Supply Chain Risk Management Framework

1. Supply Chain Risk Management Framework Supply Chain Risk Leadership Council Zurich Case Study 30 January 2008 Confidential – Do Not Forward Outside SCRLC

2. Types of risk are not mutually exclusive Types of risk Internal Environment Objective Setting Risk Management is an iterative process Downstream Customer Primary Customer Event Identification Your Company Risk managementcomponents First-tier Supplier Risk Assessment X-Tier Supplier Risk Response Control Activities Information & Communication Monitoring Supply Chain Scope Includes links (logistics and electronic transfer of information) between supplier, your company, and customer Zurich Case Study INSTITUTIONAL PHYSICAL PROCESS

3. Manufacturer of Business Machines

4. Background • $2.5bn business supplying high security equipment and software solutions to the worldwide banking industry • Centralised (European) risk management and audit • Moved European manufacture out to China 3 - 4 years ago • Initial savings of >50% achieved, now around 40% • Investment in local quality management • Initially poorly managed extended supply chain

5. Risk Management Components I • Commercial drivers, little focus on risk management • Dimensions: Physical, Tier 1 (China) Internal Environment Cost, cost, cost, quality Objective setting Control Activities Audit Quality, delivery, EH&S, insurable risks Monitoring

6. Risk identification ‘deep dive’ Supply chain mapping, EHS, CSR, QA, physical Risk mitigation and transfer Verification and audit, BCM Supply chain metrics, risk mitigation review Risk Management Components II • Corporate (Enterprise) level, belated focus at Supply Chain level Event identification Risk Assessment Risk Response Control Activities Monitoring

7. Risk Assessment • ‘Fundamental’ requirement to monitor and assess EH&S and physical risks • Concern over ‘Hyper-optimisation’ in supply chain • Growing recognition of reputation vulnerability • Supply chain mapped – key product lines • Scenarios evaluated

8. Risk Response • ‘Institutional’ dimension recognised • Focus on critical supplies (not just geographical) • Actions defined to mitigate reputation exposure • Risk transfer options defined

9. Control Activities • Greater focus on BCM in the supply chain • Push audit focus upstream • Extending BCM testing assurance to Tiers 1 & 2

10. Monitoring • Tighten internal monitoring • Establish metrics to evaluate overall supply chain vulnerability • Monitor suppliers on this basis • Maintain focus on competitor activity, customer response and regional drivers • Measure effects of risk mitigation(?)

11. Conclusions • Valuable reference / check • Iterative nature of framework • Focus on different elements at different times • Cumulative value