Think instability in Pakistan can't affect your China supply chain? Think again.

So who hasn't watched the Bhutto assassination and wondered where Pakistan is headed? Here's a country with a whole lot of anti-American sentiment and nuclear weapons. So as Pakistan teeters on the edge of a precipice, I'd bet that there are lots of supply chain professionals who are glad they don't source out of that particular high-threat origin, and instead put all or most of their eggs in a nice low-threat basket like China. I'd guess that many think that by avoiding the high-risk markets, they've mitigated their risk. Unfortunately, they'd be wrong. Why?

For the answer to that, I'd call on no less an authority than Ambassador/Admiral Bill Crowe. Admiral Crowe served as Chairman of the Joint Chiefs of Staff from 1985-89, then as Abassador to the United Kingdom during the Clinton Administration. In his book, The Edge of Disaster: Rebuilding a Resilient Nation, Stephen Flynn describes a conversation with Ambassador Crowe in September 2002. As recounted by Steve, Ambassador Crowe provided an important insight into how America needs to address the risks inherent in The Long War:

"You have to remember these terrorists are not supermen...these terrorists cannot destroy us. We are a country of three hundred million people with infrastructure spread across a nation that has the fourth largest landmass in the world. This is not thermonuclear war we are facing. The real danger lies not with what the terrorists can do to us, but what we can do to ourselves when we are spooked [emphasis added]."

The danger for the country is not just the initial terrorist attack, but also in our response to it. There is a real risk that, in our zeal to respond to the attack, we will inadvertantly overreact and do more damage to ourselves than the terrorists could ever have done on their own. In short, to summarize Ambassador Crowe: We have seen the enemy, and it is us.

And we've actually had a real-life example of how local, state and federal authorities, acting without the benefit of clear intelligence or resiliency planning, might cause greater damage trying to respond to an incident within the country's supply chain. Some may recall what has been called the "Lemon Incident:" In 2004, a ship bound for Port Elizabeth, New Jersey, was alleged to be carrying lemons laced with a biological agent. The ship was forced to sit off the coast for a week while local, state and federal authorities argued about what to do. Since 9/11, U.S. efforts have focused on creating a layered, defense-in-depth approach, pushing the U.S. borders out in an effort to prevent penetration of legitimate supply chains. Unfortunately, less effort has gone into efforts around response and resiliency to ensure that the system could be restarted in the event of a disruption.

So let's bring this back to Pakistan. If I only source out of low-threat China, why do I need to worry about high-threat Pakistan? Because our supply chain is only as strong as its weakest link. If a committed terrorist group penetrates a supply chain in a high threat origin and introduces a weapon of mass destruction into the network, the danger is not just the initial attack but our reaction to it. Given the small percentage of containers that are actually inspected, how will local, state and federal governments assure their various constituencies that cargo is safe? How do we reassure the American public that despite the fact that a container from a high-threat, low volume origin was penetrated, we should continue to allow cargo from low-threat, high volume origins (like China) move at it's normal pace? In a crisis situtation, would anyone really accept that?

It's time for the trade industry and our local, state and federal partners to jointly develop a national recovery and restart plan, to ensure the country's supply chain is resilient enough to withstand the worst.

Why care about supply chains? They make the world a flatter place.

So I guess at some point I have to answer the inevitable question: Why spend so much time writing about supply chains? And why do I have to answer this question? Actually, to be honest, the real reason I have to answer this question is because it comes from my wife (and if I don't answer it, she'll just keep asking me). You might not believe this, but she actually thinks supply chains are boring. I know, I know, I can't believe it either -- and thank God there's a few out there that agree with us (Though apparently we may be a little defensive if the blog titled "Who said supply chains are boring?" is any indication).

Apparently, however, my wife is actually in the majority in this one. Yup, it was hard for me to admit, but your average American not only doesn't know what a supply chain is, but (gasp!) could care less.

So why do I think supply chains are worthy of all this time? Because I agree with Tom Friedman when he refers to "supply chaining" as one of the Ten Flatteners -- ten trends that made the world flat. Friedman describes supply chaining as:

"a method of collaborating horizontally -- among suppliers, retailers, and customers -- to create value. Supply chaining is both enabled by the flattening of the world and a hugely important flattener itself, because the more these supply chains grow and proliferate, the more they force the adoption of common standards between companies (so that every link of every supply chain can interface with the next), the more they eliminate points of friction at borders, the more the efficiencies of one company get adopted by others, and the more they encourage global collaboration."

[Author's segue: I'll be honest, I'm a big fan of Friedman -- he has a great way of taking complex ideas and making them extremely simple. I had a chance to hear him speak in person and one nugget that struck me was his description of the power of naming a trend or idea. In his words, "As a columnist, in my world, if you can name an idea, you can own it." Clearly, this isn't rocket science -- people have been doing this for years in areas from from politics (see "Death Tax") to marketing (then again, maybe politics and marketing really aren't that far removed) -- but Friedman's simple description of the power of naming something stuck with me. Another book along the same lines is "Made to Stick" by Chip and Dan Heath. I saw Dan Heath speak -- great presenter with excellent content.]

Since I think most people aren't likely to remember Friendman's Ten Flatteners, I'd simplify the trends even more. Imagine globalization as a three-legged stool: one leg is air travel, which allows the fast movement of people; the second leg is the internet, which allows the efficient movement of information (including financial information); the third is the ubiquitous intermodal cargo container which allows the fast movement of goods. (The cargo container is affectionately know to those in the shipping industry as "the box" -- for anyone interested in a great read of how the shipping industry was revolutionized by a trucker from the southern U.S. check out "The Box" by Marc Levinson).

I'm betting that just about everyone could name Orville and Wilbur Wright as the inventors of controlled, powered human flight. Many people might even be able to identify Bob Kahn and Vint Cerf as the inventors of the Transmission Control Protocol (TCP) which moves data on the modern Internet. But how many people would put Malcom Mclean in the same category? How many people even know who Malcom Mclean was? Yet his contribution to globalization by vastly increasing the efficiency in which goods are moved around the world is arguably no less revolutionary than the Wright brothers or the many involved in developing and refining the protocols that make the internet possible.

So that, in a nutshell, is why I think supply chains are worthy of all this time, and why those of us who work with them and in them on a daily basis need to explain more to the average American about what they are, how they work, and why they're important. I'll even go farther and say supply chains are not only important, but they're sexy. Ok, maybe that's too much of a reach right now, but we all need something to strive for, right? Rember, if you can name something, you can own it. So now you'll have to excuse me while I pass the computer to my wife so she can read this post...

The risk-based approach: Prevent what you can, and improve resiliency.

So if you don't like this post, blame Steve Jobs (or you could blame fake Steve Jobs, since he's not real and is therefore less likely to seek retribution. Then again, he's Steve Friggin Jobs, how much time can he have for the little people?). Why? It all starts with my iPod. Yeah, I love that I can hold every album I've ever bought (and some that I just checked out from the library for a couple of hours -- that's ok, right?), but I have become a total podcasting geek. Every couple of days I'm checking iTunes for the latest podcasts by the Harvard Business Review, the Wall Street Journal, TED and Pop!Tech, the BBC Documentary Archive (a personal fave), and yes, occasionally The Economist. The Economist is a fantastic periodical, but I'm not as attached to their recent podcasts (though some of their older ones, particularly those on blogs and other social software like this one with Jerry Michalski, are probably to blame for the fact that I am now inflicting my opinions on you, gentle reader).

So yesterday as I'm driving to pick up takeout food (mmmmm, mexican) I listened to a podcast under their Democracy in America section on Homeland Security. They had a discussion with Jeremy Shapiro of the Brookings Institution. This is one that I feel like I have to comment on.

Now Jerry Shapiro is obviously very smart, and probably someone I'd get along well with socially, but his recommendation as discussed with The Economist misses on several counts. He recommends a threat-based approach -- focus homeland security resources only on those areas where we have specific threat information. According to Shapiro:

As far as I'm aware, there has never been a plot against a seaport. Well, why is that? It's because they're really not interested in blowing up seaports. They're not interested.... in attacking things that matter to us. They're interested in attacking things which matter to their constituencies: symbolic targets, civil aviation targets. From their perspective, the idea of blowing up a container ship, which wouldn't even be on television, is not the kind of thing they want to do.

Sounds reasonable, right? Except it's not. There's a couple of problems with this:

• This assumes that our current threat intelligence is airtight. I'm a former intelligence officer and in my opinion this is a big assumption. We never put the intel together on the 9/11 plot -- clearly intelligence capabilities and coordination has been improved since then, but I think even intelligence professionals would be hard pressed to guarantee that there are no gaps in our current assessment of the terrorist threat.
• And if you believe Nassim Nicholas Taleb, this problem is compounded by the fact that we're actually not very good at predicting the likelihood that something highly improbable, Taleb's 'black swan', will happen.
• Using the logic above (i.e., Al Qaeda will not attack a seaport in the future because they've never attacked a seaport in the past), I guess what we've learned from 9/11 is that Al Qaeda is very interested in blowing up the World Trade Center -- and now that that's gone we can all rest easy. Whew! (This reminds me of the logic used by Dana Carvey impersonating George H.W. Bush making a speech on the eve of the first Gulf War: "I can assure you that this will not be another Vietnam. Because we have learned well the simple lesson of Vietnam: (wait for it) STAY OUT OF VIETNAM!")
• What about the USS Cole in the Port of Aden? Ok, so that was a military vs. civilian target, but who doesn't remember the gaping hole in the side of the Cole as brave sailors worked to save it from going to the bottom. A port could make a compelling target.

Shapiro makes a good point that when resources are finite, you can't make everything invulnerable, nor should you try. So how does the private sector deal with this? Yes, you focus resources on threats that you know about, that happen all the time, whether that's once a day or once a year. But you also focus resources to address vulnerabilities or exposure, especially those low probability/high impact events where the impact would be so devastating that you'd lose the farm (or the firm) if something that calamitous came to pass.

You can't ignore vulnerability or exposure just because you lack specific, actionable threat information -- instead you set up tripwires to monitor the threat, you put mitigation measures in place to try to prevent it, and if you're really thinking you build either flexibility or redundancy into your operations to make your enterprise more resilient (thank you, Yossi Sheffi).

So, in sum...threat + vulnerability or exposure = risk. You can't do the calculation without considering both.

So, given the above, I'd argue that as part of the country's critical infrastructure, port and supply chain security fall into this high vulnerability category. We might not have specific threat info, but an attack on the country's supply chain would be so devastating, we have not choice but to manage the risk. So what kind of impact would an attack have? A wargame conducted by Booz Allen Hamilton and the Conference Board in 2002 involving a weapon of mass destruction in the supply chain was estimated to cost the U.S. economy $58 Billion. For a historical example, take a look at the 2002 West Coast port lockout -- everyone knew it was coming and the shutdown still cost $20 Billion. Let's say that again, we knew it was coming and the shutdown still cost us $20 Billion. Yeah, it's not the World Trade Center falling down, but you can't tell me that doesn't represent a vulnerability that's worth protecting.

To be fair to Mr. Shapiro, the rest of his recommended strategy to manage homeland security is sound, especially his focus on resiliency.

The Bottom Line: Supply chains are so integral to the U.S. economy that we can't afford not to protect them against natural or manmade disruptions -- protection both in the form of preventive security measures and system-level resiliency.

What is big "S" security? Be careful how you pronounce it.

Gotta give credit to Jim Rice at MIT's Center for Transportation and Logistics for this one (you can even check out the photos of Jim's cute kids at this link - sorry, Jim, couldn't resist). Jim and I collaborated on an article for MIT's Supply Chain Strategy publication on supply chain risk management. In the middle of writing it Jim and I were heading out to eat beignets at Cafe Du Monde in New Orleans (I was a beignet virgin at the time. Note to readers: There probably is a way to eat beignets while wearing a dark suit, but I have yet to develop the kama sutra-like flexibility required to execute this maneuver) and Jim said something along the lines of "You know, what we're really talking about is big "S" security." I misunderstood him and queried what the heck he meant by "big a** security"? His response: "You know, you're the second person who's said that, so I guess I'd better be careful about how I pronounce it."

As Jim and I talked about it, and as captured in the article, he called it "Big 'S' Security" because the influence of security in this type of company is big. This isn't your father's security force -- a bunch of knuckle draggin', cop wannabes of the guards, gates and guns variety. This is the new, post-9/11 security where professionals focus on identifying, assessing and mitigating risks to protect the company's key strategies and ensure its ultimate economic viability. This is the new security for a flat world where asymmetric threats are as likely to be directed against the private sector as they are the public one. Those are big a** risks, and that, friends, is why companies and governments now need to think about Big "S" Security.

How do you incent companies to secure their supply chain? Fatten the carrot...or the stick.

So what are the challenges that CBP still faces with C-TPAT? One of these is that according to CBP's figures, 45% of the cargo coming into the U.S. is imported by C-TPAT partners. Pretty good statistic, right? It is, except that means that more than half of the cargo coming into the U.S. is being moved by non-C-TPAT members -- companies whose committment to securing their, and the country's, supply chain is unknown. Sounds like a pretty big area of opportunity.

So why haven't more companies joined C-TPAT? My guess is that they don't see the carrot as being big enough...and they apparently aren't afraid of the stick either. According to CBP's data (these figures are dated -- they are from 2005, but this is the only data I've seen CBP release on C-TPAT vs non-C-TPAT inspection rates), non-C-TPAT companies have 1 in 47 containers inspected -- that translates to a security inspection rate of about 2.1%. C-TPAT companies experience 1 in 300 containers being stopped for a security inspection, for an inspection rate of about 0.3%. If you're a large importer focused on achieving economies of scale, "just-in-time" delivery, and driving down costs, the difference between 2.2% and 0.3% is significant and translates into speed-to-market. But if you're a small or medium sized importer, a 2.2% inspection rate probably doesn't even get your attention -- you're just trying to stay in business and figure out how to compete now that the world is flat. To these companies, the perceived costs and complexity of becoming a C-TPAT member may be disincentives to even applying to join the program.

An article in today's American Shipper seems to confirm this -- small to medium sized firms fail to see the benefits of joining C-TPAT. According to a recent survey:

• 55 percent of firms with less than 500 employees could not determine the benefits of participating in C-TPAT.
• 37 percent of companies cited either lack of time or money, or both, to devote to applying for C-TPAT status.
• More than 50 percent of those firms surveyed said they were either never invited by CBP or their customs brokers to become C-TPAT participants.

The only caveat I'd throw out here is that the number of responses seems fairly small -- the article cites "more than 100" and calls this a "snapshot" of small and medium sized importers. Mike Laden of Trade Innovations and the Trusted Trade Alliance is quoted in the article as saying that CBP should increase the exam rate for non-C-TPAT companies by 50% -- in other words, CBP should use a bigger stick. I know Mike, and he has a fair amount of experience with small and medium sized importers -- he's probably on to something.

The largest public-private partnership you've never heard of.

It wasn't long after planes struck the twin towers and the pentagon before people asked the question, "What's the next target? Where are we vulnerable?" The global supply chain popped to the top of the list. Millions of uninspected cargo containers entered the U.S. every year. Drug cartels had exploited this vulnerability for years, but now the stakes were measurably higher. (I used to work for a 3-star General at the Defense Intelligence Agency who back in the mid-1990s was asking the question, "If you want to smuggle a weapon of mass destruction into the U.S., where would you put it?" He'd answer his own question: "At the center of a ton of cocaine...because that's getting in...").

Governments and private industry both realized that neither could do this alone, and so the Customs-Trade Partnership Against Terrorism, or C-TPAT, was born. C-TPAT is a voluntary (italics are mine) public-private partnership between the trade industry and U.S. Customs and Border Protection (CBP). The grand bargain is that in exchange for members of "the trade" ensuring a certain level of security within their supply chains, CBP grants benefits, primarily in the form of reduced security inspections when goods arrive in the U.S. The fundamental premise of this was to create a "known shipper" program so CBP could reduce the size of the haystack they were required to search -- now they could focus finite resources on the "unknown," and less on the known.

So why do I put "voluntary" in italics? Because for companies that are large importers, that believe in being good corporate citizens, and have a brand to protect C-TPAT isn't voluntary, it's necessary. Companies that find themselves in this situation also realize that the global supply chain is only as strong as it's weakest link -- so they have a vested interest in ensuring that everyone else's supply chain is at least as secure as theirs.

Today more than 10,000 companies have applied to become C-TPAT members, and more than 6,000 have been accepted into the program -- CBP claims this membership makes it the largest public-private partnership ever, and I've yet to hear anyone refute the claim. C-TPAT is by no means a perfect program, but it's a good start. In a future post I'll give you some of my thoughts about how the program should evolve.

Security to support commerce at the Port of Los Angeles.

Heard a great piece on NPR's Weekend Edition Saturday on the Port of Los Angeles and Long Beach. The piece highlights a key vulnerability of the U.S. -- the risk that one of the nearly 12 million cargo containers that enters the U.S. every year might contain a weapon of mass destruction. The reason this is such a big deal is that the easy movement of goods around the world by container is arguably one of the key pillars that makes the global economy grow.

Full disclosure: I work for a large importer and am responsible for supply chain security, so am neck deep in this issue. I also know one of the commentators personally -- Stephen Flynn wrote both "America the Vulnerable" and "The Edge of Disaster: Rebuilding a Resilient Nation" and is looked upon as an expert on supply chain and homeland security.

Flynn and Port Director John Holmes hit two key points during this presentation:

1. Securing the nation's economic viability is not just about securing our ports -- as Dr. Flynn says, the ports are really the last line of defense. Ports are merely a throughpoint for global supply chains, so in order to secure the country you really have to take a look at the entire system back to the point of origin, understand the different players and stakeholders, as well as the process.
2. As John Holmes indicates, security efforts taken by the port are really about "resiliency" as much as anything. At some point, the twin ports of Los Angeles and Long Beach are going to get hit by either an act of God (Earthquake? Storm?) or an act of man (Terrorism? Longshoreman's strike?) that will slow down or shut down their operations. The key to maintaining their, and the country's, economic viability, will be how fast they can rebound from this kind of low probability/high impact disruption.
   

But who owns the supply chain? Governments? Not really. U.S. Customs and Border Protection is responsible for facilitating trade and ensuring that contraband cargo doesn't enter the U.S. Importers? Sort of. Supply chains operate at their behest, but goods are moved by entities that importers sometimes have limited visibility into. The bottom line is that the only way to address this kind of vulnerability is through the cooperation of business and government -- a public private partnership to protect the interests of all stakeholders. More on that next time...