Flexible, Adaptable, Redundant and Secure: Strategies for a Resilient Supply Chain
This article was taken from the book Bold Leadership by Jim Tompkins.
By Jim Tompkins
In order to achieve a business resiliency plan that reduces disruptions, promotes safety and security, provides for redundancies in production, and makes your supply chain resilient, you need strategies that will make your company flexible, adaptable, redundant and secure.
A Case Study in Being Prepared: United Technologies
Consider the example of United Technologies, a global corporation. To monitor its extensive supplier network and critical parts, it uses a supplier tracking service. Scott Singer, the director of global supply management at United Technologies, describes the service as “An important tool for us, serving as an early warning system to alert us to possible problems with a supplier so that we can do proactive follow up.”
Recently the service, which is provided by Open Ratings, Inc., helped a United Technologies aerospace unit identify a supplier with a cash flow problem. Because United Technologies learned of the problem before it had profound effects, they were able to work out a solution.
United Technologies also maintains redundant sources for critical parts. It is Singer’s opinion that the biggest risk to the supply chain is two or three levels down in the supplier network. “At a plant level, we define those critical materials that would mandate a secondary source,” Singer says. He adds that it is crucial that they do so, despite the fact that finding secondary sources isn’t easy. 1
Very little is easy about business today, the least of which is making the time to create a business resiliency plan that is updated consistently. If you are just starting a plan or have one in place that needs to be dusted off and revamped, start now and include strategies that adhere to checks and balances through governance and compliance, emergency communications, reliability, business continuity and resumption, IT protection and information recovery, recovery of your business, and security and safety.
Governance and Compliance
A business resiliency plan needs a well-managed system of checks and balances that focuses on implementing resiliency goals in a structured and controlled environment. Otherwise, you cannot measure progress and investments against your goals.
Therefore, your business resiliency planning team must create a governance and compliance strategy that creates such an environment by defining specific metrics for service delivery, response, availability and other service levels and commitments. These metrics must mesh with your business goals and budgets and must also meet any compliance requirements for a specific industry.
The strategy should also define the organizational elements of the plan, quantify the objectives and metrics and set up the program for managing the plan. This includes setting parameters, measuring the work to be performed, tracking progress, analyzing the results and presenting status reports regularly.
Emergency Communications and Management
During a crisis, a communication breakdown can result in lost lives, lost business and the avoidable consequences of a poor response to an unplanned event. That is why an emergency communications strategy is an important part of a business resiliency plan.
Communication with critical information sources (such as first responders, civil authorities, facilities staff and utility providers) sets the stage for properly assessing an incident and its impact. Employee communication allows the flow of vital information to ensure safety, security and the proper response to the crisis. Keeping in contact with clients, business partners and stakeholders is key to preserving the enterprise’s reputation and marketability. Communicating with key vendors, outside service providers and other third parties is critical to establishing smooth continuation of business activities.
This strategy should include documented crisis and emergency response plans, because communications and response are top priorities in ensuring the safety of personnel and the viability of operations during and after an emergency.
Part of these plans should be a clear definition of who will take the leadership role in the management of the emergency. Inspirational leaders know how to handle emergencies. But it is best to establish a clear leader who will instill confidence and who those involved in the crisis can count on to make sure the right information is communicated to the right person.
Reliability
Business resiliency goals cannot be effective without individual strategies that specify how objectives will be achieved. The people and teams in charge of meeting the objectives need feasible, practical and documented strategies in place. Supply chain partners, key service providers and outsourcing providers must participate in this process to be capable of providing an appropriate response during a business interruption or unexpected surge in demand.
If you have already included representatives from these partners and providers, then creating this strategy is easier than if you wait to call on them until you are developing and documenting your strategy.
Reliability strategies can call for operational redundancy, or they may simply identify an alternate location from which to operate. In either case, it is critical that strategies, detailed plans, and measures be in place to assure that systems, data and personnel will be available to meet the objectives. Failing to develop and fund effective strategies, as well as failing to empower employees and teams to carry out the plans, can expose you to potentially excessive downtime costs and loss of opportunity.
Continuity and Resumption
Sustaining business operations during an unplanned event might require workarounds, alternate workspace or other special arrangements. Therefore, your business resiliency planning team must identify, prioritize and map business processes for all supporting functional requirements, including voice communications, fax, workspace requirements, applications technology and more.
They also need to devise and document procedures to account for operational activity between the time an incident occurs and the time when all the recovery activities are complete. These procedures should consider where to go, how to get there and what to do once you get there so that no further confusion occurs during an incident. All these requirements and activities should be documented in a business continuity plan, which must be properly maintained and periodically tested.
Information Management, Protection and Recovery
In today’s world, a company cannot operate without information and the hardware and software that stores and drives it. Information is the lifeblood of every corporation, and to be competitive, it is critical that companies have information available at all times.
Lost information cannot be recovered, and the older the information is, the more difficult it is to re-create. Regulatory agencies such as the Department of Health and Human Services, NASD and the U.S. Securities and Exchange Commission have enacted regulations that affect the retention and availability requirements of data for certain businesses. These regulations, coupled with sound business practices, drive the need to protect information under normal working conditions, as well as in the event of a disaster.
Therefore, a business resiliency plan must have a strategy that makes sure that all data is available. This can include offsite backups, mirrored sites, multiplexes and sysplexes -- a series of servers set up to operate without interruption should another fail. If the corporate asset known as data is not properly protected with a clear, documented strategy, the business can lose revenue and be subject to substantial regulatory fines.
If information is the lifeblood of an organization, technology is the system of vessels and arteries needed to keep it flowing throughout the company. Most IT departments are managed as an internal service to the business. Typically, there are service level agreements by which users measure these departments. Service must be provided under normal conditions, as well as during emergency or disaster conditions.
Business application priorities will dictate the business recovery planning team’s technology redundancy, the recovery strategy and the level of investment to be made in the technology resiliency architecture.
Examples of such priorities are the amount of system downtime that can be tolerated from the point of disaster to functional recovery (recovery time objectives, or RTO) and the amount of data loss that can be tolerated during a system recovery (recovery point objectives, or RPO).
If your business is totally dependent on technology, a resiliency goal may be set that requires no single-point-of-failure in the support environment. For less technology-dependent businesses, next-day recovery is probably adequate. IT disaster recovery plans, then, should combine service continuity (fail-over) with restoration, accounting for all levels of RTO/RPO specified by the business.
The first step of the plan involves the people and tools required to maintain or restore the environment. The next step is the implementation guidebook, which details the order of steps, anticipated timeframes and interdependencies. Without these plans, a technology recovery attempt can result in problems that can negatively affect the ability to recover at all.
Business Recovery
Even the most well-prepared organizations and supply chains will experience some sort of business disruption. Therefore, a business resiliency plan must take that possibility into account and contain a documented business recovery strategy.
This plan should take into account what will be needed to restart production, how restored supplies will be distributed, how and when infrastructure will be repaired and how and when IT systems will be restored. Some strategies include raising production levels with overtime, suppliers and customer resources.
The issues your recovery plan should focus on are client notification, operations response and IT response. It should create and describe recovery teams, action plans and recovery options. It should also describe who is responsible for the plan, including who holds it and who is responsible for maintenance.
The business resiliency planning team must be realistic as it develops this strategy. Depending on the severity of the event and the disruption it has on your facilities, systems and business, recovery could take a significant amount of time.
Security and Safety
As we all know, not all business disruptions are caused by natural disasters that destroy distribution networks. Business disruptions can also be caused by people -- terrorists, disgruntled workers, labor union strikes and unstable governments. As a result, safety and security is an important business resiliency goal. To address both, your business resiliency planning team should develop a security and safety strategy that:
- Uses layered and balanced defense methods: Layered defense means having several measures in place so you do not rely solely on one method. Having a security guard, a security alarm and video cameras to protect a facility is a simple example. The methods used to protect defense information systems -- fail-over, clustering, site mirroring, provisioning -- are complex examples. It is important that you balance these methods. You need to know what threat is most likely to harm you the most, and make sure that it receives more attention than a risk that is not likely to occur.
- Separates threats from baseline activity: In a large company, you cannot always determine what is a threat and what is normal activity. For example, computer systems generate logs and logs of activity. An inexperienced person looking at those logs might see the word “error” and think there was a problem with the system, when in fact the error is a benign result of a test process. An experienced administrator knows what error messages indicate a true problem. Your security and safety strategy must do the same thing.
- Builds company and supply chain awareness and sensitivity to security and safety: Security is not achieved alone -- not for a company or a person. The global companies and supply chains of today mandate a high level of communication, collaboration and awareness both within the walls of a company and outside. Your supply chain partners and your employees all have a role to play in security and safety, and your security strategy must make them aware of that.
- Includes security and safety training and drills: If a company does not experience a threat or disruption for several years, it can become complacent. This is something that your safety and security strategy must address through training, tests, drills, reenactments and renewed company awareness to prevent complacency and keep preparedness levels high.
- Integrates security into business processes: When you wait until after an event to add security measures, or if you try to add them to mature business processes, you get a bandage that hides the wound but which does not go about healing it or preventing another. This is another reason why it is important to have representatives from all parts of your business on the resiliency planning team -- they can become advocates and contributors to re-structuring business processes that include security and safety measures.
Evaluation: Again and Again
I would like to stress here that it is not enough to evaluate your plan once or twice. In this business world of acceleration and speed, situations are subject to quick and sudden changes. Supply chains are much more fluid than they used to be, and so is business. That is why you must review and rank your operations periodically, as well as update your plans.
I recommend that your business resiliency planning team determine the number of times a year that they should meet to reassess vulnerabilities, compare company progress, changes in the environment and marketplace, and any shifts in demand. I also recommend that you involve your customers. Ask them how you’re doing, and ask them to tell you how you could improve. You should also do this on a regular schedule.
Conclusion
Resiliency isn't just important to your company. Take the example of Wal-Mart and Starbucks, companies that responded after Hurricane Katrina struck the Gulf Coast in 2005. Their logistics and supply chain operations were tested as they tried to get relief supplies and communication in and out of the region.
Wal-Mart used its emergency operations center, staffed 24 hours a day by people with access to all systems, to move goods into the area. Starbucks responded to a request for coffee donation after assessing how much it could donate to the region without affecting its own supply. Working to make your company's supply chain resilient is not only beneficial to the bottom line; it can also have a positive effect on the communities your company serves.
Sources:
1 Doug Bartholomew, “Supply Chains at Risk,” Industry Week, October 2006, pp. 55–60.
© Tompkins International, Inc., All rights reserved.