Mexican Risk Identification and Remediation
- Gordon Housworth [ 5/19/2015 - 12:29 ] #
Mexican Risk Identification and Remediation
Capital Group LLC
Forecast accuracy: Intellectual
Capital Group LLC (ICG) predicted the disruption and criminalization of Mexico
in late 2006 and made this outlook public in 2007. Seen as alarmist -- even unbelievable -- at
that time the projection was vindicated by 2010 updates that reported
accelerated criminal activity. ICG flagged extortion as Mexican business supply
chain risk in 2010. Mexican entities'
consistent denials of this risk are not supported by facts on the ground.
headlong industrial investment into Mexico by OEMs and large tier one and tier
two suppliers belies real and growing supply disruption. In fact OEMs and upper tier suppliers already
have unidentified risks in their Mexican supply chains.
Unremediated risk rises from
information gaps between
a corporate investment or sourcing decision and on-the-ground local
consequences for affected companies in Mexico. Examples:
Fearing retribution Mexican firms and their
management deny or underreport violence. Maquiladora plants and their employees
have long been victims of robbery, extortion and abduction
yet underreport for fear of criminal retribution and upper tier de-sourcing.
Firms with extensive Mexican operations
quietly curtail movement of visiting and expat personnel. An OEM client asked a tier one electrical
supplier to accompany its staff on a multi-facility benchmarking effort
including Mexican facilities. The
supplier declined noting that they no longer send US staff to Mexico due to
risk of criminal harm.
operations can suffer reduced quality and/or increased costs as long as these under-reported risks remain unresolved. There are solutions that mitigate
these risks but these remedies must be tailored and monitored to be
effective. A one-size-fits-all approach
would be needlessly expensive and cumbersome and would overlook site-specific
risks to plants and personnel.
protective responses that adapt to emerging and changing threats exist and are
best performed early, even at the supplier/site selection stage. Protective
responses performed at a later date will have to accommodate legacy risks in
site selection, hiring, and contractor selection. While the second condition is
the industry norm, in all cases a cost-effective preemptive security response
will include:Asset Value
(Assess value of the facility, process, personnel to be protected which is
needed to estimate an appropriate cost of protection. If the protective cost is
too high or the target is too vulnerable the function may have to be
Assessment (Specific nature and scope of the threat(s) which is essential to
design the minimum effective protective response.)
Assessment (Assess vulnerability of the target(s) to attack.)
Assessment (Assess risk from each threat actor or group, the likelihood of
attack and the likely damage of an attack.)
Management (Continuous management of pertinent threats and appropriate
Mexico's Low Cost
Country (LCC) Position
has long recognized Mexico is a low cost country (LCC) in terms of total chain
cost, as opposed to many Asian piece part costs that are not low cost when
total chain costs are considered. While this view is vindicated by the
inclusion of Mexico in backshoring (repatriating
manufacturing) to the "US local" region (defined as the US, Canada and Mexico),
conditions on the ground in
Mexico have deteriorated to the point that even the industrial heart of Mexico is at
risk. Disruptions in Nuevo Leon (Monterrey) are proof that all of Mexico faces
these risks. Investor optimism
regarding crime as a temporary problem is unsupported by the Mexican trade and popular press.
firms often conceal risk for a variety of reasons such as extortion threats to
Mexican employees and their families, desire to keep the parent firm from
pressing organizational changes at the Mexican firm, or to shield local
Mexico's Rising Cost
only a few years ago, small and medium-sized companies "operating in and around
Monterrey in 2011 were spending 5 percent of cash flow on security." From If Monterrey falls,
Even if manufacturing is showing some
resilience, security costs are growing, while moving goods up to the U.S.
border and to neighboring states is getting riskier.
Small and medium-sized companies operating in
and around Monterrey are spending 5 percent of cash flow on security, a cost
that was negligible just five years ago, while firms selling GPSs, alarms,
locks and cameras in Monterrey have seen a 20 percent jump in annual profits in
three years, according to Monterrey's commerce, retail and tourism chamber.
"If you look at the figures, companies
are still investing, but there's a lot of evidence that the money is being
diverted into security, not into research and development... This is money
that's going into barbed wire fences, not solar panels and that is going to
hurt competitiveness in the long term."
extreme circumstances, such costs can go much higher, rising to 40+% of the
operating budget as happened in high threat periods in Africa and the Americas.
costs are far lower when remediation is commenced early, before criminals have
come to perceive the company as a target.
Blackouts Do Not Imply Improvement
for example, has receded from the headlines without a significant reduction in
crime. On the ground, the Gulf Cartel with the assistance of the Sinaloa Cartel
reasserted control over significant areas of the city and substituted a less
violent but equally aggressive control.
new arrangement coupled with a government mandated reduction of crime related news
and redirection (such as claims that
violence was geographically bounded; that most deaths were linked to organized
crime members - none of which were correct) largely removed Monterrey from the
US mainstream press.
crime does its part by intimidating and
journalists. Dozens were killed during the Calderon
Hinojosa administration's actions against cartel leaders. Intimidation and
horrific crimes against the press have continued under the Pena Nieto
administration, primarily in northern
along the US border. The result is self-censorship among Mexico's regional news
election of Pena Nieto and the return of the PRI accelerated the PR campaign without
significantly altering the national level of violence. The government stopped
announcing arrests, seizures, and operational details of security policy, while
deflecting the public agenda onto topics such as the automotive sector (the
"new Detroit") and export growth.
The Risk Tree
A ranking of least risk to greatest risk
would typically contain this vulnerability hierarchy:
1. Global investors.
2. Corporate or group level management.
3. In-country expat management.
4. Tier 1, 2, 3... tier N suppliers.
5. Employed local nationals.
6. Local nationals in industries and services outside the
top tier and its suppliers.
7. Citizenry of the region. [Greatest Risk]
The issues that routinely confront Mexican
citizens and most of its industries are either unknown to, have no effect upon,
or do not enter into the risk calculation of the more insulated and least risky
parts of the hierarchy (typically groups 1. And 2.). Friedman's "How Mexico Got Back
in the Game" states an opinion typical of US/EU
corporate decision makers that will elect to produce in Mexico. At their remote risk/high
reward level, Mexico makes perfect sense.
Mexican companies immediately adjacent to US/EU companies can have very
different risks. A company's size, skill and location in the tier supply chain often
make a substantial difference in its threat posture. While large manufacturers
do consider their immediate risks they often do not take into account the
susceptibility of their supply chain to predation and interruption.
See Realistic Supply Chain Transparency
Capacity at tier (from top tier or OEM down
to smaller, isolated tier suppliers) is an important factor generally
overlooked in risk analysis because there is no single security or risk rating for
all companies in a state or region. A
major supplier may have the size, revenue, processes and training to better protect
its commodities, personnel, plants and finished goods.
An example would be a large supplier's
ability to assemble a convoy of vehicle transporters escorted by vetted, paid
Mexican federal police officers. Yet a smaller supplier that may be physically located
next door to the larger supplier is vulnerable precisely because it lacks those
resources. Furthermore, hourly workers at
these lower tier suppliers are completely vulnerable to criminal predation at
work, at home and in transit.
While criminal elements can strike both expat
and Mexican nationals of US/EU firms, attacks against expats generally occur at
much lower frequency, are opportunistic or simply a result of accidentally "being
in the wrong place" events. Thefts of
inbound commodities and outbound finished goods are increasing in Mexico. In addition,
both contraband (usually narcotics) and counterfeit goods are being inserted in
shipments bound for the US.
Mexican industry and local suppliers fare
worse as criminal elements attack wide tiers of industry and society. Criminals have long troubled
maquiladora plants with robbery, extortion, abduction and murder of maquiladora
workers and family members. Extortion payments by maquiladoras are rising
despite silence from the victims of these crimes. Lower tier suppliers remain silent for fear that publicity will result in retaliation
by criminal elements and/or upper tiers will resource their business
automotive parts are candidates for criminal extortion intended to choke
vehicle production. Manufacture of wiring harnesses for North American assembly
have been highly localized in Mexico. Criminal
interruption to this wiring harness nexus would impact a significant portion of
US vehicle production.
of these many variations the risks to a particular supplier and that supplier's
appropriate remediation strategies must be analyzed on a case by case basis.
Extortion Is Now a Pervasive National Threat
Extortion [extorsion], also called "illegal protection" [proteccion ilegal], is now rampant in Mexico.
Extortion includes activities that
imply coercion of the victim by an agent distinct
from the state. Successful extortion demands that said agent demonstrate a
reputation for the use of force against those who refuse to pay for their
services. High levels of violence coupled with participation of police confer
impunity on the extortionist.
Extortion is economically
depressive, a production-less crime, i.e.,
criminals have only to tax without having to produce and sell a product. Long
present in Mexico, extortion has surged as part of criminal diversification
beyond narcotics into extortion and kidnapping, costing Mexico one percent of
GDP. We call it an unsustainable
societal tax that continues to grow, in part, because it is so easy to raise
incremental demand without risk or cost to the attacker.
Mexican assets are highly vulnerable
to predation despite denials from the Mexican side of the supply chain that a
problem exists. There is immediate loss, possibly death, to the victim;
retribution to both the victim and his/her family members for any corroboration
or public comment; and forced induction of locals into the criminal apparatus.
Mexican statistics are supremely
underreported as individuals refuse to report extortion as the police are
either directly running the extortion, or managing gangs running the extortion.
Businesses and individuals pay as long as they can, then close or are harmed
when they cannot.
The breathtaking penetration of
Mexico's commercial sector has allowed the narcotics trade to diversify their
revenue streams and reduce their net organizational risk while the economic
loss to Mexico continues to rise.
Supply Chain Vulnerabilities
Mexican supply chains are notable for
insider threats (co-opting/threatening employees), supply chain threats
(takeover of labor providers, sub-suppliers and shippers); and expropriation
(forced sale/turnover of companies and assets).
Primary extraction industries
(mining, petroleum, timber) have been a staple of Mexican criminal interest,
from hardwood timbering on native lands in the south, to illegal
bunkering/skimming of PEMEX petroleum in the east, to silver, gold and iron mining
in western Mexico.
The dining, bar, brothel, and
storefront sector - virtually anything with a fixed address for customers - has
already been brought under monthly extortion or driven out of business (as
testified by the thousands of shuttered businesses).
The focusing of criminal predation
against the Mexican side of the supply chain is good business because:
- Targeted employees and families are
local, accessible and defenseless.
- The cost of predation is low while the
reward is high.
- Local predation does not attract
significant US political and police attention.
- Mexican authorities compound the
problem by limiting access when US assets make inquiries against local
Extortion's Rising Disruption
Extortion, theft and contraband
continue to increase in the Mexican supply side. Extortion risk is already
present to maquiladora employees and the maquilas themselves. We have already
seen limited jumps to the US/EU side in areas of transport, power interruption
and contraband insertion into parcel carriers and corporate shipping containers
(especially damaging to C-TPAT suppliers as it may negatively
impact their expedited customs clearance).
The US/EU side of the supply chain
strives at all costs to have no appearance of unreliability to its upper tiers
and investors alike. Being seen as a potentially unreliable supplier is to
invite a resourcing review by an upper tier and/or see the company's share
price suffer. As a result the US/EU side of the supply chain is willing to
under-report the risks.
We see the entry point for extortion
shifting in the automotive supply chain. Initially it was Mexican tier
suppliers but has now expanded to Mexican employees of US/EU firms. Mexican
nationals are desperate not to talk about these threats for a variety of
reasons, e.g., personal threats, termination/reassignment and fear of driving
an upper tier supplier to resource.
As a result, it is difficult for Mexican
firms to execute genuinely rigorous security assessments as too many points are
open to compromise.
US/EU supply chains in Mexico will
face greater risk from compromised firms and individuals on the Mexican supply
chain side. Crossover will occur as one or more criminal groups become more
aggressive vis-a-vis its peers, more acquisitive for revenue, and
simultaneously less fearful of US response. Once the Mexican chain side is
consumed (offers no further share growth), there is only taking market share
from competitors and entering new markets such as the US/EU suppliers.
Unfortunately most commercial firms
have a defensive (target) mentality that prohibits seeing themselves through an
attacker's eyes. Gaining the potential to influence outcomes demands an ability
to see into the attackers' assessment of risk and uncertainty.
Tailored Solutions Under a Governing
companies select risk to accept by design. The unprepared or poorly advised company
blindly accepts risk by default. Such firms will continually put their assets
and personnel at risk.
for such eventualities means that needed security measures are identified and quickly
put in place to ensure that the company is operating with a layered defense
against current and emerging threats.
means that the company will be able to demonstrate its commitment to a genuine
preemptive protection of its employees, dependents and suppliers. Risk
assessment and mitigation must be performed without triggering reprisal by adversaries.
and international press disclosures need to be managed as the company reduces
security risk without raising uncertainty or concern on the part of any
customer or partner.
commences with real world risk assessments and recommendations followed by
implementation and subsequent review of what succeeded and what requires
correction. Successful risk resolution implies business and supply chain continuity,
thus company managers are co-participants in the assessment and implementation
Over Confrontation to Minimize Risk
the high threat
in certain areas, operations must be conducted with the highest level
of control and security in all phases, as both Mexican security forces and
operating criminals can be expected to be on high alert for any
groups in Mexico can deliver more firepower than most companies are willing to
sustain. A corporate response that confronts or challenges such criminal groups
invariably draws unacceptable reprisal against staff, facilities and product.
lower cost, lower risk responses focus on deflecting hostile attention without
confrontation. Criminals make a risk-reward
just as businesses do. Effective security must drive up their level of
uncertainty, thereby moving them onto a more docile or unprepared victim.
must be performed in a highly compressed timetable to address existing and
needed security risk mitigation efforts in the critical areas of key personnel
(including dependents), facility operations and transport of commodities and
must focus on specific and actual security risk management matters that will
need the company's immediate, short term and medium term attention. The initial
assessment should serve the company as an extendable regional template that can
be applied to security risk management across the company's operating
managers and staff must be taught tools and skills so as to understand what has
been working, why it has worked, what should be changed and how urgently this
needs to occur. Skills training is needed to build core competencies in key
areas of operating risk management specific to security and safety risks.
protection program must be designed for the actual threat environment in a
specific location, and must produce a security risk mitigation effort that will
generate assessments, briefings, decision points, implementation plans and
immediate effectiveness reviews.
this immediate scope, company personnel must gain a broader ability to ensure
continuity of operations in any deteriorating security environment and provide
the company a basis for balancing resources while ensuring effective security
Proven Solution Paths Do Exist
All firms, and most certainly firms seen as high value targets,
must continuously address three vulnerability areas:
model compromise (Tier supply chain events, supplier outsourcing, subcontracting, tertiary
services such as trucking, etc.).
core (Company/research, R&D hives, manufacturing, warehousing).
resources (Personnel data.)
Each of these areas, singly and in combination, are best examined
by Design Basis Threat (DBT) process
(originally created to protect nuclear facilities and weapons) to define and
adjust specific responses to specific threats. This Threat Analysis entered the
mainstream in the wake of the Khobar Towers bombing in Saudi Arabia.
As the threats change so must the protective responses change. DBT
is adaptive, can be taught and embedded in normal business operations to be
monitored by company personnel. As security is embedded, there is no added
organizational layer for security.
level steps in this dynamic process are:
Value Assessment (Assess value of the facility, process, personnel to be protected
which is needed to estimate an appropriate cost of protection. If the
protective cost is too high or the target is too vulnerable the function may
have to be relocated.)
Assessment (Specific nature and scope of the threat which is essential to
design the minimum effective protective response.)
Assessment (Degree of vulnerability of the target(s) to attack.)
Assessment (Assessment of risk from any actor or group, the likelihood of
attack and the likely damage of an attack.)
Management (Continuous management of pertinent threats and appropriate
Necessary Risk Remediation Activities in Mexico
In potentially high threat environments such as Mexico, all associated
surveillance must be performed by skilled personnel in a completely
non-alertive manner as many criminal groups will assume that an unknown person
or group is a hostile competitor to be immediately eliminated.
Affected firms will need a partner that can perform a thorough threat
analysis and a calibrated response that includes:
- Actionable intelligence at national, regional and situational
- Outreach to authorities and relevant entities
- Executive protection
- Facility protection and upgrade steps
- Transportation protection of raw materials and finished goods
- Vetting employees and contractors to reduce insider threats
Each step must be executed with precision and with continuous monitoring
of any changes that alter the inbound threats.
#Mexico #SupplyChain #Risk #Extortion #Corruption
Infrastructure Defense Public Intellectual Property Theft Public Risk Containment and Pricing Public Strategic Risk Public Terrorism Public Weapons & Technology Public