Managing Risk: An Interview with Gary Lynch
Gary S. Lynch, CISSP, is an Author, Managing Director and Global Leader of Marsh’s Supply Chain Risk Management Practice.
June 22, 2010
Q: Why is supply chain risk management so important today?
A: Along the supply chain, threats are more pervasive, impacts more extreme and vulnerabilities are more relevant to organizations that operate globally and are interdependent on others to create and deliver value to the markets they serve. Many of these vulnerabilities exist outside the scope of control of the organization, many layers removed (beyond wholesalers, distributors, 1st tier suppliers) up or downstream in the supply chain.
Supply chain risk and supply chains mirror what role supply chain has taken on in business—and in many cases, in the role of commerce in a country and the success of the country. You look at the way supply chain has morphed from that of an operational issue of things that we had to do in order to bring value to our customers, to now being a strategic issue, and a political issue in many cases. Now introduce this whole concept of global interdependency as well. The reality is that threats are more pervasive, and they seem to be more impactful these days—whether it’s larger hurricanes or typhoons or earthquakes as we’ve seen.
Q: How is risk management different for a company that runs a mostly domestic operation, as opposed to a company that has many partners around the globe?
A: The first question I would have is, are you really domestic? You believe that you’re contained, even if you’re a local coffee shop, and then you start to dissect your so-called business chain, your supply chain. And you realize, okay, well the coffee lids are coming from here, the cups are coming from there. Even the utilities I rely on. Look at energy as an example, which is necessary to keep my business going. It is something that no longer exists in my so-called “small, domestic environment.” It’s something I’ve contracted and is being sourced from elsewhere, and I need to understand what are my key external dependencies.
And if you are domestic, the way that it’s different goes back to that definition of how to look at risk, or measure risk, and that is, can you identify uncertainty? If you’re domestic and truly very, very local, you probably better understand what drives uncertainty and you can probably better measure your exposure to uncertainty.
Q: We had an article recently which very bluntly said that companies that don’t change, like Digital Equipment Corporation or Circuit City or Chrysler, become companies that are unfortunately famous for another reason. Is change a key part of risk management?
A: Change is probably the number one or two most important issue in risk management. And that puts such a burden on the organization to ensure that they develop the systems and the standards from a risk management standpoint to deal with change. So embracing change, building the systems and standards, are even more important and more relevant today. And change happens at so many levels, all too often I hear that an organization has acquired other organizations and that years later the systems that support the flow of information and goods have not been integrated. Information is rekeyed, intermediary systems are put in place to handle the transition of information between two disparate ERP systems. And at a macro level, the change and risk associated with the strategic footprint of the placement of suppliers, manufacturing, and distribution centers must be considered.
Q: If, in fact, change management is the way to survive economic problems like the recession, and smart companies have accepted that idea, does that make the concept of risk management easier or harder for them?
A: I think it makes it harder. When we look at the reality of today’s situation, everyone is so tuned into their own function, their own incentives, their own boundaries. Quite frankly, that’s not the way clients or customers look at the products they get. They don’t care whether the transportation failed or the warehousing was a problem. They just want the products when they want them and where they want them. The big challenge now, from a risk management perspective, is how do you get people to look beyond their functions and at what’s needed to create, deliver and service value? You’re asking for a cultural change, a behavioral change. How do you get them to look beyond their functional roles at a time when, quite frankly, many of them are worried about either their jobs or their company surviving through the economic crisis.
Q: In your book, you talk about the concept of supply chain management touching everything and everybody in the company. Yet siloing can be a problem in some companies. What’s your key to getting through the silos so that people can understand that everybody is at risk?
A: Well, depending on whether your audience is internal or external partners, obviously you want to put the pressure on in different ways. I think those who have succeeded have really done a good job of putting a system in place to measure the risk, both from an impact standpoint, and also from an investment standpoint. Where they had the greatest success is trying to measure the impact to a particular revenue stream, cash flow, product, set of SKUs. In building their impact and investment argument, they started to look at something that was a lot more tangible than the so-called organization. Just as I said in the book, everybody is part of the chain. You have to articulate that through getting the product managers on board first, and getting them to acknowledge that their revenue is potentially being threatened.
Q: It seems that any major initiative like this should come from the top down, but what happens when you run into an obstinate CEO who just doesn’t want to embrace risk management?
A: I’m going to give you two thoughts on this. The reality is, I think in some cases, it’s a hopeless cause, meaning that you will just have some individuals who will just be totally unconscious, or ignorant, to risk and ultimately lead organizations into destruction. And actually, when I was working at one organization, my boss, a senior executive, decided to categorize our executive managers as it relates to risk into three categories: They were either considered risk-takers, which was the majority; the enlightened, which were the ones that considered risk early in their business decisions; or the ignorant or brain-dead. The reality is you can do a lot to try to change those that are brain-dead. But at the end of the day, if those are the people that are leading your organization, you might want to think about working for another organization.
Now, that’s said in extreme. The other option is to really understand the motivations for why they are ignoring the risk. And if it truly is pressures around margins or survivability at the company, or because they haven’t felt the pain, I think that’s where and when you’re managing supply chain risk.
Q: Your book describes ten different laws of risk management. Which are the most important?
A: Two stand out. One we’ve already talked about, which is the change law: if you don’t manage and lead change, you’re going to have to surrender to it. The other one was the “laws of the law,” which we talk about in the book’s preface, when you look at the precepts about everyone being part of the supply chain. No risk strategy is a substitute for bad decisions. It’s all in the details, and people operate from their self-interest. That really represents the behavioral and the management aspects of the problem. If we don’t tackle those things, or we don’t understand and acknowledge and address those issues, then it doesn’t really matter what we do from a mechanical standpoint in any of the other laws.
Q: Talk about the technology that is leading the way these days when it comes to risk management.
A: One significant trend is an expansion of the tracking systems that are in place, whether they’re specific technologies, whether it’s GPS or RFID, which is used to obviously track the efficiency. It’s also taking things that are used in the logistics industry, expanding that to incorporate some of those risk factors beyond what is perceived as the daily tolerance for problems. Predictive analysis tools are then used to better forecast risk, such as security and shrinkage. So those types of systems and the expanded use of those systems or other applications to track and to be part of a trade-recovery or a commerce-recovery process if you have failure.
Q: So it is possible to take an existing system and maybe add modules to it rather than having to rip everything out and start from scratch?
A: Absolutely. And some of the architecture really has to be challenged. So if you’ve got an ERP system that’s looking at things in a modular fashion, then instead of designing the risk elements into each of the modules, you need the capability to look across multiple modules. You need to be able to look at the flow of the product, the information, and the cash to see again where you are going to have the greatest risk.
Q: You also believe demand should trump supply when it comes to risk management. Your book talks about healthcare and vaccinations for H1N1. But demand is so volatile, especially with something like that. You can go for months without needing anything and then all of a sudden you need millions of doses right now. How do you handle that kind of volatility without building up massive inventory?
A: I think it starts with the fundamentals. As we’ve seen before, we need systems. The tendency when looking at the demand side, especially through a risk lens, is to look at the threats to the demand. In other words, threats as they relate to the buyers, threats as they relate to the market itself. Now, that’s OK, but there are just too many variables there. So from the demand side, that means understanding the impact of demand significantly changing or being volatile, and translating that into looking at failure of demand or looking at a huge uptick in demand, and then starting to understand what each inflection point translates into from a risk standpoint. What is your threshold or tolerance before the risk becomes a real concern? Doing all that requires you to understand all the variables in the supply chain that supports that product.
So for, say, a bottle of water. If the demand at a particular threshold is going to tax your ability to get a hold of certain resins, it really starts to change the decision about how you manage risk, how you manage the supply chain for that particular bottle of water. But when you do the analysis and you start to say, well, I’ve now been able to look at these thresholds, plot all these different impacts that you have at different levels. As you plot these things on a chart, you can see what parts of the product are going to cause you more pain or less pain. It could be products that are used in the production process, such as certain gases, or it could be availability of materials that are actually part of the product.
Q: Is it possible to go overboard with risk management and, if so, where do you draw that line?
A: It’s absolutely possible to go over the top from a risk-management standpoint where you find out that the risk management has slowed your speed or slowed your service or impacted your ability to innovate. That’s why I think it certainly needs to be layered in and integrated, and most importantly measured. The challenge is doing that, trying to get to the point of the balance.
But in answer to your question, yes, I think we can over-control the risk. That happens when the measures and the metrics aren’t in place where you’re not measuring impacts, where you’re trying to chase different threads and you believe a particular thread is more important than another thread. When you take the shortcuts on the measurement side from an impact and investment standpoint, I think that’s where you really start to get in trouble and you get out of whack with the ultimate decision process. And when you do that and you measure it, the person that’s conducting the analysis is not the decision-maker, and they have to bring that data forward so that the real decision-makers can do what they do every day in business.
Q: So talking about the leaders in supply chain and risk management, who’s leading the pack? What industries?
A: The ones that really jump out are some of the larger high-tech manufacturing companies, especially those that are in the hardware manufacturing business. Certainly, some of the global energy and mining companies who have been almost perfectionists at trying to measure and manage the financial risks are now spending a lot more time on managing the product risks, and certainly the cash risks as well. So I’d say the energy industry, oil and gas in particular. However, on the refinery side, it doesn’t seem to be as strong as those companies, so I want to be careful there.
A few of the larger mining companies that I’ve worked with certainly have a good system for managing the broad set of risks—labor, environmental, all part of their supply chain. There are some companies that are very good in managing the innovation risk, their innovation chain. Those are some of the more visible consumer-based electronics companies, high-tech companies. And then believe it or not, there’s one or two automakers. They do a really good job in managing the third parties, not just from a quality standpoint, but a broader set of risk criteria, and there are so many companies that are trying to do a better job at managing third-party or supplier risk, depending on how you want to define it, they are just struggling. That, to me, is the number one issue that these companies are really trying to address: figuring out better ways to manage the supply area risk.
Q: For companies seeking to get on the path to sound risk management, what are the initial steps they should take?
A: Well, with supply chain risk management more than anything else, you need a hook and/or a success story. My suggestion would be to, as your target, use what is significantly going to change in the next few months—whether it’s a major platform change on the technology side, whether it’s a new product offering, a new product line, whether it’s an acquisition, an integration of that company.
If you start with that as your target, something that’s already changing, then you start to defuse that first bomb that’s going to hit you, which is the corporate political bomb of “We’re doing everything right, why are you challenging us?” Use change as your hook and then, as you look to manage the risk, you look to the fundamental elements of prevention and response. In order to do prevention, you need to identify it, you need to assess it, you need to assess the impacts to it, you need to measure it.
Then you could look at solutions, whether they’re solutions to mitigate the risk, insure or finance the risk, or monitor the risk, realizing there’s not much you can do. But you can respond quickly if something goes wrong. Or if it’s a systemic failure at a particular port, shipping lane, cargo facility, make sure you have already thought through that scenario and can move quickly on it. I think those are the places to start to build that capability on the reaction and response side as well.
Subscribe to Logistics Management magazine
entire logistics operation. Start your FREE subscription today!