By Peter Marotta
When the average person walks into a supermarket to buy a simple box of cereal, what does he or she see? An aisle filled with a staggering choice ranging from the breakfast of champions to breakfast food that goes snap, crackle, and pop. What doesn't that consumer notice?
All for a box of cereal. So if one thing goes awry along the way, a lot more can go wrong as a result. No matter what the product, measuring and managing the risk at each link of the supply chain can separate the profitable company from those in peril.
The good news is insurers and risk managers are relying more and more on sophisticated analytics and models to identify and handle supply chain risk. But models don't live by algorithms alone. The "seeds" for the knowledge that models provide derive from the data that feeds the analytics. In fact, a lack of data could become one of the greatest risks to the supply chain.
The supply chain encompasses the upstream and downstream flow of resources associated with the creation, storage, transportation, distribution, and delivery of a product or service, starting from raw materials until that product or service arrives in the hands of the consumer. Therefore, supply chain risk involves the potential for interruption — internal or external — in each step of the process. And any disruption can result in failure to deliver a product or service.
Figure 1 illustrates a typical supply chain and how it links to a much more complex chain of supply chains. Using the cereal example, the supply chain also includes electricity — lights, cooling, alarms, computers, and whatever else requires power. That's another link in the chain affecting the ability of the retailer to meet customers' needs. Then multiply that by the other activities needed to run a supermarket, such as purchasing, production, and distribution. With that view, what schematic would suffice?
Traditionally, supply chain risk has focused on the movement of goods and materials. But in today's world, supply chain risk applies to any object or activity related to the delivery of a product or service, including financial transactions and contracts. Examples of breaks in the supply chain include credit default swaps managed by an obscure financial services subsidiary in Ireland (primarily a credit risk transparency issue), a clothing manufacturer sweatshop in Bangladesh, and a drug compounding center in New England. Due to severe weather or other hazards, regulation, disease, labor disputes, political activity, malfeasance, ineptitude, and the like, these companies' actions not only had a direct and negative impact on their businesses but also on their trading partners' businesses and, in one case, world economies.
The diagram illustrates a typical supply chain (center inset) and how it links to a much more complex chain of supply chains.
So, how does an organization get a handle on supply chain risk? A key first step is gathering facts: identifying all the internal and external touch points involved in a product or service.
In October 2012, the National Institute of Standards and Technology (NIST, http://www.nist.gov), an agency of the U.S. Department of Commerce, issued Report 7622, titled "Notional Supply Chain Risk Management Practices for Federal Information Systems." The report includes ten supply chain risk management practices that federal departments and agencies should consider as part of their supply chain risk management strategy. These practices, however, apply to any organization.
From a data and data management perspective, three components — discovery, data lineage, and interoperability — are central to supply chain risk mitigation.
In the discovery phase, the supply chain analyst (or data manager) should identify all parties involved in producing a product or service, internally or externally. Each party's role in the relationship must be determined, in addition to the relationships among those parties and other parties not directly associated with the organization but affecting the organization's supply chain. The identification should comprise characteristics associated with each party: location, personnel, raw materials, corporate structure, company financials, adverse legal activities, and so on. Any risk associated with those characteristics is critical to recognize as well. All the information should then populate a data dictionary, which becomes part of a data model and a data repository to support supply chain risk analyses.
Once the analyst has identified the "who" and "what," the analyst needs to document the sources of data and any changes to the data from the beginning of the process to the end. This metadata is extremely important when there are many parties, roles, and relationships and even more so when the information changes frequently. NIST labels that activity as "provenance," using the term often associated with artwork and antiques. The data management community often labels that activity as data lineage.
After the metadata underlying data discovery and lineage has been documented, the analyst must now connect the dots: The data associated with each party and its characteristics, as a prelude to creating analytics, must allow for interoperability and for financial risk transparency. The interoperability is not only with other data within the repository but also with external data sources. For example, the supply chain risk associated with the box of cereal must relate to the weather risk associated with the farm producing the grain used to produce the cereal.
For all supply chain risk, especially important to financial services, the analyst must identify corporate structure hierarchies at the macro level but not lose sight of the granularity needed at the micro level. An example at the micro level would include individual mortgage details underlying a mortgage portfolio being transferred from one financial entity to another. Transparency can be attained only when this macro- and micro-level information has been properly documented.
Regarding corporate hierarchies: In response to the recent financial crisis, the Financial Stability Board — working with other regulatory agencies, the International Standards Organization, and industry associations including the EDM (Enterprise Data Management) Council — has created the legal entity identification (LEI) code to uniquely identify all business and legal entities. Regulators and service providers within the insurance industry have also created corporate hierarchies. The insurance-specific hierarchies, however, may not recognize related business entities that are not insurance companies.
Other data management tools and techniques that can support interoperability are semantic databases and ontologies. Semantic database technologies, where each data element is put into context, can provide a common framework that promotes data linkage, sharing, and reuse. Ontologies extend semantic functionality to relationships between data.
It is only after the analyst has documented metadata, lineage, and linkages that risk analyses can be conducted and metrics compiled. Complete and comprehensive data and data management are therefore necessary prerequisites to any understanding of supply chain risk and identification of risk mitigation strategies.
Like the ingredients in cereal, if properly combined, relevant data can help companies become champions.
Peter Marotta, AIDM, FIDM, is enterprise data administrator of Enterprise Data Management at Verisk Analytics.