Professional Documents
Culture Documents
Supply Chain Risk Management: Resilience and Business Continuity
Supply Chain Risk Management: Resilience and Business Continuity
Supply Chain Risk Management: Resilience and Business Continuity
net/publication/278712727
CITATIONS READS
10 7,389
3 authors, including:
All content following this page was uploaded by Mauricio Blos on 03 July 2017.
1
Information Science and Control Engineering Department, Nagaoka University of Technology, Nagaoka, Japan
2
Industrial and Systems Engineering Department, Chung Yuan Christian University, Chungli, Taiwan
3
University of Liverpool Management School, Liverpool L69 3BX, UK
Abstract. These are extraordinary times, especially for risk managers. And that is saying something indeed
when one considers how the last decade has been marked by a succession of disasters that have all thrust the
discipline of risk management into the spotlight. Considering the risks in supply chain, the topic derives from
its importance due to several industry trends currently in place: outsourcing and off-shoring, cost reduction,
product variety, lean manufacturing and just-in-time, low inventory levels, information technologies and
supply chain security. Moreover, organizations and societies are at much greater risk of systemic failure
because of the massive interdependency throughout global supply chains. And to get worst, the natural
disasters are occurring with more frequency and with a big impact than before. Due to those facts, this chapter
has the objective to relate the advances of supply chain risk and supply chain continuity.
1
DRAFT
1. Introduction
In recent years, a number of events around the world have drawn widespread attention – toy recalls
prompted by the presence of lead paint, Toyota recalls due to accelerator pedals defect, food
contamination, crippling natural disasters, and terrorist attacks. These unpredictable events have
significantly disrupted supply chains the world over.
A reasonable proposition, which few would refute, is that managing the supply chain process involves
elements of uncertainty and elements of risk. The differentiation between these terms has classically
been defined as one in which uncertainty reflects the decision situation in which there exists lack of
information, knowledge and understanding of the likely outcomes, including the associated probabilities
and consequences of each [1].
The risk in supply chain management originates from two key areas: supply and demand. The next
level of equal importance is environmental, political, process and security risks. Political and
environmental risks may always remain amorphous and refractory to adequate quantification. Security
risks are even more volatile but on a far higher priority level. Based on the definitions of supply chain
management and SCRM, it appears that one can address the issue of SCRM along two dimensions:
1. Supply Chain Risk – operational risks or disruption risks
2. Mitigation Approach – supply management, demand management, product management, or
information management
Factors that have raised risk levels in supply chains include globalization, market uncertainty, and
increasing pressure to raise performance levels. Over the next few years, these issues are expected to
become even more influential along with the increased need to reduce costs. New challenges also are
anticipated such as tighter environmental regulations. New challenges also are anticipated such as
tighter environmental regulations.
2
DRAFT
for risk programs for years, but with the renewed focus on ERM comes a host of managers new to the
job.
For some time now, there have been two different groups of professionals who use the term risk
management:
A) The Operational Risk Managers: They handle insurance programs, as always, but also address
the many other risks that threaten to keep the operation from carrying out its daily business.
Among the operational risk manager's chief concerns are legal liabilities, worker safety, crime
prevention, fire prevention, environmental contamination and many other important duties.
The operational risks in supply chain are typically related to the following vulnerabilities:
cargo losses, geopolitical risks, natural risks (flood, earthquake, severe hot/cold temperature,
wildfire, tornados, hurricane/typhoon, heavy rain/thunderstorm, tsunami, lightning strikes, etc),
terrorism/sabotage, animal/insect infestation, loss of key supplier, logistics route interruptions,
personnel turnovers, IT system failure, theft, supplier relations, dealer relation, container
accident, etc.
B) The Financial Risk Managers: They primarily come from the financial or auditing side of the
organization and concern themselves with portfolio risk, credit and currency risk, market risk
and other similar fields.
The financial risks in supply chain are related to the following vulnerabilities: credit default,
shareholder activism, interest rate fluctuations, adverse changes in industry regulations, fuel
prices, currency & foreign exchange rate fluctuations, financial markets instability,
accounting/tax law changes, economic recession, adverse changes in environmental
regulations, currency inconvertibility, liquidity/cash, asset valuation, revenue management,
health care and pension costs, and debt & credit rating.
This introductory chapter seeks to establish a brief introduction of risks in supply chain. In the
following sections, the risks in supply chain will be discussed and business continuity will be presented
as well as the business assessment and the supply chain continuity framework will be described. Finally
the conclusion and recommendations will be presented.
2. Scope
Most organizations have a supply chain that is a mix of competencies, from manufacturing to
professional advisory services. Developing business continuity strategies and embedding business
continuity processes into an organization’s procurement process can enhance the organization’s ability
to actively assess vendor capabilities. By creating a flexible framework for augmenting, retaining, or
shedding vendor competencies in order to assure supply chain integrity, the organization can meet
customer demand, customer expectations and generate consistent performance.
3
DRAFT
4
DRAFT
goods, the information can flow to the ends of the network and be made available to the seller, customer
and shipper.
Recognizing that information often resides in disparate locations and within disparate systems, the
ability to move information through the network is dramatically improved by the implementation of
standards or by data transformation and transmission.
Thanks to intelligent networks and enterprise-to-enterprise information exchange, a manager can
view supply chain management as a process and management challenge, rather than a technological
challenge. Companies can now turn to optimizing their business process with their customer and
supplier; not just within their organization.
5
DRAFT
Identification of the company’s internal signals may sometimes be a more convenient way to analyze
uncertainty in the business environment.
According to [3] one view of risks that is common in the management literature is that a risk is
thought of in terms of variability or uncertainty. In the insurance industry, the term risk is an accurate
item to be insured. In this category, the writers seek to differentiate the two categories of risk, i.e. pure
risk and speculative risk.
According to a survey report from [4], 74% of the organizations had experienced supply chain
disruption in last 12 months; 35% had experienced increased supply chain disruption; and 88%
expected to experience supply chain disruption in the next 12 months.
Source: SupplyChainDigest
6
DRAFT
The main objective of any risk management practice is to increase risk adjusted returns, improve
strategic judgment, and/or avoid extraordinary losses due to lawsuits, fines, operational failures, or
negligence. The need for organizations to meet best practice in the management of supply chain risk has
never been more important, or challenging, as they face potential economic downturn, increasing
regulation and ever more complex supply chains that make it difficult to understand risk aggregation.
Furthermore, supply chain risk management assumes importance in the wake of organizations
understanding that their risk susceptibility is dependent on other constituents of their supply chain.
Fig. 1: Major Disasters from 1997 to 2005 (adapted from Dr. Debra Elkins, GM).
According to the [5], Risk Management Process involves applying logical and systematic methods for:
Communication and consultation throughout the process;
Establishing the context;
Assessing risks (identification, analysis, evaluation) and treating risk associated with any activity,
process, function, project, product, service or asset;
Monitoring and reviewing risk;
Recording and reporting the results appropriately.
In this context, the approach by using the ISO31000, the ISO28002 and the BS 25999 standards
will be essential to describe Risk Mitigation, Resilience, and Business Continuity in Supply Chain.
7
DRAFT
8
DRAFT
10. Knowledge about risks in the supply chain: risk understanding improves decision-making.
11. Continuous risk analysis and assessment: business environments are dynamic, so are the risks.
9
DRAFT
flexible supply chains that can respond to day-to-day demand changes. Nokia, Toyota, Nissan, UPS,
Schneider National, FedEx, Dell, and the U.S. Navy are some of the organizations that can be examples
of flexibility and resilience used for competitive advantage. These industries use the key principle that
designing a supply chain that has a fundamental effect on the inherent risk, managers should work
together to design resilient chains.
10
DRAFT
requirements to which the organization subscribes are considered in developing, implementing, and
maintaining its resilience management system. Furthermore, this requirement follows the risk
assessment exigencies.
4) Implementation and Operation
This requirement which proposal is to implement and operate resilience in supply chain has the
following procedures: resources, roles, responsibility, and authority for resilience management;
competence, training, and awareness; communication and warning; documentation; control of
documents: operational control; and incident prevention, preparedness, and response.
5) Checking and Corrective Action
The organization shall evaluate resilience management plans, procedures, and capabilities through
periodic assessments, testing, post-incident reports, lessons learned, performance evaluations, and
exercises. Significant changes in these factors should be reflected immediately in the procedures.
The organization shall keep records of the results of the periodic evaluations.
6) Management Review
Management shall review the organization’s resilience management system at planned intervals to
ensure its continuing suitability, adequacy, and effectiveness. This review shall include assessing
opportunities for improvement and the need for changes to the resilience management system, including
the resilience management system policy and objectives. The results of the reviews shall be clearly
documented and records shall be maintained.
7) Resilience Management Policy
The resilience management policy is the driver for implementing and improving an organization’s
resilience management system, so that it can maintain and enhance its sustainability and resilience. This
policy should therefore reflect the commitment of top management to:
a) Comply with applicable legal requirements and other requirements
b) Prevention, preparedness, and mitigation of disruptive incidents
c) Continual improvement
The resilience management policy is the framework that forms the basis upon which the
organization sets its objectives and targets. The resilience management policy should be sufficiently
clear to be capable of being understood by internal and external interest parties (particularly its supply
chain partners) and should be periodically reviewed and revised to reflect changing conditions and
information. Its area of application (i.e., scope) should be clearly identifiable and should reflect the
unique nature, scale, and impacts of the risks of its activities, functions, products, and services.
11
DRAFT
12
DRAFT
produce the finished items for their US customers. This event sent a shock wave to many US customers
who had outsourced their manufacturing operations to Indonesia. In contrast, The Limited and Warner
Bros. continued to receive their shipments of clothes and toys from their Indonesian suppliers without
noticing any problem during the currency crisis in Indonesia. They were unaffected because they had
outsourced their sourcing and production operations to Li and Fung Limited, the largest trading
company in Hong Kong for durable goods such as textiles and toys. Instead of passing the problems
back to their US customers, Li and Fung shifted some production to other suppliers in Asia and
provided financial assistance such as line of credit, loans, etc. to those affected suppliers in Indonesia to
ensure that their US customers would receive their orders as planned. With a supply network of 4,000
suppliers throughout Asia, Li and Fung were able to serve their customers in a cost-effective and
time-efficient manner. Despite the economic crisis in Asia, this special capability enabled Li and Fung
to earn its reputation in Asia and enjoy continuous growth in sales from 5 billion to HK$17 billion from
1993 to 1999. The reader is referred to [20] and [21] for details.
(3) Dell changed its pricing strategy just in time to satisfy customers during supply shortage. After
an earthquake hit Taiwan in 1999, several Taiwanese factories informed Apple and Dell that they were
unable to deliver computer components for a few weeks. When Apple faced component shortages for its
iBook and G4 computers, Apple encountered major complaints from customers after trying to convince
its customers to accept a slower version of G4 computers. In contrast, Dell’s customers continued to
receive Dell computers without even noticing any component shortage problem. Instead of alerting their
customers regarding shortages of certain components, Dell offered special price incentives to entice
their online customers to buy computers that utilized components from other countries. The capability
to influence customer choice enabled Dell to improve its earnings in 1999 by 41% even during a supply
crunch [22], [23].
13
DRAFT
Creating supply chain resiliency requires more than utilizing the framework to identify, assess, and
mitigate the enterprise risks. The long-term success of a resilient supply chain depends heavily on the
organization’s ability to foster a culture of reliability that stretches across departmental borders.
14
DRAFT
In order to keep an organization's client base and business partners, business continuity standard
[24] was created. BS 25999 offers the framework to develop, implement, maintain, and improve a
dynamic Business Continuity Management System that combats business interruption. The professional
practices that this standard offers are based on 10 principles to know:
1. Project Initiation and Management.
15
DRAFT
strategies and plans for how to recover should be developed that could be implemented, both before the
incident (similar to risk management strategies) and after the incident, post-incident strategies are
implemented to maintain partial or total product supply.
2.2.4 Contingency
Once the connected risk themes are identified and evaluated, actions to address consistent themes
throughout the procurement process can be taken. Identification of consistent risk themes across a
number of risk dimensions can help to determine where the company should place significant effort to
mitigate the risk exposure.
The dynamic interactive and evolutionary nature of supply chain relationships suggests that a
contingency approach to constructing a risk framework may be more suitable than a generic approach
seeking to establish common risk characteristics and responses or the situation approach which simply
suggests that every supply chain is different and needs to be treated as a one-off decision case in terms
of risk resolution [26]. Furthermore, a contingency approach to risk framework within the context of the
supply chain seeks to establish a support system and behavioral characteristics for decisions associated
with risk in the supply chain and its effective management.
16
DRAFT
by inferential statistics and organized in line with decision analytic procedures. These tools have been
developed to generate knowledge about cause effect relationships, estimate the strength of these
relationships, characterize remaining uncertainties and ambiguities and describe, in quantitative or
qualitative form, other risk or hazard related properties that are important for risk management [34],
[35]. In short, risk assessments specify what is at stake, calculate the probabilities for (un)wanted
consequences, and aggregate both components into a single dimension [36].
According to [5], Risk Assessment is the overall of “Risk Identification, Risk Analysis and Risk
Evaluation”.
17
DRAFT
the risk criteria. It is also important to consider the interdependence of different risks and their sources.
The confidence in determination of risk and their sensitivity to preconditions and assumptions
should be considered in the analysis, and communicated effectively to decision makers and other
stakeholders if required. Factors such as divergence of opinion among experts or limitations on
modeling should be stated and may be highlighted.
Risk analysis can be undertaken with varying degrees of detail depending on the risk, the purpose of
the analysis, and the information, data and resources available. Analysis can be qualitative,
semi-quantitative or quantitative, or a combination of these, depending of the circumstances. In practice,
qualitative analysis is often used first to obtain a general indication of the level of risk and to reveal the
major risks. When possible and appropriate, one should undertake more specific and quantitative
analysis of the risks as a following step.
Consequences can be determined by modeling the outcomes of an event or set of events, or by
extrapolation from experimental studies or from available data. Consequences can be expressed in terms
of tangible and intangible impacts. In some cases, more than one numerical value or description is
required to specify consequences for different times, places, groups or situations.
18
DRAFT
19
DRAFT
One result of the analysis is a determination of each business function’s Recovery Time Objectives
(RTO). The RTO is the time within which business functions or application systems must be restored to
acceptable levels of operational capability to minimize the impact of an outage. The RTO describes the
time between the point of disruption and the point at which business functions or application systems
must be operational and updated to current status. The RTO is associated with the recovery of resources
such as computer systems, manufacturing equipment, communication equipment, facilities, etc.
Recovery Point Objective (RPO) expresses the tolerance to a loss of data as a result of disruptive
event. It is measured as the time between the last data backup and the disruptive event
The BIA determines RPO for each application by asking participants the question “What is the
tolerance, in terms of length of time, to loss of data that may occur between any two backup periods?”
The response to this question indicates the values of RPO.
The BIA process consists of a sequence of 11 steps that interact together to identify the impacts of a
business disruption and determine the requirements to restore disrupted critical business process: 1.
Define BIA objectives, scope, and assumptions; 2. Identify business functions and process; 3. Assess
financial and operational impacts; 4. Identify critical processes; 5. Assess MTDs and prioritize critical
process; 6. Identify critical IT systems and applications; 7. Identify critical non-IT resources; 8.
Determine RTO; 9. Determine RPO; 10. Identify work-around procedures; and 11. Generate BIA
information summary.
20
DRAFT
At the end of the BIA process a report is generated that includes details of the key output from the
steps of the BIA process and summarize its findings..
3.3.1 Trade-offs
A cost-effectiveness analysis can be interpreted as a cost-benefit analysis where the willingness to
pay per effectiveness unit is assumed to be constant and the same for everyone. To relax this
assumption the willingness to pay per effectiveness unit can be allowed to vary. Cost-effectiveness
analysis is best viewed as a subset of cost-benefit analysis, where the aim of the analysis is to estimate
the cost function of producing health effects.
Although supply chain cost-efficiency measures can increase risk, cost can also reduce supply chain
risks.
3.3.1.1 Cost-Benefit
Experts agree that there are right and wrong ways of incurring and addressing supply chain risk.
Think of cost and risk as variables that exist along a continuum; reducing one often comes at the
expense of increasing the other.
Some firms may express concerns regarding the requisite costs associated with these risk
management strategies, while others would recognize the additional benefits. At a conceptual level,
these risk management strategies would enhance the competitive position of a firm, especially when
other firms’ supply chains are more vulnerable to disruptions. However, it is difficult to quantify the
value of competitiveness. Theoretically speaking, the costs for implementing these proactive strategies
21
DRAFT
can be viewed as “insurance premiums” that will safeguard the supply chains from major disruptions
[39]. However, it is difficult to evaluate the return on these insurance premiums, especially in the
absence of reliable data (probability that a disruption would occur, potential loss due to a disruption,
etc.).
particular aspects of BCM [40], [41], [42], [43], [44]. In this section, a framework is created to allow a company to
create supply chain visibility and better handle supply chain disruptions, improving the organization’s performance.
The framework is based in a BCP process life cycle with six stages (risk mitigation management, business impact
analysis, supply continuity strategy development, supply continuity plan development, supply continuity plan
testing and supply continuity plan maintenance) with five supply chain operational constructs (inventory
management, quality, ordering cycle-time, flexibility and costumers) with the purpose to keep supply chain more
resilience.
In creating a mitigation program the goal is to eliminate risks where possible and to lessen the negative impact
of disasters that cannot be prevented. Mitigation is as simple as fastening down computer terminals in
earthquake-prone areas or moving computers to a higher floor where floods are a potential threat to dispersing
critical business operations among multiple locations, to relocating an operation from an area where the risks are
extremely great or perhaps contractually transferring some operations. However, there is the need to have a BCP to
The BCP process life cycle has the business continuity best practices for developing and maintaining a supply
chain continuity plan. Therefore, a comprehensive business continuity program that considers all internal and
external links in the supply chain is essential if the business is to survive following a major disaster. With this
affirmation, we developed a supply chain continuity framework, where the BCP process life cycle together with the
operational constructs has the purpose to keep the supply chain more resilient:
identifying mitigation control are needed to prevent or reduce the risks of disaster related to the operational
constructs (O.C).
This stage identifies mission-critical processes of the O.C., and analyzes impacts to business if these
processes are interrupted as a result of disaster. Furthermore, the BIA is the foundation on which a
comprehensive business continuity program is based. Its goal is to determine the most to least time-critical
business functions throughout
the organization. For each of these functions a related recovery time objective (RTO), the target time in which
22
DRAFT
each function must be operational following a disruption, is determined. For supply management a BIA will include
a review the operations of manufacturing, transportation, distribution services, support technology, warehouses, and
The third stage assesses the requirements and identifies the options for recovery of critical processes and
resources related to the O.C. in the event they are disrupted by a disaster
This stage develops a plan for maintaining business continuity based on the results of previous stages.
This stage will test the supply continuity plan document to ensure its currency, viability, and completeness.
The final stage will maintain the supply continuity plan in a constant ready-state for execution.
23
DRAFT
4. Conclusion
Everything changed for the supply chain area after the terrorist attacks of September 11, 2001 in
New York. From that time until now many strategies in the field of security, risk management and
business continuity has been created.
Supply chain risk management often seems to focus on the risks within a particular organization, but
we know that each member of a supply chain occupies a unique position. Then risks to any single
member can be transmitted and expanded into risks to the whole chain. The best way of dealing with
these joint risks is not to work in isolation but to have all members cooperating and working together to
reduce the level of risk to the whole chain.
Since supply chain risk management is a relatively new area of research, there are many research
opportunities in the field of risk management and business continuity. Therefore, the most important
aspect is to create a supply chain risk management culture. This is not just risk management but
performance improvement, where companies will make money by taking smart risks or lose money by
failing to re-tool their legacy business processes to assess and mitigate risk effectively.
This chapter takes a supply chain risk and business continuity perspective on corporate preparedness
and response to disruptions.
24
DRAFT
References
2. John J. Hampton (2009), Fundamentals of Enterprise Risk Management: How Top Companies Assess Risk,
3. Hertz, D. and Thomas, H. (1983), Risk Analysis and its Applications, John Wiley & Sons, Chischester.
6. Waugh, W.L., 1996. Disaster management for the new millennium. In: Sylves, R.T., Waugh, W.L. (Eds.),
Disaster Management in the U.S. and Canada: The Politics, Policymaking, Administration and Analysis of
Emergency Management. Charles C. Thomas Publishers, Spring"eld, Illinois, pp. 344}359 (Chapter XVI).
7. Mazmanian, D.A., Sabatier, P.A., 1983. Implementation and Public Policy. Scott, Foresman and Company,
Glenview, IL.
8. Faisal, M., Banwet, D., & Shankar, R. (2006). Supply chain risk mitigation: modeling the enablers. Business
9. ISO 28002: Resilience in the Supply Chain: requirements with Guidance for Use (2009).
10. Holling, C. S. (1973), the Resilience of Terrestrial Ecosystems. Annual Review of Ecology and Systematics
4:1-23
11. Svensson, Goran (2002), "Dyadic Vulnerability in Companies' Inbound and Outbound Logistics Flows,"
International Journal of Logistics and Research Applications, Vol. 5, No. l,pp. 13-44.
12. Craighead, C. S., Blackfurst J., Rungtusanatham M.J. and Handfield R.B., (2007). The Severity of Supply
Chain Disruptions: Design Characteristics and Mitigation Capabilities. Decision Sciences 38, 1, 131-156.
13. Sheffi, Y., (2005). The resilient enterprise: overcoming vulnerability for competitive advantage. MIT Press
Book.
14. Chapman, Paul, Martin Christopher, Uta Jüttner, Helen Peck, and Richard Wilding (2002), "Identifying and
Managing Supply-chain Vulnerability," Logistics and Transport Focus, Vol. 4, No. 4, pp. 59-64.
15. Peck, Helen (2005), "Drivers of Supply Chain Vulnerability: An Integrated Framework," International Journal
of Physical Distribution and Logistics Management, Vol. 35, No. 4, pp. 210-232.
16. Svensson, Goran (2000), "A Conceptual Framework for the Analysis of Vulnerability in Supply Chains,"
International Journal of Physical Distribution and Logistics Management, Vol. 30, No. 9, pp. 731-749.
17. Svensson, Goran (2004), "Vulnerability in Business Relationships: The Gap between Dependence and Trust,"
Journal of Business and Industrial Marketing, Vol. 19, No. 7, pp. 469-483.
18. Zsidisin, George A. (2003), "A Grounded Definition of Supply Risk," Journal of Purchasing and Supply
19. Hopking, K. (2005), Value opportunity three: improving the ability to fulfill demand. Business Week.
25
DRAFT
20. St. George, A., Li and Fung: beyond “filling in the mosaic”. Harvard Business School, case 9-398-092, 1998.
21. McFarlan,W., Li and Fung (A): internet issues. Harvard Business School, case 9-301-009, 2002.
23. Martha, J. and Subbakrishna (2002), S., Targeting a just-in-case supply chain for the inevitable next disaster.
25. Parier, Michael and Zawada, Brian (2002). Risky Business – Failing to Assess Supply Chain Continuity. A
26. Brindley, Clare (2004), Supply Chain Risk, Ashgate Publishing Company.
27. Lave, L. (1987). Health and Safety Risk Analyses: Information for Better Decisions. Science, 236, pp.291-295.
28. Grahan, J.D. and Rhomberg, L. (1996). How Risks are Identified and Assessed
29. IAEA: Guidelines for Integrated Risk Assessment and Management in Large Industrial Areas (1995).
30. Stricaff, R.S. (1995). Safety Risk Analysis and Process Safety Management: Principles and Practices.
31. Hattis, D. (2004). The conception of variability in risk analyses: Developments since 1980.
32. Olin, S., Farland, W., Park, C., Rhomberg, L., Scheuplein, R., Starr, T. and Wilson, J. (1995). Low Dose
34. IEC: Guidelines for Risk Analysis of Technological Systems (1993), Report IEC-CD (Sec) 381 issued by the
35. Kolluru, R.V. (1995). Risk Assessment and Management: A Unified Approach. Mc-Graw-Hill: New York, pp.
1.3-1.41.
36. Barnes, James C. (2001). A guide to Business Continuity Planning. John Wiley & Sons Ltd.
37. Drew, M. (2007). Information risk management and compliance – Expect the unexpected, BT Technology
38. Sheffi, Y. (2001). Supply chain management under the threat of international terrorism. Int. J. Logistics
39. Hiles, A. and Barnes, P. (eds), (2001). The Definitive Handbook of Business Continuity Management, J.
Wiley and Sons, Chichester.
42. Hiles, A. and Barnes, P. (eds), (2001). The Definitive Handbook of Business Continuity Management, J.
43. Starr, R., Newfrock, J., & Delurey, M. (2002). Enterprise resilience: managing risk in the networked economy.
Continuity Institute.
26