Gary Lynch: Getting supply chain risk management right
For most of us, we’re experiencing unprecedented economic challenges. The implications to the supply chain management profession are profound. We’ve gathered some of the industry’s brightest minds to discuss these challenges and seek innovative solutions. We hope you enjoy the Kinaxis Supply Chain Expert Series as we challenge these experts on these issues.
Global Leader, Supply Chain Risk Management Practice
Mr. Lynch is Global Leader of Marsh’s Risk Intelligence Strategies and Resiliency Solutions practice. He is responsible for developing the organization’s risk intelligence capabilities and offerings, as well as aligning and enhancing the firm’s various risk strategies, supply chain, and business continuity offerings. Additionally, he is responsible for developing thought leadership around emerging issues such as pandemics and terrorism.
Mr. Lynch has 28 years of experience in the IT & operational risk management profession. He served as the business continuity and information security executive-in-charge at The Prudential and Chase Manhattan Bank (now called JPMorgan Chase). As a partner at Booz Allen Hamilton, he was responsible for the operational resiliency and Information assurance practice. He also served as research director and industry analyst at the Gartner Group and was responsible for launching one of the firm’s most successful service offerings.
You can also listen to a podcast of this interview at “Getting supply chain risk management right.”
Kinaxis: Is there a supply chain risk management maturity model? If so, can you describe it and explain how organizations have generally matured in this regard?
Gary: From my perspective, unlike some other disciplines — quality, even continuity as an example — there tends to be a lack of a mature or widely accepted maturity model. Theoretically, there are different models — for example, some of the guides that are issued in the SCOR (Supply Chain Operations Reference) model are certainly gaining some acceptance—but by no means is there a globally accepted model. To be globally recognized, the fourth element of any market – clients must reference one another – must be satisfied.
I think how we’ve seen the topic of supply chain risk management mature is interesting because there seems to be two schools of thoughts. Those in the risk profession have seen an evolution with regards to low probability, high impact events: catastrophic recalls, catastrophic natural hazards – event-driven if you will. That kind of risk management tends to try and tackle these events through extensive business continuity, emergency planning and crisis management.
And then you have the other camp at the transactional level —which is your operations, logistics, procurement, sourcing executives, even your operations finance executives and CEO for that matter—who are looking at the capital invested in the business, the return on that capital and the daily risk associated with managing the business and many suppliers.
So you have two schools that are maturing the discipline at a very accelerated rate. But it is only within the last three to five years where we have seen acceleration.
One area in particular where we have seen some great strides is greater risk management around the supply base and the suppliers themselves, both at the event and transactional levels. We’ve seen common criteria really coming forward for evaluating and setting expectations with suppliers, and insisting on greater transparency upstream the supply chain. Unfortunately, the majority of the industry is still viewing supply chain risk management as management of just the suppliers and not of the entire value chain.
Another area where we have seen some maturing is around managing risks to the physical assets and the risk to those physical assets, such as a facility, inventory, and/or key pieces of equipment.
One of the gauges of maturity is if the discipline matures to the point where it can be measured. Then you have the financial markets interested in underwriting that risk, whether it is catastrophic bonds or whether it is contingent business interruption or business interruption insurance. And we are seeing this today.
Kinaxis: At the day-to-day transactional level, how do you separate out risk management from day-to-day operations? What is the elemental difference between managing your business and managing it from a risk perspective?
Gary: I think the short answer is – you don’t. But that’s easier said than done. Efficiency practices along the lines of lean thinking, or quality practices along the lines of a six sigma, became successful, or had some level of success, when they were fully integrated and began with the demand side of the equation. I don’t think you can separate the two, nor should you, but at times you do need emphasis and isolation. You do need to create criteria to identify a specific issue, get to a point of concentration where many are looking at the problem, and a dedicated “temporary” organization is driving the initiative with the goal of getting it integrated into the workflow itself.
Kinaxis: So integration is a sign of the level of maturity—being able to integrate it into day-to-day practice, rather than having it as a stand-alone practice?
Gary: Absolutely, and I think some of the industries that have executed on that thinking and have integrated it, or have begun to integrate it well, are the high tech and auto industries. Industries where we have not seen it as well integrated are the life sciences, retail, food services and construction as examples.
Kinaxis: In terms of the size of organizations, do you find that there is more emphasis on supply chain risk management in large organizations, less in little? Or do you find that all sizes of organizations are fairly well focused on supply chain risk management at this point?
Gary: We find that there certainly is a lot of discussion and veneer around supply chain risk management and there is a tremendous amount of discussion around managing the risk of suppliers in particular, but from the execution side, I would say across the board it still seems to be a very light practice unless some other initiative is driving it. So for example, in managing supply chain risks, whether it be from disruptions or environmental implications, we are seeing a lot done in that area, but a lot of it is driven by the opportunity to reduce costs; transportation costs, load costs, things like that.
In terms of a real focus on managing specific risks to the extended supply chain, all the way upstream and downstream — there are few organizations that are applying that discipline as a whole and trying to overlay it on their supply chain management practices.
I think the organizations that have had the greatest interest and are making the greatest demands are those organizations that face the customers— the hospitals, the retailers — those that are actually on the front end that are touching the customers are the ones that are turning around and setting the demands and expectations of those that are providing them with the goods and services.
Again, I think very little is done in a concentrated way in this space.
Kinaxis: I was interested in your comment that retailers and healthcare are focusing more attention. Do you think that that’s because of the immediacy of the demand? In retail, if it’s not on the shelf, you don’t’ sell it. And in an emergency healthcare situation, if you don’t have the medication or the equipment you cannot serve that patient.
Gary: Absolutely, the competition is just absolutely too fierce. I think it’s really about the pressures; it’s the pressures of added stock conditions, it’s the pressure of poor product quality as we’ve seen over and over again. At the end of the day, you have to look at who’s really taking the heat, not only from a brand perspective but from a financial perspective. The retailers that have been more conscious and more active are certainly gaining some advantage in that space.
Kinaxis: You’ve mentioned that there’s a difference between dealing with long term or occasional risk and transactional level risk. Do you find in this period of volatility there is more emphasis in one area rather than another?
Gary: It’s an excellent question and the answer is yes. I believe there is certainly a lot more emphasis on the transactional level, and in many cases, one-off risk issues. What I find amazing is that if we would have had this conversation a year or eighteen months ago, we would have been talking about rising commodity prices, rising availability to commodities, and are certain nations such as China capitalizing on that opportunity, and hording commodities? Our conversation would have been about rising energy costs, transportation, do we move factories because transportation costs have risen so high. What I find so interesting is that we seldom have those conversations now. The conversation is about the issues around credit, letters of credit, trade credit, trade disruption and to some degree, demand.
Kinaxis: Particularly in discrete manufacturing, people have used inventory as a way of mitigating risk, especially on the demand side. But lean practices have reduced inventory tremendously so they don’t necessarily have the alternative to use inventory as a way of to handle day-to-day disruptions.
Gary: In that case, I think that it puts more pressure on those in the risk profession to ensure that they are really focusing on the metrics and measurement. If they are going to create the business case for additional inventory they are going to have to be precise as to whether that inventory should be work-in-progress, finished goods or raw materials and why.
Again, I think in all cases, the volatility forces greater measurement both from an impact and an investment standpoint.
Kinaxis: Where do you see technology playing a role in supply chain risk management?
Gary: I think the area most important right now where technology can play a key role is certainly in the visibility of the supply chain — providing some ability to have the correct information to make informed decisions about threats and vulnerabilities along the supply chain. With technology that’s used to collect the data, understand impact and the implications of the parts, one can look at the whole of the supply chain.
I also think certainly the technology that’s already in use in many cases — whether it’s global positioning or RFID technology — again, the data that’s collected provides some great inputs from a modelling perspective. Having information more quickly, knowing whether the impacts are large or small, knowing quantities, knowing sources, knowing alternatives; those kinds of issues can be critical but are absolutely worthless without the technology driving it.Google+