When supply chain disruptions strike, risk mitigation strikes back. And, it does so in many forms. Whether it’s enhanced software, improved employee training or solutions equipped with visibility features, managing risk is a 24/7/365 job. It requires all hands on deck, the latest and greatest technologies and the ability to pivot accordingly.
That’s because supply chain disruptions also come in many forms -- ransomware attacks and port closures, natural disasters and global pandemics, food fraud and cargo fraud.
If history repeats itself, disruptions of major magnitude will continue to rock U.S. supply chains. But, it’s how companies plan, manage and react to these disruptions that allows them to efficiently and successfully mitigate risk.
Here’s an interview with Alex Apostolou, principal solutions strategist, risk management strategy at VelocityEHS, with excerpts publishing in Food Logistics’ October 2021 issue.
Food Logistics: The COVID-19 pandemic presented a host of risk/security challenges to today’s cold food chains. Now, the Delta Variant is looming its dark head. What is your company or companies in the cold food chain doing to mitigate and stay in front of these types of risks?
Alex Apostolou: No one has escaped the impact that COVID-19 has wrought on the cold food supply chain. Every person involved has experienced—and continues to experience—those impacts personally, in their families and communities, professionally and in their companies, and as consumers who shop to feed their families; and very commonly all three at once. Countering these long-term and multi-dimensional shocks is best done in a collaborative and open context where everyone can draw from the strengths of the shared experience, a clear understanding of expectations and the flexibility to devise new ways of solving problems.
A small but illustrative example we’ve seen repeated with encouraging results is where employers have taken the time to ensure that the right safety processes and procedures are in place to mitigate the impacts of resourcing challenges. For example, where jobs were affected by staffing levels or throughput targets, the relevant Job Safety Analyses (JSAs) were reviewed in a series of collaborative workshops to ensure they covered, for example, how job steps requiring multiple personnel could be performed safely when performed by one, or production goals based on certain team levels scaled down with reduced personnel. Including expectations around quality, productivity, and of course, safety into the JSA made those jobs more realistic, more understandable and scalable, built confidence in the work teams involved, made the processes more shock-proof for the future and had the beneficial effect of reinforcing team cohesion at a time of great stress and instability.
Another example that comes to mind relates to the impact of large-scale absences of key technical, production or management personnel for indeterminate durations. It was in this context that companies who had been relying on key personnel to manage the flow of knowledge and processes came to a halt. The option to simply transfer the missing skillset onto another employee wasn’t available because who knew how long it might be before that employee took sick? At varying speeds, companies began to transition, opening up and sharing the knowledge and skills, authorizations and approvals necessary to make the gears turn and keep the lights on for their businesses. Instead of a need-to-know basis, employers asked themselves, “Is there any reason our employees shouldn’t have access to safety knowledge and information?” Software permissions were eased, restrictions to management-only material were removed and the knowledge, like water, flowed to those people who could do something with it. We saw risk analyses being re-used, insightful learnings generated and applied and simple things like control verifications finding measurable improvements simply because it was a new set of eyes performing the task. As a result of these broader learnings, we are now looking at how we help schedulers find someone who hasn’t been involved in an observation or inspection before so we can embed knowledge diversification throughout our customer communities.
Food Logistics: Cyberattacks are becoming more commonplace in the cold food chain. Thoughts on how to prepare for when cybersecurity disrupts the cold food chain.
Apostolou: Cyberattacks are just like every other attack on the business. They require subject matter experts working with your personnel to develop a shared understanding of the threats, potential impacts and corresponding risk levels and then a review and implementation of appropriate treatments or controls to prevent those threats and mitigate any potential consequences. People sometimes forget that one of the benefits of good risk management is that when a threat is realized, you already have a game plan and a series of plays to prevent it—stopping it in its tracks, as it were—and mitigate any of the impacts.
One shortcoming we often see occurs right after the agreed controls are identified and implemented (transition to cloud-based solutions—CHECK; ensure security vendors adhere to strict AICPA SOC 2 Type II standards aligned with the widest range of national and international data protection requirements—CHECK). At this point, typically, everyone breathes a sigh of relief since those boxes are ticked and focus shifts to the next challenge.
Risk management is not about managing risks; it’s about managing the controls that manage the risks. And, the questions you need to be asking of those controls include:
· What are the criteria by which we expect the controls to perform?
· Are the controls in place and do they perform as specified by the criteria when tested?
· Are they being tested and verified by someone who is trained and competent as often as required?
· If any incidents or attacks occurred, did the controls respond according to the criteria and if not, have we corrected and re-tested their performance to ensure full compliance?
These are the types of questions that companies should be asking themselves over and over again to minimize the risks of cyberattacks on their business.
Food Logistics: Risk reduction entails other facets of the business, i.e., worker safety, product safety and plant safety. What is your company or companies in the cold food chain doing to protect employees, product, facilities, fleet and more?
Apostolou: All our energy goes into making risk management tools that help our customers quickly and efficiently perform risk assessments, collaborating and communicating with the workforce and embedding learnings and improvements. The processes supported in risk management can be used to manage risks at home, in the car or at work. The risk management process can assess environmental risk, consumer risk, quality risk, cyber or supplier risk.
In other words, risk is a process, not a product, and our focus is on building a risk management toolset that lets our customers identify, assess and manage any type of risk. By keeping the toolset constant, the workforce learns and trusts the process to deliver the right outcomes. And, just as almost all risks have multiple consequential impacts (e.g. a worker injury will have a safety and financial impact, a customer with food poisoning might have a reputational, financial and legal impact), by fleshing out all the impacted stakeholders, you’ll be more likely to get more smart minds solving problems properly with the correct level of resourcing.
We recommend bowtie risk analysis in these multi-disciplinary situations as it helps visually map risks and illustrate the pathways between causes and potential impacts. In addition to mapping risks, of any type, bowties allow you to assign controls to individual causal or consequential pathways, apply performance standards and visually track the performance of those controls. People remember pictures and understand flows or cause and effect, so as you explore more complex scenarios in a collaborative setting, having a tool that visualizes all elements instead of an Excel spreadsheet builds the common understanding that helps users better organize and prioritize risks and facilitate a more comprehensive understanding of the risks facing your business and how to control and manage them.
Food Logistics: Going into 2022, what are some things companies should be doing now to better identify risks?
Apostolou: Engage with your workforce and stay engaged with them throughout this transition period that hopefully leads back to normality. Listen and learn as much as you can about the challenges faced by your competitors, your neighbors, your suppliers and your customers and ask, “Could this happen here?”
Analyzing the data in your EHS solution can help generate lots of ideas for a risk workshop. You can also use the increasing knowledge that is being gathered from your control assurance program to identify potential failure modes and improve your response. For example, if a certain brand of smoke detector is not reliable, find a vendor and a product with guaranteed effectiveness and tell purchasing not to buy any other. Solve problems once, properly. Run what-if workshops or find out how you can use HAZOPs to standardize the questions you ask about the process, the plant, your suppliers, your contractors, your customers, your employees. Risk identification, like control assurance, doesn’t stop.
Food Logistics: What are some things not addressed above that may be pertinent to our readers?
Apostolou: All workers should be included in the risk management process. The learnings of how the business actually works, the role everyone plays, who does what, etc. all of that is shared and understood in the workshop and the results pay dividends over years. Capturing all the knowledge generated is obviously critical as no one wants to reinvent the wheel, so having it available and online at all times is critical. Keep things simple, start small and scale up as you share and embed knowledge in running the process across the entire workforce. Follow up on corrective actions and ensure that there is top-down and bottom-up visibility. Don’t buy a software package and try to configure it to replicate the way you work now. It’s a journey. Pick a software package that is built on proven best practice principles and supports you from this starting point and will go with you to wherever you aspire. Engage with your employees and make them part of the solution. Share your knowledge and passion with everyone, and as your risk management program gets picked up and run by others, start thinking about where you can take it next.
Always remember, risk management is not about managing risks; it’s about managing the controls that manage the risks.