Managing the Risk of Supply Chain Disruption: Towards a Resilient Approach of Supply Chain Management

Jianxin Xu School of Management, Hanghzou Dianzi University

Hangzhou 310027 P.R. China

leoxu007@gmail.com

Abstract

Disruption risk has received increasing attention in the last few years, when it comes to global supply chains, the potential for disruption comes in many packages, from large-scale natural disasters and terrorist attacks to plant manufacturing fires, widespread electrical blackouts, and operational contingencies such as shipping ports too small to handle the flow of goods coming into a country. The reason is undoubtedly that, supply chain innovation over the past decade has focused on flexibility and responsiveness, with longer paths and shorter clock speeds, today’s leaner, just-in-time globalized supply chains are more vulnerable than ever before to natural and man-made disasters, and there are more opportunities for disruption and a smaller margin for error if a disruption takes place. So, managing supply chain disruptions revolves around two goals: first, to thoroughly understand the potential of identified risks; and second, to increase the capacity of the supply chain — within reasonable limits — to sustain and absorb disruption without serious impact, a reality that creates greater demands on companies to keep supply chains flexible and integrate disruption risk management into every facet of supply chain operations. In this paper, we expressed out views in three steps, the first part, we delivered a framework for risks analyzing in supply chains, and second, we developed approaches on building resilient supply chains, and also gave some advices on how to build up resilient supply chains. In the third part, we provided Ericsson as a case to support our views. 1. Introduction

Before discussion, some of definitions about SCM

(Supply Chain Management) and risk management should be clarified here, namely, SCM, risk, risk management

and SCRM (Supply Chain Risk Management), which will be helpful to understand the logistical relationship among them.

1.1. Supply Chain Management

The definition of supply chain management can be easily found from the research papers, and it is not difficult to recall the tidal wave of logistics and SC principles of the last few decades, from reducing costs, then to time and quality and later, to the concepts of responsiveness, agility and leanness, and recently, the principles could lead to very vulnerable supply chains, and, consequently, the interest in supply chain risk management has increased greatly. (see Figure 1). 1.2. Risk and risk management

Risk is not only a common word but also a complex word with an unclear definition. Until now there was no consolidated theoretic definition of risk, but the popular explanations are mainly as follows: risk is

uncertainty of outcomes probability of lost or lost occurrence deviation of outcomes from expectation change leading to loss danger of harm loss.

According to these explanations, we can get the basic characters of risk:

risk is attitude to the future, which means time is a key factor

risk is rooted in uncertainty, which means uncertainty is a key factor

risk occurs because of knowledge of information, which means information is a key factor

risk includes disadvantage, which means loss is a key factor.

2008 ISECS International Colloquium on Computing, Communication, Control, and Management

978-0-7695-3290-5/08 $25.00 © 2008 IEEE

DOI 10.1109/CCCM.2008.9

3

2008 ISECS International Colloquium on Computing, Communication, Control, and Management

978-0-7695-3290-5/08 $25.00 © 2008 IEEE

DOI 10.1109/CCCM.2008.9

3

Figure 1. Developing Trend of Supply Chain

Deloach (2002) defines business risk as “the level of exposure to uncertainties that the enterprise must understand and effectively manage as it executes its strategies to achieve its business objectives and create value”. A ‘quantitative definition’ could be expressed thus: Risk = Probability (of the event) × Business Impact (or severity of the event) (The Royal Society, 1992).

Risk management is a series of procedures and steps made by certain organizations for facing all kinds of risk exposure. It usually includes risk identification, measurement, control and monitoring. The purpose of risk management is to make decisions regarding risk and their subsequent implementation and flows from risk estimation and risk evaluation The Royal Society, 1992). The risk management process is focused on understanding the risks and minimizing their impact by addressing, e.g., probability and direct impact. The stages of the risk management process discussed can vary from risk identification/analysis (or estimation), via risk assessment (or evaluation), to different ways of risk management (labels differ among authors, although the steps are similar) (Norrman and Jansson, 2004). 1.3. Supply Chain Risk Management

Risk in the SC means the benefit deviation from the

expectations of organizations in the SC, which is caused by all kinds of unforeseeable and uncertain factors in SC operation. SC risks come in many different forms. SCRM should be aware of both events that may cause disturbances and of every significant link along the SC (Finch, 2004). The focus of SCRM is to understand and try to avoid, the devastating ripple effects that disasters, for even minor business disruptions, can have in a SC (Norrman and Jansson, 2004).

1.4. Supply Chain Disruption Supply chain disruption: An interruption in the

continuity of the normal supply chain flow with a negative impact.

Given the high stakes, experts generally agree that managing supply chain disruptions revolves around two goals: first, to thoroughly understand the potential of identified risks; and second, to increase the capacity of the supply chain – within reasonable limits – to sustain and absorb disruption without serious impact.

2. Risks and Vulnerabilities Analysis in Supply Chains

As defined above, risks in the supply chain do not

usually occur in one or two parts. They will be present in and have impact on every node and every link of global supply chain.

Supply chain experts suggest that the key to first mitigating and then managing disruption risks is understanding and assessing a company’s vulnerabilities. Vulnerability assessment involves answering three questions: What can go wrong? What is the likelihood of that happening? What are the consequences if it does happen?

Kleindorfer (2005) has identified three main categories as the primary sources of supply chain disruption risk: operational contingencies, which include equipment malfunctions and systemic failures, abrupt discontinuity of supply (when a main supplier goes out of business), bankruptcy, fraud, or labor strikes; natural hazards such as earthquakes, hurricanes, storms; and terrorism or political instability.

44

High Vulnerability

Low Vulnerability

Consequences

Dis

rupt

ion

Prob

abili

ty

High

Low

Light Severe

Figure 2. The vulnerability map

In another point of view (Yossi Sheffi and James B.

Rice Jr., 2005), disruptions can also be classified as random events (including natural disasters), accidents or intentional disruptions (such as job actions or acts of terrorism or sabotage). The method of estimating the likelihood of each class differs. The probabilities of random phenomena such as earthquakes, hurricanes, floods or lightning strikes can be estimated from historical data. The likelihood of accidents can also be estimated from industry data, prior events and the enterprise’s safety program. The probability of intentional disruptions – known as adaptive threats because they are designed by their perpetrators to inflict maximal damage – is more difficult to estimate, in part because o f their lack of

historical data and in part because the likelihood is a function of the specific company’s decisions and actions.

Potential disruptions can be categorized as a function of their probability and consequences (See Figure 2, Yossi Sheffi, ect, 2005). The vulnerability to a specific risk – say, a terrorist attack on a corporate asset – varies considerably from company to company. For American Airlines Inc., such an attack is both high probability and high impact. For fast-food giant KFC, such an event is high probability but relatively low impact. On the other hand, while clothing retailers such as Timberland may be an unlikely terrorist target, it would be severely affected should an attack occur since it processes a significant portion of its merchandise through a single distribution center. Lastly, Ace Hardware Corp. is one of many businesses that are unlikely target of terrorism, and it would be highly resilient in any event. Even though it operates 500 of its stores in more than 70 foreign countries including gulf states such as Kuwait and Saudi Arabia, Ace Hardware is a dealers’ buying cooperative with a low profile. It is not an obvious target and, with thousands of US retail outlets and dozens of distribution centers and cross-dock facilities, it could easily withstand a single-point disruption.

Single PortClosure

Transportation LinkDisruption

ComputerVirus

Flood

WindDamage

WorkplaceViolence

IT SystemFailure

Labor Unrest

EconomicRecession

Visible QualityProblems

Loss of KeySupplier

ProductTamering

AccountingIrregularity

Earthquake

Multiple PortClosure

TechnologicalChange

EmployeeSabotage

Disruption

Probability

Consequences

High

Low

Light Severe Figure 3. Vulnerability map for a single firm

Individual companies can create an “enterprise vulnerability map” (Figure 3) by placing various threats in the appropriate quadrant of the vulnerability framework. Such maps (Yossi Sheffi and James B. Rice Jr., 2005) can then direct management attention and prioritize planning. Vulnerability maps must be continuously updates and

new threats emerge. In particular, the likelihood of, and resilience to, adaptive threats will change with a company’s actions. For example, human resources policy may affect the likelihood of industrial actions, and the availability of alternate manufacturing resources many affect the severity of a potential supply disruption.

55

Similarly, defensive measures might deflect a terrorist attack or sabotage, while significant redundancy may allow for a fast recovery, thereby reducing the likelihood of an attack even further.

As they chart their vulnerability maps, supply chain managers not only must take into account familiar risk factors such as the financial viability of their vendors, the likelihood of natural disasters, the availability of energy supplies and so on, but they must also worry about terrorism and the vulnerabilities of more comprehensive scenario planning to model the dynamics and consequences of high –impact risks such as terrorism, the 2001 foot and mouth disease outbreak the UK or the 2003 SARS outbreak in China. Such comprehensive scenario planning can illuminate the direct effects of large-scale disruptions as well as their secondary effects, such as the public fear and resource boarding that these events can engender.

3. How to Be Resilient in Supply Chain Management

In materials science, resilience is the physical property of a material that can return to its original shape or position after a deformation that does not exceed its elastic limit. In today’s business environment, resilience is widely used to characterize an organization’s ability to react to an unexpected disruption, such as one caused by a terrorist attack or a natural disaster, and restore normal operations.

Beyond enabling a company to maintain operations following a disruption, resilience potentially can be competitive advantage if you can respond more favorably to disruption than the competition. This might mean being ready to capitalize on opportunities to serve your competitors’ customers if your competitors cannot.

Even in cases where the disruption affects the competitors equally, companies can compete on their resilience capabilities. This was evident in the respective responses of Nokia and Ericsson to the loss of a supply of radio-frequency chips (RFC) in early 2000. While both competitors depended solely on Philips Electronics for RFCs and were thus equally affected by a fire in the main Philips RFC plant, their responses could not have been more different. Nokia immediately sensed the disruption and responded aggressively, dedicating 30 employees to work with Philips and other suppliers to maintain a steady RFC supply. Ericsson, however, did not sense the seriousness of the disruption and ultimately mounted only a modest effort to restore supply. The net effect was that Nokia achieved its sales plans, while Ericsson missed a critical new product introduction that amounted to an estimated $400-million-revenue loss. Ericsson ultimately exited from the business of making cellular phones.

3.1. Flexibility or Redundancy?

Of all the ways to create resilience, two methods hold

the greatest potential. One involves flexibility, the other redundancy. Each approach has different cost and service characteristics that are important considerations when designing a supply network of resilience.

RiskMonitoring

RiskAssessment

RiskIndenfi-cation

RiskTreatment

IncidentHandling

ContingencyPlanning

Figure 4. Ericsson's basic approach to supply chain

risk management Flexibility entails creating capabilities within the

organization to respond. These capabilities are mainly developed through investments in infrastructure and resources before they actually are needed. Initiatives to improve flexibility would include, for example, developing a multi-skilled workforce, designing production systems that can accommodate multiple products and real-time changes, and adopting sourcing strategies that permit transparent switching of suppliers. By using flexibility, the company redeploys some existing capacity in one area to make up for lost or delayed capacity in another area. This involves some costs for designing rapid change operations that accommodate multiple products and for developing a multi-skilled workforce.

Redundancy, by contrast, entails maintaining capacity to respond to disruptions in the supply network, largely through investments in capital and capacity prior to the point of need. Redundancy is central to such efforts as managing inventory, maintaining production lines or facilities in excess of capacity requirements, committing to contracts for material supply (buying capacity whether

66

it is used or not), and maintaining a dedicated transportation fleet.

An important distinction between flexibility and redundancy is that the latter involves capacity that may or may not be used; it is this additional capacity that would be used to replace the capacity loss caused by a disruption. Flexibility, on the other hand, entails redeploying previously committed capacity. This implicitly involves making tradeoffs among producing different products or serving different customers, which would not be the case with redundancy.

Someone argued that there is significantly more leverage in making supply chains flexible than there is adding redundancy. Flexibility amounts to building organic capabilities that can sense threats and respond to them quickly. Not only does this bolster the resilience of an organization, but it also creates a competitive advantage in the marketplace. To see how flexibility can be achieved, consider the essential elements of any supply chain: Material flows from supplier through a conversion process, then through distribution channels. It is controlled by various systems, all working in the context of the corporate culture. Each of these five elements offers a dimension of potential flexibility.

Ultimately, a company will likely adopt a mixture of these flexibility and redundancy alternatives, depending on different cost and service characteristics as well as on specific business and industry factors.

4. Case from Ericsson

In the last few years (after the “Albuquerque accident” and before the renewal of its insurance), Ericsson has further developed and implemented processes and tools for supply chain risk management. The purpose is “minimizing risk exposure in the supply chain”. Its approach for this (Figure 4) is based on a process with feedback-loops between the sub-processes. The risk management process includes risk identification (similar to risk analysis), risk assessment, risk treatment (similar to risk management) as previously discussed in theory, but it has also added a process step for risk monitoring. In parallel (and central) to this, the company has put incident handling and contingency planning considering both flexibility and redundancy.

5. Concluding Discussion

Managers have a wealth of options available for designing a supply chain that is resilient. But any effort will likely fall short unless an adequate business case is made for investing in supply chain re-silience. And the business case cannot be made successfully unless the impact of a disruption is quantified to some degree. Critical to making the business case and quantifying the

impact is recog-nizing that the company is dependent on external entities for supply chain resilience—and not just on internal business operations. A key lesson from the study centers on the weakness of focusing solely on internal operations by considering only the likelihood of a terrorist attack or major disruption on the company. Because the probability of such an event is very low, some may feel lucky and not work to make their supply chain resilient. But the more prudent perspective is to recognize that the supply chain may be disrupted by events or sources that are completely external to the organization. Ultimately, what determines whether or not a company takes action may actually come down to its organizational capabilities to learn and be motivated from past experiences, just like Ericsson, rather than the availability of new technologies or risk assessment methodologies.

Acknowledgement

The paper is sponsored both by Research Subject from Social Science Federation of Zhejiang Province as one of the achievements of the subject of No.07N55 and Hangzhou Science & Technology Bureau as one of the achievements of the subject of No.20070334M11. References [1] Deloach, J.W., Enterprise-Wide Risk Management:

Strategies for Linking Risk and Opportunities, FT Prentice-Hall, London, 2002.

[2] Finch, P., “Supply Chain Risk Management”, Supply Chain Management, Vol. 9, No. 2, pp.183–196

[3] Kleindorfer, P.R., Saad, G.H., “Managing Disruption Risks in Supply Chains”, Production and Operations Management, Vol. 14, No.1, pp.53-68.

[4] Norrman, A. and Jansson, U., “Ericsson’s Proactive Supply Chain Risk Management Approach after a Serious Sub-Supplier Accident”, Int. J. of Physical Distribution and Logistics Management, Vol. 34, No. 5, pp.434–456.

[5] Sheffi, Y., Rice Jr. J. B., “A Supply Chain View of the Resilient Enterprise”, MIT Sloan Management Review, Fall 2005, pp.41-48.

[6] The Royal Society, Analysis, Perception and Management, The Royal Society, London, 1992.

77