Preparing for Pandemics: How Cisco Immunized Its Operations
Professor Ravi Anupindi examines how Cisco keeps its complex supply chain resilient against all disruptions, even flu pandemics.
ANN ARBOR, Mich.—Cisco Systems Inc. runs one of the most complex supply chains in the global information technology industry. The company relies on more than 1,000 suppliers, four contract manufacturers and 50,000 purchased parts. It also outsources assembly. In October 2009, senior management was concerned the H1N1 flu outbreak would evolve into a pandemic and disrupt its supply chain. The SARS outbreak in 2002 and 2003 nearly paralyzed business in Asia, site of many Cisco suppliers.
In the case study Supply Chain Risk Management at Cisco: Response to H1N1 professor Ravi Anupindi examines a pandemic drill Cisco applied to its supply chain and its managers to test resilience while assessing procedures the company has taken in the past. In the following Q&A, Anupindi talks about Cisco's best-in-class supply chain risk management and some of the lessons learned from the tsunami in Japan. Anupindi, Michael R. and Mary K. Hallman Fellow and professor of operations and management science, also is faculty director of the Ross Master of Supply Chain Management (MSCM) Program.
One thing this case makes clear is that while the impact of H1N1 on production was relatively muted, supply chains have become very complex. Are they becoming too vulnerable?
Anupindi: Indeed the global supply chains of today are more complex and subject to many types of risks. We can think of three types of risks —physical, process, and institutional. The Cisco case focuses on physical or disruption risk. Whatever kind of footprint you have, disruptions are bound to occur — lightning strikes , floods, or hurricanes could damage a plant. Companies have to become good at managing their supply chain; the more global supply chains become, the more difficult is the task. Complexity also arises because of the multi-tier nature of a supply chain. Cisco's partners have suppliers who supply to them, and those suppliers have suppliers. I chose to write about Cisco because I think they're one of the best at managing risk across their extended supply chain. About four years ago, Cisco and some other companies founded the Supply Chain Risk Leadership Council (SCRLC) to discuss and share best practices and good systems for risk management. I represent the University of Michigan on this council and began attending meetings in 2007. These interactions have given me a good perspective on practices of various companies. Early on it became clear to me Cisco's approach was best in class. Cisco's Kevin Harrington, who is mentioned in the case, is a member of the MSCM Corporate Advisory Council. I proposed to Kevin to document their approach as a case. My objective was to illustrate the key elements of a world-class supply chain risk management system and show a use case. While the current case focuses on H1N1 planning, I'm currently writing a supplement that illustrates Cisco's response to the recent tsunami in Japan.
Cisco created a supply chain risk management team that is involved in all functional aspects of the company. Is this common? In the case you mention a disruption at a plant that supplied both Nokia and Ericsson, and both responded quite differently to the exact same situation.
Anupindi: The ability to sense and respond to a risk varies a lot across companies and that's what the Nokia and Ericsson situation implies. Nokia reacted promptly but Ericsson was slower and suffered losses. I think it's inevitable at some that at some point a company has to develop a risk management team.
Cisco ran a drill to test their resiliency against an H1N1 pandemic scenario. Talk a little about that.
Anupindi: Let's take a step back. Before you even get to the drill, a fundamental requirement of a supply chain risk management (SCRM) system is business continuity planning, or BCP. Cisco populates its BCP database with a list of suppliers and related information—location, key contact people, capacities, estimated recovery times, etc. It's a lot of detailed information that also needs to be verified. Other elements of SCRM include analytics and crisis management. Cisco's SCRM system gives management the ability to quickly assess the impact of disruptions on specific product lines, customers, and the business. Post- event, every company eventually will figure that out. The critical thing is how quickly they can do this and make appropriate decisions. With initial outbreaks, there was concern that H1N1 could become a pandemic. If that were to happen, actions likely would have to have been coordinated with an affected country as well as the World Health Organization (WHO). The reason they laid out the drill was to see how quickly they could understand the implications for Cisco and what actions to take in coordination with the country's government and WHO in the event of a pandemic. To be able to come to that state so quickly is the power of Cisco's platform. Speed is everything.
The recent tsunami in Japan was a real test for this. Japan is a big player in the electronics supply chain. The tsunami affected everybody. It was a real stress test for Cisco because it wasn't just enough to look into the first layer of the supply chain, but further down. That was the challenging part. But within 12 hours of the tsunami hitting Japanís coast Cisco had a basic idea of who its first-level suppliers were in that region, what potential impact the tsumani may have had on them and hence on Cisco, and what alternatives Cisco had. That is the power of this platform. It gives a firm decision-making latency. Until you know that basic information, you can't take any action.
Management was asking some hard questions of the supply chain managers about preparedness before running that drill. Did the results give management some reassurance?
Anupindi: Yes they did. Management likes to know the business exposure to risks the company faces. When a major event occurs, they would like to be able to quickly assess impacts. There are two other constituencies to consider as well. Your customers want to know how the situation affects them. For example, if AT&T has bought Cisco equipment to be deployed they are eager to know if they will get their orders on time. The firmís second audience is the investment community. Whenever there's a big disruption they're going to ask how it will affect the company. Senior management needs to have a good answer about their exposure and how quickly they can recover. Unless you have this at your fingertips, your stakeholders can lose confidence in your ability to meet the promised financial targets.
Is it possible to build this system up to be able to respond to an unspecified, future event that hasn't occurred to anyone?
Anupindi: To quote Donald Rumsfeld, there are known unknowns and unknown unknowns. Cisco has playbooks for specific types of events such as a hurricane, a flood, or a flu outbreak. But it is hard to build a playbook for unknown unknowns. However, if you can build a robust system that becomes disruption-agnostic, you have a methodology in place to quickly put together an assessment and a response, no matter the occurrence. You do this by taking appropriate pieces from existing systems and constructing a new one. Learning from management of a specific past crisis to improve the system also is important. One of the gaps that came up for Cisco during the tsunami was that while they had a good BCP analysis of their first-level partners, there was no easy way to find out who the second- and third-level suppliers were and how they fared during the tsunami. But they have engineers who do keep track of what happens with various important commodities that affect design. Cisco was able to tap into this internal resource to build a more complete picture. Now Cisco is taking this learning to codify the process of assimilating sub-tier information, improving the capability and robustness of their SCRM.
For more information, contact:
Terry Kosdrosky, (734) 936-2502, firstname.lastname@example.org