LATEST THINKING


Managing risk in the government supply chain

Problems that plague commercial supply chains can be national security risk for governments.

Overview

The federal government increasingly is being challenged to understand and manage risk across global supply chain and transportation networks. The political, economic and security implications of regulating in a complex environment have necessitated new approaches for public-private collaboration.

The problems and challenges that plague the private sector supply chain—everything from theft to counterfeiting to natural disasters—are an even greater threat to the federal supply chain. For the government, risks to the supply chain can affect national security. The growing dangers of cyber espionage, for instance, mean that purchases of information technology, components and software must be guarded against the threat of compromise.

The General Accounting Office in its March 2012 report stated: “Reliance on a global supply chain introduces multiple risks to federal information systems and underscores the importance of threat assessments and mitigation. Supply chain threats are present at various phases of a system’s development life cycle and could create an unacceptable risk to federal agencies.”

Background

By using leading commercial practices in risk management, the federal government can minimize the potential damage that a breach in supply chain integrity would cause. It is not realistic, in either financial or practical terms, to eliminate risk altogether, but vulnerabilities can be identified and strengthened; effects can be mitigated; and disruption times can be shortened. A parallel can be drawn to agencies' development of “continuity of operations plans,” contingency plans to keep functioning following a disaster, whether natural or man-made.

Because risk cannot be eliminated, only anticipated and managed, it is critical for agencies to define their risk policy, including objectives for risk tolerance levels. This is a necessary step— not all risk is created equal, and containment measures may be disproportionately expensive to the impact of the possible event. Assessing the risks, countermeasures and possible consequences provides the wherewithal to make tradeoffs among competing priorities.

Analysis

Once a risk policy is in place, risk management can be addressed in three waves:

  • Identify and optimize physical flows of material.

  • Standardize and optimize information flow.

  • Evaluate the risk/reward tradeoff and identify reserves and resources needed to maintain agency operations.

The first two waves are self-evident, though experience in executing the streamlining of physical and information flows is needed for these complex areas. The third concept, striking the balance between risk and reward, aims at the heart of government operations—what reserves (whether of manpower, physical and IT assets, financing or governing procedures) the agency requires to have available in the event of a risk scenario developing. There are many questions that can help develop this, among them:

  • What would be the impact of demand-supply imbalances?

  • What are the systemic and specific risks in the supply chain?

  • How much risk is introduced by supply chain design and decisions?

  • What is the magnitude of the risk? How does it behave over time?

  • What is the velocity of the risk, that is, how quickly will it amplify and spread beyond the initial incident?

Recommendations

For federal agencies, use risk management techniques is more than a mechanism for avoiding costs. Understanding the supply chain's vulnerabilities, then taking steps to avoid or minimize them, is a proactive measure in our national security strategy. It is not practical, for instance, to inspect every piece of IT hardware that will be placed on a network; undertaking a systematic examination of the supply chain and modifying its elements to minimize risk, e.g., certifying manufacturers in advance, is one way to gain much of the benefit of inspections.

Taking a comprehensive approach to implementing a supply chain risk management process will help agencies improve the performance of their supply chains, as well as increase the resiliency of those agencies in response to any risk. It is a complex process, but reducing the risks of failure in the links in the chain will produce both performance and budgetary benefits—while strengthening our national security.