The biggest problem in supply chain risk management

What do supply chain risk management and SatNavs have in common?

I’ll tell you a story that I am sure will resonate. It didn’t happen to me but it might have. And to you as well. Or maybe it has!

A tourist ended up on a five-and-half-hour drive halfway across Iceland after the GPS he used led him to the wrong address.

Noel Santillan, from New Jersey, had just flown in from the US and was supposed to be staying at a hotel in Reykjavík. However, the instructions on the GPS took him 266 miles (428km) away to Siglufjörður, a tiny fishing village in the north of the country.

According to The Reykjavík Grapevine, the mistake came about because Santillan inputted the address for Hotel Fron, which is located in Laugarvegur, Reykjavík.

Coincidentally, the village of Siglufjörður also had a road named Laugarvegur - the destination that he was directed to. This meant that the journey, which should have taken just under an hour, ended up being five-and-half-hours long.

I would have done the same, all those random consonants are very confusing.

What’s this got to do with Supply Chain risk?

Believe it or not, this type of data mishap is one of the biggest problems risk managers, brokers and insurers face when trying to come up with a solution for managing and transferring supply chain risks.

Supply chain risk assessment starts with supply chain mapping. Supplier locations need to be correctly reported and desk-top assessed to make sure weak links and obvious exposures are identified.

A classic example is mapping your key suppliers to determine the potential for aggregation of natural catastrophes exposures.

Once you have a list of accurate addresses, you can, for example, plot the locations on maps to establish whether or not there are potential exposures from flood, earthquake, hail and other perils.

The key word in the sentence above is “accurate”.

”Supply chain risk assessment starts with supply chain mapping.”

How well do you know your suppliers? Do you know them all, deep down in the chain, across all the tiers?

Having a list of company names and addresses is a good start, but is this list reliable? Under how many different names does the same supplier appear in your register?

Let’s assume you have also carried out a supply chain business impact analysis, where you have mapped your key revenue streams and key products and identified a few key suppliers or third-party contract manufacturers that are driving the majority of your revenues.

Say, for instance, you now know that a particular supplier is responsible for £50 million of your company’s revenues.

As a risk manager, you may feel safe because you checked the address they have provided and you know it’s not in a flood or hurricane-prone area.

You have decided that you want your insurer to visit it (actually you want to go there yourself to establish whether their risk management programmes are up to scratch) but you think this can wait a few months.

”How well do you know your suppliers? Do you know them all, deep down in the chain, across all the tiers?”

The problem though, is that they have reported their headquarters office address rather than the address of their manufacturing plant. And you have allocated those £50 million to a bunch of computers on the 32nd floor of a skyscraper in New York, rather than where that money is actually generated.

Not only that: you have also provided your insurer with the same information, so they covered the same bunch of computers and desks for £50 million, but not the plant, for which there is only a nominal, “unscheduled locations” cover which excluded natural hazards.

And as you realise this, the plant is being battered by high winds and leaking everywhere. Because it’s in Puerto Rico.

Like Noel, you have ended up miles away from the right spot in your risk management journey.

Never mind suppliers, these considerations are actually also valid for your own organisation’s locations. Think about when you are collecting values for your annual insurance renewal.

”Don’t take data for “granted”. Do your own due diligence.”

Another classic example is multiple entries for the same location. You may fail to identify a large revenue-generating location because it was reported as 4 different entries with 4 different addresses, for example, the 4 side entrances of a large, rectangular building.

The values may have been reported under 4 different names, representing different subsidiaries or divisions of the same company.

While the addresses may be correct this time, partial business interruption values may be allocated to each of such entries, so this location would fail to show when sorting the locations by value.

So accuracy, consistency and reliability of data is the most important thing.

“Data” is the plural of “Datum”, a Latin word that means “given”. Something that is given to you to use, something that is “granted”.

But here’s the advice: don’t take data for “granted”. Do your own due diligence.

You can use the most powerful AI tools on the planet, but remember: your analysis is as good as your data. Garbage in means garbage out.

Adriano Lanzilotto helps risk managers, CROs and insurance buyers assess and manage their property risks, optimise their risk transfer strategies, raise their profile within their organisations and make their businesses more resilient.