Friday, March 9, 2012

New Developments in Supply Chain Security Strategy

By Craig H. Allen

Supply chain security was the subject of renewed international and national attention in the opening weeks of 2012. On January 25, 2012, the White House released its new National Strategy for Global Supply Chain Security, shortly after the World Economic Forum distributed its Global Risks 2012 report and a second report titled New Models for Addressing Supply Chain and Transport Risk. Although much of the concern over supply chain security has historically focused on the system’s vulnerability to terrorist attacks or misuse and criminal activities, the cascading tragedies that followed the 2011 earthquake in Japan loomed large in the more recent analyses. In fact, Global Risks 2012 includes a special report on The Great East Japan Earthquake that should be required reading for risk managers.

Post-9/11 Supply Chain Security

In the immediate aftermath of the September 11 attacks on the World Trade Center and Pentagon in 2001, concerns over the use of shipping containers to smuggle weapons of mass destruction or radiological dispersal devices (RDDs or “dirty bombs”) into the US reached a near fever pitch. An Italian port authority’s discovery of Amir Farid Rizk (soon nicknamed “Container Bob”), who had concealed himself in a well-stocked shipping container bound from Egypt to Canada in October 2001, demonstrated the gravity of the global container security deficit. Containers were soon depicted as potential “Trojan horses” or the “poor man’s missile.” Senior US Coast Guard leadership labeled global trade as the nation’s “Achilles heel.”

The potential for catastrophic disruption by even the mere threat of an RDD incident was brought home to security planners through a 2002 Department of Homeland Security simulation. In the simulation, two devices containing radioactive cesium wrapped around thirty pounds of C-4 explosive were “discovered” (as a part of the drill) in shipping containers in California and Georgia. Additional intelligence led officials participating in the exercise to suspect the two incidents might be part of a larger coordinated attack involving containers in other ports. In response, the department simulated the temporary closure of all of the nation’s seaports to permit them to conduct a thorough search. The economic losses that would have resulted from a nation-wide port closure, perhaps lasting up to 45 days, were estimated by the exercise participants at $66 billion, demonstrating the RDD’s potential as a “weapon of mass disruption.”

After examining aviation security risks, the 9/11 Commission concluded in its 2004 final report that the “opportunities to do harm are as great, or greater, in maritime or surface transportation.” The commissioners went on to report, “initiatives to secure shipping containers have just begun.”

Governments, intergovernmental organizations and industry responded to the post-9/11 risk assessments with a plethora of port, vessel and cargo security enhancement measures. Those measures included the International Ship and Port Facility Security Code (ISPS Code) developed by the member states of the International Maritime Organization in 2003. The World Customs Organization also adopted a series of measures aimed at better securing the international trade supply chain. Within the U.S., the Customs-Trade Partnership Against Terrorism (C-TPAT), Container Security Initiative and the 10+2 importer security filing requirement (so named for the 10 data elements that must be filed with US Customs and Border Protection 24 hours before arrival) were added.

One of the more controversial requirements imposed by Congress called for overseas scanning of all shipping containers before they are placed on US-bound vessels. Those inspections are to employ both radiation-detection and non-intrusive inspection equipment in order to detect nuclear materials or other contents of concern.

A 2005 report by RAND expressed a widely-shared belief that a 100 percent container scanning requirement would not be cost-effective, given the probability and magnitude of the risks posed and the available scanning technologies. Nevertheless, Congress’ 2006 Security and Accountability For Every (SAFE) Port Act required that, by 2007, 100 percent of US bound containers being shipped from the 22 largest foreign ports be scanned. The 2007 Implementing Recommendations of the 9/11 Commission Act, enacted by the new 110th Congress, went even further, requiring 100 percent scanning of all in-bound containers by July 1, 2012, despite serious misgivings by both trading partners and the US regulatory agencies charged with maritime security.

Congress recognized, however, that its container scanning requirement might prove unworkable. It therefore authorized the Secretary of Homeland Security to extend the deadline for up to two years if the agency concluded the 2012 goal was not achievable. The extension could also be renewed in two-year intervals. In June of 2011, DHS Secretary Janet Napolitano announced, during a visit to European ports, that her department intended to delay full implementation of the scanning requirement. Relaxation of the rule was supported by key legislators who had earlier insisted on the 100 percent rule. For example, Senator Mary Landrieu (D-Louisiana), chair of the Senate Homeland Security appropriations subcommittee, publicly explained in August 2011 that, “I voted to have every single container screened, but we’re going to have to step back from that position because the impact on trade and transportation in terms of delays would be very detrimental.” In 2011, Senator Patty Murray (D-Washington), one of the authors of the original SAFE Port Act, co-sponsored a bill that would authorize the Secretary to waive the 100 percent inspection requirement for any one of five grounds set out in the bill. The bill has been pending before the Senate Committee on Homeland Security and Governmental Affairs since April 14, 2011.

The 2006 SAFE Port Act also directed the president to develop a federal strategy to address global supply chain security. In response, the Bush Administration promulgated a detailed, 130-page Strategy to Enhance International Supply Chain Security in 2007. At roughly the same time, the International Organization for Standardization released its ISO 28000:2007 series of standards. Those voluntary ISO standards specify the requirements for a security management system to ensure safety in the supply chain and enhance the system’s robustness.

National Strategy for Global Supply Chain Security

On January 25, 2012, while in Davos, Switzerland, Secretary Napolitano announced the release of a new National Strategy for Global Supply Chain Security (SCS Strategy). The 2012 SCS Strategy, signed by the president on January 23, sets out two goals: to promote the efficient movement of goods and to foster a resilient supply chain. It then closes with an eight-bullet “path forward.” Like the 2011 Joint US-EU Statement on Supply Chain Security Secretary Napolitano signed in Brussels last June, the new strategy calls for greater international cooperation.

In a statement accompanying the release of the new SCS Strategy, Christa Brzozowski, Director for Supply Chain Security at the National Security Council, made it clear that the administration’s concerns extended beyond terrorism threats:

“As a number of recent events remind us, this system is dynamic and complex but also vulnerable to numerous threats. These threats, such as pandemics, natural disasters, or attacks involving weapons of mass destruction could undermine the continuity of the global supply chain system as a whole. Also, because of the interconnectedness of the system, even smaller, localized events could escalate rapidly and cause significant disruptions.”

The six-page SCS Strategy document, which was reportedly two years in the making, is probably best characterized as a commitment to confer and study the problem, rather than a true strategy to achieve the desired level of security for global supply chains. It assigns no specific supply chain security responsibilities or timelines (other than a one year reporting deadline) and, so far, lacks any provisions for assessing progress toward the stated goals. Somewhat surprisingly, it does not mention any of the current US cargo security initiatives by name or directly address the ongoing container security controversy. Apparently, however, the strategy document was not meant to serve as actionable guidance. For example, the “path forward” section states that implementation “priority action areas” will be identified “during the development of the Strategy,” suggesting this is a work in progress. Presumably, therefore, federal maritime security specialists looking for actionable guidance will continue to draw on the 2007 Strategy to Enhance International Supply Chain Security, together with the other maritime security strategies prepared under the framework established by the 2005 National Strategy for Maritime Security.

New Models for Addressing Supply Chain and Transport Risk

The World Economic Forum (WEF) describes itself as an independent international organization committed to improving the state of the world by engaging business, political, academic and other leaders of society to shape global, regional and industry agendas. WEF is perhaps best known for the location of its annual meetings in Davos, Switzerland. Risk analysts and managers often begin their annual professional reading with the WEF’s annual Global Risks reports, distributed each January to coincide with the Davos meeting. For the past seven years the Global Risks project has studied and reported on fifty global risks that are grouped into five categories: economic, environmental, geopolitical, societal and technological. Using creatively designed graphics, the annual report ranks and plots global risks by a combination of their probability of occurrence and consequences. Increasingly, the report also analyzes linkages between and among the risks.

The Global Risk 2012 report included, for the first time, an examination of what the drafters term risk “centers of gravity” (COGs). The COGs are described as those risks of greatest systemic importance and which should therefore be the focal points for strategic interventions. A particularly sobering finding in the report that came out of its analysis of the 2011 Japanese disaster concerned the potential for global linkages between large scale destructive events (e.g., earthquakes, tsunamis, hurricanes) and two of the critical centers of gravity: critical systems failures (like the Fukushima meltdown) and governance failures. Those same linkages might well serve as pathways for a WMD or RDD attack to trigger critical systems and even governance failures.

Citing the 2010 volcanic eruption in Iceland, the 2011 Japanese earthquake and the massive floods in Thailand that same year (which inundated seven of that nation’s major industrial estates with 10 feet of water) as “recent examples of global disruptions that have tested the robustness of the supply chain and transport systems – and tolerance of uncertainty by organizations,” the Global Risks 2012 report drew attention to the WEF’s recently completed report on New Models for Addressing Supply Chain and Transport Risk. Like the 2012 Obama SCS Strategy, the WEF report on supply chain and transport risk highlighted the need to mitigate risk and build system resilience. The report identified five priority measures for mitigating supply chain and transport risk: (1) developing expert networks across business and government, (2) defining and measuring risk quantification to support effective decision making, (3) implementing effective legislation and incentives, (4) improving data and information sharing and (5) extending uses of scenario planning. The fifth measure – extending uses of scenario planning – is worth singling out for attention.

Extending Uses of Scenario Planning

Scenario planning was ranked as one of the top two enterprise risk management improvement priorities in the WEF report on supply chain and transport risk. Scenario planning has been practiced in at least some quarters since the 1950s. Royal Dutch Petroleum Company (Shell Oil) was one of the first major corporations to employ the tool. The Coast Guard has practiced scenario planning for some twenty years in what is today referred to as the Evergreen strategic planning process. In 7 Deadly Scenarios, Andrew Krepinevich describes early uses of scenario planning in the US Department of Defense.

Scenario planning pioneer, Peter Schwartz, author of The Art of the Long View, describes scenarios as “what-if” stories – “stories that can help us recognize and adapt to changing aspects of our present environment.” According to Schwartz, scenarios “form a method for articulating the different pathways that might exist for you tomorrow, and finding your appropriate movements down each of those possible paths.”

Although approaches and applications vary, scenario planners typically construct a collection of “scenario worlds” that, as a set, represent the broadest practicable variety of plausible futures for the organization. Planners then work with the organization’s leadership to prepare strategies adapted to each future scenario. The scenario-specific strategies are then circulated among the other scenario groups, with the goal of developing a single “robust” strategy that will be effective, or at least acceptable, across all of the future scenarios.

The 2012 WEF report on supply chain and transport risk observed that scenario planning is already being used effectively at the operational level. The drafters argue, however, that scenario planning has the potential to also play an integral role in reducing systemic risk across networks. They further urge that in an increasingly networked and interdependent world, scenario planning efforts must include multiple stakeholders, reaching across global, regional and sector levels.

Effective use of scenario planning by the Swiss energy and automation conglomerate ABB was held out as an exemplar in the WEF report. Scenario planning was credited with enabling ABB to identify the future risk of earthquakes in Japan and political upheaval in Egypt. To prepare for those possible future scenarios, the company trained its in-country management teams in crisis management and took part in simulations to test their systems, communications and teamwork against the scenarios – all well before the actual events occurred.

Concern for the security of global supply chains shows no sign of abating. The Obama Administration strategy document makes it clear that our concerns, and therefore our planning efforts, must extend beyond the more commonly discussed threats of terrorist attack or criminal activities. Natural and accidental technological disasters, armed conflicts and even large-scale political upheavals must be considered as well. The ubiquity of “global” supply chains (or, perhaps more accurately, global supply “networks”) means that proximity to the incident counts for little. A disaster in Japan or Indonesia can shut down assembly lines in Detroit and North Charleston, South Carolina.

Scenario planning can be a powerful tool for supply chain and transport risk managers at both the operational and strategic levels. Well-crafted scenarios can reveal the enterprise’s vulnerabilities and suggest countermeasures to enhance the system’s resilience. To invoke a familiar proverb, in an era when a kingdom might indeed be lost for want of a nail, the global economy can ill afford to overlook a planning tool that can help identify resiliency measures necessary to ensure the crucial nails will always be available. Supply chain risk managers will therefore want to closely study the WEF report, to learn how scenario planning might help them more effectively prepare for disruptions to the system that could cripple their organization.

Craig H. Allen is the Judson Falknor Professor of Law at the University of Washington. For the 2011-2012 academic year he is serving as a visiting professor at the US Coast Guard Academy and at Yale Law School. The views expressed are the author’s alone.