Supply Chain Risk Management Framework
Supply Chain Risk Leadership Council
Cisco Case Study, Jan 2008
Confidential – Do Not Forward Outside SCRLC

Supply Chain Risk Framework: Cisco Case Studies
[Figure: SCRLC supply chain risk framework]
• Risk management components (risk management is an iterative process): Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring
• Types of risk (not mutually exclusive): Physical, Process, Institutional
• Supply chain scope: X-Tier Supplier, First-tier Supplier, Your Company, Primary Customer, Downstream Customer. Includes links (logistics and electronic transfer of information) between supplier, your company, and customer
• Theoretical Cisco SC risk events: Factory Site Risk, Commodity Supplier Bankruptcy

Risk Management Components

Cisco’s Interpretation of the Risk Management Components
SCRLC Framework Component: Cisco Risk Component
• Internal Environment: Corporate Commitment
• Objective Setting: Strategic Intent
• Event Identification: Relevant risk identification
• Risk Assessment: Modeling and Analytics
• Risk Response: Risk mitigation and response
• Control Activities: Verification and audit
• Information & Communication: Metrics, Crisis Response
• Monitoring: Metrics, Supply Chain review

Cisco - Internal Environment (Corporate Commitment)
“Business Continuity is extremely important. My commitment to our Business Continuity is complete…it has to be. …Business non-Continuity is an unacceptable option for Cisco customers.” John Chambers, CEO
• Monthly Risk Review
• Quarterly Functional Review
• Biannual Investment Committee Risk Review
• Annual Board Risk Review

Cisco - Internal Environment (Corporate Commitment)
• Risk Assessments: coordinated approach to prioritize and drive initiatives
• Risk Review Group: governing cross-functional body (monthly meetings)
• Risk Data Base: risk categorization for management and tracking of risk activities
[Diagram labels around the Risk Review Group: Sales, ERM, SOX, Quality, CSPO, Legal, Corporate Finance & Tax, Brand Protection, ICS, Supply Chain, IT Risk Mgmt]

Cisco - Internal Environment (Corporate Commitment)
[Organization chart labels: CEO, CFO, COO, GSCM, GBO, GRM, ERM, BR, Treasury, GRIM, SCRM]

Cisco - Internal Environment (Corporate Commitment)
✓ Global Supply Chain Management (GSCM) leadership embraces risk management
○ Challenges remain with:
  ○ Internal adoption/change management
  ○ Embedding risk into every decision (DNA)
  ○ Legacy suppliers, technology, products and sites

Cisco - Objective Setting (Strategic Intent)
✓ Mission is to protect continuity of supply during a supply chain disruption
✓ SCRM targeting biggest risks first identified through data analysis and/or hot issues
○ Specific site, supplier, technology, and product thresholds are pending

Cisco - Event Identification (Relevant Risk Identification)
✓ Multiple processes in place to identify and categorize SCRM risks
  ✓ Event inventories
  ✓ Scenario analysis
  ✓ Internal analysis
  ✓ Loss event data methodologies
  ✓ Escalation or threshold triggers
  ✓ Facilitated workshops and interviews
  ✓ Process flow analysis
○ Leading event indicators - pending
○ Interdependencies - pending
○ Process to identify risks that provide opportunities
Sample Risks
• EMS supplier failure
• Order entry holds
• Component markets
• West Coast earthquake
• Gulf Coast Hurricane
• Enterprise SW upgrade
• Memory supplier failure
• Supplier ERP transition

Cisco - Risk Assessment (Modeling & Assessment)
Risk Engine Discussion Agenda
• What it is and how it works
• Risk Engine Framework
• Inputs into the Risk Engine
• How Simulation Works
• How we use it
• Next Steps

Cisco - Risk Assessment (Modeling & Assessment)
What is the Risk Engine?
The Risk Engine generates thousands of scenarios of potential supply chain disruptions and calculates the amount of revenue that can be impacted.
How it works:
• Identifies possible supply chain disruptions
• Likelihood of occurrence
• Range of possible scenarios and severity
• Randomly makes different disasters occur
• Calculates revenue impacted in the worst disasters

Cisco - Risk Assessment (Modeling & Assessment)
Risk = Likelihood x Impact
     = Probability / Frequency x Severity
Severity:
• Time to Recover (TTR)
• Capacity Loss %
• Revenue

Risk Engine v5 Framework
Inputs:
• Disruptions / Events
• Frequency/Probability (Site, Region, Component)
• Capacity/SC Impact
• Time to Recover (Site & Supplier)
• Inventory and Capacity Upside
• Capacity Loss - Severity (Site & Supplier)
• Redundancy (Product)
• BOM & Component Suppliers
• Financial Impact
• Revenue Enabled (Site & Component)
Integrated Model:
• Excel Based Model
• Off the shelf Simulation Engine
• Simulates 1000s of scenarios
• ~4300 Individual Input Parameters
Outputs:
• Revenue @ Risk (E2E, Prod, Site, Component)
• Sensitivity Analysis identifying risk drivers
• What-if Analysis
[Chart: Annual Rev @Risk ($ in Millions), dated 8/13/07. Periods: BASELINE, Q4 FY06, Q1 FY07, Q2 FY07, Q3 FY07, Q4 FY07, FY08 (actuals and forecasted). Series: Estimated Avg of ALL Scenarios, Avg of Worst 5%. Annotations: OCT 05 ASIC Policy, C750 ASIC, Crisis Mgmt, Facility Impr]
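The simulation approach described on the Risk Engine slides, as an added example that is not Cisco's model or code: each simulated year randomly triggers disruptions by likelihood, draws a time to recover and a capacity loss, and reports the average revenue impact over all scenarios and over the worst 5%. The event list, dollar figures, uniform distributions and the inventory-buffer treatment are assumptions constructed for illustration.

```python
import random
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Disruption:
    name: str
    annual_probability: float  # likelihood of the event in a given year
    ttr_weeks: tuple           # (min, max) time to recover, in weeks
    capacity_loss: tuple       # (min, max) fraction of capacity lost
    weekly_revenue: float      # revenue enabled by the site/supplier, $M per week
    buffer_weeks: float = 0.0  # outage covered by inventory or capacity upside

# Constructed sample inputs (assumptions, not figures from the deck).
EVENTS = [
    Disruption("Factory site fire", 0.02, (8, 26), (0.5, 1.0), 40.0, 2.0),
    Disruption("Commodity supplier bankruptcy", 0.05, (4, 16), (0.2, 0.6), 25.0, 3.0),
]

def simulate_year(events, rng):
    """Revenue impacted ($M) in one randomly generated year."""
    impacted = 0.0
    for e in events:
        if rng.random() < e.annual_probability:       # does the disaster occur?
            ttr = rng.uniform(*e.ttr_weeks)           # severity: time to recover
            loss = rng.uniform(*e.capacity_loss)      # severity: capacity loss %
            exposed = max(0.0, ttr - e.buffer_weeks)  # weeks not covered by buffer
            impacted += exposed * loss * e.weekly_revenue
    return impacted

def revenue_at_risk(events, scenarios=20000, tail=0.05, seed=1):
    """Average impact over all scenarios and over the worst `tail` share."""
    rng = random.Random(seed)  # fixed seed so what-if runs are comparable
    results = sorted((simulate_year(events, rng) for _ in range(scenarios)),
                     reverse=True)
    worst = results[:max(1, int(scenarios * tail))]
    return {"avg_all": sum(results) / scenarios,
            "avg_worst_tail": sum(worst) / len(worst)}

def with_ttr(events, name, ttr_weeks):
    """What-if: same events, but one event recovers within a new TTR range."""
    return [replace(e, ttr_weeks=ttr_weeks) if e.name == name else e
            for e in events]

if __name__ == "__main__":
    print("baseline:", revenue_at_risk(EVENTS))
    faster = with_ttr(EVENTS, "Factory site fire", (4, 13))
    print("faster site recovery:", revenue_at_risk(faster))
```

Because the seed is fixed and only the TTR range changes, the what-if run sees the same random disasters as the baseline, so the difference between the two results is attributable to the shorter recovery time alone.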

Cisco - Risk Assessment (Modeling & Assessment)
In Scope for RE
• Catastrophic events occurring infrequently but with potential for massive disruptions
• Business Continuity Revenue Impact
Out of Scope for RE
• Ongoing operational disruptions: ECOs, purges, line stops due to quality issues, component supply disruption, etc.
• Capacity issues
• Ongoing demand fluctuations
• Competitive strategies
• Cost and lead time impact of disruptions

Cisco - Risk Assessment (Modeling & Assessment)
✓ Probabilistic modeling identifies potential impact of site risk, e.g., fire, and supplier bankruptcy
[Charts: Factory Site Risk; Commodity Supplier Bankruptcy]

Cisco – Risk Response (Risk Mitigation & Response)
✓ Possible Proactive Responses:
  ✓ Avoidance
  ✓ Reduction
  ✓ Sharing
  ✓ Acceptance
○ Proactive risk response process in GSCM is not yet institutionalized

Cisco – Risk Response (Risk Mitigation & Response)
✓ Reactive response process in place:
  ✓ Corporate Crisis Management Team (CCMT)
  ✓ Theater Crisis Management Team (TCMT)
  ✓ Manufacturing Crisis Management Team (MCMT)

Cisco – Control Activities (Verification & Audit)
• Cisco conducts Crisis Team drills quarterly and is conducting 10 additional partner BCP Validation exercises in H1’08
• Alternate internal and external process and capabilities:
  - Internal Pandemic and Datacenter Failure Response
  - Partner Typhoon and Tornado Response
• Drills focus on:
  - Verifying Time To Recover (TTR) commitments provided by partners
  - Developing working relationships between Cisco and partner Crisis Response Teams
  - Practicing internal communications and response procedures
  - Identifying areas for improvement

Cisco – Control Activities (Verification & Audit)
✓ Supplier Business Continuity Plans (BCP)
  ✓ Annual BCP evaluation of top 100 suppliers
  ✓ Biannual BCP Light program to collect BCP data from all suppliers
    - Includes 600 suppliers of Cisco
    - Collect BCPs, Recovery Times, Factory Locations, Emergency Contacts
    - Refresh data every 6 months
    - On-line, automated allowing for data mining and analysis
✓ New BCP Validation exercises @ 10 sites in FY08
✓ Annual site inspection by insurer of CMs and 3PLs generates site risk reports shared with Cisco and supplier

Cisco – Control Activities (Verification & Audit)
The BCM Framework outlines the partnership between Global Risk Management BCM and every business organization to respond and bounce back from any business interruption by embedding BCM into their operations.
[Figure: BCM framework. Labels: BCM Program Initiation; Assessment; Business Continuity Plan Development; Table Top Testing; Embedding BCM; Report Metrics; Global Risk Management; BCM Ongoing Operations; Update BIAs; Maintain Plans; Ongoing Training; Ongoing Testing; BCM Training; Business Functions (Manufacturing, Sales, Customer Service and Support, etc.)]

Cisco - Information & Communication (Metrics, Crisis Response)
✓ Risk metrics presented regularly within manufacturing and to ERM council
✓ Ongoing external communication with suppliers via BCP process
✓ Crisis notifications distributed as needed to appropriate audience
○ Internal roadshow on process & procedures pending

Cisco – Monitoring (Metrics, Supply Chain Review)
✓ Ongoing SCRM monitoring activities include:
  ✓ BCP process
  ✓ Physical site inspections identify critical risks
  ✓ Supplier scorecards identify supplier financial concerns
✓ Ad hoc escalations, e.g., a commodity manager escalates on financial concerns or identifies site risk while on a site visit
✓ Quarterly metrics review and top 10-15 lists of projects/risks
○ Ad hoc risk analysis by functional teams
○ Development of Manufacturing Crisis Dashboard underway to post immediate risks

Risk Mitigation Effects – Cisco Examples
Risk Map Before Response / Controls (Recovery & Response Plans Required)
[Figure: risk map of Likelihood against Impact (Revenue at Risk), with risks numbered 1-8 and a Limit of Risk Tolerance line (pending for Cisco). Risk 2: Factory Site Risk. Risk 5: Commodity Supplier Bankruptcy.]

Risk Mitigation Effects – Cisco Examples
Site Risk Recovery & Response Plan
- Annual insurer report shows key risk at a legacy site
- SCRM analyzes expected revenue impact and TTR of the worst-case scenario event
- Request quote to fix from supplier
- If ROI justifies, pursue gap mitigation
- New inspection should remove key risk
- If ROI does not justify, accept site risk and explore other mitigation options

Risk Mitigation Effects – Cisco Examples
Supplier Bankruptcy Recovery & Response Plan
- Quarterly internal financial assessment shows declining financial health
- Further research verifies poor finances and/or potential bankruptcy
- Start withholding new business
- Identify and develop feasible alternate sources
- If dual sourcing not available, explore other mitigation options

Risk Mitigation Effects – Cisco Examples
Risk Map After Response / Controls (Recovery & Response Plans Complete)
[Figure: risk map of Likelihood against Impact (Revenue at Risk), with risks numbered 1-8 and a Limit of Risk Tolerance line (pending for Cisco). Risk 2: Factory Site Risk. Risk 5: Commodity Supplier Bankruptcy.]

Supply Chain Risk Framework: Cisco Case Studies
Questions?