From Risk to Resilience: Learning to Deal With Disruption
To prosper in the face of turbulent change, organizations need to improve how they deal with unexpected disruptions to complex supply chains. Companies can cultivate such resilience by understanding their vulnerabilities — and developing specific capabilities to compensate for those vulnerabilities.
In an interconnected, volatile, global economy, supply chains have become increasingly vulnerable. Disruptions — even minor shipment delays — can cause significant financial losses for companies and substantially impact shareholder value. Globalization has made anticipating disruptions and managing them when they do occur more challenging. The potential risks of disruptions are often hidden, and the potential impacts may not be understood. This often results in “black swan” events that can be understood only after the fact. As author Nassim N. Taleb has warned, “Our world is dominated by the extreme, the unknown, and the very improbable … while we spend our time engaged in small talk, focusing on the known and the repeated.”1
Although companies originally moved production offshore to countries such as India and China to take advantage of lower labor costs, events like Iceland’s 2010 volcanic eruption and the Japanese tsunami in 2011 have shown that the vulnerabilities of extended supply chains are real and serious. For example, according to the U.S. Federal Reserve, 41% of Minnesota manufacturers said that Japan’s tsunami had affected them negatively.2 As a result, many manufacturers have reevaluated their sourcing options, and some are shifting operations back to their home markets. While these companies perceive other advantages to reshoring, including improved responsiveness and domestic job creation, reducing their exposure to risk has been an important driver.
The reality is that supply chain practices designed to keep costs low in a stable business environment can increase risk levels during disruptions. Just-in-time and lean production methods, whereby managers work closely with a small number of suppliers to keep inventories low, can make companies more vulnerable due to the lack of buffer capacity. For example, many companies that followed the lean inventory model were severely impacted by Japan’s tsunami: Within a week, General Motors Corp. temporarily shut down its Chevrolet Colorado and GMC Canyon plant in Shreveport, Louisiana, because it lacked components supplied from Japan.3
Supply chain practices designed to keep costs low in a stable business environment can increase risk levels during disruptions. Just-in-time and lean production methods, whereby managers work closely with a small number of suppliers to keep inventories low, can make companies more vulnerable.
While companies tend to focus on the supply side of their operations when scanning for potential risk factors, they also need to pay attention to the customer side. Increasing demand volatility is an important factor that can affect a company’s operations and ultimately its revenue. For example, in March 2013 Cardinal Health Inc., a distributor of pharmaceuticals and medical products based in Dublin, Ohio, announced that its contract with the drugstore chain Walgreens would not be renewed. Walgreen Co., based in Deerfield, Illinois, had been one of Cardinal Health’s largest customers, accounting for more than 20% of revenue for 2012. The news caused Cardinal Health’s share price to plummet by 8.2%.4 However, the company was able to recover quickly and continue its growth thanks to deliberate efforts to expand and diversify its customer base.
Coping With Supply Chain Risks
Traditional methods for coping with supply chain risks are based on the notion of stability as the “normal” state of affairs: Events such as explosions or floods are seen as unwanted deviations from the norm. In recent decades, most large private enterprises adopted systematic approaches to managing their risks, notably through insurance and active mitigation of supply chain risks. The importance of risk management was elevated by a number of high-profile disasters, including the deadly release of poisonous gas from a Union Carbide plant in Bhopal, India, in 1984, which resulted in thousands of deaths. Further motivation came from standards set by nongovernmental organizations such as the International Organization for Standardization and from government legislation, including the U.S. Securities and Exchange Commission’s requirements for disclosure of “material” business risks and the German “Law for Control and Transparency in Business Entities.”5
A more integrated approach to risk management, called “enterprise risk management (ERM),” became popular in the mid-1990s and has been widely adopted by large corporations.6 It gives company executives a detailed and comprehensive view of the risks associated with different business activities, enabling managers to make more informed decisions about how to manage risk portfolios. Another risk management process, known as business continuity management (BCM), incorporates elements from disaster recovery planning and crisis management, including how to respond to disruptions and maintain backup capacity for operational systems.7
While processes such as ERM and BCM can help companies avoid supply chain disruptions and recover normal operations quickly, they also have serious limitations. To begin with, they rely too heavily on risk identification. In a complex and turbulent global supply network, many of the risks that a company faces are unpredictable or unknowable before the fact. These “emergent” risks are often triggered by improbable events whose causes are not understood, and their potential cascading effects are difficult to understand a priori. Clearly, it would be impractical for companies to identify and investigate all the potential risks that may be hidden in their global supply chains.
Second, ERM and BCM depend on statistical information that may not exist. Risk assessments are limited by the quality and credibility of the assumptions upon which they are based, and faulty assumptions or data can lead to misallocation of resources. Of particular challenge are low-probability, high-consequence events for which there is little empirical knowledge; managers may underestimate the probabilities of these events or the magnitudes of their consequences because they have never experienced them.8
Third, the traditional ERM process of risk identification, assessment, mitigation and monitoring is based on a simplified, “reductionist” view of the world. Each risk is identified and addressed independently, and hidden interactions are seldom recognized. This procedural approach can lull organizations into a false sense of complacency that could be shattered by an unexpected event (for instance, an oil spill in the Gulf of Mexico). The complex, dynamic nature of global supply chains requires constant vigilance to discern systemic vulnerabilities, as well as exceptional agility and flexibility when disruptions occur.
Finally, traditional risk management is predicated on the goal of returning to a stable operating condition; risks represent potential deviations from this “normal” state. However, a more realistic view is to recognize that every disruption represents a learning opportunity that may suggest shifting to a different state of operations. For example, a company that anticipates increased flooding in Southeast Asia might migrate its supply base elsewhere. Identifying latent opportunities in the risk landscape will enable a company to exploit those opportunities faster than its competitors.
The Need to Cultivate Resilience
We believe that organizations need to improve how they deal with supply chain complexity and unexpected disruptions so that they can prosper in the face of turbulent change. Organizations tend to become less resilient as they grow more complex. However, they can cultivate resilience by understanding their supply chain vulnerabilities and developing specific capabilities to cope with disruptions. They can try to emulate some of the behaviors seen in natural systems — tolerance for variability, continuous adaptation and exploitation of opportunities created by disruptive forces. Resilient systems don’t fail in the face of disturbances; rather, they adapt. Depending on the type of disturbance, the adaptation can be rapid or gradual.
A decade ago, authors Gary Hamel and Liisa Välikangas described the quest for resilience as seeking “zero trauma.”9 Few corporate managers believe that zero trauma is a realistic goal today, but some now recognize that resilience can be an important success factor that complements their traditional risk management processes. We define resilience as “the capacity of an enterprise to survive, adapt and grow in the face of turbulent change.”10 In practical terms, resilience means improving the adaptability of global supply chains, collaborating with stakeholders and leveraging information technology to assure continuity, even in the face of catastrophic disruptions. Resilience goes beyond mitigating risk; it enables a business to gain competitive advantage by learning how to deal with disruptions more effectively than its competitors11 and possibly shifting to a new equilibrium.
A classic example of supply chain resilience occurred in 2000 when one of Finland-based Nokia’s key cellphone part suppliers suffered a major fire. By identifying the crisis quickly, Nokia was able to secure alternative supplies and modify the product design to broaden its sourcing options. By contrast, Swedish multinational Ericsson, which was reliant on the same supplier, lost about $400 million in sales due to its slowness in crisis response and eventually exited the cellphone business.12 (However, Nokia subsequently made serious missteps in its efforts to compete in the smartphone market and ultimately sold its devices business to Microsoft Corp.)
Supply Chain Vulnerabilities and Capabilities
Our SCRAM (supply chain resilience assessment and management) framework enables a business to identify and prioritize the supply chain vulnerabilities it faces as well as the capabilities it should strengthen to offset those vulnerabilities.
Over the past seven years, we have worked with a number of companies, including fashion retailer L Brands Inc. (formerly known as Limited Brands), Dow Chemical, Johnson & Johnson and Unilever to develop a comprehensive framework for assessing supply chain vulnerabilities and addressing them through enhanced resilience capabilities. (See “Supply Chain Vulnerabilities and Capabilities.”) To develop our taxonomies of vulnerabilities and capabilities, we studied existing literature and also conducted interviews and focus groups with managers and employees at Limited Brands and other companies that had experienced supply chain disruptions.13 Subsequently, we identified linkages between specific vulnerabilities and capabilities, enabling us to suggest proactive strategies for improvement, and we developed an assessment tool for business use.14 The resulting framework, which we call supply chain resilience assessment and management (SCRAM), is based on an explicit characterization and prioritization of an organization’s vulnerabilities and capabilities. (See “About the Research.”)
Identifying Resilience Factors and Linkages
Based on our research, we identified six major types of supply chain vulnerabilities, which we define as “fundamental factors that make an enterprise susceptible to disruptions.” A frequently cited factor was turbulence. In the context of our framework, turbulence is defined as changes in the business environment that are beyond a company’s control, including shifts in customer demand, geopolitical disruptions, natural disasters and pandemics. Another category of vulnerability is deliberate threats, such as theft, sabotage, terrorism and disputes with labor or other groups. Additional vulnerabilities came from external pressures that create constraints or barriers (such as innovations, regulatory shifts and shifts in cultural attitudes); resource limits that have the potential to constrain a company’s capacity (such as availability of raw materials or skilled workers); the sensitivity and complexity of the production process; and the degree of connectivity in the company’s supply chain, which implies a need for coordination with outside partners. Finally, supply chains are vulnerable to disruptions that could affect their multiple tiers of customers and suppliers. (See “Supply Chain Vulnerability Factors.”)
Supply Chain Vulnerability Factors
Our framework includes six major vulnerability factors, each broken into subfactors. Vulnerabilities are typically inherent to the business and difficult to avoid.
In addition to helping us formulate the list of vulnerabilities, focus groups also helped us define a list of capabilities that companies can call upon to respond to their particular vulnerability patterns. In all, we identified 16 relevant capabilities, which we define as “factors that enable an enterprise to anticipate and overcome disruptions.” These are: (1) flexibility in sourcing, (2) flexibility in manufacturing, (3) flexibility in order fulfillment, (4) production capacity, (5) efficiency, (6) visibility, (7) adaptability, (8) anticipation, (9) recovery, (10) dispersion, (11) collaboration, (12) organization, (13) market position, (14) security, (15) financial strength and (16) product stewardship. (See “Supply Chain Capability Factors,” for explanations of these 16 capabilities.) Using the lists of vulnerabilities and capabilities as a template, we tested them at eight companies to understand their interrelationships, with the goal of creating a managerial tool for improving performance. We identified 311 separate “linkages” whereby specific capabilities can counteract specific vulnerabilities.
Supply Chain Capability Factors
The framework includes 16 capability factors, each of which is broken into subfactors. Companies can strengthen appropriate supply chain capabilities to offset the vulnerabilities they have.
Our resulting SCRAM framework provides a general methodology for companies to identify their most important supply chain vulnerabilities and to set priorities for capabilities that need to be strengthened. For example, a company that faces unpredictable market demand could strengthen a number of capabilities: flexibility in manufacturing to satisfy surges in demand; accurate, up-to-date visibility of demand status to support timely decision making; early anticipation and recognition of market changes to enable strategic responses; and close collaboration with customers and suppliers to ensure coordinated action. Similarly, a company concerned with dependence on a complex supply network could work on flexibility in sourcing by identifying alternative sources, flexibility in manufacturing by reducing lead times, and anticipation by recognizing early warning signals of possible disruptions. Based on the results of their SCRAM analysis, managers can develop a portfolio of capabilities to address important resilience gaps and strengthen overall competitiveness.15
Putting the SCRAM Framework to Work
Although similar organizations are likely to share some similar features, different companies — and even business units within companies — will have their own distinct profile of vulnerabilities and capabilities. An organization with high vulnerabilities that does not have adequate capabilities will be overexposed to risks; in response, it should invest resources in improving the particular capabilities in question. Conversely, an organization that faces low vulnerabilities but invests heavily in capabilities may be eroding its profits unnecessarily. (See “Finding the Zone of Balanced Resilience.”) Clearly, there is no “one-size-fits-all” approach. Organizations need to pursue a balanced resilience strategy by developing the right portfolio of capabilities to fit the pattern of vulnerabilities that they face.
Finding the Zone of Balanced Resilience
As vulnerabilities increase, companies may be exposed to undue risks and need to improve their corresponding capabilities. However, overinvestment in capabilities can erode profits, so companies need to find the zone of balanced resilience where their portfolio of capabilities is matched to their pattern of vulnerabilities.
One company that has incorporated the SCRAM framework into its way of doing business is the Dow Chemical Co. Since 2010, Dow has implemented this framework at more than 20 of its global business units, achieving significant business benefits. For example, after applying the SCRAM process to its P-Series family of glycol ether products, Dow identified several disruption scenarios, including a production site shutdown, a raw material supply outage and an internal raw material allocation shortage. The company developed a simulation model to test the consequences of these scenarios and was able to confirm a 95% service level with its existing capabilities. Moreover, the analysis revealed opportunities for reduction of fixed assets and working capital, resulting in $1.1 million in annual savings.16 Another Dow business used SCRAM to improve its resilience to raw material supply shortages and identified more than $1.5 million in preventable losses.
The SCRAM approach represents a systems view of supply chain dynamics, helping companies to understand the inherent vulnerabilities that could lead to disruptions and the capabilities that are within their control. By learning from experience and developing a better understanding of their vulnerabilities and capabilities, companies can reduce the frequency of disruptions and the severity of their impacts, resulting in increased customer satisfaction and reduced supply chain operating costs. While reducing inherent vulnerabilities may be difficult, there are many options for improving capabilities. The cost of the improvements must be balanced against the expected supply chain performance benefits.
Early adopters of resilience thinking have already demonstrated how they can augment traditional risk management practices with new capabilities that help them to anticipate, prepare for, adapt to and recover from disruptions. In some cases, they are able to treat disasters as opportunities for gaining competitive advantage. For example, before the 2010 eruption of the Eyjafjallajökull volcano in Iceland grounded millions of air cargo shipments, DHL, the international shipping company, had an emergency plan in place. It was thus able to rapidly redirect 100 flights from its hub in Leipzig, Germany, to destinations in southern Europe that were less affected, and also to shift many deliveries to ground vehicles. Ultimately, DHL was able to avoid significant financial impact while strengthening customer loyalty.17
Early adopters of resilience thinking have already demonstrated how they can augment traditional risk management practices with new capabilities that help them to anticipate, prepare for, adapt to and recover from disruptions.
Building resilience is not a substitute for other methods of ERM. Rather, it is an ongoing process that enables companies to embrace change in a turbulent and complex business environment by expanding their portfolio of capabilities. The field of supply chain resilience is still young, and there is a great need for additional research, both to understand the resilience of complex industrial systems and to develop innovative methods and technologies for improving enterprise resilience.18 This research will benefit from drawing upon multiple disciplines, from ecology to social sciences to systems engineering. From a management perspective, executives need to understand the cost-benefit trade-offs associated with building capabilities in order to judge the return on their resilience investment; this will require additional empirical research. Finally, there is a need to expand resilience thinking into other aspects of enterprise management, such as organizational resilience and behavior change. Establishing a culture of resilience will help companies to thrive in an age of turbulence.
1. N.N. Taleb, “The Black Swan: The Impact of the Highly Improbable,” 2nd ed. (New York: Random House Trade Paperbacks, 2010).
2. U.S. Federal Reserve Board, “The Beige Book” (April 13, 2011), www.federalreserve.gov/monetarypolicy/beigebook.
3. S. Ray and T. Black, “The Downside of Just-in-Time Inventory,” Mar. 24, 2011, www.businessweek.com.
4. C. Burritt, “Walgreen Drops Cardinal Health for AmerisourceBergen Deal,” Mar. 19, 2013, www.bloomberg.com.
5. G. Dickinson, “Enterprise Risk Management: Its Origins and Conceptual Foundation,” The Geneva Papers on Risk and Insurance 26, no. 3 (July 2001): 360-366.
6. Committee of Sponsoring Organizations of the Treadway Commission, “Enterprise Risk Management — Integrated Framework” (September 2004).
7. B. Herbane, D. Elliott and E. Swartz, “Contingency and Continua: Achieving Excellence Through Business Continuity Planning,” Business Horizons 40, no. 6 (November-December 1997): 19-25; and B. Herbane, D. Elliott and E.M. Swartz, “Business Continuity Management: Time for a Strategic Role?,” Long Range Planning 37, no. 5 (October 2004): 435-457.
8. H. Kunreuther, “Risk and Reaction: Dealing with Interdependencies,” Harvard International Review 28, no. 3 (fall 2006): 37-42.
9. G. Hamel and Liisa Välikangas, “The Quest for Resilience,” Harvard Business Review 81, no. 9 (September 2003): 52-63.
10. J. Fiksel, “Sustainability and Resilience: Toward a Systems Approach,” Sustainability: Science, Practice, & Policy 2, no. 2 (fall 2006): 14-21.
11. Y. Sheffi and J.B. Rice, “A Supply Chain View of the Resilient Enterprise,” MIT Sloan Management Review 47, no. 1 (fall 2005): 41-48.
12. H. Peck, “Resilience — Surviving the Unthinkable,” Logistics Manager, Mar. 01, 2004, 16-18.
13. T.J. Pettit, J. Fiksel and K.L. Croxton, “Ensuring Supply Chain Resilience: Development of a Conceptual Framework,” Journal of Business Logistics 31, no. 1 (spring 2010): 1-22.
14. T.J. Pettit, K.L. Croxton and J. Fiksel, “Ensuring Supply Chain Resilience: Development and Implementation of an Assessment Tool,” Journal of Business Logistics, 34, no. 1 (March 2013): 46-76.
15. Additional information about SCRAM tools can be obtained from the Center for Resilience at the Ohio State University. See http://resilience.osu.edu.
16. J. McIntyre and S. Hemmelgarn, “How One Business Made Its Supply Chain More Resilient” (presented at the Annual Global Conference of the Council of Supply Chain Management Professionals for the 2011 Supply Chain Innovation Award, Philadelphia, Pennsylvania, Oct. 4, 2011).
17. “A High-Performance Network Even During a Crisis,” Deutsche Post DHL press release, Nov. 05, 2010, www.dpdhl.com.
18. J. Fiksel, “Designing Resilient, Sustainable Systems,” Environmental Science & Technology 37, no. 23 (December 1, 2003): 5330-5339.