Costs Climb as Companies Move to Mitigate Supply Chain Interruptions

Some 70% of companies have experienced at least one supply chain interruption during the past year, with an unplanned IT or telecommunications outage the leading cause, according to the eighth edition of the Business Continuity Institute’s (BCI) Supply Chain Resiliency Report, produced in association with Zurich Insurance Group.

Covering 526 respondents in 64 countries, the report studies the causes, costs, and frequency of such events while also looking at companies’ progress in responding to supply chain interruptions and mitigating further occurrences.

While 70% of respondents reported at least one supply chain interruption during the past 12 months, only 17% said they have had no supply chain disruptions, with 13% saying they did not know. Perhaps more alarming is the increase to 13%—from 3% previously—of respondents reporting more than 20 such incidents.

Also alarming is the upward trajectory of costs associated with supply chain disruptions. The portion of respondents reporting cumulative losses of more than € 1 million ($1,058,171.30) resulting from supply chain interruptions jumped to 34% in this year’s survey from just 14% previously.

An unplanned IT or telecommunications outage was the leading cause of a supply chain disruption for the fifth consecutive year, followed by a loss of talent or skills, which jumped to second place from fifth, and then cyberattack or data breach, which dropped to third place from second. Despite this drop, the portion of respondents which said that cyberattacks and data breach had a ‘high impact’ on their supply chains increased from 14% to 17%.

Reaching the top 10 for the first time was terrorism, which moved to ninth from eleventh, while currency exchange rate volatility had the largest move up the list of event causes, jumping to seventh from 20th last year and cracking the top 10 for the first time since 2012. Insolvency in a company’s supply chain also reentered the top 10 for the first time since 2012, moving from 14th to 10th.

Lost productivity (68%), increased cost of working (53%), and customer complaints received (40%) were listed as the top three consequences of a supply chain interruption by respondents. The perception of such incidents can also hurt a company, with damage to brand reputation/image (38%), shareholder/stakeholder concern (30%), and share price fall (7%) all named by respondents as consequences of a supply chain disruption.

“It is crucial to note that the percentage of organizations reporting reputational damage as a result of supply chain disruption is at its highest level since the survey began. As this coincides with greater media scrutiny and social media discussions related to organizations, this result might be a good opportunity to reflect on reputation management and how supply chain disruptions might translate into adverse publicity for a given organization,” said the report.

As threats and costs grow, there appears to have been at least some progress in more closely addressing the issue.

While the percentage of respondents without firm-wide reporting of supply-chain incidents remains high at 66%, the portion of those using firm-wide reporting has grown steadily across the past five reports, rising from just 25% of respondents in 2012 to 34% in the 2016 report, the latest. Similarly, the portion of respondents which employ no reporting has declined steadily from 39% in 2012 to 28% in 2016.

As reporting is on the rise, so too is the complexity of interruption incidents as external supply chains cause more incidents. The portion of respondents which said the majority of their interruptions came from external supply chains jumped to 24% from 9% previously, and the portion attributing at least a quarter of interruptions to external suppliers more than doubled to 34% from just 15% previously.

Even with reporting on the increase, however, insurance uptake appears to be declining. Just 4% of respondents said they were fully insured against supply chain losses, down from 10% previously, with small and medium-sized enterprises more likely to be uninsured, at just 39%, than large organizations at 62%.

“These variations in insurance uptake may indicate a need to revisit business continuity arrangements and risk transfer strategies pertaining to supply chain disruptions,” according to the report.

Supply Chain Disruption Hits 76% of Businesses a Year

Almost a quarter of businesses reported annual cumulative losses of at least $1.05 million (CAD $1.4 million) due to supply chain disruptions, and 76% of businesses reported at least one instance of supply chain disruption annually, according to a survey conducted by the Business Continuity Institute and Zurich. The top causes of supply chain failure among businesses surveyed were ones that will likely get even more frequent in the coming years: unplanned IT outages, cyberattacks, and adverse weather.

As the supply chain continues to grow ever longer, adding more potentially disruptive risks along the way, businesses are learning some painful lessons about the financial and reputational damages that can result from failures to ensure supply chain resilience.

Check out the infographic below for some Zurich’s top insights on supply chain visibility, including the biggest sources of damage and key steps to mitigate losses:

zurich supply chains infographic

Study Lists Most and Least Resilient Countries

Businesses are more dependent on their supply chains than ever, with supply chain disruption one of the leading causes of business instability. To thrive, companies need to be resilient, and part of that is their location and the location of suppliers. According to FM Global’s 2015 FM Global Resilience Index, Norway tops the list of resilient countries, with Switzerland in second place.

The study’s purpose is to help companies evaluate and manage their supply chain risk by ranking 130 countries and regions in terms of their business resilience to supply chain disruption. Data is based on: economic strength, risk quality (mostly related to natural hazard exposure and risk management) and supply chain factors (including corruption, infrastructure and local supplier quality).

According to the study:

1. Norway retains its top position in the index from last year, with strong results for economic productivity, control of corruption, political risk and resilience to an oil shock. The country’s management of fire risk offers opportunity to improve still further.

2. Despite its massive oil reserves, Venezuela ranks 130, placing it at the bottom of the index, and reflecting the many challenges South America faces, ranging from economic and political to geological, with its west coast on the Pacific ‘Ring of Fire’.

3. Taiwan has jumped the most in the index – 52 places in the annual ranking to 37; more than any other country. Its rise is due mainly to a substantial improvement in the country’s commitment to risk management, as it relates both to natural hazard risk and fire risk. Given the country’s location at the western edge of the Philippine Sea plate, this is a welcome development.

4. Ukraine, ranked 107, and Kazakhstan, ranked 102, dropped more places this year than any other country; a fall of 31 places each. Unsurprisingly, for Ukraine, the worsening political risk, combined with poorer infrastructure, was to blame. The fall for Kazakhstan this year reflects a poorer commitment to natural hazard risk management in the region.

5. In the European Union (EU), Greece fell from position 54 to 65. The recent victory of the anti-austerity Syriza party almost certainly will usher in a period of greater friction and turbulence with its EU partners.

6. France, ranked 19, trails Germany at 6, the leading EU nation. France has slid down the index in recent years reflecting a rising risk of terrorism – evidenced tragically in Paris – and deteriorating perceptions of both infrastructure and local suppliers. Also exposed to terrorism risk is the United Kingdom, which nevertheless held steady at 20 for the third year running, aided by its relative resistance to oil shocks.

New to the top 10 this year are Qatar, ranked 7, and Finland, ranked 9. Qatar benefits from its macroeconomic stability, efficient goods and labor markets and high degree of security. The country owes its rise of 8 places to a considerable improvement in commitment to fire risk management in the region. Finland’s strengths derive from its innovative capabilities, a product of high public and private investment in research and development, strong links between academia and private sector companies, and an excellent record in education and training, according to the study.

In 10th place is U.S. Region 3, the central region of the United States. While this part of the country is subject to a variety of natural hazards, there is less exposure than states on the east or west coasts of the country. Belgium, ranked 11, and Australia, ranked 14, dropped out of the top 10–barely–and both countries retain high positions in the 2015 index.

 

 

Risk Management and Business Continuity: Improving Business Resiliency

Preparing for and responding to negative events, from the mundane to the catastrophic, from the predictable to the unforeseen, has become a fact of life for businesses and governments around the world. We don’t have to look any further than the seemingly daily reports of cyberattacks on governments, corporations and individuals to comprehend the severity of the problem.

Tackling these risks requires an integrated and holistic framework with the capability to identify, evaluate and adequately define responses to the circumstances. For more and more organizations, this means adapting an enterprise risk management (ERM) model. ERM seeks to identify all threats—including financial, strategic, personnel, market, technology, legal, compliance, geopolitical and environmental—that would adversely affect an organization. This holistic approach gives organizations a better framework for mitigating risk while advancing their goals and opportunities in the face of business threats. But in order to implement and continuously manage this enterprise-wide model there is a critical need for closer integration of two typically distinct roles within the organization—business continuity management (BCM) and risk management. Together, these two vital elements make up a robust ERM plan and have a tremendous impact on an organization’s ability to contend with interruptions to the execution of organizational activities.

Put in the simplest terms, risk management is concerned with minimizing the probability of and destruction caused by negative events. Operational risk management, as the name implies, must cope with interruptions at the operational level. Recognizing that there are inherent imperfections in systems, people, facilities and general operational functions, the essence of operational risk management is to negate or reduce the probability of an incident occurring. Focusing upon incident-specific, site-specific analysis of potential causes of interruptions, risk managers seek to preclude incidents from occurring. If elimination of the risk is not possible, the focus moves to minimizing the results of the negative event.

For example, suppression systems reduce the risk of operational disruption caused by fire damage. Redundant equipment decreases the possibility of operational interruption resulting from machine breakdown and redundant communications help maintain connectivity. By analyzing past events and examining known hazards (defined flood plains, hurricane-prone areas, construction sites, earthquake areas and terrorism-prone areas) operational risk management seeks to avoid the occurrence of negative destructive events.

But creating strategies to minimize the probability that an event will impact an organization certainly will not prevent the incident from taking place. No degree of preparation can stop a tornado, tsunami or other massively destructive event. So understanding that every incident is not preventable, our other line of defense is to minimize the impact. That’s where BCM comes in. BCM is concerned with minimizing the impact upon the entity after an event occurs and restoring the organization to its normal operations and delivery of products and services as quickly and safely as possible. In short, BCM helps maintain the viability of an entity under duress.

Because it is event-neutral, BCM is able to categorize effects into four distinct categories:

  • Effects on facilities, making them inaccessible or unusable
  • Effects on operational capability, such as supply chain interruptions, processing errors or staff unavailability
  • Effects on technology
  • Effects on the organization itself, ranging from financial problems to intellectual property rights.

When an event inevitably does occur, the optimal goal is to make any business interruptions imperceptible to those outside the affected organization. Here’s an example of how risk management and business continuity management, working together, enabled an organization to achieve that goal:

One of the world’s most important foreign exchange dealers realized that, as an occupant of a high rise building, it could not control the consequences of all incidents that might impact its ability to service its customers, which were some of the largest financial institutions in the world. A review by the company’s risk manager determined that there was a likelihood of an interruption in service as a result of construction work in the surrounding area. To reduce the risk, it was recommended that they install redundant lines and route them through alternative conduits into the building. So they undertook building redundancy in their telecom network. In addition, the risk of server failure was similarly high and so mirroring was implemented to duplicate all transactions and ensure that no data would be lost in the event of a failure of the building’s infrastructure.

Despite all the precautions to reduce risk, what risk management couldn’t control was an East Coast blackout that terminated power to its operation. Recognizing the impact that a loss of power could have, including the loss of use of the facility, the business continuity professional determined that a robust contingency plan was required.

The business continuity plan included a strategy that automatically forwarded incoming calls to another facility outside the U.S. and also provided connectivity to its back-up technology center. When the blackout hit, the business continuity plan worked exactly as tested. Phones were switched, systems were accessible and, best of all, customers never knew the difference. The company was actually more prepared than many of its customers who failed to provide similar capabilities and had to cease trading.

The combination of risk management and business continuity provides the level of resiliency that most organizations must achieve in light of the uncertainty that exists today. The blend will reduce uncertainty and promote a more stable operating environment.