Resilience A Priority in Global Supply Chains—McKinsey

I love irony. No sooner had I discussed with a colleague the time I worked for a couple of McKinsey alums than I received an email promoting a new study undertaken by, you guessed it, McKinsey. Actually, the McKinsey Global Institute (MGI). The paper’s authors researched global supply chains, which is very timely in light of the Covid-19 pandemic. The report highlights vulnerabilities in global supply chains and how resilience takes priority, calculating the ongoing cost of shocks and the prospects for production to shift.

In brief:

  • Industries experience month-long disruptions every 3.7 years on average
  • Companies can expect supply chain disruptions to erase 40 percent of a year’s profits over the course of a decade on average—and extreme events take an even bigger toll
  • Up to a quarter of global trade flows could move to different countries over the next five years if companies restructure their supplier networks and governments take action. But moving supply chains is not the only way to build resilience.

The idea of chasing low-cost labor across the globe while ignoring supply chain risks and costs always seemed goofy to me. For I didn’t waste my years as the unofficial chief manufacturing cost analyst for a medium-sized manufacturer. But here is some weighty analysis that emphasizes the risks.

The stakes are high, according to “Risk, resilience, and rebalancing in global value chains,” a new report from the McKinsey Global Institute (MGI). MGI analyzed 23 industry value chains to assess their exposure to specific types of shocks, including pandemics, conflicts, cyberattacks, trade wars, natural disasters, and climate risks. Industries have different exposure to these shocks based on their geographic footprint, factors of production, and other variables.

Based on the frequency and cost of disruptions, MGI scenarios show companies in most industries can expect shocks to erase 45 percent of one year’s EBITDA on average over the course of a decade. A single extreme event could cause even bigger financial losses. On top of this bottom-line impact comes the additional cost of rebuilding damaged physical assets, losing market share to competitors that are able to sustain operations, and significant societal harm such as loss of life, loss of jobs, shortages of critical goods, and damage to communities.

Geographic concentration can often produce supply chain bottlenecks when a shock hits. MGI finds 180 goods that are exported primarily from just one country, worth $135 billion in trade annually. Another issue is that large multinationals can have thousands of suppliers—but most have little visibility beyond the top tier of those tightly interconnected networks.

Will companies restructure their supply chains as part of a flight to safety? Yes and no, the report finds. There is an economic logic behind the way industry value chains have evolved. Given the scale, complexity, and interconnectedness of value chains, they are harder to move than is commonly realized.

MGI estimates that 15 to 25 percent of global goods exports, worth $2.9 trillion to $4.6 trillion annually, could conceivably move to new countries over the next five years. This is based on both economic factors, such as the cost of relocating production, and non-economic factors, such as governments changing policy to promote domestic production of goods deemed essential or important to national economic security.

“The prospect of a significant geographic rebalancing in global supply chains represents a risk for the companies and countries that might lose out—but a potentially significant opportunity for those that manage to capture a share of this production. This could have important consequences for future growth and employment,” says Susan Lund, a partner at the McKinsey Global Institute. “But supply chains involve thousands of independent firms, reflecting specialization, access to consumer markets around the world, substantial sunk costs, and long-standing relationships. Relocating is not a simple task.”

To attract more production, countries need to develop strong supplier ecosystems, specialized workforce skills, robust infrastructure, and an attractive business environment.

There is more to resilience than changing where goods are made, however. Operational choices and the structure of a company’s supplier network can heighten or lessen vulnerability to disruptions. Common practices such as sourcing from a single supplier, relying on customized inputs with few substitutes, and carrying substantial debt can magnify the financial impact of a shock if they are not calibrated to account for current levels of risk.

Among the steps companies can take are mapping the sub-tiers of their supply chains in detail and connecting them digitally for better transparency; building the capacity to flex production across multiple sites; holding more inventory; and strengthening their balance sheets.

The COVID pandemic is prompting action at a time when cost structures are changing across countries and revolutionary digital technologies are gaining traction in global manufacturing.

“Supply chain shocks are not a new phenomenon, but only a handful of leading companies have really moved to minimize their risk until now,” says Katy George, senior partner and global leader of McKinsey’s operations practice. “That’s largely because of a perception that resilience has to come at the cost of efficiency. But that’s no longer true. Now companies have new tools at their disposal to become more resilient and more productive.”

Return From Covid

It almost sounds like a ’50s SciFi movie.

For a couple of months into the Covid pandemic, my inbox collected a steady stream of press releases about what this or that company was doing to either fight the coronavirus or prepare workplaces and workforces for the return to the office. That mighty river has turned into a stream at the end of summer.

The CTO of a Siemens company was on NPR’s Tech Nation with Moira Gunn (good podcast, by the way), and I have interviewed Siemens about its combining of technologies to provide for safer workplaces in light of infectious viruses.

Then I received this note from Marty Edwards, VP of OT Security, Tenable, whom I’ve known for years as a reputable security specialist. “Prediction: Workers who return to the office may well bring new vulnerabilities with them.”

“While many critical infrastructure workers who operate, manage and secure the OT that underpins our economy can’t bring their work home, some of their colleagues certainly can. It’s likely that functions such as sales, marketing, HR, finance and legal of many essential services – food and beverage, manufacturing and pharmaceutical companies – have shifted to a remote-work model. When stay-at-home orders are eventually lifted, many of these folks will return to their offices with equipment that will be re-connected to corporate networks. With this comes the added risk of new vulnerabilities and threats being introduced to either the IT or OT side of mission- and safety-critical operations. During this transition, it’s imperative security teams have visibility into where the organization is exposed and to what extent, enabling them to effectively manage risk on a day-to-day basis. Put simply, the security challenges aren’t gone once everyone is back in the office.”

I have not worked in an office for years, unless you call a coffee house an office. But, many people will be returning to offices in the next few months. They will expect safe workspaces. As will all the factory workers (think about the morons running meat processing plants).

It took a while for cybersecurity to catch up with the sudden working-from-home IT challenge. Now, we’ll have millions returning to the corporate intranet bringing who knows what (computer) viruses with them. Another type of security to deal with.

One way or another, engineers will be busy dealing with this crisis for many months. Probably along with all their other work.

Don’t Look Now, Your Data Has Been Stolen

Tim Bandos, VP of Cybersecurity at Digital Guardian, set aside some time to discuss his latest work, The DG Data Trends Report. Research for the report was performed during (and as a result of) the Covid-19 pandemic to study how much sensitive corporate data was “egressing” from the security of home base.

We talked last month, but I was in the midst of five or six virtual conferences and I’m only now beginning to catch up with the accumulated pile of other interviews and reports that come my way.

Digital Guardian has developed and implemented a technology that you can procure that includes an “agent” that gives visibility into data movements within and into and out of your corporate environment. It sounds pretty cool, actually.

To set the stage for the current crisis, Bandos points to the results of the 2007-2009 financial crisis:

[The crisis] led to 37 million unemployment claims. It also resulted in a slew of trade secret theft charges. In 2013, the Department of Justice said it charged more than 1,000 defendants with intellectual property theft between 2008 and 2012.

The DG report derives from real data from organizations spanning the globe and across multiple industry verticals. It is definitely not just a survey.

Following are a few tidbits from the report.

  • Since the onset of Covid-19, DG saw a 123% increase in the volume of data moving to USB drives, and 74% of that data was classified according to the DLP practices. Now, much of this was taking work home. But much of this data now also cannot be controlled.
  • With employees working from their homes, data egress via all means (email, cloud, USB, etc.) was 80% higher in the first month following the World Health Organization’s declaration. More than 50% of the observed data egress was classified data.
  • Digital Guardian’s Managed Detection & Response customers noticed a 62% increase in malicious activity, a number that in turn has led to an increase in incident response investigations—64% more than before the declaration.

Five tips to protect data

1. Issue Data Governance Policy Reminders

2. Label Sensitive Information

3. Limit Access to Sensitive Data

4. Host a Remote Security Awareness Training Session

5. Consider Deploying Virtual Desktop Infrastructure or Desktop-as-a-Service.