Supply Chain Related Standards for Increasing Resilience

Presentation transcript:

Supply Chain Related Standards for Increasing Resilience

Supply Chain Related Standards
• ISO 31000: Risk Management
• PD 25222: Supply Chain Continuity
• ISO 28001: Supply Chain Security Management
©2012 ICOR ALL RIGHTS RESERVED

ISO 31000 Risk Management Standard
• A risk assessment is performed when management needs to understand the organization’s potential for loss or its vulnerabilities
• The purpose of RM is to reduce the impact of the risks and exposures identified in the RA
• It is impossible to identify all threats, and estimates of probability are often guesswork

ISO 31000:2009 sets out principles, a framework and a process for the management of risk that are applicable to any type of organization in the public or private sector. It does not mandate a "one size fits all" approach, but rather emphasizes that the management of risk must be tailored to the specific needs and structure of the particular organization.

Purpose of the Risk Process
A Risk Assessment is performed when management needs to understand the organization’s potential for loss or its vulnerabilities. The purpose of a Risk Assessment is to reduce the impact of the risks and exposures identified during the assessment. Once these have been identified, controls need to be evaluated and recommended to prevent or minimize the effects of the potential loss. As part of this process, a cost-benefit analysis is completed to justify the investment in the recommended controls. In the context of BCM, a Risk Assessment looks at the probability and impact of a variety of specific threats that could cause a business interruption. By prioritization it may be possible to implement measures to reduce the likelihood or mitigate the impact of these threats. It is recognized that the Risk Assessment has serious shortcomings in evaluating catastrophic operational risks, because it is impossible to identify all threats and estimates of probability are guesswork or based on historic and sometimes inaccurate information. However, by focusing on the most urgent functions as identified in the BIA, the Risk Assessment can be reduced to a more manageable scope.

The Risk Assessment may identify unacceptable concentrations of risk and what are known as ‘single points of failure’. These should be highlighted to the business continuity sponsor at Executive or Senior Management level at the earliest possible opportunity, along with options for addressing the issue. The strategic decision to mitigate, transfer or accept the risk should be formally documented and signed off. In some countries and sectors the use of Risk Assessment is mandated.

Purpose of the Risk Assessment
• Determine vulnerabilities
• Address vulnerabilities
• Maximize $ spent on risk mitigation

Risk Management Outcomes
The outcomes from a Risk Assessment include the identification and documentation of:
• Single points of failure
• Prioritized list of threats to the organization or to the specific business processes analyzed
• Information for a risk control management strategy and action plan for risks to be addressed
• Documented acceptance of identified risks that are not to be addressed

Management of Risk Increases Resilience
• Increases the likelihood of achieving objectives;
• More aware of the need to identify and treat risk throughout the organization;
• Improves the identification of opportunities and threats;
• Complies with relevant legal and regulatory requirements and international norms;
• Improves mandatory and voluntary reporting and governance;
• Establishes a reliable basis for decision making and planning;
• Improves controls;
• Effectively allocates and uses resources for risk treatment;
• Improves operational effectiveness and efficiency;
• Enhances health and safety performance, as well as environmental protection;
• Improves loss prevention and incident management;
• Minimizes losses; and
• Increases organizational resilience.

ISO 31000: When implemented and maintained in accordance with this International Standard, the management of risk enables an organization to, for example:
⎯ increase the likelihood of achieving objectives;
⎯ encourage proactive management;
⎯ be aware of the need to identify and treat risk throughout the organization;
⎯ improve the identification of opportunities and threats;
⎯ comply with relevant legal and regulatory requirements and international norms;
⎯ improve mandatory and voluntary reporting;
⎯ improve governance;
⎯ improve stakeholder confidence and trust;
⎯ establish a reliable basis for decision making and planning;
⎯ improve controls;
⎯ effectively allocate and use resources for risk treatment;
⎯ improve operational effectiveness and efficiency;
⎯ enhance health and safety performance, as well as environmental protection;
⎯ improve loss prevention and incident management;
⎯ minimize losses;
⎯ improve organizational learning; and
⎯ improve organizational resilience.

Framework for Managing Risk

Risk Management Process

ISO 31000 Risk Management Process
• What may happen and why?
• What are the consequences?
• What is the probability?
• How to mitigate or reduce the probability of the risk?

Drivers of Risk Management
According to this graphic by the Institute for Risk Management (IRM), Supply Chain Risk Management falls under the category of managing external Infrastructure Risks. It would be one aspect of the organization’s overall risk management strategy.

The Institute for Risk Management (IRM), in its paper A Structured Approach to Enterprise Risk Management, has identified 4 drivers or categories of enterprise risk management:
• Financial risks
• Marketplace risks
• Reputational risks
• Infrastructure risks

While Supply Chain risks fall under the category of infrastructure risks, we also understand that if the supply chain is interrupted it has other impacts, such as reputational and contractual ones.
ISO 31000

Risk Assessment Techniques

Risk Description

Risk Management Assignments

PD 25222: 2011 Business Continuity Management – Guidance on Supply Chain Continuity
• Goal: Obtaining assurance of suppliers’ own continuity arrangements.
• Audience: Supply procurement
• Focus on key suppliers & dependence on key customers
• Use of a risk-based approach

It is important for an organization to implement a process of supply chain continuity management, as there are occasions where the organization relies on key suppliers to deliver critical products/services on time. To that end, this Published Document (PD) gives guidance on continuity management within the supply chain, including obtaining assurance of suppliers’ own continuity arrangements. It is intended primarily for the supply procurement community (anyone buying a product or service necessary to an organization’s critical products or services, whether or not part of a dedicated procurement department), rather than dedicated business continuity managers. While the PD focuses primarily on key suppliers, it acknowledges that vulnerabilities might also arise from dependence on key customers, so that it is necessary for an organization to consider the implications of disruptions to such customers.

Promotes the Classification of Suppliers
Uses a “tier” approach:
• Tier 1: Direct contractual relationship
• Tier 2: Supplies products and services to a tier 1 supplier
• Tier 3: Supplies to a tier 2 supplier

The PD covers the supply of products and services, both internally and externally, to service level agreements (SLAs) under any type of ongoing supplier relationship, though it might also cover certain one-off relationships. In so doing, the PD promotes the classification of suppliers according to “tier”, the importance/criticality of the product/service they supply to the organization, and “layer”, their “distance” from the organization (i.e. a layer 1 supplier has a direct contractual relationship with the organization, while a layer 2 supplier supplies products and services to a layer 1 supplier). The focus is on layer 1 suppliers, with other suppliers addressed as resources permit.

Critical Scope of Standard: Activities, Customers, Suppliers, Supplies
3.3 critical activities: those activities which have to be performed in order to deliver the key products and services which enable an organization to meet its most important and time-sensitive objectives
3.4 critical customer: customer the loss of whose business would jeopardize the survival of the organization
3.5 critical supplies: products/services obtained from a supplier whose loss would quickly disrupt the organization’s critical activities
3.6 critical supplier: provider of critical supplies. NOTE This includes an “internal supplier”, which is a supplier that is part of the same organization as its customer.
3.10 supply chain: network of organizations that are involved, through upstream and downstream linkages, in the different processes and activities that produce value in the form of products and services in the hands of the ultimate consumer (Christopher 1998 [1])
3.11 supply chain continuity management (SCCM): application of business continuity management to the supply chain

Potential Types of Supplier Relationships
• Recurring product/service suppliers: providing components, raw materials, financing, property rental, essential fixed asset maintenance, etc.
• One-off or infrequent product/service suppliers: perhaps to provide a new piece of capital equipment.

There is also a range of potential supplier relationship types, including:
1) recurring product/service suppliers (providing components, raw materials, financing, property rental, essential fixed asset maintenance, etc.);
2) one-off or infrequent product/service suppliers (perhaps to provide a new piece of capital equipment);
3) outsourced or contracted out (off-site service or business process providers, such as payroll bureau, IT services, contact centre, logistics or distribution);
4) strategic partners (such as franchises, distributors and joint ventures); and
5) cooperative relationships or interdependencies between suppliers.

Potential Types of Supplier Relationships (cont.)
• Outsourced or contracted out: off-site service or business process providers, such as payroll bureau, IT services, contact centre, logistics or distribution.
• Strategic partners: such as franchises, distributors and joint ventures.
• Cooperative relationships or interdependencies between suppliers.

Supply Chain Relationship Impact Factors
Supply chain relationships may be based on a number of factors, including:
• People: personal relationships;
• Formal agreements: contracts, work orders, service level agreements, operating level agreements, etc.;
• Information: electronic or paper; purchase orders, design specifications;
• Processes: workflow; product/service creation and delivery;
• Infrastructure: transportation systems, Internet;
• Culture: business networks, trading relationships; and
• Environment: political, meteorological, economic (e.g. foreign exchange rates), etc.
NOTE These are examples only and not intended to be exhaustive.

In addition to customers and suppliers, other stakeholders might be involved in and impacted by supply chain interruptions, including local communities (for example, from which personnel are drawn), informal community network members, trade bodies, contracted consortium partners, partial competitors or “buddies” with reciprocal arrangements, etc.

Supplier & Contract Lifecycle
4.3.3 Supplier and contract lifecycle
Suppliers and contracts exist within a lifecycle of supply and service acquisition, operation and discontinuation. The point of entering into a new contract or renewing an existing contract presents the organization with some opportunity to influence future supplier behaviour, through contractual content and service levels, which might give rise to potential “moments of change” that could be exploited. Conversely, longer-term contractual commitments and high supplier switching costs can shift the balance of power between the organization and its supplier, creating resistance to changing future supplier behaviour. SCCM should take the supplier and contract lifecycle into consideration.

Who Owns the Risk?
The organization owns the risk and must manage supply chain risk and respond to supply chain interruptions.

4.3.4 Who owns the risk?
The relationship between organization and supplier in a supply chain involves the supplier delivering its products (supplies) or services to the organization. The organization needs these supplies to deliver its own products or services to its customers. If the supplier is unable to deliver then it risks losing revenue and its customers, but this might be the limit of the supplier’s risk. The fact that the organization might be unable to deliver its products or services to its customers as a consequence is a supply chain risk that the organization itself retains. The onus is therefore on the organization to manage the supply chain risk and respond to supply chain interruptions. Customers expect the organization to take responsibility for its supply chains and are likely to hold the organization (rather than its suppliers) responsible for failure to deliver products or services. In addition, the organization might be responsible under legislation for poor delivery, even if the issue lies within the supply chain. Therefore, an organization’s brand is at risk of damage in the event of a problem in its supply chain or by the actions of a supplier.

In addition to the supplier and customer directly involved, there are many other potential stakeholders with an interest in a supply chain transaction:
a) banks/creditors, who might be concerned that their money is at risk;
b) investors/analysts, who might question whether the organization is a good investment;
c) insurers, who want to understand the risk of a claim that the organization represents;
d) employees, who depend on income from the organization;
e) the wider community, which needs the organization’s contribution to its economy while minimizing risk to the environment and life safety;
f) other customers, who could be let down;
g) other suppliers, who need to be assured that the organization is a reliable source of revenue; and
h) other suppliers, who might need assurance if interdependencies between suppliers exist.
In some extreme cases, a supply chain disruption might adversely affect an industry, market sector or the wider economy, government and public

Supply Chain Continuity Management
Key benefit of effective supply chain continuity management: the mapping of supply chain results provides a better understanding of where and how to improve the organization’s supplier management, which should increase efficiency and reduce the likelihood and impact of supply chain disruptions.

4.4 Benefits of effective SCCM
Potential benefits arising from effective SCCM include:
a) the mapping of supply chain results gives a better understanding of where and how to improve the organization’s supplier management, which in turn can increase efficiency and reduce the likelihood and impact of supply chain interruptions;
b) improved response to supply chain interruptions, including more effective collaboration with suppliers and customers;
c) more frequent identification and mitigation of supply chain risks before they happen or before the organization is impacted;
d) improved business-as-usual supplier management, planning, due diligence, assurance and working relationships with suppliers; and
e) the organization can gain new customers by distinguishing itself from competitors who do not have in place effective SCCM arrangements.

Challenges
• Scale and complexity of supply chain
• Distance and visibility of suppliers
• Existing contractual relationships
• Lack of structured approach
• Lack of business case
• Lack of embedded responsibility across stakeholder functions

4.5 Challenges to effective SCCM
Supply chain continuity management presents a number of challenges, including:
a) scale and complexity (especially large organizations that can have many thousands of suppliers);
b) distance and visibility of suppliers in the supply chain (geographic separation and number of links up or down the chain);
c) existing contractual relationships might present infrequent “moments of change” when the service is open to alteration;
d) lack of structured approach (to determine where to start, how to proceed and overcome apathy or inertia);
e) lack of business case, top management commitment and necessary resources, including trained people;
f) defining and embedding responsibility for SCCM across stakeholder functions within the organization, and between organizations in the supply chain;
g) striking a balance between the expense of supply chain risk reduction that pays off over a longer time period and the short-term financial rewards of lower supply chain capital and operating costs in “business-as-usual”;
h) differences in risk tolerance/appetites between individuals, organizations and cultures;
i) international cultural and legal differences;
j) balance (or lack) of power in the supply chain (such as a small organization dealing with a much larger supplier with multiple customers);
k) obtaining firm and meaningful product or service supply continuity commitments from suppliers (might a supplier divert supplies to another more important customer in times of shortage?);
l) difficulty identifying indirect impacts: the loss of one supplier can make another critical; and
m) difficulty understanding the full cost of disruption.

Challenges (cont.)
• Striking a balance between expense of risk reduction & short term financial rewards
• Differences in risk tolerance/appetites
• International cultural and legal differences
• Lack of power for smaller suppliers
• Obtaining firm and meaningful service commitments
• Difficulty identifying indirect impacts
• Difficulty understanding full cost of disruption

Supply Chain Mapping
NOTE This map shows that the organization depends on three suppliers, two of whom are critical. These two suppliers are in turn dependent on four suppliers in the next layer. The organization serves four customers and is dependent on two distributors to reach two of these customers.

Impact of Loss of Critical Supplier
NOTE This map demonstrates the disruption to the supply chain caused by the loss of a critical supplier to the organization.

Business continuity “requirements” should be established for each category of suppliers (using, for example, BS 25999) and suppliers’ conformity with these requirements assessed using appropriate examples, sources of evidence (not just questionnaires) and levels of detail. Simply asking suppliers if they have a business continuity plan is not adequate. Questions need to establish suppliers’ capability in given situations, the service level to be expected and their RTOs for critical supplies. Suppliers should be asked to follow SCCM guidance. Indeed, a supplier should conduct a risk assessment if it is dependent upon one customer. The organization may also implement a process for evaluating the way in which a supplier audits a) its own BC process, and b) its suppliers’ BC capability.

The evidential approach to assessment of suppliers should include such processes as:
1) documented BIAs, risk assessments and business continuity plans;
2) documented processes for maintaining and updating suppliers’ continuity plans; and
3) documented exercise plans and post-exercise and post-incident reports.
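The map described on the two mapping slides, together with the “layer” classification and the single points of failure a risk assessment is meant to surface, as an added worked example (this is not code from the presentation or from PD 25222). The supplier, distributor, customer and supply names are constructed; the model assigns suppliers to layers by their distance from the organization, lists the critical suppliers, finds every node whose loss alone stalls a critical activity or cuts off a customer, and shows the impact of losing one critical supplier. The rule that a supplier can only deliver when all of its own inputs still arrive is a modelling assumption, not something the PD states.

```python
from collections import deque

# Constructed data (not the slides' own map), shaped as the slide describes it:
# the organization depends on three suppliers, two of them critical, which in turn
# depend on four layer-2 suppliers; it serves four customers, two only via distributors.
ORG = "Org"

# Supply links as (supplier, customer, supply name), i.e. in the downstream direction.
SUPPLY_EDGES = [
    ("T1", "S1", "alloy"), ("T2", "S1", "machining"),
    ("T3", "S2", "silicon"), ("T4", "S2", "toolchain"),
    ("S1", "Org", "castings"), ("S2", "Org", "controllers"), ("S3", "Org", "packaging"),
    ("Org", "C1", "product"), ("Org", "C2", "product"),
    ("Org", "D1", "product"), ("Org", "D2", "product"),
    ("D1", "C3", "product"), ("D2", "C4", "product"),
]

# Critical activities (PD 25222 3.3) and the supplies each one needs; constructed.
CRITICAL_ACTIVITIES = {"assemble-units": {"castings", "controllers"}}


def build_index(edges):
    """Index the edge list both ways: who supplies a node, and whom a node supplies."""
    suppliers_of, customers_of = {}, {}
    for sup, cust, name in edges:
        suppliers_of.setdefault(cust, []).append((sup, name))
        customers_of.setdefault(sup, []).append(cust)
    return suppliers_of, customers_of


def customers(edges):
    """Sink nodes: they supply nobody, so they are the end customers of the map."""
    return {n for e in edges for n in e[:2]} - {s for s, _, _ in edges}


def supplier_layers(edges, org=ORG):
    """PD 25222 'layer': number of supply links between a supplier and the organization
    (layer 1 = direct contract). Breadth-first search upstream gives the shortest distance."""
    suppliers_of, _ = build_index(edges)
    layers, queue = {}, deque([(org, 0)])
    while queue:
        node, depth = queue.popleft()
        for sup, _ in suppliers_of.get(node, []):
            if sup not in layers:
                layers[sup] = depth + 1
                queue.append((sup, depth + 1))
    return layers


def critical_supplies(activities):
    """Supplies whose loss would quickly disrupt a critical activity (PD 25222 3.5)."""
    return set().union(*activities.values())


def critical_suppliers(edges, activities, org=ORG):
    """Layer-1 providers of a critical supply (PD 25222 3.6)."""
    suppliers_of, _ = build_index(edges)
    needed = critical_supplies(activities)
    return {sup for sup, name in suppliers_of.get(org, []) if name in needed}


def available_supplies(edges, lost, node=ORG):
    """Supplies still arriving at `node` after the nodes in `lost` drop out.
    Assumption: a supplier can only deliver if every one of its own inputs still
    arrives (no buffer stock, no alternative sourcing)."""
    suppliers_of, _ = build_index(edges)

    def can_deliver(n, seen):
        if n in lost or n in seen:  # node lost, or a cycle in the map
            return False
        return all(can_deliver(s, seen | {n}) for s, _ in suppliers_of.get(n, []))

    return {name for sup, name in suppliers_of.get(node, []) if can_deliver(sup, frozenset())}


def reachable_customers(edges, lost, org=ORG):
    """Customers the organization can still reach downstream (e.g. through a distributor)."""
    _, customers_of = build_index(edges)
    reached, stack = set(), [org]
    while stack:
        for cust in customers_of.get(stack.pop(), []):
            if cust not in lost and cust not in reached:
                reached.add(cust)
                stack.append(cust)
    return reached & customers(edges)


def impact_of_loss(edges, activities, lost, org=ORG):
    """Which critical supplies stop arriving, which critical activities stall and which
    customers go unserved when `lost` drops out. Assumption: a stalled critical
    activity halts deliveries to every customer."""
    lost = set(lost)
    have = available_supplies(edges, lost, org)
    disrupted = {act for act, needs in activities.items() if not needs <= have}
    still_served = set() if disrupted else reachable_customers(edges, lost, org)
    return {
        "missing_critical_supplies": critical_supplies(activities) - have,
        "disrupted_activities": disrupted,
        "affected_customers": (customers(edges) - lost) - still_served,
    }


def single_points_of_failure(edges, activities, org=ORG):
    """Supply-side nodes whose loss alone stalls a critical activity or cuts off a customer."""
    nodes = {n for e in edges for n in e[:2]} - {org} - customers(edges)
    return {n for n in nodes if impact_of_loss(edges, activities, {n}, org)["affected_customers"]}


if __name__ == "__main__":
    print("layers:", supplier_layers(SUPPLY_EDGES))
    print("critical suppliers:", critical_suppliers(SUPPLY_EDGES, CRITICAL_ACTIVITIES))
    print("single points of failure:", sorted(single_points_of_failure(SUPPLY_EDGES, CRITICAL_ACTIVITIES)))
    print("lose S2:", impact_of_loss(SUPPLY_EDGES, CRITICAL_ACTIVITIES, {"S2"}))
```

Run stand-alone it reports S1 and S2 as the critical suppliers, every layer-2 supplier behind them plus both distributors as single points of failure, and the loss of S2 as stalling assembly and leaving all four customers unserved; S3 (packaging, not needed by a critical activity) is not a single point of failure. Adding a second source for a critical supply to the edge list is the quickest way to see which findings a mitigation actually removes.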

BCM Assurance & the Risk Portfolio
To implement a BCM assurance programme, the following need to be defined:
• The organization’s criteria for the BCM capability of each tier of suppliers.
• The organizational process from procurement to business-as-usual operation, including BCM consideration at all stages of implementation.
• The process of assurance itself, including management of subsequent remediation.

8.5 The place of BCM assurance in the risk portfolio
BCM assurance should cover operational, financial, regulatory/legal and reputational risk. The assurance process allows the organization to identify any “hidden” risks with its critical suppliers in the event that they suffer a disruption. Assurance has to facilitate the alignment of suppliers’ RTOs and SLAs with those of the organization, and the suppliers’ strategies have to provide a return to supply within the tolerance of the organization.

8.6 Implementing a BCM assurance programme
To implement a BCM assurance programme, the following need to be defined.
a) The organization’s criteria for the BCM capability of each tier of suppliers.
b) The organizational process from procurement to business-as-usual operation, including BCM consideration at all stages of implementation. This may be simply a set of checkpoints to ensure that the key BCM aspects have been considered and satisfactory solutions found.
c) The process of assurance itself, including management of subsequent remediation (see Figure 6 for an example).
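The evidential approach of the previous slide and the per-tier criteria and RTO alignment of this one, as an added example (not code from the presentation or from PD 25222): a small assurance check that records which documents were actually obtained from each supplier, flags questionnaire-only answers, compares the supplier’s committed RTO with how long the organization can tolerate losing that supply, and orders the findings so remediation starts with tier 1. The evidence required per tier, the supplier names, the RTOs and the tolerances are all constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed criteria, not PD 25222's own: evidence the organization requires
# from each supplier tier (tier 1 = most critical supplies).
EVIDENCE_BY_TIER = {
    1: {"bia", "risk_assessment", "bc_plan", "plan_maintenance_process",
        "exercise_plan", "post_exercise_report"},
    2: {"bia", "bc_plan", "exercise_plan"},
    3: {"bc_plan"},
}


@dataclass
class Supplier:
    name: str
    tier: int
    supply: str                      # what the supplier provides to the organization
    rto_hours: Optional[float]       # RTO the supplier commits to for that supply; None = no commitment
    evidence: set = field(default_factory=set)  # documents actually obtained, not just claimed
    questionnaire_only: bool = False             # answered a questionnaire, produced no evidence


def assess_supplier(supplier, tolerance_hours):
    """Findings that need remediation before the supplier passes assurance.
    tolerance_hours is how long the organization can go without this supply
    before its own critical activity stalls."""
    findings = []
    if supplier.questionnaire_only:
        findings.append("questionnaire answers only; no evidence obtained")
    missing = EVIDENCE_BY_TIER[supplier.tier] - supplier.evidence
    if missing:
        findings.append("missing evidence: " + ", ".join(sorted(missing)))
    if supplier.rto_hours is None:
        findings.append("no firm RTO commitment for " + supplier.supply)
    elif supplier.rto_hours > tolerance_hours:
        findings.append(f"supplier RTO {supplier.rto_hours:g}h exceeds our tolerance of "
                        f"{tolerance_hours:g}h for {supplier.supply}")
    return findings


def assurance_report(suppliers, tolerances):
    """Map each supplier to its findings, most critical tier first, so the
    remediation queue starts with the gaps that threaten critical activities."""
    ordered = sorted(suppliers, key=lambda s: (s.tier, s.name))
    return {s.name: assess_supplier(s, tolerances[s.supply]) for s in ordered}


# Constructed sample data: the organization's tolerance per supply, in hours,
# and three suppliers at different levels of assurance.
TOLERANCES = {"castings": 48, "controllers": 48, "packaging": 240}
SUPPLIERS = [
    Supplier("S1", 1, "castings", 24, EVIDENCE_BY_TIER[1] | {"audit_report"}),
    Supplier("S2", 1, "controllers", 96, {"bia", "bc_plan"}, questionnaire_only=True),
    Supplier("S3", 3, "packaging", None, {"bc_plan"}),
]

if __name__ == "__main__":
    for name, findings in assurance_report(SUPPLIERS, TOLERANCES).items():
        print(name, "OK" if not findings else findings)
```

In the sample, S1 passes, S2 (a critical supplier that only answered a questionnaire and commits to a 96-hour recovery against a 48-hour tolerance) collects three findings, and S3 is flagged only for the missing RTO commitment; the RTO comparison is the check that turns “do you have a plan?” into “can you return to supply before we stall?”.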

ISO 28000 Security Management Systems for the Supply Chain (October 2007)
Provides requirements and guidance for organizations in international supply chains to:
• Develop and implement supply chain security processes
• Establish and document a minimum level of security within a supply chain or segment of a supply chain
• Assist in meeting the applicable authorized economic operator (AEO) criteria set forth in the World Customs Organization Framework of Standards and conforming to national supply chain security programs

ISO 28000 defines a set of security management requirements. If your organization is part of a supply chain, ISO 28000 expects you to establish a security management system (SMS) that complies with these requirements. It then expects you to use this system to protect people, products, and property. An SMS is a network of interrelated and interacting elements that combine to resist, fend off, or withstand unauthorized acts that are designed to cause intentional harm or damage to a supply chain. These elements include a security management policy as well as the many objectives, targets, programs, procedures, plans, practices, processes, controls, documents, records, roles, relationships, responsibilities, authorities, and resources that are used to implement this policy.

Security of Cargo
Cargo Management – Protecting cargo during all steps of the manufacturing, shipping and transport processes:
• Efficient prevention, detection and reporting of shipping process anomalies (continuous review of routes and schedules; alerts management)
• Adequate inspections during the shipping process (at points where liability changes; of packaging materials and vehicles before they come into contact with cargo).

SUPPLY CHAIN SECURITY MANAGEMENT: AN OVERVIEW
Juha Hintsa, Dr. Philippe Wieser, Ximena Gutierrez, Dr. Ari-Pekka Hameri
HEC University of Lausanne; Ecole Polytechnique Fédérale de Lausanne; Cross-border Research Association (CBRA), Lausanne, Switzerland
Multiple types of responses and actions have been undertaken by different governmental organisations, international organisations and businesses to enhance global supply chain security. These reactions range from country-specific operational regulations to global research programs. They have different originating agents and they target specific goals. However, a closer analysis of the concrete security measures promoted by each initiative showed that there are several areas in which they overlap or at least are interconnected. For instance, it was observed that the practical SCSM measures proposed by various initiatives typically fall into the following five intuitive categories (for more details see Gutierrez et al. 2006). It was observed that Cargo management is emphasised by most of the prevailing security initiatives. Facility management and Human resources management are mainly mentioned in supply chain security programs created either to enhance Customs administrations’ security control capacity or to reduce specific industry/geography vulnerability. It was noted that practical measures falling into the Information management category are a very important component of the efforts to enhance Customs administrations’ control capacity.
For instance, the 24-hour advance manifest rule and 96-hr notification of vessel arrival are part of the few existing mandatory measures, and consist of managing the information flow on cargo in such a way that the risk can be detected before the physical flow arrives at the border. Finally, the fifth category provides the broadest view of SCSM. Measures that fall into this category appear to be less straightforward to implement. There might be multiple potential good ways to implement them and different criteria to decide upon the required security level for a company, depending on its specific situation. In addition, it is highly probable that the implementation of these measures will require changes at strategic levels.
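The cargo-management detection measures from the slide above (route and schedule review, inspections at liability-change points), as an added example that is not from the ICOR slides or the Hintsa et al. paper: a planned route is compared with tracking events to raise alerts for unplanned stops, stops out of planned order, schedule slips beyond a tolerance, custody-change points with no recorded inspection, and planned stops never reported. Locations, times and the 4-hour tolerance are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PlannedStop:
    location: str
    due_hour: float        # planned arrival, hours after departure
    custody_change: bool   # liability transfers here, so an inspection is required
@dataclass(frozen=True)
class TrackingEvent:
    location: str
    hour: float            # actual arrival, hours after departure
    inspected: bool        # inspection of packaging/vehicle recorded at this stop

def review_shipment(plan, events, late_tolerance_hours=4.0):
    """Compare tracking events with the planned route/schedule; return alert strings."""
    alerts = []
    order = {p.location: i for i, p in enumerate(plan)}
    by_loc = {p.location: p for p in plan}
    last_index = -1
    for ev in events:
        if ev.location not in by_loc:
            alerts.append(f"{ev.location}: unplanned stop at hour {ev.hour:g}")
            continue
        idx = order[ev.location]
        if idx <= last_index:  # revisiting or skipping back along the planned route
            alerts.append(f"{ev.location}: out of planned route order")
        last_index = max(last_index, idx)
        planned = by_loc[ev.location]
        delay = ev.hour - planned.due_hour
        if delay > late_tolerance_hours:
            alerts.append(f"{ev.location}: arrived {delay:g}h late (tolerance {late_tolerance_hours:g}h)")
        if planned.custody_change and not ev.inspected:
            alerts.append(f"{ev.location}: liability changes here but no inspection recorded")
    seen = {ev.location for ev in events}
    for p in plan:  # a planned stop with no event is itself an anomaly worth reporting
        if p.location not in seen:
            alerts.append(f"{p.location}: planned stop never reported")
    return alerts

# Constructed sample route and tracking events (hypothetical locations, not real shipments)
PLAN = [PlannedStop("Factory A", 0, False), PlannedStop("Port X", 10, True),
        PlannedStop("Port Y", 60, True), PlannedStop("Warehouse B", 70, False)]
EVENTS = [TrackingEvent("Factory A", 0, True), TrackingEvent("Port X", 12, True),
          TrackingEvent("Truck stop Z", 30, False), TrackingEvent("Port Y", 68, False),
          TrackingEvent("Warehouse B", 75, True)]

if __name__ == "__main__":
    for a in review_shipment(PLAN, EVENTS):
        print("ALERT:", a)
```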

Security of Facilities
Facility Management – Guaranteeing the security of the facilities where goods are manufactured and cargo is stored and handled.
• Optimal warehouse/terminal layout design (entry/exit controllability; clearly marked control areas; sufficient lighting)
• Efficient facility monitoring (24-hour camera system; security guards; filming of container loading and picking activities).

Security of Information
Information Management – Protecting critical business data and exploiting information as a tool for detecting illegal activities and preventing security breaches.
• High protection of business information/data (management procedures and storage methods designed to protect information from unauthorized access and usage)
• Accurate and complete recordkeeping of shipping information for potential security audits (improved recordkeeping methods; quality control of records; error correction).

Security of Personnel
Human Resources Management – Guaranteeing the trustworthiness and security awareness of all personnel with physical or virtual access to the supply chain.
• Professional employee hiring/exit process (background checks; exit interviews for departing or dismissed employees)
• Efficient information dissemination process (internal and external publication of the company’s security policies).

Security of Company
Company Management Systems – “Building security” into internal and external organizational structures and company management systems, including supplier, partner and client management processes.
• Adequate business partner evaluation system (selection of low-risk, security-compliant suppliers, clients and subcontractors)
• Complete company security management system (defined security processes; defined and controlled security indicators; internal and external audits).

Vulnerability Map
A vulnerability map categorizes the relative likelihood of potential threats to an organization and the company’s relative resilience to such disruptions. Such maps can then direct management attention and prioritize the planning.

Mapping by Key Process Area & Readiness
SCRM Maturity Model (figure, from PDF)

SCRM Maturity Levels

In Summary
Using the management system described by ISO 31000 to manage risks across the supply chain can mitigate risks and minimize supply chain interruptions. An organization’s procurement specialists need to understand the importance of different suppliers and provide assurance that contracted services can be provided even during a disruptive incident. Supply chains also face risks related to the security of logistics (cargo, facilities, information and personnel); these also need to be managed.

Questions?
Lynnda Nelson, President, ICOR
Lynnda@theicor.org
866-765-8321 (North America)
+1 630-705-0910 (International)
www.theICOR.org