Steps to Secure and Mitigate Risk for the Global Supply Chain
This article presents some ideas on the concepts of protective security and the use of the measures that are being taken to safeguard goods and material as it moves around the globe. It does not attempt to describe the intricacies of current supply channel activities, but does, from a personal perspective, speak to what the author has learned about the similarities between the protection of both assets and personnel.
In today’s competitive environment, lean manufacturing and streamlined processes are valued disciplines. One of the few remaining areas where there is still an opportunity for cost savings and improved service is in a company’s supply chain operations. Today, the market will no longer tolerate non-delivery of the product. To survive and compete, companies can no longer simply “write off” product loss or accept unavailability as a cost of doing business.
For an increasing number of companies, security needs to assume equal importance with other critical elements in supply chain management. Many companies are now looking to third-party experts, including knowledgeable third-party alliances, to go beyond costly, reactive security procedures and to develop proactive security solutions that can reduce losses to their multi-billion-dollar supply chains.
Exact figures of supply chain losses vary greatly, with some estimates in the region of billions of dollars annually. A study by Michigan State University suggests that supply chains have become increasingly fragile. In today’s environment of reduced visibility, the actions of all supply chain actors, reduced controls and today’s “lean” practices do not bode well for future loss containment.
Whatever the loss figure may be, the threat to product availability or its diversion, substitution or loss is significant and of sufficient order to demand immediate and ongoing attention.
Assessing Risk and Addressing It
Risk management plays an essential role in helping visualize the risks inherent in today’s complex supply chain operations, a role that not only considers process weaknesses and vulnerabilities, but the overall cost outcome. But supply chain failures have increased in a world in which customer expectations are high and the consequences of failure unforgiving. Direct and indirect costs include customer dissatisfaction, steps to counter a possible loss of business, replenishment, and other time-consuming actions to determine causes, accountability or the lack of it. Further costs in time and effort for an organization can be experienced with loss investigations, law enforcement involvement, determining liability and constructing countermeasures to address the possibility of yet another threat. All these steps must take place in a dynamic environment that offers no respite or pause.
Therefore, the need to design, develop and enact workable, proactive steps to avoid, halt or “transfer a potential threat elsewhere” has never been greater. To do so, actions must be sufficient to dissuade criminals from their intended path and to redirect their focus somewhere else, actions that may afford them similar rewards, less risk and possibly less effort.
Cargo thieves often emulate the steps taken by criminals during a kidnapping who conduct meticulous due diligence and surveillance of the intended victim.
Countermeasures can be effective in either scenario if they are sufficient to convince assailants that the risk is less, and the rewards will be the same by selecting a target elsewhere.
Protecting people has its own challenges, but the “transfer the risk” concept in personal and executive protection is a primary “requisite” that can help protect people from harm by taking steps to distance the threat from a target. The risk assessment is used to analyze the modus operandi of previous threats and the current threat, the known possibilities and, most importantly, what can be surmised or imagined.
A similar approach is recommended to protect supply chain operations from criminal attack.
Some would decry this approach as self-interested, since it has the effect of penalizing the less protected. Improved security, together with higher operational efficiency, are differentiators in the marketplace. The quest for security efficiencies will allow those players who are committed to keep their employees safe, solidify their relationships with their customers and avoid debilitating insurance or litigation costs. They will be able to rise on the tide of enhanced measures to achieve additional positives to their marketplace strategy.
In today’s complex operating environment with the velocity of actions needed to fulfill customer needs and expectations, the methods used throughout all materials and product handling must be analyzed, examined, risk assessed, modified as necessary and “hardened”. Nowadays, any single point of pipeline weakness can trigger a cascade of failures throughout supply chain operations and dependencies.
The design and deployment of technological countermeasures and the necessity for human oversight to strengthen preparedness have done much to enhance the goal of “on time, every time” deliveries.
Vehicle tracking, human oversight and training, tamper-evident detection and notification systems have made significant strides, but over-reliance on protective technology can itself create vulnerabilities since it is unwise to underestimate the ingenuity and persistence of those engaged in high-reward crime. Technology has provided the greatest benefit as an essential part of comprehensive and wide-ranging security programs that acknowledge risk and successfully integrate all the protective measures available to them.
But for the less vigilant or prepared, losses will continue.
“Barriers” and “Layers” - Concentric Layers of Protection
A concept or philosophy for the mechanics of security, equally relevant over the years, is called “protective barriers” and its accompanying notions of awareness and preparedness. In its most basic form, the driver behind this concept is the need to put as much distance between a possible threat and its target. The approach is useful to protect people and goods as well as buildings or any other entity from a possible threat. A Special Forces’ stated mission is to “put off the day when something bad happens”, and the requisites of protection are used to accomplish this goal.
These barriers, among others, describe the basis for protecting anything or anyone from harm. In practice, they constitute an integrated blend of physical, technical or procedural - and in some cases psychological - measures that range from a factory fence or wall to the ability to monitor and protect cargo worldwide with extraordinary precision.
A a parallel example of this concept, the measures to protect U.K. dignitaries, U.S.-based executives and others as they traveled the world are as relevant today as they were in the past. Their use and the need to not relinquish them - or unnecessarily give them away - is an essential component of this approach. If an attacker has gained access to a protected person or other target, the measures taken beyond close protection are assumed be breached, thus leaving an emergency response as the last resort - no doubt resulting in “if only” regrets later.
Whatever or whoever is being protected, the primary “requisite of protection”, together with others, is the need to accept that a threat against a particular target, operation or process is a possibility, one which can be made less likely or damaging with intelligent and appropriate countermeasures.
Total Security Strategy (TSS)
A useful proactive and overall strategy is for the pipeline owner and supporting partners to develop a “Total Security Strategy” for all supply chain activities. A number of supply chain partners (3PLs, etc.), have adopted this unified approach as it defines overall leadership and accountability and the benefit of value-added security solutions to their end users. Implementation of TSS is straightforward but made more difficult by both volume and velocity of modern supply chain activities.
The strategy of the TSS can be encapsulated in a simply-worded goal or mandate (as has been used in the pharmaceutical industry) can be to: “Ensure that raw materials and finished goods remain in their intended channel of manufacturing and distribution.”
And additionally, to: “Ensure the secure hand-over of product from one area of responsibility to the next (by means of accountability and responsibility at the points of transfer).”
The objective of TSS strategy is to proactively reduce customer losses by emphasizing supply chain accountability, management, leadership and involvement. When successfully implemented, its benefits cannot be overstated.
At the highest level, the strategy should specify Security Policy (Operations, Assets and Personnel, Information Technology), Industry-Specific Guidelines (Continuous Business Security Improvement) Global Best Practices and Repeatable Practices such as protecting personnel, product, facilities, modes of transportation, and emergency response.
The approach should be applied throughout, notwithstanding that the various players in the overall logistics system - company operations, 3PLs, etc. - will need to mirror and enact the strategy throughout their own logistics systems. A company may not necessarily have direct control over its transportation providers’ actions, but TSS provides the framework for roles, responsibilities, methods of performance measurement, process ownership and accountability, irrespective of the transfer of title or ultimate liability.
This unified approach can have the effect of re-orientating the company/alliance partner relationships in a mutually beneficial way, especially since the best alliance partners emphasize both their global expertise in supply chain management and proactive security measures as important differentiating qualities. Partner relationships can offer a wide range of specialized security solutions to customers who may not have access to in-house resources.
As part of TSS, visioning of operations and systems is an essential tool used to understand and visualize complex processes, determine their functions and dependencies and identify weaknesses that need to be addressed.
In practice, oversight by persons unfamiliar with a specific activity or process may be better able to identify needed security improvements or question the relevance and effectiveness of a well-intentioned protective approach. Visioning needs to take place in regular sessions to forge an understanding of current security risks and their planned or actual countermeasures.
Business Impact Analysis (BIA)
A Business Impact Analysis (BIA) is a useful approach that is used to identify issues that could have the most impact on continuing operations.
There are various definitions of the BIA process. BIA is generally aligned to risk assessment within the broader concept of Business Continuity Planning. The BIA approach is used to develop a hierarchy of possible outcomes and to quantify their impact on both the organization and its ongoing operations. In a dynamic environment, in which business activities are subject to change and adaptation, the process will need to be an ongoing mission.
In the security context, BIA is the process by which all aspects of an operation are examined to assess the possible outcome and impact of each identified risk. Since activities are based on the interface between physical and electronically-driven actions, a complete understanding of both, along with their dependencies is a necessity. The BIA may be less concerned with the likelihood or occurrence of a potentially damaging event or activity, but instead focuses on a possible impact that could damage dependencies or the organization itself.
Once the risks have been identified and quantified, steps can be taken to manage them down to an acceptable level to better insulate continuing operations.
From the physical and technology perspective, protective measures have reached a level of sophistication and maturity that could not have been foreseen just a few short years ago. Previously, the protection of shipments largely relied on human actions such as reporting to attest to the ongoing security status of vehicles, loads, seals. But in some cases, innovation and applied technology has had the effect of distancing protective measures from human oversight. Automated communication systems report anomalies alongside global location tracking with a high degree of accuracy, but human involvement to monitor, assess and respond to reports remains essential.
Conclusion
The development of supply chain protection plans, such as the Total Security Strategy, are useful for identifying existing supply chain weaknesses and enhancing protection for each function, process and the logistics system as a whole. The various TSS components mentioned are some of many that that can be used to visualize and assess potential outcomes, and to develop policy, guidelines, procedures and emergency plans. Given the overall costs of product theft, diversion, damage, counterfeit or substitution, and the risk to human life that can accompany criminal acts, a protective supply chain security policy should be one of a company’s core directives. Such an approach should gain senior management buy-in that will permit the company and its providers to take leadership roles and drive effective security solutions.
Sources: “A Risk Management Approach to Business Continuity” - Julia Graham & David Kaye, “Logistics & Transportation Security” - Maria G. Burns.
About the Author: Christopher Hagon is the Co-Owner and President, Incident Management Group Inc. He is a former police superintendent with London's Metropolitan Police and a personal protection officer to senior members of Britain’s Royal Family. Other past assignments include Director of Corporate Security for Miami-based Ryder System. In 1995 Hagon co-founded Incident Management Group, Inc., a consultancy that provides a wide spectrum of proactive and response services to corporate America.