1. Page 1 Recording of this session via any media type is strictly prohibited. Page 1 Assessing Vulnerability of a Supply Chain: A Strategic Risk Approach

2. Page 2 Recording of this session via any media type is strictly prohibited. Randy Jouben, Director Risk Management, FIVE GUYS Enterprises, LLC Randy is responsible for leading the mission of protecting the tangible and intangible assets of Five Guys in the areas of risk management, safety, security, business continuity and compliance.

3. Page 3 Recording of this session via any media type is strictly prohibited. What to Expect To provide you with an understanding of the risk and vulnerabilities of a supply chain. Understand options available to asses risk in the supply chain Describe different ways you can integrate supply change management into the Strategic Risk management process

4. Page 4 Recording of this session via any media type is strictly prohibited. Uncertainty Increases Business Risk “Business managers regularly extrapolate from the past to the future but often fail to recognize when conditions are beginning to change from poor to better or from better to worse. They tend to identify turning points only after the fact. If they were better at sensing imminent changes, the abrupt shifts in profitability that happen so often would never occur. The prevalence of surprise in the world of business is evidence that uncertainty is more likely to prevail than mathematical probability.” “The evidence...reveals repeated patterns of irrationality, inconsistency and incompetence in the ways human beings arrive at decisions and choices when faced with uncertainty.” Peter L. Bernstein, “Against the Gods – The Remarkable Story of Risk”

5. Page 5 Recording of this session via any media type is strictly prohibited. Some Working Definitions Risk Risk Management Strategic Risk Management Supply chain vulnerability Robust Supply Change Management Supply Chain Risk Management Resilience 5

6. Page 6 Recording of this session via any media type is strictly prohibited. Risk In decision theory: a measure of the range of possible outcomes from a single totally rational decision and their values, in terms of upside gains and downside losses (e.g. gambling) 6

7. Page 7 Recording of this session via any media type is strictly prohibited. Risk A particular type of hazard or threat e.g. technological risk or political risk The downside only consequences of a rational decision in terms of the resulting financial losses or number of casualties Risk = probability of occurrence x consequences 7

8. Page 8 Recording of this session via any media type is strictly prohibited. Risk Management “Risk management is the process of measuring or assessing risk and then developing strategies to manage the risk. These strategies can involve the transference of risk to another party, risk avoidance or mitigation, and channel risk sharing.

9. Page 9 Recording of this session via any media type is strictly prohibited. Strategic Risk Management “Strategic Risk Management (SRM) is a business discipline that drives deliberation and action regarding uncertainties and untapped opportunities that affect an organization's strategy and strategy execution.”

10. Page 10 Recording of this session via any media type is strictly prohibited. Supply Chain Vulnerability We should strive to identify vulnerabilities by asking questions such as: o What has disrupted operations in the past? o What known weaknesses do we have? o What ‘near misses’ have we experienced? o What would be the effect of a shortage of a key material? o What would be the effect of the loss of our distribution site? o What would be the effect of the loss of a key supplier or customer? 10

11. Page 11 Recording of this session via any media type is strictly prohibited. Vulnerability vs. Risk Analysis A vulnerability analysis is not equivalent to a risk analysis. Risk Analysis focuses on human resources, on environmental and property impacts of an accidental event, A vulnerability analysis is focused on the system survival.

12. Page 12 Recording of this session via any media type is strictly prohibited. Vulnerability vs. Risk Analysis A vulnerability analysis is not equivalent to a risk analysis. The vulnerability analysis has a wider range with respect to the risk analysis. Particularly the first concerns the way to weaken the detected threats and restart the system after an accidental event.

13. Page 13 Recording of this session via any media type is strictly prohibited. Supply Chain Risk Management Supply Chain Risk Management (SCRM) is a discipline of Risk Management which attempts to identify potential disruptions to continued manufacturing production and thereby commercial financial exposure Focuses on the interdependences of the actors belonging to the same supply chain: sudden crisis, impacting one or more nodes inevitably creates disturbance which may destabilize the system as a whole

14. Page 14 Recording of this session via any media type is strictly prohibited. Robust SCRM “Strong in constitution, hardy, or vigorous” Enable a firm to manage regular fluctuations in demand efficiently under normal circumstances regardless of occurrence of a major disruption But does not in itself make a resilient supply chain 14

15. Page 15 Recording of this session via any media type is strictly prohibited. Robust SCRM A robust process can be defined as “a process able to deal with reasonable variability” A resilient supply chain can be defined as “a supply chain with the ability to recover quickly from unexpected events impacting supply chain performance” 15

16. Page 16 Recording of this session via any media type is strictly prohibited. Robust SCRM A robust process can deal with reasonable variability in input whilst maintaining good control over output variability. It has some resilience but is it capable of recovery from an event that causes exceptionally high levels of variability in input or output requirement? 16

17. Page 17 Recording of this session via any media type is strictly prohibited. Resilience “The ability of a system to return to its original [or desired] state after being disturbed” The core concept of resilience is: It encourages a whole system perspective It explicitly accepts that disturbances happen It implies adaptability to changing circumstances 17

18. Page 18 Recording of this session via any media type is strictly prohibited. Supply Chain Dynamics Throughout the 1990s, many firms strived to improve their financial performance by implementing various supply chain initiatives. These initiatives were intended to increase revenue, reduce cost (e.g., supply base reduction, online sourcing including e-markets and online auctions, offshore manufacturing, Just-in-Time inventory systems, vendor-managed inventory), and reduce assets (e.g., outsourced manufacturing, Information Technology, and logistics).

19. Page 19 Recording of this session via any media type is strictly prohibited. Supply Chain Dynamics These initiatives can be effective in a stable environment; however, as the number of supply chain partners increases, these global supply chains become “longer” and “more complex.” Long and complex global supply chains are usually slow to respond to changes, and hence, they are more vulnerable to business disruptions.

20. Page 20 Recording of this session via any media type is strictly prohibited. The Challenge Of Global Logistics PRODUCT LINE DIVERSITY MARKET CONCENTRATION

21. Page 21 Recording of this session via any media type is strictly prohibited. Global business : Singer Sewing Machines Body shells from USA Motors from Brazil Drive Shafts from Italy Assembled in Taiwan Sold around the world Page 21

22. Page 22 Recording of this session via any media type is strictly prohibited. How many countries does it take to make a coat

23. Page 23 Recording of this session via any media type is strictly prohibited. Categories of Supply Supply chains comprise nodes and links Nodes – organisational risk Links – network risk Page 23

24. Page 24 Recording of this session via any media type is strictly prohibited. Understanding the total costs of ownership Not just the purchase price, but ….. o Increased transport costs o Increased inventory financing costs o Increased uncertainty of supply o Longer lead-times o Less visibility and increased likelihood of “bullwhip” effect o Loss of control in quality o Longer development cycles for new products o Increased exposure to security risks Page 24

25. Page 25 Recording of this session via any media type is strictly prohibited. Changing Times & An Uncertain World In a complex inter-organizational supply chain it would be difficult if not impossible for anyone to identify every possible hazard or point of vulnerability. 25

26. Page 26 Recording of this session via any media type is strictly prohibited. Why Are Today’s Supply Chains So Vulnerable? Widespread adoption of ‘lean’ practices The move to off-shore manufacturing and sourcing Out-sourcing and reduction in the supplier base Global consolidation of suppliers Centralised production and distribution All of which combine to make supply chains vulnerable to disruption Page 26

27. Page 27 Recording of this session via any media type is strictly prohibited. Supply Chain Risk Perspectives

28. Page 28 Recording of this session via any media type is strictly prohibited. The Sources of Risk in Supply Chain Supply risk Demand risk Process risk Control risk Environmental risk Page 28

29. Page 29 Recording of this session via any media type is strictly prohibited. Location Of Risk In The Supply Chain Page 29 SUPPLY RISK PROCESS RISK DEMAND RISK NETWORK/ CONTROL RISK Environmental Risk

30. Page 30 Recording of this session via any media type is strictly prohibited. The Sources Of Supply Chain Risk Page 30 Loss of major accounts Volatility of demand Concentration of customer base Short life cycles Innovative competitors Dependency on key suppliers Consolidation in supply markets Quality and management issues arising from off-shore sourcing Potential disruption at 2 nd tier level Length and variability of replenishment lead-times Supply Risk Demand Risk Manufacturing yield variability Lengthy set-up times and inflexible processes Equipment reliability Limited capacity/bottlenecks Outsourcing key business processes Process Risk Asymmetric power relationships Poor visibility along the pipeline Inappropriate rules that distort demand Lack of collaborative planning and forecasts Bullwhip effects due to multiple echelons Network/Control Risk Natural disasters Terrorism and war Regulatory changes Tax, duties and quotas Strikes Environment Risk

31. Page 31 Recording of this session via any media type is strictly prohibited. Supply Chain Risk Is Systemic The biggest risk to business continuity may lie outside the company in the wider supply chain The complexity and inter-connectedness of modern supply chains increases their vulnerability to disruption Environmental risks are outside our control, but systemic risk is created through our own decisions Page 31

32. Page 32 Recording of this session via any media type is strictly prohibited. Supply chain risk (i) “The entire Japanese vehicle industry ground to a halt following an earthquake that stopped production of piston rings for engines provided by Riken, the industry leader in the domestic market. Toyota, in particular, was forced to stop operations at all 12 of its domestic plants.” – Financial Times, 24 July 2007 Page 32

33. Page 33 Recording of this session via any media type is strictly prohibited. Supply chain risk (ii) “A fire at a key Philips semiconductor factory in 2000 caused a worldwide shortage of the radio frequency chips used by both Nokia and Ericsson. Nokia immediately lined up another source and redesigned other chips so they could be produced elsewhere. However, Ericsson responded more slowly and lost an estimated $400 million in mobile phone handsets.” - MIT Sloan Management Review - Summer 2006 Page 33

34. Page 34 Recording of this session via any media type is strictly prohibited. Supply chain risk (iii) “Yesterday it emerged that ice-cream supplies may run short because Unilever’s only UK factory, based in flood-stricken Gloucester, has been closed for the past ten days. The company usually manufacturers five million ice-creams and lollipops a day at the plant. It has stocks in freezers but it could be days before normal production resumes. Industry insiders predict that there will now be an ice-cream war as rival brands attempt to exploit Unilever’s predicament and gain market share.” – The Times, 31 July 2007 Page 34

35. Page 35 Recording of this session via any media type is strictly prohibited. Changing Times & An Uncertain World ‘Known’ problems are only part of the picture Known Unknowns, Knowable Unknowns and Unknowable Unknowns Y2K: The Millennium Bug Creeping Crises (e.g. Foot and Mouth disease) Post 9/11 Security Matters Corporate Scandals, Operational Risk and Business Continuity 35

36. Page 36 Recording of this session via any media type is strictly prohibited. Known Unknowns We know that there exist uncertainties, which we know how to solve ‘Known known’ 36

37. Page 37 Recording of this session via any media type is strictly prohibited. Knowable Unknowns There are some uncertainties which we don’t know how to solve, We may choose ignore or face it 37

38. Page 38 Recording of this session via any media type is strictly prohibited. Unknowable Unknowns However, there are still uncertainties that we don’t know that we don’t know 38

39. Page 39 Recording of this session via any media type is strictly prohibited. Y2K: The Millennium Bug A ‘Known known’ example In the UK, the government encourage businesses to take the necessary measures to prevent system crashes, and engage in business continuity planning 39

40. Page 40 Recording of this session via any media type is strictly prohibited. Y2K: The Millennium Bug As a result, nothing happened and the government was delighted, believing the planning had saved the country from disaster But the non-event left many managers skeptical as to whether the costly preventive measures had really necessary? 40

41. Page 41 Recording of this session via any media type is strictly prohibited. Y2K: The Millennium Bug Y2K is one of the intractable problems about proactive measures to improve organizational and supply chain resilience If successful, mean nothing happens, but leads to questions of value or cost/benefits justification It is very difficult to make a business case for proactive ‘just in case’ measures to improve resilience 41

42. Page 42 Recording of this session via any media type is strictly prohibited. Creeping Crises The outbreak of foot and mouth disease(FMD) in British livestock herds in February 2001 resulted in damage to whole sectors of economy FMD was a known threat to livestock, albeit one that had not been seen in UK for a generation The impact is engaged in production and distribution of food 42

43. Page 43 Recording of this session via any media type is strictly prohibited. Creeping Crises But FMD also affected car manufacturers and fashion houses across Europe because of the shortage of high-quality leather All ‘knowable unknowns’ events could be the example of ‘creeping crises’ Creeping crises show the fact that supply chains are more than value-adding mechanisms underlying competitive business models Supply chains link organizations, industries and economies, they are part of the fabric of society 43

44. Page 44 Recording of this session via any media type is strictly prohibited. Post 9/11 Security Matters The events of 9/11 were so far out of risk managers’ field of reference, that they can be classed as “unknowable unknowns” The closure of US borders and the grounding of transatlantic flights dislocated international supply chains making supply chain vulnerability front page new 44

45. Page 45 Recording of this session via any media type is strictly prohibited. Post 9/11 Security Matters Post 9/11, new security measures were hurriedly introduced at US border posts, ports and airports, affecting inbound freight to USA, including: Container Security Initiative (CSI) o CSI looked to new technology to pre-screen ‘high risk’ containers before they arrived at US ports Customs-Trade Partnership (C-TPAT) o C-TPAT is a ‘known shipper’ programme, which allows cargoes from companies certified by US Customs to clear customs quickly 45

46. Page 46 Recording of this session via any media type is strictly prohibited. Corporate Scandals, Operational Risk and Business Continuity In the world of corporate risk management events(e.g. 9/11) were unfolding that would push ‘operational risk’ to the top of the corporate agenda The Enron Corporation collapsed in late 2001 o Once held up as a model of best practice corporate risk management o Another three companies quickly followed 46

47. Page 47 Recording of this session via any media type is strictly prohibited. Corporate Scandals, Operational Risk and Business Continuity New regulation, Sarbanes-Oxley Act(SOX) is noteworthy SOX requires full disclosure of all potential risks to corporate well-being within the business Board members have become more interested in identifying ‘knowable unknowns’ and have turned to risk management and to Business Continuity Management(BCM) 47

48. Page 48 Recording of this session via any media type is strictly prohibited. The Risk Management Challenge Page 48 High Low High Probability of Occurrence Consequence/ Impact Where can we reduce the probability? How can we reduce the consequence?

49. Page 49 Recording of this session via any media type is strictly prohibited. The Risk Management Challenge Decision Theory and Managerial Tendencies Objective Risk and Perceived Risk 49

50. Page 50 Recording of this session via any media type is strictly prohibited. Decision Theory and Managerial Tendencies Concerned paid little attention to uncertainty surrounding positive outcomes, viewing risk in terms of dangers or hazards with potentially negative outcomes Managers focus on the possible losses associated with plausible outcomes Decisions involving risk are heavily influenced by their impact on the manager’s own performance targets 50

51. Page 51 Recording of this session via any media type is strictly prohibited. Decision Theory and Managerial Tendencies In comfortable circumstances managers are likely to be risk-averse, but when staring failure in the face, researchers show that this tendency reverses and they become risk- prone There is unlikely to be a single unified attitude to risk taking within a large organization 51

52. Page 52 Recording of this session via any media type is strictly prohibited. Objective Risk and Perceived Risk A view of risk set out by the engineers and physicists of The Royal Society: ‘Objective risk’: determined by experts applying quantitative scientific means ‘Perceived risk’: the imprecise and unreliable perceptions of general public ‘Detriment’: the numerical measure of harm or loss associated with an adverse event 52

53. Page 53 Recording of this session via any media type is strictly prohibited. Objective Risk and Perceived Risk Social scientists contend that, where people were involved, objective and perceived risk become inseparable Risk is not a discrete or objective phenomenon Risk is an interactive culturally determined one Risk is inherently resistant to objective measurement 53

54. Page 54 Recording of this session via any media type is strictly prohibited. Objective Risk and Perceived Risk Engineering-derived ‘objective’ views lead to a business process engineering and control perspective Open interactive societal systems views offer a persuasive argument for perceived risk The global supply chain view illustrates that culturally determined perceptions of risk could vary greatly from one region to another Hence the forces of nature can demonstrate just how far removed from a controlled environment this all might be 54

55. Page 55 Recording of this session via any media type is strictly prohibited. Managing Supply Chain Risk Map the supply chain Identify the critical paths Utilise cause and effect analysis (TQM tools) Implement supply chain event management Adopt agile practices Formalise supply chain risk management Page 55

56. Page 56 Recording of this session via any media type is strictly prohibited. Identify The Critical Path(s) Critical paths are characterised by:- long lead-times no short-term alternative source of supply Bottlenecks high levels of identifiable risk (i.e. supply, demand, process, control and environmental risk) Page 56

57. Page 57 Recording of this session via any media type is strictly prohibited. Use cause and effect analysis How To. pareto analysis asking ‘why?’ five times fishbone charts failure mode and effects analysis Page 57

58. Page 58 Recording of this session via any media type is strictly prohibited. Pareto Analysis 80% of disruptions will share 20% of the causes

59. Page 59 Recording of this session via any media type is strictly prohibited. Asking “Why?” Five Times 1.Q.Why did the machine stop? A.There was an overload and the fuse blew. 2.Q.Why was there an overload? A.The bearing was not sufficiently lubricated. 3.Q.Why was it not sufficiently lubricated? A.The lubrication pump was not pumping sufficiently.

60. Page 60 Recording of this session via any media type is strictly prohibited. Asking “Why?” Five Times 4.Q.Why was it not pumping sufficiently? A.The shaft of the pump was worn and rattling. 5.Q.Why was the shaft worn? A.There was no strainer and metal scrap got in.

61. Page 61 Recording of this session via any media type is strictly prohibited. Asking “Why?” Five Times Repeating why five times like this can help uncover the root problem and correct it. If this procedure were not carried through, one might simply replace the fuse or the pump shaft. In that case the problem would reoccur in a few months. – Taiichi Ohno - Toyota Production System

62. Page 62 Recording of this session via any media type is strictly prohibited. Cause And Effect Analysis Page 62

63. Page 63 Recording of this session via any media type is strictly prohibited. Failure Mode And Effects Analysis (FMEA) Asks three questions: -What could go wrong? -What effect would this failure have? -What are the key causes of this failure? Provides an assessment of risk for each possible failure: S=severity of effect O=likelihood of occurrence D=likelihood of detection Page 63

64. Page 64 Recording of this session via any media type is strictly prohibited. Risk Analysis Scoring System Page 64

65. Page 65 Recording of this session via any media type is strictly prohibited. Risk Analysis Scoring System

66. Page 66 Recording of this session via any media type is strictly prohibited. Risk Analysis Scoring System

67. Page 67 Recording of this session via any media type is strictly prohibited. Supply Chain Risk and Risk Management Strategies

68. Page 68 Recording of this session via any media type is strictly prohibited. Creating a Resilient Supply Chain: Strategic Approaches

69. Page 69 Recording of this session via any media type is strictly prohibited. Creating a Resilient Supply Chain: Strategic Approaches

70. Page 70 Recording of this session via any media type is strictly prohibited. “It is not the strongest of the species that survive nor the most intelligent, but the one most responsive to change”. – Charles Darwin Page 70

71. Page 71 Recording of this session via any media type is strictly prohibited. Questions, Final Comments and Contact Information Thank You for Joining us Today! Randy F. Jouben, CPCU, ARM,CBCP, MBCI, AIC, AINS, Director, Risk Management Five Guys Enterprises, LLC 10718 Richmond Highway Lorton, Virginia 22079 Direct: 703-436-1959 rjouben@fiveguys.com