UCLA Anderson Global Supply Chain Blog

By ManMohan Sodhi (City University London) and Christopher Tang (UCLA)

Supply chains have become global in part because of outsourcing as companies want to be ‘nimble’, carry fewer assets on their books and lower their headcount. Yet, as Apple, Nike and others have discovered, the benefits are accompanied by risks. The horsemeat crisis in Europe and the 1,100+ lives lost in Rana Plaza in Bagladesh point to the risks of outsourcing in the food and the apparel industries. Yet, a little discussed risk of outsourcing has only just emerged: the risk of a whistleblower from the provider organization as in the case of the leaks by Mr Edward Snowden on the extent of U.S. surveillance. And there are basic risk management lessons about outsourcing that are worth reiterating.

In November 2013, a German lawmaker met with Mr. Edward Snowden in Moscow to assist investigations into alleged U.S. surveillance of Chancellor Angela Merkel’s mobile phone.  Earlier it was the news of the surveillance of the Brazilian president, Dilma Roussef, who was forced to cancel her visit to the US. Other foreign governments, all allies, are shocked or at least claim to be shocked that their leaders have been under surveillance with their e-mails and mobiles phones having been hacked.

To give a quick background, after the 9/11 terrorist attack, the U.S. government sought to expand the intelligence program quickly. As any IT manager knows, pretty much the only way to gain a lot of qualified hands is to outsource, and the U.S. government too outsourced various surveillance activities to private companies.  Since 2001, apparently hundreds of private companies including Booz Allen, Lockheed Martin, and the Computer Sciences Corporations have gathered information and have provided analysis to U.S. government officials. During the year of 2012 alone, these companies conducted $56 billion of contracted work for the U.S. government, or 70%  of American’s intelligence annual budget (we should note however, there are other budgets for intelligence, which may have higher or lower percentages that were outsourced). There are approximately 25,000 contractors engaged in the intelligence program, and about half are said to hold top secret security clearances, i.e., they have “access to information that would cause exceptional grave damage to national security if disclosed to the public.”

With those kind of amounts spent annually over such a prolonged period, one question for any company would be whether the work should be in-sourced. Indeed, Nancy Pelosi, Hourse minority leader, suggested “Maybe we should bring some of that more in-house.” (Shorrock 2013).  Add to that the risks that are materializing by way of the Snowden leaks and the case for in-sourcing would appear stronger.

Still, our comment is not about whether to outsource or in-source but rather about managing the risks of outsourcing. As supply chain researchers, we were intrigued to learn that (1)  Mr. Snowden was a contractor at Booz Allen Hamilton (a technology and strategy consulting firm) for less than three months, not NSA; (2) Mr. Snowden obtained top level secret clearances as a contractor, even though his resume contains inaccurate information regarding his education; and (3) Mr. Snowden background check was conducted by U.S. Investigation Services (a private company spun off from the federal government in the 1990s), not the NSA. All three facts shed light on the risks of outsourcing in the supply chain.

What are the lessons companies should learn from this about risks of outsourcing a ‘core’ competence? Conversely, perhaps the U.S. government can learn from private companies who develop processes to manage the risks (e.g., product adultration, child labor, environmental law violations) associated with outsourcing and with contract manufacturers in general (Sodhi and Tang 2012).

With a large increase in budget, the challenges of finding qualified personnel quickly, and the prevailing philosophy of Mr. Donald Rumsfeld, U.S. Defence Secretary from 2001 to 2006, the U.S. government chose to outsource. What might an approach to managing outsourcing risk look like? There are three steps of risk management that apply to outsourcing as well:

1. Identify and assess risks.  Besides the concern about the risk of a whistleblower or someone compromising classified information, there are potential risks for selecting contractors based on ‘relationships’.  For example, Booz Allen has a strong relationship with the NSA through, for instance, Mr. Michael McConnell (former NSA director and former National Intelligence Director and currently Vice Chairman of Booz Allen). It may be perceived that there is undue advantage Booz Allen has to win contracts. However, this is not uncommon in consulting: senior managers are sometimes ex-consultants and bring their own ex-colleagues for consulting. This is not bad – relationships mean greater trust, which engenders better performance – but it can also bias selection. And, when the chips are down, open either party to allegations of ‘cosiness’ trumping ‘business’.
2. Mitigate risks.  Clearly, there are inherent risks when the U.S. government delegates its conduct covert operations to contractors especially as intelligence gathering is arguably ‘core competence’.  To reduce potential risks of information leakage, there need to be mechanisms in place not only to monitor the performance of these contractors like most companies would do but to ensure the access to information is limited so that any damage from leaks would be limited.
3. Respond to risks.   Companies usually develop contingency plans in advance so that they can deploy them swiftly when a disruptive event occurs.  At least from the press reports, it seems clear that the White House or the U.S. government in general did not have contingency plans even well after the leaks started emerging. So far the line is that these countries are dependent on the U.S. for intelligence so eventually they and their leaders will come around. But if this is the only response, that is also a risk and we are back to Step 1 above.

In our mind, outsourcing in the supply chain can be like eating puffer fish (Fugu) Sashimi: if you slice the meat properly, it is delicious. Indeed, outsourcing has been highly profitable for western companies like Apple – by contrast, their contract manufacturers have been stuck with assets and wafer-thin margins (Sodhi and Tang 2013). But there is a risk: the fish can be deadly if not sliced properly, which is why it is good to manage the risk by ensuring quick access to a hospital if need be.

References:

Applebaum, B., and E. Lipton. “Leaker’s employer is paid to maintain government secrets,” New York Times, June 9, 2013.

Shorrock, T. “Put the spies back under one roof,” New York Times, June 17, 2013.

Sodhi, M., and C.S. Tang.  Managing Supply Chain Risk. Springer, 2012.

Sodhi, M. and C.S. Tang. Strategies and tactics of chinese contract manufacturers and western OEMs (2001-2011), IJPE, 2013 (forthcoming).