Intelligence

Layer 1
• Manual Supplier Self-Assessments
• Supply Chain Geographic Risk Intelligence

Layer 2
• Automated Software for Supplier Self-Assessments
• Supply Chain Geographic Intelligence

Layer 3
• Risk Methodology for On-site Audits
• Corrective And Preventative Action Plans

Entry Level Layer

• Manual Supplier Self-Assessments
• No Geographic Risk Intelligence

Questionnaire Development

Objectives and Criteria Goals of Questionnaire
• Social Responsibility
• Business Continuity
• Code of Conduct
• Quality

Questionnaire Functionality Needs
• Attachments needed?
• Additional supporting text needed?
• Weight of questions
• Question scored in risk calculation?

Sending Assessments from Personal Email

• Large attachments needed to be sent and received
• Digging through archives for supplier responses
• Inability to have multiple internal representatives send assessments
• Mass communication limitations
• Read receipts difficult to obtain for emails
• Tracking change requests for new supplier email points of contact
• Follow-up emails required; reminders not customized based on status
• Multiple points of contact for supplier

Language Barrier Between You and Your Suppliers

Obstacle:
• You have suppliers you wish to assess in foreign countries who may or may not speak your native language

Without an Automated Software Tool:
• You send out an email with the assessment in English and they may not understand the request
• The supplier may not speak English very well, so they may misunderstand the questions
• They choose to translate the questions through Google, causing information to be lost in translation
• They choose to translate their answers through Google back to English, which gives you a jumbled mess of words that may or may not be correctly translated
• They choose to answer the assessment all in their native language, leaving you to decipher their answers yourself
• They do not complete the assessment because they do not understand

Excel Spreadsheet Tracking Completed Assessments

• Inability to understand where different suppliers are in completion process
• More difficult to filter suppliers based on region, division, product type, SAP number
• Tagging suppliers to specific buyers/agents more difficult
• Hard to track number of reminders, date sent, and the wording of the different emails

Traditional Risk Assessment Approach

Supplier “A” – Checklist Results: 70% Compliant
Supplier “B” – Checklist Results: 70% Compliant

• Assume suppliers are EQUAL risk based on their compliance scores from a simple checklist
• Single-focused self-assessments sent out manually from own email
• No geographic risk incorporated
• No automation
• Unsystematic, single-focused audits

Unsystematic, Single-Focused On-Site Audits

• Business Trip Audits
• Over-Auditing
• Under-Auditing
• Single-Focus Audits

Layer 1

• Manual Supplier Self-Assessments
• Supply Chain Geographic Risk Intelligence

Analyzing the Geographic Threats to Supply Chains – The Minimum Approach

[Diagram: Google and Government Tracking & Alert Websites, labelled “Insufficient or incorrect information”]

You cannot look at traditional Travel Security or Political Stability risk and apply it to supply chain threats

• This generic threat information gives an inaccurate assessment for issues related to supply chain
• Much of it is not applicable to supply chain threats
• This information does not assess threats in context to other threats in other areas
• The information is dated and does not provide active monitoring for a changing world

Supply Chain Geographic Risk Intelligence

PERU

Generic Geographic Risk
• Travel Security: Guarded Risk
• Political Stability: Guarded Risk

Supply Chain Specific Geographic Risk
• Natural Disaster Exposure: High Risk
• Natural Disaster Resiliency: High Risk
• Man-made Disruption: Elevated Risk
• Risk of Government Default: Elevated Risk

Country Risk Overview

| Country | Number of Suppliers | Business Continuity Risk Rating |
| ARGENTINA | 5 | 3 |
| AUSTRALIA | 4 | 1 |
| AUSTRIA | FUTURE | ?? |
| CHILE | 1 | 1 |
| CHINA | 52 | 5 |
| COLOMBIA | 6 | 3 |
| CZECH REPUBLIC | FUTURE | ?? |
| DENMARK | 8 | 1 |
| FRANCE | 18 | 1 |
| IRELAND | FUTURE | ?? |
| MEXICO | 12 | 3 |
| RUSSIA | 6 | 4 |
| SWITZERLAND | FUTURE | ?? |
| UNITED KINGDOM | 10 | 1 |
| UNITED STATES | 45 | 1 |

• Procurement comes to Supply Chain divisions to inquire about country risks in emerging markets and new business ventures
• If you’re only assessing current source countries, no analysis readily available
• Manual analysis of country risk prevents the ability to view country risks in a context of a regional view


Supply Chain Geographic Risk Intelligence

Incorporation of Supply Chain Geographic Risk Intelligence into Assessments

Supply Chain Geographic Risk Variables
• Human Rights
• Environmental
• Working Conditions
• Natural Disasters
• Counterfeits

Supplier “A” (Philippines) – Checklist Results: 70% Compliant + Supply Chain Geographic Risk Variables
Supplier “B” (Taiwan) – Checklist Results: 70% Compliant + Supply Chain Geographic Risk Variables

| Supplier Name | Country | Compliance Score – Overall | Geographic Risk – Human Rights | Risk Factor – Annual Value of Spend | Overall Risk Score |
| Taipei Machines | Taiwan | 70% | Elevated | Tier 1 | 3 |
| Manila Parts | Philippines | 70% | Low | Tier 2 | 2 |
| British Electronics | England | 90% | High | Tier 2 | 2 |

Manual Generation of Supplier Risk Reports

Many due diligence programs require “evidence of implementation” to show exactly how you approach the supplier risk assessment process.

• Problems manually compiling all of the information gathered on a single supplier
• Formatting of manual reports can be time-consuming
• Number of reports that need to be generated can be overwhelming
• May have to compile many reports on a daily basis if assessments are completed regularly

Layer 2

• Automated Software for Supplier Self-Assessments
• Supply Chain Geographic Intelligence

Best Practice Risk Algorithm Components

Country Risk + Audit Results + Business Criticality Variables

• Probability – Country Risk: country risk variables based on specific risk area of concern
• Vulnerability – Audit Results: questionnaire components based on specific risk area of concern
• Impact/Consequence – Business Criticality Variables: overarching Business Relationship variables, applicable to all risk areas

Automation and Customisation of Supplier Risk Assessment Process

[Diagram: Commodity, Chain of Custody Gaps, Compliance with Assessment, Assessment Compliance, Annual Value, Country Intelligence and Industry-Specific risks = Automated and Holistic Risk Calculation for Global Suppliers; Holistic Risk Output]

Macro and Micro Views of Risk - all levels within organisation

[Screenshots: Assessment Report, Dashboard KPIs]

Automation of Communication and Continuous Monitoring

• Eliminating manual sending of communication to suppliers

• Eliminating the manual tracking of completion status

• Automatic reoccurrence of assessment intervals

Layer 3

• Risk Methodology for On-site Audits
• Corrective And Preventative Action Plans

Identifying and Correcting Weaknesses - Corrective And Preventative Action (CAPA)

The CAPA process is designed to identify and correct weaknesses from a completed assessment report

Biggest fault in risk assessment methodology is forgetting CAPA step

Analysing and Reviewing Self-Assessment Results

[Bar chart: self-assessment results by category, axis 0% to 100%. Categories: C4 - Business Governance; C5 - Employment Policies - Wage and Remuneration; C6 - Health and Safety; C8 - Environmental Management; C9 - Quality Management; A2 - Supply Chain Traceability; A4 - Equal Opportunity and Freedom of Association; A6 - Business Continuity Management]

• Business Continuity weaknesses identified
• Deep Dive audit for Business Continuity issues

Risk-Based On-Site Auditing

[Diagram: Supplier, + Supply Chain Geographic Risk Variables, On-Site Audit]

Refine Audit Strategy Using Risk-Based Methodology

[Diagram: Financial spend, Country Risk Intelligence, Self-Assessments, Corrective Actions & On-site Audits; 100 Suppliers, 50 Suppliers, 10 Suppliers]


Contact Us

Courtney Foster
Supply Chain Solutions Manager – [email protected]
+44 7920 768383

This presentation was delivered at a BCI forum event.