How Risk ManagementCan Secure YourBusiness Future

BY JAMES B . R I C E , JR . AND WI L L I AM TENNEY

WHEN U.S. CUSTOMS AND BORDER PROTECTION issuednew Customs-Trade Partnership Against Terror-ism (C-TPAT) security criteria for importers in

March 2005, many companies worked aggressively to gaincompliance. Soon they asked, “are we finally secure andready to respond to disruptions?”As it turns out, this is thewrong question.Too often executives define security and risk manage-

ment in terms of only physical asset protection or guardingagainst unlikely disruptions, instead of recognizing thatboth are central to protecting the firm’s economic viability.As a result,most companies miss opportunities to increasetheir competitiveness and are vulnerable to dramatic busi-ness failures.A few pioneering firms have adopted a more enlight-

ened approach to security and risk management. Learningfrom them, and synthesizing the work done at Target andthe MIT Center for Transportation & Logistics, we havedeveloped a supply chain risk management maturity

continued on page 2

model that instead focuses on protecting — i.e., actuallymaintaining — the firm’s economic viability that may beused as a strategic roadmap.

The case for economic viabilitySecurity in the U.S. is frequently associated with the 9/11terrorist attacks. However, while the attacks were tragic,they impacted a relatively small number of firms: mainlythose in impact zones or highly dependent on just-in-timeimports. Consequently, many companies don’t recognizethat such incidents endanger their economic well-being,and fail to protect their businesses from security breachesand supply chain disruptions.Unfortunately, the aggregateof these risk-exposed firmsmakes the entire import supplychain less secure andmore vulnerable.Yet there are a number of key reasons thatmake the case

for protecting the economic viability of risk-exposed sup-ply chains.

Compliance: Governments, the U.S. in particular, haveattempted to reduce national vulnerabilities through variousvoluntary and regulatory requirements and programs forfreight system security (e.g., C-TPAT). These initiatives offerbenefits such as reduced inspections and faster border cross-ings in return for guaranteeing enhanced security withintheir supply chain. These benefits are not yet fully delivered,but they are significant and offer potential competitiveadvantages for companies thatmake the effort to comply.

Reduced Losses: For some companies the threat offinancial loss provides motivation to make supply chainssecure. In 2003, Intel lost $10 million worth of Pentium 4

supply chainstrategyA newsletter from the MIT Center for Transportation & Logistics

June/July 2007 // Volume 3 // Number 5

Fujitsu’s Direct Line to Energy SavingsAs the name suggests direct-ship eliminates the touch points that hinder quick delivery – it alsodelivers big energy savings as Fujitsu Computer Systems Corporation has discovered. See page 5.

7 ............. Five Stepping Stones to Successful Change ManagementHere’s a five-point strategy formaking changes without alienating the people you rely on.

10 ........... How to Shine in an Expanding Supply Chain UniversePaul Gaffney, former Staples senior executive, points the way up the corporate ladder.

12 ........... Keep Your Customers by Keeping Your WordMaking an order promise is easy - fulfilling it is another matter.

© Copyright 2007. Larstan Business Reports. All rights reserved.

I N S I D E

chips when a van carrying the product was stolen atHeathrowAirport. In late 2002 Cisco lost $3million worthof routers when a truck was broken into in Santa Clara andthe contents stolen. These are but two of the more than$60-75 billion cargo losses estimated each year.

Resilience: The destruction wrought by HurricanesKatrina and Rita underlines why firms must manage cor-porate risk by developing business continuity plans for dis-ruptions. Ultimately, the most significant risk to eachbusiness — and to a country’s economy and livelihood—is the risk of catastrophic business failure. The economiccost of such calamities can be staggering; even the fullyexpected U.S. West Coast Port lockout in October 2002cost an estimated $20 billion. The impact from full system-wide disruptions will likely be higher. In a simulated PortSecurityWar Game conducted by Booz Allen Hamilton in2002, the estimated impact on the U.S. economy totaled$58 billion,with an estimated 52-day backlog at U.S. ports.Admittedly this is a worst case scenario; even so,waiting 52days for your product could mean “game-over” for thosecompanies that fail to prepare and protect.

Brand Protection: The seven charter members of C-TPAT — Ford, General Motors, Daimler-Chrysler, Target,Sara Lee, Motorola and BP America — share a commoninterest: to protect invaluable brands. For these organiza-tions a crucial reason for managing supply chain risk is toprotect and even enhance the company’s brand and repu-tation. This includes protecting against the rampant coun-terfeiting of branded products. Fake products can causeinjury and even fatalities, expose organizations to productliability claims, and harm the image of their brands.Even when high-profile companies such as retailers are

not moved by the threat of cargo losses through theft (thevalue of their containerized merchandise is relatively low

2 | supply chain strategy www.MITsupplychainstrategy.com

supply chain strategyEditor: Ken Cottrill

Associate Editor: Anne Saita

Publisher: Jennifer O’Grady

Advisers: Yossi Sheffi, Professor of Engineering Systems and of Civil and Environmental

Engineering atMIT, and CTL research staff

Editorial

Chief ExecutiveOfficer: Larry Genkin

EditorialDirector:Anne Saita

Circulation&FulfillmentManager: Stan Genkin

ArtDirector:RobHudgins

www.larstan.comLarstanBusinessReports is an independentnewsagencyheadquartered inWashington,DC.Larstan’s edito-rial services include:newsletters,bookpublishing,whitepapers,market researchandmedia syndication.

Articles in this journal draw on a variety of sources, including published reports, interviews with prac-ticingmanagers and consultants, and research bymanagement scholars, some but not all of whom areaffiliated with Larstan Business Reports,MIT and the Center for Transportation and Logistics.Articlesreflect the views of the author.

TheMITCenter for Transportation& Logistics (CTL) is a world leader in supply chain managementeducation and research, ranking consistently as number one. CTL contributes to the academic knowl-edge in the field and helps companies gain competitive advantage from its cutting edge research. TheCenter’s graduates occupy senior supply chain management positions in almost every industry andcontinue to use the Center’s resources to update their knowledge and skills.Web: http://ctl.mit.edu.Tel:617-253-5320.

Subscription InformationSubscription price is U.S. $295 (10 issues); single copy: U.S. $37.50. To subscribe to Supply ChainStrategy, call 800-890-6263 for US and 914-962-6292 for outside the US.Web:www.MITsupplychainstrategy.com

Letters andReader FeedbackLetters, editorials, ideas for articles, and other contributionsmay be submitted to Ken Cottrill,editor, at SupplyChainEditor@larstan.net.

Services,Permissions, andBack IssuesSupply Chain Strategy is published 10 times a year by Larstan Business Reports at 209 CanterburyCourt, Blue Bell, PA 19422. POSTMASTER: Send address changes to Supply Chain Strategy, POBox 23,ShrubOak,NY 10588. To resolve subscription service problems, please call 800-890-6263 forUS and914-962-6292 for outside theUS.

Copyright 2007 by Larstan Business Reports.Quotation is permitted with attribution to Supply ChainStrategy (www.MITsupplychainstrategy.com).Otherwise,material may not be republished, quoted orreproduced in any formwithout permission of Larstan Business Reports. To order article reprints orrequest permission to copy, republish or quotematerial, please call 800-890-6263 forUS and 914-962-6292 for outside theUS.Or send an email to SCScustomerservice@larstan.net.

and insurable), they are concerned about protecting theirbrand. For these enterprises, the real risks are less aboutsomething being removed from their supply chain andmore about something being introduced into their supplychain. Imagine the impact if one of their containers wasfound to contain narcotics or illegal immigrants. Even ifthey were able to escape themedia scrutiny, they would losetheir C-TPAT benefits resulting in more inspections andhigher inspection and inventory costs.As these scenarios demonstrate, the risk of serious dis-

ruptions to individual companies and even economies isstultifying — and it is only a matter of time before yourorganization is impacted to some degree. Security mustinclude securing the future of the firmby enabling it to con-tinue tomaintain its economic activities in crisis situations.

Follow the cow pathHow do firms protect their economic viability? Ourstudies suggest that there is a traditional path from non-compliant (vulnerable and exposed) to risk-managed,secure and resilient. There are many variants of the path-way, but we believe that a select group of pioneeringcompanies has blazed a trail that other organizationsshould consider as they plan their own routes (see Sup-ply Chain Risk Management Maturity Levels page 3).In the same way that the streets of Boston basically fol-

MIT Center forTransportation& Logistics

How Risk Management Can Secure Your Business Future (continued)

» Supply chain security is more than fencing off assets or avoidingdisruptions; it should be part of your organization’s DNA. Embeddingsecurity in this way strengthens the company and safeguards itseconomic future

» There is no standard blueprint for attaining the highest levels ofsupply chain security. However, some market leaders have createdpathways to the top that others can follow[ K

eyTa

keaw

ays]

lowed the old cow paths that weaved in and out of the city’shills, so too can companies model their approach after theleaders that have progressed from pre-compliant to com-pliant, secure and resilient supply chains to protect eco-nomic viability.Beware — following the path will not guarantee C-

TPAT compliance. Also, it ought to be considered more ofa journey than a destination. The leaders do not limit theirview to incremental improvement or cost containment,but instead recognize compliance and security as part of away to enhance the broader competitiveness of the firm.Consider also the ramifications outside your organiza-

tion. It’s not enough to focus internally as companies mustunderstand the public relations implications of theiractions and the actions of other enterprises in their indus-try. Within Target, for example, the interconnectedness of

June/July 2007 | 3

the country’s trade industry is clearly recognized. Putanother way: “If something blows up inside a Target con-tainer, it would be really bad. But if something blows upinside aWal-Mart container, it’s still really bad,” relates theapproach taken at Target.

The pathway — definitions of maturity levelsAs suggested our respective research has revealed a com-mon path with four stages to achieving economic viability.While this is not a definitive model, it does provide a basicroad map that can be used to assess your current positionand help you progress towards higher levels of security andresilience.

Level 1 — Pre-compliant: Pre-compliant companies arenot yet meeting C-TPAT security or other compliance cri-teria, or have no established supply chain security preven-tion or response standards or practices. In some cases,limited prevention measures such as personnel checks andfreight protection practices are in place. The firm’s eco-nomic viability is at risk. The probability of a business dis-ruption is high, as is the likely impact, and these firms areless competitive than their C-TPAT-compliant rivals.

Level 2 — Compliant: C-TPAT-compliant companiescarry out security or other mitigation measures as aresponse to externally imposed regulations. Aside frombeing compliant, companies at this level are primarily reac-tive, and see security as a cost of doing business. There is alower risk of compliance violation, but still high probabilityand impact of disruptions. These firms may enjoy C-TPATbenefits of lower inspections and shorter border delays, butthey are not leveraging their security investment.

Level 3 — Secure: Secure companies see externallyimposed security standards as inadequate, and have insti-tuted a more rigorous approach to protect the brand,employees, physical assets and shareholders. At this levelthe focus is on preventing a disruption from occurring.Security is seen as part of the business model. These firms

Mapping by level of progress and key process areaKKeeyy PPrroocceessss AArreeaass LLeevveell 11 LLeevveell 22 LLeevveell 33 LLeevveell 44aanndd FFooccuuss PPrree--CCoommpplliiaanntt CCoommpplliiaanntt SSeeccuurree RReessiilliieenntt

Leadership » No risk focus » Program compliance » Prevention, security » Response for advantage

Internal Integration » None » Reactive coordination » Proactive coordination » Integrated teams manage security, resilience, risk

External Partnership » No defined partners » Limited interaction » Partners involved in security only » Partners in risk management, resilience

Visibility » Limited to no visibility » Some system visibility » Partner visibility » End-to-end visibility

Risk Management » No standards » Nascent security standards » Partners pre-screened » Partners help manage risk

Risk Detection » None » Some reactive procedures » Some proactive procedures » Procedures to ID emerging risks

Training » No training » Internal training » Security training for vendors » Full scenario & contingency exercises

Communication » No plans » Reactive » Proactive » Response and recovery plans

Culture » No awareness » Compliance only » Security and compliance » Actions affecting security, resilience

Supply Chain Risk Management Maturity LevelsLow probability and

consequences ofdisruption; ultimateeconomic viability

Low probability ofdisruption but high

consequences

Not disadvantagedbut not leveraging

potential; high prob-ability and conse-

quence of disruption

High probability andconsequence of

disruption, disadvantaged

versus compliantcompetitors that

enjoy C-TPAT benefits

» Not C-TPATcompliant OR

» No establishedsupply chainsecurity pre-vention orresponse stdsor practices.

» Response toregulations orstandardsimposed fromoutside.

» Security is costof doing busi-ness.

» Transbordermovements fordaily opera-tions

» Outside stan-dards are seenas insufficient.

» Greateremphasis onsecurity & pre-vention to sup-port companyvision & strate-gies, protectbrand / reputa-tion, TMs,guests, physi-cal assets, &shareholders.

» Security isseen as part ofthe businessmodel.

» A comprehensivebusiness strategythat leverages SCand securityinvestments thatenable a com-pany to increasecompetitiveness.

» Firms see disrup-tion as inevitableand add focus onrebounding froman incident.

» Firms add flexi-bility and/orredundancy in SCfor detection andresponse, ensur-ing productmovements,business conti-nuity, and serviceto customersin/post disruption.

» Resilience usedas competitiveadvantage.

Transborder& Resilient

Secure

Compliant

Pre-Compliant

MIT Center forTransportation& Logistics

4 | supply chain strategy www.MITsupplychainstrategy.com

are leveraging their C-TPAT investments and are workingwith suppliers and customers to understand the systemrisks and vulnerabilities. However, the impact of a disrup-tion is still high.

Level 4 — Resilient: Resilient companies see risk man-agement as an element of a business strategy that changesthe way the enterprise operates and increases competitive-ness. Recognizing that disruptions are not entirely pre-ventable leads to additional focus on rebounding quicklyfrom incidents. The company adds flexibility and, wherenecessary, redundancy in the supply chain to detect andrespond proactively to potential risks and crises. Thesefirms have reduced their risk of non-compliance, are lessprone to security breaches and have mitigated the conse-quences of disruptions. They are leveraging their securityinvestments, and security plays an integral role in servingthe business purpose. As such, these firms have preparedthemselves for ultimate economic viability.

Plotting your routeThere is no standard pathway to security and resilienceand companies have to make trade-offs to arrive at thepath that best suits them. The choice depends on manyfactors including business strategy, cost structure and thetype of industry. Enterprises might have to make a choicebetween security and resilience investments, for instancewhen a security initiative to protect information hinders aresilience initiative to create flexibility via supplier collab-oration. Despite this path uncertainty, we have observedsome common capabilities that leaders have which practi-tioners can consider in mapping their own path: » Internal Integration of planning and operations, and

response coordination of logistics, sourcing,government affairs, compliance, security and legal.

» External Partnerships with business-critical externalstakeholders such as vendors/factories, ocean carriersand all cargo handlers

» Risk Management that is exercised via standards to allsupply chain business partners, identifying andassessing threats and vulnerabilities

» Risk Detection systems for “early warning” of potentialor actual supply chain disruption

» Education and Training — education for awareness andtraining for response

» Pre-event Communication protocols for sharingbusiness-relevant supply chain information amonginternal and external partners

» Security and resilience culture that permeates the firmand recognizes risks as well as key design choices thataffect both security and resilience

The maturity model is by no means the final word on sup-ply chain security, but a starting point in an ongoing con-versation with other importers. It is only through this typeof synthesis that companies, economies and countries willdevelop the necessary resiliency to rebound from the nextdisruption. �

James B. Rice, Jr. is director of the MIT Integrated Supply Chain

Management Program. He can be contacted at jrice@mit.edu.

William Tenney is Group Manager, Business Intelligence and Interna-

tional SC Security at Target Corporation. He can be reached at

William.Tenney@target.com.

Reprint #P0706A

How Risk Management Can Secure Your Business Future (continued)

Our research indicates that there are several “enlightened”firms that are leveraging their security operations to protectthe firm’s economic viability and in some cases, help createcompetitive advantage. These include Intel, Target, IBM,UPS, Nike, Maersk and APL. One hint as to how progressivea firm is in this sense can be found in stated objectives of thesecurity operations — do the goals focus on asset protectionor serve the corporate strategy and objectives (i.e. serve cus-tomers)? Target Corporation’s stated supply chain securityobjectives provide a good example of how such considera-tions play a critical role in serving the organization’s corporategoals — and ultimately its guests.Target Supply Chain Security Operation’s Objectives1. Safeguard Target’s direct import strategya. Support speed to market, be in stockb. Rebound from disruption

2. Protect the brand and assets

a. Prevent infiltration by terrorist or criminal groups3. Ensure regulatory compliancea. Meet C-TPAT criteria

As these objectives suggest, Target seeks to deliver busi-ness value through its security operations by paying atten-tion to ensuring that product is available, and by protectingits brand image, with C-TPAT compliance as a supportinggoal and a means to achieve these ends. In this case securityis effectively managing risk to protect economic viability. Weconsider this to be “Big ‘S’ Security” because security’s roleis big. Most companies however, are not so progressive andare in need of some guidance to find their way to leveragesecurity. In these firms managers must show how securityfunctions support the firm’s core business; they must inte-grate security into the decision-making process and busi-ness operations.

LOOK FOR A MESSAGE