Assessing and managing risk: interview with IBM's Louis R. Ferretti
Five years ago, IBM went in search of a tool to help it better assess the vulnerabilities of its vast global pool of suppliers. When the company couldn't find what it needed, Lou Ferretti and his team built their own.
As supply chains have become more global, the complexities of managing risk across vast and varied physical and political geographies arguably have grown by orders of magnitude. That's a lesson that IBM, one of the world's largest technology companies, has taken to heart. Beginning in 2009, the company undertook the task of building a complex supply chain risk management tool, now deployed globally, that provides managers with a way to examine supply risk in a much more robust fashion than ever before.
The team that developed the tool was headed by Louis R. Ferretti, the project executive who leads global and strategic programs within IBM's Integrated Supply Chain business unit and across its global supplier network on environmental compliance, supply chain social responsibility, conflict minerals, business continuity planning, and sustainability as well as risk management. He is also a member of IBM's corporate crisis management team.
Ferretti recently spoke to Editorial Director Peter Bradley about the development and rollout of the supply chain risk management tool.
Q: Companies have been talking about risk management for a long time. What led IBM to develop a supply chain risk tool?
A: IBM, like others, has always assessed supply chain risk. Typically, we would look at whether our supplier was a single or sole source supplier and whether there was a financial risk associated with that supplier, and maybe we'd look at some logistics aspects. That was the sum total of what was done for our suppliers across the board.
But our supply chain has become global in nature. We are sourcing in probably 80 countries, and we are sourcing many times in countries where the risks are much higher. So our senior leaders asked our [chief procurement officer] what we were doing. Quickly, our CPO responded that we would work to address supplier and supply chain risk in a much broader, holistic fashion. We would cover political, financial, economic, logistics, and climatic factors. Our CPO listed probably a dozen factors that we would consider in a newer approach to risk. That was the mission that was handed over to me in 2009.
Q: Give me a sense of the timeline of the process to make that happen.
A: I needed to step back. I thought that there was a supply chain risk industry, and what I would do is go find a subscription and get someone to provide me with all the information I was looking for as far as disruptions to the supply chain. After interviewing large companies and even small companies, they told us at the time that this was interesting but that nobody else was asking for it.
I figured that if they didn't have it and would have to build it, that we could probably do an equally good or better job of building it for ourselves and customizing it to our specific risk profile. We had a small core team, maybe a half-dozen people, and we started examining how we would put this together. It probably took us a little bit over a year to put our concept in place, to develop the requirements, and actually do the coding. The end result is what's known as our "Total Risk Assessment Tool and Process."
When I got this assignment, I wasn't told to build a tool. I was told to put a process in place that would assess supplier and supply chain risk and all these factors. Once we started examining the scope of risk and then looking at the data that we would need, we realized very quickly that this was not a spreadsheet tool, but it really had to be a much more sophisticated database and analytic tool [for] developing an algorithm that would look at this information and produce, as a result, the level of risk. But that is not where I started out.
Q: Prior to developing this tool, how did you assess supply risk?
A: Our procurement councils—what most companies call category management groups—would look at their suppliers, and they would make a determination of the level of risk, typically based upon one or two factors: single source and financial risk. Now, the interesting thing is that comparing council to council, there was really no definition of risk. There were no criteria. Each council—we had dozens of councils—would make, I want to say, a subjective call. They really didn't have a benchmark in order to compare one with another.
Q: Let's go back to the development of the tool. What did it take to build and get this tool in place?
A: We assembled a small team from procurement, engineering, GBS [IBM's Global Business Services consulting division], business integration and transformation, and the CIO's office. We determined what risks we needed to consider, what data we would need to evaluate the risks, an algorithm to assess the impact versus likelihood of an event occurring, who the users would be, what kind of training they would need, and how often to run the tool. We had to develop thresholds and metrics as well as a management system around the process. Gathering the tool requirements, tool development, and testing took about a year.
Q: Tell me a little bit about the rollout.
A: Prior to the actual rollout, we built a prototype and then ran a pilot with several users. We got excellent feedback and made changes. The CPO was a very strong proponent of using the tool. And within just about a year from the initial deployment, the Fukushima earthquake and tsunami struck Japan. The teams found the tool invaluable in gaining insight as to which suppliers we had in Japan, what commodities were made there, etc. Then later that year came the Thailand floods. After those two events, all of the procurement team members were in.
Now, this is clearly extra work for the sourcing team. We did a couple of things to ease into this. We had extensive education on not just why we were doing this but also on how the tool works; the purpose of the questions; why we would look at the country, region, suppliers, supplier sites, and the commodity—and why we chose those particular things; and then how the algorithm would take that information, weigh it, and produce a result. Then, when we had a result, what we would do with it.
Q: There must be some way for the tool to adjust to changing conditions.
A: The factors that are considered in the tool are not ones where you would typically see dramatic changes from week to week, month to month, and so forth, and we don't run the tool that frequently, though we could. What really changes are situations, whether it be the Thailand floods, issues with Ukraine, the protests in Hong Kong. Those things are real time. To augment the tool's calculation on the high-risk, medium-risk, low-risk slider, you rely quite heavily on the real-time alerts. So we have a system in which we collect information around the clock, and we look at the data, the alerts, and we make a determination very quickly whether or not we think it is going to impact the supply chain only in the short term or if it is a fundamental issue that is going to change the supply chain for the longer term.
Q: What has the tool done for IBM?
A: Well, overall it has raised the level of risk awareness and sensitivity. Sourcing people around the world understand that sourcing the product and getting the best price and getting it delivered on time are all necessary, but understanding the level of risk that the supplier brings as well as the part's supply chain is something that is equal to the other items.
In the Japan situation, the tool immediately told us how many suppliers we had in Japan, whether they were tier one or two, what commodities they provided, etc. The executive team could reach out to the suppliers right away and determine if the factories would be up and running and if not now, when. We had an abundance of information at our fingertips that we eventually would have gotten to, but the sooner you get this information, the more options you have to deal with the crisis because for the most part, competitors are going to the same suppliers, the same manufacturing lines, the same capacity.
Q: Do you have plans to expand the tool's scope and features?
A: There are really a couple of things here. It would sure be nice if we could see a picture of the factory when our executive is talking to that top executive in Japan. Actually, we developed what we call a risk app and tested it, and we have it in play now. We are going to be using it for other aspects of IBM, so this gives us the ability to communicate on the spot.
The next thing that we have done is [a result of] the Thailand flooding. About 50 percent of the hard drive business is in Thailand, so that situation was very, very acute. We were asked to look at supply clustering. So we looked around, and we found that we do have suppliers in several sites around the world that are clustered in different geographies. So we started to look at the potential of flooding. We actually have this now; we've got a prototype that is up and running, and we are using it.
About the Author
Peter Bradley is an award-winning career journalist with more than three decades of experience in both newspapers and national business magazines. His credentials include seven years as the transportation and supply chain editor at Purchasing Magazine and six years as the chief editor of Logistics Management.
More articles by Peter Bradley
Resources Mentioned In This Article
Join the Discussion
After you comment, click Post. If you're not already logged in, you will be asked to log in or register.
Feedback: What did you think of this article? We'd like to hear from you. DC VELOCITY is committed to accuracy and clarity in the delivery of important and useful logistics and supply chain news and information. If you find anything in DC VELOCITY you feel is inaccurate or warrants further explanation, please ?Subject=Feedback - : Assessing and managing risk: interview with IBM's Louis R. Ferretti">contact Chief Editor David Maloney. All comments are eligible for publication in the letters section of DC VELOCITY magazine. Please include you name and the name of the company or organization your work for.