S+B: Describe the state of corporate risk management today.
SHEFFI: Risk management is where some other corporate functions used to be in the ’80s. It’s a stand-alone, with people working in three separate parts of most companies. First, there are the business continuity people who, once every so often, come up with a plan that then sits on some shelf until it’s called for. Second, there are the security staff, who are basically the “guns, fences, and dogs” people. They decide who needs a pass to get in and out of the building, and when employees go to certain countries, they make the travelers read the CIA country reports and the latest State Department warnings.
Third, there is the information technology piece — securing firewalls, updating antivirus software, and recovering data if there is a disaster. Any modern corporation that loses its financial records, customer records, or transaction records will probably go out of business. But risk management strategists never had to spend a lot of time on this, because there’s an easy fix — build redundancy into information technology — and most companies have done it already. After 9/11, for example, most of the financial-services companies that were housed in and around the Twin Towers were able to start operating when the Exchange reopened a few short days after 9/11. They already had fully functioning trading floors and access to their records on the other side of the river, in New Jersey, with phones and computers, and they just went to work.
What worries me is that these three stand-alone functions are not incorporated in corporate strategies, not integrated with the business, and therefore not treated with respect within the corporation. They’re not a traditional way station on the path to the CEO office.
S+B: Why is that a concern? Why shouldn’t security be treated like any other overhead function?
SHEFFI: Because the traditional definition of security and business continuity is but a small part of true resilience. A real strategy to mitigate risk doesn’t just mean having better dogs and guards and electronic passes or business continuity plans in case disaster hits. It means that the entire company is more flexible up and down the supply chain. It means that suppliers, customers, the trucking companies they use, the forwarders they use, the customs brokers, and every vendor to every part of the business is being fully integrated with the enterprise and able to respond fast to changes.
To accomplish this, a company may have to redesign its products, redesign its processes, and keep doing it. It’s not a one-time event. We know that companies have to continuously look at the risks that they face, and that they need better tools to do it. Certain supply chain designs provide better flexibility and agility, and can respond more effectively when conditions change.
All of this requires people who are seen as critical within the company and potential leaders of the whole enterprise. They have to be business professionals who don’t just push for more investment in resilience, but who can balance security and resilience needs with the other goals of the enterprise.
S+B: You say that there are better supply chain designs. What do they look like?
SHEFFI: One important feature is interchangeable parts. Companies should avoid using parts that are engineered to purpose. Of course, that’s heresy to an engineer like me. We get our satisfaction from designing something that is 0.003 percent better than the other guy’s design, that is specifically designed for a specific purpose and does its job perfectly. But being “good enough” creates many benefits. It’s better if a part can be used for multiple products, because then it is easier to forecast the need for parts, since the manufacturing process depends less on the vagaries of the demand for any single product. Parts can be sourced from several suppliers because so many are needed, or they can represent a crucial business for a single supplier who will give greater attention to the company’s needs. The inventory turns for such interchangeable parts are higher, allowing for higher availability; and any problem with one of the products does not cause the company to be “stuck” with a special-purpose part that has no other use.