TMCnet News

A Framework for Protecting Your Supply Chain
[May 01, 2008]


(Supply Chain Management Review Via Acquire Media NewsEdge) Increased threats of terrorism require heightened awareness of company and supply chain security. In the past, firms may have considered only the potential threat to their firm when considering defense protection. However, given the interconnectedness of companies, products, and transportation infrastructure in today's high-speed global supply chains, there is growing concern that disruptions can reach beyond an individual firm, which leads to the need for a broader supply chain defense framework.



As such, firms must proactively enhance their supply chain resiliency against terrorism. They need to enhance overall security as well, in order to protect customers, the public, and brand equity. This starts with understanding the five key potential adverse consequences of supply chain security failures:

A terrorist attack against a firm's supply chain might cause widespread disruption to customer delivery capabilities leading to a loss of short-term revenue and creating a service failure.


There could be reduced brand equity if customers believe the attack occurred because of a supply chain security failure resulting from neglect.

Loss of revenue could lead to investor discontent with the firm's performance, and the subsequent sale of equity investments.

This disruption could also increase regulatory scrutiny.

A terrorist attack could result in significant legal liability.

While the above are likely the primary consequences for the target firm, secondary consequences extending beyond the target firm to include other supply chain partners are also possible. If supply partners perceive the attack was due to the firm's insufficient security efforts, the supply chain relationship would suffer and could potentially be dissolved.

Since supply chains are vulnerable to attack and security failures, supply chain defense has become an increasingly important issue for both practitioners and researchers. Unfortunately, a comprehensive framework for securing the supply chain has not been created. This article discusses such a framework that integrates supply chain security, disaster management, and criminal justice literature to guide practitioners in organizing security initiatives.

The challenges associated with supply chain defense are significant, particularly in today's environment where numerous entities are involved in cross-organizational and particularly cross-border movement in which product changes hands multiple times. The number of parties involved in these exchanges creates significant challenges when one considers that defense efforts of one firm can be nullified by the inattention or inadequacy of a single supply chain partner.

Several factors make most supply chains vulnerable to attack. Much of the supply chain is largely unguarded and only the most visible elements (such as individual facilities) are regularly protected. Furthermore, the magnitude and interconnectedness of the supply chain infrastructure makes total protection infeasible. Just consider the scope of infrastructure in the U.S.: the number of highways, rail track, waterways, airports, and pipelines. A major disruption in one mode stands to affect the capabilities of the others.

Finally, the sheer magnitude of global commerce presents another significant hurdle. The vast majority of international imports are transported using cargo containers. Efficiently ensuring that these containers carry only appropriate cargo is a daunting task, not to mention the difficulty in securing the thousands of containers, trailers, and railcars used for domestic movement.

Beyond the size and scope of the infrastructure, there are significant costs associated with protecting the supply chain. The cost of supply chain security is anticipated to exceed $151 billion annually. In addition, reallocation of security funds may force governments and firms to spend less on initiatives that could improve long-term operational efficiency and effectiveness, such as infrastructure improvements. This could negatively impact delivery reliability and process variability resulting in increased supply chain inventory.

Defining And Scoping Supply Chain Security

Supply chain management security has been defined as:

"The application of policies, procedures, and technology to protect supply chain assets (product, facilities, equipment, information, and personnel) from theft, damage, or terrorism, and to prevent the introduction of unauthorized contraband, people, or weapons of mass destruction into the supply chain."

This definition implies that effective supply chain security management seeks to prevent supply chain assets from being a target of terrorism or used as a method to facilitate terrorism through effective application of management policies, procedures, and technology. A number of observations can be drawn from this definition. First, supply chain assets are defined as not only the equipment and facilities used to carry out supply chain processes, but also the product, information, and human resources required to operate the supply chain. Therefore, supply chain protection does not stop with securing a facility through gates and locks. It extends to the protection of products and people involved in supply chain activities, as well as the internal and external information flows across the supply chain. Second, supply chain defense is not simply a matter of ensuring the safety of these assets, but also preventing theft, damage, and unintended intrusions that could disrupt supply chain operations.

A second important dimension of our definition is that it provides a platform to distinguish among unique but interrelated constructs: risk, protection, and safety. A firm or supply chain implements security measures to protect against potential risks. A risk involves the assessment of the likelihood and magnitude of a possible event that could result in a loss for the firm. The supply chain literature has identified a number of risks, including those that are internal to the supply chain (supplier facility destruction, supplier bankruptcy, labor disputes, and other factors) and those that are external to the supply chain, such as natural disasters, acts of war, and acts of terrorism. These types of events can lead to supply chain disruptions, delays, and inventory loss. Supply chain security attempts to render a firm, or supply chain, less susceptible to risk. Most firms further develop plans to protect themselves and their supply chain against low-impact, frequently occurring risks, such as a machine breakdown. Fewer have proactively planned for and developed comprehensive response systems for high-impact, low-likelihood risks, such as terrorist acts.

Supply chain security management, as we've defined it, serves as a means to mitigate supply chain risk. Security initiatives protect a firm from terrorist activity and thereby protect its products and brand image from harm. Security initiatives may also ensure the safety of customers by protecting them from product defects/contamination while increasing the integrity of the supply chain by minimizing breakdowns or other low-impact failures.

Reasons To Implement Security

Brand protection is a primary reason for enhancing security. Practitioners fear that product contamination may damage customer perceptions of their brand. Related to brand equity are the issues of brand piracy, gray markets, and product counterfeiting. Firms secure supply chain assets in order to reduce theft and provide product origin assurance for customers.

Customer security requirements also drive security implementation. To protect themselves, firms now are requiring greater security from their suppliers. Whether this requirement comes in the form of quality certification programs, audits, or other security initiatives (like the Customs-Trade Partnership Against Terrorism, C-TPAT), firms need to be more vigilant about knowing who is involved in the manufacturing and/or distribution of their products and set requirements that can be regularly monitored.

Government pressure is another significant driver. While many initiatives such as C-TPAT are voluntary, the government has also enacted regulatory measures. The Bioterrorism Act of 2002, for example, requires that firms engaged in food processing be able to trace raw materials and finished goods one step up, and one step down, the supply chain.

While these drivers are prompting firms to be proactive in establishing security programs, many managers are still myopic regarding their firm's vulnerability and have been slow to initiate security programs. One possible explanation is that managers feel their firm will not be the target of a terrorist attack. Other managers may believe that their security obligations end when goods are transferred to another supply chain partner.

Why Do We Need A Framework?

A comprehensive supply chain security framework is needed for many reasons. While supply chain managers are greatly concerned about security, many are unsure about how to move forward with a comprehensive security plan. Part of the reason for this uncertainty is the preponderance of existing recommendations but few explicit standards. There are many lists of what to do, but limited practical guidance on how to do it. Furthermore, implementing these recommendations is a costly endeavor and research has shown that it's difficult to pass these costs on to customers.

Adding to the complexity of "what should we do" is the specificity of each terrorist opportunity. Each distribution center, each trailer, each firm, and, ultimately, each supply chain offers targets with different challenges associated with providing sufficient protection. To provide sufficient defense, firms and supply chains must carefully assess specific business policies and processes throughout the overall supply chain. The unique nature of each business/supply chain coupled with the specificity of each crime opportunity makes it difficult to offer broad defense advice that assures sufficient protection. Thus, the suggested framework characterizes the broad range of security initiatives to enable firms to apply elements of the framework within the unique attributes of their supply chain.

The Security Framework

Our framework extends the considerations regarding terrorism prevention into a broader supply chain perspective (see Exhibit 1). This framework identifies core competencies that firms must develop in order to protect themselves, their supply chains, and their customers.

From the terrorist perspective, a successful incident requires the confluence of an offender, target, and location somewhere in the supply chain.4

As illustrated in the exhibit, the core supply chain members (manufacturer, distributor, and retailer) are interconnected by product and information flows, as shown by the circular pipe traversing through the diagram. In addition, service providers (carriers, warehouses, and third party logistics providers) may also link with core supply chain members. The supply chain members also share appropriate product and security information with federal, state, and local government agencies (public interface management) as well as through effective communication with consumers and the public.

Within this framework, ten security competencies are required within and across each firm in the supply chain.

Security competencies are created through the development of security capabilities such as infrastructure, processes, assets, and resources that achieve and maintain supply chain security. The following section discusses each competency. Exhibit 2 defines each competency while Exhibit 3 gives company examples of each competency.

1. Process Strategy

Implementing an effective security environment requires strong executive commitment and a culture that puts a premium on security. Top management needs to encourage frank discussions regarding the importance of security, both for the safety of stakeholders and to maintain the value of the firm's brand. Top management must be visible in their commitment and dedication to implementing security initiatives. Some firms have created a "chief security officer" position to provide additional structure to security initiatives. Additionally, through training and sharing of threat information, executives need to foster a culture that strongly emphasizes security.

2. Process Management

Process management describes the procedures and actions taken to ensure the security of each activity involved with the purchase, manufacturing, and distribution of raw material into a facility and finished product out of a facility. Process management also requires in-depth understanding of firm and supply chain processes in order to identify vulnerabilities that may cause disruptions. Process management includes the use of simulated incidents to test the integrity of procedures and processes. These simulated incidents often focus on a formalized disaster management process that includes planning, detection, response, and recovery procedures.

3. Infrastructure Management

Infrastructure management addresses the manner in which a firm secures its physical premises and products. This includes access control for employees and non-employees entering facilities (or areas within facilities), employee background checks, security of empty and loaded trailers before and during transport, and guards, among other measures. These are the most basic and common methods used to increase security as they serve to form a "perimeter" guarding against unauthorized entry.

4. Communication Management

Firms need to develop strategies to share potential threat and security information internally with employees and provide communication channels for employees to use when a potential threat exists or incident occurs. Threat awareness and security training programs need to be developed in this regard. Similarly, the working environment may need to be changed to identify and challenge unknown personnel in a facility. In this sense, communication management is related to process strategy. Communication management tools are used to implement a security culture.

5. Management Technology

Management technology is applied to detect a potential security threat or incident, and to share timely and reliable information internally and externally. Information systems provide a first-defense mechanism to understand trends in product contamination and missing shipments, as well as to identify the root causes of these occurrences. These information systems are also critical in obtaining and sharing information with suppliers, customers, third party service providers, and government agencies to identify potential problems or recovery actions at the intersection between firms.

6. Process Technology

Process technology involves the presence, use, and ability of information systems to track product movement and monitor processes internally and across the supply chain. Process technologies include the use of tracking technologies, such as RFID and smart-seals, and process improvements. Many firms have not progressed beyond implementation of physical security measures (gates, guards, and cameras) and thus have yet to gain the potential advantages that may come from tracking technologies. These advantages represent another avenue through which security may "pay for itself" through, for example, enhanced labor productivity, reduced theft, and product/equipment recovery after theft.

7. Metrics

Security metrics involve the continuous development, testing, application, and redefinition of guidelines measuring security-related procedures, plans, and capabilities. Metrics might be implemented to comply with specific guidelines, such as those of a customer or government agency, or the metrics may be developed and captured by the firm to assure adherence to security guidelines. Similarly, a firm may conduct audits or have an external entity certify that current procedures and processes are in place to increase security.

8. Relationship Management and 9. Service Provider Collaboration Management

These competencies are critical to the discussion of supply chain security. The reason: a company cannot create a supply chain protection program alone; it must work collaboratively with other supply chain partners. Collaboration with external entities (customers/suppliers and service providers) is necessary to ensure that security procedures are communicated and followed. Global relationships present added security difficulties as the target firms are often unable to monitor these partners and protect against theft, contamination, or insertion of unauthorized counterfeit cargo.

10. Public Interface Management

Public interface management describes the security-related relationships and exchanges of information with the government and the public. Forging relationships with U.S. government agencies is a critical corporate capability to protect against terrorist acts. Firms may actively guide and participate in the development of government standards or security initiatives. Similarly, they should develop well-defined processes for systematically monitoring and synthesizing information coming from public entities regarding possible threats. At the same time, they need to develop processes to communicate with appropriate government officials and the public should an incident occur.

Getting Started

The logical question for supply chain practitioners is how to get started along this security framework. As a part of this research completed under the sponsorship of the U.S. Department of Homeland Security, the research team developed a spreadsheet benchmarking tool that is available online, at no cost, to allow firms to compare their practices both internally across their organization and divisions as well as to benchmark their practices against organizations demonstrating high security performance. The spreadsheet and the food research summary are available at http://www.bus.msu.edu/msc/SCMExecBrief/.

The spreadsheet provides a framework and a tool to allow a firm to complete both an internal assessment and an external benchmark. The internal assessment begins when individuals representing multiple functions and divisions within the firm complete the questionnaire. The questionnaire asks each individual to assess their firm's emphasis on the security initiatives contained in the framework. The spreadsheet then summarizes the perceptions of the multiple respondents by providing a minimum, mean, and maximum score. A review of the minimum, mean, and maximum score for each initiative and competency can stimulate substantial discussion regarding the consistency of perceptions across functions and divisions. The discussion is useful to synthesize a common perception regarding security initiatives that enhance the firm's ability to develop a common direction for enhancing security capabilities.

Once the firm and/or division has developed a common perception of security activities, the second step, the external benchmark, is to compare the firm's security capabilities to those of the highest performing firms from this research. The benchmark score is the mean score for an initiative or competency plus one standard deviation. The result is that only 15 percent of the firms report a score above the benchmark. The relative values of the industry average and benchmark for the initiatives and the capabilities provide insight into which security practices are being applied. While the benchmark in this instance is based on information from firms in the food industry, other industries can apply the benchmark standards with good results.

When a firm or division uses the benchmark tool to compare their competency scores to those of the top performing food firms, the spreadsheet calculates the difference between the firm's response and the benchmark response. These differences, or gaps, for each competency can help identify those competencies that need the most attention.

Frameworks play an important role in identifying key concepts and establishing conceptual boundaries for researchers and practitioners. The proposed framework is particularly useful in supporting both goals. The framework's multi-disciplinary development increases the likelihood that the critical concepts have been incorporated. Further, the careful definition of security relative to other key constructs, risk and safety, provides the conceptual clarity to distinguish the competencies identified in this framework from other concepts. Delineating the boundaries of which concepts are part of supply chain security and which are outside facilitates the quality, breadth, and depth of a robust security research stream. The combination of framework, questionnaire, synthesis of internal firm perceptions, and benchmarking provides the firm with a structured approach to determine its relative supply chain security competency. Importantly, the resulting gap analysis and the practices suggested can provide invaluable direction regarding future security initiatives.

It is possible that supply chain security is nothing more than good business. It's hard to argue that firms should not hire trustworthy employees, lock their doors, share relevant information both internally and externally, track inventory, and protect their product and assets to ensure firms' long-term viability and the safety of their customers. Firms should use the framework presented here to build a security culture into their strategic and operational objectives, not just when it is legislated or required by customers, but because doing so stands to benefit all parties involved, particularly end consumers.

This research was supported by the U.S. Department of Homeland Security (Grant number N-00014-04-1-0659), through a grant awarded to the National Center for Food Protection and Defense at the University of Minnesota. Any opinions, findings, conclusions, or recommendations expressed in this publication are those of the authors and do not represent the policy or position of the Department of Homeland Security.

David Closs is a professor of business administration at Michigan State University. Cheri Speier is a professor of information systems at Michigan State University. Judith Whipple is an associate professor of logistics at Michigan State University. M. Douglas Voss is assistant professor of marketing and logistics at the University of Central Arkansas.

References

Russell, Dawn M. & John P. Saldanha (2003), "Five Tenets of Security-Aware Logistics and Supply Chain Operation," Transportation Journal, 42(4), p. 44-54.

Closs, David J. and Edmund F. McGarrell (2004), "Enhancing Security Throughout the Supply Chain," IBM Center for the Business of Government, available at www.businessofgovernment.org, pgs. 52.

Adopted from Aberdeen Group (2004), "How Supply Chain Leaders Protect Their Brands: A Benchmark Report on Regulatory Compliance and Product Safety Mandates for Food, Pharmaceuticals, Consumer Products, and Medical Devices," September; and EyeforTransport Global Research (2004), "North American Supply Chain Security - An Analysis of EyeforTransport's Recent Survey," July.

Felson, M. and R.V. Clarke (1998), "Opportunity Makes the Thief," Police Research Series Paper 98, Policing and Reducing Crime Unit, Research, Development and Statistics Directorate, London: Home Office.

Copyright © 2008 Reed Business Information. All Rights Reserved.
