Supply Chain Integrated Resiliency and Crisis Management

Royal Philips – Group Operations – New Boston, NH / United States of Americaroger.a.stearns@Philips.com / (O) +1 603-487-1464 / (C) +1 603-582-0883

Roger A. StearnsFBCI | CBCPSr. Global Manager Business Continuity Management

Introductions

Royal Philips – Group Operations – Eindhoven / Amsterdam – The Netherlandsrob.van.den.eijnden@philips.com / +31(0)6 2113 1633

Rob van den EijndenMBCI | CISA | CRISC | PMP | ISO22301LAGlobal Business Continuity & Resilience Leader

This is what most people think of

Philips…..

Roadmap

Our integrated Resilience Model

Supply Chain & Interdependencies

Crisis Management within our

value stream

Q&AInterpretingRisks

AdditionalInformation

Supply Chain & Interdependent Operations

Interdependent Operations (Services)

• Outsourced Operations• Installers• Resellers• Contact Centers• IT Support• IT Services

Integrated Supply Chain (Products)

• Manufacturing (Raw Materials to Finished Goods)

• Products• Chemicals/Compounds

• Distribution

Supply Chain – 101A cog in the life of a Product or Service

Raw Materials >Manufacturing Process> Finished Goods>

Distribution> CustomerSales > Support>Install

Supply Chain - Reality

Interdependency

Interpreting Risk

“In 1755 Jean-Jacques Rousseau first articulated the differences between disasters (processes) and hazards (events); He hypothesized that the Portugal earthquake which was made by “nature had not built [process] the houses which collapsed and suggested that Lisbon’s high population density [process] contributed to the toll”

The Origins of understanding Risks

EVALUATING & PREDICTING RISKS

BUTTERFLY EFFECT CHAOS THEORY CASCADING DISASTERS BLACK SWANS

SPIRAL DYNAMICS INFLUENCER & SHAPE SHIFTERS

COSO FRAMEWORK CUBE MURPHY’S LAW

Fire

Telecom

IT Services Power

Ransomware

HurricaneSupply Chain

Prop

abili

ty

Impact

Evaluating your Risks – Risk Matrix

Risk Assessments- 2 year cycle of evaluation- Multi disciplined team- Target highest risks 1st

- Assigned owners- Annual updates minimum

2019 Horizon Scan &

Supply Chain Resilience Report

Supply Chain Disruption

Natural DisastersTransportation FailuresGeo PoliticalPrice/Market FluctuationsCyber Attacks

2019 5 Major SC Disruptions

Disruptions are defined as major breakdowns in the production or distribution nodes that comprise a supply chain. These may include events such as a fire, a machine breakdown, an unexpected surge in capacity that creates a bottleneck, quality problems, natural disasters, customs delays, or any other number of different problems.

Definition

Other SC Disruptions

Loss of IT (more than 4 hours)Loss of SuppliersLoss of Utilities (Power)Data BreachesBlockchain, IoT & AI

Observation / OpinionRisks threaten the Integrated Supply Chain every day. However, they are reported in different ways. However, by definition Supply Chain is not just one thing or one impact on the value stream, and can materialize as a direct impact as well as an impact to Up and/or Downstream interdependent processes.

2019 Horizon Scan (BCI/BSI)

A

Black Swans

Source: https://www.thebci.org/resource/bci-supply-chain-resilience-report-2019.html

2019 Horizon Scan 2019 Horizon Scan

Top 10 disruptions

SC not in the top 10 Disruption

Top 10 Threats

2019 Horizon Scan (BCI/BSI)Threats vs. Disruptions

Source: https://www.thebci.org/resource/horizon-scan-report-2019.html

2018 Horizon Scan 2018 Horizon Scan

Top 10 disruptions

2018 Horizon Scan (BCI/BSI)Threats vs. Disruptions

2019 Horizon Scan (BCI/BSI)Likelihood and Impact – next twelve months

**Orange Alert (Low impact/high likelihood) – These are of moderate importance. Organizations should try to reduce the likelihood that they will occur.

*Yellow – These risks are low level; however, organizations should not ignore them.

***Red Alert – These are of critical importance and top priorities. Organizations must pay close attention to them.

**Orange Alert (High Impact/Low likelihood) – These are risks of high importance if they do occur, but they are very unlikely to happen. Organizations should do what they can to reduce the impact they will have if they do occur, and they should have contingency plans in place.

Black Swans

Past 12 mo.Next 12 mo.

N=411N=345

2019 Supplier Chain Resilience Report

A

Pg. 16

Source: https://www.thebci.org/resource/bci-supply-chain-resilience-report-2019.html

2019 Supplier Chain Resilience Report

Pg. 18

2019 Supplier Chain Resilience ReportPg. 21

ISO 45000/14000

Local/Site events & Incidents

ISO 22320

Telecommunications / Networks Cyber / IT Events

All company critical resources &

interdependenciesISO 22301

Planning & Management Spectrum

Ove

rall

Scal

e &

Impa

ct

Emergency Response Plan(s)

Crisis Management Plan(s)

Disaster Recovery Plan(s)

Business Continuity Management Plan(s)

Time Frame

Existential threats to the organization

Disruptive events impacting business operations

Vital technology infrastructure and systems

An immediate impact to Health and Safety (Chemical/Fire/Medical)

Best Practice of Integrated Resiliency

Our journey to an integratedresilience platform

Philips Global BCM Program1. The need to have BCM organized2. Philips Business Continuity

Management System (BCMS)3. Philips Global Resilience Platform

(PGRP)

25 Fusion RUG London 2019 & Philips CoE BCR | 4 November 2019 | v2.0

Numbers FIGURESLocations (Campus, Sites, Buildings 940*Workforce

91,500*FTE 69,000

Contingent 16,000Contractors 6,500

Suppliers 300,000Key/Critical 20,000

IT Global Applications

305*

Local Services 6,300** Changing variable

26 Fusion RUG London 2019 & Philips CoE BCR | 4 November 2019 | v2.0

Delivery of products and services at risk

The need of BCM organized – Lack of Real Time Information

The need of BCM organized - Real Time Information and Response

Royal Philips Business Continuity ambition

Quality Delivery DataIncrease business resilience, and continue delivery of products, services andsolutions to our customers, at acceptable predefined levels, in time of disruption

Organizing Business Continuity as the capability to resume and recover with minimum disruption and to maintain, align with and prepared for certification with ISO 22301

Implementing an exercise program that, over a period of time, leads to objective assurance that the business continuity plans will work as anticipated when required

Turn real time data into information, information into insight and insight into business decisions in time of peace or crisis

Governance Lean organized setup with global and local responsibilities

Core elements of the Philips Business Continuity Management System (BCMS)

Disciplines

All disciplines who needs to work

together

PDCA cycle

The ISO 22301 PDCA cycle applied to Philips

BCMS

Integrated BCMS Framework

The core elements of the foundation for an integrated certified

framework

Standardized BCM Model

Operationalized model to make BCM work

globally

The ISO22301 applied to the Philips Global Business Continuity Management System (BCMS)

GaggioMontano

Pune

Suzhou

Hamburg

Haifa

CoE BCR

Philips Business Continuity Management System (BCMS)

Philips Business Continuity Management System (BCMS) v2.0

Fusion

CoreElements

Key ProductsServices, andSolutions

Key Depended Resources

Information upload via multiple Master

Sources

Available, Acceptable, Accurate (AAA)

ManufacturingComponents

Manufacturing Technology

Service Business Processes

Scope of integrated resilience approach combined with Philips Global Resilience Platform (PGRP)

Our integrated resilience approach integrates with E2E Supply Chain to increase the operational business resilience

The Philips Global Resilience Platform (PGRP) Enables the integrated sharing of critical business data related to prevention, detection, respond and recovery of business

Dealing with dependencies –Using BCM to improve the resiliency of our Supply Chain

• Dependency Mapping to determine impact:

• Gap analysis of business requirements versus delivered

• Entity risk profile existing of domains in scope (Insurance, BCM, Security, Health & Safety, Supplier, Travel, IT Services, etc.)

Connecting the dots: going digital with turn data into information, information into insight and insight into business decisions out of the data lake

Real-Time visualization of dependencies per entity, supplier, or IT service

Plan ProductsServicesSolutions

Processes Resources

BCM risk capabilities aligned with Philips Enterprise Risk Management principles

Real-Time visualization of threats, including Philips entities, suppliers is part of our Early Warning Management System

Crisis Management

Emergencies not dealt with will likely escalate. Fire Fighters often say “all fires start small”

Events, Emergencies & Incidents

It is the emergency management teams proficiency that will dictate success and efficiency and ultimately determine the organizations reputation when a threat materializes and becomes a major event.

Source: https://www.amazon.com/Avoiding-Disaster-Business-Catastrophe-Strikes-ebook/dp/B000VZVZS0 $46.68/44.35

Managed Locally

Managed Locally with additional resources

Local/BU overwhelmed. Regional/Market/Corp

CMT

All company resource are brought to bare.

(Corp/Regional/Market) CMT)

Crisis Management Spectrum

Ove

rall

Scal

e &

Impa

ct

Incident

Crisis

Catastrophe

Disaster

Time Frame

Abnormal and unstable situation that threatens the organization’s strategic objectives, reputation or viability.

Situation where widespread human, material, economic or environmental losses have occurred which exceeded the ability of the affected organization, community or society to respond and recover using its own resources.

Occurs when a disaster's effects are widespread and its impact is so great that it overwhelms a community's ability to function.

Occurrence particular set of circumstances. Shorter term Root-cause to Restoration

An event which is not part of standard business operations which may impact or interrupt services and, in some cases, may lead to a crisis or disaster.

Event

ICS (Incident Command System)

Crisis Management Teams (CMT)

Incident Commander

SupportAdmin. & Finance

LogisticsIntelligence & PlanningOperations

FEMA EMI training coursesICS-100: Introduction to the Incident Command SystemICS-200: ICS for Single Resources and Initial Action IncidentsICS-300: Intermediate ICS for Expanding IncidentsICS-400: Advanced ICS for Command and General StaffIS-700: National Incident Management System, An Introduction

IS-701: NIMS Multiagency Coordination System (MACS)IS-702: NIMS Publication Information SystemsIS-703: NIMS Resource ManagementIS-706: NIMS Intrastate Mutual Aid – An IntroductionIS-800: National Response Framework, An IntroductionG-191: Incident Command System/ Emergency Operations Center InterfaceG-402 Incident Command System (ICS) Overview for Executives/Senior OfficialsG-775: Emergency Operations Center (EOC) Management and Operations

https://training.fema.gov/nims/

Also: All-Hazards Position Specific Courses

CRISIS MANAGEMENT TEAM - ENGAGEMENT

SITE CMT (LEADERSHIP TEAM) REGIONAL CMT

Multiple Location with same incident/Crisis

- Hurricane- Winter Storm

COUNTRY CMT

Multiple Site and Regions

- Terror Attack- Civil unrest

ORGANIZATION CMT

Partial or Entire company

- Product recall- Ransomware attack

Singular Location

- IT incident- Tornado- Chemical Spill- Fire

THE CMT PROCESS

INFORMATION ISSUES DECISIONS ACTIONS

LESSONS LEARNED AFTER ACTION REVIEW

Repeat for duration of event

CREATING A GENERATIVE CRISIS MANAGEMENT CULTURE

- Continual Review of your risks and mitigation steps

- View the Horizon for future risks and potential impacts to your organization

- Look to other industries and their impacts

- Creating response strategies that enable & support a resilient organization

- Engage with CMT members regularly

- Think out of the box

https://www.linkedin.com/pulse/how-continually-build-your-crisis-resilience-caroline-sapriel/

Increase the companies Crisis Management capabilities through practice. Include critical staff to ensuring mission critical operations are restored

CMT Testing & Exercising

• Conduct training with minimal impact on normal operations

• Review ROLES with the CMP & BCP

• Familiarize participants using assigned roles

• Practice as a Team

• Produce After Actions Reports (AAR), Hot Wash

• Track & assign Lessons Learned and Action Items