Supply Chain Security Management (SCSM) and Business ... - ecr-uvt

Supply Chain Management for Efficient Consumer Response 

Conference 

31 May 2012 

Valahia University of Targoviste, Romania 

SCM 4 ECR 

Supply Chain Security Management 

(SCSM) and 

Business Continuity Management(BCM) 

Virgil Popa 

Valahia University of Targoviste

Typical Disruption Framework 

© SCM 4 ECR Conference 2013 Virgil Popa

Supply chain disruption 

A supply chain disruption is an unintended , 

untoward situation, which leads to supply chain risk . 

For the affected firms, it is an exceptional and 

anomalous situation in comparison to every-day 

business . Supply chain disruption can materialize 

from various areas internal and external to a supply 

chain . Consequently , their nature can be highly 

divergent. 


Supply chain risk 

It is defined as the negative deviation from the 

expected value of a certain performance measure , 

resulting in negative consequences for the focal firm. 

Hence , risk is equated with the detriment of a supply 

chain disruption. The authors explicitly adopt the 

notion of risk as purely negative as the one that 

corresponds best to supply chain business reality. As 

a, consequence they do not consider either ‘happy 

disasters’’ nor the situation where managers 

intentionally ‘gamble’ on risk. 


Supply Chain Risk examples 

Potential Risks to an Organization and Its Supply Chain 

External, End-to-End Risks 

• Natural disasters 

• Accidents 

• Sabotage, terrorism, crime, war 

• Political uncertainty 

• Labor unavailability 

• Market challenges 

• Lawsuits 

• Technological trends 

Supplier risks 

• Physical and regulatory risks 

• Production problems 

• Financial losses and premiums 

• Management risks 

• Upstream supply risks 

Distribution Risks 

• Infrastructure unavailability 

• Lack of capacity 

• Labor unavailability 

• Cargo damage or theft 

• Warehouse inadequacies 

• IT system inadequacies or failure 

• Long, multi-party supply pipelines 

Internal Enterprise Risks 

• Operational 

• Political uncertainty 

• Demand variability 

• Personnel availability 

• Design uncertainty 

• Planning failures 

• Financial uncertainty 

• Facility unavailability 

• Testing unavailability 

• Enterprise underperformance 

• Supplier relationship management 


Supply chain risk management framework 


How to create a resilience supply chain 

Mapping & 

critical path 

analysis 

Supply Chain 

risk registrer 

Real options 

thinking 


understanding 


desing 

principles 

Efficiency 

vs 

redundancy 


Reengineering 

Resilient 

Supply 

Chains 

Sourcing 

decissions & 

criteria 

Collaborative 

planning 

Supply base 

strategy 


Collaboration 

Supplier 

developement 


intelligence 

Establish supply 

chain continuity 

teams 

Create a Supply 

Chain risk 

management culture 

Board-level 

responsibility 

& leadership 

Agility 

Factor risk 

considerations 

into decision 

making 

Visibility 

Velocity & 

Acceleration 


Resilient company 

A resilient company is able to better support the 

unpredictability of the global trade obtaining a 

competitive advantage, being able to make up more 

quickly than the competitors when a catastrophe hit it. 


Supply chain collaboration 

A high level of collaborative working across supply chains can help significantly to 

mitigate risk. The challenge is to create the conditions in which collaborative working 

becomes possible. Traditionally supply chains have been characterized by arms-length, 

even adversarial, relationships between the different players. There has not been a 

history of sharing information either with suppliers or customers. More recently 

however there have been encouraging signs that a greater willingness to work in 

partnership is emerging in many supply chains. In the fast moving consumer goods 

(FMCG) industry there is now significant collaboration between manufacturers and 

retailers in the form of Collaborative Planning, Forecasting and Replenishment 

(CPFR) initiatives. 


Supply Chain Security Management 

Security of the supply chain has always been a concern of 

transport, logistics and manufacturing companies. Concerns about 

theft, damage and shipment integrity intensify as the value per pound of 

cargo increases. Add the threat of organized crime, piracy and terrorism, 

and security pf the supply chain becomes critical to business survival. 

Security, its demands and constraints, constitute obstacles (logical 

and physical barriers) in the flow of supply and distribution. These “barriers” 

created by a perceived increased need for security, or political reasons, 

reduce the reaction capacity and the physical and economical 

performance of the company. Integrating the security dimension into the 

logistics strategy, organization and operations has become a new challenge 

for supply chain management. 


Protecting and Securing the Supply Chain 

Supply chain security is essential from two perspectives: 

First, firms need to prevent loss from theft or damage. 

Second, they need to prevent unauthorized intrusion into 

shipments that could enable insertion of contraband (drugs, 

weapons, bombs, human trafficking, counterfeit goods, etc), 

loss of intellectual property or technology contained in the 

shipments, and tampering (insertion of harmful elements such 

as poisons or "Trojan horses" in computing goods). 


Physical security. Suppliers, shippers, and logistics partners 

should have physical-security deterrents to prevent unauthorized 

access to their facilities and all cargo shipments. Such features may 

include perimeter fencing, controlled entry and exit points, guards or 

access controls, parking controls, locking devices and key controls, 

adequate lighting, and alarm systems and video-surveillance 

cameras. 

Access controls. Access controls must prevent unauthorized 

entry to facilities, maintain control of employees and visitors, and 

protect firm assets. They should include the positive identification of 

all employees, visitors, and vendors at all points of entry and use of 

badges for employees and visitors. Firms should have in place 

procedures to identify, challenge, and address unauthorized 

persons. 


Personnel security. Enterprises and their partners should 

screen prospective employees (in ways consistent with local 

regulations) and verify employment application information prior to 

employment. This can include background checks on educational 

and employment background and possible criminal records, with 

periodic subsequent checks performed for cause or sensitivity of an 

employee’s position. Firms and their partners should also have 

procedures in place to remove badges, uniforms, and facility and ITsystem 

access for terminated employees. 

Education and training. Firms and their partners should 

establish and maintain a security-training program to educate and 

build employee awareness of proper security procedures. Best 

practices include training on the threat posed by criminals, terrorists, 

and contraband smugglers at each point in the supply chain as well 

as on ethical conduct and the avoidance of corruption, fraud, and 

exploitation. 


Procedural security. As noted above, firms and their partners 

should establish, document, and communicate procedural security 

measures to employees. Such documentation may include a 

security manual, published policy, or an employee handbook. 

Documentation should include procedures for issuing accessing 

devices, identifying and challenging unauthorized or unidentified 

persons, removing access for terminated employees, IT security and 

standards, reporting of security incidents or suspicious behavior, 

inspection of containers before packing, and managing access and 

security to shipping containers. For shipping, such procedures 

should include security for shipment documentation, shipping and 

receiving, and packaging. 

IT security. IT security measures should ensure automated 

systems are protected from unauthorized access and that 

information related to shipment routing and timing is protected. This 

should include password protection (including periodic changing of 

passwords) and accountability (including a system to identify any 

improper access or alteration). 


Business-partner security. A supply-chain security program 

must ensure that any supply chain partner, as well as any further 

sub-contracted suppliers or logistics service providers, employ 

practices to ensure the security of all shipments. Any partner used in 

the manufacturing, packaging, or transportation of shipments must 

have documented processes for the selection of sub-contractors to 

ensure they can provide adequate supply-chain security. Suppliers 

should ensure that any parties handling shipments be 

knowledgeable of and able to demonstrate through written or 

electronic communication that they are meeting security guidelines. 

Conveyance security. Transportation, particularly drayage 

(inland truck support), may be the most vulnerable point of the 

supply chain. Procedures that suppliers and shippers should follow 

include inspection and sealing of containers (cf. ISO 17712:2010 on 

sealing containers), storage of containers, and shipment routing 

through freight forwarders or carriers who are certified in a 

recognized supply-chain security program or who otherwise 

demonstrate compliance with a firm’s SCRM guidelines. 


By SCSM, we mean enhancing and embedding the 

traditional security management aspects into holistic 

management of integrated supply chains, especially within a 

global context. 

SCSM has roots in multiple fields: Supply Chain 

Management; International Trade, Logistics and Cross-border 

Operations Management; Supply Chain Resilience 

Management; Quality Management; Risk Management; 

Insurance Policies and Instruments; and Customs Policies, 

Procedures and Reforms. 

Since 2001 governments, Customs administrations, 

international organizations, researchers, and businesses have 

carried out diverse actions, and delivered different types of reports, 

and articles on the topic. The first pure SCSM paper was published 

at MIT (Sheffi, 2001), a few months after the infamous terrorist 

attacks in September 2001. Since then, researchers and industrial 

practitioners have organized and published SCSM conference and 

journal papers, primarily in the US but also in Europe and other 

continents. 


• Most of the researchers, presently contributing to building SCSM theory, 

have mainly been active in research fields such as Transportation and 

Logistics (i.e. Sheffi & Rice) 

• 2003), Supply chain Management (i.e. Lee & Wolfe, 2003) and Supply chain 

risk and vulnerability (i.e. Christopher & Peck, 2004). The existing 

literature on SCSM, is somehow adding a layer of security to each 

researcher’s own expertise domain. Some of the discussed principles 

are presented in the following paragraphs. 

• Sheffi (2001) presents the need for companies to simultaneously operate 

under heightened security environments and the need to prepare for rapid 

recovery after terrorist attacks. In addition he establishes seven supply 

chain design trade-offs that management will face when designing secure 

supply chains: 

i) Repeatability vs. unpredictability 

ii) The lowest bidder vs. the known supplier. 

iii) Centralization vs. dispersion. 

iv) Managing risk vs. delivering value. 

v) Collaboration vs. secrecy. 

vii) Redundancy vs. efficiency and 

vii) Government cooperation vs. direct shareholder value. 


Supply chain security (SCS) Good Practices 

As stated by Menzer et al (2008), ´Supply Chain 

encompasses the planning and management of all activities 

involved in sourcing and procurement, conversion, demand 

creation and fulfillment, and all logistics activities´. 

The aim of security and operational management is to create 

and maintain systematic, coordinated, and cost effective activities 

and practices in order to prevent exploitation of supply chains for 

criminal purposes, and to enable quick response in case of a 

security breach. 

Crimes of interest include (among others): theft, counterfeiting, 

customs law violations, organized immigration crime, terrorism, and 

sabotage. Crimes can have intra and/or inter-organizational impacts. 


The Strategy includes two goals 

Goal 1: Promote the Secure and Efficient Movement of Goods 

Goal 2: Foster a Resilient Supply Chain 


The White House 

Washington 

January 23, 2012 

“Through the National Strategy for Global Supply Chain Security, we seek to 

strengthen global supply chains in order to protect the welfare and interest of 

the American people and secure our Nation*s economic prosperity.” 

Barak Obama 


National Strategy for Global Supply Chain Security (the 

Strategy) 

Through the National Strategy for Global Supply Chain 

Security (the Strategy), we articulate the United States Government’s 

policy to strengthen the global supply chain in order to protect the 

welfare and interests of the American people and secure our Nation’s 

economic prosperity. Our focus in this Strategy is the worldwide 

network of transportation, postal, and shipping pathways, assets, 

and infrastructures by which goods are moved from the point of 

manufacture until they reach an end consumer, as well as 

supporting communications infrastructure and systems. 


Components 

This Strategy is focused on those components of the 

worldwide network of transportation, postal and shipping 

pathways, assets, and infrastructures by which goods are 

moved until they reach an end consumer. 

This includes the points of manufacturing, assembly, 

consolidation, packaging, shipment, and warehousing as well as 

supporting communications infrastructure and systems. 


ISO 28000:2007 – Specification for security management systems 

for the supply chain, offers a framework for providing effective 

physical security management through a system that identifies 

security threats, assesses risk, establishes objectives for 

implementing controls and continuously improves the physical 

security of the organization. 


SECURITY MANAGEMENT SYSTEM ELEMENTS 

There are five key elements that are critical to the development of a 

Security Management System (SMS): 

- Security Management Policy 

- Security Planning 

- Implementation & Operation 

- Checking & Corrective Action 

- Management Review & Continual Improvement 


COMPONENTS OF A SECURITY MANAGEMENT 

SYSTEM USING ISO 28000 


SECURITY MANAGEMENT POLICY 

A conformant physical security management system (SMS) requires 

the organization to have an overall security management policy, authorized 

by executive management. The SMS must also have a process for 

assessing the security environment in which it operates and for determining 

if adequate security measures are in place. This examination of the 

operational environment includes regulatory requirements as well as the 

physical, natural and human hazards and specific industry requirements. 

ISO 28000 articulates a strategy for assessment of risk and determining 

countermeasures as a core component of providing physical security for the 

organization. 


ISO 28001 

Specific guidance for implementation of a security 

management system for the supply chain is provided in ISO 

28001:2007 – Best practices for implementing supply chain 

security, assessments and plans – Requirements and guidelines. 

ISO 28001 is intended to assist organizations in establish 

reasonable levels of security and make better risk-based decisions 

for protection of the supply chain. Organizations that are in 

compliance with the WCO SAFE 

Framework of standards4 are also in compliance with ISO 

28001. In the absence of SAFE Framework compliance, 

ISO 27001 is an auditable standard containing requirements of 

a supply chain security process (General 

Requirements 4 – 5) and guidance for implementing a supply 

chain security process 


Joint statement on supply-chain security – EU 

The European Union and the United States face 

similar challenges and share a common approach to the 

security of the supply-chain. 

The terrorist threat must not be allowed to impair 

international trade and economic development. Security 

policies should be risk based, cost-effective and should 

facilitate as well as secure transport operations. 

We also share the view that national supply-chain 

security policies will be ineffective unless they are 

supported by enhanced international cooperation to 

guarantee their coherence, compatibility and cost 

effectiveness. 


Cooperation effort should be applied in multilateral 

fora as well as in bilateral EU-U.S. relations. A robust 

response should aim to: 

• Prevent the unlawful transport of dangerous and illicit 

material throughout the supply chain; 

• Protect critical elements of the supply chain system 

from attacks and disruptions; 

• Facilitate and expedite the smooth flow of legitimate 

international trade through the use of multilayered risk 

management tools; 

• Reduce the costs of security controls by recognising the 

high standards of controls that each performs for cargo 

security; 

• Build the resiliency of the supply chain. 


To attain these goals, we support the work of multilateral 

organizations with responsibilities for components of the system 

such as the World Customs Organization (WCO), the 

International Civil Aviation Organization (lCAO), the 

International Maritime Organization (IMO), and the Universal 

Postal Union (UPU) in order to: 

• Support the building of bridges and networks between these 

international organizations to enhance collaboration and reduce 

system vulnerabilities; 

• Push forward the adoption of international standards, develop 

and adopt new security measures and controls and advance 

global best practices and guidelines to deliver both security and 

trade facilitation at all stages of the supply-chain; 

• Encourage an integrated, intermodal approach to ensure that 

measures and standards developed within these international 

organizations for all modes of transport within the supply-chain - 

air, land, and sea - are compatible; 

• Promote and support capacity building 


The ‘Container Security Initiative’ 

The US Container Security Initiative (CSI) was among the first 

initiative to be implemented. It provides for the identification of high-risk 

containers, a non-intrusive inspection (x-ray) of suspicious containers, as 

well as the introduction of so-called ‘smart containers’. 


Recommendations for Government and Business 

1. Improve international and interagency compatibility of resilience 

standards and programmes 

2. More explicitly assess supply chain and transport risks as part of 

procurement, management and governance processes 

3. Develop trusted networks of suppliers, customers, competitors and 

government focused on risk management 

4. Improve network risk visibility, through two-way information sharing 

and collaborative development of standardized risk assessment and 

quantification tools 

5. Improve pre- and post-event communication on systemic 

disruptions and balance security and facilitation to bring a more 

balanced public and private sector discussion 


Business Continuity Management (BCM) 

BCM is a management process with the goal of detecting 

serious risks that endanger the survival of an organization early and to 

implement safeguards against these risks. To ensure the operability, and 

therefore the survival, of a company or government agency, suitable 

preventive measures must be taken to increase the robustness and 

reliability of the business processes as well as to enable a quick and 

targeted reaction in case of an emergency or a crisis. Business continuity 

management consists of a planned and organized procedure for 

sustainably increasing the resilience of (time-)critical business processes 

of an organization, reacting appropriately to events resulting in damages, 

and enabling the resumption of business activities as quickly as possible. 

BSI – Standard 100-4 


Risk Management and Business Continuity Management Interface 

BCM Guidelines – Western Australian Government 


Business continuity management systems 

• Business continuity 

strategic and tactical capability of the organization to plan for and 

respond to incidents and business disruptions in order to continue 

business operations at an acceptable predefined level 

• Business continuity management 

holistic management process that identifies potential threats to an organization 

and the impacts to business operations of those threats, if realized, 

might cause, and which provides a framework for building 

organizational resilience with the capability for an effective response that 

safeguards the interests of its key stakeholders, reputation, brand and 

value-creating activities 

• Business continuity management system BCMS 

that part of the overall management system that establishes, implements, 

operates, monitors, reviews, maintains and improves business continuity 

Societal security – Business Continuity Management Systems – Guidance 

(ISO / DIS 22313) 


Business Continuity Management Process 

BCM Guidelines – Western Australian Government 


This process involves the following activities: 

a. BCM programme management 

This includes: 

• assigning responsibilities for implementing and maintaining the BCM 

programme within the council 

• implementing business continuity in the council – including the design, build 

and implementation of the programme 

• the ongoing management of business continuity – including regular review 

and updates of business continuity arrangements and plans. 

b. Understanding the organisation 

The use of business impact and risk assessments (see below) to identify critical 

deliverables, evaluate priorities and assess risks to service delivery. 

• Business Impact Analysis (BIA) – identifying the critical processes and 

functions and assessing the impacts on the council if these were disrupted 

or lost. BIA is the 

• crucial first stage in implementing BCM, and helps measure the impact 

disruptions on the organisation 

• Risk assessment – once those critical processes and functions have been 

identified, a risk assessment can be conducted to identify the potential 

threats to these processes. 


c. Determining BCM Strategy 

The identification of alternative strategies to mitigate loss, and assessment of 

their potential effectiveness in maintaining the council’s ability to deliver 

critical service functions. 

• The council’s approach to determining BCM Strategies will involve: 

• implementing appropriate measures to reduce the likelihood of incidents 

occurring and/or reduce the potential effects of those incidents 

• taking account of mitigation measures in place 

• providing continuity for critical services during and following an incident 

taking account of services that have not been identified as critical. 

d. Developing and implementing a BCM Response 

Developing individual service responses to business continuity challenges and 

overarching 

• Business Continuity Plan to underpin this. 

• This Business Continuity Plan ensures that actions are considered for: 

• the immediate response to the incident. 

• interim solutions or maintaining an emergency level of service, leading on to 

reinstating full services. 


e. Exercising, maintaining and reviewing 

Ensuring that the business continuity plan is fit for purpose, kept up to 

date and quality assured. An exercise programme will enable the 

council to: 

• demonstrate the extent to which strategies and plans are complete, 

current and accurate and 

• identify opportunities for involvement. 

f. Embedding BCM in the council’s culture 

The embedding of a continuity culture by raising awareness throughout 

the council and offering training to key staff on BCM issues. 

This could also include: 

• incorporating BCM in the staff induction process 

• items in Governance Matters 

• e-mail bulletins 

• pages on TOM 

• booklets and prompt cards 

• staff development session. 


The goal of business continuity management is to ensure 

that important business processes are only interrupted 

temporarily or not interrupted at all, even in critical situations, 

and to ensure the economic existence of the organisation even 

after incurring serious damage. A holistic approach is therefore 

critical in this regard. All aspects necessary for maintaining the 

continuity of the critical business processes when damage is 

incurred should be examined, not only the aspect of information 

technology resources. IT-service continuity management is a part of 

business continuity management. 


Thank you for 

your attention!

Supply Chain Security Management (SCSM) and Business ... - ecr-uvt

Create successful ePaper yourself

Delete template?

Save as template?