Presentation for the Bio Supply Management Alliance webinar "Identifying Risks in the
Biotech Global Supply Chain:
TECHNIQUES AND CHALLENGES"
This webinar was presented on June 18, 2009. The sponsors for the webinar were Marsh, Deloitte, and APICS Golden Gate Chapter
This Webinar was presented on Thursday, June 18, 2009.
The audio can be found on http://www.biosupplyalliance.org/identifying-risks-webinar.html
Duration: 110 Minutes
2. About Rita Mulcahy, PMP
• Founder and CEO of RMC Project Management, Inc.,
one of the fastest-growing project management
training companies in the world
• Founder and CEO of RMC Publications, Inc.
• An internationally recognized expert on project
management
• 15 years and $2.5 billion worth of hands-on project
experience
• Products and classes have helped hundreds of
thousands of project managers world wide
2
10. Biotech Supply Chain Academy
Risk Identification: Improving the Health of your Supply Chain
June 18, 2009
- 10 -
11. A Risk Intelligent Approach
Recognizes and manages the full spectrum of risks the organization faces
Minimizes “siloed” behavior that can obscure an integrated view of risk
Allocates proportionally more resources to the most strategic and pertinent risks
Considers effective risk management to be an organization-wide responsibility
and competency
Anticipates and prepares integrated responses to risks
Manages risk with a view toward maximizing the upside of strategic decisions
while minimizing the downside
Acknowledges the need to take intelligent risks to create value
- 11 -
13. Scope of Supply Chain Risks
Risk Intelligence
Strategy & Operations /
Governance Compliance Reporting
Planning Infrastructure
Supply Chain
Planning Sourcing Production Delivery Returns
Inaccurate demand / Inability to procure Inefficient production Unreliable 3PL service Poorly defined /
supply forecast goods / raw materials planning process providers unenforceable return and
cost effectively and credit policies
Inadequate capacity Inadequate quality control Failure to optimize lead
constrain volatile
planning measures time for supplies / Inefficient return handling
material costs
distribution processes
Inaccurate costing Inability to control
Inadequate supplier
considerations variations in production Inappropriate network Poor forecasting / trend
selection process
design analysis of returns
Inability to determine and Inability to manage third
Inadequate quality of
maintain optimal safety party manufacturers Inefficient order Inadequate planning for
goods and raw materials
stock management and reverse logistics
Lack of operational
Over-reliance on sole verification process
SKU proliferation uniformity across Inefficient recall
source vendors
production facilities Inefficient inventory and management processes
Inability to manage channel management
Inefficient warehousing / Inadequate chargeback
contract compliance and processes
inventory management reconciliation processes
sustain sourcing savings
processes Breakdown in cold chain
integrity
Lack of manufacturing
flexibility to react to Product diversion
disruptions
- 13 -
14. Impact of Life Events on a Company’s Risk Profile
Pipeline
1. Search and Development
Supply Chain Risk
2. Product Commitment
1 Clinical supply risk
Life Events
3. Scale Manufacturing Capability
2 Raw material quality
4. Commercialization
3 Managing contract manufacturers
4 Forecast accuracy
5. Merger, Acquisition & Divestiture 5 Supply chain integration
6 Cold chain integrity
* 6. Unexpected Occurrences
Growth
Stage
- 14 -
16. Supply Chain Health-Check
ILLUSTRATIVE Sourcing Health-Check Survey:
Supply base profile
- To develop baseline spend and
supplier profile data
- Identification of risk factors, nature,
and degree of risk factors
- Historical supplier failures
Supplier management practices
- Gain an understanding of existing
supplier selection, tracking, and
control mechanisms
- Identify weaknesses and areas of
“risk leakage”
Risk management practices
- Risk ownership and organizational
structure
- Existing risk controls and monitoring
practices
- 16 -
17. Risk Assessment Matrix
ILLUSTRATIVE
Managing Contract Manufacturers
High
3
1
4
2
Medium
Impact
Size reflects Speed of Onset:
Low
Medium
Low
High
Low Medium High
Vulnerability
Vulner- Speed of
Stakeholder Group Impact
ability Onset
1 Executive Team 72 68 60
2 Business Unit / Product Lead 65 51 57
3 Supply Chain Manager 79 71 83
4 Legal / Compliance 70 59 55
- 17 -
20. Webex Document
Best Practices
Supply Chain Risk Identification
Gary S. Lynch, CISSP
Marsh
Global Leader & Managing Director
Supply Chain Risk Management Practice
212 345 6053
gary.lynch@marsh.com
Marsh- All Rights Reserved
www.marsh.com
21. Today’s Discussion focuses on one element of
Supply Chain Risk Management - Risk
Identification
Risk Risk Risk Pricing, Risk Prevention,
Segmentation/ Identification, Measurement, Mitigation,
SKU Analysis, & & &
Rationalization Evaluation Modeling Financing
Alignment
Priotization
Impact Modeling
Electronics
Machinery
Services
Manufacturing
& Service
Products
Marsh 21
22. Supply Chain Risk Identification has
traditionally been performed on a static and/or
historical view… failures
Supplier
(financial,
production, design,
etc.) Spoilage
Delivery delays
Raw Materials
Poor packaging
Price,
currency, and
Improper
interest rate
Manufacturing handling
fluctuations
Unanticipated Counterfeiting/diversion or cargo
supply placement
constraints,
allocation,
Filling & Packaging
price Diversion/
increases gray market Unanticipated
Distribution demand surge
Political Center or drop-off
upheaval
Natural hazards Wholesaler
Infrastructure
outages (fire in Work
plant, power grid Theft Consumer
Pandemic stoppages
down, etc.)
Labor
disputes
Source: Marsh
Marsh 22
23. …and typically applied to the latest event
(Risk De Jour)
Volatility
– Energy
– Foreign exchange
– Commodity pricing
Trade credit issues
Pandemic threat
Regulatory change
– Nationalization
– Customs
Information and cyber-based
CHANGE…COMPLEXITY…SPEED…VARIABILITY
Marsh 23
24. Economic & Financial Political & Social Brand/Org Reputation Weather Environmental &
• Economic collapse • Government policy and/or attitude change • Product & service • Hurricane, typhoon, tropical cyclone Man-Made
• Currency devaluation • Confinement or imprisonment of • Liability, recall & failure • Rising water, wind, projectiles
employees/family • Chemical, biological, radioactive, and/or
• Labor disputes, strikes or unrest • Obsolescence • Earthquake nuclear
• Lawlessness & hostile demonstration
• Labor shortage • Counterfeiting • Tornado & waterspouts • Fire and/or explosions
• Regulatory change
• Major decline in stock price, earnings or • Organization • Rising water (flood, tidal wave, tsunami - • Water/soil contamination
significant volatility • Civil unrest non hurricane caused)
• Government or regulatory • Public utility failures
• Major market fluctuations • Government expropriation or renegotiation investigation • Wildfire
of royalty streams • Asbestos & mold
• Decline in major earnings • Special interest group (NGO) protest • Mudslides
• Government change in tax regime or inquiry • Emissions levels & waste clean-up
• Cash flow/liquidity crunch • Extreme heat
• Unfavorable dividend & share sale proceed • Community action as a result of • Noise/dust pollution
• Hostile takeover • Extreme cold
transfer organization’s product, people and/or
• CO2 and/or other hazardous gas and liquid
• Bankruptcy technology • Climate change
• Military coup emissions
• Other financial: derivatives, investment, • Human rights abuses
• Unilateral expropriation • Liquefaction
credit, interest rates, transfer velocity,
• Rumors, gossip & hoaxes
collateral • Nationalization • Building, mine, facility collapse or
• Libel & slander condemned
• Poor customer satisfaction • Water leaks and/or floods
• Marketing blunder • Insect infestations
Strategy
Psychopathic, Criminal & Terrorist
Many organization’s risk
• Unanticipated competition
• Product tampering
• Product misplacement
• Terrorist acts
• Disintermediation
identification process is about
• Arson & explosion
• Poor marketing strategy
• Industrial/economic espionage
• Poor sales strategy
• Sabotage
• Failure to innovate
• Kidnap
looking for a particular threat
• Extortion
• Fraud
• Theft
in a complex supply chain
• Terrorist using product or materials as
weapon
• Workplace violence
network
• Suspicious mail/package
• Counterfeiting
Source: Gary S. Lynch, “Single Point of
Failure”, Wiley 2009
Informational Technology Operational Compliance & Governance Health
• Loss of proprietary and/or confidential • Technology hardware failure • Project management failure • Non-compliance (labor, environment, • Epidemic or pandemic (e.g. TB, SARS,
data (e.g. privacy, trade secrets) security, safety, quality, etc.) Avian Flu)
• Technology software failure (rogue code, • Out of stock
• Information integrity and quality issues viruses, poor quality) • Legal • Long-term health issues
• Sourcing failure
• Loss of key customer, supplier, marketing, • Capacity issues • Regulatory
production, and/or financial data • Pricing misalignment
• Performance issues • Statutory
• Change control failure
• Other malicious acts • Contractual
• Transportation/logistics accident
• Technology obsolescence and/or lack of • Class action or mass tort lawsuits
relevance • Walkouts, slowdowns & strikes
• Corporate governance issues and
• Disruptions, delays (piracy, seizure) whistleblowers Labor
• Leakage • Executive misdeeds, bribes, offenses,
• Restricted access security and/or code of conduct violations • Human resource failures
• Infrastructure deterioration or • Oversight, over-extended authority, • Defections & resignations
obsolescence accidents, errors, & commissions
• Inability to attract/retain talent
• Labor & skills shortage
• Sexual harassment, workplace
discrimination, wrongful dismissal
Marsh 24
25. However, this approach can be quite
challenging, limiting and inefficient
Risks are identified:
Based on what’s known and/or past performance
Usually within narrow boundaries instead of across the entire
scope of the supply chain
And impacts are usually presented quantifiably rather than a
combination of quantified and qualified
But the identification is only as good as the “third party” that
conducted review
But a provision for the impact of constant, rapid change is not
considered
Marsh 25
26. Best practices today are moving away from
the static or historical view…
Static methods (today)
– Audit
– Assessment
– Simulation
– Actuarial and similar quantitative techniques
– Benchmarking
– Monte Carlo
Marsh 26
27. … and evolving into a more proactive and
integrated model
Dynamic &
Integrated
Intelligence
based (learning) Anticipatory,
Instinctive &
Transparent
Predictive
(collective intuition)
Trigger & Proactive
Demand Driven
Static Reactive
Passive
Marsh 27
28. These risk identification are then applied to
the extended supply chain, at a detailed
(resource) level
T3 T2
Mill S S
T3 T1
T3 T2
Mill
Mining Auto
OEM Buy/Sell S S
Co. T3 S T1 OEM
T2
Mill
S T3
Mining T1
S
Co. Mill
T3
T2
S T3 T2
Mill
Source: Marsh, Inc.
Technology & Physical
People Relationships
Processing Assets
Marsh 28
29. But all identification techniques must support
and feed the entire risk management “system”
Preparation, risk management, before the risk is triggered
Reaction, risk management, when the risk is realized
Maintenance, risk management, when the risk is being monitored,
measured or validated
Optimization, risk management, when measuring the efficiency and
effectiveness of the program
Marsh 29