CHAPTER 13

Business Continuity and Supply Chain Security

Business interruptions can take many forms: natural disasters, such as the earthquake and ensuing tsunami in Fukushima, Japan; labor stoppages similar to the occurrences on U.S. West Coast docks, a health crisis where segments of a population are required to be quarantined, or social unrest and wars.

These types of events are growing in numbers as well as increasing in severity. In an ideal world, incident response is the execution of a well-thought-out, focused, and rehearsed plan that engages the entire team that will manage the future crisis.

Resiliency is the capacity to recover quickly from difficulties, a toughness. It is also the ability of an object to spring back into shape, or elasticity.

Regardless of the type of business interruption, the fundamental role of a manager in business continuity is to protect the brand and company by resuming “normal” operations as quickly as possible with a minimum of disruptions to the company.

When a business continuity plan is implemented, vital resources such as cash, people, and facilities are being diverted in unusual ways to ensure the long-term viability of operations. Therefore, it is much easier to have these discussions prior to the emotion of a developing or ongoing disaster when a business is in the thick of protecting itself.

The subject is vast and entails literally every aspect of a company. For many, the only experience with managing in this environment comes as an exercise of survival when disaster strikes. Others have had to learn the practice from repeated incidents over time.

The first step for building a business continuity process is to do a self-assessment, starting with examining the company’s tolerance for risk through its people, processes, and tools:

 

•What defines a crisis that would trigger the formation of a response team?

•Who would be on this team?

•How does the team communicate and to whom do they report the details of their activities?

•If a disaster occurred would the company be resilient and keep going, or limit its losses via insurance and/or just pick up and move?

•Finally, are the systems agile and scalable to support changes in operations, or is the business back in manual mode?

From here, a basic framework can be created for managing under crisis.

 

Disaster Preparedness

There is nothing worse than trying to quickly find contact information for team members and suppliers during a crisis. A dynamic contact document must be updated regularly; it is necessary to create one at the outset of a business continuity process. Call logs should be kept, with meeting minutes and status checks sent after all meetings, so that information is understood and shared by all participants. There are no secrets—everyone is in the crisis together. All activities are updated and distributed at least once per day.

Two types of communication are provided as a business continuity plan is administered:

 

•Technical experts and practitioners managing the process

•Leadership updates

 

Leadership

Too often companies do not have the time or resources to foresee the impact that a disruption may have on their business. Rather they wait until an event or disturbance occurs, and then reactively manage the resulting situation. This lack of preparation can turn what might be a small disruption into a full-fledged crisis. A business may have the processes and tools to manage through a crisis, but if the leadership team is not actively engaged and/or is constantly second-guessing the frontline managers’ ability to execute the plan, then all could be lost rapidly.

The fundamental role of the business leader is to support the team by providing time, money, and manpower. More important, the leader provides the cover for the team to remedy the crisis. Specifically, this would be to:

 

•Distribute accurate information as quickly as possible

•Respond to incorrect information in a timely manner

•Trigger appropriate processes to keep employees, the public, and shareholders informed on an ongoing basis.

Finally, in order to be able to make these tough decisions in a timely manner for the mere survivability of the business, a leader must have previously built trust within the organization.

 

Supply Chain Security

When I would attend industry meetings, people would often ask, “What keeps you up at night?” My answer was always consistent—I was afraid someone would load something into a container of ours that would go “Boom” in the Port of Los Angeles.

With all the advancements in globalization, supply chain security has become an increasingly vital element of doing business. One incident of unwittingly transporting illegal substances, smuggling, or aiding a terrorist organization can have a dramatic impact on the P&L, as well as on working capital. Failure to adhere to minimum standards can lead to fines, penalties, and/or longer lead times due to suspension of the business’s ability to move goods around the world. There is no plausible deniability.

The benefits of operating a compliant supply chain security program are:

 

•Maintaining a good corporate citizenship that reduces risk in its supply chain

•Providing a safe and secure environment for employees, suppliers, and customers

•Reducing cycle time and operating costs by operating a lean supply chain with proper business controls.

A secure supply chain is the visible demonstration of a business’s commitment to employ processes that emphasize a commitment to a safe and secure environment for its employees, customers, products, facilities, and the communities in which they serve.

Furthermore, it is a routine way of doing business that enhances the commitment to regulatory compliance, meets customers’ delivery requirements, and exceeds productivity goals. These fundamental principles are linked by using lean processes that are supported by the leadership team, employees, and supply chain partners.

Everyone has responsibilities as shown in the following figure:

Business leadership’s role is to be visible by embracing security, perform periodic self-assessments, provide continuous improvement that remediates assessment exceptions, proactively engage the business on the subject of security, and provide clear communications with escalation paths.

Furthermore, employees are expected to escalate all concerns or observations to management while remaining vigilant and aware of the security processes. They should ensure there are no deviations from procedures while incorporating the supply chain security practices into the daily work routines

Fundamentals of a supply chain security program include the following.

 

Customer Care/Order Management

•Prevention of misuse of products by customers

•Requirement for an original power of attorney (POA)

•Keeping all customer information current

•Management to prevent unknown customers

•Use of external resources to screen customers and orders

•Refusal to receive goods from unknown locations and parties.

 

Manufacturer/Supplier

•Adoption, awareness, and adherence to the supply chain security program

•Execution of the segregation of roles and responsibilities to ensure that one individual does not control all aspects of the supply chain.

 

Facilities

•Established perimeter with efficient electronic surveillance and lighting

•Segregated shipping and receiving areas

•Effective access control, including visitor screening, driver control, and so on

•Incident reporting.

 

Sourcing

•Overall ownership of processes to communicate requirements to suppliers

•Holding the sourcing and suppliers teams accountable for supply chain security

•Ensuring contracts have a supplier code of conduct

•Refusal to accept goods from unknown locations and parties

•Collaboration between sourcing, logistics, and trade on supplier selection

•Use of external resources to screen suppliers’ orders

•Management of noncompliant business partners

•Provide documentation of memberships of other supply chain security programs—customs-trade partnership against terrorism (C-TPAT) or authorized economic operator (AEO).

 

Logistics Providers

•Creation of written procedures for bidding, selecting, and contracting processes

•Maintaining good standing in global supply chain security programs

•Provide background checks for all carriers and personnel as allowed by law

•Prohibit subcontracting without prior approval

•Immediate notification of supply chain security issues, exceptions, or violations

•Adherence to container/trailer security procedures.

 

Regulatory Partnerships

As discussed earlier, programs like C-TPAT in the United States are an example of voluntary programs implemented for trade participants to partner with Customs. The purpose is to adopt procedures and best practices to secure global supply chains. These programs include the establishment of minimum security requirements, the implementation of security best practices, and a validation assessment performed by Customs. Upon successful enrollment, participants are categorized into tiers relative to benefits versus demonstrated practices:

Tier 1—for certified members but not yet validated. This immediately reduces inspections

Tier 2—certified and validated. Targeting scores for Customs exams are lowered

Tier 3—exceeds minimum standards and has demonstrated best practices. The Green Lane at a border becomes available with no security inspections and infrequent random inspections. If inspected, the business is moved to the front of the line.

The benefits for these programs are reduced inspections and faster clearance time across borders and a priority processing for inspections. In addition, there is a reduced overall risk for the supply chain and a visible component of good corporate citizenship.

 

Cybersecurity

Cybersecurity is the process of protecting the confidentiality, integrity, and availability of a business’s IT assets (systems, data, and networks).

Conversely, compliance is the minimum a business does to meet the regulatory requirement or an industry standard. Compliance involves checklists, whereas security involves a discussion with the business about their tolerance for risk. In compliance, both the regulators and businesses are slow to acknowledge new threats, as well as slow to implement change. On the other hand, cybersecurity requirements move quickly at the pace of the market, threats, and risk profile of the business.

Resilience of a business’s crown jewels and processes is a key topic. Since cyber threats are generally not a matter of if but when, a resilience program’s objective becomes fourfold:

 

1.To maximize visibility

2.To minimize impact

3.To maximize speed to recovery

4.To continuously improve.

 

Cybersecurity is focused on a business’s critical assets first and then applied elsewhere to the next most important resources. The elements of a cybersecurity program include:

 

•Network security

•Security architecture

•Data security

•Security awareness and training

•Cyber investigations

•Malicious content management.

Many businesses elect to invest in security only after a significant event. The downside of this from a cash standpoint is that suppliers of these type of services are acutely aware of when a customer is in crisis, which is then reflected in the price. Compounding the issue is that expensive third-party professional services to implement new controls on aggressive timelines are often required during a crisis. Therefore, the best strategy is to build the process before a business’s weakness are evident.

As a rule of thumb, large corporations will spend 3 percent of revenue on IT, with small businesses doubling that. Cybersecurity can be benchmarked as a percentage of IT spend and will depend on several factors, including the risk tolerance of the company and the maturity of the cybersecurity function. Investment in cybersecurity will likely range from 2 to 10 percent of the IT budget. It is also important to note that cyber budgets are increasing now, whereas IT budgets are decreasing.

Finally, many businesses have concluded that shifting inventory back to a supplier by use of supplier portals is an effective way to manage working capital. However, this method of ensuring against threats increases a company’s risk and cost profile.

 

Final Words on Supply Chain Security

As a supply chain leader, I’ve had to develop a keen sense for detecting when a security or crisis plan is needed. I’ve also been blessed to have had a tight partnership with the security group of my company over the years. They’ve been vital in keeping us out of trouble, as well as in preventing us from getting into it!

Since the late 1980s I’ve had to implement a number of crisis management processes for a variety of incidents and subjects.

 

Public Health Emergencies

•Mexico—2009 Swine Flu Quarantine

•Hong Kong and China—2013 H1N1 Virus

•Hong Kong and China—2003 SARS.

 

Labor Disruptions

•Port of Los Angeles—multiple times

•French Warehouse and Transport Workers—burning tires in front multiple times.

 

Natural Disasters

•1989 Loma Prieta, San Francisco Bay Area, with collapsed freeways and infrastructure

•The Flood of the Century—1993 Midwestern United States

•Bali Tsunami—2004

•Fukushima Earthquake, Tsunami, and Nuclear Disaster—2011

•Icelandic Volcano—2010.

 

Civil Unrest and Wars

•LA Riots—1992

•September 11—2001

•Iraq and Afghanistan Invasions—2002

•Arab Spring and Possible Suez Shutdown—2011

•Drug Wars in Mexico—2008 to 2012.

Through benchmarking, I came to understand the following points for building and executing the process needed to manage a crisis:

 

•Don’t wait until crisis hits to build a plan

•Respond in a timely manner—the longer you wait, the more damage can be done

•Build a war room (physical or virtual)

•Build a mindset that supply chain security is everyone’s job—no exceptions

•Don’t react—be quick, but be fact-based and remember that nothing is off-the-record

•All communications should go through one channel, with a spokesperson to represent the organization throughout the crisis process

•Express empathy and concern for the victims

•Never hide anything—all problems will eventually come to the surface.

Finally, I want to emphasize the importance of the first and last points: