Copyright © 2014 BSI. All rights reserved.
A Layered Approach for Business Continuity Risk Assessments in the Supply Chain – Case Study
Courtney Foster
Supply Chain Solutions Manager – EMEA
BSI Overview
BSI Group
• World’s first National Standards Body
• BSI issues over 2,000 standards each year
• Performed more than 150,000 assessments in over 150 countries last year
• 64 offices and regional hubs in UK, Hong Kong and USA
BSI Supply Chain Solutions – Professional Services
• Over 20 years of experience in assessing global supply chain risks, threats and trends
• Leading provider of supply chain security, corporate social responsibility and business continuity intelligence, data and analysis
• Global auditor base to deliver second party audits in areas of quality, security, GMP/GDP, corporate social responsibility, and business continuity
• Sole provider of supply chain security intelligence to the US Customs security program
Why does Supply Chain Risk Matter?
Supply Chain Disruption – Proof of Rising Concern
• 2014 BCI Horizon Scan Report Top Concerns: Supply Chain Disruption - #16
• 2015 BCI Horizon Scan Report Top Concerns: Supply Chain Disruption - #5
• 11 place increase
• 44% of respondents stated that “increasing supply chain complexity” was a trend on the radar for evaluating business continuity implications (2015 BCI Horizon Scan Report)
Complexity in Gaining Visibility into Multi-Tier Supplier Relationships
[Diagram: multi-tier supplier network showing Importer, Vendor, Agent, Factories 1–4, Tier 2 component provider, Tier 2 subcontractor, and Tier 3 raw material providers]
• Business Partner with factories in multiple countries
• Agents can be associated to multiple Business Partners, Locations, Subcontractors, etc.
• Subcontracting partial production to other factories
• Raw Material providers to finished good factory
Supply Chain Complexity is Increasing
Constant Changes
• Facility locations
• Supplier churn rates
• Legal & other requirements
Fragmentation
• Price pressure
• Just in time shipping
• Globalization
• Capital flow
Lack of Strategic Connectivity
• Internal departments
• Multiple initiatives
• Resources to manage
Complex Networks
• Intermediaries
• Subcontractors
• Domestic importers
• Wholesalers
Inability to Deliver to Your Customers on Time
• 25% of companies reported losses greater than $1 million due to supply chain disruption in 2013
• 76% reported at least one supply chain disruption
• $300 BILLION LOST GLOBALLY DUE TO POLITICAL INSTABILITY AND NATURAL DISASTERS IN 2013
• 28% said they have no business continuity arrangements for their suppliers
Automotive Industry Case Studies
Two examples of Business Continuity Disruption
1. Explosion at a factory in Germany
2. Natural Disaster wipes out key factory in Japan
Explosion at Germany Factory – Single Source
Facts
• Explosion and subsequent fire at a factory in Germany
• Plant manufactured key component (Nylon 12) in a resin used to make a specific plastic, which is then used in fuel and brake lines
• Suppliers for the major car companies all sourced from the factory and had no contingency plans for replacing the supplier
• Affected at least a quarter of worldwide supplies for the resin
Effects
• Shortage hampered finished auto production in the United States/Europe
• Some alternate materials are available but had to be tested and approved prior to substitution
• Imposed indirect costs as companies thoroughly tested alternative chemicals
[Diagram: Auto Companies, Supplier 1, Supplier 2, Supplier 3, Single PA12 Supplier]
Japan Tsunami – Single Source Paint Pigment Supplier
Facts
• Factory in coastal town of Onahama severely damaged due to Japan Tsunami/Earthquake
• Makes Aluminum-flaked Xirallic pigment that makes the paint sparkle
• Significant stock of that paint pigment kept at the single factory
• 3-month disruption in production at factory before normal operations resumed
Effects
• Automakers worldwide were forced to stop making cars of certain colours
• Customers with existing orders - asked to choose new colours
• Studies show customers will leave a dealership if it doesn't have a vehicle in a particular hue – Significant brand problem
• Short term inability to find alternative pigment supplier
• Procurement disruptions in standard buying practices
• Awareness of need to increase visibility below Tier 1 suppliers
What did the Auto Industry do to Improve?
Automakers and suppliers are:
• Mapping out supply chain to gain visibility into Tier 2 and 3 single source
• Double-sourcing more critical parts
• Moving facilities from high risk natural disaster areas
  • Due to new efforts to understand macro, country risk
• Risk assessing resiliency procedures for suppliers
• Improving emergency plans for suppliers – Corrective Actions
• Stockpiling bigger inventories at multiple sites
1. How many suppliers do you have?
2. How many are direct vs. indirect?
3. Do you actively verify the living profiles of your suppliers?
4. Have you conducted risk assessments of all your suppliers?
5. How many have you physically visited?
a. What are the issues and where?
b. What improvements have you made?
6. Does your supply chain adhere to your corporate values?
7. Can you tell your supply chain story?
Can you answer?
What good looks like – Risk Management Process
1. Ensures corporate values are aligned with Supply Chain, R&D, Procurement, Risk and Compliance, Sustainability. Avoids opposing forces.
2. Keeps an active database of living and approved supplier profiles.
3. Conducts supplier risk assessments relating to product type, country, private label, critical items, economic or reputational risk issues.
4. Categorizes suppliers into risk profiles.
5. Allocates resources and activities to areas of greatest risk.
6. Conducts on-site validation of critical or higher risk suppliers to verify profiles and measure if they adhere to corporate values.
7. Measures, monitors and improves the performance of suppliers and supports those that adhere to corporate values.
A Layered Approach to Supplier Risk Assessments
Case Study Example
Progression Towards Maximum Compliance
Entry Level Layer
• Manual Supplier Self-Assessments
• No Geographic Risk Intelligence
Layer 1
• Manual Supplier Self-Assessments
• Supply Chain Geographic Risk Intelligence
Layer 2
• Automated Software for Supplier Self-Assessments
• Supply Chain Geographic Intelligence
Layer 3
• Risk Methodology for On-site Audits
• Corrective And Preventative Action Plans
[Diagram axes: SUPPLIER PERFORMANCE; INCREASED SUPPLY CHAIN VISIBILITY AND COMPLIANCE]
Entry Level Layer
• Manual Supplier Self-Assessments
• No Geographic Risk Intelligence
Questionnaire Development
Objectives and Criteria Goals of Questionnaire
• Social Responsibility
• Business Continuity
• Code of Conduct
• Quality
Questionnaire Functionality Needs
• Attachments needed?
• Additional supporting text needed?
• Weight of questions
• Question scored in risk calculation?
• Large attachments needed to be sent and received
• Digging through archives for supplier responses
• Inability to have multiple internal representatives send assessments
• Mass communication limitations
• Read receipts difficult to obtain for emails
• Tracking change requests for new supplier email points of contact
• Follow-up emails required; reminders not customized based on status
• Multiple points of contact for supplier
Sending Assessments from Personal Email
Language Barrier Between You and Your Suppliers
Obstacle:
• You have suppliers you wish to assess in foreign countries who may or may not speak your native language
Without an Automated Software Tool:
• You send out an email with the assessment in English and they may not understand the request
• The supplier may not speak English very well, so they may misunderstand the questions
• They choose to translate the questions through Google, causing information to be lost in translation
• They choose to translate their answers through Google back to English, which gives you a jumbled mess of words that may or may not be correctly translated
• They choose to answer the assessment all in their native language, leaving you to decipher their answers yourself
• They do not complete the assessment because they do not understand
Excel Spreadsheet Tracking Completed Assessments
• Inability to understand where different suppliers are in completion process
• More difficult to filter suppliers based on region, division, product type, SAP number
• Tagging suppliers to specific buyers/agents more difficult
• Hard to track number of reminders, date sent, and the wording of the different emails
Traditional Risk Assessment Approach
Supplier “A” – Checklist Results: 70% Compliant
Supplier “B” – Checklist Results: 70% Compliant
• Assume suppliers are EQUAL risk based on their compliance scores from a simple checklist
• Single-focused self-assessments sent out manually from own email
• No geographic risk incorporated
• No automation
• Unsystematic, single-focused audits
Unsystematic, Single-Focused On-Site Audits
• Business Trip Audits
• Over-Auditing
• Under-Auditing
• Single-Focus Audits
Layer 1
• Manual Supplier Self-Assessments
• Supply Chain Geographic Risk Intelligence
Analyzing the Geographic Threats to Supply Chains – The Minimum Approach
Government Tracking & Alert Websites: insufficient or incorrect information
• This generic threat information gives an inaccurate assessment for issues related to supply chain
• Much of it is not applicable to supply chain threats
• This information does not assess threats in context to other threats in other areas
• The information is dated and does not provide active monitoring for a changing world
You cannot look at traditional Travel Security or Political Stability risk and apply it to supply chain threats
Supply Chain Geographic Risk Intelligence: PERU
Generic Geographic Risk
• Travel Security: Guarded Risk
• Political Stability: Guarded Risk
Supply Chain Specific Geographic Risk
• Natural Disaster Exposure: High Risk
• Natural Disaster Resiliency: High Risk
• Man-made Disruption: Elevated Risk
• Risk of Government Default: Elevated Risk
Country Risk Overview
Country           Number of Suppliers   Business Continuity Risk Rating
ARGENTINA         5                     3
AUSTRALIA         4                     1
AUSTRIA           FUTURE                ??
CHILE             1                     1
CHINA             52                    5
COLOMBIA          6                     3
CZECH REPUBLIC    FUTURE                ??
DENMARK           8                     1
FRANCE            18                    1
IRELAND           FUTURE                ??
MEXICO            12                    3
RUSSIA            6                     4
SWITZERLAND       FUTURE                ??
UNITED KINGDOM    10                    1
UNITED STATES     45                    1
• Procurement comes to Supply Chain divisions to inquire about country risks in emerging markets and new business ventures
• If you’re only assessing current source countries, no analysis readily available
• Manual analysis of country risk prevents the ability to view country risks in a context of a regional view
Supply Chain Geographic Risk Intelligence
Incorporation of Supply Chain Geographic Risk Intelligence into Assessments
Risk variables shown: Human Rights, Environmental, Working Conditions, Natural Disasters, Counterfeits
Supplier “A” (Philippines) – Checklist Results: 70% Compliant + Supply Chain Geographic Risk Variables
Supplier “B” (Taiwan) – Checklist Results: 70% Compliant + Supply Chain Geographic Risk Variables
Supplier Name         Country       Compliance Score - Overall   Geographic Risk – Human Rights   Risk Factor – Annual Value of Spend   Overall Risk Score
Taipei Machines       Taiwan        70%                          Elevated                         Tier 1                                3
Manila Parts          Philippines   70%                          Low                              Tier 2                                2
British Electronics   England       90%                          High                             Tier 2                                2
Manual Generation of Supplier Risk Reports
Many due diligence programs require “evidence of implementation” to show exactly how you approach the supplier risk assessment process.
• Problems manually compiling all of the information gathered on a single supplier
• Formatting of manual reports can be time-consuming
• Number of reports that need to be generated can be overwhelming
• May have to compile many reports on a daily basis if assessments are completed regularly
Layer 2
• Automated Software for Supplier Self-Assessments
• Supply Chain Geographic Intelligence
Best Practice Risk Algorithm Components
Country Risk + Audit Results + Business Criticality Variables
• Probability: Country Risk – country risk variables based on specific risk area of concern
• Vulnerability: Audit Results – questionnaire components based on specific risk area of concern
• Impact/Consequence: Business Criticality Variables – overarching Business Relationship variables, applicable to all risk areas
Automation and Customisation of Supplier Risk Assessment Process
[Diagram: Commodity, Chain of Custody Gaps, Compliance with Assessment, Assessment Compliance, Annual Value, Country Intelligence, Industry-Specific risks = Automated and Holistic Risk Calculation for Global Suppliers (Holistic Risk Output)]
Macro and Micro Views of Risk – all levels within organisation
Assessment Report
Dashboard KPIs
Automation of Communication and Continuous Monitoring
• Eliminating manual sending of communication to suppliers
• Eliminating the manual tracking of completion status
• Automatic reoccurrence of assessment intervals
Layer 3
• Risk Methodology for On-site Audits
• Corrective And Preventative Action Plans
Identifying and Correcting Weaknesses - Corrective And Preventative Action (CAPA)
The CAPA process is designed to identify and correct weaknesses from a completed assessment report
Biggest fault in risk assessment methodology is forgetting CAPA step
Analysing and Reviewing Self-Assessment Results
[Bar chart: self-assessment results by section, on a scale of 0% to 100%]
• C4 - Business Governance
• C5 - Employment Policies - Wage and Remuneration
• C6 - Health and Safety
• C8 - Environmental Management
• C9 - Quality Management
• A2 - Supply Chain Traceability
• A4 - Equal Opportunity and Freedom of Association
• A6 - Business Continuity Management
Business Continuity weaknesses identified
Deep Dive audit for Business Continuity issues
Risk-Based On-Site Auditing
[Diagram: Supplier On-Site Audit + Supply Chain Geographic Risk Variables]
Refine Audit Strategy Using Risk-Based Methodology
[Funnel diagram: Financial spend, Country Risk Intelligence, Self-Assessments, Corrective Actions & On-site Audits; 100 Suppliers, 50 Suppliers, 10 Suppliers]
Contact Us
Courtney Foster
Supply Chain Solutions Manager – [email protected]
+44 7920 768383
This presentation was delivered at a BCI forum event.