Assessing and managing risks using

Assessing and managing risks using the Supply Chain Risk Management Process (SCRMP)
Article
1. Supply chain risk management
At a time when global competition is intensifying and supply chains are becoming longer and more complex, the likelihood of not achieving the desired supply chain (SC) performance increases, mainly due to the risk of SC failures. It is therefore essential that companies plan for disruptions and develop contingency plans as they design or redesign their supply chains. Firms need to understand supply chain interdependencies, identify potential risk factors, their likelihood, consequences and severities. Risk management action plans can then be developed to preferably avoid the identified risks, or if not possible, at least mitigate, contain and control them. The risk involved in supply chains, as well as the impact severity of supply chain failures, has been demonstrated recently by the recalls and subsequent lawsuits for toy cars (Story, 2007) and pet food (FDA, 2008). While risk may be associated with unacceptable products delivered from upstream, it can also involve risks associated with the environment, such as the impact of hurricanes Katrina and Rita (Devlin, 2005), or the current hijackings and robberies of vessels by pirates off the coast of Somalia (Peats, 2008).
The purpose of this paper is to introduce a structured and systematic approach to enumerate SC risks, and to assess their severity and likelihood, so that risk mitigation plans can be developed and implemented. As such, this paper makes an important contribution to the area of supply chain risk management, and highlights an approach to manage these risks. It continues the tradition of recent academic research and industry reports, which have stressed the importance of supply chain risk management, as well as the development of approaches for its management (e.g. Blos et al., 2009; Manuj and Mentzer, 2008; Shaer and Goedhart, 2009).
Risk can be defined as a “combination of probability or frequency of occurrence of a defined hazard and magnitude of the occurrence” (BS 4778, 1991). Building on several authors that have defined supply chain risk (e.g. Choi and Krause, 2006; Zsidisin et al., 2000, 2004), we conceptualize supply chain risk as an event that adversely affects supply chain operations and hence its desired performance measures, such as chain‐wide service levels and responsiveness, as well as cost. Regardless of the area of interest, risk is associated with an undesirable loss, i.e. an unwanted negative consequence, and uncertainty. Table I presents an illustrative list of supply chain risks, compiled from various prior studies, most notably Chopra and Sodhi (2004) and Schoenherr et al. (2008).
Even though the assessment and management of risk in supply chains is more of a recent phenomenon, studies exist that explored risk management approaches from a variety of angles (e.g. Charette, 1989; Hayes et al., 1986; Lowrance, 1976; Rowe, 1977; Starr and Whipple, 1980). Building on these studies, Tummala et al. (1994), by following Raiffa (1982) and Hertz and Thomas (1983), developed a structured Risk Management Process (RMP) consisting of the five phases risk identification, risk measurement, risk assessment, risk evaluation, and risk control and monitoring. This RMP framework has been successfully applied to identify potential risk factors and to assess their likelihood of occurrence. In addition, the seriousness of associated consequences can be identified, and appropriate risk mitigating strategies can be developed (Burchett and Tummala, 1998). While the RMP has proven to be useful when applied to such individual project decisions, for example the risk involved in an extra high voltage transmission line project (Tummala and Burchett, 1999), it has yet to be applied to the much broader context of the supply chain. Additional risk management approaches are included in the works of, Blos et al. (2009), De Waart (2006), Kilgore (2004), Kleindorfer and Saad (2005), Kleindorfer and Van Wassenhove (2004), Manuj and Mentzer (2008), Sinha et al. (2004) and Zsidisin and Ellram (2003).
However the process may look like, techniques need to be in place for assessing the likelihood of occurrence of identified risk factors, as well as the seriousness of associated consequences. The present paper is based on and extends above studies, primarily the work by Tummala and colleagues (Tummala et al., 1994; Tummala and Mak, 2001), but also research conducted by Ellegaard (2008), Finch (2004), Manuj and Mentzer (2008), Schoenherr et al. (2008), and proposes an approach consisting of a modified RMP to identify, assess and manage supply chain risks. This modified approach is referred to as the supply chain risk management process (SCRMP). Techniques mentioned by Tummala and colleagues (Tummala et al., 1994; Tummala and Mak, 2001), as well as others, will be highlighted in subsequent sections within the context of supply chain risk assessment. Overall, the paper presents a conceptual framework and approach for effective and efficient management of risks in supply chains, and attempts to reduce to the current lack of conceptual frameworks in SC risk management (Manuj and Mentzer, 2008). While this work is a primary extension of Tummala and colleagues' (Tummala et al., 1994; Tummala and Mak, 2001) RMP, its application to supply chain management and supply chain risks is novel and provides significant insight into the management of such risks. The paper follows the tradition of risk management within the supply chain (e.g. Harland et al., 2003; Hauser, 2003; Paulsson, 2004).

2. The Supply Chain Risk Management Process (SCRMP)
The complete SCRMP is depicted in Figure 1. While the focus of this paper is on a detailed description of the three phases, the other components, such as drivers, risk categories, supplier/logistics evaluation criteria and performance measures should not be neglected. Risk identification, risk measurement and risk assessment comprise Phase I of the SCRMP, which will be described in the next section. Input to this first phase are internal and external drivers, such as those illustrated in Figure 1.



2.1 Phase I of SCRMP
2.1.1 Risk identification
The first step of the first phase of the SCRMP is risk identification (Figure 1). Risk identification involves a comprehensive and structured determination of potential SC risks associated with the given problem. Understanding risks, related to such categories as highlighted in Table I, is critical. These risk categories have also been included in our overall framework (Figure 1). Rather than attempting to be exhaustive, this list is illustrative of the multitude of risks that may be present. Affected areas need to be clearly identified and consequences need to be understood so that risk mitigation strategies can be implemented. Care should be taken since some strategies may adversely affect other risks (Chopra and Sodhi, 2004). Understanding the variety and interrelationships of SC risks is therefore important as well. Such an understanding can be achieved by considering threats and resources (Crockford, 1986). While threats refer to the broad range of forces, which could produce adverse results, resources refer to assets, people or earnings, which could be affected by the threats. One can start by first enumerating all possible threats that could produce adverse results for the performance of the supply chain. Then, for each threat, one needs to determine the resources of the organization that could be affected. The following approaches can help in the identification of potential SC risks: supply chain mapping, checklists or check sheets, event tree analysis, fault tree analysis, failure mode and effect analysis (FMEA) and Ishikawa cause and effect analysis (CEA) (see Tummala et al., 1994).
While it is beyond the scope of this paper to provide a thorough overview of each of these suggested approaches, they will be briefly defined and described in the following. Illustrative references are provided to which the interested reader is referred. First, supply chain mapping is an approach in which the SC and its flow of goods, information and money is visually depicted, from upstream suppliers, throughout the focal firm, to downstream customers. A strategic supply chain map is a tool to align supply chain strategy with corporate strategy, and to help firms manage and modify the supply chain (Gardner and Cooper, 2003). Once every detail of the supply chain has been mapped, potential risks can be identified better. Second, checklists or checksheets are forms to record how often a failure was attributed to a specific event. These forms are used to standardize data collection and to create histograms (Chase et al., 2006). Checklists could for example be used to record late deliveries from suppliers, which can serve as information to rate their reliability, i.e. the risk for not delivering on time. Third, event tree or fault tree analyses are graphical representations of all possible and subsequent outcomes triggered by an event (Pate‐Cornell, 1984), such as a supply chain failure. While both types of trees may appear to look the same, there are important differences, such as the presence of single or multiple event paths in the diagram (Hollnagel, 2004). One may for example map out the potential events and responses that may be triggered by a supply chain failure to then plan for alternatives. Fourth, failure mode and effect analysis (FMEA) is a tool to identify “at the design stages potential risks during the manufacture of a product and during its use by the end customer” (Karim et al., 2008, p. 3,601). For an introduction to FMEA please see McDermott et al. (1996). Before committing to a supply chain one could conduct such an analysis with this SC to analyze and assess what could go wrong, as well as how severe the consequences would be. And fifth, Ishikawa cause and effect analy