The Technology Asset Protection Association (TAPA) is another example. Millions of dollars in Intel chips were routinely stolen as they were being shipped through airports. So a group of about 500 companies — Intel, Sun Microsystems, and others — formed TAPA to share their wisdom on freight and cargo security. They looked for better ways to audit truck lines, steamship lines, and other transportation suppliers. It started with antitheft, and after 9/11 it became antiterrorism. TAPA worked closely with local authorities in Great Britain to nail the gangs that were orchestrating the Intel chip heists. It’s thanks in part to TAPA that Heathrow Airport is no longer known as Thiefrow.
The U.S. Bureau of Customs and Border Protection actually adopted TAPA’s 70-point security checklist when it came up with its Customs-Trade Partnership Against Terrorism program. C-TPAT asks companies to comply with certain guidelines and share certain data in exchange for moving their shipments through U.S. ports faster. Using that information, C-TPAT seeks to identify outliers from certain established patterns of shipment. C-TPAT–certified companies agree to implement certain security processes themselves and to demand that their suppliers do the same. The rewards for certification are significant: It can cut the pass-through time for companies from two weeks to two days. That in itself was enough of a draw for fashion companies, like Limited Brands (the parent of Victoria’s Secret and other brands), to be active partners with the government.
S+B: You’ve described where we are now in terms of risk management. What does the ideal state look like?
SHEFFI: In an ideal world, risk can be quantified. The quantification of risk will always involve uncertainty, because we’ll only be able to point to the probability of something going wrong. But having metrics that are continuously updated to reflect the state of the world will lead to better-informed decisions. You won’t decide to go to China just because your competitor’s going there. You’ll do your analysis, understand how such a move will increase your risks, and maybe put some reserves against it or increase your safety stock.
I’ll give you an example. In 1998, Hurricane Mitch destroyed Unilever’s Q-tip plant in Puerto Rico, which was responsible for half the Q-tip supply to North America. Unilever decided not only to rebuild that plant, but, to cut costs, to move 100 percent of their production there. They realized that they were taking on more risk, so they increased their inventory. Now they keep 10 percent more safety stock in the United States. Accounting for the increased risk means more inventory, which means higher costs, but in the final analysis Unilever deemed the move justified.
That kind of decision is based on the kind of holistic analysis that you usually don’t find in corporations. You know why? In many cases, manufacturing and inventory management are two separate functions in the organization.
I’d like to see organizations doing holistic analyses of the total risk to the enterprise more often. Because, in many cases, mitigating one risk creates another. For example, companies may disperse operations in order to avoid a concentration risk where a single point of failure can shut down the entire enterprise. This creates another risk: increasing reliance on communications, which creates vulnerability to communication system failures.
Ralph Lauren pushes all its garments for the North American and European markets through a distribution center in High Point, North Carolina. The garments might go from China through the port of Los Angeles, on to North Carolina, and then back to a store in L.A. They do this to protect the brand by ensuring that all stores get a new product on exactly the same day. But if something happens to this distribution center, the company may find it difficult to recover quickly. So while they worry about managing reputation risks, they create another kind of vulnerability. Companies often push risk from one division to another and from one type of operation to another, rather than try to have a holistic understanding of it throughout an enterprise or supply chain.