"The CIO has some of the insight that can really help the corporation as an entity understand the risks to the system," Lynn says. "But he has to really deeply understand the fact that in the physical system you can't swap in a new plant the way you can a new router when a router goes down. And you can't just throw a switch that routes your information through a different place in the same way you can do with chips. So the CIOs have to make the leap to understanding the difference between the physical world of production and their world of moving information around. But once they understand the difference, their insight could be of great use to the firm as a whole and society as a whole."
In looking for supply chain vulnerabilities it is no good just identifying your tier one suppliers. The CIO should ensure the company can track as many suppliers at all levels as possible. And he or she should brace for some shocks in doing so. For instance, after the Taiwanese earthquake Dell Computer discovered it had been "whacked" in weird ways. Within two days of the quake, for some reason, tier one suppliers in Malaysia had cut off the flow of goods to the organization.
"Dell then went out to i2 Technologies in 2001 and asked for an off-the-shelf package that would allow it to track everything back - everything, down to the littlest screw," Lynn says. "And i2 said: 'No way, that is just not possible'. So Dell went and working off an IT platform developed internally their own system that allowed them to take it as far down as they could, which was at least tier four.
"One of the things they found - they were very honest - they said: 'You know, we were just shocked to find out that we were sourcing hundreds of millions of dollars of product from one company with which we did not even have a relationship'. The company was TSMC - Taiwan Semiconductor Manufacturing Corporation."
That insight led to genuine practical gains. The next year Dell cut a deal with TSMC to supply the same product cheaper.
"They were able to see there was a supplier over whom they had the ability to apply pressure. So that's a practical outcome. It's not a good outcome from TSMC's point of view but it was a good outcome for Dell, which was a good reason for them to spend quite a bit of money on having their CIO help their manufacturing people figure out the whole system.
"In some cases your suppliers won't be honest, they won't tell you the truth, they will try to hide facts, but if you have the power to force the suppliers to do it, you will at least be able to see where your problems are, at a minimum. You may even pay for the process by finding certain places where you can apply pressure to certain suppliers to get some deals."
You should dump suppliers that will not share information with your company, Lynn says.
Lynn also wants CIOs to get more "bullish" in their behaviour. They should, he says, be pushing their CEOs and boards to understand their supply chains, physical and process.
The modern CEO is not the old CEO, he points out. Modern CEOs often come out of sales or finance, and have little if any understanding of the structure of their firms. When the board or CEO resolves to source business services to southern India, it is the CIO who must question whether there are contingency plans in place should southern India go offline.
But ideally, once boards and CEOs understand the extreme fragility of the system, they will start lobbying governments to play a role in shoring it up and reducing the risks.
Lynn says that although Dell Computer CEO Michael Dell understood the value of the information he gleaned from studying his supply chains, he made no effort to use that information to lessen his political risk. "A good corporate citizen might have gone to Washington and said: 'Gosh guys, you know what? If there actually were to be conflict I would be crushed'," Lynn says.
"CIOs need to lobby their boards to get the resources to understand the system so the boards and the CEOs in tandem with the CIOs can work with government and say there are risks here that never existed before, and that we cannot control - they're beyond our ability."
Many Heads Better Than One
Speaking of sharing, Lynn thinks it is time corporations lobbied for a rethink of competition rules that restrict oligopolies from talking to one another. Such entities do share information, he says, but quietly and unofficially. Yet these entities do not dare to sit down with one another to discuss sourcing strategies and contingency plans. In that sense, the competition between these firms is happening at the wrong levels, he says.
"If you're working on a contingency plan, you have to coordinate your contingency plans across industry levels."
The best model for such collaboration is the way CIOs got together and worked with government to draw up best practices and reasonable approaches to ensuring security of the Internet, he says. The outcome is fair to all players, is not excessively expensive and gives all organizations access to best practices.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.