return to ICG Spaces home    ICG Risk Blog    discussions    newsletters    login    

ICG Risk Blog - [ Mexican Risk Identification and Remediation ]

Mexican Risk Identification and Remediation


Mexican Risk Identification and Remediation
By Gordon Housworth
Intellectual Capital Group LLC

Forecast accuracy:  Intellectual Capital Group LLC (ICG) predicted the disruption and criminalization of Mexico in late 2006 and made this outlook public in 2007.  Seen as alarmist -- even unbelievable -- at that time the projection was vindicated by 2010 updates that reported accelerated criminal activity. ICG flagged extortion as Mexican business supply chain risk in 2010.  Mexican entities' consistent denials of this risk are not supported by facts on the ground.

The headlong industrial investment into Mexico by OEMs and large tier one and tier two suppliers belies real and growing supply disruption.  In fact OEMs and upper tier suppliers already have unidentified risks in their Mexican supply chains.

Unremediated risk rises from information gaps between a corporate investment or sourcing decision and on-the-ground local consequences for affected companies in Mexico. Examples:

Fearing retribution Mexican firms and their management deny or underreport violence. Maquiladora plants and their employees have long been victims of robbery, extortion and abduction yet underreport for fear of criminal retribution and upper tier de-sourcing.

Firms with extensive Mexican operations quietly curtail movement of visiting and expat personnel.  An OEM client asked a tier one electrical supplier to accompany its staff on a multi-facility benchmarking effort including Mexican facilities.  The supplier declined noting that they no longer send US staff to Mexico due to risk of criminal harm.

Supplier operations can suffer reduced quality and/or increased costs as long as these under-reported risks remain unresolved. There are solutions that mitigate these risks but these remedies must be tailored and monitored to be effective.  A one-size-fits-all approach would be needlessly expensive and cumbersome and would overlook site-specific risks to plants and personnel.

Successful protective responses that adapt to emerging and changing threats exist and are best performed early, even at the supplier/site selection stage. Protective responses performed at a later date will have to accommodate legacy risks in site selection, hiring, and contractor selection. While the second condition is the industry norm, in all cases a cost-effective preemptive security response will include:

Asset Value Assessment (Assess value of the facility, process, personnel to be protected which is needed to estimate an appropriate cost of protection. If the protective cost is too high or the target is too vulnerable the function may have to be relocated.)
  •  Threat/Hazard Assessment (Specific nature and scope of the threat(s) which is essential to design the minimum effective protective response.)
  • Vulnerability Assessment (Assess vulnerability of the target(s) to attack.)
  • Risk Assessment (Assess risk from each threat actor or group, the likelihood of attack and the likely damage of an attack.)
  • Risk Management (Continuous management of pertinent threats and appropriate responses.)

Mexico's Low Cost Country (LCC) Position

ICG has long recognized Mexico is a low cost country (LCC) in terms of total chain cost, as opposed to many Asian piece part costs that are not low cost when total chain costs are considered. While this view is vindicated by the inclusion of Mexico in backshoring (repatriating manufacturing) to the "US local" region (defined as the US, Canada and Mexico), conditions on the ground in Mexico have deteriorated to the point that even the industrial heart of Mexico is at risk. Disruptions in Nuevo Leon (Monterrey) are proof that all of Mexico faces these risks. Investor optimism regarding crime as a temporary problem is unsupported by the Mexican trade and popular press.

Mexican firms often conceal risk for a variety of reasons such as extortion threats to Mexican employees and their families, desire to keep the parent firm from pressing organizational changes at the Mexican firm, or to shield local financial operations.

Mexico's Rising Cost of Security

Negligible only a few years ago, small and medium-sized companies "operating in and around Monterrey in 2011 were spending 5 percent of cash flow on security." From If Monterrey falls, Mexico falls:

Even if manufacturing is showing some resilience, security costs are growing, while moving goods up to the U.S. border and to neighboring states is getting riskier. 

Small and medium-sized companies operating in and around Monterrey are spending 5 percent of cash flow on security, a cost that was negligible just five years ago, while firms selling GPSs, alarms, locks and cameras in Monterrey have seen a 20 percent jump in annual profits in three years, according to Monterrey's commerce, retail and tourism chamber.

"If you look at the figures, companies are still investing, but there's a lot of evidence that the money is being diverted into security, not into research and development... This is money that's going into barbed wire fences, not solar panels and that is going to hurt competitiveness in the long term."

In extreme circumstances, such costs can go much higher, rising to 40+% of the operating budget as happened in high threat periods in Africa and the Americas.

Security costs are far lower when remediation is commenced early, before criminals have come to perceive the company as a target.

Mexican News Blackouts Do Not Imply Improvement

Monterrey, for example, has receded from the headlines without a significant reduction in crime. On the ground, the Gulf Cartel with the assistance of the Sinaloa Cartel reasserted control over significant areas of the city and substituted a less violent but equally aggressive control.

This new arrangement coupled with a government mandated reduction of crime related news and redirection (such as claims that violence was geographically bounded; that most deaths were linked to organized crime members - none of which were correct) largely removed Monterrey from the US mainstream press.

Organized crime does its part by intimidating and killing journalists. Dozens were killed during the Calderon Hinojosa administration's actions against cartel leaders. Intimidation and horrific crimes against the press have continued under the Pena Nieto administration, primarily in northern states along the US border. The result is self-censorship among Mexico's regional news outlets.

The election of Pena Nieto and the return of the PRI accelerated the PR campaign without significantly altering the national level of violence. The government stopped announcing arrests, seizures, and operational details of security policy, while deflecting the public agenda onto topics such as the automotive sector (the "new Detroit") and export growth.

The Risk Tree

A ranking of least risk to greatest risk would typically contain this vulnerability hierarchy:

1.    Global investors.  [Least Risk]

2.    Corporate or group level management.

3.    In-country expat management.

4.    Tier 1, 2, 3... tier N suppliers.

5.    Employed local nationals.

6.    Local nationals in industries and services outside the top tier and its suppliers.

7.    Citizenry of the region. [Greatest Risk]

The issues that routinely confront Mexican citizens and most of its industries are either unknown to, have no effect upon, or do not enter into the risk calculation of the more insulated and least risky parts of the hierarchy (typically groups 1. And 2.).  Friedman's "How Mexico Got Back in the Game" states an opinion typical of US/EU corporate decision makers that will elect to produce in Mexico.[1] At their remote risk/high reward level, Mexico makes perfect sense.

Mexican companies immediately adjacent to US/EU companies can have very different risks. A company's size, skill and location in the tier supply chain often make a substantial difference in its threat posture. While large manufacturers do consider their immediate risks they often do not take into account the susceptibility of their supply chain to predation and interruption.

See Realistic Supply Chain Transparency

Capacity at tier (from top tier or OEM down to smaller, isolated tier suppliers) is an important factor generally overlooked in risk analysis because there is no single security or risk rating for all companies in a state or region.  A major supplier may have the size, revenue, processes and training to better protect its commodities, personnel, plants and finished goods. 

An example would be a large supplier's ability to assemble a convoy of vehicle transporters escorted by vetted, paid Mexican federal police officers. Yet a smaller supplier that may be physically located next door to the larger supplier is vulnerable precisely because it lacks those resources.  Furthermore, hourly workers at these lower tier suppliers are completely vulnerable to criminal predation at work, at home and in transit.

While criminal elements can strike both expat and Mexican nationals of US/EU firms, attacks against expats generally occur at much lower frequency, are opportunistic or simply a result of accidentally "being in the wrong place" events.  Thefts of inbound commodities and outbound finished goods are increasing in Mexico. In addition, both contraband (usually narcotics) and counterfeit goods are being inserted in shipments bound for the US.  

Mexican industry and local suppliers fare worse as criminal elements attack wide tiers of industry and society.  Criminals have long troubled maquiladora plants with robbery, extortion, abduction and murder of maquiladora workers and family members. Extortion payments by maquiladoras are rising despite silence from the victims of these crimes.  Lower tier suppliers remain silent for fear that publicity will result in retaliation by criminal elements and/or upper tiers will resource their business elsewhere.

Certain automotive parts are candidates for criminal extortion intended to choke vehicle production. Manufacture of wiring harnesses for North American assembly have been highly localized in Mexico.  Criminal interruption to this wiring harness nexus would impact a significant portion of US vehicle production.

Because of these many variations the risks to a particular supplier and that supplier's appropriate remediation strategies must be analyzed on a case by case basis.

Extortion Is Now a Pervasive National Threat

Extortion [extorsion], also called "illegal protection" [proteccion ilegal], is now rampant in Mexico.

Extortion includes activities that imply coercion of the victim by an agent distinct from the state. Successful extortion demands that said agent demonstrate a reputation for the use of force against those who refuse to pay for their services. High levels of violence coupled with participation of police confer impunity on the extortionist.

Extortion is economically depressive, a production-less crime, i.e., criminals have only to tax without having to produce and sell a product. Long present in Mexico, extortion has surged as part of criminal diversification beyond narcotics into extortion and kidnapping, costing Mexico one percent of GDP. We call it an unsustainable societal tax that continues to grow, in part, because it is so easy to raise incremental demand without risk or cost to the attacker.

Mexican assets are highly vulnerable to predation despite denials from the Mexican side of the supply chain that a problem exists. There is immediate loss, possibly death, to the victim; retribution to both the victim and his/her family members for any corroboration or public comment; and forced induction of locals into the criminal apparatus.

Mexican statistics are supremely underreported as individuals refuse to report extortion as the police are either directly running the extortion, or managing gangs running the extortion. Businesses and individuals pay as long as they can, then close or are harmed when they cannot.

The breathtaking penetration of Mexico's commercial sector has allowed the narcotics trade to diversify their revenue streams and reduce their net organizational risk while the economic loss to Mexico continues to rise.

Supply Chain Vulnerabilities

Mexican supply chains are notable for insider threats (co-opting/threatening employees), supply chain threats (takeover of labor providers, sub-suppliers and shippers); and expropriation (forced sale/turnover of companies and assets).

Primary extraction industries (mining, petroleum, timber) have been a staple of Mexican criminal interest, from hardwood timbering on native lands in the south, to illegal bunkering/skimming of PEMEX petroleum in the east, to silver, gold and iron mining in western Mexico.

The dining, bar, brothel, and storefront sector - virtually anything with a fixed address for customers - has already been brought under monthly extortion or driven out of business (as testified by the thousands of shuttered businesses).

The focusing of criminal predation against the Mexican side of the supply chain is good business because:

  • Targeted employees and families are local, accessible and defenseless.
  • The cost of predation is low while the reward is high.
  • Local predation does not attract significant US political and police attention.
  • Mexican authorities compound the problem by limiting access when US assets make inquiries against local predations.

Extortion's Rising Disruption

Extortion, theft and contraband continue to increase in the Mexican supply side. Extortion risk is already present to maquiladora employees and the maquilas themselves. We have already seen limited jumps to the US/EU side in areas of transport, power interruption and contraband insertion into parcel carriers and corporate shipping containers (especially damaging to C-TPAT suppliers as it may negatively impact their expedited customs clearance).

The US/EU side of the supply chain strives at all costs to have no appearance of unreliability to its upper tiers and investors alike. Being seen as a potentially unreliable supplier is to invite a resourcing review by an upper tier and/or see the company's share price suffer. As a result the US/EU side of the supply chain is willing to under-report the risks.

We see the entry point for extortion shifting in the automotive supply chain. Initially it was Mexican tier suppliers but has now expanded to Mexican employees of US/EU firms. Mexican nationals are desperate not to talk about these threats for a variety of reasons, e.g., personal threats, termination/reassignment and fear of driving an upper tier supplier to resource.

As a result, it is difficult for Mexican firms to execute genuinely rigorous security assessments as too many points are open to compromise.

US/EU supply chains in Mexico will face greater risk from compromised firms and individuals on the Mexican supply chain side. Crossover will occur as one or more criminal groups become more aggressive vis-a-vis its peers, more acquisitive for revenue, and simultaneously less fearful of US response. Once the Mexican chain side is consumed (offers no further share growth), there is only taking market share from competitors and entering new markets such as the US/EU suppliers.

Unfortunately most commercial firms have a defensive (target) mentality that prohibits seeing themselves through an attacker's eyes. Gaining the potential to influence outcomes demands an ability to see into the attackers' assessment of risk and uncertainty.

Tailored Solutions Under a Governing Architecture

Prepared companies select risk to accept by design. The unprepared or poorly advised company blindly accepts risk by default. Such firms will continually put their assets and personnel at risk.

Preparedness for such eventualities means that needed security measures are identified and quickly put in place to ensure that the company is operating with a layered defense against current and emerging threats.

Preparedness means that the company will be able to demonstrate its commitment to a genuine preemptive protection of its employees, dependents and suppliers. Risk assessment and mitigation must be performed without triggering reprisal by adversaries.

Local and international press disclosures need to be managed as the company reduces security risk without raising uncertainty or concern on the part of any customer or partner.

Resolution commences with real world risk assessments and recommendations followed by implementation and subsequent review of what succeeded and what requires correction. Successful risk resolution implies business and supply chain continuity, thus company managers are co-participants in the assessment and implementation effort.

Choose Deflection Over Confrontation to Minimize Risk

Given the high threat environment in certain areas, operations must be conducted with the highest level of control and security in all phases, as both Mexican security forces and operating criminals can be expected to be on high alert for any counter-surveillance.

Criminal groups in Mexico can deliver more firepower than most companies are willing to sustain. A corporate response that confronts or challenges such criminal groups invariably draws unacceptable reprisal against staff, facilities and product.

Effective, lower cost, lower risk responses focus on deflecting hostile attention without confrontation. Criminals make a risk-reward calculation just as businesses do. Effective security must drive up their level of uncertainty, thereby moving them onto a more docile or unprepared victim.

Assessments must be performed in a highly compressed timetable to address existing and needed security risk mitigation efforts in the critical areas of key personnel (including dependents), facility operations and transport of commodities and finished goods.

Implementation must focus on specific and actual security risk management matters that will need the company's immediate, short term and medium term attention. The initial assessment should serve the company as an extendable regional template that can be applied to security risk management across the company's operating portfolio.

Company managers and staff must be taught tools and skills so as to understand what has been working, why it has worked, what should be changed and how urgently this needs to occur. Skills training is needed to build core competencies in key areas of operating risk management specific to security and safety risks.

Each protection program must be designed for the actual threat environment in a specific location, and must produce a security risk mitigation effort that will generate assessments, briefings, decision points, implementation plans and immediate effectiveness reviews.

Beyond this immediate scope, company personnel must gain a broader ability to ensure continuity of operations in any deteriorating security environment and provide the company a basis for balancing resources while ensuring effective security risk management.

Proven Solution Paths Do Exist

All firms, and most certainly firms seen as high value targets, must continuously address three vulnerability areas:

  • Pricing model compromise (Tier supply chain events, supplier outsourcing, subcontracting, tertiary services such as trucking, etc.).
  • Corporate core (Company/research, R&D hives, manufacturing, warehousing).
  • Human resources (Personnel data.)

Each of these areas, singly and in combination, are best examined by Design Basis Threat (DBT) process (originally created to protect nuclear facilities and weapons) to define and adjust specific responses to specific threats. This Threat Analysis entered the mainstream in the wake of the Khobar Towers bombing in Saudi Arabia.

As the threats change so must the protective responses change. DBT is adaptive, can be taught and embedded in normal business operations to be monitored by company personnel. As security is embedded, there is no added organizational layer for security.

The top level steps in this dynamic process are:

  • Asset Value Assessment (Assess value of the facility, process, personnel to be protected which is needed to estimate an appropriate cost of protection. If the protective cost is too high or the target is too vulnerable the function may have to be relocated.)
  • Threat/Hazard Assessment (Specific nature and scope of the threat which is essential to design the minimum effective protective response.)
  • Vulnerability Assessment (Degree of vulnerability of the target(s) to attack.)
  • Risk Assessment (Assessment of risk from any actor or group, the likelihood of attack and the likely damage of an attack.)
  • Risk Management (Continuous management of pertinent threats and appropriate responses.)

Necessary Risk Remediation Activities in Mexico

In potentially high threat environments such as Mexico, all associated surveillance must be performed by skilled personnel in a completely non-alertive manner as many criminal groups will assume that an unknown person or group is a hostile competitor to be immediately eliminated.

Affected firms will need a partner that can perform a thorough threat analysis and a calibrated response that includes:

  • Actionable intelligence at national, regional and situational levels
  • Outreach to authorities and relevant entities
  • Executive protection
  • Facility protection and upgrade steps
  • Transportation protection of raw materials and finished goods
  • Vetting employees and contractors to reduce insider threats

Each step must be executed with precision and with continuous monitoring of any changes that alter the inbound threats.

#Mexico #SupplyChain #Risk #Extortion #Corruption

[1] Thomas L. Friedman, "How Mexico Got Back in the Game", The New York Times, February 23, 2013:  11.

Infrastructure Defense Public  Intellectual Property Theft Public  Risk Containment and Pricing Public  Strategic Risk Public  Terrorism Public  Weapons & Technology Public  


  discuss this article

<<  |  July 2020  |  >>
view our rss feed