Businesses today outsource many operations to partners, many of whom may be critically exposed to extreme events and beyond of the control of the firm’s risk management programmes. By Marc Lehmann and Kenneth Travers

An earthquake in Japan results in a shutdown of major motor assembly operations for seven days, causing a loss of more than $500 million, because critical engine parts are unavailable. A fire in a semi-conductor plant, started by a bolt of lighting, costs a mobile phone manufacturer more than $600 million, because of the loss of key components. Hurricane Katrina shuts down the Port of New Orleans interrupting imports and exports, resulting in billions of dollars of lost revenue.

There will be many similar examples in the future. Low frequency, high consequence events like earthquakes, cyclones, floods, explosions, fires and terrorist attacks will cost unprepared businesses billions of dollars.

Fortunately, there are new ways to understand and manage this risk. We cannot prevent the events, but we can mitigate some or all of the financial impact. It requires that we identify major risk sources, quantify the risk and select the appropriate strategy from available risk mitigation and transfer alternatives.

A study of 500 financial executives conducted by the insurer FM Global found that supply chain disruption was their second most significant revenue risk concern after competition. This reflects the way businesses operate in today’s environment, in multiple countries, outsourcing operations to partners, many of whom may be significantly exposed to extreme events and beyond the control of the firm’s risk management programmes.

Just-in-time product delivery systems, supply chain management, outsourcing and in-sourcing have also contributed to an increase in the fragility of supply chain networks to extreme events. These risks are often difficult for firms to quantify, creating uncertainty in how best to protect their business and optimise risk management efforts.

Historically, as Table 1 below shows, extreme events such as earthquakes, tropical cyclones, fires, floods and terrorism have had significant effects on organisations’ assets and operating environments, including supply chain networks. Hurricane Katrina in August 2005 is an example of the wide reaching impact of a major catastrophe on economic activity.

Katrina made landfall in Louisiana with significant wind and storm surge damage along the US Gulf coastline. Heavy rainfall from the storm, combined with failure of critical sections of the New Orleans flood defence system, resulted in catastrophic damage to homes and businesses within the city and in surrounding area, and great disruption to trade and business.

This storm also resulted in a shutdown of much of the Gulf of Mexico oil and gas downstream production for weeks. Approximately 11% of the gasoline and 24% of the US natural gas production is linked to the Louisiana and Texas Gulf region, and this production capacity depends upon a unique supply chain comprised of offshore platforms and on-shore refining production.

Katrina also shut down the Port of New Orleans for several weeks. This prevented manufacturers and agricultural producers in the Midwest from moving their products to domestic and overseas markets, and impeded the import of steel, rubber and other raw materials. The physical damage to the port was around $160 million, but the related business interruption losses from disruption to the movement of goods has been estimated in the multiples of billions of dollars.

The impact of uncertainty

One of the greatest supply chain concerns businesses face is uncertainty in quantifying the potential financial impact from extreme events. The problem is complex and cannot be solved by a simplistic scenario analysis. It requires risk managers to make assumptions or conduct an exhaustive and costly effort to implement business continuity planning, buy insurance or apply other risk management strategies.

The inability to quantify effectively the likely business interruption and contingent business interruption implications can result in difficulties with insurance capacity and pricing, and lead to a situation in which the enterprise may under or over protect the risk. This uncertainty may also distract from mitigating risk through an optimised strategy of asset strengthening, targeted business continuity planning, service agreements and multiple supplier options.

Quantifying and managing

The solution to quantifying and managing supply chain risk is an integrated, multi-step process that identifies critical assets (owned and non-owned) and key nodes within the supply chain network, and then simulates the operational aspects of the network using a supply chain model. This determines a base operational case. An optimised approach that we use embodies the following methodology:

Hazard assessment

The first step in the process is to identify and quantify the extreme hazards that can have a significant impact on a supply chain by means of recognised catastrophe models. The models probabilistically simulate the natural hazard events that can affect a given location or region and the supporting infrastructure. The results enable managers to understand the probable frequency and the severity of the hazards.

Vulnerability analysis

“Just-in-time product delivery systems, supply chain management, outsourcing and in-sourcing have also contributed to an increase in the fragility of supply chain
networks to extreme events

This element involves the identification of key vulnerabilities within the supply chain that could lead to significant business interruption. It is segmented into three components:

1. Owned assets, such as manufacturing facilities or warehouses

2. Non-owned assets, including those belonging to suppliers, sub-suppliers or customers

3. Critical infrastructure, such as power, communication or transportation networks

Owned and non-owned asset vulnerabilities are determined though damage functions embedded in the catastrophe models. These vulnerability functions are based on extensive field investigations of actual catastrophic events, calibrated through engineering judgment and billions of dollars of insurance claims data. These functions take into account site variables, such as building materials, structural systems, height, age and occupancy type. When site-specific data are not available, default functions are used that reflect country-specific data on building codes and regional inventories that provide the best representation of risk given the available information.

The vulnerabilities within external infrastructure systems such as power, water, gas and transport networks are generally beyond an enterprise’s control, but natural catastrophes and man-made events, such as terrorism, can cause significant damage and disruption to power and communication lines, rail networks, roadway bridges, ports, etc.

The infrastructure vulnerabilities are assessed by use of catastrophe models that reflect information gained from field experience and engineering surveys.

Supply chain risk simulation

This phase incorporates several components originating with the configuration of a facsimile of the identified network using a probabilistic supply chain simulation model. This process considers key assets and nodes within the network, throughputs and capacities, average inventories of critical components and/or products, multiple path resiliency and redundancies and infrastructure constraints. Once the network has been configured, an operational base case is then conducted with key performance metrics, including production, revenue, inventory levels, net income, etc., assuming no extreme events.

The next component involves “disrupting” the network configuration with sampled high consequence stochastic events from the probabilistic hazard model(s) to quantify the outcome of each event impact on the supply chain.

These simulations consider the operational dynamics of the network, as well as any mitigating or exacerbating conditions, to produce operational results at identified timeframes for each simulation. These operational impacts are then converted to financial impact metrics (i.e. revenue reduction, loss of profit). The financial results are combined probabilistically to produce loss exceedance results for business interruption and contingent business interruption for the respective supply chain, enabling loss estimation at critical return period levels (50, 100, 250, 500 year returns) and identification of existent “chokepoints” in the current network.

The final component comprises identifying and simulating potential mitigation or risk management strategies in the supply chain model, to arrive at adjusted operational and financial benefits of each strategy and their requisite cost/benefit.

Case study

This process was developed for a major electronics manufacturing company in Germany which was concerned about their natural hazard exposure following global expansion of operations over the previous five years. Raw materials were now coming from low cost suppliers in Asia and finished products from Germany were transported to newly acquired warehouse facilities throughout Europe.

The supply chain risk simulation process identified several critical chokepoints, which estimated their maximum potential business interruption exposure that would result from an earthquake affecting key infrastructure and two main suppliers in China or a major windstorm in Europe had now developed in excess of 300 million and 250 million euros respectively.

Several risk mitigation strategies were proposed and simulated in the model, including the selection of alternative suppliers outside the affected region and the strengthening of several key existing owned facilities.

The results of the effort demonstrated that a marginal investment cost (12 million euros) to implement the recommendations would reduce the business interruption and contingent business interruption exposure at the 100 year return period by 175 million euros thus helping to protect business continuity and company reputation.