SCRLC Triennial Meeting: Jabil Circuit, St. Petersburg, FLJanuary 31, 2012 – February 1, 2012

Attendees (25) John Brown – Coca Cola Marc Siegel – ASIS Steve Miller – Navistar Nick Wildgoose – Zurich Jim Rice – MIT Kirsten Provence – Boeing Ken Konigsmark – Boeing Tyler Hooper – Cisco David Blackorby – WalMart Ravi Anupindi – University of Michigan Edward Erickson – IntraPoint Taylor Wilkerson – LMI Joe Robinson – Navistar (BCP)

Craig Babcock – Proctor & Gamble Dave Pollard - FedEx Chuck Anderson – John Deere Bob Smola – John Deere Nancy Moore – RAND Mark Mondello – COO Jabil John Novotny – Jabil Noha Tohamy – AMR Bob Weronik – Alexion Phil Renaud – DHL Rob Gilbert – GE Energy Brian Callahan – Boeing (Cyber Security)

Action Items: 1. EVERYONE:

a. Register and access the SCRLC Sharepoint; see instructions below2. Kirsten:

a. Email to members to volunteer at CSCMP (get details of email from Ravi)b.

3. New Work Products: a. Quantifying and Measuring Risk (Cisco’s Resiliency Index)

i. Idea origination: Bob Weronik question to Edward Erickson during his presentation. Tyler is aware of the Cisco Resiliency Index.

b. How does a company develop a standard practice to attain information on a company’s sub-tier suppliers (discussion from Ravi’s simulation platform discussion)

4. Evolution of the SCRLCa. Edward Erickson: Create requirements to sustain membershipb. Ravi: PPT for students (Ravi)

5. Web Sitea. Bob Weronik: determine web developer scope of work and buy-inb. Tyler Hooper: identify average annual costs based off of 3-year historyc. Web Site team – work with web designer/developer to identify initial costs and any

recurring costs.6. Symposium Planning Team

a. Jim Rice: Get-it-planned7. Prepare agenda and focus of Zurich meeting

a. Hot Topicsi. SRT Integration Forum report out (Edward Erickson)

1

b. Risk Management of Companies from Insurance Perspective – how are insurance (Zurich)

i. Risk identification in supplier selection and sourcing; impacts when risks aren’t considered in supplier selection

c. Financial Risk Assessment (Chuck Anderson)d. Sub-team status reviewe. Sub-tier risksf. Mastery Spotlight

i. Risk Index – James Steeleg. Impacts of risks in country (inflation, aging population, etc.); impact on each other (WEF)

i. Could we get someone from WEF come and explain the report to explain what they’re doing on a global scale with governments and industry.

h. Lightening Round

Topics / Discussion: History of the SCRLC – Edward Erickson Overview of New Member Companies

o WalMart – David Blackorby SCRM Tools & Events – Ravi Anupindi (Univ. of Michigan)

o DHL is willing to share the track they participated on in the CSCMP with Ravi from Chicago meeting a few years ago

o CSCMP Event in October: SCRLC should present Best Practices guide Interested companies:

Phil from DHL is interested in participating Cisco is interested in participating

o SCRM Simulation Platform Sub-tier supplier risks, impacts from an event, etc. Sub-tier suppliers that are at multiple levels of the tier structure (1, 2, 3 and

beyond) Visibility of supply chains Supplier sharing constraints (supplier’s not willing to share information of

their sub-tiers) What format is useful for companies: Companies interested in participating in developing tool

Contact Ravi at anupindi@umich.edu Hot Topics:

o Key findings from WEF on systemic supply chain risks (Nick Wildgoose)o U.S. / Canada: Cross-border trade – Ken Konigsmark, Boeingo Conflict Minerals – Kim Miller, Boeing (virtual)

2

Panel Session: o Cyber Security in the Supply Chain

Speakers: Don Davidson (DD) Chief, Outreach, Science & Standards (CNCI-

SCRM) Trusted Mission Systems & Networks (TMSN) Office of the DoD-CIO

Donald Fergus (DF) – Independent IT Risk Consultant Edna Conway (EC) (Cisco) – Chief Security Strategist, Global Value

Chain Hart Rossman (HR) (SAIC) – VP & Chief Technology Officer for Cyber

Programs Intro:

2 aspects of cyber securityo Addressing security risk in supply chaino Security of the products themselves and the IT within them

(free of imbedded code that you don’t want in the product) Discussion Questions:

What do you see as your risks from supply chain cyber security? How could an “event” effect your organization?

o DD: Series of studies indicate that DoD capabilities were 20% reliant on IT communication; now 80% reliant.

Concerns are hacking into the weapons control systems to disrupt and disable systems

o DF: Supply chain has to expect the risk is a reality. Risk need to be proactive and reactive

Expect that the supply chain is already infiltrated and deploy tools to monitor and react to minimize

o EC: Depends on how you define cyber security events; perspective from Cisco is that they are deploying a capability with 4 foundational substances

Counterfeit ???? Deploying Overlay of security Protection of intellectual property (Cisco

and its partners) An event that is a cyber attack – what type of back

up mechanisms are available An event that changes the product at the end user

pointo HR: looking at it from 2 perspectives

How does the company stay in the defense industrial base?

3

From a broader community aspect, how does it affect a community framework?

An attack on a supply chain is more intrusive than just the product, but affects the trust and confidence in the community of that company and its product

What actions are you taking to minimize cyber security risk in your supply chain? How are they coordinated (or not) with the more traditional SCRM roles?

o DD: some technologies are out there to trace products through the supply chain are underutilized. US Gov’t tends to think they can solve things through regulatory practice; they’ve developed a stronger public/private partnership to develop a more trusting COTS product.

COTS products are developed to maximize market share, but they get so watered down that they aren’t useful. Challenge for gov’t.

o DF: information sharing is necessary to engage all vendors and suppliers, sub-contractors, etc. Any vulnerability needs to be communicated immediately upon detection so that everyone can remedy the risk according to their standards.

o EC: focus on crisis management from events; understand that security is the overlay and that there are continuity supply issues beneath that. Tools have to integrate not only within your organization, but with your business partners, suppliers, and industry counterparts.

o HR: Evaluate the policy frameworks that they operate in; must collaborate and coordinate through agreement.

What resources (standards, guidance, consortiums, etc.) have you identified to help you manage cyber security in the supply chain (tiered supplier)?

o DD: need to establish a baseline to measure risko DF: Need to look at entire supply chain holistically and

systemically. Everyone of the 3rd parties (internal or external) and raise the bar; need to establish a baseline to measure risk, but be careful not to look at compliance as security.

o EC: interesting challenge for Cisco due to outsourced capacity. Need international standards; balance of traditional long standing techniques (contract terms, etc.); key to success is to differentiate your value as an OEM, but must come to table that agree on foundational best practice that must be embodied to ensure multi-tier holistic view is incorporated throughout the entire supply chain

This council needs to bring this topic to the forefront

4

o HR: make standards useful so that they can be easily deployed

Questions from the room: Rob Gilbert – GE: Government attacks on manufacturer website

(e.g. China and Iran governments attacking corporate infrastructure), how is that being addressed

o DD: Doesn’t matter who the actor is; may be a spoofed IP address to re-route the origin

o DF: counterfeiting is the biggest issue now (medicine and IT lead the list)

o EC: from a practical perspective, it shouldn’t matter if it’s a state or personal attack. It should be detected and reacted to in the same manner as if it’s a private attack

Nancy Moore – RAND: Federal government have set high goals of 23% of large business goes to small businesses – mostly of wholesalers who are the most vulnerable to counterfeit parts;

o DD: Investigating use of qualified supplier list; US companies are all about cost and schedule and we need to enforce a performance requirement for our vendors

o HR: small businesses are more tactical in security where larger companies are more strategic. Small businesses don’t have a lack of interest or effort, it’s a lack of infrastructure to deploy.

Sub-Team Working Session: Jabil Company Overview – Mark Mondello, Chief Operating Officer Jabil Jabil Circuit, Virtual Facility Tour

Day 2: Mastery Spotlights

o Supply Chain Security – Ken Konigsmark

o Crisis Management Overview – Bob Weronik

SCRLC Symposium – MIT (October 2012)

o October 2012 – MIT (week of 8th or 15th) o SCRLC Meeting - days 1 & 2o SCRM Symposium – day 3 Symposium Discussion:

Objective:

5

o Influence & learno Learn what everyone is doing (processes), tools o Learn about leading practiceso Produce deliverableo Get feedback on mapping supply chainso Emerging Riskso Interactive session talking about SCRM and Emerging Riskso Solicit associate members to participate on working groupso JIT system managemento Demonstrate value and return on investmento What methodologies, technologies and tools are people using

successfulo Learn from leading practitioners on SCRM

Speakers on SCRM topics (presenter is leading authority on that topic)

Preparation: o Ask attendees for information prior to event attendance

Purpose: o Host event open to broader audience to learn about BP guide and what

SCRLC is doing; obtain future SCRLC focus from feedback of audience.o Build RM capability in SC industry

Target Audienceo SCRLC Associate memberso No consulting firms

Capacity of Symposium: o 50 – 75 (Classroom)

SCRLC 25 Governance Board / Core 25 Associate

MIT Partners 40 (Shippers / Carriers)

Content: o History, Purpose, Intento BP overview

How has it been used?o Topic Panels: purpose: share best practice, influence, examine other

practices in industry 1. ROI2. Identifying sub-tier risks3. Emerging Risks and their costs4. Demonstrate value and return on investment5. What successful methodologies, technologies and tools are

companies using Planning Team:

Name Organization Email

6

Jim Rice MIT jrice@mit.eduJoe Robinson Navistar joseph.robinson2@navistar.com Edward Erickson Intrapoint edward.erickson@intrapoint.com John Brown Coca-Cola jjbrown@coca-cola.com Tyler Hooper Cisco thooper@cisco.com

Date: Date

PreferenceSymposium Date SCRLC Meeting Date

1st 10/10 10/112nd 10/30 10/313rd 11/28 11/29

Discussion: Evolution of the SCRLCo Fee based membership to cover costs

Complexity with taxation and barrier for companieso Cost Overview

Website Development: ~$5000

Editing for Newsletter: ~$1000o Outcome:

Too complicated to introduce fee based membership. Alexion is offering the staff and funds to develop new web site LMI is offering staff for editing services

Managing Crisis in the Supply Chain – Lessons from Toyotao See file: RAND-Toyota_Managing_Crisis in the supply chain

Meeting Close-Outo PROs

A lot of take away topics for new participants; very insightful Diverse supply chains Networking

o Improvement Opportunities Lightening round of questions to connect with people on benchmarking

o Notes: Tier 2 & 3 supplier task force to see what people are doing (Nancy)

7

Sharepoint access for working groups:

Please join the SCRLC SharePoint team site You have been invited to collaborate with the SCRLC using a SharePoint team site at

The Coca-Cola Company. Carefully read this entire message and understand the registration process before you click the link to register.

Step 1 - Register and create your password1. After reading this entire message, click the following link or paste it into the address

bar of your browser. http://teamspaces.ko.com/kots/scrlc/default.aspx2. On the Login or Register page, click Register.3. Complete the Registration form. IMPORTANT: In the Contact Information section,

type the email address of the employee who is requesting you have access: jjbrown@coca-cola.com.

4. Click Submit.5. Read the Network Access Agreement and click Agree and Continue.6. Type at least five answers on the Set Answers to Authentication Questions form

and click Submit.7. On the Assign Password form, create a password that complies with the Password

Policy shown on the form, and click Submit. You will receive an email indicating you have successfully submitted your request.

Step 2 - Wait for Approval and receive your KO User ID The Coca-Cola Company employee who invited you must now approve your

registration. After your registration is approved, you will receive an Access Request for

SharePoint completed email containing your KO User ID. You will need this KO User ID to login to the SharePoint team site.

Step 3 - Wait for Membership to the SharePoint team site1. The Coca-Cola Company employee who invited you must now add your name to the

membership list of their SharePoint team site.2. Once you are granted membership to the team site you will receive a Welcome to

SharePoint email.3. Open the Welcome to SharePoint email and click the link to Participate in the

SharePoint site.4. On the Login or Register page, type your KO User ID and Password and click Login.5. The SharePoint team site is displayed. You may now collaborate on the SharePoint

team site. Depending on the access you have been granted, you will be able to read and possibly contribute information and files.

o Tip: We recommend you add the SharePoint team site to the Favorites menu of your browser in order to easily access it in the future.

8

Important Note: Once you have your User ID and Password, you DO NOT need to register again. If you are invited to participate in other SharePoint team sites, you can use the same User ID and Password.

Need Help? External Business Partners can call the 24/7 help desk at (U.S. direct) +1-404-676-0606.

Future Meeting Schedule:o 2012:

Jun 20/21 – Zurich Zurich Development Center Keltenstrasse, Switzerland http:// www.zurich.com/developmentcenter/home/home.htm

o October – MIT (week of 8th or 15th) SCRLC Meeting - days 1 & 2 SCRM Symposium – day 3

o 2013:o January, Wal-Mart; Bentonville, AR

Week of: o June, Navistar, Chicago, IL

Week of: o October, John Deere, Manheim Germany

Week of: o 2014:

January: RAND, Santa Monica, CA Week of:

June: Alexion - Cheshire, CT Week of:

October: Procter & Gamble, Cincinnati, OH or EUROPE or ASIA Week of:

o 2015: January:

June: DHL,

October

9