Once companies become "self aware" and have the means to effectively identify and prioritize the potential risk events they should be concerned with and then determine appropriate risk response strategies, the next step (which rarely occurs) is to periodically test contingency plans, monitoring and detection controls, and mitigation and prevention strategies. Many companies take for granted that a plan on paper will always work as intended or designed. Stealing from the audit community, there is a difference between control design effectiveness (e.g., is the control effective based on how it is designed or intended) and control operating effectiveness (e.g., does it operate as designed). To complete this task, companies need to test their supply risk response strategies just as they would their IT business continuity or disaster recovery plans.
Here's a real-life example: a biotech client of mine went through a rigorous supply risk assessment project. The driver for the project was several "near misses" that would have caused significant supplier interruptions and impacted revenue, which put a scare in upper management, and they wanted to make sure those near misses didn't actually happen. Through the multi-phase project, we identified critical risks associated with supply interruption across several marquee product lines. The project was focused on quantifying the impact of risks (in terms of potential supply outage and impact to revenue), identifying current controls in place and control effectiveness, determining the probability of a risk occurring and having an impact on product supply, and developing and prioritizing mitigation strategies focused on internal and external supply assurance. The client had a clear vision and strategy, made the investment in technology and consulting dollars, and dedicated a full-time internal team to the effort.
During our assessment, we identified the "cold chain" network for a particular product line, which was temperature controlled and had a widespread distribution network, as a source of high likelihood/probability and high impact. Discussions with the Logistics and Warehousing team identified an advanced temperature monitoring system at every point in the supply chain, both in storage and in transit, with multiple monitors, alerts, and back-ups.
It was the holiday season and the project paused for a two-week period while people were out for vacation. I couldn't have staged what happened over the next two weeks any better if I tried. A particular cold storage warehouse in the EU, carrying a significant amount of inventory for European distribution, suddenly became the center of executive discussion in late December. It had the same monitoring systems, multiple backup generators, etc. that we had discussed with the logistics team. The warehouse had people monitoring the systems, alarms, and notifications. In the event of a cooling system failure, a backup generator was in place and a notification would be sent to the operator responsible for monitoring the system at all times. What they did not account for was essentially the perfect storm: the cold storage system failed over the holidays. There was a power outage, and the backup generator did not start as the system was designed. The tertiary generator was a pull-start model, and the person responsible for monitoring the system was on vacation and therefore not in town to get the alert or to pass it on to his team for action. Thus, when the first and second backup systems failed, no one was aware that millions of dollars in temperature-sensitive inventory slowly crept over the acceptable temperature range. The end result was a series of events layered on one another that no one had imagined. Approximately $20M in inventory had to be destroyed.
The lesson to be learned is that even if you have specific risk events identified and responses in place, unless you have tested the critical responses, you are still not covered. Not everything needs to be tested, but it is important to remember that not only does the design effectiveness of supply risk response strategies need to be assessed, but the operating effectiveness of critical controls also needs to be tested periodically.
-- Chris Monk, Director, Supply Chain, Protiviti Consulting