From news reports about companies attempting to reduce the impact of compromised supply chains, due to natural disasters, accidents or targeted attacks, or trying to avoid specific products or ingredients banned on moral grounds, it is apparent that many organizations have only rudimentary knowledge of the provenance of software, hardware, and other supplied items. Reasons for this situation include the difficulty and effort required to:
• build and maintain complete and accurate databases;
• obtain information on subcontractors down to the required level of detail;
• review, monitor and test products to ensure that they are genuine;
• encourage eradication of deficiencies, weaknesses, and vulnerabilities;
• ensure that changes are identified, reported, analyzed, and addressed;
• identify commonalities and common points of failure;
• introduce resiliency, redundancy, and backup within the supply chain;
• develop methods to simulate infrastructures, transactions, etc.; and
• bring together competitors to collaborate in exercising various scenarios.
Thus, the question arises as to how to resolve these issues in an accurate, efficient, and cost-effective manner. Answering this question is our goal.
Supply-chain models are generally substantially more intricate than the model developed for the US equities marketplace. However, the same approach works for developing and operating any complex industry-wide and sector-wide systems with many participants who want to keep proprietary information confidential but need to share information to facilitate a rich exercise experience for learning, training, and testing a variety of realistic scenarios. This paper describes a process for implementing such simulation-based exercises.
Keywords: closed-loop tabletop exercises, commonalities, complexity, complicatedness, counterfeiting, resiliency, supply chain, tampering, transaction-level simulation models, vendor management