The current trend of outsourcing to low cost countries combined with supplier base reduction has provided significant cost reductions for businesses. However, globalization and implementation of more streamlined supply chains have increased risks for companies when acquiring goods and services needed for their operations. The term risk means a chance of facing undesired consequences such as damage, loss, or injury. More scientifically, risk is defined as the combined probability for an undesired event and the potential damage the event might cause. This definition, or variations of this definition, has been applied by a number of researchers investigating risk (March and Shapira, 1987; Zsidisin, 2003; Spekman and Davis, 2004; Wagner and Bode, 2006; Ritchie and Brindley, 2007). The detrimental effects do not have to be existential to the companies, but typically they cause lost sales, decreased market share and large contractual penalties for the parties affected (Zsidisin, 2003).
A very well-known example of such a detrimental effect is the $400 million loss suffered by the Swedish cell phone manufacturer Ericsson due to a lightning bolt which struck their sub-supplier of semi-conductors (Latour, 2001). Another example is the battle against the foot-and-mouth disease in the UK agricultural industry during the year 2001. This event temporarily paralyzed the agricultural industry, while the tourism industry suffered great losses. Even luxury car manufacturers such as Volvo and Jaguar were affected since deliveries of quality leather used in various parts in the car compartment were temporarily stopped (Norrman and Jansson, 2004). A general ban on sale and export of British pigs, sheep and cattle was introduced during the outbreak. The tourism industry also suffered as many tourists changed their vacation plans due to transport bans and detergent washing of cars, boots and clothing in affected regions.
Similarly, the fruit company Dole lost over $100 million when a hurricane caused massive damage to the area in Central America where their banana suppliers were located (Griffy-Brown, 2003). The outbreak of SARS in Southeast Asia affected various industries such as the electronics industry, retailing, tourism, and the airline industry with losses at the national level estimated at $38 billion just for Hong Kong, Singapore, Taiwan, and Thailand (Overby et al., 2004). The economic impact of the hurricane Katrina is estimated at $100-125 billion. More than half of that amount is due to the flooding of New Orleans which paralyzed industry and disrupted normal living conditions in the affected areas (Boettke et al., 2007). However, the most famous of such disruptive events is probably the 9/11 terrorist attack in 2001, which caused immediate financial losses and initiated a massive restructuring of the airline industry (Bhadra and Texter, 2004).
The above-mentioned examples illustrate that supply chains may not be well prepared for dealing with unanticipated events causing disruption in sub-systems of supply chain networks. The traditional cost-efficiency focus of supply chain systems has led companies to eliminate buffers in the form of inventories and multiple sourcing throughout the network. However, this has also led them to remove mechanisms in the supply chain which previously moderated the effects of undesired, disruptive events in the chain. An alternative approach is to introduce more agility in the supply chain. This approach has successfully been applied as a response to the fact that more and more market places in the twenty-first century require a proliferation of products and services, shorter product life cycles and increased demand for innovation (Narasimhan, Swink and Kim, 2006). In agile supply chains, stock out penalties occur immediately in the form of lost sales and the key performance measure is no longer productivity or cost, but customer satisfaction. Traditional stable partnerships are substituted with more fluid clusters where partners enter and leave the network at a more rapid pace. In general, there is also a focus on operator self-management to maximize the actors’ autonomy (Mason-Jones, Naylor and Towill, 1999).
The actors’ higher level of autonomy in agile supply chains makes them better able to respond to changes in supplies upstream as they have no or few bindings keeping them from changing to alternative sources of supply. However, supply chain companies dealing with commodity goods rather than fashion goods cannot necessarily be expected to have the same degree of freedom. Their day-to-day competition would require them to eliminate all forms of waste to remain competitive. Any cost driving measure to mediate or avoid risk such as excess production capacity, excess inventory, and increased supplier base would therefore have to be weighed against the expected costs of future unknown disruptive events. To do this, a proactive identification of potential supply and demand hazards is required at a strategic level. The point is to identify where unanticipated risk events have the biggest impact on the supply chain network, identify the type and number of risks, their associated costs, and assess alternative counter-measures to improve the resilience of the supply chain.
The intent of this conceptual paper is to establish a decision framework in order to aid the proactive identification and management of potential upstream and downstream supply and demand hazards. The framework is developed based on a broad variety of literature integrating multiple perspectives on risk from supply chain management, marketing, and organizations theory. The risk framework presented separates itself from previous efforts in its comprehensiveness, and it has been designed to match the supply chain management framework developed by the Global Supply Chain Forum (GSCF). Previous categorization attempts have usually only presented sub-sets of risk factors and have not paid much attention to how supply chain risks can be dealt with proactively.
For instance, Zsidisin (2003) listed a number of useful supply risk characteristics and classified them into characteristics belonging to items, markets and suppliers based on the results of a case study. Item characteristics included impact on profitability and the newness of product application, while market characteristics involved global sourcing, capacity constraints, market price fluctuation, and number of qualified suppliers. Risks associated with suppliers were capacity constraints, inability to reduce costs, incompatible information systems, quality problems, cycle times, and volume and mix requirements changes. However, Zsidisin’s list of supply risk characteristics did not contain important risk elements such as behavioral appearance of supply chain actors and risks associated with skills and qualities of the individual supply chain organizations, nor did it pay much attention to mitigation of risk events. In addition, the network perspective of supply chain management was not evident in the sense that an event can appear several tiers away from the focal organization but still damage the organization via an unknown dependence.
Spekman and Davis (2004) also discussed a typology for categorizing risks. They found that risk lies inherent in every supply chain flow of goods, information, and money and they mentioned many of the same risk characteristics as in Zsidisin (2003). In addition, criminal acts and breach of norms were included as risk elements in the supply chain. However, they did not focus much on actions to minimize or avoid the effects of undesired events. Dealing with risk was eventually reduced to the introduction of buffers or building trust. An exception is made for the management of security risks where they briefly mention the necessity of proactive planning to avoid such risks.
Another example is Peck (2005) who reported from an empirical study where the sources and drivers of supply chain vulnerability were investigated. She used the knowledge achieved to develop a multi-level framework for risk analysis and did not put much emphasis on identifying individual risk characteristics and tactics to improve the supply chain’s resilience. However, the framework illustrated in an intuitive manner how unanticipated and undesirable events at other nodes in a network could influence and cause problems at different levels for a focal company via dependencies. Kleindorfer and Saad (2005) also attempted to provide a conceptual framework to assess risk and introduced three tasks as the foundation of risk management. These were “Specifying sources of risk and vulnerabilities, Assessment, and Mitigation”. The sources of risk and vulnerability were thereafter divided into operational contingencies, natural hazards, and terrorism and political instability. Kleindorfer and Saad (2005) did not elaborate in much detail on which risks to include in each of these categories, thus from a practical risk assessment point of view, the model becomes less interesting.
In a similar vein, Ritchie and Brindley (2007) developed a framework to encapsulate the main strands of supply chain risk management. They distinguished between seven sources of risk, but were not specific about which risks to expect in each category and they were not very detailed in their description of risk avoidance or mediation tactics. Instead, they used their general model as a guide in an exploratory case study where the purpose was to focus on supply chain members’ degree of awareness of supply chain risks, and how supply chain members identified and responded to identified risks.
Ring and Van De Ven (1992) developed a framework for structuring cooperative relationships between organizations based on varying degree of risk and reliance on trust. They based their paper on the assumption that the degree of risk inherent in any transaction is in direct proportion to decreases in time, information, and control. Examples provided were commercial risk (risk of not finding a price-performance niche in the market), technological risk (probability of bringing the technology to market), scientific risk (lack of knowledge), engineering uncertainty (will the technology work?), and corporate risk. By corporate risk they referred to the risk of wrong allocation of resources in the organization. However, these types of risk are strongly connected with internal managerial and organizational skills of the focal company, and thus cover only a small portion of the risk concept from a supply chain management perspective. Risks arising from process sharing and network inflicted risks were barely mentioned.
In summary, a call for a higher level of precision in supply chain risk assessment frameworks combined with normative guidelines for risk avoidance seems present in extant literature. This call has formally been put forth by Harland, Brenchley and Walker (2003) who provided an easy-to-follow procedure for risk assessment in supply chain networks. They concluded that “more managerial guidance is required to support risk management and redesigning of supply strategies to incorporate risk strategies”. An attempt to answer this call has been made in the following sections. Mapping of risks in the supply chain has been emphasized combined with a discussion of tactics for risk mitigation and risk avoidance. In essence, this covers steps two to four in the model by Harland, Brenchley and Walker (2003) (Figure 1). Guidance for mapping of the supply chain is the main goal for many of the supply chain management frameworks recently developed. Mapping of the supply chain has therefore only received limited attention in this paper, but references to some well-known supply chain frameworks are provided. Steps five and six have been left for the managers to decide as the strategy formation and implementation would be situation specific and dependent on the outcome of steps one to four.
2. Research method
The framework is developed based on a literature review where multiple perspectives on risk from marketing theory, organizations theory, and supply chain management have been integrated into a composite supply chain risk framework. Relevant contributions were identified through library searches and key word searches in Proquest and ScienceDirect databases. Search words were used either alone or in combination to find contributions which could bring added insight about risk from different theoretical perspectives. Key word searches typically included words such as supply chain management, marketing, or organization theory, and words such as risk, framework, uncertainty, vulnerability, resilience, etc. A large number of research contributions were identified from this procedure and contributions were further selected based on a qualitative assessment of the title and abstract of each identified contribution.
A guideline for the literature review was to find an answer to the question “what do we know from theory which could be relevant for supply chain managers in their efforts to identify and reduce the level of risk in their supply chains?” The emphasis on theory was decided since an exploratory empirical investigation would be descriptive of current practices which would not fit with the normative purpose of this investigation. Ex post empirical testing of the entire framework in a single study was also considered difficult to accomplish due to the amount of risk factors included. However, a varying degree of empirical validity is offered through the previous empirical testing performed by the researchers referenced. Some empirical guidance and initial face validity was also provided through discussions with the general director of a sub-supplier to the Norwegian oil and gas industry.
3. Supply chain management and risk
The term ‘supply chain management’ (SCM) has primarily been linked to the study of either internal supply chains integrating internal business functions, the management of two party relationships with tier one suppliers, the management of a chain of businesses or with the management of a network of interconnected businesses (Harland, 1996). Transaction cost analysis (TCA), organization theory (OT) and relational marketing (RM) literature have contributed substantially to the development of SCM research (Croom, Romano and Giannakis, 2000). However, a definition of SCM given by the members of the Global Supply Chain Forum states that ‘Supply chain management is the integration of key business processes from end user through original suppliers that provides products, services, and information that add value for customers and other stakeholders’. This distinguishes SCM from the previously mentioned theories since it is the network or chain perspective which is emphasized (Lambert, Cooper and Pagh, 1998).
3.1. Mapping the supply chain
In order to be able to assess risk in a focal company’s supply chain, a thorough insight is required about how the supply chain is configured. A number of frameworks have been developed for the purpose of achieving such knowledge, but Lambert, García-Dastugue and Croxton (2005) identified only five frameworks which recognized the need to implement business processes among supply chain actors. Such implementation is considered a key area where supply chain management can offer improvement to supply chain actors (Hammer, 2001). However, only two of the five frameworks provided sufficient details to be implemented in practice (Lambert, García-Dastugue and Croxton, 2005). On the other hand, these two frameworks are both supported by major corporations, which indicates a high level of face validity.
The first framework is the SCOR model developed by the Supply-Chain Council (SCC, 2008). The SCOR model focuses on five different processes which should eventually be connected across firms in the supply chain. These are the plan, source, make, deliver, and return processes. The second framework was developed by the Global Supply Chain Forum in 1996 and was presented in the literature in 1997 and 1998 (Cooper, Lambert and Pagh, 1997; Lambert, Cooper and Pagh, 1998). Similar to the SCOR model, the GSCF model focuses on a set of distinct business processes to be shared among business organizations. However, a main difference between the two supply chain frameworks is their linkage to corporate strategy. While the SCOR framework emphasizes operations strategy, little reference is made to organizations’ corporate strategies. The GSCF framework, on the other hand, directly links with the corporate and functional strategies of the companies and thus offers a wider scope (Lambert, García-Dastugue and Croxton, 2005). Since risk is inherent at every level of an organization, and should be considered also at the strategic level, the GSCF framework was chosen as a starting point for our development of a supply chain risk management framework.
3.2. Identify risk and its location
In the GSCF framework, supply chain management consists of three inter-related elements: 1) the structure of the supply chain network, 2) the management components governing the shared supply chain processes, and 3) the different types of processes linked among supply chain actors. Who to link with, which processes to link, and what level of integration and management should be applied are considered key decisions for successful management of supply chains (Lambert, Cooper and Pagh, 1998).
From a supply chain risk management perspective, these managerial questions make way for three propositions regarding risk and the focal company. The first proposition concerns the unpredictability of human nature when processes are shared with others. The second concerns the vulnerabilities created because of dependencies between multiple network actors, and the third refers to the skills and qualities of the different supply chain actors’ organization and management. Stated formally:
P1: A focal company’s exposure to supply chain risk depends on the level of human behavior unpredictability in the supply chain and the impact such unpredictability can have on the company’s supply chain.
P2: A focal company’s exposure to risk depends on the number and strength of dependencies in its supply chain and the impact an external risk event may have on the company.
P3: A focal company’s exposure to risk depends on the supply chain actors’ skills and qualities to identify potential risks in advance and to solve risk situations once they occur.
Although they address different aspects of risk to a focal company, the propositions are closely related. For instance, without the existence of network dependencies, behavioral unpredictability at another supply chain actor becomes irrelevant. Similarly, the focal company does not have to worry about the skills and qualities of other supply chain actors because there is always another alternative to select. Also, an increase in the supply chain actors’ skills and qualities will indirectly reduce the level of human unpredictability since it rules out some of the mistakes humans can make; however, it does not rule out the focal company’s uncertainty about other supply chain actors’ intended strategic actions. The relationship between the propositions has been outlined as arrows in Figure 2. Each category between the arrows refers to a more precise definition of the risks mentioned in the propositions. The categories follow the naming convention in the GSCF framework, and together, they constitute a holistic representation of supply chain risks relevant for successful supply chain management.
The formal definitions for the three types of supply chain risk in Figure 2 are provided below and explained in the subsequent sections:
Supply chain processes risk refers to the perceived risk of other companies in the supply chain behaving – intentionally or unintentionally – in a manner which could be harmful to the company.
Supply chain structure risk is closely linked with the total number and type of dependencies in the network. It is a measure for the level of significant detrimental effects an undesired and unanticipated event can have on a company’s supply chain network. This event can occur externally or internally to a local market or industry and affect either a single node or a multitude of nodes simultaneously.
Supply chain components risk refers to the technical, managerial and organizational abilities each supply chain actor has developed in order to embrace opportunities, detect and avoid potential supply chain disruptions, and to mediate the effects of a disruption once it has occurred.
3.3. Supply chain processes risk
A focal company’s exposure to supply chain risk will, according to proposition one, depend on the level of human behavior unpredictability and the impact such unpredictability can have on the company’s supply chain. When companies begin to explore the competitive advantage of accessing and managing processes belonging to other companies in the chain, they therefore need to identify how the sharing of a process can change its vulnerability to unanticipated events and agree on strategic actions to reduce the processes’ vulnerability. The main factors to consider when processes are shared with other actors are shown in Figure 3 and explained below.
In general, the sharing of processes across tiers in a network can be problematic since it simultaneously makes the focal company more vulnerable to risk. Under working market conditions, each actor is free to choose its trading partner for every transaction. A natural moderating effect on risk therefore exists since there is no dependency on other specific actors in the network. However, when companies begin to integrate processes, as prescribed by supply chain management literature, they distance themselves from the market by creating lock-in effects with selected partners due to the specificity of tangible and intangible assets deployed.
From a transaction cost theory point-of-view (Williamson, 1975, 1985), specific investments in shared processes must be protected against the risk of possible opportunistic behavior from the other actor in each partnership. Opportunistic behavior refers to actors’ “self-interest seeking with guile” (Williamson, 1975) where guile means “lying, stealing, cheating, and calculated efforts to mislead, distort, disguise, obfuscate, or otherwise confuse” (Williamson, 1985). In practice, this type of supplier behavior would materialize in hazards like broken promises, production delays, increased costs, production shortcuts, and masking of inadequate or poor quality (Provan and Skinner, 1989; Wathne and Heide, 2000). Any uncertainty of whether the suppliers behave, or would attempt to behave, opportunistically therefore increases the impression of risk to the actor performing the risk assessment. However, transaction cost theory has been criticized for its assumption of opportunistic decision makers.
Critics argue that it is too simplistic and pessimistic an assumption about human behavior, and that opportunism represents the exception rather than the rule (Macneil, 1980; Granovetter, 1985; Chisholm, 1989). John (1984) also argued that undesired attitudes such as “hard bargaining, intense and frequent disagreements, and similar conflictual behaviors do not constitute opportunism” unless an agreement has been reached not to do so. In addition, even well-meant behavioral actions by one party may have negative effects for another party in the supply chain. The perception of risk linked with human behavior where processes are shared can therefore not be restricted to a matter of opportunism alone, but needs to include any kind of undesired human behavior – whether it is opportunistic, undesirable or well-intended, but still potentially harmful.
It has been suggested that behavioral uncertainty can be reduced with the introduction of formal and informal safeguards to the relationship. In a successful relationship, relational rules of conduct work to enhance the well-being of the relationship as a whole and take explicit account for the historical and social context within which an exchange takes place (Heide and John, 1992). Flexibility among the parties, solidarity, information exchange, and long-term orientation are norms typically associated with, and referred to, as relational safeguarding mechanisms in contemporary research (Ivens, 2002). The presence of these norms in a relationship has been found to improve the efficiency of relationships and to reduce parties’ behavioral uncertainty (Heide and John, 1992).
Alternatively, ownership, or some form of contractual command-obedience authority structure can be used to protect against inherent behavioral uncertainty. Vertical integration has traditionally been prescribed by transaction cost literature as an answer to handle uncertainty in repeated transactions when there are specific investments involved (Williamson, 1975, 1985). However, Stinchcombe (1985) found that the safeguarding features of hierarchical relationships can be built into contracts as well. These features included “authority systems, incentive systems, standard operating procedures, dispute resolution procedures, and non-market internal pricing”. It should be noted that advanced pricing mechanisms used can include agreed risk sharing and paying an insurance premium to a third party to protect against the financial consequences of a business interruption (Li and Kouvelis, 1999; Doherty and Schlesinger, 2002). However, a prerequisite for risk transfer mitigation to work is the ability to clearly define the type, cause and boundaries for when the agreed risk transfer applies. Also, well defined standard operating procedures are particularly important since they indirectly describe the non-conformance cases. Breaches in quality performance or EHS procedures, shipment inaccuracies, delivery times, etc. by the focal company or another party are indications of reduced control over the supply chain. Hence, an increased frequency of such incidents in other nodes in the network will lead to an impression of greater behavioral uncertainty and supply chain risk.
The impression of risk when processes are shared would naturally depend on the degree of lock-in which exists between two parties. A second risk factor in supply chain processes risk therefore refers to the criticality of specific nodes in the network (Craighead et al., 2007). More precisely, critical nodes are actors in the supply chain responsible for delivery of critical components or important subsystems where the number of supplier choices is limited. However, a node can be critical even though there may be little dependence in day-to-day operations. The increased popularity of outsourcing to third parties necessarily increases other actors’ involvement in the company’s material and information flow. But, since both information and materials represent a form of capital investment, this also means that other actors in some cases handle large parts of a company’s tied-up capital – either in the form of information or in the form of goods. This risk is called degree of capital seizure in the framework.
For instance, it is generally not very difficult to switch from one supplier of IT-server capacity to another, but the dependence on the supplier of server capacity can prove severe if sloppy routines at the supplier destroy the electronic database stored. A similar logic applies for other actors with control over much of the company’s information and material flow. Large distribution centers are one example. A typical risk event would be a fire causing damage to much of the company’s goods stored; however, such an event would not be attributable to the processes shared and is therefore not a supply chain process risk. Instead, such a risk event has been characterized as external to the network and described under supply chain structure risk. However, another example would be the distribution centre not informing the focal company of a changed general staff leave. This would be a breach in the “supplier relationship management” process because it is a deviation from expected service levels in that particular period.
3.4. Supply chain structure risk
The decision of who to link with in a network requires an explicit knowledge and understanding of the supply chain network configuration. According to proposition two, this includes a thorough comprehension of the risk inflicted upon the company because of dependencies established in relationship with other network actors. Therefore, the supply chain manager needs to assess how vulnerable the company is to unanticipated changes in the network and its exogenous environment.
Dependencies are created with individual partners in the network and the level of dependency must therefore be assessed for each node. However, attributes of the network configuration itself may increase or reduce the impression of risk. A ‘field risk’ category and a ‘network complexity risk’ category have been created to reflect this duality. Field risk includes risk factors which are exogenous to the network, and not endogenously created as in supply chain process risk. Field risk is assessed for each node, but supply chain structure risk must also take the complexity of the network into consideration. For instance, geographically dense nodes within a network may represent a great risk to a company even though each actor itself may not be very important. This is similar to the Dole example mentioned in the introduction where a hurricane destroyed the banana harvest in the area where Dole had most of its suppliers (Griffy-Brown, 2003).
Network complexity risk refers to decision makers perceiving large networks as more uncertain since the involvement of more actors and more people implicitly includes more things which can go wrong (Craighead et al., 2007). This perception naturally becomes even stronger when the number and strength of identified critical nodes under supply chain processes risk is high. However, if a focal company is engaged in several sub-networks of supply and demand, this would moderate the perception of risk similar to the basic idea of diversification in modern portfolio theory. The reason is that the company can rest on several independent business pillars and prosper with the remaining pillars while the problem in the failing supply chain is sorted out.
Field risk factors such as currency fluctuations, political or legal changes, environmental, and social risks are external to the supply chain network, and refer to the country or region where suppliers, or clusters of suppliers, are located (Jütner, Peck and Christopher, 2002). Climate changes, in particular in combination with population growth, should receive attention since such changes may alter and threaten the living conditions in large regions of the world with serious effects on both the supply side and demand side to companies (Gilland, 2002; Yea, 2004; Leroy, 2006).
An undesirable side-effect of global trade is that supply chains have become significantly more vulnerable to both organized and unorganized crime. Although cargo thefts have not yet caused major supply chain disruptions, the extent of such crime is steadily increasing and should receive attention from a proactive risk management perspective – particularly if shipment of critical components is part of the day-to-day operations (Caton, 2006; Barnett, 2007).
Another type of crime is abduction of key personnel for ransom money. Kidnappings are mentally challenging to the abducted and the organizations they work for, and can strain organizational resources for a substantial amount of time after a kidnapping incident. In addition, if a decision to pay ransom money is made, the amount required could be financially problematic to smaller companies. This type of crime has generally been associated with Latin America; however, experts have anticipated that such kidnappings will spread to other parts of the world (O Hare, 1994). Although no scientific follow-up study has been identified