A tsunami in Japan and floods in Thailand in 2011 disrupted the electronics supply chain. Original equipment manufacturers (OEMs) were not able to get the electronic parts to produce products as planned. Many were taken by surprise. Any OEM and or supplier that take a reactive approach rather than proactive to dealing with natural disaster disruptions are taking a big gamble.
Labor unrest, electrical/nuclear blackouts, and counterfeit parts sneaked into ad hoc electronics supply chains. Some OEMs were not able to quickly identify their deep tier suppliers after the disruptions. In at least one instance, a third-tier supplier was discovered as the single source for multiple suppliers in the second-tier.
To better prepare for similar disruptions, many OEMs have turned to enterprise risk management (ERM) to proactively detect, prevent and mitigate risks in the supply chain with a focus on deep tier suppliers. While business continuity planning is an important part of ERM, it can also help to increase the globalization of electronics supply chain with alternate locations and transportation routes. The larger the globalization is, the more information flows though the supply chain and the more it is vulnerable to cyber attacks.
Progress has been made in standardizing ERM to allow OEMs to collaborate one another. ERM includes ISO 28000, the standard for security risk management system for supply chain, as well as other related ISO standards.
While different vendors have different strategies on implementing actionable electronics supply chain risk management plan, the best strategy is dynamic risk assessment plan. For example, LockPath's Keylight platform lets administrators conduct dynamic assessments to gain greater visibility into the risk and compliance landscape. The administrators can include questions, link assessments to controls, and configure follow-up or remediation tasks based on user responses.
Risk management plan consists of four key elements: assets, vulnerabilities, risks and safeguards/remediation.
Location is the most important asset. The organization should ascertain whether it is located in an industrial cluster. Contacts of OEM's emergency personnel should be readily available. Audit reports, disaster recovery and business continuity plans, Service Level Agreements and charts of how multi-tier suppliers are related to one another should also be considered important resources.
All electronics supply chain assets come with vulnerabilities. In many organizations, through growth or acquisition, supply chain warehouses have merged. Too often, single source n-tier suppliers are discovered only after a disaster or catastrophe. OEMs should also avoid using second sources within an single industrial cluster in a high-prone disaster area. Organizations should also consider its cyber vulnerability. Today's jackers are more sophisticated with biometric frauds and new types of attacks.
A dynamic risk assessment approach is more flexible than a static approach. Lockpath's Keylight platform, for example, contains Risk Manager, Audit Manager and Compliance Manager and four other applications. "The seven applications of the Keylight Platform are designed to be used individually or their power can be magnified by using them in combination with each other," said Sam Abadir, director of product management at LockPath, adding that "having an integrated view of risk across the supply chain will make OEM's business more resilient to risks and interruptions."
When safeguards cannot be implemented cost effectively, consider three ways of handling of residual (remaining) risks. First, get property insurance (from providers such as FM Global) that can be customized to the supply chain enterprise's business needs. Consider supply chain intelligence analytics (a wide variety of platforms such as FusionOps are on offer) to reduce the number of residual risks. Third, consider Electronic Industry Citizenship Coalition (EICC). This industry organization requires members to take an annual self-assessment to help identify the social, environmental, and ethical risks in their supply chains.
How has your risk management planning evolved over time? Let us know in the comments section below.