Risk Center to Rule the World
This is not the story of how an unrelenting flood in faraway Thailand nearly destroyed the business of a Fortune Global 500 company.
Sure, during the fall 2011 floods, nearly 50 percent of the Southeast Asian country’s landmass was underwater. More than 1,000 factories shut down.
But for the multinational company in question, Flex, formerly known as Flextronics Inc., the Thailand floods were a bit of a success story — albeit a success story with $100 million in resulting lost revenue.
What kind of victory is that? Thailand became proof that lessons had been learned after a previous disaster — the March 11, 2011 Japanese earthquake. It was proof that Flex, one of the world’s largest outsourced electronics manufacturers, was on the right track.
After that earthquake, Flex’s supply chain team in the States scrambled for weeks to understand the disruption’s size. Which of its suppliers were affected and by how much? They shuffled Excel spreadsheets and flipped through outdated Rolodexes.
They found that their path to victory was partly a software solution called Resilinc.
Connecting the Dots
“The database underlying Resilinc maps suppliers’ footprint and part-origin information, and connects this type of supplier information with products and revenue,” wrote MIT Professor Yossi Sheffi, Resilinc founder Bindiya Vakil and Flex supply chain Senior Director Tim Griffin — in a research paper detailing Flex’s experience.
When the Thailand floods came, Resilinc empowered the Flex supply chain team to know when and how suppliers were being hit — and which and how many parts were built at those suppliers — even as those suppliers were keeping quiet publicly.
Flex could prioritize a “high risk” list and plan recovery strategies at a speed that allowed them to minimize revenue and profit loss.
“The main benefits came from the ability to connect all the dots; from supplier name to part numbers, part numbers to inventory and demand positions, from that to specific products and customers,” the MIT report authors wrote.
Flex’s business recovery success in Thailand was not contingent entirely on a software app. The company with 200,000 employees across 30 countries also avoided serious losses because redundancy built into its supply chain anticipated business interruption for any single-source supplier, said Jose Heftye, senior director, global risk management, at Flex’s San Jose, Calif., office, who was employed elsewhere during the floods.
The nine-figure revenue loss was a victory, thanks to technology and traditional supply chain management, but Flex has since moved to far more dynamic 21st-century business recovery processes.
The company now believes it has the ability to accommodate potential physical damage risk to suppliers and essentially become a guarantee to customers — from mobile device makers to automakers.
To do that, the company folds risk management and risk analysis into its day-to-day business. The focus no longer rests solely on mere efficiency.
“Flextronics moved from a traditional supply chain risk management strategy that usually includes building redundancy within the system, procuring insurance and setting up processes to react in the case of a potential disruption, to a real-time risk assessment and risk management strategy,” said Alejandro Marmorek, managing director, Latin America regional sales, and AGCN leader at Aon.
The company, he said, “can follow and analyze specific issues that could potentially disrupt vendors or customers and define mitigation strategies that are executable in real time.”
Or as his colleague Randy Nornes, executive vice president of Aon Risk Solutions, said, “Efficiency and risk are not on the same page.”
Creating a Risk Center
The new business recovery program — which Heftye oversees across business continuity planning and risk treatment strategy, legal, HR, operations, business development and supply chain up through the C-suite — is a so-called “risk center.”
It focuses on three buckets: business continuity, contractual exposure and financial risk.
Here’s how it works: Heftye’s teams conduct internal audits to identify company core processes, their interdependencies across different areas, and their recovery times if they were to go down.
Next, they apply business impact analysis to map the financial and strategic value of each process, calculate how much risk is already in the system and spot where more risks are.
They bring the results before a steering committee made up of C-suite level leaders across business development, finance, operations and legal — where Heftye’s team recommends ways to eliminate, mitigate or transfer the risk.
“That is pretty much driving all of our activities,” Heftye said. “You go from the very, very granular points, and you take it to a higher level and start to aggregate data and processes.
“My primary objective is to not buy insurance,” he said.
Let’s imagine a scenario where the IT system that manages Flex’s inventory goes down. Heftye and his team evaluate the impact upon their customers, purchase orders, revenue, profitability, etc., if the system were down for X hours at Y facility.
“We can show in hard numbers [what happens] if we don’t have a backup,” he said.
The team quantifies the investments needed to mitigate or eliminate the risk and sits down with the steering committee, which can then comfortably authorize an investment for a redundant IT system and other measures.
They’ve done a similar investigation into key individuals at the company and the potential impact of their departures, then worked with HR to build a talent pipeline to mitigate that risk.
Better Than ERM
Developed by firms like Genentech and Microsoft in the late ’90s, this risk center concept first appeared at companies in a one-off role, such as for a project team to, say, analyze an event that impacted a competitor to see what the ramifications could be for the company. More and more, however, companies are baking the processes into what they do every day.
This is much more than enterprise risk management (ERM). In Nornes’ view, ERM has evolved into risk identification and control. But once ERM identifies supply chain as a “red risk on a heat map,” said Nornes, it typically fails to provide a granular view and guidance on what to do next. ERM, in essence, has evolved into a compliance checkbox.
And as Heftye has explained, a risk center approach is not limited to supply chain; it allows companies to apply analytical rigor and insert risk management into ROI decisions for any critical risk, like cyber.
“It’s the skill set they are bringing, not the knowledge of that specific risk,” Nornes said.
“It does require a high degree of risk maturity across the organization to collaborate across the various teams, which includes deep partnerships with clients and suppliers,” added Marmorek.
It has earned Heftye a veritable role as rainmaker. At Flex, the risk management function can now contribute to the company’s strategy by providing insight and by partnering with business operations, said Heftye.
Flex’s risk is their customers’ supply chain risk, so having their risk under control, holding to that guarantee of little or no business interruption as a talisman, has become a selling point for Flex.
“It’s given us more tools to sell quality of services and show that we are a long-term solution and not just something that could go away after another Thailand,” Heftye said.