When the norm for computer operations was locating all computing resources within a single location, IT concentrated on maintaining frequent and accessible backups of the company data. Copies of the backup were moved offsite. Some organizations even created replication sites where they installed duplicate (but usually smaller) systems that could be brought online by restoring the offsite backup in the case of a local disaster that rendered the main facilities unavailable. For a lot of companies, the process and practice have changed... mostly for the better.

For those of us involved in the supply chain, the definition of disaster is very different from what many companies consider to be disasters. When problems occur with our trading partners in different parts of the world, they cause a ripple effect that can be just as damaging to business as a local flood or power outage. So even if our company has migrated its operations to cloud-based infrastructure in which little if any computing infrastructure is located within our physical walls, disasters that are more like flash floods can surprise us and cause significant problems for our businesses.

Becky Partida, research specialist at APQC, reported in Spend Matters about a study APQC performed last year. Most of the report confirms what seems intuitively correct:

  • 83% of the respondents had at least one supply chain disruption in the previous 2 years. 
  • 78% of those had disruptions that were serious enough that top management needed to get involved.

What surprised me about the results was that only 5% of the respondents had not performed any security assessments of their supply chain. I would have expected the number to have been much higher simply because of the complexity of the tasks. This is not a simple process of testing the backup plan to verify it is viable. Rather it involves working through the downstream supply chain and asking for verification of each of the significant suppliers, and understanding the threats they may encounter.

Of course, the next step is at least as complex and filled with possible problems - understanding and planning for contingencies. But from the way I read the report, few manufacturers ever get to that point, making the finding much grimmer than would be indicated by the 5% number. In order to have a contingency or backup plan, the evaluation of the risk needs a reasonable depth of analysis of the resiliency of the downstream supplier network. But that isn't what the report shows.

Instead of deep and verifiable analysis, APQC reports that 48% use "informal risk assessments such as site inspections and conversations with suppliers' managers." And those managers probably don't have significant incentives to accurately disclose issues they know about, much less the nightmares they have about less likely issues. But it gets worse. "The second largest group (40 percent) relies on the judgment of procurement and operating professionals to determine potential risks." I take that to mean simple guesswork by the manufacturer's own professionals - devoid of actual facts. I don't mean to imply the company's staff are trying to make light of issues. It's simply that they are giving their best guesses based on incomplete investigation.

My takeaway is that our global supply chain is at significantly more risk than anyone wants to understand, and that while there are some efforts under way to assess the risk, those efforts are half-hearted and lack significant will (and funding) to not only understand the risks, but to develop remediation plans. The results of supply chain breakdowns could be as simple as causing a delay in the latest delivery of the next smartphone or the next year's car model. Or results could be as serious as delaying vaccines and emergency equipment during the next natural disaster.
