How vulnerable is your supply chain? What can you do to protect it from disruptions, especially those you cannot anticipate? These questions take on more and more urgency in an age of complex global supply chains, where events in one region can disrupt the operations of businesses and their customers on the other side of the world.
In his new book, The Power of Resilience: How the Best Companies Manage the Unexpected, Yossi Sheffi examines what many companies have done—and are doing—to anticipate, prepare for, and respond to disruptions that can range from earthquakes to hurricanes to cyberattacks to issues with sourcing that could harm business reputations.
The book is Sheffi's second on the topic of resilience. His first, The Resilient Enterprise, was published in 2005 in response to the 9/11 attacks. In the intervening decade, much has changed in both the landscape of supply chain risks and the implementation of corporate resiliency programs, Sheffi says. The new book looks at what companies have learned since that time and at new threats that have arisen.
Sheffi, a professor at the Massachusetts Institute of Technology (MIT) and director of the MIT Center for Transportation and Logistics, discussed the new book and supply chain resilience Peter Bradley, the editorial director of CSCMP's Supply Chain Quarterly's sister publication, DC Velocity. This is an edited and condensed version of the interview.
Q: What led you to decide it was time for a second book on the topic of resilience?
A: The first book was motivated by 9/11, looking at what companies were doing to prepare for disruption. When I started work on that book, I figured I'd begin by seeing what had already been written about this topic and I found nothing on logistics, supply chain, and transportation—in academic writing, at least. Since I didn't have any literature to draw from, I did research. I talked to well over a hundred companies. That research, which took four years and involved 30 people, led to the first book.
Then, when I was out talking to companies a few years back, more and more people were telling me, "Look, it's time for a new book because the threats are becoming more serious and more frequent, but we're also becoming a lot better at a number of new activities and processes, and (business continuity planning) has been taken to a higher level in corporations." So I put together a team and starting working on the new book.
Q: You write in the preface that we shouldn't look at this book as a sequel or a new edition of the original, that it really is something different. Tell me how.
A: It looks at a whole new set of threats that I didn't cover very much in the first book. For example, think about cybersecurity problems. Ten years ago, we were just starting to hear about cybersecurity problems. Today, "cyber" is a weapon. Many physical systems are being run by digital means and can be attacked.
It also became very important to talk about social and environmental responsibility: (the factory fires) in Bangladesh; the conflict mineral issues, which forced Intel and Apple to go to this very deep level—10 to 12 tiers deep—in the supply chain to find out where these minerals were coming from. This became a real corporate reputational risk. And, of course, there have been things like the Japanese earthquake and tsunami that changed a lot of companies' views on risk and their own vulnerability to disruption.
In the new book, I also emphasize a point that I did not make and should have made last time that people always look at the top right corner [in a quadrant chart of possible disruptions and estimations of their likelihood and impact] where the probability (of an event) is high and the consequences are high, but that is the wrong place to look. Companies prepare for these events, and as a result, although the impacts could be severe, they are not that high because companies are ready for them. I point out the really worrisome quadrant is the high-consequence/very-low-probability corner because this is the "black swan." This is the 2008 financial meltdown. This is 9/11. This is Chernobyl. These are the things that nobody expected and nobody knew how to deal with. And the question is, how do you prepare for things that you cannot even imagine, things that you don't even know that you don't know. A lot of the issues in the book have to do with general preparation or general resilience for what you can't even imagine because it never happened to you, to your competitors, or to other people in the industry.
Another change that is introduced to this framework is what I call "detectability"—the time from when you know something is going to happen to the first impact. Think of the classic example, a hurricane. You know three days before we see the storm.
But you (also) have to prepare for something that you only find out about after the fact. Think about some sabotage, some people stealing trade secrets, some cyberbug in your system.
There are a lot of new software applications that didn't exist 10 years ago that are designed to alert you as soon as something happens and tell you what the implications are, what the value risk is, which customers and products will be affected, and what problems you're going to have. I cover some of these new software applications in the book.
Q: You talked a few minutes ago about how while the risks are higher today, we have also learned a lot. What have we learned over the last 10 years that we've been able to put to work to help mitigate risks?
A: In terms of things that you can point to, such as an earthquake in an area that's prone to quakes or floods, you have to prepare for things that have happened before and can happen again. What is the communication plan? How should you notify whoever it is: the customers, Wall Street, suppliers, whatever? Who should be notified? Who should be involved in making up the plan? How do you respond?
The other side is the completely unexpected situation where you don't know what to do beyond general resilience measures. For this, you first of all have to have an emergency response operation and you have to have all the communications lines. The number one thing is what I said: You have to know who to call. Who should be the people to man these emergency operations? In a manufacturing company, it should be basically two functions, supply chain management and engineering.
Supply chain management should focus on inventory—looking at how to acquire more supplies where needed and seeking alternative suppliers. Engineering should look for damage solutions. Can we replace a component with another part? How do we qualify another part and so forth?
In general, the response should be two-pronged and involve two separate teams. One team should deal with the people. What is the impact on people? How do we find everybody? How do we deal with our suppliers? The other team should deal with business continuity issues. Because otherwise, depending on the nature of the team, they pay too much attention to one or the other.
Q: Let me go back to risk assessment for a moment. You talked about Intel and how deeply it had to dig to find out where its minerals come from. How does a company find out the risk deep in its supply chain, in its tier three, four, or five?
A: Oh, there was talk about a tier 12 or something. Anyway, Intel learned that four metals used in electronic products might be "conflict minerals," metals that have been mined under conditions of coercion and violence, and mobilized a team to ensure that its operations were "conflict free." The first question was, "Are we using conflict minerals?" But nobody knew. So the company started going backward in the supply chain, and it realized that it had to go back to about level five or six. Beyond this, you cannot tell where a material is coming from because the supplier gets it from multiple sources and just mixes it all together.
Intel decided to focus on the smelters and make sure the smelters' brokers only bought from approved mines. The thought was the company was not going to buy anything from mines in the Democratic Republic of Congo, but that would just throw hundreds of thousands of people out of work in a very poor country. So it couldn't do that.
So then it went to the smelters and tried to convince them to do it, but the problem is, as big as Intel is, it is not a very big customer of the smelter. And the smelter says, "I am not selling to you. I'm selling to some broker who then sells to another customer, who sells it to some other company." So Intel put together an industry consortium [the Electronic Industry Citizenship Coalition]. And it paid the smelters to qualify certain mines so it knew where minerals were coming from. It took Intel years, by the way.
Q: One of the arguments you make in the book is that by looking at your risk, by preparing for risk, you actually strengthen the entire enterprise. Expand on that a bit.
A: For an example, there is Intel. It had to map its entire supply chain. Knowing who the people upstream are, you not only get risk protection—the sense that if something happened to one of them, you know what the implications are—but you also learn more about what's going on in the supply chain. You start understanding your own supply chain a lot better, which always brings good things.