Supply Chains Mean (Cyber) War

Author’s note: Since this column was originally written, another “scandal” broke around the use by third-party suppliers of North Korean gold, affecting such companies as Hewlett-Packard Co. and IBM, as described by Joel Schectman in the Risk & Compliance Journal section of The Wall Street Journal of June 4, 2014 in an article with the title “Dozens of Firms Report N. Korea Gold in Supply Lines” … This article further illustrates the horrendous lack of knowledge of sources of supply, particularly as you delve deeper into the supply chains of common products. While most of the emphasis to date has been on materials in hardware components, there should be equal, if not greater, concern that software might contain unacceptable, and potentially dangerous, components from hostile sources.


Emily Chasan and Joel Schectman wrote a piece in the CFO Journal section of The Wall Street Journal of May 20, 2014 about “War and the Supply Chain: Companies Unearth Few Answers About Whether Vendors Used ‘Conflict Minerals.’” The subtitle really brings out the point that many companies have little to no knowledge of many components of their supply chains. Where on Earth (to continue the pun) is their vendor management office? And how do they manage supply-chain risk if they don’t know where their stuff is coming from? According to the article, “Hewlett-Packard Co. had planned to disclose that it was unsure of the ‘conflict’ status of its materials …” [emphasis added] However, a court ruling, which is the basis of the article, means that H-P is no longer required to make such a report, since they now need only show that “they investigated their supply chains.” After all, “there may be as many as 10 companies between H-P and the initial buyer of the materials, which for now makes it almost impossible to learn where many materials are obtained.” [emphasis added]

Wait a minute! If it’s almost impossible to obtain supply-chain information, how can you only be unsure about it? Surely, you just don’t know and may never know details of the complex supply chains upon which you so heavily depend.

But this should come as no surprise. It is a huge task for large companies just to determine a complete list of vendors that supply them directly, and an even bigger effort to try to verify vendor viability and security. Many sophisticated companies and government agencies are well aware of the risks involved; however, even they find it increasingly difficult and costly to get information as they delve deeper into the sources of supply. Furthermore, it is even more difficult to get suppliers to cooperate when there are many degrees of separation involved.

That is why I believe that the only way to get any handle at all on the risks of supply chains is to build them into a computer model which honors the need for anonymity among vendors and their customers. The model could not only help to describe the complexities of specific supply chains, but could be used to test various scenarios: the exit of companies (through bankruptcy, takeovers, mergers, new management, etc.), the impact of natural disasters and other catastrophic events, common points of failure, and whether conflict minerals or hostile players might be involved.

Having been heavily involved in vendor management and in financial-services industry survey projects, I know only too well the difficulties of just maintaining a current list of vendors, never mind trying to get vendors to indicate all their suppliers.

If a simulation model with its surrounding protections is used, then all participants in a particular supply chain would feel freer to enter information without the usual fear that the information would be divulged to customers or, particularly, to competitors. How can I say that the information shouldn’t be disclosed to customers? Well, the reason is that if such disclosures were required, the organization providing the information would be reluctant to be forthcoming, to say the least. If some neutral and trustworthy body were to be the “keeper of the keys,” then there may be some hope that more useful and more honest data will be supplied.
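As an added illustration (not from the column), here is a toy version of the model sketched in the two paragraphs above: vendor names are pseudonymized with a key held only by a neutral keeper, and the anonymized graph can still answer scenario questions such as which raw-material origins are lost if one vendor exits and which intermediaries are common points of failure. The chain and all company names are constructed for the example.

```python
import hashlib
import hmac
from collections import deque

# Constructed sample chain: buyer -> direct suppliers, several tiers deep.
SUPPLY_CHAIN = {
    "AcmeHW":     ["AssemblerA", "AssemblerB"],
    "AssemblerA": ["ChipCo", "SolderCo"],
    "AssemblerB": ["ChipCo", "CaseCo"],
    "ChipCo":     ["RefinerX"],
    "SolderCo":   ["RefinerX"],
    "CaseCo":     ["RefinerY"],
    "RefinerX":   ["MineQ"],
    "RefinerY":   ["MineR"],
}

def pseudonymize(chain, keeper_key):
    """Replace every name with a keyed hash. Only the holder of keeper_key
    (the 'keeper of the keys') gets the lookup table, so participants can
    contribute edges without exposing who supplies whom to other parties."""
    def tag(name):
        return hmac.new(keeper_key, name.encode(), hashlib.sha256).hexdigest()[:12]
    names = set(chain) | {s for sups in chain.values() for s in sups}
    anon = {tag(b): [tag(s) for s in sups] for b, sups in chain.items()}
    return anon, {tag(n): n for n in names}

def upstream(chain, start, excluded=frozenset()):
    """All transitive suppliers of start, skipping vendors that have exited."""
    seen, queue = set(), deque([start])
    while queue:
        for sup in chain.get(queue.popleft(), []):
            if sup not in seen and sup not in excluded:
                seen.add(sup)
                queue.append(sup)
    return seen

def sources(chain, start, excluded=frozenset()):
    """Origins (vendors with no suppliers of their own) reachable from start."""
    return {n for n in upstream(chain, start, excluded) if not chain.get(n)}

def simulate_exit(chain, start, leaving):
    """Scenario: vendor 'leaving' exits. Return the origins start loses."""
    return sources(chain, start) - sources(chain, start, frozenset({leaving}))

def common_points_of_failure(chain, start):
    """Intermediaries whose exit alone cuts start off from some origin."""
    return {v for v in upstream(chain, start)
            if chain.get(v) and simulate_exit(chain, start, v)}
```

Run the same functions on the pseudonymized graph and map the results back through the keeper's lookup table: the analysis is identical, while everyone except the keeper sees only opaque tags.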

The WSJ article throws out huge estimates, supplied by the Securities and Exchange Commission (SEC), of the cost of just putting together conflict-mineral reports (which cover a small fraction of overall risk assessment): of the order of $3 to $4 billion for the first year alone. The effort is unquestionably huge, but if we do not capture complete “soup to nuts” information about supply chains, as in a simulation model, then that expenditure of expensive and scarce resources will only apply to a particular question and will have to be repeated each time a new question is asked. Such other questions might relate to the impact of earthquakes, tsunamis, hurricanes, and (yes) war, social unrest, and insurrection.
