In today’s bulletin, Charlie discusses supply chains and business continuity and gives an insight into some useful case studies around supply chain resilience.

Around 2010, I wrote a supply chain course which was then adopted by the BCI and delivered by its training partners worldwide. I had a similar version of it, which I delivered to PlanB Consulting’s clients, as either in-house training courses or as part of a supply chain piece of consultancy. The last time I delivered the course was in 2017, to a building materials manufacturer for their procurement staff. Since then, I think I have only carried out one piece of supply chain work and no training courses.

In early 2020, supply chain in business continuity was all the rage, and there were lots of courses around, and even an annual conference. When looking around for my old supply chain materials, I came across a presentation I gave on supply chain to the Scottish Continuity Group in 2008. I was presenting at the event again this week, this time with Chris Butler. The BCI has a supply chain resilience course, but it seems to me—having gone to the BCI Conference and kept a weather eye on who is writing what—that I have seen very few, if any, articles on supply chain and resilience or linking the subject to business continuity. Supply chain professionals, I am sure, are writing articles, but business continuity people writing on supply chain is not presently happening.

In a discussion with a client, they asked for a supply chain course, so I thought I would dig out the old course and see what needed to be updated and changed. As the course would be written for them and they are a service provider to their customers, the course needed to have a Managed Service Provider and outsourced service slant, rather than the old course, which was very much geared around the provision of goods.

At the beginning of the training, I like to do a few case studies to set the scene and get people in the mood for some of the issues they will discuss throughout the course. The case studies were: ‘Fires that changed the world’ (Philips, Ericsson and Nokia), Ford and Firestone, the Mattel Catwoman toy, the Tesco horse meat scandal, and a picture of the Spanish environment minister, Rosa Aguilar, eating a cucumber during the 2011 E. coli outbreak in Europe.

These case studies are all too old, but I have kept the Philips fire as it is such an iconic supply chain story. The case studies I am using now relate to cyber attacks on suppliers having a major impact on the delivery of healthcare (Synnovis Cyber Attack Impacting NHS Services), cyber-attacks on MSP service suppliers infecting multiple companies (Kaseya Ransomware Attack), logistics issues (like the great KFC chicken disaster and the EverGiven ship stuck across the Suez Canal), spats between suppliers and providers (Ticketmaster and Inbenta), and some of the moral issues around the Rana Plaza factory collapse in 2013.

What I take away from looking at a new set of case studies is that MSPs and specialist outsourcers have been integral to a vast number of different organisations. There can be rapid and long-lasting impacts when one of these key providers fails.

One of the aspects of the old course was to talk about trends in the supply chain, one of which was offshoring. We have now gone full circle—one of my new trends is Nearshoring & Regionalisation!

One principle that has not changed is that ‘you can outsource the activity but not the risk’, and this is firmly stated at the beginning of both the new and old courses. Organisations, then and now, are still strongly criticised if they try to blame their suppliers for a failure to deliver. They are the company that appointed the supplier and monitored their performance.

Cyber is a major threat to organisations and has to feature prominently in the course, as there are a large number of instances of cyber attacks on organisations having an impact on the organisations they supply or provide services to. This is a new risk, and I am not sure yet that all organisations have thought through how they would work together to handle an incident.

In all the cyber exercises I have ran, I have never seen organisations with plans that have been pre-agreed with suppliers on how they would manage an incident that impacted them both. This is an area I will definitely be pushing in the course.

I enjoy updating a course, especially an old favourite I haven’t updated for years, and seeing what I am going to deliver now compared to what I used to deliver. The world is always changing fast, so I think it is good to look back at where we have come from and what has changed over the preceding years.