WillisWire Contact Author

Issue 07 / October 2015

Managing the political and cyber-related weak spots in your supply chain

At a glance
  • Companies’ preferred mitigation strategies offer little assistance for political and data-related risks
  • Critical to distinguish rhetoric from business reality and identify real threats to the supply chain
  • The integral role of technology to global business operations creates vulnerabilities when dealing with far-flung suppliers
How can risk managers support supply chain professionals to manage political and data-related exposures, asks Alice Underwood

Any mention of global supply chain risk may first bring to mind thoughts of natural disasters: flood, earthquake and tsunami. But as shown by the horrific Rana Plaza collapse in Bangladesh in April 2013, there are many risks for supply chain managers to consider, aside from natural disasters.

Every global company is to some extent a tech company – this creates vulnerabilities, especially when dealing with far-flung suppliers and partners.

More than 1,000 deaths and 2,500 injuries – attributed to shoddy construction, lack of management concern over warning signs such as structural cracks, and pressure to meet shipment deadlines – shocked the world.

The 29 global brands that sourced products from Rana Plaza factories faced not only monetary loss due to business interruption, but also reputational damage over widespread global condemnation of their supply chain practices. 

As reported in The Curious Capitalist, “such events have cost multinational brands billions of dollars, not to mention huge reputational downgrades, in recent years.”

How much attention are risk managers and supply chain executives giving to political risk and other ‘unnatural’ disasters?

Risks and mitigation

A 2014 survey conducted by the University of Tennessee and sponsored by UPS, Managing Risk in the Global Supply Chain, identified the risks of greatest concern to supply chain executives, and their preferred mitigation strategies.

Other than natural disasters, the list contains:

• Business risks: quality, inventory, economics, transit loss, new product delays

• Political risks: political instability, terrorism, customs delays

• Data-related risks: cyber security, intellectual property.

In our experience, it is the ‘business risks’ that are most in the comfort zone of supply chain professionals and risk managers, as evidenced by their preferred mitigation techniques. They seek to do business with the strongest suppliers, to address issues of quality and new product delays. 

Supply chain risks and mitigation strategies

Risk concerns

Risk mitigation strategies

More

They compress cycle times, improve logistics competency, employing predictive modelling techniques, and use expedited shipping when necessary to reduce inventory impacts. Strategies such as increasing the visibility of shipment status and near-sourcing can reduce the potential for transit losses.

But the preferred mitigation studies offer little assistance for the two other major drivers of ‘unnatural’ disasters: political risks and data-related risks.

Political risks: the human factor

Political violence – such as recent and ongoing events in North Africa, the Middle East and Ukraine – can threaten people, goods and transportation routes. But, as the Rana Plaza disaster showed, political risk can also manifest itself in the form of poor building codes and lax enforcement, draconian management practices, and substandard working conditions.

There are many other forms of political risk that can affect a company’s global supply chain. Governments may impose regulatory changes, establish state-supported competitors, expropriate assets or cash flows, or simply block access to ports. Transportation infrastructure may also be made inaccessible due to protests or strikes, making public sentiment another variable in the political risk equation.

Dealings with governments, businesses or even non-profit organisations can present the potential for bribery and corruption scandals. And, of course the sort of political risk we see around eurozone uncertainty was either wholly unexpected or perfectly predictable, depending on which pundit you ask.

A 2011 study by Accenture, Managing Political Risk: Controlling Loss, Finding Opportunity, found that most organisations take a somewhat fatalistic approach to political risks: either accepting such risks as inevitable, or forgoing opportunities because of the associated political risk.

However, there are many strategies that can be deployed to manage and mitigate political risks.

Managing your political hotspots

From the eurozone debt crisis, possible sovereign defaults in Latin America through to security threats in Russia and Ukraine

http://www.resilience.willis.com/articles/2015/04/28/are-you-managing-your-political-hotspots/

The first step is to understand the nature of the risk. Dialogue with local governments and influential non-governmental organisations can bring valuable insight; so can engaging with expert advisors and partnering or joint-venturing with local firms.

It’s critical to distinguish rhetoric from business reality, and identify those issues that could present true problems to the supply chain. To be clear, loss of the ‘social licence’ to operate can be every bit as damaging as loss of an official government licence. Community opposition can preclude hiring necessary talent, force changes in business practices or even force withdrawal from a region.

Among the preferred risk mitigation strategies, only near-sourcing and insurance offer much benefit in the context of political risk, as noted in the article Political Risk and the Supply Chain, published in Risk Management magazine.

Reducing political volatility

Depending on the specific situation, there may be many other ways to mitigate the risk to the supply chain. For example:

• Lobbying can be a legitimate and appropriate means of engaging policymakers in areas such as regulatory change. Relationships with politicians – at the local and regional as well as national level – are often seen to be extremely useful. However, lobbying activities can also be viewed negatively by some constituents, and may themselves give rise to complications if a perception of undue influence develops. For this reason it is crucial to adhere to both the letter and the spirit of local regulations and guidelines. Companies and their public policy advocates should be open about their motivations for supporting particular regulations and opposing others.

• Local outreach and social responsibility initiatives may allay concerns and help people to see the benefit of business operations for the community, preserving the social licence to operate. Positive relationships with local business organisations may establish stronger ties with the community. Ensuring good working conditions, fair wages and other opportunities such as education and healthcare for workers will not only stabilise the social licence in the local region, but also enhance the reputation of the brand and mitigate the potential for adverse publicity around the world. The best companies recognise the potential social impact of the work that they do, seeking opportunities to bring their distinctive skills and capabilities to bear against those social problems they are best able to help address.

Most organisations take a somewhat fatalistic approach to political risks.

• Strong codes of conduct and employee education can help to ensure standards of behaviour are upheld if staff members encounter corrupt practices in the local business environment. It is important for expats to know they are responsible for upholding standards and that it is unacceptable to violate codes of conduct because “that’s the way things are done here”. Educating local hires about what is expected of them – especially if historical business practices in the region may sometimes be at odds with company policies – is crucial. And, as in so many things, the tone at the top cascades far along the chain. There’s little value in a code of conduct when company leaders convey a ‘wink, wink’ attitude. Executives at the global, regional and local level must all clearly model the behaviours they expect of their employees.

• Contingency planning, including identifying alternate suppliers and transportation routes, will help to minimise the impact should the political situation take a turn for the worse. Scenario sets and company network analyses are two useful tools for identifying the most troublesome pressure points. Identify two or three alternatives for each potentially at-risk supplier and transportation route, and develop advance plans for shifting to those alternatives. 

Communicate those plans to those who will need to take action; give your team a chance to develop confidence through an annual table top ‘readiness exercise’. That will minimise the chance of deer-in-the-headlights inaction – or panicked and hasty action, which could prove even more damaging – should the need arise to implement a contingency plan.

Data-related risks

Cyber security has been in the spotlight for much of 2015. When large data breaches suffered by industry-leading firms, world-class educational institutions and powerful government agencies attract media coverage, it’s natural for supply chain managers to worry about potential disruptions to their business.

Could a hacker or a software virus take down a key supplier – or use their system as a back door into other systems? Might trade secrets be compromised when designs, processes or production plans are exchanged electronically?

The truth is every global company is, to some extent, a tech company. Not that their products need be technology focused – though, as the ‘internet of things’ becomes increasingly a ‘thing’, there are more ‘smart’ products than ever before – but technology is integral to the operations of any global business.

This creates vulnerabilities, especially when dealing with far-flung suppliers and partners. We take ease and speed of global communication for granted, which means any disruption or slowdown in those communications can wreak havoc with operations.

Moreover, the quality of the cyber security at vendors and other partners may vary. A cyber-breach that brings down a key supplier could be very damaging. And a vulnerability that’s not immediately apparent could inadvertently enable the creation of a new global competitor.

But technology also gives supply chain managers powerful new tools, which can be deployed more quickly than ever before through cloud platforms, enabling more effective deployment of current risk mitigation strategies and suggesting some new ones.

Global connectivity and the accelerating speed of information mean that supply chain visibility, the third-most-favoured risk mitigation strategy, can bring a powerful real-time or near-real-time view and enable swift action.

Supply chain professionals can operate seamlessly with colleagues around the world, accessing the same high-quality information. That enables further compression of cycle time (the secondmost-favoured strategy).

And the data generated via smart supply chain technology makes it possible to use predictive analytics not just to plan production to fit anticipated demand but also to proactively identify potential issues in the supply chain and even suggest courses of action.

Digital supply networks, as described in a recent Accenture paper, Supply chain management in the cloud: How can cloud-based computing make supply chains more competitive?, mean that “companies can now operate their supply chain networks at speed – successfully executing in the midst of permanent volatility”.

Borderless cyber threats

Why critical infrastructure is more exposed than ever to cyber attacks

http://www.resilience.willis.com/articles/2015/04/28/facing-borderless-cyber-threats/

Reducing cyber exposures

The Willis cyber team recommends the following strategies for minimising, mitigating, and managing cyber risk to the supply chain:

• Cyber training and governance: employees and key partners need to know about phishing and malware. “Don’t click the link” is one of the most powerful ways to reduce cyber risk, and yet it is commonly ignored. Hands-on training exercises that present employees with examples of the kinds of emails that can conceal malware are perhaps the most powerful way to get the point across. Furthermore, employees and partners must understand data encryption protocols and the IT staff must actually enforce them.

• Prioritise critical intellectual property: what are the ‘crown jewels’ of your company’s data – the most valuable trade secrets, intellectual property and information about strategic plans and sources of revenue? This will show you where to focus your efforts. 

• Identify vulnerabilities: the IT staff should know where data is stored, how it is accessed, and how and when it is transmitted. Those with access to important data and systems can include employees, vendors and service providers – as well as customers. Each of these links can present vulnerability for inadvertent breach or malicious infiltration.  It’s also important to review vendor contracts to verify who is responsible for identifying whom should a breach or business interruption event occur.

• Provide leadership with actionable information: after collecting and analysing information on vulnerability and threats, this often highly technical material must be conveyed to decision makers in a concise and understandable format. Business leaders need to understand the risks, their potential effects and the alternative courses of action. 

• Invest in adequate protection: there are numerous tools available to protect company systems and data, including firewall and encryption software and routines that prevent the use of unauthorised USB drives. Your access protocols can require two-step verification and strong passwords, as well as limiting the duration passwords can remain in effect; it’s also important not to make the requirements so onerous that individuals resort to writing them on easily found scraps of paper (which comes back to training). Going beyond these types of access measures, there are software packages that can provide active threat identification and monitoring. Establish guidelines for reviewing and upgrading all of these technological measures as needed, since the cyber landscape changes quickly.

Perhaps the most important step of all is to develop and test a response plan for cyber events. The playbook should outline steps to take in case of an event so that no one is left to make a rushed and unprepared decision, and practice exercises can identify ways to improve this plan as well as building skills to enable the most appropriate response.

Insurance as a strategy

A study of over 800 supply chain disruptions taking place between 1989 and 2000 (An Empirical Analysis of the Effect of Supply Chain Disruptions on Long-Run Stock Price Performance and Equity Risk of the Firm, produced by Production and Operations Management ) found that affected firms saw their shareholder returns decrease almost 40% while share price volatility increased by 13.5%. 

But, as the University of Tennessee paper points out, “While risk cannot be eradicated, it can be identified, assessed, quantified, and mitigated. Once a risk management plan is developed, it can become a competitive advantage because so few firms have one.” This seems an excellent reason to deploy all the favoured mitigation techniques – but there is another reason that was less favoured by supply chain professionals: insurance.

Insurance is much more than just a financial instrument. Insurance underwriters commonly work with their policyholders to reduce risk: reduced premiums offer a direct incentive for risk reduction, which also benefits the insurance company. And reduced risk benefits society: incrementally, it increases the standard of living for everyone in the supply chain.

Since insurance reminds companies to focus on the ‘unnatural’ disasters that threaten the supply chain, as well as natural disasters such as floods and earthquakes, it not only provides financial assistance to keep the economy moving – but also helps multinational companies and their regional suppliers reduce the likelihood of tragedies like the Rana Plaza collapse. That’s a link to a better future.

Find out more

Photo of Alice Underwood
Alice Underwood

alice.underwood@willis.com

Alice is an executive vice-president with Willis Re and leads the Analytics team for Willis Re North America, encompassing actuarial, catastrophe modeling, financial and rating agency advisory, and ERM services.

WillisWire
Tracking aviation’s journey: From a travel option for developed countries to a global economic tool
For the average traveller, booking a flight appears to have become a very simple process. Open a browser, select one of various travel search engines, select your preferred flight, time, price and airline, input your credit card details and pack …
Life after Brexit? Risks and Opportunities for U.K. Retailers
Rising inflation, less favorable exchange rates, higher import costs…these are but some of the challenges facing U.K. retailers in the post-Brexit world. As part of a series of updates on the effects of Brexit on various U.K. industries, Willis Towers …
Influencing risk culture within the transport industry
A fatal tram accident, online retailers’ accusations of dangerous driving practices, and a conviction following a fatal road collision have pushed fleet operators and their risk management practices into the spotlight in recent months. As well as the human cost, …
What a Hard Brexit Could Mean for U.K’s Transport Industry
The possibility of a “hard Brexit” from the European Union (EU) following the June 8 general election could change market dynamics for many transport companies, and spark questions about present business models. If conservatives retain power as current polls suggest, …
Photo of Alice Underwood
Alice Underwood

alice.underwood@willis.com

Alice is an executive vice-president with Willis Re and leads the Analytics team for Willis Re North America, encompassing actuarial, catastrophe modeling, financial and rating agency advisory, and ERM services.

Sign up to our newsletter

Willis

Willis Group Holdings plc is a leading global risk advisor, insurance and reinsurance broker. With roots dating to 1828, Willis operates today on every continent with more than 18,000 employees in over 400 offices. Willis offers its clients superior expertise, teamwork, innovation and market-leading products and professional services in risk management and transfer. Our experts rank among the world’s leading authorities on analytics, modelling and mitigation strategies at the intersection of global commerce and extreme events.

Find more information at our website, www.willis.com

About Resilience

Resilience is the risk management magazine from Willis for business leaders around the world. Each issue explores the latest trends and issues facing multinational businesses as they compete in an increasingly dynamic and interconnected threat landscape.

Subscribe today.