Supply chain response to global terrorism: a situation scan

Download 62.8 Kb.

Date	16.04.2016
Size	62.8 Kb.
	#7497

SUPPLY CHAIN RESPONSE TO GLOBAL TERRORISM:

A SITUATION SCAN

Yossi Sheffi*, James B. Rice, Jr.*, Jonathan M. Fleck*, Federico Caniato°

* Center for Transportation and Logistics, Massachusetts Institute of Technology

° Department of Management, Economics and Industrial Engineering, Politecnico di Milano

ABSTRACT

After 9/11/2001 companies have faced unexpected disruptions in global supply chains due mainly to the reaction of the U.S. Government to the terrorist attack. As a response, the MIT Center for Transportation and Logistics has started a broad research project named “Supply Chain Response to Global Terrorism”. This paper is based on exploratory interviews and case studies, aimed at investigating the way companies are dealing with this new concern, focusing mainly on three issues. Firstly, how companies define and assess terrorism-related risk, introducing the concept of failure modes that are common to all the sources of risk affecting the supply chain. Secondly, how the supply chain can be protected, through higher levels of security. Finally, the various ways to achieve resilience, i.e. the ability to respond to unexpected disruptions. We conclude that companies can reduce and mitigate risk through different combinations of initiatives that can be equally effective if they are coherent with the specific context.

Keywords: Terrorism, Supply Chain Security, Resilience, Supply Networks, Disruption

INTRODUCTION

After the attack to the World Trade Center and the Pentagon on September 11, 2001, companies are starting to realize that the threat of terrorism is affecting their ability to operate and successfully carry on their business. Not only several firms have been directly hit by the destruction of the Twin Towers, having their offices inside those buildings, but almost every supply chain was affected by the closing of US airspace grounding of the planes and by the closure of the borders that immediately followed. Ford, for example, had to shut down five of its U.S. plants, partly because it could not get enough parts from suppliers in Canada. The result was a 13 percent drop in production in that quarter (Andel, 2002).

The U.S. Government response not only affected business operations in the aftermath of the attack, but it is still influencing international shipments through new regulations, thus extending the impact to global firms. The U.S. Customs is now strongly encouraging importers and freight carriers to certify their sources and assume responsibility for cargo security (Custom-Trade Partnership Against Terrorism).
To investigate the broad issue of how the threat of terrorism is affecting the supply chain, a comprehensive research initiative is currently in place at the Center for Transportation and Logistics of the Massachusetts Institute of Technology. The project, named “Supply Chain Response to Global Terrorism”, is very broad, and covers different areas: the manufacturing and distribution industry response, the risk management and insurance industry response, the U.S. Government response, the experience of past disasters, and the use of real options to evaluate flexibility.
This paper presents some preliminary evidence collected in the initial, explorative phase of the project, focusing in particular on how companies have been affected and are now reacting to the threat.
BACKGROUND

Research so far has focused on many issues that can help provide useful insights on how to deal with the threat of terrorism, but only a few authors have focused directly on this specific issue.

Within Supply Chain Management literature, a rich stream has dealt with the general issue of managing risk. Many authors have traditionally dealt with the uncertainty deriving from market volatility, ranging from the study of the amplification of fluctuations along the supply chain (the bullwhip effect, Forrester, 1961) to the development of solutions to manage this kind of risk (see e.g. Tsay et al., 1999 for a review of supply chain contracts).

However, market uncertainty is only one of the sources of risk for the supply chain. Zsidisin (2001) reminds that another relevant source of risk lies within suppliers and the supply market. These supply risks can significantly affect the ability of an organization to achieve financial success. For example, the Taiwan earthquake of 1999 created serious financial loss for many high technology firms because supply was constrained which caused factory slowdowns and missed market opportunities.

In particular, a disruption in supply can affect companies a long way down the supply chain, showing how important it is, today, to consider not only the risk of a single company, but also of the many links in the supply network (Souter, 2000).

From a broader perspective, consequently, supply chain risks can derive from many different sources and impact different parts of the supply chain. Lindroth and Norrman (2001) suggest a framework for assessing and positioning supply chain risk issues, according to three dimensions: unit of analysis (from the single logistics activities to the whole supply network), type of risk (operational accidents, operational catastrophes and strategic uncertainties), and risk handling focus (risk analysis, risk assessment and risk management).

A limited number of authors, however, address directly the issue of terrorism-related risk. Sheffi (2001) introduces the problem and presents a variety of issues that are described in terms of three themes: how to deal with the aftermath of a terrorist attack, how to operate under heightened security and how companies should collaborate with the public sector to face the threat.
Martha and Subbakrishna (2002) show how the effect on the supply chain of a large scale terrorist attack can be very similar to those of a natural disaster or a major accident, providing examples of successful and unsuccessful management in recent ones, such as the outbreaks of Foot and Mouth Disease (aka mad cow disease) in Europe in 2001 and the earthquake in Taiwan in 1999.
This last contribution provides a very useful insight: although terrorism is a new issue in supply chain management literature, the work done so far on other sources of risk can be valuable by illustrating how previous disruptions had been handled.
Companies however, besides identifying and assessing risk, need also suggestions on how to protect themselves. In particular, firms are looking for ways of increasing the security of their supply chains without jeopardizing their effectiveness. Applying the lesson of the quality movement, Lee and Wolfe (2003) suggest that it is possible to achieve “supply chain security without tears”, i.e. creating strategies that improve security while also strengthening productivity. In particular, the authors point out that a range of possible measures exists, and they can be split into two main categories. On the one hand there are all the initiatives aimed at preventing security breaches (e.g. inspections, information protection, international standards, etc.), on the other hand there are the measures aimed at mitigating the consequences of a disruption and enabling a prompt reaction (namely: total supply network visibility, flexible sourcing, balanced inventory management, product and process redesign, and demand based management).
This last group of initiatives is aligned with an already existing, but increasingly relevant area of research, aimed at creating resilient organizations. In order to suggest a way to acquire preparedness to unexpected disruption, Coutu (2002) introduces the concept of organizational resilience, which can be defined as “the ability to bend and bounce back from hardship”, adapting a concept developed by psychologists for people who survived to concentration camps.
The threat of terrorism and other risks, consequently, is not affecting only the “physical” supply chain, but also the organizational dimension of companies, to the point of affecting the whole corporate strategy. Shrader and McConnell (2002) discuss how security should be incorporated into corporate strategy, starting from securing the company people, considering then the business and finally protecting the networks and the flows of goods and information. The goal is shifting security efforts from being a source of additional costs to become the source of new benefits, increasing efficiency and providing competitive advantages, in line with the previously mentioned contributions.
The limit of all these contributions is the scarce use of empirical evidence: some of them are purely theoretical and others are based on examples of reaction to past events, but none of them investigates the current corporate response. There is still no clear idea about the actual preparedness of companies to supply chain disruptions, also because it is not yet clear what could be done to increase security and resilience.

RESEARCH OBJECTIVES AND METHODOLOGY

Objectives

The present paper aims to explore the current response of western corporations to the threat of terrorism, focusing not only on the single firms, but on the whole supply chain. The goal is to investigate how companies are perceiving the threat and what they are really doing to respond. In this way, it would be possible to provide empirical evidence to enrich the contributions already existing in the literature.

The main research questions are the following:

How do companies perceive the threat of terrorism and how are they assessing and evaluating the related risk for their supply chain?
How are companies protecting their supply chain in order to prevent security breaches?
How are companies strengthening their supply chain in order to make it more resilient, i.e. more capable of reacting to unexpected disruption?

Methodology

In order to investigate the above questions, an exploratory study has been undertaken. The most suitable methodology at this early stage of research appeared to be a qualitative one, based on interviews and case studies:

Interviews: After an extensive analysis of the literature, both scientific and managerial, and after a large number of discussions and informal colloquia with experts and practitioners, a semi-structured questionnaire has been developed, made mostly of open-ended questions, with the purpose of investigating a very broad range of issues. The questionnaire has been used in interviews conducted personally or over the phone with managers working on the issues of supply chain security and resilience.
Case studies: the situation scan allowed to identify a few companies that have articulated and comprehensive initiatives in place and have developed an original approach to the problem. These cases have been studied in greater detail, through on site visits and additional interviews, both in person and on the phone. The case studies have focused on a reduced set of issues, emerged from the first interview, and drilled down on those.

Sample

The companies selected for the interviews are medium to large companies with operations in the U.S., but also either subsidiaries or branches of the supply chain overseas. The sample was made of 20 companies from different industries, operating at different stages of the supply chain, ranging from global corporations to U.S. based firms that have limited transactions across the borders. This heterogeneous sample allowed to explore the various aspects of supply chain response to global terrorism in many directions, trying to identify issues not previously detected and to capture the different perceptions and approaches to the problem. The sampling has been conducted essentially through convenience criteria, i.e. exploiting existing relationships and the availability of people to participate to the interview. This was not a limitation since there was no purpose of generalization behind the investigation, and in this way it was possible to talk to very informed people within the organizations. A few companies, however, refused to participate, mostly for confidentiality concerns, although the names of the participating companies and any confidential information are not disclosed. The sample is described in Table 1.
Table 1. The sample

N°	Industry	N°	Industry
1	High Tech Machinery	11	Electronic manufacturing services
2	Electronics components	12	Automotive
3	Food and beverages	13	Telecommunication equipment
4	Consumer packaged goods	14	Apparel
5	Electronics products	15	Food and beverages
6	Pharmaceuticals	16	Electronics products
7	Telecommunication equipment	17	Consumer packaged goods
8	Aerospace	18	Medical equipment
9	Retail	19	Automotive
10	Freight broker	20	Toys

The respondents were generally either supply chain managers with responsibility for security and business continuity or security/business continuity managers with responsibility for the supply chain.

Companies number 1, 2 and 11 have been selected as case studies, consequently focusing on the electronics manufacturing industry, at different stages of the supply chain. This industry, and in particular the selected companies, provides very interesting examples of a serious concern for security and continuity that translates into a comprehensive strategy and proactive initiatives. We consider these three companies very insightful and in line with the explorative purpose of the research. The different characteristics of each company are coherent with the purpose of theoretical replication underlying the selection of the case studies (Yin, 1984).
Results are now discussed trying to answer the research questions presented above.
RISK

All the interviewed companies are somehow concerned with the potential risk related to the consequences of a terrorist attack on their supply chain, but there is a general sense of disorientation on how to deal with the problem. Managers with responsibilities for both supply chain and security/business continuity are well aware of the many interconnections that link their companies to many others and, consequently, expose them to the risk of suffering from disruptions happening far away. However, they also agree that terrorism can take the form of many different kinds of attack, and every time it is likely to be different from the previous ones. Besides, each single company has a very low probability to be directly impacted by an attack, but the damages due to the indirect consequences of an attack like the one of 9/11/2001 can be very serious. In synthesis, terrorism is seen as a low probability, high impact risk, which is very hard to foresee, but potentially disruptive. And the broader the supply network is, the more likely it is that, in a way or in the other, it will be hit.

However, terrorism is not the only concern for the supply chain: managers are worried also for many other sources of risk, like natural disasters, thefts, strikes, utility failures, cyber attacks, bankruptcies, etc. Again, it is very difficult to assign a probability value to many of these causes of disruptions, and even when it is possible, (e.g. in the case of earthquakes in seismic areas), it is very difficult to take into considerations all the implications on global supply networks.
Companies are looking for a way to deal with all these issues, and the explorative interviews allowed the research team to gain a relevant insight on how some firms are trying to manage supply chain risk. They basically shift the focus from the causes to the effects, under the rationale that what matters for a supply chain is the type of disruption, not its source. This means e.g. that the unavailability of a supplier has always the same relevance, no matter if it is due to an earthquake at his location, to a strike, to a bankruptcy or to a terrorist bomb. In synthesis, the important aspects for the supply chain are the possible failure modes, i.e. the limited ways in which the disruption affects the supply chain. Considering the problem from this perspective allows to identify a few, relevant issues to deal with, instead of considering a huge number of potential sources of disruption, which are very difficult to manage one by one, and moreover are constantly changing. The basic failure modes identified through our investigation, which are seen from the perspective of a single company, are shown in Table 2.
Table 2. Failure Modes

Failure Mode	Description
Disruption in supply	Delay or unavailability of materials from suppliers, leading to a shortage of inputs that could paralyze the activity of the company.
Disruption in Transportation	Delay or unavailability of the transportation infrastructure, leading to the impossibility to move goods, either inbound and outbound.
Disruption at Facilities	Delay or unavailability of plants, warehouses and office buildings, hampering the ability to continue operations.
Freight breaches	Violation of the integrity of cargoes and products, leading to the loss or adulteration of goods (can be due either to theft or tampering with criminal purpose, e.g. smuggling weapons inside containers).
Disruption in communications	Delay or unavailability of the information and communication infrastructure, either within or outside the company, leading to the inability to coordinate operations and execute transactions.
Disruption in demand	Delay or disruption downstream can lead to the loss of demand, temporarily or permanently, thus affecting all the companies upstream.

A direct implication of looking at the failure modes instead of trying to consider each single source of disruption is the ability to evaluate the consequences. Among the interviewed companies, those that considered the effects of disruptions were also able to gain the necessary commitment to increase security and resilience. For example, company 17 assesses risk in terms of how many days a disruption can be suffered before the customer is affected. Company 19 instead evaluates how many millions of US dollars every single day of disruption would cost to the company. The security manager of company 15, finally, gains internal commitment asking executives and managers if they would like to see the stores’ shelves empty of the company’s best selling products because of a disruption.

SUPPLY CHAIN SECURITY

In order to protect the supply chain from disruption, the interviewed companies are undertaking a series of initiatives, which can be classified in three groups: physical security, information security and freight security. For each group, we identified two levels of response, basic and advanced. The basic level corresponds to more traditional initiatives that today are almost a standard practice. The advanced level instead is made of more forward-thinking actions, put in place by a limited set of companies. However, we cannot conclude that every company should adopt advanced measures: the companies that have developed such initiatives are highly exposed to risk, but other companies could already be protected enough by basic measures. Table 3. synthesizes supply chain security measures.

Table 3. Supply Chain security measures

Area	Basic Initiatives	Advanced Initiatives
Physical security	Access control, badges, etc. Gates, guards, camera systems, etc.	Background checks Test of security by an external firm attempting to break in
Information security	Hardware: firewalls, dedicated networks, etc. Software: intrusion detection, antiviruses, passwords, etc.	Audits of partners’ IS security Education and training for IS security
Freight security	Inspections US Government initiatives Cargo seals	Procedures, audits and certification Industry initiatives GPS, RFID, e-seals, biometrics, smartcards, security sensors, etc.

SUPPLY CHAIN RESILIENCE

Security is a big concern for many companies, but even those that have developed a comprehensive security strategy and are undertaking an extensive protection program are aware that disruption is always possible. This is due to the fact that it is impossible to protect the entire supply chain from every source of risk, and even in that case a breach in the security system would always be possible.

Consequently resilience, i.e. the ability to resume and restore operations after a disruption, is seen as a critical capability that every company should develop. However, two main approaches emerged from the interviews: some companies consider resilience as a spontaneous attitude of a company when its survival is endangered, others proactively work to build this ability within their organizations.
The interviews highlighted two main areas of intervention to create a resilient supply chain: company organization and supply network design. They are now discussed in details.

Organization for resilience

The interviewed companies highlighted two actions required to achieve resilience within their organizations: developing contingency plans and performing specific training and education.
Contingency plans have traditionally been prepared for a very limited set of accidents, and by a limited set of companies, generally those highly exposed to well known risks. Today some companies have developed, or are starting to develop, a wider set of plans, covering the failure modes that they consider more relevant. These plans today include both a description of the procedures to follow and the definition of roles and responsibilities; besides, they go beyond the boundaries of the single company. Sometimes they consider disruptions originating in different parts of the supply chain, and in some cases other companies are even part of the plan.
But plans could be simply documents with no real effect, they really become ingredients for a resilient organization when they are translated into practice. For this purpose the most committed companies in our sample perform specific education activities, they periodically test their plans through simulations and drills, and they even involve other entities like local authorities or suppliers in their mock exercises. This activity is the only way to make an organization learn the plans and acquire resilience, and not only: simulations and wargaming allow also to identify unaddressed issues and improve the plans.

Supply network design

We already said that a large and complex network is somehow more vulnerable to disruption, since the probability that something happens to some node or connection is higher compared to a small and simple supply chain. However, a network is also more resilient by definition, in the sense that having multiple nodes and connections at every stage allows substitution for the missing ones - it is the same principle of the Internet. What does this mean for a specific company? How can the design of a supply network be a tool to increase resilience? We identified two basic principles: redundancy and flexibility.

Redundancy means duplicating resources to ensure the availability of a backup solution in case of disruption, or at least spreading the risk. Redundancy can be built increasing inventories, duplicating equipment and facilities, having multiple sources for the same component, etc. It is immediately clear that redundancy involves extra costs and some inefficiencies, in particular it is not aligned with the dominating principles of the supply strategies of the last decades. However, some of the interviewed companies have some degree of redundancy in their supply chains, and this is generally due to the need to be able to respond to many kinds of disruption, first of all market volatility.

The alternative to redundancy is flexibility, i.e. the ability to accommodate sudden fluctuations in the availability of resources. Supply chain flexibility can take many forms: suppliers able to modify volumes in a very short time, a production system that can scale up and down without losing too much efficiency, the ability to move operations from one site to another, etc. Flexibility appears more cost effective compared to redundancy, but it requires some investments to be achieved, and they should not be overlooked. Again, some of the companies in our sample have a very flexible supply chain, and it is generally the response to a very volatile market. However, such flexibility has proved to be very effective also to react to other kinds of disruption.
It is interesting to notice that companies can reach the same goal, i.e. resilience, through different paths, i.e. redundancy or flexibility. But more in general, companies select a certain mix of the two, according to the characteristics of their industry, their market and their supply chain.
DIFFERENT PATHS TOWARDS THE SAME GOAL

The case studies allowed the research team to investigate most of the above described findings, and to reflect on how the various tools available to manage risk, improve security and increase resilience can be combined.

All the three cases have an articulated and comprehensive approach to the problem, embedded in the company culture and definitely pre-existing to 9/11. All have suffered from some kind of disruption in the past and are used to a very volatile market, whose severe fluctuations are unpredictable, thus requiring high levels of flexibility. All of them operate in global supply chains and compete on global markets, although company 1 has a single manufacturing operations in the US, while the other two have plants all over the world.
Despite these similarities, many choices in terms of response to supply chain risk differ significantly, suggesting that there is not a single best way towards security and resilience, but instead different approaches can be equally valuable, if they are coherent with the company characteristics.
In particular, company 1 has many single and sole sources, while the other two have mainly multiple sources. Clearly multiple sourcing allows to spread the risk of a disruption in supply, but company 1 also manages risk very carefully. They do it through a very close relationship with suppliers, who are very committed to ensure continuity of supply. And if they consider a supplier too exposed to any kind of risk, they generally move to another one. They basically consider a single, very flexible and committed supplier to provide higher security and resilience, compared to two rigid and insecure suppliers, who can be more easily affected and anyway cannot backup for one another.
Another interesting difference is in the way supplier flexibility is achieved: company 11 requires it by contract, in very detailed way, while company 1 obtains it through informal agreements. They also perform regular capacity audits, in order to monitor the real ability of the suppliers to scale production.
In synthesis, we can conclude that every company undertakes a different series of initiatives, which are shown in Table 4., all aimed at the same goal of strengthening security and achieving resilience. The specific initiatives selected depend on the company characteristics, such as size, location, type of operations, type of goods shipped, etc. For example, company 2 ships many high value, small sized products, which are highly exposed to theft, hence freight security is a priority. Company 1 is less concerned with freight security, while it is concerned with its ability to ensure continuity of production, because it has a single plant worldwide.
Table 4. Comparison of the case studies.

Company 1	Company 2	Company 11
Consolidated relationships with flexible SME suppliers, personal contacts Many sole and single sources Capacity audits of suppliers Agreements with a supplier to shift production to his site Demand Flow Technology Flexible workforce and temporary employees Duplication of IS and training to restore operations Direct management of transportation in case of emergency Suffered from Icestorm that hampered transportation	Strategy of exact plant replication in different countries Multiple sources for every part Creation of an industry association Emergency Operations Centers in every plant coordinated from the HQ Extensive simulations and drills Company culture stressing the attention to details Physical protection of facilities Suffered from thefts and various SC disruptions Staff from FBI, MI5, MI6, Mossad, Irish Garda, Hong Kong police, etc.	Flexibility written into contracts (+25% 1 week, +100% 4 weeks) Multiple sources wherever is possible Agreements with equipment providers to restore assembly lines in 4 weeks Unique IS across the world, also in acquired facilities Collaboration with logistics providers to ensure continuity of transportation Suffered from major theft Military personnel

Conclusions

The explorative study conducted so far allowed to highlight that the threat of terrorism is actually considered by companies, although not all of them do really take action to protect themselves. The first important finding is that terrorism is considered together with many other risks affecting the supply chain, thus allowing to use the failure mode approach to manage the threat. We showed that progressive companies are responding in two, complementary ways: increasing the security of their supply chains and developing resilience. Both these actions can be performed in many alternative ways and there seems to be no single best way. Every supply chain and every company should identify the most effective and efficient way to protect itself, reducing the risk exposure without affecting cost effectiveness and without over-reacting to the disruptions suffered in the past. This is the agenda for the future development of our research project.

REFERENCES

Coutu, D.L. (2002), “How Resilience Works”, Harvard Business Review, May.

Forrester, J. (1961), Industrial Dynamics, MIT Press, Cambridge, MA.

Lee, H.L., Wolfe, M. (2003), “Supply Chain Security Without Tears”, Supply Chain Management Review, January-February.

Lindroth, R., Norrman, A. (2001), “Supply Chain Risks and Risk Sharing Instruments – An Illustration from the Telecommunication Industry”, Proceedings of the Logistics Research Network 6^th Annual Conference, Edinburgh September, 13-14, pp. 297-307.

Martha, J., Subbakrishna, S. (2002), “Targeting a just-in-case Supply Chain for the Inevitable Next Disaster”, Supply Chain Management Review, September/October, pp. 18-23.

Sheffi, Y. (2001), “Supply Chain Management under the Threat of International Terrorism”, The International Journal of Logistics Management, Vol. 12, No, 2, pp. 1-11.

Shrader, R. W., McConnell, M. (2002), “Security and Strategy in the Age of Discontinuity: A Management Framework for the Post-9/11 World”, Strategy+Business, www.strategy-business.com.

Souter, G. (2000), “Risks from Supply Chain also demand attention”, Business Insurance, Vol. 34, No. 20, pp. 28-28.

Tsay, A.A., Nahmias, S., Agrawal, N. (1999), “Modeling Supply Chain Contracts: a Review”, in Tayur, S., Ganeshan, R., Magazine, M., Quantitative Models for Supply Chain Management, Kluwer Academic Publisher, MA, pp. 299-336.

Yin, R.K. (1984), Case Study Research, Sage Publications, Beverly Hills, CA.

Zsidin, G. (2001), “Measuring Supply Chain Risk: an Example from Europe”, Practix, Best Practices in Supply Chain Management, June, pp. 1-6.

Download 62.8 Kb.

Share with your friends: