How to Foster Resilience When Diversifying Supply Chains
The trend of de-risking and diversifying supply chains away from China has been underway for years. Geopolitical and economic risks—such as pandemic lockdowns, the potential for a future conflict over Taiwan, and increased tariffs and investment curbs—have accelerated the need to diversify supply chains.
Diversification is a long-term strategy that aims to make global supply chains more resilient from geopolitical-related risks. Many companies have adopted a “China +1” strategy where they continue to use their mature supply chain partners in China while gradually developing capacity in an additional country, often a nearby Asian nation. Depending on the industry, diversification may also include friend- or near-shoring. However, as mature supply chains diversify, there are also associated risks with new geographic areas and less developed supply chain programs at these new locations. This evolving process requires a period of adaptation and the maturation of new supply chain programs, including for security compliance.
Supply chain managers and security professionals have been developing and expanding security compliance programs for many years in China. Multinational firms often leverage security and other standards coupled with extensive auditing programs to build up the capability and resiliency of long-term suppliers. This lengthy process, which can involve multi-year engagements, has forced security teams to adapt and evolve with their supply chain management counterparts to develop best practices and improve the overall knowledge of in-region supply chain security professionals.
From these long-term engagements, suppliers’ own processes and security controls mature as requirements and expectations increase over the course of the relationship. In recent years, the growing supply chain risk environment has prompted many companies and their suppliers to diversify their manufacturing capacity.
Developing a supply chain security program at a new supplier site is often challenging, but it becomes even more so when adding logistical, cultural, travel, labor, and other factors associated with a new overseas site. Suppliers need to carefully leverage existing talent, know-how, understanding of customer expectations, and tested best practices from their mature manufacturing sites. Security program managers will also need to adapt their engagement strategy.
The know-how built up from years of managing security compliance at suppliers in China can now be applied to speeding up the maturity timeline at new sites. The sooner a site develops a mature compliance program, the greater the resiliency of newly established supply chains.
Understand the Location, Site, and Project Layout
A critical first step is to conduct detailed due diligence and risk monitoring of the country and area where a new supplier site will be located. This will help to identify the overall complexity of the operational environment.
Part of this process should also weigh the potential logistical, regulatory, labor, travel, and other challenges associated with sharing or reallocating resources, know-how, and expertise from mature suppliers. An understanding of the individual supplier’s anticipated expansion in the new location or country should be considered early on. Longer-term development of the supply chain in the country will enable the program manager to understand current and future upstream or downstream linkages for making a particular product.
Once both a deep understanding of the operating environment and supply chain development plans are established, program managers need to decide how to engage with the new site. The more on-the-ground interaction and visibility of the project area and ongoing development the better. It is not always possible to sustain regular visits or a continuous onsite presence. Security program managers have several options to include regular onsite audits, including the use of other team members when onsite, third-party auditors, or regular remote project management and validation. The presence of a trusted security manager from the supplier’s mature site is also advantageous. This allows the security manager to provide on-the-job training and mentoring to the local security manager.
The size of the project at a new site will also have an impact on the ability to influence local compliance. A large project will necessitate greater support and coordination between the supplier and the customer. In this case, it will be easier to influence the supplier on designing the project areas with your security requirements in mind. Engaging the supplier on layout design and security equipment selection provides security program managers with the opportunity to establish strong fundamental physical site security, which may include appropriate storage areas for critical assets, tailored alarm, video surveillance coverage, access control, and security guard deployments focused on the material and digital flow of the project’s critical assets.
Build a Team That Understands Your Security Requirements
The most essential factor for establishing a resilient security program at a new supplier site is the selection of the local security manager. Given that there may be limited resources while setting up a new supplier site, the supplier may designate an individual that does not have direct security management experience. This is not necessarily a negative outcome, as long as the individual is willing to invest the time to learn. This will require the program manager to also invest more time explaining security concepts and training or mentoring the security manager. If the individual comes from a quality, project management, or continuous improvement background and can influence operational processes, this will be an asset.
It is also essential for the senior management at the site to buy into the security program and have a clear understanding of compliance expectations. To ensure this can be achieved, it may be necessary to involve multiple stakeholders including mature site leadership and security team members, the customer’s onsite project team, and third-party auditors or security providers. It is recommended that stakeholders participate in regular security-related meetings and audit-finding review sessions. This approach will expose key stakeholders to the details of security requirements, the current problem areas and the expected corrective actions for non-compliance.
Regularly Audit SOP Implementation and Security Improvements
At the start of the project, non-compliance will likely be very common. It is essential that the local team be very clear on expected security improvements and the root cause of non-compliance.
One factor that can be an issue early on is when security standard operating procedures (SOPs) are copied from a mature site and translated into the local language verbatim. This can often lead to problems with implementation and execution by local security guards. SOPs need to be carefully reviewed to ensure that the procedures are adapted to the local factory situation. Shortages of key personnel, equipment, space, or differences in the local legal or cultural environment necessitate careful adaptation of established SOPs.
After creating site-appropriate SOPs, the local security team will need to establish their own internal auditing function. A customer or third-party’s audits are essential, but a site’s internal audit capability will ensure that the local team understands the expected implementation of SOPs and how to identify their own areas of non-compliance. At the core of the auditing function will be a focus on finding the root cause of any non-compliance issues. In the early stages of a project, there can be many factors—including procedural, equipment/technical, people resource, or environmental issues—preventing the effective implementation of required security controls. Based on accurate analysis of non-compliance, the security team can articulate a more appropriate corrective action and provide trackable progress for the security program.
For example, if a customer’s audit found that a security post did not respond in an adequate amount of time to an alarm, the auditor and the local security team should study why this occurred. After discussing with the security guard force and reviewing surveillance footage, one possible cause is that the security post is not located near the alarm or able to receive notification of it. Another possible cause could be that a single security guard is not able to leave the post due to limited guard personnel. The supplier should aim to uncover the root cause, correct it with appropriate resources, and continue to audit internally for similar problems.
Having this formal loop of customer or third-party auditing and an internal compliance program fosters a robust collaborative partnership for continuous improvement.
The goal of diversifying supply chains is to provide greater resiliency with production partners and the flow of product. Supply chain diversification is a gradual process that can result in initial fragility for new production sites. Robust compliance, especially in the area of security, contributes significantly to the resiliency of a manufacturing site’s production capabilities. To foster secure and resilient supply chains during early-stage diversification efforts, companies should focus on conducting detailed due diligence, establishing strong in-region security teams, and regularly auditing and correcting areas of non-compliance.
Kevin Biggs, CPP, was formerly based in Shanghai, China, working on supply chain security at a multinational corporation. In this previous role, he developed extensive experience in building up security programs and local security teams at suppliers throughout Asia. Biggs has been an active member of ASIS since 2019.
