See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/278712727

Supply Chain Risk Management: Resilience and Business Continuity

Chapter in Intelligent Systems Reference Library · January 2012

DOI: 10.1007/978-3-642-25755-1_12

CITATIONS READS

10 7,389

3 authors, including:

Mauricio Blos Hui m Wee

Universidade Santa Cecília Chung Yuan Christian University
66 PUBLICATIONS 731 CITATIONS 360 PUBLICATIONS 11,266 CITATIONS

SEE PROFILE SEE PROFILE

All content following this page was uploaded by Mauricio Blos on 03 July 2017.

The user has requested enhancement of the downloaded file.

DRAFT

Supply Chain Risk Management: Resilience and Business Continuity

Mauricio F. Blos 1† and Hui Ming Wee 2 and Wen-Hsiung Yang3

1
Information Science and Control Engineering Department, Nagaoka University of Technology, Nagaoka, Japan
2
Industrial and Systems Engineering Department, Chung Yuan Christian University, Chungli, Taiwan
3
University of Liverpool Management School, Liverpool L69 3BX, UK

Abstract. These are extraordinary times, especially for risk managers. And that is saying something indeed
when one considers how the last decade has been marked by a succession of disasters that have all thrust the

discipline of risk management into the spotlight. Considering the risks in supply chain, the topic derives from

its importance due to several industry trends currently in place: outsourcing and off-shoring, cost reduction,

product variety, lean manufacturing and just-in-time, low inventory levels, information technologies and

supply chain security. Moreover, organizations and societies are at much greater risk of systemic failure

because of the massive interdependency throughout global supply chains. And to get worst, the natural

disasters are occurring with more frequency and with a big impact than before. Due to those facts, this chapter

has the objective to relate the advances of supply chain risk and supply chain continuity.

1
DRAFT

1. Introduction
In recent years, a number of events around the world have drawn widespread attention – toy recalls
prompted by the presence of lead paint, Toyota recalls due to accelerator pedals defect, food
contamination, crippling natural disasters, and terrorist attacks. These unpredictable events have
significantly disrupted supply chains the world over.
A reasonable proposition, which few would refute, is that managing the supply chain process involves
elements of uncertainty and elements of risk. The differentiation between these terms has classically
been defined as one in which uncertainty reflects the decision situation in which there exists lack of
information, knowledge and understanding of the likely outcomes, including the associated probabilities
and consequences of each [1].
The risk in supply chain management originates from two key areas: supply and demand. The next
level of equal importance is environmental, political, process and security risks. Political and
environmental risks may always remain amorphous and refractory to adequate quantification. Security
risks are even more volatile but on a far higher priority level. Based on the definitions of supply chain
management and SCRM, it appears that one can address the issue of SCRM along two dimensions:
1. Supply Chain Risk – operational risks or disruption risks
2. Mitigation Approach – supply management, demand management, product management, or
information management
Factors that have raised risk levels in supply chains include globalization, market uncertainty, and
increasing pressure to raise performance levels. Over the next few years, these issues are expected to
become even more influential along with the increased need to reduce costs. New challenges also are
anticipated such as tighter environmental regulations. New challenges also are anticipated such as
tighter environmental regulations.

1.1 Enterprise Risk Management (ERM)

First of all, we need to define what is Enterprise Risk Management, because this is the base to
understand why organizations should introduce risk management to the core business.
Enterprise risk management is a broad and complex concept that reaches into every major area of
an organization. ERM is the process of identifying major risks that confront an organization, forecasting
the significance of those risks in business processes, addressing the risks in a systematic and
coordinated plan, implementing the plan, and holding key individuals responsible for managing critical
risks within the scope of their responsibilities [2].
While risk management has long been a priority for many organizations, the recent financial
collapse has put a spotlight on enterprise risk management as a critical component of a company's
overall health and long-term sustainability. There are some risk managers who have been responsible

2
DRAFT

for risk programs for years, but with the renewed focus on ERM comes a host of managers new to the
job.
For some time now, there have been two different groups of professionals who use the term risk
management:
A) The Operational Risk Managers: They handle insurance programs, as always, but also address
the many other risks that threaten to keep the operation from carrying out its daily business.
Among the operational risk manager's chief concerns are legal liabilities, worker safety, crime
prevention, fire prevention, environmental contamination and many other important duties.
The operational risks in supply chain are typically related to the following vulnerabilities:
cargo losses, geopolitical risks, natural risks (flood, earthquake, severe hot/cold temperature,
wildfire, tornados, hurricane/typhoon, heavy rain/thunderstorm, tsunami, lightning strikes, etc),
terrorism/sabotage, animal/insect infestation, loss of key supplier, logistics route interruptions,
personnel turnovers, IT system failure, theft, supplier relations, dealer relation, container
accident, etc.
B) The Financial Risk Managers: They primarily come from the financial or auditing side of the
organization and concern themselves with portfolio risk, credit and currency risk, market risk
and other similar fields.
The financial risks in supply chain are related to the following vulnerabilities: credit default,
shareholder activism, interest rate fluctuations, adverse changes in industry regulations, fuel
prices, currency & foreign exchange rate fluctuations, financial markets instability,
accounting/tax law changes, economic recession, adverse changes in environmental
regulations, currency inconvertibility, liquidity/cash, asset valuation, revenue management,
health care and pension costs, and debt & credit rating.
This introductory chapter seeks to establish a brief introduction of risks in supply chain. In the
following sections, the risks in supply chain will be discussed and business continuity will be presented
as well as the business assessment and the supply chain continuity framework will be described. Finally
the conclusion and recommendations will be presented.

2. Scope
Most organizations have a supply chain that is a mix of competencies, from manufacturing to
professional advisory services. Developing business continuity strategies and embedding business
continuity processes into an organization’s procurement process can enhance the organization’s ability
to actively assess vendor capabilities. By creating a flexible framework for augmenting, retaining, or
shedding vendor competencies in order to assure supply chain integrity, the organization can meet
customer demand, customer expectations and generate consistent performance.

3
DRAFT

2.1 Supply Chain Risk

Risk in the supply chain is not a new phenomenon. Business organizations have always been
exposed to the failure of a supplier to deliver the right quantity, at the right time, to the agreed quality
and at the agreed price. Different organizations have developed different strategies and tactics to
manage these risks and have a typically been successful in doing so, although not universally so as
business cases such as Enron demonstrate.
Supply chain risk is increasingly a fact of modern supply chain management but it is a risk that can
be identified and reduced through the application of various practices and tools. This chapter will
explore the effective practices and tools of supply chain risk and business continuity.

2.1.1 Procurement Process

There isn’t a company that can deliver end-to-end products and/or services in today’s complex
business environment. Many companies are most likely dependent on vendors of various types
(manufacturing, profession services, software, transportation, etc.) to meet customer expectations.
The integration of vendor business continuity capability as part of the procurement process is
becoming an integral part of company strategy. Effective business continuity strategies, like supply
chain assurance, need to be designed. Integrating business continuity principles and concepts into the
company’s business portfolio planning process and at each stage of product/service life cycle can
provide opportunities to enhance the procurement process, allowing the company to deliver superior
products and/or services solutions to its customers. Embedding into the procurement process specific
business continuity objectives, guidelines and assessment metrics can enhance decision-making,
communications (vertical/horizontal) and resource management.

2.1.2 Networked Supply Chain

In today’s economy the creation of a networked supply chain is much easier to achieve through the
application of digital networks, which make it possible to remove the link between rich information and
its physical carrier. When information can be made available across the supply chain through a
collaborative process, the logistics of making, distributing and delivering goods become more efficient.
A network is a conduct for information, and the intelligence of a network is determined by its
functionality; the ability to collect, transform, store and distribute information. In the absence of a
network, data is static and can only live where it resides. Once data is unlocked from where it is stored,
the data becomes information. When information can be accessed and delivered across the supply chain,
it becomes intelligent, and intelligence delivers value to supply chain participants.
When information is moved to the end of the networks, intelligence is no longer held hostage to the
middleman in the business process. So long as the information can be decoupled from the physical

4
DRAFT

goods, the information can flow to the ends of the network and be made available to the seller, customer
and shipper.
Recognizing that information often resides in disparate locations and within disparate systems, the
ability to move information through the network is dramatically improved by the implementation of
standards or by data transformation and transmission.
Thanks to intelligent networks and enterprise-to-enterprise information exchange, a manager can
view supply chain management as a process and management challenge, rather than a technological
challenge. Companies can now turn to optimizing their business process with their customer and
supplier; not just within their organization.

2.2 Risk Management

When managing complex supply chains, companies need to take an end-to-end view of their
operations. But when it comes to managing supply chain risk, many enterprises settle for a narrow
perspective, even though the likelihood of a disruption has increased significantly over recent years.
There are a number of reasons for the above fact. A false sense of security can prevent organizations
from breaking out of the silos that restrict risk mitigation to certain parts of the supply chain. Some
enterprises lack the organizational focus required to develop a more holistic approach to risk
management. Others simply do not share the sense of urgency that drives more enlightened companies
to fortify every segment of their supply chains.
Leading companies take a broad, risk-based approach to securing their supply chains, based on
comprehensive information on the operating environment and detailed analyses of the risks they need to
address. Armed with this information they develop and implement risk management strategies across
the supply chain, and reduce their vulnerability to highly damaging disruptions
As described in Table 1 and Fig. 1, the supply chain risks and vulnerabilities are raising more and
more. Therefore, the awareness of supply chain risk management thinking is changing. Uncertainty
seems to be a disturbing factor in organized life and continuous change feels like a treat to social life
and economy.
One important aspect of risk management in supply chain is the timing of management actions. In
principle, the company’s or the network’s risk management process should be continuous. Companies
observe their operational environment and business processes and carry out decision and planning
procedures, which have an effect of risks. This may be difficult in practice and it is advantageous to
restrict the process to certain situations.
The activation of the risk management process is particularly associated with situations and events
that are new and therefore, cause uncertainty. Such situations can be related to the establishment of a
new network and changes in network relationships. Large purchases or projects and external signals,
like customer or product specific investments and technology decisions also cause uncertainty.

5
DRAFT

Identification of the company’s internal signals may sometimes be a more convenient way to analyze
uncertainty in the business environment.
According to [3] one view of risks that is common in the management literature is that a risk is
thought of in terms of variability or uncertainty. In the insurance industry, the term risk is an accurate
item to be insured. In this category, the writers seek to differentiate the two categories of risk, i.e. pure
risk and speculative risk.
According to a survey report from [4], 74% of the organizations had experienced supply chain
disruption in last 12 months; 35% had experienced increased supply chain disruption; and 88%
expected to experience supply chain disruption in the next 12 months.

Table 1: The 11 Greatest Supply Chain Disasters

Source: SupplyChainDigest

6
DRAFT

The main objective of any risk management practice is to increase risk adjusted returns, improve
strategic judgment, and/or avoid extraordinary losses due to lawsuits, fines, operational failures, or
negligence. The need for organizations to meet best practice in the management of supply chain risk has
never been more important, or challenging, as they face potential economic downturn, increasing
regulation and ever more complex supply chains that make it difficult to understand risk aggregation.
Furthermore, supply chain risk management assumes importance in the wake of organizations
understanding that their risk susceptibility is dependent on other constituents of their supply chain.

Fig. 1: Major Disasters from 1997 to 2005 (adapted from Dr. Debra Elkins, GM).

According to the [5], Risk Management Process involves applying logical and systematic methods for:
 Communication and consultation throughout the process;
 Establishing the context;
 Assessing risks (identification, analysis, evaluation) and treating risk associated with any activity,
process, function, project, product, service or asset;
 Monitoring and reviewing risk;
 Recording and reporting the results appropriately.
In this context, the approach by using the ISO31000, the ISO28002 and the BS 25999 standards
will be essential to describe Risk Mitigation, Resilience, and Business Continuity in Supply Chain.

7
DRAFT

2.2.1 Risk Mitigation

Many supply chain scholars believed that companies could only mitigate supply chain risk but loss
and damage could not be avoided when accident happens. However, supply chain risk management
(SCRM) has become effectively to reduce loss and damage.
The Symbiosis Institute of Telecom Management defines risk mitigation as the implementation of
the preventative measures which risk assessment has identified.
The key to effective risk mitigation strategy development is knowing where we are today, knowing
what our exposures are, understanding what the business impact is, knowing what the business
requirements are from a recovery point and time position, knowing that the recovery strategies that have
been developed truly support these business requirements, understanding where our gaps are and what
needs to be done in order to position our company to being able to effectively recover all mission
critical processes and functions required for business resumption. By taking a risk-based approach to
supply chain resilience, companies can choose the right mix of mitigation measures for their
organizations, and provide end-to-end protection against business-threatening disruptions.
The implementation of mitigation policies requires that certain conditions be met if success is to be
assured. Waugh (1996) [6], utilizing the work of [7] proposed six conditions for effective
implementation: (1) there must be sound theory with causal linkages to assure that goals are reasonable
and appropriate; (2) the tasks or programs must be assigned to sympathetic and capable agencies with
adequate resources; (3) there must be leaders with substantial managerial and political skill; (4) there
must be clear policy objectives; (5) the commitment must be supported by an organized constituency;
and (6) there must be no undermining of the policy over time.
According to [8], we have a list of 11 enablers of risk mitigation:
1. Information sharing: more information means more visibility means less surprises.
2. Supply chain agility: agility allows for faster adapting to changing circumstances without
losing momentum.
3. Trust among supply chain partners: lack of trust creates opportunism only.
4. Collaborative relationships among supply chain partners: collaboration creates interdependence
and the appreciation of flexibility and responsiveness.
5. Information security: information is the most critical asset in the chain, so guard it.
6. Corporate social responsibility: be prepared to manage the consequences of partners’ (wrong)
policies.
7. Aligning of incentives and revenue sharing policies: everybody’s interest must be served, not
just one’s own.
8. Strategic risk planning: the supply chain is a strategic asset, not just an operational necessity.
9. Risk sharing: both risks and rewards need to be distributed evenly throughout he chain.

8
DRAFT

10. Knowledge about risks in the supply chain: risk understanding improves decision-making.
11. Continuous risk analysis and assessment: business environments are dynamic, so are the risks.

According to the [9], we have the following principle for mitigation:

a) The mitigation strategy should consider immediate, interim, and long-term actions.
b) The various resources that would contribute to the mitigation process should be identified.
These resources – including essential personnel and their roles and responsibilities, facilities,
technology, and equipment – should be documented in the plan and become part of “business as usual.”
c) Systems and resources should be monitored continually as part of mitigation strategies. Such
monitoring can be likened to simple inventory management.
d) The resources that will support the organization to mitigate the crisis should also be
monitored continually to ensure that they will be available and able to perform as planned during the
disruption and crisis. Examples of such systems and resources include, but are not limited to:
emergency equipment, fire alarms and suppression systems, local resources and vendors, alternate
worksites, maps and floor plants, system backup, and offsite storage.
To conclude, most business units in large organizations neglect the counterparty risk in their
supplier partnerships. Service degradation risks run high when the supplier’s financial health erodes and
there are potentially huge risks and replacement costs if the supplier defaults.

2.2.2 Supply Chain Resilience

Today’s supply chain becomes more interdependent, complex, and vulnerable to temporary or
long term disruptions. The problem is that the very complexity and global reach that are intrinsic to
modern supply chain management; the low inventory level and lack of redundancies required to achieve
efficient operations, expose companies to a wider range of unexpected disruptions. The challenge is to
make supply chains robust enough not only to continue operating in this risky business environment,
but also to turn this resilience into competitive advantage.
Holling (1973) [10] first used the term resilience to describe a ‘‘measure of the persistence of
systems and their ability to absorb change and disturbance and still maintain the same relationships
between populations or state variables’’. Svensson (2002) [11] defines the concept of resilience in
supply chains as “unexpected deviations from the norm and their negative consequences.” In other
words, resilience in supply chain is the capacity for complex supply chains to survive, adapt, and grow
in the face of turbulent change, including catastrophic events. Mathematically, vulnerability can be
measured in terms of “risk”, a combination of the likelihood of an event and its potential severity [12],
[13]. Both these definitions have foundations in traditional risk management techniques and are
expanded by other authors [14 - 16], [11], [17], [18].
These principles create not only resilient supply chains that can recover from disruptions but also

9
DRAFT

flexible supply chains that can respond to day-to-day demand changes. Nokia, Toyota, Nissan, UPS,
Schneider National, FedEx, Dell, and the U.S. Navy are some of the organizations that can be examples
of flexibility and resilience used for competitive advantage. These industries use the key principle that
designing a supply chain that has a fundamental effect on the inherent risk, managers should work
together to design resilient chains.

2.2.2.1 Resilience Management System Requirements

The organization shall establish, document, implement, maintain, and continually improve a
resilience management system in accordance with the requirements of ISO 28002 [9], and determine
how it will fulfill these requirements. The requirements to build a resilient management system are:
Understanding the Organization and its Context; Policy Management Review; Planning;
Implementation and Operation; Checking and Corrective Action; and Management Review (Fig. 2).
Here we summarize the requirements:
1) Understanding the Organization and its Context
 The organization shall define and document the internal and external context of the
organization.
 The organization shall identify and document some procedures related to risk protection and
resilience in order to define the context for the management system and its commitment to the
management of risk and resilience within specific internal and external contexts of the
organization.
 The organization shall define and document the objectives and scope of its resilience
management system within specific internal and external context of the organization.
 The organization shall define the scope consistent with protecting and preserving the integrity
of the organization and its supply chain including relationships with stakeholders, interactions
with key suppliers, outsourcing partners, and other stakeholders.
2) Policy Management Review
Top management shall define, document, and provide resources for the organization’s resilience
management policy reflecting a commitment to the protection of human, environmental, and physical
assets; anticipating and preparing for potential adverse events; and business and operational resiliency.
The policy statement of an organization shall ensure that within the defined scope of the resilience
management system several responsibilities should be taking in action, including: a commitment to the
enhanced organizational and supply chain sustainability and resilience; a commitment to risk avoidance,
prevention, reduction, and mitigation; to provide a framework for setting and reviewing resilience
management objectives and targets.
3) Planning
The main proposal of this requirement is to ensure that applicable legal, regulatory, and other

10
DRAFT

requirements to which the organization subscribes are considered in developing, implementing, and
maintaining its resilience management system. Furthermore, this requirement follows the risk
assessment exigencies.
4) Implementation and Operation
This requirement which proposal is to implement and operate resilience in supply chain has the
following procedures: resources, roles, responsibility, and authority for resilience management;
competence, training, and awareness; communication and warning; documentation; control of
documents: operational control; and incident prevention, preparedness, and response.
5) Checking and Corrective Action
The organization shall evaluate resilience management plans, procedures, and capabilities through
periodic assessments, testing, post-incident reports, lessons learned, performance evaluations, and
exercises. Significant changes in these factors should be reflected immediately in the procedures.
The organization shall keep records of the results of the periodic evaluations.
6) Management Review
Management shall review the organization’s resilience management system at planned intervals to
ensure its continuing suitability, adequacy, and effectiveness. This review shall include assessing
opportunities for improvement and the need for changes to the resilience management system, including
the resilience management system policy and objectives. The results of the reviews shall be clearly
documented and records shall be maintained.
7) Resilience Management Policy
The resilience management policy is the driver for implementing and improving an organization’s
resilience management system, so that it can maintain and enhance its sustainability and resilience. This
policy should therefore reflect the commitment of top management to:
a) Comply with applicable legal requirements and other requirements
b) Prevention, preparedness, and mitigation of disruptive incidents
c) Continual improvement
The resilience management policy is the framework that forms the basis upon which the
organization sets its objectives and targets. The resilience management policy should be sufficiently
clear to be capable of being understood by internal and external interest parties (particularly its supply
chain partners) and should be periodically reviewed and revised to reflect changing conditions and
information. Its area of application (i.e., scope) should be clearly identifiable and should reflect the
unique nature, scale, and impacts of the risks of its activities, functions, products, and services.

11
DRAFT

Fig. 2: Resilience Management System Flow Diagram

2.2.2.2 Best Practices of a Resilient Organization

Innovative organizations are fielding new ideas and deploying new solutions that increase both
their risk intelligence and capacity for resilience (Fig. 3). Three case studies reported in the literature are
the following.
(1) Nokia changed product configurations in the nick of time to meet customer demand during a
supply disruption. Both Ericsson and Nokia were facing a shortage of a critical cellular phone
component (radio frequency chips) after a key supplier in New Mexico (Philips’s semiconductor plant)
caught fire during March 2000. Ericsson was slow in reacting to this crisis and lost €400 million in sales.
In contrast, Nokia had the foresight to design their mobile phones based on the modular product design
concept and to source their chips from multiple suppliers. After learning about Philips’s supply
disruption, Nokia responded immediately by reconfiguring the design of their basic phones so that the
modified phones could accept slightly different chips from Philips’s other plants and other suppliers.
Consequently, Nokia satisfied customer demand smoothly and obtained a stronger market position. The
reader is referred to [19] details.
(2) Li and Fung Limited changed its supply plan in a flash to meet customer demand during a
currency crisis. When the Indonesian Rupiah devalued by more than 50% in 1997, many Indonesian
suppliers were unable to pay for the imported components or materials and, hence, were unable to

12
DRAFT

produce the finished items for their US customers. This event sent a shock wave to many US customers
who had outsourced their manufacturing operations to Indonesia. In contrast, The Limited and Warner
Bros. continued to receive their shipments of clothes and toys from their Indonesian suppliers without
noticing any problem during the currency crisis in Indonesia. They were unaffected because they had
outsourced their sourcing and production operations to Li and Fung Limited, the largest trading
company in Hong Kong for durable goods such as textiles and toys. Instead of passing the problems
back to their US customers, Li and Fung shifted some production to other suppliers in Asia and
provided financial assistance such as line of credit, loans, etc. to those affected suppliers in Indonesia to
ensure that their US customers would receive their orders as planned. With a supply network of 4,000
suppliers throughout Asia, Li and Fung were able to serve their customers in a cost-effective and
time-efficient manner. Despite the economic crisis in Asia, this special capability enabled Li and Fung
to earn its reputation in Asia and enjoy continuous growth in sales from 5 billion to HK$17 billion from
1993 to 1999. The reader is referred to [20] and [21] for details.
(3) Dell changed its pricing strategy just in time to satisfy customers during supply shortage. After
an earthquake hit Taiwan in 1999, several Taiwanese factories informed Apple and Dell that they were
unable to deliver computer components for a few weeks. When Apple faced component shortages for its
iBook and G4 computers, Apple encountered major complaints from customers after trying to convince
its customers to accept a slower version of G4 computers. In contrast, Dell’s customers continued to
receive Dell computers without even noticing any component shortage problem. Instead of alerting their
customers regarding shortages of certain components, Dell offered special price incentives to entice
their online customers to buy computers that utilized components from other countries. The capability
to influence customer choice enabled Dell to improve its earnings in 1999 by 41% even during a supply
crunch [22], [23].

Fig. 3: A Resilient Supply Chain Structure

13
DRAFT

Creating supply chain resiliency requires more than utilizing the framework to identify, assess, and
mitigate the enterprise risks. The long-term success of a resilient supply chain depends heavily on the
organization’s ability to foster a culture of reliability that stretches across departmental borders.

2.2.3 Business Continuity

Over the years the need for disaster recovery, business recovery and contingency planning has
increased. Realizing that most business processes today extend beyond the boundaries of a single entity,
awareness of critical supply chain interdependencies has risen sharply. (Fig. 4)
Nearly all organizations rely in some way or another on supply chains to ensure business
continuity, and they are vulnerable if supplies are interrupted. Business Continuity is a concern of the
entire organization, not just the IT department. For supply chains, the basic requirement of business
continuity is that the flow of materials is not interrupted by any disaster hitting the chain, or that it is
able to return to normal as quickly as possible. Also, we should pinpoint the changing nature of business,
such as:
 Increasing dependency on ICT.
 Increasing system interdependency.
 Increasing commercial complexity.
 Increasing technical complexity.
 Increasing expectations from customer.
 Increasing Threat.

Fig.4: Scope of Business Continuity Management

Source: Chartered Management Institute (2002)

14
DRAFT

In order to keep an organization's client base and business partners, business continuity standard
[24] was created. BS 25999 offers the framework to develop, implement, maintain, and improve a
dynamic Business Continuity Management System that combats business interruption. The professional
practices that this standard offers are based on 10 principles to know:
1. Project Initiation and Management.

2. Risk Evaluation and Control.

3. Business Impact Analysis.

4. Developing Business Continuity Management Strategies.

5. Emergency Response and Operations.

6. Developing and Implementing Business Continuity Plans.

7. Awareness and Training Programs.

8. Exercising and Maintaining Business Continuity Plans.

9. Crisis Communications.

10. Coordination with External Agencies.

Supply chain continuity is one aspect of a broader category of issues called Supply Chain Risk
Management (SCRM). Supply chain continuity is an emerging discipline. One of the greatest threats to
business continuity faced by manufacturers is loss of critical raw materials. Most organizations rely in
some way on their supply chain to ensure business continuity and they are vulnerable if supplies are
interrupted. BS 25999 ensures that organization will develop a network of supply chains so that when
one link breaks, another link is ready to take its place.
The recommendations to ensure business continuity in supply chain are [25]:
• Maintaining safety stock.
• Monitoring transportation entities and planning for contingent shipping arrangements.
• Observing product transportation paths, looking for potential bottlenecks.
• Developing plans to allow for acceleration of shipments.
• Implementing a crisis communications process with key vendors.
• Developing continuity plans to address in-house product receipt, inventory management and
product shipment processes, with an emphasis on labor interruption and other single points of
failure.
Business continuity efforts are enhanced with management system-oriented models that avoid
professional jargon and focus on business outcomes. Putting the business continuity program into key
organizational outputs is meant to focus on the objectives of management and to speak in the language
of the organization. Because of this, the business continuity program is able to communicate real
capability and output, rather than focusing on micro business continuity-specific projects. Then

15
DRAFT

strategies and plans for how to recover should be developed that could be implemented, both before the
incident (similar to risk management strategies) and after the incident, post-incident strategies are
implemented to maintain partial or total product supply.

2.2.4 Contingency
Once the connected risk themes are identified and evaluated, actions to address consistent themes
throughout the procurement process can be taken. Identification of consistent risk themes across a
number of risk dimensions can help to determine where the company should place significant effort to
mitigate the risk exposure.
The dynamic interactive and evolutionary nature of supply chain relationships suggests that a
contingency approach to constructing a risk framework may be more suitable than a generic approach
seeking to establish common risk characteristics and responses or the situation approach which simply
suggests that every supply chain is different and needs to be treated as a one-off decision case in terms
of risk resolution [26]. Furthermore, a contingency approach to risk framework within the context of the
supply chain seeks to establish a support system and behavioral characteristics for decisions associated
with risk in the supply chain and its effective management.

3. Business Assessment Process

The business assessment is divided into two components, risk assessment and business impact
analysis (BIA). Risk assessment is described to evaluate existing exposures from the organization’s
environment, whereas the BIA assesses potential loss that could be caused by a disaster.

3.1 Risk Assessment

The purpose of risk assessment is the generation of knowledge linking specific risk agents with
uncertain but possible consequences [27], [28]. Furthermore, risk assessment is an evaluation of the
exposures present in an organization’s external and internal environment. It identifies whether or not the
facility housing the organization is susceptible to floods, hurricanes, tornadoes, sabotage, etc. It then
documents what mitigation steps have been taken to address these threats. The basis of risk assessment
is the systematic use of analytical – largely probability-based – methods which have been constantly
improved over the past years.
The basis of risk assessment is the systematic use of analytical – largely probability-based –
methods which have been constantly improved over the past years. Probabilistic risk assessments for
large technological systems, for instance, include tools such as fault and event trees, scenario techniques,
distribution models based on Geographic Information Systems (GIS), transportation modeling and
empirically driven human-machine interface simulations [29], [30]. With respect to human health,
improved methods of modeling individual variation [31], dose-response relationships [32] and exposure
assessments [33] have been developed and successfully applied. The processing of data is often guided

16
DRAFT

by inferential statistics and organized in line with decision analytic procedures. These tools have been
developed to generate knowledge about cause effect relationships, estimate the strength of these
relationships, characterize remaining uncertainties and ambiguities and describe, in quantitative or
qualitative form, other risk or hazard related properties that are important for risk management [34],
[35]. In short, risk assessments specify what is at stake, calculate the probabilities for (un)wanted
consequences, and aggregate both components into a single dimension [36].
According to [5], Risk Assessment is the overall of “Risk Identification, Risk Analysis and Risk
Evaluation”.

3.1.1 Risk Identification

The organization should identify sources of risk, areas of impacts, events and their causes and their
potential consequences. The aim of this step is to generate a comprehensive list of risks based on those
events that might enhance, prevent, degrade or delay the achievement of the objectives. It is also
important to identify the risks associated with not pursuing an opportunity. Comprehensive
identification is critical, because a risk that is not identified at this stage will not be included in further
analysis. Identification should include risks whether or not their source in under control of the
organization.
The organization should apply risk identification tools and techniques which are suited to its
objectives and capabilities, and to the risks faced.
Relevant and up-to-date information is important in identifying risks. This should include suitable
background information where possible. People with appropriate knowledge should be involved in
identifying risks. After identifying what might happen, it is necessary to consider possible causes and
scenarios that show what consequences can occur. All significant causes should be considered.

3.1.2 Risk Analysis

Risk analysis is about developing an understanding of the risk. Risk analysis provides and input to
risk evaluation and to decisions on whether risks need to be treated and on the most appropriate risk
treatment strategies and methods.
Risk analysis involves consideration of the causes and sources of risk, their positive and negative
consequences, and the likelihood that those consequences can occur. Factors that affect consequences
and likelihood should be identified. Risk is analyzed by determining consequences and their likelihood,
and other attributes of the risk. An event can have multiple consequences and can affect multiple
objectives. Existing risk controls and their effectiveness should be taken into account.
The way in which consequences and likelihood are expressed and the way in which they are
combined to determine a level of risk will vary according to the type of risk, the information available
and the purpose for which the risk assessment output is to be used. These should all be consistent with

17
DRAFT

the risk criteria. It is also important to consider the interdependence of different risks and their sources.
The confidence in determination of risk and their sensitivity to preconditions and assumptions
should be considered in the analysis, and communicated effectively to decision makers and other
stakeholders if required. Factors such as divergence of opinion among experts or limitations on
modeling should be stated and may be highlighted.
Risk analysis can be undertaken with varying degrees of detail depending on the risk, the purpose of
the analysis, and the information, data and resources available. Analysis can be qualitative,
semi-quantitative or quantitative, or a combination of these, depending of the circumstances. In practice,
qualitative analysis is often used first to obtain a general indication of the level of risk and to reveal the
major risks. When possible and appropriate, one should undertake more specific and quantitative
analysis of the risks as a following step.
Consequences can be determined by modeling the outcomes of an event or set of events, or by
extrapolation from experimental studies or from available data. Consequences can be expressed in terms
of tangible and intangible impacts. In some cases, more than one numerical value or description is
required to specify consequences for different times, places, groups or situations.

3.1.3 Risk Evaluation

The purpose of risk evaluation is to assist in making decisions, based on the outcomes of risk
analysis, about which risks need treatment to prioritize implementation.
Risk evaluation involves comparing the level of risk found during the analysis process with risk
criteria established when the context was considered. If the level of risk does not meet risk criteria, the
risk should be treated.
Decisions should take account of the wider context of the risk and include consideration of the
tolerance of the risks borne by parties other than the organization that benefit from the risk. Decisions
should be made in accordance with legal, regulatory and other requirements.
In some circumstances, the risk evaluation can lead to ad decision to undertake further analysis. The
risk evaluation can also lead to a decision not to treat the risk in any way other than maintaining existing
risk controls. This decision will be influenced by the organization’s risk appetite or risk attitude and the
risk criteria that have been established.

3.2 Business Impact Analysis (BIA)

A BIA is an assessment of an organization’s business functions to develop an understanding of their
criticality, recovery time objectives, and resource needs all based on the [24]. Moreover, BIA‘s
primarily objective is to identify impact of business disruption and time sensitivity for recovery
During the BIA process it is evaluated the risk of business process failures and it is identified the
critical and the necessary business functions and their resource dependencies [37]. Also, it is

18
DRAFT

estimated the financial and operational impacts of a disruption; it is identified regulatory/compliance

exposure; and it is determined the impact upon the client’s market share and corporate image.
The BIA process is a crucial link between the risk management stage and the business continuity
plan development stage. The BIA identifies the mission-critical areas of business and continuity
requirements which become the main focus of the business continuity.
The benefits of BIA are:
1. Identify the requirements for recovering disrupted mission-critical areas.
2. Guarantee the business stability.
3. Guarantee an ordinate recovery.
4. Reduce the dependency of key personal.
5. Increment the active protection.
6. Guarantee the safety of people, customers and partners.
Business Continuity is a concern of the entire organization, not just the IT department. Therefore, all
area of the organization should be involved in a comprehensive BIA. At least one representative from
each business area of the organization should participate.
Recovery time requirements consist of several components. Collectively, these components refer to
the length of time available to recover from a disruption. An understanding of these components is a
prerequisite for conducting the BIA. Which components are: Maximum Tolerable Downtime (MTD),
Recovery Time Objective (RTO), Recovery Point Objective (RPO), and Work Recovery Time (WRT).
(Fig. 5)
MTD represents the maximum downtime the organization can tolerate for a business process
(RTO+RPO); RTO indicates the time available to recover disrupted system resources; RPO extent of
data loss measured in terms of a time period that can be tolerated by a business process. WRT is the
time period to recover the lost data, work backlog, and manually captured data once the
systems/resources are recovered or repaired.

19
DRAFT

Fig. 5: The BIA Process (Recovery Time Requirements)

One result of the analysis is a determination of each business function’s Recovery Time Objectives
(RTO). The RTO is the time within which business functions or application systems must be restored to
acceptable levels of operational capability to minimize the impact of an outage. The RTO describes the
time between the point of disruption and the point at which business functions or application systems
must be operational and updated to current status. The RTO is associated with the recovery of resources
such as computer systems, manufacturing equipment, communication equipment, facilities, etc.
Recovery Point Objective (RPO) expresses the tolerance to a loss of data as a result of disruptive
event. It is measured as the time between the last data backup and the disruptive event
The BIA determines RPO for each application by asking participants the question “What is the
tolerance, in terms of length of time, to loss of data that may occur between any two backup periods?”
The response to this question indicates the values of RPO.
The BIA process consists of a sequence of 11 steps that interact together to identify the impacts of a
business disruption and determine the requirements to restore disrupted critical business process: 1.
Define BIA objectives, scope, and assumptions; 2. Identify business functions and process; 3. Assess
financial and operational impacts; 4. Identify critical processes; 5. Assess MTDs and prioritize critical
process; 6. Identify critical IT systems and applications; 7. Identify critical non-IT resources; 8.
Determine RTO; 9. Determine RPO; 10. Identify work-around procedures; and 11. Generate BIA
information summary.

20
DRAFT

At the end of the BIA process a report is generated that includes details of the key output from the
steps of the BIA process and summarize its findings..

3.3 Strategy Analysis

Risk strategy defines means of coping with risks, defining approaches to be adopted. If risks are in
the organizations area of expertise, they become business opportunities. Risk strategy should establish
guideline to include: [38]
 Organization & responsibilities;
 Organization risk attitude;
 Ownership for specific risks;
 Methods to be used at each planning level to deal with risk;
 Peer reviewing and benchmarking;
 Encouragement of proactive risk reporting;
 Criteria for risk assessment and definition of critical risks;
 Encouraging effective communications of risks.
Effective supply chain risk management must be holistic and integrated. It is the lack of a strategic
source plan that can result in a conflict of cost versus risk (tradeoff).

3.3.1 Trade-offs
A cost-effectiveness analysis can be interpreted as a cost-benefit analysis where the willingness to
pay per effectiveness unit is assumed to be constant and the same for everyone. To relax this
assumption the willingness to pay per effectiveness unit can be allowed to vary. Cost-effectiveness
analysis is best viewed as a subset of cost-benefit analysis, where the aim of the analysis is to estimate
the cost function of producing health effects.
Although supply chain cost-efficiency measures can increase risk, cost can also reduce supply chain
risks.

3.3.1.1 Cost-Benefit
Experts agree that there are right and wrong ways of incurring and addressing supply chain risk.
Think of cost and risk as variables that exist along a continuum; reducing one often comes at the
expense of increasing the other.
Some firms may express concerns regarding the requisite costs associated with these risk
management strategies, while others would recognize the additional benefits. At a conceptual level,
these risk management strategies would enhance the competitive position of a firm, especially when
other firms’ supply chains are more vulnerable to disruptions. However, it is difficult to quantify the
value of competitiveness. Theoretically speaking, the costs for implementing these proactive strategies

21
DRAFT

can be viewed as “insurance premiums” that will safeguard the supply chains from major disruptions
[39]. However, it is difficult to evaluate the return on these insurance premiums, especially in the
absence of reliable data (probability that a disruption would occur, potential loss due to a disruption,
etc.).

3.3.2 Supply Chain Continuity Framework

Various authors have proposed different development cycles for BCM, each of which places emphasis on

particular aspects of BCM [40], [41], [42], [43], [44]. In this section, a framework is created to allow a company to

create supply chain visibility and better handle supply chain disruptions, improving the organization’s performance.

The framework is based in a BCP process life cycle with six stages (risk mitigation management, business impact

analysis, supply continuity strategy development, supply continuity plan development, supply continuity plan

testing and supply continuity plan maintenance) with five supply chain operational constructs (inventory

management, quality, ordering cycle-time, flexibility and costumers) with the purpose to keep supply chain more

resilience.

In creating a mitigation program the goal is to eliminate risks where possible and to lessen the negative impact

of disasters that cannot be prevented. Mitigation is as simple as fastening down computer terminals in

earthquake-prone areas or moving computers to a higher floor where floods are a potential threat to dispersing

critical business operations among multiple locations, to relocating an operation from an area where the risks are

extremely great or perhaps contractually transferring some operations. However, there is the need to have a BCP to

maintain continuity of business during a destructive disruption.

According to Fig. 6, we have:

The BCP process life cycle has the business continuity best practices for developing and maintaining a supply

chain continuity plan. Therefore, a comprehensive business continuity program that considers all internal and

external links in the supply chain is essential if the business is to survive following a major disaster. With this

affirmation, we developed a supply chain continuity framework, where the BCP process life cycle together with the

operational constructs has the purpose to keep the supply chain more resilient:

1. Stage 1: Risk Mitigation Management:

This first stage will assess the threats of disaster, existing vulnerabilities, potential disaster impacts, and

identifying mitigation control are needed to prevent or reduce the risks of disaster related to the operational

constructs (O.C).

2. Stage 2: Business Impact Analysis (BIA):

This stage identifies mission-critical processes of the O.C., and analyzes impacts to business if these

processes are interrupted as a result of disaster. Furthermore, the BIA is the foundation on which a

comprehensive business continuity program is based. Its goal is to determine the most to least time-critical
business functions throughout

the organization. For each of these functions a related recovery time objective (RTO), the target time in which

22
DRAFT

each function must be operational following a disruption, is determined. For supply management a BIA will include

a review the operations of manufacturing, transportation, distribution services, support technology, warehouses, and

service centers, as well as tradeoff in between of them.

3. Stage 3: Supply Continuity Strategy Development:

The third stage assesses the requirements and identifies the options for recovery of critical processes and

resources related to the O.C. in the event they are disrupted by a disaster

4. Stage 4: Supply Continuity Plan Development:

This stage develops a plan for maintaining business continuity based on the results of previous stages.

5. Stage 5: Supply Continuity Plan Testing:

This stage will test the supply continuity plan document to ensure its currency, viability, and completeness.

6. Stage 6: Supply Continuity Plan Maintenance:

The final stage will maintain the supply continuity plan in a constant ready-state for execution.

Fig. 6 Supply Chain Continuity Framework

23
DRAFT

4. Conclusion
Everything changed for the supply chain area after the terrorist attacks of September 11, 2001 in
New York. From that time until now many strategies in the field of security, risk management and
business continuity has been created.
Supply chain risk management often seems to focus on the risks within a particular organization, but
we know that each member of a supply chain occupies a unique position. Then risks to any single
member can be transmitted and expanded into risks to the whole chain. The best way of dealing with
these joint risks is not to work in isolation but to have all members cooperating and working together to
reduce the level of risk to the whole chain.
Since supply chain risk management is a relatively new area of research, there are many research
opportunities in the field of risk management and business continuity. Therefore, the most important
aspect is to create a supply chain risk management culture. This is not just risk management but
performance improvement, where companies will make money by taking smart risks or lose money by
failing to re-tool their legacy business processes to assess and mitigate risk effectively.
This chapter takes a supply chain risk and business continuity perspective on corporate preparedness
and response to disruptions.

24
DRAFT

References

1. Rowe, W. D. (1977), Anatomy of Risk, Willey New York.

2. John J. Hampton (2009), Fundamentals of Enterprise Risk Management: How Top Companies Assess Risk,

Manage Exposure, and Seize Opportunity, American Management Association.

3. Hertz, D. and Thomas, H. (1983), Risk Analysis and its Applications, John Wiley & Sons, Chischester.

4. Survey Report BCI (2009), Experience of Supply Chain Disruption.

5. ISO/DIS 31000: Risk Management – Principles and Guidelines on Implementation.

6. Waugh, W.L., 1996. Disaster management for the new millennium. In: Sylves, R.T., Waugh, W.L. (Eds.),

Disaster Management in the U.S. and Canada: The Politics, Policymaking, Administration and Analysis of

Emergency Management. Charles C. Thomas Publishers, Spring"eld, Illinois, pp. 344}359 (Chapter XVI).

7. Mazmanian, D.A., Sabatier, P.A., 1983. Implementation and Public Policy. Scott, Foresman and Company,

Glenview, IL.

8. Faisal, M., Banwet, D., & Shankar, R. (2006). Supply chain risk mitigation: modeling the enablers. Business

Process Management Journal, 12 (4), 535-552.

9. ISO 28002: Resilience in the Supply Chain: requirements with Guidance for Use (2009).

10. Holling, C. S. (1973), the Resilience of Terrestrial Ecosystems. Annual Review of Ecology and Systematics

4:1-23

11. Svensson, Goran (2002), "Dyadic Vulnerability in Companies' Inbound and Outbound Logistics Flows,"

International Journal of Logistics and Research Applications, Vol. 5, No. l,pp. 13-44.

12. Craighead, C. S., Blackfurst J., Rungtusanatham M.J. and Handfield R.B., (2007). The Severity of Supply

Chain Disruptions: Design Characteristics and Mitigation Capabilities. Decision Sciences 38, 1, 131-156.

13. Sheffi, Y., (2005). The resilient enterprise: overcoming vulnerability for competitive advantage. MIT Press

Book.

14. Chapman, Paul, Martin Christopher, Uta Jüttner, Helen Peck, and Richard Wilding (2002), "Identifying and

Managing Supply-chain Vulnerability," Logistics and Transport Focus, Vol. 4, No. 4, pp. 59-64.

15. Peck, Helen (2005), "Drivers of Supply Chain Vulnerability: An Integrated Framework," International Journal
of Physical Distribution and Logistics Management, Vol. 35, No. 4, pp. 210-232.

16. Svensson, Goran (2000), "A Conceptual Framework for the Analysis of Vulnerability in Supply Chains,"

International Journal of Physical Distribution and Logistics Management, Vol. 30, No. 9, pp. 731-749.

17. Svensson, Goran (2004), "Vulnerability in Business Relationships: The Gap between Dependence and Trust,"

Journal of Business and Industrial Marketing, Vol. 19, No. 7, pp. 469-483.

18. Zsidisin, George A. (2003), "A Grounded Definition of Supply Risk," Journal of Purchasing and Supply

Management, Vol. 9, No. 5/6, pp. 217-224.

19. Hopking, K. (2005), Value opportunity three: improving the ability to fulfill demand. Business Week.

25
 DRAFT

20. St. George, A., Li and Fung: beyond “filling in the mosaic”. Harvard Business School, case 9-398-092, 1998.

21. McFarlan,W., Li and Fung (A): internet issues. Harvard Business School, case 9-301-009, 2002.

22. Veverka, M., A DRAM shame. Barron’s, 15 October 1999, p. 15.

23. Martha, J. and Subbakrishna (2002), S., Targeting a just-in-case supply chain for the inevitable next disaster.

Supply Chain Mgmnt Rev.

24. BS 25999: Business Continuity Management (BCM) Standard (2007).

25. Parier, Michael and Zawada, Brian (2002). Risky Business – Failing to Assess Supply Chain Continuity. A

Study Conducted by the Council of Logistics Management States.

26. Brindley, Clare (2004), Supply Chain Risk, Ashgate Publishing Company.

27. Lave, L. (1987). Health and Safety Risk Analyses: Information for Better Decisions. Science, 236, pp.291-295.

28. Grahan, J.D. and Rhomberg, L. (1996). How Risks are Identified and Assessed

29. IAEA: Guidelines for Integrated Risk Assessment and Management in Large Industrial Areas (1995).

30. Stricaff, R.S. (1995). Safety Risk Analysis and Process Safety Management: Principles and Practices.

31. Hattis, D. (2004). The conception of variability in risk analyses: Developments since 1980.

32. Olin, S., Farland, W., Park, C., Rhomberg, L., Scheuplein, R., Starr, T. and Wilson, J. (1995). Low Dose

Extrapolation of Cancer Risks: Issues and Perspectives.

33. US-EPA Environmental Protection Agency: Exposure Factors Handbook (1997).

34. IEC: Guidelines for Risk Analysis of Technological Systems (1993), Report IEC-CD (Sec) 381 issued by the

Technical Committee QMS/23. (European Community: Brussels)

35. Kolluru, R.V. (1995). Risk Assessment and Management: A Unified Approach. Mc-Graw-Hill: New York, pp.

1.3-1.41.

36. Barnes, James C. (2001). A guide to Business Continuity Planning. John Wiley & Sons Ltd.

37. Drew, M. (2007). Information risk management and compliance – Expect the unexpected, BT Technology

Journal 25:1, pp 19-29.

38. Sheffi, Y. (2001). Supply chain management under the threat of international terrorism. Int. J. Logistics

Mgmnt, pp. 12, 1–11.

39. Hiles, A. and Barnes, P. (eds), (2001). The Definitive Handbook of Business Continuity Management, J.
Wiley and Sons, Chichester.

40. CCTA. (1995). An introduction to business continuity management. London: HMSO.

41. Barnes, J. C. (2001). A guide to business continuity planning. Chichester: Wiley.

42. Hiles, A. and Barnes, P. (eds), (2001). The Definitive Handbook of Business Continuity Management, J.

Wiley and Sons, Chichester.

43. Starr, R., Newfrock, J., & Delurey, M. (2002). Enterprise resilience: managing risk in the networked economy.

Strategy and Business, V.30, pp.73–79.

44. Smith, D. J. (Ed.). (2002). Business continuity management: Good practice guidelines. Caversham: Business

Continuity Institute.

26

View publication stats