Global supply chains bring increased risks of disruption from events such as natural disasters. By understanding and planning for such risks, Cisco Systems has improved its supply chain resilience.

Many more companies now find themselves at increasing risk of supply chain disruption. A recent study by Aon Risk Solutions found that, on average, the percentage of global companies reporting a loss of income due to a supply chain disruption increased from 28% in 2011 to 42% in 2013.

At many companies, the resiliency of the supply chain has not kept pace with the continually rising level of logistical complexity. Most supply chain managers have yet to do much about this problem. A recent MIT Scale Network study found that even many large companies are unable to create contingency rules and procedures for operations during a complex, high-risk event. In fact, approximately 60% of the surveyed managers either do not actively work on supply chain risk management or do not consider their company’s risk management practices effective. These managers lack a framework to guide them in the deployment of their risk management practices. Many understand so little about their risks that they don’t even know what kind of framework would fit the particular supply chain dynamics they face.

The example of some companies that have more advanced risk management systems suggests that it doesn’t have to be this way. Cisco Systems Inc. is one of a handful of companies — others include Coca-Cola, Whirlpool and Procter & Gamble — that have tried to understand and measure the operational and financial vulnerabilities that could threaten the smooth operation of their supply chains. Supply chain managers at Cisco have learned to integrate supply chain design and supply chain risk management, balancing proactive mitigation capabilities with reactive capabilities in order to keep the company’s supply chain as resilient, efficient and profitable as possible. As John Chambers, chairman and CEO of Cisco Systems, commented, “In an increasingly networked world, supply chain risk management is top of mind in global organizations as well as a key differentiator for leading value-chain organizations.”

Reconfiguring the Supply Chain

Just nine years ago, Cisco coped with disasters the same way most companies do: with difficulty. When Hurricane Katrina hit the Gulf Coast of the United States in 2005, Cisco executives created a business continuity-planning dashboard to mitigate risks, but the dashboard only helped them to respond to the disaster as it occurred. The company could not maintain supply chain performance levels to cope with the sudden surge in orders for $1 billion of new equipment to replace telecommunications infrastructure damaged by the storm. Despite their best efforts, Cisco teams could not locate all of their products in their supply chain or understand the financial impact of these emergency sales.

Yet just six years later, when the Japanese earthquake and tsunami of 2011 struck, Cisco was prepared. Although that disaster represented one of the largest disruptions to global supply chains in modern history, with total economic losses of at least $217 billion, Cisco suffered almost no revenue loss from it. In just 12 hours, Cisco risk managers identified all of their suppliers in the region — from tier 1 suppliers to suppliers of raw materials — and assessed the impact of the disaster on more than 300 suppliers, listed more than 7,000 affected parts by number, assigned a risk rating to each part and charted a mitigation response. That same day, the Cisco risk managers selected which customer teams were best positioned to communicate with customers and fielded 118 inquiries. By the time March 11, 2011, drew to a close, Cisco had deployed a very solid supply chain resiliency program that addressed the impact of external vulnerabilities stemming directly from the tsunami as well as from the aftereffects it caused to the supply chain.

What had Cisco learned over the intervening six years that enabled the company to withstand a disruption that shook the supply chains of dozens of other world-class global companies? Based on what we have observed at Cisco and on the results of a global survey of 1,403 supply chain managers working in 69 countries, we think Cisco succeeded by executing a five-step process that it started shortly after Hurricane Katrina:

1. Identify strategic priorities.

Cisco executives first identified the competitive priorities for particular product categories and then tried to match those priorities with its supply chain capabilities. This required determining first whether cost or response time mattered more for a particular product line. Customers of Cisco’s optical services routers, for example, valued short lead times and quick responses to service calls, based on product customization and differentiation, more than low cost. Cisco engineers recognized that in this high-value product category, stockouts were expensive and service levels were quite important. They understood that this required a responsive supply chain — a network of specialized and flexible manufacturers capable of producing any of Cisco’s optical service routers at short notice. To improve the resilience of its optical router supply chain, Cisco converted its global “lean supply chain” to a system in which the products are mainly configured to order from partially assembled components.

The market for Cisco’s simple routers, on the other hand, tended to focus more on price. The demand for those products was more stable and did not require customization. More standardization meant that the supply chain could be designed to maximize cost efficiency, based on economies of scale, with products sourced from the low-cost factories. This suggested that, for simple routers, Cisco needed a tightly coupled system and a streamlined supply chain.

As with many global companies, Cisco’s success rests to a significant extent on a vast web of suppliers. The company’s competitive advantage depends in large part on its ability to match global opportunities to outsource production with global market opportunities — what the company calls the “Cisco Lean” model. But every complex system requires trade-offs, and Cisco’s supply chain for simple routers gained high efficiency at the price of greater vulnerability than a system not optimized for cost would have.

2. Map the vulnerabilities of your supply chain design.

Today’s supply chains are vulnerable on many fronts, including political upheavals, regulatory compliance mandates, increasing economic uncertainty, rapid changes in technology, higher customer expectations, capacity constraints, globalized market forces and natural disasters. Understanding where a company’s vulnerabilities lie is therefore important.

Cisco, in its optical services routers business, focused on supporting a responsive global supply chain characterized by product differentiation (supporting a high number of SKUs), high value and high margins. The high levels of customization required by Cisco’s customers called for the deployment of flexible capabilities at various points in the supply chain. These slack nodes, such as second sourcing options or alternative site locations, permit a more flexible response to satisfy demand — and a faster reaction to operational changes.

In contrast, the simple router supply chain is also global but is focused on cost efficiency. Less product variation permits higher velocity, but at the same time lowers elasticity within the supply chain. This kind of supply chain can be less adaptive to operational changes. When a disruptive event happens, problems might ripple widely and rapidly through the system. By being aware of these vulnerabilities, Cisco knew how to implement mitigation measures to make this kind of supply chain more resilient, too.

3. Integrate risk awareness into the product and the value chain.

Cisco next worked to integrate risk awareness into the design of its supply chain. The company learned to balance proactive risk management capabilities, such as building in extra supplier options, with more reactive measures that enabled the supply chain officers to correct problems as they emerged. Such proactive mitigation capabilities resulted in a process that anticipates emergencies by protecting important segments of the supply chain with built-in resiliency and levers to pull when a disruption happens. Cisco engineers do this by introducing:

• Product Resiliency by Design: Cisco’s product development teams and commodity management teams worked together to develop resiliency plans such as specifying alternate components in a bill of materials or creating buffer stocks of key components to mitigate risk. This allowed Cisco to design for resiliency upstream in the decision-making process. When an executive directs product designers to undertake collaborative, cross-functional actions to mitigate risk, management can more easily identify the risks inherent in overall operations and establish interoperable processes to mitigate those risks.

• Supply Chain Resiliency by Design: Supply chain engineers undertook proactive efforts in the design and execution of the supply chain in terms of equipment, processes, manufacturing sites and external services, with a primary purpose of reducing the length of time and the extent of post-disaster recovery necessary. The supply chain resiliency team worked closely with manufacturing operations, suppliers, logistics and transportation service providers and other stakeholders to identify nodes and supply chain processes that were outside risk qualification tolerances acceptable to Cisco. Working with these partners, the company developed resiliency plans for the extended supply chain too, as a routine part of the supply chain design process.

4. Monitor resiliency.

To achieve effective transparency and resiliency, objective and comparable metrics were required. Cisco created an index to assess time-to-recover for all capabilities, including a supplier, product or particular supply chain design. This index comprises multiple categories: component (30%), supplier (20%), manufacturing (30%) and test equipment (20%). These scores are reported semiannually to senior management by the general managers. This monitoring system helps ensure that product designers think about resiliency as a product attribute and that operations executives are cognizant of suppliers’ resiliency gaps and address them.

5. Watch for events.

Of course, not every event can be anticipated. Over time, Cisco learned to take proactive steps to help integrate risk management warning signs. They learned how to evaluate the nature, magnitude and impact of a disruptive episode and to calibrate their responses accordingly. This enabled them to deploy two kinds of reactive tools designed to respond to every kind of significantly disruptive event:

• Incident Management: This entails the 24/7 monitoring of worldwide events that may impact the company’s value chain. Anticipating the possibility of a tsunami, for example, Cisco developed robust, tried-and-tested crisis playbooks that allowed the deployment of cross-functional response teams, tailored to the disruption type and expected magnitude and aligned with local emergency operations centers. Thanks to these tools, Cisco supply chain managers knew about the tsunami within 40 minutes after the first waves struck — and within 57 minutes, the company’s board did, too.

• Business Continuity Management: Cisco engineers assessed critical value chain partners to (1) identify key supply chain nodes where a disruption would have a particularly high impact, (2) evaluate risks based on likelihood and impact, using simulations, (3) map critical components to the sites that supply them and (4) evaluate and audit business continuity planning procedures for supply chain nodes. This monitoring action, combined with event-scenario planning and simulation, helped Cisco determine what corrective actions should be implemented first.

To conduct this assessment, Cisco developed a platform to collect, update and utilize critical supply chain node information. This platform enabled the company to illuminate potential vulnerabilities. When disaster struck in the Pacific, Cisco was able to use that platform to assess instantly the status and scope of the disruption’s impact.

Learning to Bounce Back

In a majority of companies today, risk management and supply chain logistics are often still separate. But that may soon change. In the near future, we expect that more companies will move risk management from a relatively static practice based on probability toward a dynamic response better suited to the tightly integrated supply networks that characterize today’s world economy. For example, Procter & Gamble planners have realized that in order to reduce the potential effects of vulnerabilities from an external dynamic global environment that is difficult to control, they must deploy reactive mitigation tools. P&G has installed monitoring tools to map the nodes and flows in the organization’s global supply chain, in order to increase threat awareness and activate warning systems.

P&G and Cisco are not anomalies. Learning to combine supply chain management and risk management within not only your company but your entire value chain will increasingly be a key factor for corporate survival in the face of a major catastrophe — whether the catastrophe is a market crash, a storm or a tsunami. As Gary Lynch, managing director of the supply chain risk management practice at Marsh, Inc., commented with respect to the laws of risk management, “If you don’t manage and lead change, you are going to have to surrender to it.”