Homeland Resilience: Operational Risks in the Supply Chain...

The U.S. Homeland Security Intelligence (HSI) priorities, are good indicators of what the private sector can expect for government intelligence focus, coordination, cooperation and collaboration.

Operational Risks to business operations in the United States, are ever more so complex and increasingly tied to the supply chain security of the Homeland.

In many cases, the private sector has the answers, that can pave the way for improved relevancy and accuracy of information for the government. This translates to greater Operational Risk Management (ORM) insight, that would not previously be known.

It also enhances the clarity of the insights already known, by our Homeland Security Intelligence mechanisms.

Here are a few of the top of mind categories, that the Private Sector and the Public Sector could be forging new partnerships and strategies together:

• Global Maritime Shipping
• International Banking & Finance
• New and Developing E-Commerce & Artificial Intelligence Technologies
• Application and Use of Social Media - Charting Cultural Topography
• Modeling Human Behavior - Patterns and Applications of Usage
• Nanotechnology
• Robotics and Automation - New and Developing Technologies and Uses

Why should the private sector be working on these and sharing what they know with the appropriate channels in the U.S. Government? For one, to reduce your own Operational Risks, as you run your business operations across the country and as you operate on a more global basis. Overall, Homeland Security is reliant on a Resilient "Global Supply Chain".

International trade has been and continues to be a powerful engine of United States and global economic growth. In recent years, communications technology advances and trade barrier and production cost reductions have contributed to global capital market expansion and new economic opportunity. The global supply chain system that supports this trade is essential to the United States’ economy and is a critical global asset.

Through the National Strategy for Global Supply Chain Security (the Strategy), we articulate the United States Government’s policy to strengthen the global supply chain, in order to protect the welfare and interests of the American people and secure our Nation’s economic prosperity.

Our focus in this Strategy, is the worldwide network of transportation, postal, and shipping pathways, assets, and infrastructures by which goods are moved from the point of manufacture until they reach an end consumer, as well as supporting communications infrastructure and systems. The Strategy includes two goals:

Goal 1: Promote the Efficient and Secure Movement of Goods – The first goal of the Strategy is to promote the timely, efficient flow of legitimate commerce while protecting and securing the supply chain from exploitation, and reducing its vulnerability to disruption.

Goal 2: Foster a Resilient Supply Chain – The second goal of the Strategy is to foster a global supply chain system that is prepared for, and can withstand, evolving threats and hazards and can recover rapidly from disruptions.

One of the vital linchpins for these goals to occur, will be a converged and globally accepted management system for supply chain resilience. This blog has discussed ISO 28000 in the past and the U.S. White House has published the policy direction for this and is a private sector imperative:

ISO 28002 Standard for Resilience in the Supply Chain

ISO 28002:2011 specifies requirements for a resilience management system in the supply chain to enable an organization to develop and implement policies, objectives, and programs, taking into account legal, regulatory and other requirements to which the organization subscribes; information about significant risks, hazards and threats that may have consequences to the organization, its stakeholders, and on its supply chain; protection of its assets and processes; and management of disruptive incidents.

For those private sector organizations that are for some reason not familiar with the ISO 28002, you should be.

It is the path towards creating a more resilient private sector, that will have the lions share of responsibility for keeping the supply chain operating after any significant disruption, whether physical, cyber or both.

So what?  So what does all of this mean for the Operational Risk Management Professional of a U.S. business today?

It means that you have to take it up a notch. Gather the heads of your risk silos from Finance, Information Technology, Corporate Security, Human Resources and your Crisis or Continuity of Operations section.

Look at ISO 28002 as a team and begin the process of digesting what it means to your organization.

How could you internalize and even operationally collaborate to increase your level of resilience from 36 hours to 72 hours?  The clock is ticking...

Information Threat: Battle for Superiority...

What continues to be the greatest economic threat to your organization? Is it "Internal" or "External" to your institution? Could it be both?

Insiders rarely work alone and therefore the nexus with some outside influence, whether it be a person, life factors or some other entity are typically in play.

Is an engineer in R&D copying precious intellectual property information from within the enterprise company, that could be worth hundreds of thousands or even millions to the highest competitive global bidder? Could your small business have an accounting supervisor that has been diverting funds to a private bank account for the past two years?

Would it be possible that a supplier or 3rd party partner is capable of inflating the number of billable hours on a project?

Whether it's IP Theft, Fraud or other white collar corporate malfeasance, these Operational Risks are real and growing at a double-digit percentage rate annually. The greatest economic threat to your organization could be complacency or an apathetic staff, who works without adequate resources and little communication with the Executive "Powerbase".

The compliance and oversight mechanism's are in full swing from the federal governments around the world as highly regulated critical infrastructure organizations are implicated in a myriad of corruption, scandal, ethics and criminal matters.

Litigation is an Operational Risk that many organizations have realized the necessity for more robust internal teams to address the continuous requests for information from the government.

There is one common denominator across all of the insider threats, external forces and other vectors that seem to be attacking our institutions night and day. That common denominator is "Information".

And underlying this is the data and meta data that all to often ends up being the key or clue to finding the "Smoking Gun" and the source or person(s) associated with the scheme or attack on the organization.

Managing information in a mobile and interconnected planet is a major issue in any global company. Providing the tools and the right information faster and more accurately than the competition can be the difference in your own survival on the corporate battlefield.

So how does the CxO suite even begin to address the risks, opportunities and resilience in our demanding "Information-centric" environment?

They believe in having a strong culture of ethics, training and continuous monitoring of employees, systems and their supply chain. They understand the importance of providing the vital resources to the people on the front line of risk management and to make sure that their early warning systems and methods are not compromised.

This breed of CxO's are the new breed of organizational management, that are leveraging information to their most significant advantage:

Whether you are trading in a marketplace, analyzing assets on a map or manufacturing widgets and selling them to qualified buyers, operational risk management begins and ends with information. Managing that information effectively and more accurately than your competition is the name of the game. What have you done today to insure your survivability in the face of the next crisis?

Operational Risk: The Pursuit of Trusted Information...

Operational Risk is about Performance Management and Business Resilience.  CEO's and the Board of Directors realize the road to eliminating fear in their organization and the marketplace, is through trusted information.

Being agile, ready and capable of a quick recovery is what competitiveness is all about, on the field, on stage or around the table in the Board Room. Working towards control and protection while "fear" builds in the back of your mind makes you stiff, depletes your energy, confidence and creates doubt.

And when you are operating a business or standing on the tee of your first sudden death hole on any PGA weekend, you better have resilience.

The business equivalent to homeland security and critical infrastructure protection is Operational Risk Management (ORM)—a domain that many executives see as the most important emerging area of risk for their firms. Increasingly, failure to plan for operational resilience and crisis readiness can have “bet the firm” results.

There are numerous examples of how errors, omissions and glitches have brought down the reputations of many a Fortune 500 companies. What do they all have in common that was clearly absent and that led to their demise?

"A trusted reservoir of economic and business resilience to remain competitive in the marketplace."

Even beyond natural disasters and information security hacks, the threat of "Tort Liability" and the loss of organizational reputation is top of mind these days, with every major global company executive.

The threat is continuous and increasing at a faster rate than many other real operational risks to the enterprise. Litigation from regulators, class actions and competitors has given the term "Crisis Readiness Team" a new emphasis and meaning.

Once corporate management understands the need for a continuous "resilience" mentality in place of a "protection" mental state, a new perspective is found. Investing in the vitality, agility and competitive capabilities of the organization, sounds and is more positive.

It alleviates the fear of doom and gloom and inspires new found innovation. The future of your organizations longevity and in it's adaptability, can be achieved with a new bold perspective.  Compete or die.

Crisis Readiness could be enabled or suppressed in your enterprise by the amount of power you give your leadership. Do they have the ability to make an autonomous $1M decision or just $10K decisions when it comes to investing budgeted capital into their business unit operations?

Do they manage risk on a level where they are the most informed and the most knowledgeable about the business?  Or is the "Mother Ship" back at the home office HQ dictating the way they spend or the way they invest?

The ability to know how to manage risk at the point of creating new information, is the nexus of several disciplines and requires substantial training. Every minute that goes by with people not performing and behaving correctly, puts the enterprise at greater risk to lost performance opportunities.

All these issues can be summed up in a single concept:  Trusted Information. Simply accessing data is no longer enough.

CEOs, CFOs and knowledge-workers must be able to reliably track the information they use for decisions, back to the original source systems, in order to ensure its timeliness, accuracy and credibility.

Over the last decade, organizations have invested millions of dollars in systems to collect, store and distribute information more effectively.  Despite this, information users at all levels of the organization, are often uncomfortable with the quality, reliability and transparency of the information they receive.

Today's organizations rarely have a "single view of the truth." Executives waste time in meetings debating whose figures and policies are correct, rather than what to do about the company's issues.

Additionally, they worry about the consequences of making strategic decisions, using the wrong information, directly impacting the long-term survival of the organization.

The search for trusted information is a continuous pursuit for commanders in the "Mission Ready Room" and the "Corporate Board Room".

So how do you achieve the level of assurance that's required to make the "Bet the Firm" risk management decisions in your enterprise...

Supply Chain: Interdependencies Risk...

In the U.S., it is now less than 30 days away from the next cyclone season.  One thing is for sure. You are in complete control of your readiness factor.

In what countries do you operate? Do you source raw materials from politically unstable regions of the globe for your end products? Are you subject to a myriad of taxes, tariffs and duties including new security measures in our ports? How complex are your sales and distribution channels?

At the end of the day. the big question is: What is my financial, operational and economic risk exposure in the event of a disruption in our external supply-chain?

The risk of external supply-chain interdependencies has been talked about for many years. Monte Carlo simulations, scenario analysis and other methods have been effective in the determination of what the magnitude of a loss event may look like. Once the dollar analysis is done and you know that your exposure is $XXM. or $XB., then what do you do with that information?

Much of the outcome of this exercise may go into the next strategic planning phase on who you need to partner with or create an alliance with in order to satisfy certain future contingencies. Once you realize that you need more than one source for a raw material or a key service to run your business, then the real analysis begins. Who and where do I find the best alternatives for this vital component in my global supply-chain?

If you begin your due diligence now on the top 10 vital components in your supply-chain contingency planning exercise, you might have these all completed, through the legal department and signed within a few months time. If you are lucky. Then you must really test the new supplier or source for your product or service to determine how smooth they operate when you pick up the phone or send the "Alert".

The ultimate architecture requires an "Adaptive Supply-Chain" that will provide cross-border agreements and resilient mutual-aid partners to assist in times of crisis. Just shifting production from one country to another may not be enough to mitigate the disruption in a vital component of the manufacturing process or delivery of services.

Having a reflexive and responsive supply-chain is only one of many contingencies in a robust Business Crisis and Continuity Management plan.

When was the last time you reviewed your key suppliers and sourcers plans for continuous operations and their record for testing these plans? This will be the place you find your greatest weakness in external supply-chain management.

And your readiness factor, is directly proportional to your interdependencies in your supply-chain.