Enhancing Supply Chain Security Dr. Omar Keith HelferichDr. Judith M. Whipple Supply Chain FacultyAssociate Professor Central Michigan UniversityMichigan State University July 31, 2007 – Foundation For Strategic Sourcing

Objectives  Define Supply Chain Security  Identify status of supply chain security initiatives  Identify competencies and capabilities that firms are using to enhance supply chain security  Discuss benchmarking tool for improving supply chain security This research was supported by the U.S. Department of Homeland Security (Grant number N ), through a grant awarded to the National Center for Food Protection and Defense at the University of Minnesota. Any opinions, findings, conclusions, or recommendations expressed in this publication are those of the author (s) and do not represent the policy or position of the Department of Homeland Security.

Definition of Supply Chain Protection and Security  The application of policies, procedures, and technology to protect supply chain assets (product, facilities, equipment, information, and personnel) from theft, damage, or terrorism and to prevent the introduction of unauthorized contraband, people, or weapons of mass destruction. Closs and McGarrell (2004), “Enhancing Security Throughout the Supply Chain,” IBM Center for the Business of Government –

Secure Supply Chain Requirements  Preventing any biological, chemical or unauthorized agent to be incorporated into the product  Preventing any illegal commodity to be intermingled with the shipment  Preventing transportation assets or a shipment’s contents to be used as a weapon  Preventing unauthorized access to the product and/or supply chain network  Preventing disruptions of the supply chain network/infrastructure

Supply Chain Security Impact: A State of Transition  From Corporate security Theft prevention Inside the company Vertically integrated supply chain with 1 st tier suppliers Country or geographic Contingency planning Reactive  To Cross functional team To include anti-terrorism End-to-end supply chain Business model that includes 2 nd and 3 rd tier suppliers Global To include crisis management Proactive

Security Expectations: A Changing Future  Secure supply chains – containing advanced security processes and procedures  Resilient supply chains – able to react to unexpected disruptions quickly in order to restore normal operations Rice and Caniato (2003), “Building a Secure and Resilient Supply Network,” Supply Chain Management Review, September/October.

Industries Under Investigation  Food – National Center for Food Protection and Defense (A Department of Homeland Security Center of Excellence)  Electronics and Pharmaceuticals (IBM Research Grant)  Hazardous Material (Dow Chemical Grant)

Potential Supply Chain Risk High Low Potential # of Incidents Range of Security Strategies SafetySecurity Management Integrated Supply Chain Security UnintentionalIntentional Unintentional Range of Security Strategies

Key Considerations: Capabilities and Competencies  Capability – the infrastructure, processes, systems, assets, and resources to develop a specific competency  Competency –the broad set of skills, knowledge, and aptitude that create and sustain a secure supply chain Competency 1 Capability 1 Capability 2 Capability 3

Outcomes of the Food Supply Chain Benchmarking Research  Provide industry with in-depth understanding of the capabilities that form competencies in supply chain security  Define competencies and understand their impact on security performance  Compare capabilities, competencies and performance across firms in the food supply chain  Create benchmarking process and tool to assist in extended and future comparison and evaluation

Team Members Jean Kinsey, Ph.D. Robert Kauffman, Ph.D. Theodore Labruzza, Ph.D. Jon Seltzer, Ph.D. David Closs, Ph.D. Cheri Speier, Ph.D. O. Keith Helferich, Ph.D. Dan Lynch, Ph.D. Ed McGarrell, Ph.D. Robyn Mace, Ph.D. Judy Whipple, Ph.D. Doug Voss, RA Alan Erera, Ph.D. Chip White, Ph.D. Steven Morris, RA

Competency Assessment Supply Chain Security Practice Competencies Supply Chain Security Performance Firm Demographics Size Channel location Organizational responsibility What practices are used? Which practices are more effective? How do they differ?

Competency Performance Drives Security Performance Management Technology (MT)Process Technology (PT)Process Management (PM)Food Supply Chain SecurityMetrics/Measurement (MM)Communications Management (CM)Relationship Management (RM)Infrastructure Management (IM)Public Interface Management (PIM)Process Strategy (PS)Service Provider Management (SPM)

Definitions of Competencies  Process Strategy (PS) – executive commitment to security and the institution of a culture of security  Process Management (PM) – the degree to which specific security provisions have been integrated into processes managing the flow of products, services and information  Infrastructure Management (IM) – security provisions that have been implemented to secure the physical infrastructure  Communications Management (CM) – internal information exchange between employees, managers, and contractors to increase security

Competencies (Continued)  Management Technology (MT) – the effectiveness of existing information systems for identifying and responding to a potential security breach  Process Technology (PT) – specific technologies implemented to limit access and trace the movement of goods  Metrics/Measurement (MM) – the availability and use of measurement to better identify and manage security threats

Competencies (Continued)  Relationship Management (RM) – information sharing and collaboration between supply partners  Public Interface Management (PIM) – the security related relationships and exchanges of information with the government and the public  Service Provider Management (SPM) – information sharing and collaboration between the firm and its logistical service providers

Performance Measures  Ability to detect security incidents  Reduction in the number of security incidents  Increased resilience in recovery  Changed risk profile  Changed firm and supply chain cost, shrink, injuries, and turnover  Improved security relative to competitors  Improved ability to meet security requirements

What Capabilities (Practices) Create a Competency? One Example Communications Management Defined communication protocols Information preventing incidents Information detecting incidents Information responding to incidents Information regarding recovering from incidents Information protocols in case of contamination Reporting protocols in case of incident

Research Process  In-depth company interviews 15 manufacturers 13 retailers 7 transportation providers  Questionnaire Development  Overall Survey Response (total respondents = 239) Food Products Association (134 – 58%) Michigan Department of Agriculture (83 – 9%) ASIS International (22 – 10%)  Respondents’ Scope of Responsibility Quality Management (101 – 42%) Supply Chain Management (36 – 15%) Security Management (25 – 10%) Other (57 – 24%) Not Defined (20 – 8%)

Who Responded to the Survey – Size of Firm? Size of FirmManufacturer/ Wholesalers < $20 M59 $20 - $100 M44 $100 - $500 M29 $500 M - $1 B10 > $1 B64 Not Defined32

Initial Research Questions  Where are firms focusing their efforts?  Is there a difference between large and small manufacturers in competency focus?  Where are firms seeing results?  Is there a difference between large and small manufacturers in security performance?

Where are Manufacturers/Wholesalers Focusing Their Efforts? Score of 5 Indicates Strong Activity

CompetencyMean Score (Large) Mean Score (Small) Process management * Management technology * Communications management * Infrastructure management Metrics/Measurement * Process strategy * Public interface management * Service provider management * Process technology * Relationship management * * Indicates statistically significant difference in mean Is There a Difference Between Large and Small Manufacturers/Wholesalers?

Where are Manufacturers/Wholesalers Seeing Results? Score of 5 Indicates Significant Change (SC)

Is There a Difference Between Large and Small Manufacturers/Wholesalers? Performance MeasureMean Score (Large)Mean Score (Small) Detect incidents inside firm Detect incidents across SC * Decreased incidents inside firm * Decreased incidents across SC Increased firm resilience Increased SC resilience Improved firm risk profile Improved SC risk profile NOTE: Scale anchors: Significantly Increased – No Change – Significantly Decreased * Indicates statistically significant difference in mean

Performance MeasureMean Score (Large)Mean Score (Small) Firm reduced operating cost Firm reduced loss/shrink Firm reduced insurance cost Firm reduced personal injury Firm reduced employee turnover SC reduced operating cost SC reduced loss/shrink SC reduced insurance cost SC reduced personal injury SC reduced employee turnover NOTE: Scale anchors: Significantly Increased – No Change – Significantly Decreased Is There a Difference Between Large and Small Manufacturers/Wholesalers?

Perceived Performance Results for Manufacturers/Wholesalers  The positive results are Increased detection within firm and across supply chain Increased firm and supply chain resilience Decreased personal injury  However, there has been an increase in firm and supply chain operating cost

Further Research Questions  Do some firms consider security as a high strategic priority?  What do these firms do differently than low priority firms?  Do high priority firms have better performance results than low priority firms?

Strategic Security Construct  Our firm's senior management views supply chain security as necessary for protecting our brand or reputation.  Our firm has a corporate level strategy to address security concerns.  Our firm’s senior management views supply chain security as a competitive advantage.  Our firm’s senior management views supply chain security initiatives as a necessary cost of doing business.  Our firm’s senior management supports food supply chain security initiatives. 127 firms classified as high priority; 72 as low priority.

Internal Security MeasureMean Score (High) Mean Score (Low) Information systems provide timely information for response * Information systems provide valid information for response * Information systems allow us to quickly share information * Our firm uses RFID to effectively track products Our firm incorporates prevention information into training * Our firm incorporates detection information into training * Our firm incorporates response information into training * Our firm incorporates recovery information into training * Our firm’s information systems are secure * NOTE: Scale anchors: Strongly Disagree – Strongly Agree Is There a Difference Between High and Low Strategic Priority Firms? * Indicates statistically significant difference in mean

External Security Measure (across the supply chain)Mean Score (High) Mean Score (Low) Information systems provide timely information for response * Information systems provide valid information for response * Information systems provide actionable information * Our SC partners uses RFID to effectively track products Our firm has processes in place to prevent a SC incident * Our firm has processes in place to detect a SC incident * Our firm has processes in place to respond to a SC incident * Our firm has processes in place to recover from a SC incident * Our SC partners’ information systems are secure * NOTE: Scale anchors: Strongly Disagree – Strongly Agree Is There a Difference Between High and Low Strategic Priority Firms? * Indicates statistically significant difference in mean

Performance Measure – “Our firm’s security investment has significantly reduced/significantly increased…” Mean Score (High) Mean Score (Low) Our ability to detect security incidents inside our firm * Our ability to detect security incidents across the supply chain * Security incidents inside our firm Security incidents across the supply chain Our resilience in recovering from security incidents inside our firm * Our resilience in recovering from security incidents across the supply chain * Do High Strategic Priority Firms Perform Better than Low Strategic Priority Firms? * Indicates statistically significant difference in mean NOTE: Scale anchors: Significantly Increased – No Change – Significantly Decreased

What Measures Impact Detection/Recovery for High Strategic Priority Firms?  Internal Timely information to respond Prevention information in employee training Recovery information in employee training  External Processes in place to recover from an incident in our supply chain Our supply chain partners’ information systems are secure

The Creation of an Assessment and Benchmarking Tool  Survey for internal company use  Summary of results from company use  Benchmark of company results by item, competency, and total score

Example of a Firm’s Diagnostics Results Food Supply Chain Security Firm World Class Scale: Disagree Agree MeanBenchmarkGap 1 Process Management (0.56) 2 Process Strategy (0.99) 3 Infrastructure Management (1.93) 4 Communication Management (0.25) 5 Management Technology (0.05) 6 Process Technology (0.02) Public Interface Management (0.05) Metrics/Measurement (0.58) Service Provider Management Relationship Management (0.52) Overall Score (4.79) * Large gaps indicate problem areas * World Class is the sample mean plus 1 standard deviation

Conclusions  Food supply chain firms are increasingly interested in protecting their supply chains to protect their customers and brand names.  Firms must develop a broad range of competencies to achieve supply chain protection.  Firms have seen performance improvements in detection and resiliency.  In general, firms embarking on supply chain security initiatives will, at least initially, increase firm and supply chain operating cost.  Better performance is linked to extended supply chain security efforts throughout the supply chain.