Supply Chain Risks

Risk Center to Rule the World

A combination of technology and data-centric risk management almost guarantees resilient supply chains.
By: | September 14, 2015 • 6 min read

This is not the story of how an unrelenting flood in faraway Thailand nearly destroyed the business of a Fortune Global 500 company.

Sure, during the Fall 2011 floods in the Southeast Asian country, nearly 50 percent of its landmass was underwater. More than 1,000 factories shut down.

But for the multinational company in question, Flex, formerly known as Flextronics Inc., the Thailand floods were a bit of a success story — albeit a success story with $100 million in resulting lost revenue.


What kind of victory is that? Thailand became proof that lessons had been learned after a previous disaster — the March 11, 2011 Japanese earthquake. It was proof that Flex, one of the world’s largest outsourced electronics manufacturers, was on the right track.

After that earthquake, Flex’s supply chain team in the States scrambled for weeks to understand the disruption’s size. Which of its suppliers were affected and by how much? They shuffled Excel spreadsheets and flipped through outdated Rolodexes.

They found that their path to victory was partly a software solution called Resilinc.

Connecting the Dots

“The database underlying Resilinc maps suppliers’ footprint and part-origin information, and connects this type of supplier information with products and revenue,” wrote MIT Professor Yossi Sheffi, Resilinc founder Bindiya Vakil and Flex supply chain Senior Director Tim Griffin — in a research paper detailing Flex’s experience.

When the Thailand floods came, Resilinc empowered the Flex supply chain team to know when and how suppliers were being hit — and which and how many parts were built at those suppliers — even as those suppliers were keeping quiet publicly.

Flex could prioritize a “high risk” list and plan recovery strategies at a speed that allowed them to minimize revenue and profit loss.

“The main benefits came from the ability to connect all the dots; from supplier name to part numbers, part numbers to inventory and demand positions, from that to specific products and customers,” the MIT report authors wrote.

 Jose Heftye, senior director, global risk management, Flex

Jose Heftye, senior director, global risk management, Flex

Flex’s business recovery success in Thailand was not contingent entirely on a software app. The company with 200,000 employees across 30 countries also avoided serious losses because redundancy built into its supply chain anticipated business interruption for any single-source supplier, said Jose Heftye, senior director, global risk management, at Flex’s San Jose, Calif., office, who was employed elsewhere during the floods.

The nine-figure revenue loss was a victory, thanks to technology and traditional supply chain management, but Flex has since moved to far more dynamic 21st century business recovery processes.

The company now believes it has the ability to accommodate potential physical damage risk to suppliers and essentially become a guarantee to customers — from mobile device makers to automakers.

To do that, the company folds risk management and risk analysis into its day-to-day business. The focus no longer rests solely on mere efficiency.

“Flextronics moved from a traditional supply chain risk management strategy that usually includes building redundancy within the system, procuring insurance and setting up processes to react in the case of a potential disruption, to a real-time risk assessment and risk management strategy,” said Alejandro Marmorek, managing director, Latin America regional sales, and AGCN leader at Aon.


The company, he said, “can follow and analyze specific issues that could potentially disrupt vendors or customers and define mitigation strategies that are executable in real time.”

Or as his colleague Randy Nornes, executive vice president of Aon Risk Solutions, said, “Efficiency and risk are not on the same page.”

Creating a Risk Center

The new business recovery program — which Heftye oversees across business continuity planning and risk treatment strategy, legal, HR, operations, business development and supply chain up through the C-suite — is a so-called “risk center.”

It focuses on three buckets: business continuity, contractual exposure and financial risk.

Here’s how it works: Heftye’s teams conduct internal audits to identify company core processes, their interdependencies across different areas, and their recovery times if they were to go down.

Next, they apply business impact analysis to map the financial and strategic value of each process, calculate how much risk is already in the system and spot where more risks are.

“You go from the very, very granular points, and you take it to a higher level and start to aggregate data and processes. My primary objective is to not buy insurance.” — Jose Heftye, senior director, global risk management, Flex

They bring the results before a steering committee made up of C-suite level leaders across business development, finance, operations and legal — where Heftye’s team recommends ways to eliminate, mitigate or transfer the risk.

“That is pretty much driving all of our activities,” Heftye said. “You go from the very, very granular points, and you take it to a higher level and start to aggregate data and processes.

“My primary objective is to not buy insurance,” he said.

Let’s imagine a scenario where the IT system that manages Flex’s inventory goes down. Heftye and his team evaluate the impact upon their customers, purchase orders, revenue, profitability, etc., if the system were down for X hours at Y facility.


“We can show in hard numbers [what happens] if we don’t have a backup,” he said.

The team quantifies the investments needed to mitigate or eliminate the risk and sits down with the steering committee, which can then comfortably authorize an investment for a redundant IT system and other measures.

They’ve done a similar investigation into key individuals at the company and the potential impact of their departures, then worked with HR to build a talent pipeline to mitigate that risk.

Better Than ERM

Developed by firms like Genentech and Microsoft in the late ’90s, this risk center concept first appeared at companies in a one-off role, such as for a project team to, say, analyze an event that impacted a competitor to see what the ramifications could be for the company. More and more, however, companies are backing the processes into what they do every day.

090152015_20_flextronics_sidebarThis is much more than enterprise risk management (ERM). In Nornes’ view, ERM has evolved into risk identification and control. But once ERM identifies supply chain as a “red risk on a heat map,” said Nornes, it typically fails to provide a granular view and guidance on what to do next. ERM, in essence, has evolved into a compliance checkbox.

And as Heftye has explained, a risk center approach is not limited to supply chain; it allows companies to apply analytical rigor and insert risk management into ROI decisions for any critical risk, like cyber.

“It’s the skill set they are bringing, not the knowledge of that specific risk,” Nornes said.

“It does require a high degree of risk maturity across the organization to collaborate across the various teams, which includes deep partnerships with clients and suppliers,” added Marmorek.

For Heftye, it has earned him a veritable role as rainmaker. At Flex, the risk management function can now contribute to the company’s strategy by providing insight and by partnering with business operations, said Heftye.

Flex’s risk is their customers’ supply chain risk, so having their risk under control, holding to that guarantee of little or no business interruption as a talisman, has become a selling point for Flex.

“It’s given us more tools to sell quality of services and show that we are a long-term solution and not just something that could go away after another Thailand,” Heftye said.

Matthew Brodsky is editor of Wharton Magazine. He can be reached at [email protected]

More from Risk & Insurance

More from Risk & Insurance

4 Companies That Rocked It by Treating Injured Workers as Equals; Not Adversaries

The 2018 Teddy Award winners built their programs around people, not claims, and offer proof that a worker-centric approach is a smarter way to operate.
By: | October 30, 2018 • 3 min read

Across the workers’ compensation industry, the concept of a worker advocacy model has been around for a while, but has only seen notable adoption in recent years.

Even among those not adopting a formal advocacy approach, mindsets are shifting. Formerly claims-centric programs are becoming worker-centric and it’s a win all around: better outcomes; greater productivity; safer, healthier employees and a stronger bottom line.


That’s what you’ll see in this month’s issue of Risk & Insurance® when you read the profiles of the four recipients of the 2018 Theodore Roosevelt Workers’ Compensation and Disability Management Award, sponsored by PMA Companies. These four programs put workers front and center in everything they do.

“We were focused on building up a program with an eye on our partner experience. Cost was at the bottom of the list. Doing a better job by our partners was at the top,” said Steve Legg, director of risk management for Starbucks.

Starbucks put claims reporting in the hands of its partners, an exemplary act of trust. The coffee company also put itself in workers’ shoes to identify and remove points of friction.

That led to a call center run by Starbucks’ TPA and a dedicated telephonic case management team so that partners can speak to a live person without the frustration of ‘phone tag’ and unanswered questions.

“We were focused on building up a program with an eye on our partner experience. Cost was at the bottom of the list. Doing a better job by our partners was at the top.” — Steve Legg, director of risk management, Starbucks

Starbucks also implemented direct deposit for lost-time pay, eliminating stressful wait times for injured partners, and allowing them to focus on healing.

For Starbucks, as for all of the 2018 Teddy Award winners, the approach is netting measurable results. With higher partner satisfaction, it has seen a 50 percent decrease in litigation.

Teddy winner Main Line Health (MLH) adopted worker advocacy in a way that goes far beyond claims.

Employees who identify and report safety hazards can take credit for their actions by sending out a formal “Employee Safety Message” to nearly 11,000 mailboxes across the organization.

“The recognition is pretty cool,” said Steve Besack, system director, claims management and workers’ compensation for the health system.

MLH also takes a non-adversarial approach to workers with repeat injuries, seeing them as a resource for identifying areas of improvement.

“When you look at ‘repeat offenders’ in an unconventional way, they’re a great asset to the program, not a liability,” said Mike Miller, manager, workers’ compensation and employee safety for MLH.

Teddy winner Monmouth County, N.J. utilizes high-tech motion capture technology to reduce the chance of placing new hires in jobs that are likely to hurt them.

Monmouth County also adopted numerous wellness initiatives that help workers manage their weight and improve their wellbeing overall.

“You should see the looks on their faces when their cholesterol is down, they’ve lost weight and their blood sugar is better. We’ve had people lose 30 and 40 pounds,” said William McGuane, the county’s manager of benefits and workers’ compensation.


Do these sound like minor program elements? The math says otherwise: Claims severity has plunged from $5.5 million in 2009 to $1.3 million in 2017.

At the University of Pennsylvania, putting workers first means getting out from behind the desk and finding out what each one of them is tasked with, day in, day out — and looking for ways to make each of those tasks safer.

Regular observations across the sprawling campus have resulted in a phenomenal number of process and equipment changes that seem simple on their own, but in combination have created a substantially safer, healthier campus and improved employee morale.

UPenn’s workers’ comp costs, in the seven-digit figures in 2009, have been virtually cut in half.

Risk & Insurance® is proud to honor the work of these four organizations. We hope their stories inspire other organizations to be true partners with the employees they depend on. &

Michelle Kerr is associate editor of Risk & Insurance. She can be reached at [email protected]