Supply Chain Risk Management Ken Lawlis Supply ChainProject

Supply Chain Risk Management Ken Lawlis Supply Chain/Project Management Professional

Agenda 1. 2. 3. 4. 5. 6. 7. 8. Introduction University of Bath Video – Supply Chain Risk Management (duration 4: 38) Canadian Professional Logistics Institute – Risk and Resilience Conference Threat, Vulnerability, Risk & Resilience – Defined Practical Guide to Risk Management (Pw. C) Kirov’s Supply Chain Risk Register – Overview Kirov’s Tools for Risk Assessment From Risk to Resilience – Deloitte’s Model for Identifying, Assessing and Mitigating Supply Chain Risk 9. Conclusions - Tom Teixeira, Supply Chain Risk in a Global Economy (duration 4: 19) 10. Suggested/Further Reading 2015 -06 -24 2

INTRO – Biographical Data – Ken Lawlis • • • 40 years in Supply Chain Management (Coca-Cola, National Grocers/Loblaws, CSC, PSC, AARLIS Consulting Inc. , CIHI – have returned to private consulting Most of my career has been focussed on Public Safety Masters candidate in IPIS – (sponsored by Department of Civil and Environmental Engineering and the Norman Paterson School of International Affairs at Carleton University) PMP MCPM – Masters Certificate in Project Management P. Log. Member of: APICS, Canadian Professional Logistics Institute, PMI, Project Management Association of Canada (PMAC), Canadian Public Procurement Council, Canadian Advanced Technology Alliance (CATA) – Cyber Crime Cyber Terrorism Working Group Graduate Studies in the MA program in Public Policy & Administration BA (Hons) Political Science – focus: Economics and International Affairs Executive training – Queen’s University, Carleton University, the Canadian Professional Logistics Institute, Public Works and Government Services Canada (Procurement, EDP Project Management, Negotiations, Strategic Planning) 2015 -06 -24 3

Supply Chain Risk Management Video https: //youtu. be/cq 1 PL 1 eo 4 ZU Professor Brian Squire, Information, Decision and Operations Group, Supply Chain Risk Management – University of Bath – September 6, 2013 – duration 4: 38 2015 -06 -24 4

National Conference on Supply Chain Risk and Resilience The Logistics Institute – April 16, 2015 -06 -24 5

National Conference on Supply Chain Risk and Resilience The Logistics Institute – April 16, 2015 -06 -24 6

National Conference on Supply Chain Risk and Resilience The Logistics Institute – April 16, 2015 -06 -24 7

National Conference on Supply Chain Risk and Resilience The Logistics Institute – April 16, 2015 -06 -24 8

National Conference on Supply Chain Risk and Resilience The Logistics Institute – April 16, 2015 -06 -24 9

Presentation Materials • The presentation materials from the Canadian Professional Logistics Institute’s April 16, 2015 Conference on Supply Chain Risk & Resilience may be accessed at: http: //www. loginstitute. ca/event-risk-and-resilience-conference. html 2015 -06 -24 10

Threat The presence of a hazard an exposure pathway - threats may be natural or humaninduced, either accidental or intentional (source: Federal Emergency Response Plan (2009) – Public Safety Canada) 2015 -06 -24 11

Vulnerability A characteristic or attribute of an asset which renders it susceptible to the effects of an incident. Vulnerability informs both the likelihood and consequences of an incident (source: Risk Management Guide for Critical Infrastructure Sectors, Public Safety Canada) 2015 -06 -24 12

What is Risk? Risk refers to the uncertainty that surrounds future incidents and outcomes. It is a function of the likelihood and consequences of an incident – the higher likelihood and/or the greater the consequences, the greater the risk (source: TBS Integrated Risk Management Framework) 2015 -06 -24 13

Risk Management …is systematically setting the best course of action under uncertainty by identifying, assessing, understanding, acting on and communicating risk issues (source: TBS Integrated Risk Management Framework) 2015 -06 -24 14

Resiliency Resilience is seen as the ability to accommodate abnormal threats and events, be they terrorist attacks, or perturbations from climate change, or natural disasters such as earthquakes or floods, or economic shocks. Most definitions, particularly those involving individuals, communities and organizations also refer to identifying, assessing and communicating the risk from such threats and events. http: //torrensresilience. org/resilience-and-risk 2015 -06 -24 15

Risk & Resiliency The traditional definition of risk is a measure that reflects the probability and the magnitude of an adverse effect. More recently a broader and more balanced definition has been adopted by the risk management community which recognizes that individuals and organizations take risk to achieve potential benefits. Individuals, communities and organizations which are prepared and ready for an abnormal event, tend to be more resilient. Understanding the probability and the magnitude of potential threats enables an organization to make decisions on how best to reduce the probability and/or impact of such threats, to transfer the risk by taking out adequate insurance, or indeed to do nothing and be ready to accept the potential consequences. http: //torrensresilience. org/resilience-and-risk 2015 -06 -24 16

Risk Mitigation It will never be possible to completely remove the probability of a disruptive event. Supply Chain leaders are expected to have processes which aim to identify, analyse and evaluate risks and through consultation, agree upon levels of residual and tolerable risk, and to take decisions on mitigating the risks. If risk mitigation is conducted in a formal and open manner, organizations are much more willing to accept the consequences of a disruptive event as people are then aware that all reasonable action was taken to reduce the probability and/or impact. In such circumstances, businesses/organizations will more readily recover and return to normality. They are more resilient. http: //torrensresilience. org/resilience-and-risk 2015 -06 -24 17

Simple Graphical Representation of Resilience 2015 -06 -24 18

Pw. C Risk Response Strategies 2015 -06 -24 19

Risk Assessment Methodology 2015 -06 -24 20

Kirov’s Risk Register Acknowledgement • Krasimir Kirov holds a Master Degree in Industrial Management and is a Certified Supply Chain Professional (CSCP) and member of APICS. He is a certified Lean Six Sigma Black Belt and certified in Sales and Operations Planning by the S & Op Institute. His book, entitled: Supply Chain Risk Management: Minimize Disruptions, Reduce Risk and Make Your Supply Chain Resilient is a great read. The risk register that follows was provided gratis to those who purchased his book, along with a wide variety of tools to characterize, identify and mitigate SC risk. 2015 -06 -24 21

Kirov’s Risk Register External, End to End Supply Chain Risks 1. Natural Disasters • Epidemics • Earthquakes • Tsunamis • Volcanoes • Weather disasters (hurricanes, tornados, storms, blizzards, floods, droughts) 2015 -06 -24 22

Kirov’s Risk Register External, End to End Supply Chain Risks 2. Accidents • Fires • Explosions • Structural failures • Hazardous spills 2015 -06 -24 23

Kirov’s Risk Register External, End to End Supply Chain Risks 3. Sabotage, Terrorism, Crime, and War • Computer attacks • Product tampering • Intellectual theft • Physical theft • Bombings • Biological and chemical weapons • Blockades 2015 -06 -24 24

Kirov’s Risk Register External, End to End Supply Chain Risks 4. Government Compliance and Political Uncertainty • Taxes, customs, and other regulations • Compliance issues • Regulatory financial reporting (e. g. , Sarbanes. Oxley) • Operations • Logistics / Trade • Regulatory Approvals - Marketing Approvals 2015 -06 -24 25

Kirov’s Risk Register External, End to End Supply Chain Risks 4. Government Compliance and Political Uncertainty • • Public Health Environmental requirements Trade restrictions (e. g. , Buy American Act) Regulatory Audit history Currency fluctuations Political unrest Boycotts 2015 -06 -24 26

Kirov’s Risk Register External, End to End Supply Chain Risks 5. Labour Unavailability and Shortage of Skills • Availability • Quality • Cost • Unrest • Strikes and slowdowns 2015 -06 -24 27

Kirov’s Risk Register External, End to End Supply Chain Risks 6. Industry-wide (i. e. , Market) Challenges • Capacity constraints • Unstable prices • Lack of competition • Entry barriers • Capital requirements • Specific assets 2015 -06 -24 28

Kirov’s Risk Register External, End to End Supply Chain Risks 6. Industry-wide (i. e. , Market) Challenges • Process patents • Shrinking industry • Low supplier profitability • Certification • Cost trends • Recessions/Inflation 2015 -06 -24 29

Kirov’s Risk Register External, End to End Supply Chain Risks 7. Lawsuits • Environmental • Health and safety • Intellectual property 2015 -06 -24 30

Kirov’s Risk Register External, End to End Supply Chain Risks 8. Technological Trends • Emerging technologies (pace/direction) • Obsolescence • Other technological uncertainty 2015 -06 -24 31

Kirov’s Risk Register Supplier Risks: External, Contract Manufacturers or Internal Business Unit 1. Physical and Regulatory Risks • Key Suppliers Located in High Risk Areas • Material Unavailability/Poor Planning – Raw materials – Other materials • Legal Noncompliance / Ethical practices – – – 2015 -06 -24 Labour practices Safety practices & performance Environmental practices History & outcomes of lawsuits Tax practices 32

Kirov’s Risk Register Supplier Risks: External, Contract Manufacturers or Internal Business Unit 1. Physical and Regulatory Risks • Regulatory Noncompliance – Customs/trade – Security clearance requirements – History & outcomes of regulatory audits – Regulatory certification requirements (e. g. , Food & Drug Administration, Federal Aviation Administration) – Critical disclosure – International Traffic & Arms Regulations 2015 -06 -24 33

Kirov’s Risk Register Supplier Risks: External, Contract Manufacturers or Internal Business Unit 2. Production Problems • Capacity – Too little, too much, or diminishing – Order and shipping times – Out of stock (i. e. , no/low inventory) – Performance history, equipment age & downtime (manufacturing & testing equipment) – Repair cycle time 2015 -06 -24 34

Kirov’s Risk Register Supplier Risks: External, Contract Manufacturers or Internal Business Unit 2. Production Problems • Inflexible Production Capabilities (Long setup times) • Technological Inadequacies or Failures – Incompatible information systems – Slow adoption of new technology 2015 -06 -24 35

Kirov’s Risk Register Supplier Risks: External, Contract Manufacturers or Internal Business Unit 2. Production Problems • Poor Quality – Defects / contamination in manufactured product – Mislabeling of items – Lack of training or knowledge • Lead Times – Backlogs – Unresponsive – Unreliable – Variable 2015 -06 -24 36

Kirov’s Risk Register Supplier Risks: External, Contract Manufacturers or Internal Business Unit 3. Financial Losses and Premiums • Degree of Competition/Profitability – Downstream integration or too much competition – Little/no competition - sole source – Mergers & Acquisitions • Financial Viability – Inability to sustain in a downturn – Bankruptcy – Withdrawal from the market 2015 -06 -24 37

Kirov’s Risk Register Supplier Risks: External, Contract Manufacturers or Internal Business Unit 4. Management Risks • Inadequate Risk Management Planning – Lack of business continuity plans – Lack of requirements for supplier's supplier business continuity plans • Management Quality – High turnover – Dishonesty – Poor labour relations – Poor metric scorecards 2015 -06 -24 38

Kirov’s Risk Register Supplier Risks: External, Contract Manufacturers or Internal Business Unit 4. Management Risks • Substituting inferior or illegal materials/parts – Failing to perform required treatments/tests – Submitting inaccurate/false invoices • Lack of Continuous Improvement – Unwillingness – Cost escalation – Opaque processes – Opportunistic behavior 2015 -06 -24 39

Kirov’s Risk Register Supplier Risks: External, Contract Manufacturers or Internal Business Unit 4. Management Risks – Inflation of purchase costs • Dependence on One or a Few Customer(s) • Poor Communication – Internal – External – Transparency of data & operations 2015 -06 -24 40

Kirov’s Risk Register Supplier Risks: External, Contract Manufacturers or Internal Business Unit 5. Upstream Supply Risks (i. e. , Subcontractors and their Subcontractors) • Any of the above external/supplier risks • Lack of visibility into subcontractors • No or poor relationships with subcontractors • Diminishing sources of supply • Transition “costs” for new suppliers 2015 -06 -24 41

Kirov’s Risk Register Distribution Risks/Disruptions: Inbound or Outbound 1. Infrastructure Unavailability • Roads • Rails • Ports • Air capacity/availability 2015 -06 -24 42

Kirov’s Risk Register Distribution Risks/Disruptions: Inbound or Outbound 2. Assets - Lack of Capacity or Accidents • Containers • Trucks • Rail cars • Ships • Airplanes 2015 -06 -24 43

Kirov’s Risk Register Distribution Risks/Disruptions: Inbound or Outbound 3. Labor Unrest/Unavailability • Truck drivers • Rail operators • Longshoremen • Pilots 2015 -06 -24 44

Kirov’s Risk Register Distribution Risks/Disruptions: Inbound or Outbound 4. Cargo Damage/Theft/Tampering • Physical damage • Theft and other security problems • Tracking the damage • Environmental controls (e. g. , temperature, humidity) 2015 -06 -24 45

Kirov’s Risk Register Distribution Risks/Disruptions: Inbound or Outbound 5. Warehouse Inadequacies • Lack of capacity • Inaccessibility • Damage • Environmental controls (e. g. , temperature, humidity) • Lack of security 2015 -06 -24 46

Kirov’s Risk Register Distribution Risks/Disruptions: Inbound or Outbound 6. IT System Inadequacies/Failures 7. Long, Multi-Party Supply Pipelines • Increased chance of all problems above • Longer lead time 2015 -06 -24 47

Kirov’s Risk Register Internal Enterprise Risks 1. Operational Risk • Loss of Inventory (damage, obsolescence) • Equipment loss, mechanical failures • Process Issues – Process reliability – Process robustness – Lead time variability – Inflexible Production Capabilities (long set up times, etc. ) 2015 -06 -24 48

Kirov’s Risk Register Internal Enterprise Risks 1. Operational Risk • Capacity • Too little, too much, or diminishing • Order and shipping times • Out of stock (i. e. , no/low inventory) • Performance history, equipment age & downtime (manufacturing & testing equipment) • Repair cycle time 2015 -06 -24 49

Kirov’s Risk Register Internal Enterprise Risks 1. Operational Risk • • • Poor Quality Defects in manufactured product Failure to maintain equipment Lack of training or knowledge Environmental performance to permits / other 2015 -06 -24 50

Kirov’s Risk Register Internal Enterprise Risks 2. Government Compliance and Political Uncertainty • • Taxes, customs, and other regulations Currency fluctuations Political unrest Boycotts 2015 -06 -24 51

Kirov’s Risk Register Internal Enterprise Risks 3. Demand Variability/Volatility • Drawdown of the stockpile • Exceeding maintenance replacement rate • Shelf life expiration • Surges exceed production, repair, or distribution • Shortfalls 2015 -06 -24 52

Kirov’s Risk Register Internal Enterprise Risks 4. Personnel Availability/Skills Shortfalls • Sufficient number • Sufficient knowledge, skills, experience • Union contract expiry • High turnover rate 2015 -06 -24 53

Kirov’s Risk Register Internal Enterprise Risks 5. Design Uncertainty • Changes to requirements • Lack of technical detail • Lack of verification of product • Changes to product configuration • Poor specifications • Reliability estimates of components • Access to technical data • Failure to meet design milestones • Design for supply chain (e. g. , obsolescence, standardization, and commonality) 2015 -06 -24 54

Kirov’s Risk Register Internal Enterprise Risks 6. Planning Failures • Forecast reliability/schedule availability • Planning data accuracy • Global visibility of plans & inventory positions • Competition/bid process • Acquisition strategy • Manufacturability of a design • Program maturity • Subcontracting agreements 2015 -06 -24 55

Kirov’s Risk Register Internal Enterprise Risks 7. Financial Uncertainty/Losses • Funding availability • Work scope/plan creep • Knowledge of supplier costs • Strategic risk 2015 -06 -24 56

Kirov’s Risk Register Internal Enterprise Risks 8. Facility Unavailability/Unreliability/ Capacity • Facility breakdown • Mechanical failures • Sites located in high risk areas • Adequate capacity 2015 -06 -24 57

Kirov’s Risk Register Internal Enterprise Risks 9. Testing Unavailability / Inferiority / Capacity • Unreliable test equipment • Operational test qualifications • Operational test schedule • Integration testing • Transition from first test to mass production 2015 -06 -24 58

Kirov’s Risk Register Internal Enterprise Risks 10. Enterprise Underperformance/Lack of Value • Customer satisfaction/loyalty • Liability • Cost/profit • Customer demand • Uniqueness • Substitutability • Systems integration • Other application/product value 2015 -06 -24 59

Kirov’s Risk Register Internal Enterprise Risks 11. Supplier Relationship Management (SRM) Use • Contract/supplier management availability and expertise • In-house SRM expertise • Lack of internal and external communication/coordination • Supplier development and continuous improvement 2015 -06 -24 60

Deloitte’s Risk Model 2015 -06 -24 61

Video - Conclusion https: //youtu. be/-z. Iy. Gp. Rar 24 Tom Teixeira, Supply Chain Risk in a Global Economy – Willis TV – November 18, 2013 – duration 4: 19 2015 -06 -24 62

Suggested Reading/Bibliography APICS. Dictionary 14 th Edition, the Essential Supply Chain Reference, Chicago: APICS, 2013. APICS. Certified Supply Chain Professional (CSCP) Learning System, 2012 version, Chicago: APICS, 2012. CACI International Inc. (CACI) and the U. S. Naval Institute. Cyber Threats to National Security: Countering Challenges to the Global Supply Chain, A summary of personal remarks made by participants at the March 2, 2010 symposium. http: //asymmetricthreat. net/docs/asymmetric_threat_4_paper. pdf, accessed March 23, 2015. Canada, National Strategy for Critical Infrastructure, Her Majesty the Queen in Right of Canada, 2009. Carleton University. Welcome to Big Data: Introducing Carleton University’s Institute for Data Science, personal notes and recollections of Ken Lawlis who attended Data Day as a Representative of the CATA Alliance and MIPIS, Data Day was held, April 1, 2015. Committee of Sponsoring Organizations of the Treadway Commission (COSO), by Dr. Patchin Curtis and Mark Carey, Deloitte & Touche LLP, Thought Leadership in ERM, Risk Assessment in Practice, COSO: October 2012. https: //www 2. deloitte. com/content/dam/Deloitte/global/Documents/Governance-Risk-Compliance/dttl-grcriskassessmentinpractice. pdf 2015 -06 -24 63

Suggested Reading/Bibliography Deloitte Development LLC. Supply Chain Resilience: A Risk Intelligent Approach to Managing Global Supply Chains, New York: Deloitte Development LLC, 2012. Department of Homeland Security website, http: //www. dhs. gov/critical-infrastructure-sectors, accessed March 23, 2015. Findlay, Valarie. Cyber-Threats, Terrorism and the Counter-Terror Model Research Study, University of St. Andrew’s, The Handa Centre for the Study of Terrorism and Political Violence, vaf 2@st-andrews. ac. uk / vfindlay@humanled. com, May 2014. Fernandez, Pascal. Supply Chain Collaboration Maturity - What Difference Does it Make? A presentation to APICS/Supply Chain Council on October 2, 2014. IBM Global Technology Services. IBM Security Services 2014 Cyber Security Intelligence Index: Analysis of Cyber Attack and Incident Data from IBM’s Worldwide Security Operations, Somers, NY: IBM, June 2014. IBM Global Technology Services. Resilience in the Era of Enterprise Cloud Computing: Design Considerations for Forward Thinking Organizations, Somers, NY: IBM, July 2014. Manners-Bell, John. Supply Chain Risk: Understanding Emerging Threats to Global Supply Chains, London: Kogan Page Ltd. , 2014. 2015 -06 -24 64

Suggested Reading/Bibliography ISASA. An Introduction to the Business Model for Information Security, Rolling Meadows, IL: ISACA, 2009. Kirov, Krasimir. Supply Chain Risk Management: Minimize Disruptions, Reduce Risk and Make Your Supply Chain Resilient, self-published, purchased on amazon. ca, April 8, 2014. http: // operationalexcellencetraining. com/ (Operational Excellence Series Book 6) (Kindle Locations 3 -7). Kindle Edition. Maleski, Mark, et. al. , Cyber Threat Metrics, Sandia Report, SAND 2012 -2427, Albuquerque, NM: Sandia National Laboratories, March 2012. http: //www 2. gwu. edu/~nsarchiv/NSAEBB 424/docs/Cyber-065. pdf , accessed March 23, 2015. Marchese, Kelly and Jerry O’Dwyer. From Risk to Resilience: Using Analytics and Visualization to Reduce Supply Chain Vulnerability, Deloitte Review, Issue 14, 2014. http: //dupress. com/articles/dr 14 -risk-to-resilience/, accessed March 23, 2015. MLA Handbook for Writers of Research Papers, 7 th Edition, New York: The Modern Language Association of America, 2009. 2015 -06 -24 65

Suggested Reading/Bibliography Norman, Thomas L. Risk Analysis and Security Countermeasure Selection, Boca Raton: CRC Press, 2010. Peck, Helen. Supply Chain Vulnerability, Risk, Robustness & Resilience, Power. Point Presentation, a synopsis of Mangan, Lalwani and Butcher’s work published in: Global Logistics and Supply Chain Management, Hoboken, NJ: John Wiley & Sons, 2008. Ponemon Institute. 2014 Cost of Data Breach Study: Global Analysis, Benchmark research sponsored by IBM and independently conducted by Ponemon Institute LLC. , Traverse City, MI: 2014. Pw. C. A Practical Guide to Risk Assessment: How Principles-Based Assessment Enables Organizations to Take the Right Risks, Pw. C: December 2008. http: //www. pwc. com/en_us/us/issues/enterprise-risk-management/assets/risk_assessment_guide. pdf Pw. C. From Vulnerable to Valuable: How Integrity Can Transform a Supply Chain – Achieving Operational Excellence Series, Pw. C : December 2008. http: //www. pwc. com/en_US/us/supply-chain-management/assets/pwc-sci-112008. pdf Rice, James B. and Spayd, Philip W. Investing in Supply Chain Security: Collateral Benefits, Washington, DC: IBM Center for the Business of Government, May 2005. Schuh, Christian. , et al. , Supplier Relationship Management: How to Maximize Vendor Value and Opportunity, New York: A. T. Kearney Inc. , 2014.   2015 -06 -24 66

Suggested Reading/Bibliography Schuh, Christian. et al. , The Purchasing Chessboard: 64 Methods to Reduce Cost and Increase Value with Vendors, New York: A. T. Kearney Inc. , 2009 (Kindle Locations 2 -4). Kindle Edition. Telecommunications Industry Association (TIA). Securing the Network: Cybersecurity Recommendations for Critical Infrastructure and the Global Supply Chain, Portable Document File (pdf) document on the TIA website, date of publication: July 20, 2012. http: //www. tiaonline. org/sites/default/files/pages/TIA%20 Cybersecurity%20 White%20 Paper. Critical%20 Infrastructure%20%26%20 Global%20 Supply%20 Chain_0. pdf, accessed March 23, 2015 -06 -24 67

Supply Chain Risk Management Videos https: //youtu. be/bb. Zi. GYm. Tbcw Emeritus Professor Martin Christopher, Marketing and Logistics, SCM Key Challenges – Cranfield University School of Business – duration 8: 31 https: //youtu. be/l. TAb. Pviv. Dxs Peter Foster, Cyber Breach Response Plans – Willis TV – June 19, 2015 – duration 2: 54 https: //youtu. be/ISrj. WW 9_O 0 I Sharon Lindstrom, Managing Supply Chain Disruptions: How are Manufacturers Today Viewing Supply Chain Risk – Protiviti Risk and Business Consulting – November 12, 2012 – duration 3: 14 https: //youtu. be/cq 1 PL 1 eo 4 ZU Professor Brian Squire, Information, Decision and Operations Group, Supply Chain Risk Management – University of Bath – September 6, 2013 – duration 4: 38 https: //youtu. be/-z. Iy. Gp. Rar 24 Tom Teixeira, Supply Chain Risk in a Global Economy – Willis TV – November 18, 2013 – duration 4: 19 https: //youtu. be/Ql. Z 6 Ty. Ua. Ypw Professor Richard Wilding, Supply Chain Risk Reduction – Cranfield University School of Business – June 16, 2008 - duration 5: 57 https: //youtu. be/9 Ab. Cu. Aex. Ug. U Joe Yacura, Supply Chain: Understanding Risk Factors – Information Systems Group (ISG) – duration 7: 58 for segment on cyber security (play 15: 17 to 23: 15) – total duration 28: 45 2015 -06 -24 68