key: cord-1037081-xiwsk0rm
authors: Sheffi, Yossi
title: Modeling Risks in Supply Chains
date: 2018-09-28
journal: Finance and Risk Management for International Logistics and the Supply Chain
DOI: 10.1016/b978-0-12-813830-4.00003-4
sha: 5d8465c31b2ac7f410aa07470c3670362e708307
doc_id: 1037081
cord_uid: xiwsk0rm

This chapter discusses ways to identify, categorize, and assess risks in supply chains. It pays particular attention to the often hidden risks that can lurk deep within global supply chains. Using case studies, the chapter shows how companies assess and prioritize supplier risks, and it explains the underlying factors that give rise to deep-chain risks. The sweep of examples in the chapter shows that companies can model the likelihood and impacts of a wide range of risks to their facilities, suppliers, and logistics infrastructure.

mapping such disruptions according to their likelihood and potential impacts, so planning can be prioritized. The third section is focused specifically on supply risks, including explanation of modern alert systems. The fourth section describes the concept of value-at-risk in terms of the importance of certain suppliers and customers to the company. The fifth section characterizes supply-chain structure in terms of the potential risk they pose and the last section portrays industry trends in terms of their impact on supply-chain risks.

Before organizations can model risks for purposes of risk management, they need to examine the gallery of possible risks. Supply chains, with their complex global connections and diverse stakeholders, can have many failure modes. Disruptions might be tied to natural, negligent, or intentional causes. Disruptions might involve suppliers, workers, customers, competitors, the built environment, the natural world, governments, and nongovernmental organizations (NGOs). Root-cause events may strike a company directly, or they may strike a deep-tier supplier or a customer's customer.
Ash from a volcano in Iceland in 2010 grounded air traffic across the European Union and, consequently, devastated fresh food and flower exporters in Africa. A 2011 flood in Thailand inundated 877 factories (Baker & Lui, 2012), halted 30% of the hard-disk manufacturing industry (Punter, 2013) and caused billions of dollars in losses for the PC industry. A drought in the US Midwest in 2012 damaged crop yields, sent crop prices soaring, and hit food producers, especially meat and dairy producers (Taylor, 2012). Each year, nature can thwart companies dependent on the smooth operations of their global supply chains. In total, natural disasters created $380 billion in losses in 2011 (Losses, 2012). That year saw an especially severe litany of floods, hurricanes, earthquakes, and tsunamis. These events killed people, damaged property, disabled logistics infrastructure, and upended the lives of citizens and employees, and entire industries. Annual surveys of businesses (Business Continuity Institute & Zurich, 2009–2013) in 2009–2013 found that 50% of companies suffer supply-chain disruption from adverse weather in any given year. Weather is consistently the first or second most common cause of disruption. In addition to disruptions from adverse weather, about 20% of companies experience a supply-chain disruption from an earthquake or a tsunami in any given year. Disruptive accidents, often caused by lax safety measures, run the gamut from massive conflagrations to simple failures in critical pieces of equipment. An explosion at a German chemical factory, for instance, caused carmakers around the world to suddenly face potential disruptions of thousands of different parts used on every vehicle they made (Trudell, Kishan, & Naughton, 2012). When a barge on the Rhine River capsized, the river was closed for 20 days, delaying 450 barges and hindering the 170 million metric tons of goods shipped on the river annually (Havoc, 2011).
In a third example, a toymaker suffered a highly publicized recall of 1.5 million lead-tainted toys after a paint supplier to a contract manufacturer had to find a second source for pigments but did not have time for testing (Mattel's, 2007). Such accidents and safety violations can disrupt logistics infrastructure, manufacturing equipment, and the flow of goods or parts, undoing many years of reputation building and brand loyalty. Counterfeits and fraudulent substitutes also bedevil some supply chains. In January 2013 the Food Safety Authority of Ireland shocked Europe with an analysis of 27 hamburger products, 10 of which tested positive for horse DNA and 23 that tested positive for pig DNA (Smith-Spark, 2013). Electronics for the US military have likewise suffered from thousands of cases of counterfeit electronic components (Carson, 2011). In civilian aviation, about 520,000 counterfeit or unapproved parts make their way into planes each year, according to the Federal Aviation Administration (American Institute of Aeronautics and Astronautics, 2008). Whereas natural disasters occur regardless of the preparations and vigilance of companies, disruptions such as accidents, violations, and counterfeits are less likely for companies that become well prepared and attentive. Utilizing safety programs, intensive quality control, and prudence can reduce the likelihood of these problems. Nonetheless, the connectivity of supply chains and companies' dependence on shared resources such as key raw materials or key transportation lanes implies that even the most careful company can be disrupted by the imprudence and bad luck of others. Intentional disruptions come in many forms. In November 2012, for example, 400 office clerks walked out on their jobs at the ports of Los Angeles and Long Beach, thereby halting the movement of $760 million a day worth of goods. The 8-day strike held up an estimated $6 billion in shipments (What is, 2012).
In 2010, to protest the destruction of tropical forests for the farming of palm oil, Greenpeace raided Nestle's annual shareholders' meeting; activists dressed as orangutans stood outside Nestle's headquarters in Frankfurt, Germany, while other activists unfurled a banner inside the meeting itself (Greenpeace, 2010). Intentional disruptions include attacks on a company's assets or processes, with the goal of disrupting its operations or robbing it. These disruptions comprise criminal acts like cyber-disruptions (such as denial-of-service attacks and theft of customer data), cargo theft, extortion, kidnapping, embezzlement, sabotage, and corporate espionage, as well as legal actions such as labor strikes, management lockouts, and activist boycotts and protests. Intentional disruptions are fundamentally different from natural disruptions or accidents because they specifically target the least protected entity at the worst possible time. For example, in 2005, terrorists attacked the lightly guarded London subway and bus system rather than the more heavily secured Heathrow Airport. Beginning with Apple's iPhone in 2007, the rise of touchscreen smartphones coupled with app stores decimated the sales of previous mobile phone industry leaders such as Nokia, Blackberry, and Motorola. In the 1980s the fruits of the Toyota Production System outcompeted American carmakers on cost and quality (Pollack, 1994). In his groundbreaking book, The Innovator's Dilemma, Christensen (2011) lists many other examples of new products and business processes that disrupted existing ones, from the transistor radio to LCD TVs to steel minimills. Such innovations cause existing firms to cede their market leadership, lose profits, and even disappear. In 1997 a crash in the price of the Thai currency created a financial contagion that swept through Asian economies (IMF, 1998) and caused crises in financial markets in the United States, Europe, Russia, and Latin America (Timeline, 1997).
In 2008 a housing bubble led to a foreclosure crisis that threatened to collapse the world financial system like a house of cards. Marked contractions in credit supply and consumer demand triggered a global bullwhip as imports plummeted, causing contractions and bankruptcies throughout global supply chains. Nor are financial contagions the only causes of global crises. In 2003 severe acute respiratory syndrome appeared in Asia and rapidly spread to more than two-dozen countries on the wings of global air travel (CDC, 2003). Ten years later, health officials began monitoring a related disease, the Middle East respiratory syndrome (CDC, 2013). And in 2014 governments around the world took steps to stop the spread of the Ebola virus (Sun & Fairfield, 2015). Each year, health officials also worry that new strains of flu threaten to reenact the 1918 Spanish Flu pandemic that killed 50–100 million people worldwide (World Health Organization, 2013). In addition to the potential human toll, epidemic diseases threaten to curtail the free movement of people and goods that underpin global supply chains (Mass, 2003). Last, there are internal and external political upheavals. A dispute between the governments of China and Japan over the ownership of a group of uninhabited islands led to a Chinese boycott of Japanese goods, resulting in a 17% drop in value of Japanese exports to China between June and November 2012 (Perlez, 2013). Following a 2014 decision by China to move an oil rig into disputed waters with Vietnam, Vietnamese mobs ransacked foreign factories, causing manufacturers around the world to halt production (Sevatopulo, Peel, & Grant, 2014). In 2011, Spanish fruit and vegetable exporters lost €200 million/week after a food poisoning scare caused Germany to ban Spanish cucumbers (BBC, 2011). The growing interconnectedness of the global economy makes it increasingly prone to contagion.
The preceding anecdotes and surveys of business disruptions illustrate two key points that affect how companies prioritize risk management efforts. First, different disruptions have different degrees of impact. For example, a tsunami that sweeps a factory into the sea is more serious than a shortage of some part. Second, different disruptions occur with different frequencies or likelihoods. Adverse weather occurs more frequently than do major fires, epidemics, or disruptive innovations. Thus, many risk experts categorize potential disruptions by their impacts and their likelihoods, such as shown in the 2 × 2 matrix in Fig. 4.1. This stylized example shows where various hypothetical types of disruptions might lie on the four quadrants of impact and likelihood. The figure depicts events defined by causes (e.g., flood, wind damage, recession) as well as events defined by their supply-chain disruption (e.g., loss of key supplier, IT failure, and downed transportation link). Companies can estimate the impacts and likelihoods of disruptions using a range of historical, analytic, or subjective methods. The potential impact can be estimated in terms of days of sales, dollars of revenue loss, operating income reduction, brand diminution, stock price reduction, and/or loss of market share. Although the impact of a downed plant or supplier disruption may be the same regardless of the cause, estimating likelihood entails examining the possible causes of the disruption and the chances of each of them occurring. For any given business location, data and models regarding seismic activities, hurricanes, tornadoes, wind, and floods can be used to estimate a statistical distribution of frequency and severity of natural disasters for that location. Actuarial models of fires, accidents, crime, and other damage claims offer insight into the diverse risks to property and equipment in different geographies.
Analysis of political, social, and economic risks can elucidate some of the relative risks linked to facilities in different locations. Overall, these spatial models of risk can help estimate the chance of particular facilities in particular locations being damaged or impaired by any of a wide range of natural or man-made hazards. These location-based risk estimates underpin the organization's geographic risk footprint. In the absence of good data and rigorous estimates of impact and likelihood, however, some companies use more subjective scoring methods. For example, a large beverage company divides impact and likelihood each into five levels, creating a 5 × 5 matrix (rather than the 2 × 2 matrix shown in Fig. 4.1). Furthermore, they assign nonlinear numerical values to the levels. The company assigns a relative numerical score of 1, 3, 7, 15, and 31 to the five levels of impact (the horizontal axis) and a relative numerical score of 1, 2, 4, 7, and 11 to the five levels of likelihood (the vertical axis). The rationale for this pattern of levels is that impacts (e.g., "What happens if Supplier X can't ship for 2 months?") are often easier to assess than likelihoods ("What is the probability that something will disrupt Supplier X?") and therefore are given a higher weight. The company then multiplies the impact and likelihood numerical scores to compute a total risk score, which can range from 1 (for insignificant risks with both low likelihood and low impact) to 341 (for perceived "worst-case" risks with both high likelihood and high impact). This number is, in fact, a mathematical expectation of the damage from a disruption, and the assumption is that the higher the expectation, the more resources should be directed toward mitigation and resilience. The design of the scales also means that high-impact/low-probability events will have a higher risk score than high-probability/low-impact events.
As discussed later in this chapter, however, the worst-case disruptions may not be the highest-expected-value disruptions. Although Fig. 4.1 depicts each type of event such as "earthquake" as having a specific likelihood and impact, actual events range across a spectrum of likelihoods and impacts. In the average year, seismologists tally about 1300 earthquakes of magnitude 5–5.9, which are strong earthquakes capable of causing damage. They also detect an average of 134 earthquakes of magnitude 6–6.9, which are quakes that have 32 times the destructive energy but are about one-tenth as likely to occur as the magnitude 5–5.9 quakes. Finally, seismologists record about 15 quakes of magnitude 7–7.9, which are another 32 times more energetic and approximately another one-tenth as likely (USGS, n.d.). This multiplicative mathematical pattern of increasing destructive magnitude and decreasing likelihood is known as a power law distribution. The power law distribution is also known popularly as the 80/20 law, which posits that 80% of the damage comes from 20% of the events. As it turns out, many types of disruptive events (including earthquakes, volcanoes, hurricanes, tornados, floods, landslides, forest fires, power outages, and even man-made events such as terrorist activities, cybercrimes, wars, and commodity price volatility) generally follow a power law. Fig. 4.2 presents, for example, the cumulative number of events for earthquakes, hurricanes, and floods in the United States over a 90-year period versus the loss per event on a log–log scale (Ayyub & Amin, 2007). The overall priority of each risk depends on both impact and likelihood. As mentioned earlier, risk managers typically prioritize risks based on the expected value of the loss, which is impact multiplied by likelihood. In Fig. 
4.1 quadrant terms, the upper right corner high-impact/high-likelihood risks have the highest priorities, the lower left corner low-impact/low-likelihood risks have the lowest priorities, and both high-impact/low-likelihood and low-impact/high-likelihood risks have intermediate values. Expected value, however, may give a biased view on risks. Well-known high-impact/high-likelihood risks are often ones for which the organization has experience and well thought-out "playbooks." Each year, the Atlantic Basin brews up an average of 12 named tropical storms, including six hurricanes (Landsea, n.d.). The 600 manned oil platforms in the Gulf of Mexico face a high chance of disruption every year and have well-rehearsed procedures for shutting down production and evacuating personnel (Henry, 2012). Organizations plan for the expected (e.g., hurricane seasons) because their likelihood is historically high or they have seen them hit before. But the irony of using expected losses to prioritize risk is that it leaves the company open to high unexpected losses. Although airfreight companies in Europe had contingency plans for handling the shutdown of any airport in Europe, they did not expect the 2010 Eyjafjallajökull volcanic eruption that closed down almost every airport in Europe, disrupting a wide range of imports and exports such as green asparagus from the United States, fresh fruit from Italy, French cheeses to Asia, and car parts for global manufacturers. Thus, high-impact/low-likelihood risks may be more dangerous than their expected value implies because companies are less prepared to deal effectively with them. Of course, the term high-impact/low-likelihood is relative. As the power law indicates, the likelihood of specific very high-impact events may still be very small. Yet globalization has increased the length, breadth, and complexity of supply chains.
Although low-likelihood events are individually unlikely, global enterprises are now exposed to large numbers of unexpected events through all their complex and lean networks of suppliers. In other words, the probability that a specific disruption will take place in a specific supplier's facility on a specific day may be very small. Yet, the probability that something significant will happen somewhere in a global supply chain sometime during a given year may be quite high. "I have 14,000 suppliers. I guarantee that with 14,000 suppliers, at least one of them is not performing well today," said Tom Linton, chief procurement and supply-chain officer at Flextronics (personal communication, July 30, 2012). Supplier risk assessment can use the same models of likelihood and impact but evaluates these models on each of a company's suppliers, their facilities, and their inputs to the company. As mentioned earlier, disruption likelihood can be estimated using models based on past data for natural disasters, as well as qualitative estimates of political risks, labor relationships, and other man-made disruptions. The likelihood of disruption of a given supplier or supplier facility depends on the combined likelihoods of causes such as earthquakes, fires, labor strikes, and so forth. Supplier risk models also include two additional types of risks not typically modeled for the company's own facilities: bankruptcy risks and reputation risks. First, suppliers can go bankrupt. Macroeconomic changes such as the 2008 recession changed how companies model and monitor supplier risks. A manager at an energy company noted that, "Before the financial crisis, we didn't have a very professional assessment of our suppliers' financials; now we have a very good system working" (Blome & Schöenherr, 2011). In the case of suppliers that are listed on the stock market, quarterly financial reports offer data on financial conditions.
In the case of smaller, private suppliers, third-party assessments and supplier surveys provide such data. Specific functions within an enterprise may handle specific suppliers' risk assessment tasks, in collaboration with procurement professionals. For example, the finance department typically assesses the financial health of suppliers to estimate the risk of bankruptcy (by using methods similar to the financial risk scoring of customers) in order to decide appropriate payment and credit terms. Second, a different kind of supplier-related disruptive risk hits companies that operate on the demand side more so than the supply side. Even suppliers with a low likelihood or low impact of supply disruptions can still present significant risk if the supplier's actions (e.g., child labor, toxic emissions) can damage the reputation of the company. Reputation risk arises from a company's exposure to any supplier's corporate social responsibility (CSR) transgressions. For example, in 2007 Greenpeace attacked Unilever, Nestle, Kraft, and others over the use of palm oil linked to deforestation and loss of habitat for orangutans in Indonesia and Malaysia (The campaign, 2010). In 2010, ForestEthics began a campaign against US brand-name retailers and consumer goods companies, to pressure them to boycott fossil fuels derived from Canadian tar sands or oil sands (McDonnell, 2011). After the collapse of the Rana Plaza garment factory killed 1130 workers in Bangladesh in 2013, labor activists and NGOs renewed criticisms of Western apparel makers and retailers over suppliers' labor practices (Ross, 2015). As a type of intentional disruption, a company's risk of being attacked depends on the attackers' perception of the company's vulnerability to attack.
Consumer-facing companies are especially sensitive to brand reputation issues, which is why activists typically attack large consumer brand companies rather than the suppliers or middle-tier business-to-business companies that may be guilty of perceived social responsibility misdeeds. More importantly, unlike risks of supply disruption, which can be mitigated by using more suppliers, risks of reputation-related demand disruption grow as more suppliers are added. Although some supplier risk models assign a lower risk to dual or multisourcing because the chance of both or all suppliers being disrupted is lower than the chance of a single supplier being disrupted, at least two types of risks increase in likelihood if the company adds more suppliers. First, both Intel and GM are somewhat ambivalent, even circumspect, about dual sourcing because second sources can increase product quality or manufacturing yield risks even as they reduce supply disruption risks. Intel alluded to a kind of alchemy that enables unique, sole-sourced chemicals to do their magic. The chipmaker noted that second sources are never identical, which increases the risks of yield or quality problems. Similarly, GM likened the casting of metal to an art rather than a common process, which motivates GM to sole-source certain parts despite the risk. Second, CSR risks also worsen under multisourcing. The more suppliers a company has, the higher the chance that one of them (and it only takes one wayward supplier to create a problem) might get caught in a CSR scandal involving issues such as environmental damage, child labor, worker rights, or political issues. The UNIDO (2002) noted that larger companies often rationalize their supply chains to a smaller number of large suppliers that are easier to monitor. Tighter relationships with smaller numbers of suppliers can also help control other kinds of disruptive risks, making sole source less risky than a simple risk model might predict.
A supply chain's geographic risk map includes more than just the factories and warehouses of the company and its suppliers. Another significant geographic risk for global supply chains occurs in the logistical connections between geographically dispersed nodes of the company, its suppliers, and its customers. Although, in theory, shipments between any two points could take any of a large number of routes, creating a risk-reducing diversity of options, the economics of conveyances and distribution favor more concentrated hub-and-spoke topologies. The statistical distribution for the size of sea ports, for example, also follows a power law (Bichou, Bell, & Evans, 2014), implying that a small number of large ports carry an outsized fraction of all trade and create an outsized risk of disruption. The effects of an April 2010 eruption of a modest-sized ice-capped volcano in southern Iceland illustrate the diverse impacts of logistical disruptions. The eruption's resulting ash cloud forced the closure of major airfreight hubs such as Heathrow, Amsterdam, Paris, and Frankfurt for up to 5 days (Volcanic, 2010). In the United Kingdom alone, airfreight handled 25% of all imports (Wray & Wearden, 2010) and 55% of exports to non-EU countries (Lee, Preston, & Green, 2012). The disruption of these logistical linkages propagated to both suppliers and customers dependent on EU airfreight. In Kenya, during the 6 days of airport closures, thousands of tons of fresh flowers rotted in storage units and warehouses, representing a loss to the Kenyan economy of $3.8 million per day (Lee et al., 2012), which represented about 3% of Kenya's daily GDP (CIA, n.d.). Italian exporters of mozzarella and fruit lost about $14 million each day that flights were grounded. The Federation of Hong Kong Industries said hotels and restaurants in Hong Kong had shortages of Belgian chocolates and Dutch fresh-cut flowers (Iceland volcano, 2010).
Migros, the Swiss supermarket chain, noted disruptions in inbound supplies from Southeast Asia (tuna). Three BMW plants in Germany could not get inbound parts from Asia (Iceland volcano, 2010). And an inability to ship transmissions out of Europe disrupted production at BMW's US factory (Bell, 2010). Airfreight is not the only vulnerable mode and volcanoes are not the only risk that can disrupt bottleneck transportation hubs or routes. The Rhine River carries 16% of Germany's trade (Transatlantic Outreach Program, n.d.). Recurring droughts (More misery, 2009), an overturned barge in 2011 (Associated Press, 2011), and finding unexploded bombs from WWII (Day, 2011) have all created constrictions in freight volume on the river. In the United States, a quarter of all rail traffic and half of all intermodal rail traffic pass through Chicago, which ground to a standstill during a 1999 blizzard. "We basically waited for the spring thaw," said David Grewe, a supervisor for Union Pacific Railroad (Schwartz, 2012). Modeling these disruptions involves understanding the accidental, intentional, and weather-related seasonal factors that impede the flow of goods through key locations between facilities. Many risk models for both natural and man-made disruptions have a strong geographic component, which means the locations of suppliers' facilities are a prerequisite for modeling risk. One challenge with assessing location-related supply risks is that supplier master data in SAP, Oracle, or other enterprise resource planning systems generally includes only the suppliers' administrative addresses or headquarters, not the more crucial operational facilities. A second challenge is the dynamic nature of supply chains, with constant turnover in the supply base as well as the locations used by suppliers for any particular part. Mapping becomes even more challenging as a company tries to estimate risks from suppliers-of-suppliers and deeper tiers.
"We're trying to understand the subsupply chain wherever it is possible and where our suppliers will share that information," said Jackie Sturm, Intel's vice president and general manager of global sourcing and procurement. A major challenge is the natural reticence of suppliers, because the identity of a supplier's suppliers, the materials they procure, and the relationships between the companies are proprietary and are part of the supplier's competitive advantage. Moreover, as more companies attempt to map their supply chains, suppliers face administrative costs for responding to multiple requests for information. Risk-alert companies such as Resilinc, Elementum, Razient, and MetricStream represent a new generation of supply-chain software and services companies addressing these risk mapping issues. These companies survey a client company's suppliers to map them, and they keep suppliers' proprietary business data secure. The surveys cover risk management issues such as supplier facility locations, subsupplier locations, business continuity planning, recovery times, emergency contact data, conflict minerals, and other concerns. Then the service uses the client's bill-of-material data and value-at-risk (VaR) estimates (a measure of the potential loss to the company) for each product to cross-reference parts with mapped locations and identify high-risk parts. The software uses data on the supplier locations producing each part, the parts in each product, and the financial contributions of each product to estimate the VaR of each supplier location. These service providers can reduce the costs of supplier mapping and updating because the survey data can be pooled among multiple customer companies, which often have overlapping sets of suppliers. To systematically aggregate all this supply risk data, some companies use a multielement risk assessment or scorecard. 
For example, Boston Scientific Corporation, a manufacturer of advanced medical devices, uses what it calls a Risk Wheel to score event risks and aggregate them into an overall supplier risk probability index. The outer ring of the Risk Wheel lists potential disruptions such as service problems, delivery problems, quality problems, labor strikes, changes of ownership, bankruptcy, natural disasters, and so forth. The company scores each supplier on each risk using a qualitative five-level spectrum from green (very low risk) to red (very high risk). The middle concentric ring organizes risks into broader categories of disruptions (such as performance, human resources, financial) with a risk score aggregated from the risk scores of the events in the outer ring. For example, potential quality, delivery, and service problems in the outer ring are aggregated into a "performance" category of risks in the middle ring. The center is the aggregate risk score, called a risk probability index (Boston Scientific Corporation, 2007). This probability index is combined with the revenue-at-risk (described in the next section) for that supplier to determine the total exposure of the company to the supplier under consideration. Insurance company Zurich's supply chain risk assessment includes 23 risk grading factors, most of which reflect supply-side risks at three levels: (1) the supply-side industry, (2) the supplier, and (3) the supplier facility. Zurich's assessment uses a detailed risk evaluation of each key supplier. The evaluation includes 77 in-depth questions focused on seven areas: the relationship to the company, quality systems, risk management practices, labor and skill levels, operations details, physical environment, and the supplier's own supply chain.
Given that large companies can have thousands of suppliers providing tens of thousands of different subassemblies, parts, materials, software and services, many companies focus their risk modeling and risk management efforts on "key" or "critical" suppliers, defined by some metric. Supplier prioritization metrics can include the importance of the material to the company, the availability of alternative suppliers, the speed with which a change (in supplier or material) could take place, total "spend" (total amount of money given to that supplier in a time period), supplier location, or a more formal analysis of the supplier's financial contribution to the company's business. The vast majority of supply-chain risk managers within the companies surveyed by the Business Continuity Institute (81%) say they have identified all or almost all of their key suppliers, which is the first step in such an analysis (BBC, 2011). "Some supply chain professionals measure the importance of a supplier by the 'spend'," said Nick Wildgoose, global supply-chain product manager for Zurich Financial Services Group. Yet Gerry Smith, senior vice president of global supply chain at Lenovo said, "Companies shouldn't overlook the risk of losing a vendor that makes basic yet essential parts. The loss of either could result in a significant supply chain disruption" (Economist Intelligence Unit, 2010). For example, when the 2010 Iceland volcanic eruption closed European airports, Nissan's inability to fly $30 air pressure sensors from Ireland to Japan kept the carmaker from producing $30,000 Nissan Murano SUVs (BBC, 2011). Thus Wildgoose advises a supplier risk assessment "driven from a top-down approach: what is our most profitable product or service and which suppliers do we rely on to drive that" (Zurich, 2011). One such example is Cisco's Global Component Risk Management (GCRM) process. Cisco makes more than 10,000 products from more than 60,000 parts sourced from more than 1000 suppliers.
Only a relatively small number of these products, however, generate the majority of the company's revenue. These are the most critical products. By extension, some parts, and thus some suppliers, are more critical than others because they are used in those top products or in multiple Cisco products, which are together responsible for a significant fraction of Cisco's revenue. GCRM periodically assesses the risk of each such part based on its sourcing status (single vs multisourced), quality history, technology status (legacy vs new) and life cycle (new, continuing, end of life) (Harrington & O'Connor, 2009). The analysis is used to prioritize and prepare risk mitigation strategies for the risky parts.

This notion of the link between suppliers and products gives rise to supplier disruption risk models based on VaR that estimate the financial damage to the company from a supplier disruption. This method uses data from the Bill of Materials and Enterprise Resource Planning system to determine which products might be affected by a given supplier disruption, the fraction of production affected (if the supplier is not sole source), and the daily value of those products to the company as measured by metrics such as revenue, margin, market share, and so forth. Multiplying the duration of the likely supplier disruption in days times the daily value of impacted production (or sales) computes the likely financial hit from a disruption of that supplier.

Highly quantitative risk models such as VaR require a fair amount of data about products and suppliers, including estimates of the likelihood and duration of disruptions for each supplier. For some types of risks, a simple proxy can estimate the likelihood or potential impact and support prioritization.
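The VaR calculation described above can be sketched as follows. This is an added example, not a model taken from any company named in the chapter: the BOM rows, ERP figures, supplier names and disruption durations are constructed, and the rule that the lost fraction of a product equals the supplier's largest share of any one of its parts is a simplifying assumption (no buffer stock, no ramp-up by other sources).

```python
"""Supplier value-at-risk (VaR) from BOM and ERP data (added example)."""
from collections import defaultdict

# Constructed sample data. BOM rows: (product, part, supplier, share of that
# part's volume bought from the supplier, unit cost in $, units per product).
BOM = [
    ("SUV",   "pressure_sensor", "SensorCo", 1.00,  30.0, 1),
    ("SUV",   "seat_set",        "SeatCo",   0.25, 900.0, 1),
    ("SUV",   "seat_set",        "SeatAlt",  0.75, 900.0, 1),
    ("Sedan", "seat_set",        "SeatCo",   0.25, 700.0, 1),
    ("Sedan", "seat_set",        "SeatAlt",  0.75, 700.0, 1),
]
# ERP rows: product -> (units built per day, revenue per unit in $).
ERP = {"SUV": (100, 30_000.0), "Sedan": (200, 20_000.0)}
# Assumed duration of a likely disruption at each supplier, in days.
DISRUPTION_DAYS = {"SensorCo": 10, "SeatCo": 5, "SeatAlt": 5}


def affected_fraction(supplier, product, bom=BOM):
    """Fraction of a product's output that stops if the supplier stops.

    Assumption: a product needs every part, other sources cannot ramp up and
    there is no buffer stock, so the largest share the supplier holds of any
    one part is the fraction of production lost.
    """
    shares = defaultdict(float)
    for prod, part, sup, share, _cost, _qty in bom:
        if prod == product and sup == supplier:
            shares[part] += share
    return min(1.0, max(shares.values(), default=0.0))


def value_at_risk(supplier, bom=BOM, erp=ERP, days=DISRUPTION_DAYS):
    """Disruption days x daily revenue of the production the supplier affects."""
    daily = sum(units * price * affected_fraction(supplier, product, bom)
                for product, (units, price) in erp.items())
    return days[supplier] * daily


def daily_spend(supplier, bom=BOM, erp=ERP):
    """Money paid to the supplier per day of production."""
    return sum(erp[prod][0] * qty * cost * share
               for prod, _part, sup, share, cost, qty in bom if sup == supplier)


def rank(metric, suppliers=DISRUPTION_DAYS):
    """Suppliers ordered from highest to lowest value of `metric`."""
    return sorted(suppliers, key=metric, reverse=True)


if __name__ == "__main__":
    for s in rank(value_at_risk):
        print(f"{s:9} VaR ${value_at_risk(s):>12,.0f}  "
              f"spend/day ${daily_spend(s):>9,.0f}")
```

On this data the sole-source sensor supplier has the lowest spend and the highest VaR, which is the gap between spend-based and revenue-based prioritization that the Nissan sensor case illustrates.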
To quickly prioritize the risk of supplier bankruptcies during the financial crisis of 2009, Boston Scientific Corporation identified which components in its product portfolio came from sole source, single source, dual source, or multisource suppliers. The company defined "sole source" as meaning there were no other readily available sources of supply, which may be due to intellectual property issues, technology, a joint venture, or a contract (Boston Scientific Corporation, 2009). It defined "single source" as meaning there were other suppliers available but the company was currently buying from only one supplier for economic or convenience reasons. More restrictive sources were considered to be of potentially higher impact to the company.

The nature of the supplied part can modulate a company's estimates of impact because some parts are easier (or harder) to procure from alternative suppliers in the event of disruption of the primary supplier. Some materials are simple to procure, such as diesel fuel for trucks or 6061 aluminum alloy bar stock, because they are widely available commodities with standardized specifications and multiple suppliers. Such materials (and their suppliers) may be considered of lower risk, although examples later in this chapter will show how commodities can also be high risk. In contrast, some inputs require much more complex procurement cycles due to coordination with the supplier, engineering time for customized parts, lead time for tooling, costly validation of samples, auditing of the supplier, and so forth. Supplied inputs such as custom-molded parts, specialized machine tools, ultra-high purity chemicals, semiconductor chips, and branded ingredients may be expensive, time-consuming, or impossible to second source. In some cases, intellectual property issues, such as a trademarked ingredient or patented component, preclude a second source, forcing a company to reengineer its product to use another supplier's part.
Such products and their suppliers have higher risk because the duration of a disruption may be especially long if the company is forced to seek a second source.

Another procurement-related risk issue is the company's importance to the existing or alternative suppliers. If the supplier suffers a disruption, the supplier will likely prioritize its customers for resumption of supplies, and some customers may be low priority, creating a pecking order of customers defined by spend or strategic priorities. For example, both GM and Verifone depend on a variety of electronics industry suppliers. But many of those technology suppliers pay more attention to cell phone and computer makers, who tend to use the latest high-margin products. In turn, other vehicle-making companies such as Caterpillar (construction vehicles) and Deere (farm equipment) feel they play second fiddle to the large automakers, who are more important customers to vehicle component suppliers. Even the cell phone makers have a pecking order. For example, cell phone maker HTC "has had difficulty in securing adequate camera components as it is no longer a Tier 1 customer," one unnamed HTC executive told The Wall Street Journal (Luk, 2013). In essence, every company is a minor customer to some supplier, and that low-spend or low-priority situation adds to the likely impact of disruption.

Overall, given these diverse sources of supplier risk, companies use multifaceted models for modeling risk and prioritizing suppliers for risk mitigation. For example, Philips buys directly from about 10,000 Tier 1 suppliers and 30,000 service providers; therefore, it needs to focus its supplier risk assessment efforts. To this end, it classifies suppliers based on spend and procurement complexity, measured by factors such as geography, type of relationship, and business risk. In 2012, Philips identified 497 product and component suppliers and 97 service providers as "risky" using these parameters.
These are the suppliers that Philips audits routinely (Philips, 2012).

Yet modeling supply-chain risks on a supplier-by-supplier basis may miss certain kinds of very serious deeper risks. Models enumerating the risks to a company's facilities and its direct suppliers underestimate the total risk exposure of the company. A company's total exposure to risks of natural and human-made disasters (its total geographic risk footprint) extends far beyond these direct risks to its own facilities and direct commercial partners, including both suppliers and customers. Most manufacturers have visibility into their Tier 1 and possibly some Tier 2 suppliers, but they have little visibility into deep-tier suppliers. Typically, they do not even know who those suppliers are. A 2011 case example shows that these risks may be more pervasive than they appear.

The effects of the 2011 Japan earthquake on General Motors illustrate the significant risks lurking in the deeper supply chain. The March 11, 2011, magnitude 9 earthquake, tsunami, and Fukushima reactor disaster devastated the northeastern regions of the Japanese mainland. Although no GM facility was directly affected by the quake, the company was immediately concerned about potential disruptions to its 25 Japanese suppliers (out of a total of 18,500 Tier 1 suppliers), which GM's crisis team predicted could impact some 390 parts. The deeper the team dug, however, the greater the number of disrupted parts they found. Only 1 hour after the first meeting of GM's crisis team, they found another 100 disrupted parts from other suppliers, because some of GM's non-Japanese suppliers had Japanese suppliers. And some of GM's non-Japanese suppliers had other non-Japanese suppliers who had Japanese suppliers. And so on. "The list kept growing. And every day, it went up. It was a moving target for us," said Rob Thom, manager, global vehicle engineering operations at GM (personal communication, August 2012).
From the original 390 affected parts on March 14, the number grew to 1551 parts on March 24, to 1889 on March 29, and to a staggering 5329 on April 13. During the month after the quake, GM discovered an average of 160 disrupted parts each day.

GM's extensive use of electronics (sensors, microprocessors, displays, and actuators) in its cars made the company dependent on Japan's extensive electronics industry. Although a dashboard assembly or antilock brake module might be made in America, some of the components may have come from Japan. Yet electronics were not the only items containing "made in Japan" components or materials. GM soon discovered that almost every type of part on many different vehicles required something from Japan. Xirallic, a sparkly additive made by Merck and used in the paint for the Corvette, came from Japan. Special body trim plastics, rubber seals, and gaskets came from Japan. High-tech chrome plating on turbochargers came from Japan. Cooling fans, radiator caps, air conditioner compressors, and many more parts had some tie to Japanese suppliers. And each missing part raised the specter of halting production somewhere in GM's system.

Many companies use second sourcing or multisourcing to diffuse risk. Computer hard disks use standardized interfaces, making the items easy to procure and to second source (low procurement complexity). Moreover, in 2011, the hard disk industry had five large competitive suppliers to handle the volume (Arthur, 2011). But then torrential rains hit Thailand. Above-normal monsoons plus five tropical cyclones inundated the lowlands of central Thailand, displacing more than 2 million people, flooding 7510 factories, and damaging 1700 roads, highways, and bridges (Aon Benfield, 2012). The disaster also proved that second sourcing does not always mitigate risks. Central Thailand had become an economic cluster that was making 45% of the world's hard disks and their components (Shah, 2011).
Four of the five top suppliers of drives had facilities or key suppliers in Thailand that were disrupted by the flood. As a result, the global PC industry faced a 35% shortfall in disk supplies in the fourth quarter of 2011. The flood even affected Intel's sales of microprocessors because without enough disk drives, PC makers were forced to cut production, illustrating that a company's full supply-chain risk model might include its customers' other suppliers.

Economic clusters arise from a combination of natural economic feedback loops and government economic policy. (The mechanisms and impacts of these clusters are described in Logistics Clusters (Sheffi, 2012).) From a risk modeling perspective, clustering increases the vulnerability of companies that rely on products created by cluster members as suppliers or customers. The reason is that many types of disruption can have regional impact, which hits many suppliers in the same industry at the same time, making it more difficult to find alternative sources of supply when so many industry players are scouring the globe looking for the same things. "The floods in Thailand in the fall of 2011 showed us how dangerous it is when a component that is needed at manufacturing facilities around the world is mainly procured from only one region," said Martin Bellhäuser, head of governance framework at Siemens. "Many organizations are more or less forced to put all eggs in one basket because of the clusters of suppliers for various goods around the globe," said Damien Pang, regional manager, claims, at Allianz Global Corporate & Specialty Asia/Pacific (Allianz Global Corporate & Specialty, 2012).

North Korea's belligerent stance toward South Korea threatens 78.5% of the global DRAM market (Eadicicco, 2013). Similarly, Japan makes 100% of the world's supply of protective polarizer film for LCD displays, 89% of aluminum capacitors, and 72% of silicon wafers (Marsh, 2011).
Four companies in Japan have a near-monopoly on digital compasses, which are the tiny magnetic field sensors that sit inside almost every new phone, tablet, laptop, and navigation system device (Global MEMS, 2011).

That a disaster the magnitude of the 2011 Japan quake had such far-reaching indirect disruptive effects is not surprising. Clearly, many companies depended on Japanese suppliers for many components. Yet some supply chains contain a very specific, deeply hidden indirect risk.

On March 31, 2012, a tank filled with highly flammable butadiene exploded in Evonik Industries' cyclododecatriene (CDT) plant in Marl, Germany, killing two workers (Reisch, 2012). CDT sounds like an obscure chemical, and the fact that it is used to synthesize cyclododecane, dodecanoic acid, and laurolactam may mean nothing to most readers. But CDT is a key ingredient in making PA-12, also known as nylon-12, used for automotive parts, solar panels, athletic shoes, ski boots, optical fibers, cable conduits, and flame-retardant insulation for copper wire. CDT is also a key precursor for making many other chemicals, such as brominated flame retardants, fragrances, hot-melt adhesives, and corrosion inhibitors.

Whereas Japan's 2011 earthquake, tsunami, and nuclear reactor disaster devastated a region, directly impacted thousands of businesses, and dragged on for weeks, the Evonik fire damaged only one part of one factory and the fire was extinguished in half a day. But the Evonik explosion destroyed almost half the world's production capacity for CDT. Worse, at the time of the explosion, CDT supplies were already tight due to the use of nylon plastics in the booming solar panel industry. Because Evonik was so deep in the supply chain, many users of PA-12, such as automakers, were initially unaware of the event.
Yet the effect of the Evonik fire would prove to be very large, jeopardizing supplies of 2000 parts at GM, which was one-third the number of parts that had been disrupted by the far larger Japanese disaster. The impact of Evonik was so large because GM (and other automakers) used PA-12 plastic for a wide range of parts such as fuel lines, brake lines, plastic gears, and housings. The average light vehicle in 2011 used more than 46 pounds of nylon, up from just 7 pounds in 1990 (American Chemistry Council, 2016).

The typical diagram of a supply chain shows original equipment manufacturers (OEMs) perched at the top of a pyramid supported by a fan of suppliers, with more suppliers below them and a reassuring broad base at the bottom. Yet the Evonik example shows that although companies may have many suppliers, some parts of the supply base may converge to a single key supplier at a deeper layer, forming a diamond-shaped supply-chain pattern. The 2011 Japan quake revealed many of these supply-chain diamonds in esoteric but essential chemicals such as bismaleimide triazine (epoxy resin for chip making) (Gartner, 2011), polyvinylidene fluoride (in lithium ion batteries) (Sanchanta, 2011), and ethylene propylene diene monomer (rubber gaskets and seals). "What we've found is that in Tiers 3 and 4, the convergence of underlying raw material supply starts to become really significant," said Intel's Sturm (personal communication, July 31, 2012). Economies of scale can drive consolidation of supply sources deep in the industrial base of supply chains.

A company's commercial connections extend all the way to raw natural resources. Thus, a company's geographic risk footprint depends on the geographic distribution of these natural resources, such as minerals, agricultural products, and fossil fuels. Although many natural resources have a broad base of supply, some key materials are not so widely sourced.
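The diamond-shaped convergence and the regional clustering described above can both be checked by propagating failures through a multi-tier sourcing graph. The following is an added example, not the chapter's or any company's model: the graph, supplier names and regions are constructed, and it assumes a buyer halts as soon as any one of its inputs has no working source.

```python
"""Failure propagation through a multi-tier supply graph (added example)."""
from collections import deque

# Constructed sample data. SOURCES[buyer][input] lists the suppliers that can
# provide that input; a buyer needs every input from at least one live source.
SOURCES = {
    "OEM": {"fuel_line":  ["T1_FuelLine_A", "T1_FuelLine_B"],
            "brake_line": ["T1_BrakeLine"],
            "seat_frame": ["T1_Seats"]},
    "T1_FuelLine_A": {"tubing": ["T2_Extruder_X"]},
    "T1_FuelLine_B": {"tubing": ["T2_Extruder_Y"]},
    "T1_BrakeLine":  {"tubing": ["T2_Extruder_X", "T2_Extruder_Y"]},
    "T1_Seats":      {"steel":  ["T2_Steel_1", "T2_Steel_2"]},
    "T2_Extruder_X": {"resin": ["T3_Resin_P"]},
    "T2_Extruder_Y": {"resin": ["T3_Resin_Q"]},
    "T3_Resin_P":    {"precursor": ["T4_Precursor_Plant"]},
    "T3_Resin_Q":    {"precursor": ["T4_Precursor_Plant"]},
}
# Constructed locations, used for the regional-cluster case.
REGION = {"T2_Steel_1": "Cluster_R", "T2_Steel_2": "Cluster_R",
          "T4_Precursor_Plant": "Region_G"}


def tiers(root, sources=SOURCES):
    """Map each upstream supplier to the tier at which it is first reached."""
    depth, queue = {root: 0}, deque([root])
    while queue:
        buyer = queue.popleft()
        for srcs in sources.get(buyer, {}).values():
            for s in srcs:
                if s not in depth:
                    depth[s] = depth[buyer] + 1
                    queue.append(s)
    del depth[root]
    return depth


def halted_by(disrupted, sources=SOURCES):
    """All nodes unable to produce once the `disrupted` suppliers are down."""
    down = set(disrupted)
    changed = True
    while changed:  # iterate to a fixed point: failures climb tier by tier
        changed = False
        for buyer, inputs in sources.items():
            if buyer not in down and any(
                    all(s in down for s in srcs) for srcs in inputs.values()):
                down.add(buyer)
                changed = True
    return down


def lost_inputs(root, disrupted, sources=SOURCES):
    """Inputs of `root` left with no working source after the disruption."""
    down = halted_by(disrupted, sources)
    return sorted(i for i, srcs in sources[root].items()
                  if all(s in down for s in srcs))


def single_points_of_failure(root, sources=SOURCES):
    """Suppliers whose loss alone halts `root`, mapped to their tier."""
    return {s: t for s, t in tiers(root, sources).items()
            if root in halted_by({s}, sources)}


def tier_widths(root, sources=SOURCES):
    """Number of distinct suppliers per tier; a shrinking tail is a diamond."""
    counts = {}
    for t in tiers(root, sources).values():
        counts[t] = counts.get(t, 0) + 1
    return [counts[t] for t in sorted(counts)]


def region_outage(region):
    """Suppliers located in `region` (the set to pass to halted_by)."""
    return {s for s, r in REGION.items() if r == region}
```

In this constructed graph the dual-sourced fuel line still fails when the single Tier 4 plant goes down, and the dual-sourced steel fails when both mills sit in the same region; neither exposure is visible from the Tier 1 supplier list.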
For example, rare earth elements are a set of 17 metals that play a crucial role in many automotive, electronic, and high-tech applications. Rare earths go into iPhones, electric cars, wind turbines, solar cells, jet engines, fiber optics, hard-disk drives, compact fluorescent bulbs, and many other products (Cho, 2012). China produces 95% of these elements and in July 2010, the country restricted exports of them, which cut off many companies that make products using these materials (Bell, 2012).

China's 2010 rare earth export policy was but one of many examples of what is called resource nationalism, in which governments restrict the availability of commodities produced within their borders. Besides export restrictions, special taxes on mining are another kind of resource nationalism. Countries that announced or enacted increases to taxes or royalties during 2011 and 2012 include major producers such as Australia, China, Democratic Republic of Congo, Indonesia, Ghana, Mongolia, Peru, Poland, South Africa, and the United States (Ernst & Young, 2012–2013). Some 33% of companies in a 2011 World Economic Forum survey ranked "export/import restrictions" as "most likely to provoke significant and systemic effects on supply chain or transport networks" (World Economic Forum, 2012).

Although the scarcity of rare earths or precious metals may not be surprising, other base metals such as aluminum, titanium, manganese, and cobalt could see worsening imbalances of supply and demand in the future (Kirchain, 2012). Such imbalances may create disruptions because some countries' supply chains can be heavily dependent on imports. For example, the United States is more than 90% import reliant for many key minerals such as manganese (100%), bauxite for aluminum (100%), platinum (94%), and uranium (90%) (Humphries, 2013).
Other material scarcity stress points in global supply chains include indium (used in computer display panels), silicon (chips and solar power), and wood fiber (paper, furniture, biofuel) (Kirchain, 2010).

"The world is so connected that the feedback loops are more intense. Our supply chains are global. Our financial markets are global. So uncertainty in one part of the world infiltrates all parts of the world. These days, there are things that just come shooting across the bow – economic volatility and the impact of natural events, like the Japanese earthquake and tsunami – at much greater frequency than we've ever seen," said Ellen Kullman, CEO of DuPont (Kirkland, 2012).

Modeling risks in supply chains includes some consideration of the trends that might drive risks higher or create new and unexpected risks. A leading driver of this growing vulnerability is the rapid growth of global trade. Global merchandise exports surged from $7.38 trillion in 2003 to $18.49 trillion in 2014, implying that more companies are dependent on geographically distant suppliers and customers (World Trade Organization, 2015). Rapidly declining costs of communications and growing efficiency of logistics are enabling all this trade, with the resulting spatial spreading of supply chains. Companies can more readily work with geographically dispersed facilities, suppliers, and distribution centers on the other side of the world (and become exposed to all the risks associated with those remote locations). Meanwhile, their suppliers are pursuing similar outsourcing and global business strategies, exponentially expanding the total geographic risk footprint of every company.

A second driver of spreading geographic risks is the growing complexity of products. For example, automobiles now contain between 30 and 100 microprocessors, with each subsystem of the car having its own controller and software (Charette, 2009; Turley, 1999).
And new technology means more than just electronics; products now rely on a growing variety of engineered materials, additives, pigments, and treatments that enable high efficiencies, performance, and market acceptance. "Twenty or thirty years ago electronics were being made with 11 different elements. Today's computers and smartphones use something like 63 different elements," explained Thomas Graedel, a professor of geology and geophysics at the Yale School of Forestry & Environmental Studies (Paramaguru, 2013).

With product complexity comes the need to use more suppliers, who, in turn, may use more suppliers, leading to more complex supply chains. Companies often have little knowledge of these deep-tier suppliers and, in most cases, have almost no influence over them to demand more resilience or adherence to any code of conduct. This trend causes the geographic risk footprint of a company to expand beyond its own facilities to encompass the facilities of distributors and customers downstream in the supply chain as well as suppliers, at multiple tiers, upstream. Accordingly, significant supply-chain disruptions are inevitable.

The historical statistics of big, rare events hide a curse. No matter how bad the last "big one" was, a bigger one is inevitable. As history rolls onward, the list of major disruptions grows skyward. The next "bigger one" may take a long time to materialize, or it could happen tomorrow; but, unfortunately, the unlikely is not the impossible. With a growing global population and a growing global economy, the biggest disaster will always lie somewhere in the future.

Taleb (2007) popularized the concept of very large and unexpected disruptions called "black swans." These events arise and shock everyone, especially the experts, who are blinded by flawed reasoning about seemingly unprecedented events.
The central fallacy that creates black swans ignores the fact that a lack of evidence of a possible disruption does not constitute evidence of lack of that possible disruption. Events such as the 9/11 terrorist attacks and the 2008 financial crisis are often cited as examples of these kinds of disruptions. By definition, the likelihood and impacts of a black swan are underestimated (or never estimated) under the mistaken belief that the event cannot happen, or because its possibility is not even conceived of. Black swans reflect a deeper kind of uncertainty than standard likelihood models because experts misjudge the likelihood of a black swan risk to be zero when, in fact, it is not. In essence, even the most thorough risk model misses some risks.

The sweep of examples in this chapter shows that companies can model the likelihood and impacts of a wide range of risks to their facilities, suppliers, and logistics infrastructure. Yet the examples also highlight the limitations of these models in terms of availability of fine-grained data on suppliers, especially those with no direct relationship with the company. Nonetheless, even if exact quantitative models are not practical, companies can understand and prioritize risks at a qualitative level. A company can understand such risks through a deeper understanding of the company's dependency on particular categories of deep supply-chain structures such as those related to natural resources (geographic concentrations, price volatility, environmental reputation risks), labor in developing countries (geopolitical and reputation risks), and technological or specialty materials produced by a very narrow or clustered supply base. Although black swans cannot be pinpointed, their nesting spots in the global economy can be considered, enabling companies to think about both obvious and less obvious risks.
Long-term trends such as climate change, political upheaval, new technologies, urbanization, and many other mega-trends mean that the world can expect many more significant disruptions. At the same time, companies and governments are beefing up their defenses and their planning. Thus the research community has to keep up with both the risks and the responses (as well as the business opportunities hidden in many disruptions), helping laggard companies be better prepared. An area that can benefit from further research is the development of risk metrics and indices, helping companies assess suppliers, regions, network nodes, and customers in terms of the risk they pose. Such metrics have to be continuously updated, automatically, based on the ever-changing environment.

Managing disruptions Plastics and polymer composites in light vehicles Dealing with counterfeit and malicious hardware Thailand floods event recap report Thailand devastating floods are hitting the PC hard drive supplies, warn analysts. The Guardian Acid tanker capsizes on Rhine in Germany Handbook of energy efficiency and renewable energy Thailand flood: A case study Spain seeks compensation for E. coli blame China's rare Earth metals monopoly needn't put an electronics stranglehold on America Volcano disrupts BMW supply chain to SC. The State Risk management in port operations, logistics and supply chain security Supplier risk management program. Presentation at northeast supply chain conference Managing supply chains during turbulent times. Presentation at MIT CTL's crossroads 2009 conference. Cambridge, MA. Business Continuity Institute and Zurich Supply chain resilience: BCI survey report Supply chain resilience 2012 Supply chain resilience Bogus U.S. military parts traced to China About severe acute respiratory syndrome (SARS) Middle East respiratory syndrome (MERS) This car runs on code Rare earth metals: will we have enough?
The innovator's dilemma The world fact book War bombs cause chaos on Rhine Korean conflict could nuke your next phone, experts say. Laptop Magazine Resilient supply chains in a time of uncertainty Business risks facing mining and metals Japan earthquake will cause shortage of BT resin in electronics supply chain Global MEMS industry is relatively unaffected from Japan quake aftermath Greenpeace protests at Nestle shareholder meeting How Cisco succeeds. Supply Chain Management Review Hurricane Isaac shuts down oil production in the Gulf Rare earth elements: The global supply chain. Congressional research services report for Congress World economic outlook: The Asian crisis: Causes and cures Building supply chains that deliver sustainability. Presentation at MIT CTL crossroads 2010 conference Supply chains in transition. Presentation at MIT CTL crossroads 2012 conference Leading in the 21st century: An interview with Ellen Kullman How many tropical cyclones have there been each year in the Atlantic basin? National Oceanic & Atmospheric Administration FAQs Preparing for high impact, low probability events: Lessons from Eyjafjallajokull Worldwatch Institute HTC delays launch of new phone Industry left high and dry. Financial Times Mattel's Fisher-Price recalls 1.5M toys There's no hiding from tar sands oil More misery for Rhine shippers as drought continues Rethinking our risky reliance on rare earth metals As dispute over island escalates, Japan and China send fighter jets to the scene Annual report Japan to end restraints on auto export to U.S Explosion at German chemical plant kills two Bringing labor rights back to Bangladesh. The American Prospect Chemical reaction: iPod is short key material Freight train late? Blame Chicago Vietnamese mobs ransack foreign factories in anti-China violence. 
Financial Times Thailand floods hard-drive shortage makes small PC makers hike prices The resilient enterprise: Overcoming vulnerability for competitive advantage Logistics clusters: Delivering value and driving growth The power of resilience: How the best companies manage the unexpected Meat industry under scrutiny as horsemeat scandal spreads How the speed of response defined the Ebola crisis The Black Swan: The impact of the highly improbable The drought of 2012. The Atlantic The campaign against palm oil: The other oil spill PBS frontline Germany's Transport System Auto supplier warns of resin shortage disrupting output Embedded processors by the numbers. Embedded Systems Programming Corporate social responsibility: Implications for small and medium enterprises in developing countries What is the economic impact of the Los Angeles/Long Beach port strike? New models for addressing supply chain and transport risk International trade statistics Flight ban could leave UK short of fruit and veg. The Guardian Avoiding the pitfalls of supply chain disruptions. Insights: Supply Chain Risks