Monday, February 4, 2008

Where are the greatest risks in your supply chain? Hint: All risks are not created equal.

Oftentimes, a problem looks biggest the first time you look at it. It's only after you spend some time analyzing it that you realize that you can break it up into bite-sized chunks and begin to attack it. (Sort of the same way you'd attack that 24oz New York Strip: First, skip the salad; second, just the right Cabernet; third, leave dessert for the vegans at the next table; fourth, where's that steak knife?...mmmmm...)

I'd argue that securing the supply chain is no exception. At first glance, it seems like an impossible task. How can we possibly ensure that we've secured all the factories, consolidators, ports and terminals, ocean carriers, etc., from penetration from a sophisticated and determined adversary?

That is a daunting task, but it's really not a useful exercise -- as it turns out, supply chains are not equally vulnerable everywhere. For a good illustration of supply chain risk areas, I'd point you to a study done by Unisys titled "The Secure Commerce Roadmap". (See graphic below)


The graphic does a great job illustrating what those involved in moving maritime containerized cargo into the U.S. see every day -- importers typically have the least amount of visibility and control over their goods as they move from overseas manufacturer to the foreign port. From the point that the container is loaded overseas at a factory or consolidator until it passes over the rail of an ocean carrier is the area of greatest vulnerability with the fewest direct security controls -- in other words, the area of greatest risk (risk = threat + vulnerability). If you think about it, this makes sense. Once the container is at sea aboard a vessel carrying 4,000 containers, how would you penetrate that? Answer: It's hard, so if you're a terrorist, you don't try; you look elsewhere.

So how might a determined and sophisticated terrorist organization take advantage of this knowledge to either attack the supply chain or use it as a delivery vehicle to attack the U.S.? Two primary risk area scenarios emerge:

1. At point of stuffing: A terrorist organization penetrates the supply chain and introduces a weapon into the container at the point the container is loaded.

2. During inland drayage: After the container has been stuffed, a terrorist organization penetrates the supply chain as the container moves from manufacturer/consolidator to the foreign port, probably via an inland truck carrier.

So now that we have two scenarios, the problem gets a little easier to scope and address. To prevent penetration at point of stuffing, we need to know who our business partners are, what are their security practices (including hiring -- do they vet their own employees?), how do they handle containers before, during and after loading, etc. To prevent penetration during movement to the port, we need to know the same kind of information about those companies we hire for inland trucking. We also need to address how those movements are booked, and leverage overseas consolidators to help extend our reach (and our controls) deep into the supply chain.

So are these easy problems to address? No way. But by more realistically assessing risk areas to your supply chain, you decrease the chance that you waste your energy and resources on areas that aren't that risky after all. Because all risks are not created equal...

Sunday, January 6, 2008

Dear Santa: My Supply Chain Security Wish List for 2008.

Dear Santa,

Truth be told, 2007 was a weird year on the policy side for supply chain risk managers. After passage of the bipartisan and relatively reasonable SAFE Port Act in 2006, a new Congress charged in and decided that they needed to mandate 100% overseas scanning of all cargo bound for the U.S. -- without waiting to see the results of pilot projects that were set to test whether this was even possible.

Customs and Border Protection (CBP) spent most of the year doing a good job engaging the Trade on development of the new Security Filing (colloquially known as '10+2' and adding new data elements importers need to provide to CBP to help them identify potentially high risk cargo). Then, in an apparent effort to undo all that effort, the Department of Homeland Security (DHS) went off on its own and decided to solicit bids to pilot a 'Global Trade eXchange (GTX)' without bothering to consult with anyone in the Trade industry as to how such a system might work, or whether it was even needed.

So, Santa, given the rather mixed year we've had, I'm going to be a little selfish for 2008 and ask that we try our best to spend finite time, energy and money where it would be most useful. Here are my four wishes:

1. A standing public-private forum to jointly set the supply chain security agenda: Since 9/11, the Department of Homeland Security and CBP have leveraged the Commercial Operations Advisory Committee (COAC) as a way to get input on supply chain security policy from the trade community. COAC's original raison d'etre was to provide private sector advice on customs activities when U.S. Customs was the second largest revenue generator for the U.S. government after the IRS. While this was a good temporary solution, it's time to set up a separate body to jointly set the supply chain security agenda. Why? Because now we have the Customs-Trade Partnership Against Terrorism (C-TPAT), the public-private partnership to secure the country's supply chain. No offense to any of the COAC members, but some of the companies represented aren't even in C-TPAT. One criticism against C-TPAT is that the benefits aren't worth the cost. One suggestion for a new benefit: C-TPAT companies would be allowed to rotate through a committee to jointly set the supply chain security agenda.


2. An executable recovery and restart plan: The average American might be surprised to learn that more than 6 years after 9/11, we actually don't have a plan to recover and re-start the U.S. supply chain in the event of a man-made disruption. As everyone probably recalls, after the 9/11 attacks, the U.S. government closed the borders and shut down all air travel. What people might not remember is the immediate impact on supply chains: Toyota, adhering to its just-in-time philosophy, came within hours of shutting down an assembly line in Indiana as parts routinely supplied by air from Germany were delayed. In our 21st century flat world, supply chains are so integral to the U.S. and world economy, that we must have an executable recovery and restart plan to ensure our system is resilient. The Maritime Infrastructure Recovery Plan, or MIRP, is good if you have insomnia, but won't help us recover after disruption. We need something that we can actually exercise and implement.


3. A National Intelligence Estimate (NIE) on threats to the global supply chain: The average American might also expect that, what with all the hullabaloo surrounding port security, especially in the wake of the Dubai Ports World brouhaha (How about that? I used 'hullabaloo' and 'brouhaha' in the same sentence!), the danger to U.S. ports and supply chain must be clear and present. It might be, but it might not -- we actually don't know, because we've not done an intelligence estimate to characterize the threat. The country's supply chain is part of our critical infrastructure, so is clearly a vulnerability worth protecting -- but we'd probably be a whole lot more efficient at protecting it if we did more analysis to better refine the realistic threat scenarios.


4. Intelligence sharing between the public and private sector: One reason we probably don't have an NIE on the global supply chain is that there are few if any experts on supply chains within the military or civilian intelligence community. But this doesn't need to be a showstopper. Let's use the example of another public-private partnership no one has ever heard of -- the State Department's Overseas Security Advisory Council (OSAC). OSAC analysts collect risk intelligence from Embassies and private sector companies overseas, then share that analysis between the public & private sectors -- and it's been working successfully for 20 years! OSAC does a great job assessing threats to people, facilities, and intellectual property, but doesn't focus on the supply chain. There are private companies - importers, consolidators, ocean carriers, terminal operators - that all can and do collect business-related risk intelligence, and many would be willing to share this information. We just need a mechanism to do it. So we can either give OSAC the mandate to cover the supply chain, or use the OSAC model to create a similar organization to connect with CBP. I'm not saying this would happen overnight, but it's also not like we need to invent cold fusion -- the model exists, all we need to do is replicate it.

So, Santa, I know this is a lot to ask for, but I just think the supply chain is worth it. Oh, and if you can deliver on these, I could make it worth your while -- maybe even see if we could put together your own just-in-time supply chain so you wouldn't have to depend on all those darn elves, what with the rising cost of labor at the North Pole. So consider yourself a supply chain stakeholder, and if you're really good, we'll put in a good word with CBP and see if we can't get you into C-TPAT. That oughta save you some time crossing into the U.S. on Christmas Eve.

Merry Christmas,

Big S

Monday, December 31, 2007

Think instability in Pakistan can't affect your China supply chain? Think again.

So who hasn't watched the Bhutto assassination and wondered where Pakistan is headed? Here's a country with a whole lot of anti-American sentiment and nuclear weapons. So as Pakistan teeters on the edge of a precipice, I'd bet that there are lots of supply chain professionals who are glad they don't source out of that particular high-threat origin, and instead put all or most of their eggs in a nice low-threat basket like China. I'd guess that many think that by avoiding the high-risk markets, they've mitigated their risk. Unfortunately, they'd be wrong. Why?

For the answer to that, I'd call on no less an authority than Ambassador/Admiral Bill Crowe. Admiral Crowe served as Chairman of the Joint Chiefs of Staff from 1985-89, then as Ambassador to the United Kingdom during the Clinton Administration. In his book, The Edge of Disaster: Rebuilding a Resilient Nation, Stephen Flynn describes a conversation with Ambassador Crowe in September 2002. As recounted by Steve, Ambassador Crowe provided an important insight into how America needs to address the risks inherent in The Long War:

"You have to remember these terrorists are not supermen...these terrorists cannot destroy us. We are a country of three hundred million people with infrastructure spread across a nation that has the fourth largest landmass in the world. This is not thermonuclear war we are facing. The real danger lies not with what the terrorists can do to us, but what we can do to ourselves when we are spooked [emphasis added]."

The danger for the country is not just the initial terrorist attack, but also in our response to it. There is a real risk that, in our zeal to respond to the attack, we will inadvertently overreact and do more damage to ourselves than the terrorists could ever have done on their own. In short, to summarize Ambassador Crowe: We have seen the enemy, and it is us.

And we've actually had a real-life example of how local, state and federal authorities, acting without the benefit of clear intelligence or resiliency planning, might cause greater damage trying to respond to an incident within the country's supply chain. Some may recall what has been called the "Lemon Incident:" In 2004, a ship bound for Port Elizabeth, New Jersey, was alleged to be carrying lemons laced with a biological agent. The ship was forced to sit off the coast for a week while local, state and federal authorities argued about what to do. Since 9/11, U.S. efforts have focused on creating a layered, defense-in-depth approach, pushing the U.S. borders out in an effort to prevent penetration of legitimate supply chains. Unfortunately, less effort has gone into efforts around response and resiliency to ensure that the system could be restarted in the event of a disruption.

So let's bring this back to Pakistan. If I only source out of low-threat China, why do I need to worry about high-threat Pakistan? Because our supply chain is only as strong as its weakest link. If a committed terrorist group penetrates a supply chain in a high threat origin and introduces a weapon of mass destruction into the network, the danger is not just the initial attack but our reaction to it. Given the small percentage of containers that are actually inspected, how will local, state and federal governments assure their various constituencies that cargo is safe? How do we reassure the American public that despite the fact that a container from a high-threat, low volume origin was penetrated, we should continue to allow cargo from low-threat, high volume origins (like China) to move at its normal pace? In a crisis situation, would anyone really accept that?

It's time for the trade industry and our local, state and federal partners to jointly develop a national recovery and restart plan, to ensure the country's supply chain is resilient enough to withstand the worst.

Friday, December 28, 2007

Why care about supply chains? They make the world a flatter place.


So I guess at some point I have to answer the inevitable question: Why spend so much time writing about supply chains? And why do I have to answer this question? Actually, to be honest, the real reason I have to answer this question is because it comes from my wife (and if I don't answer it, she'll just keep asking me). You might not believe this, but she actually thinks supply chains are boring. I know, I know, I can't believe it either -- and thank God there's a few out there that agree with us (Though apparently we may be a little defensive if the blog titled "Who said supply chains are boring?" is any indication).

Apparently, however, my wife is actually in the majority in this one. Yup, it was hard for me to admit, but your average American not only doesn't know what a supply chain is, but (gasp!) could care less.

So why do I think supply chains are worthy of all this time? Because I agree with Tom Friedman when he refers to "supply chaining" as one of the Ten Flatteners -- ten trends that made the world flat. Friedman describes supply chaining as:

"a method of collaborating horizontally -- among suppliers, retailers, and customers -- to create value. Supply chaining is both enabled by the flattening of the world and a hugely important flattener itself, because the more these supply chains grow and proliferate, the more they force the adoption of common standards between companies (so that every link of every supply chain can interface with the next), the more they eliminate points of friction at borders, the more the efficiencies of one company get adopted by others, and the more they encourage global collaboration."


[Author's segue: I'll be honest, I'm a big fan of Friedman -- he has a great way of taking complex ideas and making them extremely simple. I had a chance to hear him speak in person and one nugget that struck me was his description of the power of naming a trend or idea. In his words, "As a columnist, in my world, if you can name an idea, you can own it." Clearly, this isn't rocket science -- people have been doing this for years in areas from politics (see "Death Tax") to marketing (then again, maybe politics and marketing really aren't that far removed) -- but Friedman's simple description of the power of naming something stuck with me. Another book along the same lines is "Made to Stick" by Chip and Dan Heath. I saw Dan Heath speak -- great presenter with excellent content.]


Since I think most people aren't likely to remember Friedman's Ten Flatteners, I'd simplify the trends even more. Imagine globalization as a three-legged stool: one leg is air travel, which allows the fast movement of people; the second leg is the internet, which allows the efficient movement of information (including financial information); the third is the ubiquitous intermodal cargo container which allows the fast movement of goods. (The cargo container is affectionately known to those in the shipping industry as "the box" -- for anyone interested in a great read of how the shipping industry was revolutionized by a trucker from the southern U.S. check out "The Box" by Marc Levinson).


I'm betting that just about everyone could name Orville and Wilbur Wright as the inventors of controlled, powered human flight. Many people might even be able to identify Bob Kahn and Vint Cerf as the inventors of the Transmission Control Protocol (TCP) which moves data on the modern Internet. But how many people would put Malcom McLean in the same category? How many people even know who Malcom McLean was? Yet his contribution to globalization by vastly increasing the efficiency with which goods are moved around the world is arguably no less revolutionary than the Wright brothers or the many involved in developing and refining the protocols that make the internet possible.


So that, in a nutshell, is why I think supply chains are worthy of all this time, and why those of us who work with them and in them on a daily basis need to explain more to the average American about what they are, how they work, and why they're important. I'll even go farther and say supply chains are not only important, but they're sexy. Ok, maybe that's too much of a reach right now, but we all need something to strive for, right? Remember, if you can name something, you can own it. So now you'll have to excuse me while I pass the computer to my wife so she can read this post...

Sunday, December 16, 2007

The risk-based approach: Prevent what you can, and improve resiliency.

So if you don't like this post, blame Steve Jobs (or you could blame fake Steve Jobs, since he's not real and is therefore less likely to seek retribution. Then again, he's Steve Friggin Jobs, how much time can he have for the little people?). Why? It all starts with my iPod. Yeah, I love that I can hold every album I've ever bought (and some that I just checked out from the library for a couple of hours -- that's ok, right?), but I have become a total podcasting geek. Every couple of days I'm checking iTunes for the latest podcasts by the Harvard Business Review, the Wall Street Journal, TED and Pop!Tech, the BBC Documentary Archive (a personal fave), and yes, occasionally The Economist. The Economist is a fantastic periodical, but I'm not as attached to their recent podcasts (though some of their older ones, particularly those on blogs and other social software like this one with Jerry Michalski, are probably to blame for the fact that I am now inflicting my opinions on you, gentle reader).

So yesterday as I'm driving to pick up takeout food (mmmmm, Mexican) I listened to a podcast under their Democracy in America section on Homeland Security. They had a discussion with Jeremy Shapiro of the Brookings Institution. This is one that I feel like I have to comment on.

Now Jeremy Shapiro is obviously very smart, and probably someone I'd get along well with socially, but his recommendation as discussed with The Economist misses on several counts. He recommends a threat-based approach -- focus homeland security resources only on those areas where we have specific threat information. According to Shapiro:

"As far as I'm aware, there has never been a plot against a seaport. Well, why is that? It's because they're really not interested in blowing up seaports. They're not interested.... in attacking things that matter to us. They're interested in attacking things which matter to their constituencies: symbolic targets, civil aviation targets. From their perspective, the idea of blowing up a container ship, which wouldn't even be on television, is not the kind of thing they want to do."

Sounds reasonable, right? Except it's not. There's a couple of problems with this:

  • This assumes that our current threat intelligence is airtight. I'm a former intelligence officer and in my opinion this is a big assumption. We never put the intel together on the 9/11 plot -- clearly intelligence capabilities and coordination have been improved since then, but I think even intelligence professionals would be hard pressed to guarantee that there are no gaps in our current assessment of the terrorist threat.
  • And if you believe Nassim Nicholas Taleb, this problem is compounded by the fact that we're actually not very good at predicting the likelihood that something highly improbable, Taleb's 'black swan', will happen.
  • Using the logic above (i.e., Al Qaeda will not attack a seaport in the future because they've never attacked a seaport in the past), I guess what we've learned from 9/11 is that Al Qaeda is very interested in blowing up the World Trade Center -- and now that that's gone we can all rest easy. Whew! (This reminds me of the logic used by Dana Carvey impersonating George H.W. Bush making a speech on the eve of the first Gulf War: "I can assure you that this will not be another Vietnam. Because we have learned well the simple lesson of Vietnam: (wait for it) STAY OUT OF VIETNAM!")
  • What about the USS Cole in the Port of Aden? Ok, so that was a military vs. civilian target, but who doesn't remember the gaping hole in the side of the Cole as brave sailors worked to save it from going to the bottom? A port could make a compelling target.

Shapiro makes a good point that when resources are finite, you can't make everything invulnerable, nor should you try. So how does the private sector deal with this? Yes, you focus resources on threats that you know about, that happen all the time, whether that's once a day or once a year. But you also focus resources to address vulnerabilities or exposure, especially those low probability/high impact events where the impact would be so devastating that you'd lose the farm (or the firm) if something that calamitous came to pass.

You can't ignore vulnerability or exposure just because you lack specific, actionable threat information -- instead you set up tripwires to monitor the threat, you put mitigation measures in place to try to prevent it, and if you're really thinking you build either flexibility or redundancy into your operations to make your enterprise more resilient (thank you, Yossi Sheffi).

So, in sum...threat + vulnerability or exposure = risk. You can't do the calculation without considering both.

So, given the above, I'd argue that as part of the country's critical infrastructure, port and supply chain security fall into this high vulnerability category. We might not have specific threat info, but an attack on the country's supply chain would be so devastating, we have no choice but to manage the risk. So what kind of impact would an attack have? In a wargame conducted by Booz Allen Hamilton and the Conference Board in 2002, an incident involving a weapon of mass destruction in the supply chain was estimated to cost the U.S. economy $58 Billion. For a historical example, take a look at the 2002 West Coast port lockout -- everyone knew it was coming and the shutdown still cost $20 Billion. Let's say that again, we knew it was coming and the shutdown still cost us $20 Billion. Yeah, it's not the World Trade Center falling down, but you can't tell me that doesn't represent a vulnerability that's worth protecting.

To be fair to Mr. Shapiro, the rest of his recommended strategy to manage homeland security is sound, especially his focus on resiliency.

The Bottom Line: Supply chains are so integral to the U.S. economy that we can't afford not to protect them against natural or manmade disruptions -- protection both in the form of preventive security measures and system-level resiliency.

Saturday, December 15, 2007

What is big "S" security? Be careful how you pronounce it.

Gotta give credit to Jim Rice at MIT's Center for Transportation and Logistics for this one (you can even check out the photos of Jim's cute kids at this link - sorry, Jim, couldn't resist). Jim and I collaborated on an article for MIT's Supply Chain Strategy publication on supply chain risk management. In the middle of writing it Jim and I were heading out to eat beignets at Cafe Du Monde in New Orleans (I was a beignet virgin at the time. Note to readers: There probably is a way to eat beignets while wearing a dark suit, but I have yet to develop the kama sutra-like flexibility required to execute this maneuver) and Jim said something along the lines of "You know, what we're really talking about is big "S" security." I misunderstood him and queried what the heck he meant by "big a** security"? His response: "You know, you're the second person who's said that, so I guess I'd better be careful about how I pronounce it."

As Jim and I talked about it, and as captured in the article, he called it "Big 'S' Security" because the influence of security in this type of company is big. This isn't your father's security force -- a bunch of knuckle draggin', cop wannabes of the guards, gates and guns variety. This is the new, post-9/11 security where professionals focus on identifying, assessing and mitigating risks to protect the company's key strategies and ensure its ultimate economic viability. This is the new security for a flat world where asymmetric threats are as likely to be directed against the private sector as they are the public one. Those are big a** risks, and that, friends, is why companies and governments now need to think about Big "S" Security.

Thursday, December 13, 2007

How do you incent companies to secure their supply chain? Fatten the carrot...or the stick.

So what are the challenges that CBP still faces with C-TPAT? One of these is that according to CBP's figures, 45% of the cargo coming into the U.S. is imported by C-TPAT partners. Pretty good statistic, right? It is, except that means that more than half of the cargo coming into the U.S. is being moved by non-C-TPAT members -- companies whose commitment to securing their, and the country's, supply chain is unknown. Sounds like a pretty big area of opportunity.

So why haven't more companies joined C-TPAT? My guess is that they don't see the carrot as being big enough...and they apparently aren't afraid of the stick either. According to CBP's data (these figures are dated -- they are from 2005, but this is the only data I've seen CBP release on C-TPAT vs non-C-TPAT inspection rates), non-C-TPAT companies have 1 in 47 containers inspected -- that translates to a security inspection rate of about 2.1%. C-TPAT companies experience 1 in 300 containers being stopped for a security inspection, for an inspection rate of about 0.3%. If you're a large importer focused on achieving economies of scale, "just-in-time" delivery, and driving down costs, the difference between 2.2% and 0.3% is significant and translates into speed-to-market. But if you're a small or medium sized importer, a 2.2% inspection rate probably doesn't even get your attention -- you're just trying to stay in business and figure out how to compete now that the world is flat. To these companies, the perceived costs and complexity of becoming a C-TPAT member may be disincentives to even applying to join the program.

An article in today's American Shipper seems to confirm this -- small to medium sized firms fail to see the benefits of joining C-TPAT. According to a recent survey:

  • 55 percent of firms with less than 500 employees could not determine the benefits of participating in C-TPAT.
  • 37 percent of companies cited either lack of time or money, or both, to devote to applying for C-TPAT status.
  • More than 50 percent of those firms surveyed said they were either never invited by CBP or their customs brokers to become C-TPAT participants.

The only caveat I'd throw out here is that the number of responses seems fairly small -- the article cites "more than 100" and calls this a "snapshot" of small and medium sized importers. Mike Laden of Trade Innovations and the Trusted Trade Alliance is quoted in the article as saying that CBP should increase the exam rate for non-C-TPAT companies by 50% -- in other words, CBP should use a bigger stick. I know Mike, and he has a fair amount of experience with small and medium sized importers -- he's probably on to something.