In this episode of the McKinsey on Government podcast, McKinsey partner Ed Barriball and Bob Kolasky, director of the National Risk Management Center at the Cybersecurity and Infrastructure Security Agency (CISA), discuss the need for supply-chain resilience. But why are supply chains such a hot topic for government right now? What’s driving this laser-like focus? And how is the role of government in understanding and improving supply-chain resilience changing? An edited transcript of their conversation follows.
Francis Rose: Welcome to McKinsey on Government. Each episode examines one of the hardest problems facing government today, along with solutions from McKinsey experts and other leaders. I’m the host of McKinsey on Government, Francis Rose. A number of high-profile incidents in the past few months have highlighted the fragility of the supply chain, both in the cyber realm and in hard goods.
Bob Kolasky is director of the National Risk Management Center at the Cybersecurity and Infrastructure Security Agency. McKinsey partner Ed Barriball works with public- and private-sector organizations that manage manufacturing and supply-chain operations.
Gentlemen, thanks for joining me today. Bob, let’s start with you. What has happened over the past several years to generate such an interest in the supply chain?
Bob Kolasky: Supply-chain security and resilience are a focus of attention for the US government because the risk demands it. The increase in digitization and use of information and communications technology to deliver critical functions—which has inevitably been a great thing for the country in terms of efficiency and effectiveness—has introduced new aspects of risk that need to be managed. It’s also caught the attention of our adversaries. Nation-states that are interested in causing harm via cyber methods are looking at supply chains as a mechanism for those attacks.
And when I say, “supply chains as a mechanism for attacks,” I’m largely talking about software attacks and the fact that software runs everything. How software is deployed creates new vulnerabilities. Adversaries have gone after those vulnerabilities. As national- and corporate-security professionals, we need to be prepared to understand and address those vulnerabilities.
At the same time, the fact that supply chains have become so global has created new risk in terms of the reliability and the availability of certain things, and we want to make sure that those supply chains are properly managed. So, it’s a question of going where the risk is, getting ahead of it, and anticipating security needs and addressing them before they become problems.
The public-sector data challenge
Francis Rose: Ed, welcome. Thanks for joining the conversation. What are the biggest challenges facing organizations across the public sector in managing and assessing risk in their supply chains?
Ed Barriball: The first challenge is the data that you need to do this type of assessment. Most companies and governments know who they buy from directly, but our research finds that more risk emerges from tier two, tier three, and tier four of the supply chain, which would be your supplier’s suppliers or your supplier’s supplier’s supplier.
Most companies and governments know who they buy from directly, but our research finds that more risk emerges from tier two, tier three, and tier four of the supply chain, which would be your supplier’s suppliers.Ed Barriball
For most industries, most folks don’t have those data. And if you ask your supplier, a lot of times they might say that’s proprietary information. So even knowing who to assess is a challenge. Once you know who to assess, there are all sorts of different vectors for attack. Making sure you conduct a truly comprehensive assessment of those suppliers requires stitching together a lot of different data and information. And doing that at scale for thousands or tens of thousands of suppliers—which is what it is for complex products like information technology or weapons systems—becomes a real challenge. And that’s why this is hard.
Francis Rose: What have organizations done, Ed, to try to fill that gap themselves? Are there assessments? Are there tools? Are there processes that organizations can put in place to try to figure out some of that on their own?
Ed Barriball: This is a space that is rapidly innovating right now. The coronavirus crisis has shined a spotlight across industries on what a problem this is for the United States and Europe and other places in the world, so there’s a lot of venture-capital funding flowing into this space. A lot of established companies are getting into it, and a lot of start-ups are trying to build solutions. Companies and government agencies are sorting through how much of this they can do on their own. Do they just go buy the data, get the information, and stitch it together on their own? And how much is actually going to become a product or a service that we just go out and buy? That’s still a pretty uncertain question, I think.
And there is a lot of testing of different methods, both in the government and in the private sector. At the end of the day, I think it’s a mix of having the data so one can do outside assessments and ask, “Who do I think my supplier’s supplier might be?”
But it’s also about ramping up supplier collaboration. One of the companies that’s doing quite well right now in the semiconductor shortage is Toyota. Toyota actually invested heavily after the tsunami in 2011 in Japan, which put a big squeeze on their supply chain. There was much better supplier cooperation, a much better understanding of their supply chain, and an understanding of where they needed to keep more stock—which particular components they were vulnerable without. And given that, when you look at their performance during the coronavirus crisis versus others, it’s been better. I think there’s a lot of lessons of that type of preparedness that others are trying to adopt right now.
Making a better supply chain together
Francis Rose: I want to come back to those concepts because I think there’s an important analogy and maybe an important difference for a public-sector organization. Bob, one of the elements that you and your colleagues at CISA have undertaken is an information and communications technology supply-chain risk-management task force. Tell me what that task force is trying to accomplish when it comes to this supply-chain challenge.
Bob Kolasky: The task force is one of these examples of public–private collaboration and the authority we have within the department to bring industry to the table to help deal with national-security priorities. The task force includes 20 federal agencies—that have a lot to say about how we’re going to make the federal government more secure—as well as big IT companies, big communications companies, and some associations representing some of the small organizations. And we work, industry and government together, to solve some of those problems or make progress against problems in order to make a better supply chain.
Are we able to share information between government and industry to understand supply-chain risk? Can we knit that information together as a task force to then ask, “What are the priority threats that supply-chain risk managers within government and industry should be looking at?”
We’ve identified more than 100 threat scenarios that can form the basis for supply-chain risk-management programs. There are also other tools out there: the task force is working on developing tools to help small or medium-sized businesses implement supply-chain risk-management programs.
At the same time, at the policy level, we’re working on things that will drive incentives, taking into account supply-chain risk as part of acquisitions processes—ways to do that effectively. The task force sits around and tries to understand the risk collectively. And then we prioritize things that will help advance the overall approach to national supply-chain security.
Francis Rose: Are the risks in the supply chain of those private-sector companies similar to the risks in a public-sector organization like a federal agency? Are they close enough—analogous enough—that the lessons learned make sense? Is it just a matter of those companies being able to share something with the public sector, or am I looking at it all wrong?
Bob Kolasky: No. First of all, it’s shared risk. These are companies that the government is buying technology from. We’re not making up our own software and hardware. We’re getting the technology from these companies. If they have risk in their suppliers, that’s our risk, too. A lot of these are tier-one suppliers to the defense industrial base, tier-one suppliers to the banks, and so on.
We’ve got to manage our own ICT [information and communications technology] risk through supplies in the government. But we want these companies to be doing that further on, as Ed was talking about—down to their tier-two, tier-three, or tier-four suppliers. Then, it is shared risk.
Regarding the availability of the commercial technologies that Ed mentioned: for companies in this space to understand their risk and translate some of that information to the government and the information that we have through intelligence processes—that will help us get a better understanding of that shared risk so that we’re making consistent risk-management decisions.
Francis Rose: Ed, you used that Toyota example, and it’s a good one because it’s something that a lot of regular citizens who don’t necessarily care about how the government works or don’t think about supply chain understand; they understand that it’s harder now to find a new car on the lot because of the computer-chip problem.
What did Toyota do that could apply to an organization in the public sector that can’t necessarily go out and buy from those tier-two, tier-three, or tier-four organizations but that needs to work with them to be able to deliver on its mission?
Ed Barriball: That’s a great question. I think the first step is understanding what we do and don’t know. And I find that even in the private and public sector right now—if you walk into an organization that’s trying to deal with this problem and you ask, “Where do you know who’s in your supply chain, and where don’t you?” it’s actually uncommon for someone to have quantified that. They might say, “Here’s where we think we’re blind; here’s where we think we actually might know.” That is really the first step—to say, “What do we know?” and “What don’t we know?”
In the Toyota example, they actually have quite a bit of market leverage over their suppliers. They were able to go and say, “We’d like you to start providing this information.” They were able to get compliance over time and get better visibility.
I think the challenge for the government is that there are some markets where the government has that type of leverage, but there are a lot of markets—like Bob mentioned about ICT—where, frankly, the government may not have the leverage to be able to say, “Look, if you want to do business with us, you’re going to have to give us this information.”
There are some companies that might say, “OK, then we’re just not going to do business with you.” I think the government, in this case, needs to understand where they have that power. Where can they use acquisition practices like Bob mentioned to help companies get their arms around this and make sure that the government’s getting the information that it needs?
And for the sectors where there may be less market influence, less ability to do that—they must leverage some of the techniques that are becoming commercially available. What do they think they’re exposed to, and what kind of risk are they bearing?
Risk-management fundamentals: Critical functions and the big picture
Francis Rose: Bob, does the risk-management framework in a supply-chain environment work the same way? Are the techniques the same in assessing and prioritizing risk as in other types of risk management, or is there something unique to the supply-chain concept that requires somebody to look at it differently?
Bob Kolasky: Ultimately, I think the answer is more, “It’s the same” rather than “It’s unique.” Obviously, there are elements of inquiry. The risk-management framework that we advocate is, “Think about the critical functions that you present.” So, if you are the government, what are the critical things that the Department of Homeland Security does?
What are the essential functions? What are the critical functions that would contribute to [those essential functions]? And how are supply-chain attacks or failures linked to the risk of lack of functionality? A lot of this functionality is not just about delivering functionality but the integrity around those things.
So, the end state I’m trying to manage risk against is continued—functionally safe with information professionals. That’s the same whether I’m in government or whether my continued business functionality and supply chains present a new attack vector—a new vulnerability to that functionality. Prioritize based on risk: Where is the likelihood of loss of functionality? Loss of safety is going to be the highest. Take steps to reduce that risk.
Francis Rose: Ed, do you find that to be the way people are thinking about it when you sit down with them for the first time? Is that how they’re analyzing their supply-chain risk and how they’re thinking about trying to prioritize it?
Ed Barriball: I think folks are getting there. A lot of times, organizations are initially thinking about whatever is the most recent event, be it a cyberattack, or a flood, or an earthquake. But then they step back and say, “If we want to be more resilient as a business or as an agency, what are all the elements we need to look at?”
It’s getting more and more common that people are starting to think across the range of potential effects. This [way of thinking about supply-chain risk] is also starting to get more attention, like Bob was saying, in the C-suite. We released some research last year that the average company can expect to lose about 45 percent of one year’s earnings over the next decade due to supply-chain disruption.
And if you’re sitting in the CEO’s seat, that’s pretty material. It’s essentially 5 percent of your earnings in the next decade, if you’re simple about it. It might not materialize. And the implication for the government on that is the same as it is for companies: they can expect the production to stop for one to two months due to supply-chain disruption every three and a half years.
And depending on what kinds of goods there are and how much stockpile you have, one to two months can be a long time to have production shut down. So I think this is an industry that people are starting to look at much more comprehensively. It might start with, “What hit me most recently?” But as people start to understand the breadth of the potential effects they could experience, they’re really starting to look at it more broadly.
Francis Rose: How do you move somebody, Ed, from a situation where they’re thinking about what just broke to getting in front of the issue and thinking about, as you said earlier, how to know what you know?
Ed Barriball: I think the best thing that you can do when something happens is to go back and do an initial root-cause assessment. But also ask, “What does this tell us about the broader context we’re now operating in?” I think, frankly, that’s where a lot of leaders have been caught flat-footed.
But I think the reason this has become such a hot topic so quickly is that I don’t think people appreciate how much the context that we were operating in as a global economy had changed over the past decade. You had some kind of warning indicators, but then you had trade agreements start to change that people thought were stable. You had climate events happening that hadn’t happened before. And all these things started stacking up. You can write one off and write another off as, “Wow, I couldn’t believe that happened.”
But eventually, you start to have to say, “OK, maybe something is going on here.” I think what is most important for organizations is to look not just at the thing that happened but to step back and say, “Has the context that we’re operating in changed?” and “Is the thing that just happened not a one-off but more of a sign that we’re operating in a different environment than we were before?”
Looking ahead: Assess vulnerabilities and brace for change
Francis Rose: We’ve talked a lot about where we are today and how we got there. Bob, what’s coming next? How does one anticipate risks that we might not know are risks yet? For example, how do we sit in November of 2019 or January of 2020 and anticipate risks from a pandemic that may or may not be coming at some point in time—but that we might have to deal with? How do we put something like that on to the matrix to understand what we have to plan for—what we have to think about?
Bob Kolasky: McKinsey does some good strategic thinking about what the future is going to look like. So do other consulting companies and other folks. I look at drivers that we use at the National Risk Management Center: physical, cyber, convergent, digitalization of convergence, where geopolitics are headed, emerging technologies, artificial intelligence, biotech, quantum computing, societal trends, and market forces and governance; all of those are changing so quickly.
Let’s not predict the future; let’s consider the future and look for things that will indicate we’re heading one way or the other toward the future—and have plans as those things change. In the best organizations, it takes an investment in planning; it takes an investment in thinking; it takes an investment in redundancy, and capacity, and things that aren’t quite all about efficiency and earnings quarter by quarter. Then do the planning and exercise and stress test it against the scenarios.
Let’s not predict the future; let’s consider the future and look for things that will indicate we’re heading one way or the other toward the future—and have plans as those things change.Bob Kolasky
The only thing that’s certain is that things are going to change pretty dramatically in the next 15 years. I don’t know exactly how they’re going to change, but if you’re not preparing for change with some backup capability, you’re likely to be left behind.
Francis Rose: And the challenge I suppose, Bob, is that you can plan for ten or 15 contingencies and not know when number 16 is going to be the one that you actually get, right?
Bob Kolasky: Hopefully in planning for that many, they share enough characteristics that you might get the specifics wrong but the capabilities that you need to deal with a problem are the same.
Francis Rose: And that’s the same concept as you laid out a couple of minutes ago in talking about the potential change elements of trade agreements in climate and so on—things that we saw in the past. What do the most successful organizations that you’ve worked with do to think about the possibilities of what they might be up against at some point in the future? How do they successfully strategize the potential contingencies, understanding they won’t be able to get them all?
Ed Barriball: That’s a good question. So the way we think about a supply-chain risk that manifests itself in the news—it’s the product of a shock and a vulnerability. And shocks are things like the flooding, unexpected earthquakes, or a cyberattack.
You probably shouldn’t spend a ton of time trying to predict when exactly those are going to happen, because if you could, you should go get a different career. Be a stock trader, and you’ll make a lot of money. But the thing that you can really understand is vulnerability. I think part of this is just stepping back and saying, “What is the conference of assessment or vulnerabilities, and where are they today?”
For the operational context we’re in—if you’re a company, for your production lines; if you’re a government agency, for the mission you’re trying to achieve—what are the different things that we really need? And where are we vulnerable? As Bob was saying, I think what we’re seeing a lot of companies actually do now is get their boards and their executives in a room together and do some scenario planning. Not just, “Let’s all get together for two days and talk about what could happen” but doing the real prep work: doing the analysis ahead of time, getting the understanding of where these vulnerabilities are, and actually putting together some structured scenarios on, “If this happened, what would we do?” The board might play the competitors; the C-suite might play themselves. And let’s actually see what decisions we make and what would happen.
It’s not that you’re trying to predict the future and say, “That is what’s going to happen.” But as Bob was saying, hopefully that gives you the practice, so when something does happen, you’ve all thought about it—you’re on the same page about what types of moves you would make. And it gets the executive team more ready. I think government agencies can do the same thing.
Francis Rose: As you were describing that vision, I was thinking about some C-suites inside federal agencies; I wonder if they’re doing that kind of contingency planning. It sounds to me like one of the greatest benefits of what you just laid out there, Ed, is the level of engagement—is the awareness of all of those people around the table.
Maybe they didn’t think of the possibility that this is something that—whatever “this” may be at the moment—their organization has to deal with. But it raises that level of awareness and makes conversations about other subjects more useful and more productive. Do you think that is a fair observation, Ed?
Ed Barriball: That is totally right. The one thing I’d say for folks who are either doing this or thinking about it—and I know that’s DHS [Department of Homeland Security], so Cyber Storm [DHS’s cybersecurity exercise] and things like that; this isn’t a foreign concept in government—is that the preparation is key: high-quality preparation in terms of actually understanding the context, the facts of what you’re operating on, the thing that you’re stress-testing. Otherwise, it just becomes a fun conversation that you could have over red wine. It really has to be something that’s based in facts and information to make it a useful exercise.
The future of risk management
Francis Rose: Bob, I asked you earlier in our conversation whether there was a difference between supply-chain risk management and other types of risk management. What’s the trajectory of risk management as a practice moving forward? Do you expect to see different techniques, different concerns? Or is risk management, in your view, kind of a mature specialty or practice that will continue along the trajectory that it’s on today?
Bob Kolasky: One of the things that will change, and is changing, is the proliferation of available data and translating data into risk models. And so much of risk management of complex things was data that are poor or dominated by uncertainty early on. I think if you can build risk models that take advantage of all the information that’s out there more quickly, that’s going to give you a more real-time understanding of risk.
The other thing that I think is happening in risk—and we advocate this around cyber all the time—is to make risk management and cyberrisk management part of your overall enterprise risk governance. And think seriously about risk governance.
This means communicating all this data into a way that a board or a C-suite can make decisions in a translatable way that does that. I’ve seen great improvement in the last five to ten years in data-driven models being moved into sort of a risk-governance practice. And that’s going to help with this practice. Managing risk doesn’t mean getting everything right, but it means thinking through contingencies, making investments. So that’s my optimism.
Francis Rose: We’re almost out of time. Ed, one final question for you. What does the future, in your view, look like for public–private partnerships in risk management? Bob talked about how important the public–private piece is of the task force that he’s running. What does that look like more broadly in your view in the next year, three years, or five years?
Ed Barriball: The biggest thing, I think, is obviously that risk management is an end to a means. You want to identify the risks and then figure out how to mitigate them to the extent that you can. A lot of folks are talking about domestic sourcing—revitalizing domestic sourcing as a way to do that.
We just released a report last week on revitalizing US manufacturing. One of the big things I thought was interesting in that report is that we looked at scale-based industry—things like auto, chemicals, production—and the returns on investment that US investors or North American investors expected versus Asian investors.
North American investors expected about a 12 to 14 percent return on their investments in those industries, versus about 7 percent in Asia. That naturally results in CEOs and leaders, to satisfy those demands, squeezing their supply chains.
That is not a problem that the public sector or the private sector is going to solve on their own. They’re going to have to solve it together. So, I think the future and the way ahead on this is going to be great once we all work together to understand where the risks sit.
But the really hard work and collaboration is going to be actually figuring out how to resolve some of these issues because it’s not as easy as snapping a finger, and there are a lot of market and structural barriers that are going to need to be worked through together—in the public and private sector—to get there.
Francis Rose: Very quickly, what are some of those barriers? What do you anticipate them being?
Ed Barriball: I think first is actually just questioning our own fundamental assumptions. You look at a lot of countries, and I think people typically say, “Oh, well, the labor’s just so much cheaper there.” That’s not true anymore. A lot of countries that were formerly low-cost countries—if you look at their fully loaded labor costs, they’re not that different than the United States.
So I think we just need to question some of the fundamental assumptions that folks might hold and make sure that the information and the facts that we’re operating off of are current. The world’s changing pretty fast, so that’s a foundation for good policy making and any good decisions.
But from there, I think it’s about figuring out how we take advantage of—the buzzword is “Industry 4.0”—basically all the new, advanced manufacturing techniques, from additive technology to much better end-to-end supply-chain management tools, which people are finding, in this pandemic, let you have more visibility about what’s going on and be more reactive when things happen. Investing in those [tools] can help drive productivity and really help the United States be a more competitive place to do business from a manufacturing perspective. I think it’s about figuring out how we invest in this technology as a country—how we reestablish some of our manufacturing capabilities here, the barriers and the things that we can cross over; we just need to get together between government and industry.
Francis Rose: Ed Barriball of McKinsey and Bob Kolasky of CISA at the Department of Homeland Security, thanks very much for the conversation. I appreciate your time today.
Bob Kolasky: Thanks, Francis.
Ed Barriball: Thanks, Francis; thanks, Bob.
Francis Rose: You’ve been listening to McKinsey on Government, a presentation of McKinsey and Company. Our next episode is in two weeks. I’m the host of McKinsey on Government, Francis Rose. Thanks very much for listening.