What Every Procurement Professional Should Know About Supplier and Supply Chain Risk

IBM Global Procurement Louis Ferretti Product Environmental Compliance & Supplier Chain Social Responsibility


Louis Ferretti, IBM Global Procurement Project Executive, Product Environmental Compliance & Supplier Chain Social Responsibility ferretti@us..com

October 27-29, 2015

Abstract

Businesses today are ever more dependent on their supply chain partners for goods and services, which make up a significant portion of the solutions they provide to their clients. Correspondingly, globalization has introduced the opportunity to do business with suppliers the world over, allowing greater access to a host of untold products and services that can provide a competitive advantage to the OEM and enable it to deliver increased value to its clients. Nevertheless, a global sourcing strategy has introduced a set of risks well beyond what was typical in the traditional supply chain. The question is how a company can engage in global sourcing and gain the benefits while weighing and managing the risks. Beyond assessing the risk of a supplier and their supply, there are opportunities to collaborate and assess a supplier's level of resiliency and, where appropriate, engage in remediation actions.

Business Continuity Planning & Supply Chain Risk – An Overview

Managing Risk is an imperative for Business Continuity Planning

RISK is one of the SIX mega-trends impacting enterprises around the world

Major factors affecting the enterprise today
1. Globalization Redefined
2. Technological Progress
3. Population Migration
4. Risk Complexity
5. Sustainability Imperative
6. Informed Customer

IBM Chief Supply Chain Officer Study Identified The Top Five Challenges

Risks, both operational and financial, is the #2 concern of supply chain executives worldwide

• Managing market and political uncertainty is more complex than ever
• Accelerating global shifts pose new risks; resiliency/responsiveness differentiate
• Evolution to a holistic view of risk management
• Risks can be hedged through intelligence

Supply chains have become increasingly more global and complex, bringing with them greater challenges and risks

• Japan earthquake / tsunami
• Thailand Flooding
• Hynix China Fire
• Philippines Typhoon
• Thailand State of Emergency/Martial Law
• Ukraine Political Unrest
• Russian Sanctions
• Gaza Bombings

Risk Management System: On-going Risk Mitigation Planning, Risk Assessment, Risk Monitoring and Control

• Manage risks within the extended supply chain based on continuous risk assessment
• Utilize a collaborative and structured approach
• Reduce vulnerability, increase resiliency and ensure supply continuity via mitigation planning

Supply Chain Risks

Currency, Fuel Costs, Social Responsibility, Intellectual Property, Labor Disputes, Brand Impact, Responsiveness, Product Safety, Political, Taxes, Cyber Security, Regulatory Compliance, Environmental, Labor Costs, Geophysical, Attrition Rates, Supplier Failure

How “Risky” is the Supply Chain?

Supply chain failures continue to be the top concern for US and Canadian business leaders. …

The CHUBB Multinational Risk Survey finds that . ….. Businesses cite supply chain failure as the top concern. … . ……[only] 56% of the companies report having a business continuity plan.. … The lack of continuity plans … is disturbing

From Inside Supply Management – June/July 2014 Global Trends – news in a changing world

IBM Enterprise Risk Management

IBM has developed a robust Risk Management program – and Supply Chain risk management is an important focus area

. A systematic approach to Identify, Assess and Address risk
. Enterprise-wide view
. Focus on both hazards and missed opportunities
. Improve business results and drive competitive advantage

[Figure: risk management program cycle (Leadership, Report, Communicate, Monitor, Implement, Enablement) and a sample enterprise risk map plotting Impact against Likelihood, with entries shown as "Sample"]

Relationship with critical suppliers: Ability to manage the end-to-end supply chain, including the dependency on critical suppliers

Setting the Context

Executive Direction

c. 2009

….. will initiate a broad piece of work to evaluate the risks in our extended supply chain….. will prioritize based upon known or anticipated issues.

. The gas supply
. …. Israeli situation
. …. ongoing issues in Thailand
. …..effects of a lower economic growth rate on political and social stability
. And many other risks including but not limited to transportation costs/climatic/political/economic/social/environmental/health, etc...

. …. globalizing our supply chains have introduced additional risks

Key ingredients necessary to successfully uncover and manage supplier and supply chain risk

. Well defined “on boarding” check list and tool

. Risk profile assessment

. Documented process, line ownership and management system

. Data base / tool to house data and perform computations

. Impact / likelihood weighing algorithm

. Risk ranking methodology

. Mitigation and business continuity plans

. Real time alerts

. Experienced cross functional, multi cultural core team

Initial and On Going Risk Compliance – to legal and internal policies

. Ethics, Bribery and Corruption

. Import / Export & Embargoed Country Restrictions

. Environmental, Product Safety, Electromagnetic Compatibility (EMC)

. Chemical Management and clean up

. Quality and defective products reporting, corrective action and recalls

. Diverse business relationships

. Data security

. Sustainability and code of conduct

. Financials

. Supply chain risk / business continuity planning

Uncovering and Managing Supplier / Supply Chain Risk

Our objective is not to eliminate risk, because without risk there is no progress. Instead it is to ensure we can manage and mitigate risks.

Managing market and political uncertainty is more complex than ever

Risks can be hedged through intelligence and holistic view of risk management

Supply Chain / Supplier Risk Management Tools
1. Incorporating key information about global supply chain from market intelligence communications
2. Augmenting existing information not available via current market intelligence
3. Listening for sentiment and trends for critical items and events

Total Risk Tool & Process
• Comprehensive risk assessment
• Ongoing mitigation and processes

[Diagram labels: Social Listening; Business Analytics; Social / Market / Environmental Intelligence; On-going Risk Mitigation Planning; Risk Assessment; Risk Monitoring and Control]

Leadership Solution
Protections against loss of revenue and profits by minimizing likelihood and severity of supply chain disruption

Key Benefits
• Uncovers multiple risks, assesses likelihood & impact of each
• Addresses risks with formal mitigation plans
• Provides consistent risk management approach across brands/commodities
• Trends and patterns are revealed by systematic risk analysis

Recognition
• IBM Outstanding Innovation Award
• Patent for impact likelihood algorithm
• CSCMP finalist Award for Supply Chain Innovation

Highlights - Risk Process and Management System

. 2 x year complete Supply Base Assessment
. Country / Hub / Supplier / Supplier Site / Commodity
. Based on External and Internal Market Intelligence
. 4 x year Financial Assessment – top critical suppliers

. Real Time Alerts
. Critical elements of the Supply Chain for Countries, Hubs, Suppliers, Sites, Commodities
. External and Internal Market Intelligence
. Additional Market Intelligence Feeds and Actions
. White Paper, Advisories, Weekly Reports
. Bi-Weekly Updates to the Management Team
. Quarterly Briefing to IBM‘s Chief Risk Officer
. Central Repository (aka community) for all Risk Related Topics
. Outputs from Social Listening tool
. External Data Source focusing on selected growth market countries and hubs
. Providing specialized alerts
. External Data Source Provider searching upstream supply chain, e.g. conflict minerals, rare earth metals

Total Risk Tool and Process Landscape

Uncover, Analyze, Mitigate, Manage Risk

Inputs
. Supplier & Commodity Questionnaires (Commodity Council Lead)
. Country & Hub Questionnaires
. Supplier-Site & Pandemic Questionnaires
. Market Intelligence
. External Data Source Provider

Complemented by
. Real Time Alerts from External Data Source Provider – anytime, re. potential disruption threats
. Supplier Financial Risk Assessment (SFRA) Tool
. Output from Social Listening tool
. Business Continuity Planning Supplier Assessment Ratings
. Supply Chain Social Responsibility Audit Compliance Reference

Total Risk Assessment Tool (Determines Risk Rating for combination of all entities and risks)

Cognos Business Intelligence Reporting
• Risk ratings by … Country, Hub, Supplier, Supplier Site, Commodity
• Reports Generated … Global View, Supply Chain Report, Questionnaire Report

Risk Identified

Risk Mitigation Plans (via Lotus Notes database)
. Plans formulated to address identified risk
. Plans reviewed and approved by management

Categories and Types of Risk Evaluated

Entities assessed: Supplier Site, Supplier, Commodity, Country, Hub, Pandemic

Types of risk: Production Stoppage, Shut Down related; Raw Material related; War and Civil Unrest related; Disaster related; Pandemic related

Categories
. Communication & Cooperation
. Environment & Natural Hazards
. Economic / Financial
. HR
. Infrastructure, Logistics & Energy
. Labor & Health (Includes Pandemic)
. Political, Legal & Social
. Product & Market Requirements
. Quality
. Security
. Strategic Importance

Impact / Likelihood Assessment

[Figure: Supplier Risk Assessment. Each supplier is plotted by Likelihood (x axis, 0% to 100%) and Impact (y axis, 0% to 100%), with High Risk, Medium Risk and Low Risk regions and the two curves y = 1 / (10 * (x + 0.05)) + 0.1 and y = 1 / (10 * (x + 0.20)) - 0.1]

Case Study 2011 Japan Earthquake / Tsunami and Thailand Flooding - Demonstrated value of tool and process

• Real time alerts from External Data Source Provider of specific aspects as events unfolded provided an assessment of damage and how quickly supply could be restored

• Based on tool output, immediately knew number of suppliers in Japan, which categories affected (e.g. commodities, logic, memory) and what tier supplier impacted

• Able to immediately contact suppliers and understand
- Extent of damage
- Whether in exclusion zone or not
- Ability to produce / maintain measure of supply continuity
- Supplier contingency plans
- Mitigation Actions (e.g. moving manufacturing to alternative locations)

• Can look for supply continuity down through multiple levels of supply chain where IBM has qualification / sourcing relationships with sub tier suppliers - Through use of related tool and process

• 12-24 hour head start in securing supply and implementation of mitigation actions

Pro-Active Elements of Risk Management

. Supplier Sourcing
. Consider Supplier Risk in Sourcing Process
. Use as decision support tool to award business

. Business Continuity Planning
. Consider BCP Readiness into Supplier Risk
. Inadequate BCP Readiness requires Mitigation Action to Improve Risk Score

. Risk of Flooding
. Multiple input parameters like topography, historical weather pattern, soil type, ...
. Selected Countries
. GPS tagging of Supplier Location
. Publicly Available Data Maps
. Views provided to Sourcing teams

. Use of Mobile Communication (under development)
. Bi-directional Communication with Suppliers
. Share Risk Events

Factoids

. Likelihood Impact Model . Risk = Probability of Risk Event x Impact to Business . Heat Map with modified Thresholds . Thresholds set to capture 10 – 15% High Risk Supplier

. ~95%+ Spend Coverage ($5bn) . ~450 High to Low Impact Suppliers

. ~2400 Supplier Site-Commodity Combinations . Main driver Component and Memory . Subtier Supplier include certified Fab locations . Differentiation between Fab, Assembly and Test . Components, Logic, Microcomponents, test

. ~ 60 Commodities Tracked . From finished Boxes to Assemblies to Chip Families

. ~50 Country and Regions Tracked . All Growth Markets covered

. ~50 Key Transportation Hubs Tracked . ~ Main Country Entry and Exit Transportation Points

. ~3000 Supply Chains captured

Assessment of Major Risk Events

Past (examples)
. Bangkok Political Unrest 2009 / 2010
. Russia – Ukraine Gas Dispute 2009 / 2010
. Japan Tsunami and Reactor Melt Down 2011
. Thailand Flooding 2011 / 2014
. Super Typhoon Haiyan – Philippines 2013
. Hynix Wuxi, China DRAM plant fire 2013
. Thailand State of Emergency 2014
. Ukraine political unrest 2014
. Madagascar hurricane 2014
. Chilean earthquake and tsunami 2014
. Mexico City earthquake 2014
. WTO ruling and China Appeal re. Rare Earth Metal ruling
. Export of ore restrictions 2014
. Continued Focus on Youth Unemployment in Europe
. Youth Unemployment trigger to Social Unrest 2013/5
. Russian Sanctions 2014/5
. Vietnam riots against Chinese businesses 2014
. Thailand Martial Law/New Regime 2014
. Ukraine 2014/5
. Argentina Bond Repayment 2014
. Greece and EU 2014/5

Source http://en.wikipedia.org/wiki/Typhoon_Haiyan
Source http://www.abc.net.au/news/2014-01-10/fresh-protests-at-rio-expulsions2c-demolitions/5193272

Our vision is to create the most transparent supply chain in the world: predictive, social, real-time, and global

Key Benefits and TSC Functions
. Effective supplier collaboration
. Real time order status visibility and exception alerts
. Reduced inventory levels and operations cost
. Credibility and reliable information
. Improved sharing of demand information and collaboration
. Increased customer satisfaction levels
. Global Level KPIs with drill downs
. Transparent operations management
. Improved visibility into finished goods inventory
. Issues / risks identification and correlation to assess impact to supply chain
. Better service level commitments
. Next best action initiation
. Order status notifications (mobile & web)
. Alert / exception driven model
. Single version of truth
. Mobile App for alerts
. Intelligent Operations & Resolution Center
. Geo spatial & other visualizations

[Diagram labels: Transparent Supply Chain; Client; Business Partners; Suppliers; IBM; Cloud; Analytics; Mobile; Social]

Transparent Supply Chain – Geospatial Map Alerts - Possible Supplier/Supply Chain Opportunities for Disruptions

“Risk Rover” – Project Z Predicting Risk with Certainty - The Genesis

March 11, 2011 – Japanese earth quake, tsunami and nuclear reactor melt down

Critical single sourced component sourced with supplier inside the “exclusion zone” – no access to parts/building

- Led to expedited qualification – development, engineering, procurement and suppliers

Sept 4, 2013 – SK Hynix Memory Factory Explosion and Fire

Sep 4, 2013 - A huge fire at an SK Hynix component factory in Wuxi, China, has highlighted supply chain vulnerability.

DON'T PANIC says Hynix, China fab explosion is no big deal
www.theregister.co.uk/.../ dont_panic_says_hynix_
Sep 4, 2013 - Fears that an explosive fire at SK Hynix's Chinese fabs in Wuxi will cause a spike in chip prices are unfounded, says the company.

Update: Hynix plant fire leaves memory shipments on hold ...
www.computerworld.com/.../update--hynix-plant-fire-lea...
Sep 4, 2013 - The Korean press reports that a fire in Hynix's fabrication plants 1 and 2 in China may put DRAM shipments on hold for the foreseeable future.

Hynix FABs on fire after chemical explosion | KitGuru
www.kitguru.net/.../faith/hynix-fabs-on-fire-after-chemical-explosion/
Sep 4, 2013 - World DRAM prices are set to rocket as news comes in that Hynix FABs ... in Hynix's Wuxi fab in China was NOT the chemical explosion but ...

Hynix DRAM plant erupts in flames, entire industry affected
www.tweaktown.com › News › BREAKING STORY
Sep 4, 2013 - Two Hynix DRAM production facilities in Wuxi, China destroyed in massive chemical explosion and resulting fires.

China fire rattles world chip supply chain | Fox News
www.foxnews.com/.../china-fire-rattles-world-chip-su...

- Led to an immediate approval to purchase and pull in inventory ~$1m

“Risk Rover” – Watson Project

Predicting Risk with Certainty

Domain: Risk team receives many reports and updates re. threats (man made and natural) that can impact supply continuity. In spite of the threat of a supply chain disruption, most do not come to fruition. Taking preemptive actions such as qualifying another source, pulling inventory and/or moving the business to another supplier, when threatened, and then if the threat does not materialize, these actions produce a measure of distraction, lost time and wasted effort by the sourcing teams and others.

Concept: Search past/recent past social, political, economic unrest events, including climatic events to determine if they: a) do come to fruition as forecasted, and if they do, b) was there an impact to in country commerce, aka disruptions to transportation, roads, airports, workforce etc.? Evaluation of data can show what is the likelihood of an event a) coming to fruition (eg disruption) and b) if it does come about as forecasted, what is the likelihood that supplier’s business will result in interruption of supply and/or services?

Data Sources: Collect and analyze vast array of news reports of social, political, economic unrest events as well as climatic events – over last x years.

Benefits / Opportunity: Procurement, Engineering and Supplier resources conserved and only expended when situation indicates a high likelihood of an event materially impacting the supply chain.

A New Way to Manage IBM and Supplier Supply Chain Risk

Risk Rover (RR) uses:
. Watson Content Analytics, DB2
. Cloud Managed Services (CMS)
. Bluemix with Dev/Ops (Agile), Java, Cloudant
. Social Media Analytics (SMA), Twitter data on climatic events
. US Navy: storm tracking

An Extreme Blue™ Project: May – Aug, 2015, covered by the Smarter Innovation fund

RR API available at end of project

Image source: http://en.wikipedia.org/wiki/Typhoon_Haiyan

IBM Risk Rover Team
. Thomas Ward – ES
. Chester Karwatowski – CIO
. Hans-J Eickelmann – Proc
. Jason Horner – Proc
. Patrick Gibney - ES
. Rahul Nahar - ES
. Ramesh Alagsen – ES
. Ross Grady* - HR
. Louis Ferretti - Proc

* IBM RTP Extreme Blue Lab Manager

Extreme Blue Developers
• BS Computer Science from Texas A&M, architecture and maps.
• BS Computer Eng. from Syracuse, strong Java specialist.
• MS Carnegie Mellon, Machine Learning, BS CS from Oregon State.
• BS USMA at West Point, MBA at Fuqua/Duke. Global Logistics.

Executive Sponsors
• Tim Humphrey
• Josie Romualdi
• Mike Meaden
• Bob Murphy

Risk Rover using Watson Content Analytics (WCA)

• Project funded via IBM internal Venture Capital
• Sole Supply Chain Project nominated in 2015 for Extreme Blue™
• Extreme Blue™ is IBM's incubator for new Talent and Technology
• Analyse Climatic Risk Events using WCA utilizing
– Social Listening
– Analytics & Big Data
– Mobile
– Cloud
• Top Talent Developers selected to support 12 week event
• IBM Risk Team consists of technical and business mentors
• Project’s 3 Objectives
– Minimum - Proof of Concept Validation
– Target - Expand to additional predictive analytics
– Stretch - Expanded into Watson Q&A type insights

Risk Rover

Today: How do we monitor threats to our global supply chain?

Manual Event Monitoring
• Costly
• Time Consuming
• Lacks Precision
• Not Standardized

[Graphic: Supply Chain surrounded by Epidemics, Protests, Storms, Strikes, Conflict, Droughts, Floods]

The Vision with Risk Rover on Watson

[Diagram labels: Big Event Data; Social Listening Tool; US Navy Weather forecasts; Watson Content Analytics; Social Media Analytics; Text Analytics; Identify, Predict, Assess Events that impact IBM; Visualization: Geo Spatial Mapping of event to IBM Supply Chain; TSC; API; Alerts]

The Interface

Corporate-wide Supply Chain Risk Assessment - viewed as the right strategy and vision, key to global growth and a differentiator

Executive Interest and Support

Vice President and Controller –

. In response to the IBM Board of Directors Audit Committee Meeting, acknowledged our current work is the right strategy and vision. “The Data Analytics presentation was very well received by the Audit Committee. I walked them through our strategy, … and wrapped up by outlining the impact of Analytics on the Enterprise Risk Map. The Audit Committee was very engaged throughout the presentation and acknowledged that this was the right strategy and vision”

IBM Vice President & Chief Risk Officer --

. “I personally reference the tool internally and externally as a prime example of IBM's use of Analytics to support risk management initiatives which clearly underscores our thought leadership in this area.”

IBM Corporate Office, Director, Global Risk and Insurance Management –

. “This tool has been a huge differentiator for IBM when we present our risk profile to the property insurance underwriting community. Business Interruption and Contingent Business Interruption are ever expanding exposures to an organization and not only can impact income to the organization but also our ability to meet our commitments to our customers.”

IBM VP & Chief Procurement Officer –

. “Managing and reducing risk in the supply chain … will be key to IBM’s global growth in the future”

Supplier / Supply Chain Risk Management – Key Takeaways

• Risk management is a fundamental building block to a supply chain strategy

• Supply Chain Leaders are integrating process controls in their logistics and operations, supplier compliance programs and planning process

• Procurement can deliver true value using an intelligent and comprehensive risk assessment program with suppliers

• A strong supplier / supply chain risk management program, can - demonstrate to clients that IBM can be a reliable supplier, and - be a key factor in preserving and growing revenue - be featured to insurance underwriters as rationale for reduced premiums

• Objective of these processes is not to eliminate risk - without risk there is no progress - instead it is to ensure we can manage and mitigate risks

• “Managing and reducing risk in the supply chain … will be key to IBM’s global growth in the future” - John Paterson, (former) IBM VP & CPO

Contact Info

IBM Louis Ferretti Project Executive, Product Environmental Compliance & Supply Chain Social Responsibility [email protected]
