A comprehensive risk assessment and evaluation model: proposing a risk priority continuum.
Supply chain risks continue to affect global operations, with no promise of abating in the foreseeable future. While past studies have examined elements of supply chain risk, many have focused on only the likelihood of a risk occurring and/or the impact of the risk. This research outlines a more rigorous risk assessment and evaluation process, one that builds upon the reliability engineering field and includes an additional risk factor, the probability of risk detection. By using the proposed process, managers can create a risk priority continuum, which can lead to the development of better risk mitigation strategies. Given that not all risks are the same, this article provides a tool for assessing and prioritizing risks to enable managers to achieve desired risk prevention levels as well as to offer faster recovery from risks that actually occur.
Supply chain risks, risk identification tools, risk assessment, risk priority continuum, risk mitigation strategies
There is certainly no debate that supply chains are operating under increasingly more pressure (e.g., complexity, global focus, speed to market, increasing customer expectations, financial pressures), and the need to manage an efficient and effective supply chain is challenging given "we find a relatively unstable world on the one hand, and increasingly sensitive supply chains on the other" (Wagner and Bode 2008, 307), This business environment has placed immense pressure on firms to develop and expand new skills that focus on initiatives such as business continuity planning (Zsidisin, Melnyk, and Ragatz 2005), supply chain vulnerability (Peck 2005; Svensson 2002), supply chain resilience (Sheffi and Rice 2005), and supply chain sustainability (Carter and Rogers 2008). While differing in scope and objective, these various initiatives involve examining risk associated with supply chains. Given that "all supply chains are inherently risky," risk management processes are of critical importance (Craighead et al. 2007, 131). Yet, perhaps equally important is the understanding that all risks are not equal--risks differ by likelihood of occurrence, potential impact, and the ability to detect the risk in time to avoid it.
Due to the growing risks in supply chains, many authors call for more attention to risk management with respect to supply chains. Peck (2005, 210) indicates "supply chain vulnerability is a relatively new and unexplored area" of research. Giunipero and Eltantawy (2004) identify a need to provide managers with categorized risk situation factors. Autry and Bobbitt (2008) observe that little guidance exists for managers wishing to minimize damaging supply chain disruptions. Further, as indicated by Harland, Brenchley, and Walker (2003, 51), there is little research or tools available which "identify, assess, and manage" risk with respect to supply management.
In addition to understanding risk profiles, assessing whether or not a risk management strategy has been successful is important because risk management requires resources and investments, which are costly. Wagner and Bode's (2008) study examines the performance outcomes associated with risk management approaches, and proposes that risk management activities may only need to be conducted when the risks potentially disrupt the supply chain.
While investing in risk management can be expensive, not investing in risk management strategies can be costly as well. Giunipero and Eltantawy (2004) discussed the need for managers to recognize the value of prevention. Research by Voss, Whipple, and Closs (2009) illustrated that when a high priority is placed on security efforts, firms were able to improve their ability to detect and recover from security incidents within their own firm as well as across the supply chain. As discussed by Kleindorfer and Saad (2005), firms experiencing a severe supply chain disruption significantly underperform their competitors in terms of stock price. Certainly, it is also well recognized that a supply chain disruption not only has financial consequences, but can also negatively impact a firm's brand image and reputation. This recognition, coupled with the fact that disruptions can have both direct and indirect effects along the supply chain (Wagner and Bode 2008) suggests that a supply chain is only as secure as its weakest link (Sheffi 200l).
This article examines tools for identifying and assessing supply chain risks that can be used to develop appropriate risk management strategies. Additionally, this article proposes a risk assessment and evaluation model to help managers better understand and prioritize the risks faced by their firms. An improved and more comprehensive assessment and evaluation model for risk management that prioritizes risks is warranted and will enable managers to concentrate on the important risk areas and develop risk mitigation strategies to achieve desired outcomes. Further cost reductions may be gained by avoiding dedicating resources to low-priority risks and instead concentrating on higher-priority and more concerning risk events. The article begins with a literature review, then discusses tools for identifying, assessing, and evaluating risks in order to develop a risk priority assessment model. The model can be used to develop and implement better overall risk management strategies. Finally, the article discusses academic and managerial implications and conclusions.
Supply Chain Risk
Risk has been defined in various disciplines, including finance, management, and marketing. From a general perspective, risk can be defined as "variability in outcomes or results" (Zsidisin, Melnyk, and Ragatz 2005, 3403). Risk, when applied to supply chains, has usually focused on a very specific area in the supply chain (e.g., outbound risks, inbound supply risks). Recently a broader focus on supply and demand side risks has developed whereby supply chain risk relates to "any risks for the information, material and product flows from original supplier to the delivery of the final product for the end user" and incorporates the "possibility and effect of a mismatch between supply and demand" (Juttner, Peck, and Christopher 2003, 200).
Juttner, Peck, and Christopher (2003) categorized supply chain risk areas or sources as environmental, network-related, and organizational. Spekman and Davis (2004) identify six supply chain-oriented risk areas: physical movement of goods, flow of information, flow of money (e.g., stable pricing, hedging), security of the firm's internal information system, relationships among supply chain members (e.g., opportunism), and corporate social responsibilities that would impact reputation and image. Manuj and Mentzer (2008) focused on supply, demand, operational, and security risks in evaluating global supply chain risk management.
Despite how risk areas are classified, the more critical issue is perhaps how to manage risks effectively. Risk management is defined as "identifying and assessing the probabilities and consequences of risks, and selecting appropriate risk strategies to reduce the probability of, or losses associated with, adverse events" (Manuj and Mentzer 2008, 141). Various authors posit risk management steps that are often highly similar and involve, at minimum, identifying potential risks and assessing and evaluating the risks (e.g., Juttner, Peck, and Christopher 2003; Kumar and Verruso 2008; Manuj and Mentzer 2008; White 1995). Figure 1 illustrates the basic risk management steps derived from the literature. While some research has provided methods or tools to guide risk management efforts, existing risk management tools are underdeveloped (Khan and Burnes 2007), lack a cross-supply chain focus (Gaudenzi and Borghesi 2006), and display a critical gap of knowledge, particularly with respect to risk identification tools (Neiger, Rotaru, and Churilov 2009). Each of the three risk management steps will be discussed below.
Risk identification involves recognizing potential uncertainties (Hallikas et al. 2004), including hazards, existing failures, and potential consequences (White 1995). Chopra and Sodhi (2004) identified nine broad categories of supply chain risks: disruptions, delays, systems, forecasts, intellectual property, procurement, receivables, inventory, and capacity. Manuj and Mentzer (2008) recommend that, once identified, risks should be segmented by specific characteristics (e.g., domestic versus global) in order to create a risk profile.
Risk assessment and evaluation is performed on identified risks. Given all risks are not equal, it is important to evaluate risks based on some established criteria in order to prioritize potential risks. Prioritization is important as firms often focus on recurring but low-impact risks at the expense of paying attention to high-impact but less-probable risks (Chopra and Sodhi 2004). White (1995), for example, evaluated risks based on the probability of occurrence and the significance of the risk. Hallikas et al. (2004) similarly suggested an assessment based on the potential impact (ranging from none to catastrophic) and the probability of occurrence (ranging from very unlikely to very probable). Sheffi and Rice (2005) created a vulnerability framework as a two-by-two matrix that examined disruption probability (high versus low) and consequence (light versus severe). Manuj and Mentzer (2008) suggest risks should be assessed based on potential loss, probability of occurrence, and impact or consequences.
[FIGURE 1 OMITTED]
Risk mitigation involves creating and implementing strategies to reduce and/or avoid risks, and may also include recovery plans should potential risks be realized. Additionally, risk mitigation may involve monitoring risks over time as the environment changes and new risks are presented (Pettit, Fiksel, and Croxton 2010), and learning from risk failures in order to increase risk knowledge management (Ojha and Gokhale 2009). The culmination of risk identification and risk assessment/evaluation is the development of appropriate risk mitigation strategies.
While not explicitly discussed in the literature, it is apparent that the success of the overall risk mitigation strategy depends, at least to some degree, on the successful identification of risks as well as the process of risk assessment and evaluation. In other words, if the risk identification and risk assessment and evaluation processes are flawed, the selection and/or implementation of the overall risk management process will also likely be flawed. This flaw may occur in terms of inaccuracies with respect to (1) the risks identified; (2) the priority of risks based on assessment and evaluation procedures; and/or (3) the risk mitigation strategy implemented. The chance for a flawed process is potentially high in terms of managing supply chain risks given that research on risk identification and risk assessment/ evaluation from a supply chain perspective is just beginning to emerge as indicated by Rao and Goldsby (2009) and Zsidisin and Wagner (2010). The next section proposes a more robust process for risk assessment and evaluation.
Risk Assessment and Evaluation Model Development
We propose that, in addition to the commonly discussed risk factors (likelihood of occurrence and potential impact), supply chain managers need to be concerned with the probability of detecting the identified risk within the supply chain. Probability of detection is important given that "organizations that think they have managed risk have often overlooked the critical exposures along their supply chains" (Juttner, Peck, and Christopher 2003, 198). While not completely ignored, the probability of detection has not been well developed in the literature. Helferich and Cook (2002) identified detection as one of five steps in a disaster-management process: planning, mitigation, detection, response, and recovery. However, detection is not only needed in terms of attempting to prevent a risk from occurring, but also in quickly identifying when a risk has occurred in order to respond and recover from the risk. Helferich and Cook (2002) provided an example of the latter form of detection whereby biological agents are not easily detected until after individuals have been infected with the agent and medical symptoms appear.
Further, recent supply chain disruptions serve as examples of detection "let-downs." Recent toy recalls illustrate then-insufficient detection capabilities within the supply chain. As the recall story played out across newspapers nationwide, detection of lead paint became a critical risk management strategy for many toy supply chains. Many major retailers, such as Walmart, Target, and Toys "R" Us, recognized this risk and quickly developed more stringent requirements for toy suppliers (pereira and Stecklow 2008).
Suppose, however, that lead paint was not easily detectable. In this case, risk management strategies would need to be different than the currently employed, postproduction compliance testing. For example, rather than a strategy of control, through more frequent testing, retailers and toy manufacturers may have selected an avoidance strategy (e.g., avoiding overseas manufacturing) or a strategy that transferred or shared risk as a mechanism for reducing opportunistic actions (e.g., tougher penalties or charge-backs for recalled product).
Figure 2 illustrates the risk assessment and evaluation model proposed herein. As shown, the risk assessment and evaluation model in this article supplements existing work in the area of supply chain risk management by explicitly considering the probability of risk detection. The addition of the probability of detection is critical and warrants an expanded method than typically suggested in the supply chain literature.
The proposed model allows added factors and granularity to be applied to supply chain risk assessment and evaluation. For instance, a high-likelihood/high-impact risk that is also extremely difficult to detect warrants a substantially different risk management strategy than a high-likelihood/high-impact risk that can be more readily detected. As such, the following section explores tools that can be used to identify and assess risks in order to complete the model shown in figure 2 and, thus, creates a more detailed and accurate risk priority continuum.
[FIGURE 2 OMITTED]
While the proposed model adds dimensions that supply chain risk managers should consider, how each of these dimensions is assessed also merits further consideration. The following section outlines how each of the three risk dimensions could be evaluated and builds upon the reliability engineering discipline that views risks in a substantially more proactive manner than supply chain managers generally have to date.
Risk Identification Tools
The field of reliability engineering has focused on risk identification for decades. A main consideration in reliability engineering is not only how to identify risks, but also how to best avoid risks. Reliability engineering refers to risks as ultimate undesirable events (UUEs) (Ebeling 1997). From the physical reliability perspective, UUEs are not single events but, rather, it is recognized that risk events are often related and may occur within a chain of events such that some events are root-cause events and some events are symptoms of those root causes (Ebeling 1997). Supply chain risks are similar to the risks studied in reliability engineering in that, like UUEs, supply chain risks are outcomes created by chains of events. As an example from the physical reliability arena, a flat tire on a vehicle is a relatable UUE. There are numerous ways in which a delivery vehicle's tire might fail, each way potentially leading to an accident, which could result in loss of life or equipment, or late delivery. Tires might fail due to out-of-limit pressure settings (over- or under-inflation), a slow leak from a puncture, cuts due to road debris, excessive wear, or a material defect present since manufacture. Each of these distinct failure modes can lead to the exact same UUE (i.e., an accident due to a failed tire), but the manner needed to prevent each failure is different. Further compounding the issue is the fact that not only does the mode of prevention for each of these UUEs vary, but also each failure has different potential impacts. Some initiate catastrophic failures with no ability to react in time and prevent the failure (e.g., the tire blowing out at highway speed), while others may provide enough warning to allow an aware driver time to avoid an accident (e.g., low tire pressure).
Regarding supply chains, similar realities exist and multiple risk factors can lead to identical UUEs, such as a late delivery. While the types of risks that occur in a supply chain vary, the tools needed to address these issues need not be unique. Given that reliability tools have created more reliable systems in the field of engineering, the same tools offer the ability to create more reliable supply chains through the identification of supply chain UUEs.
The main tool that has been used to identify UUEs in reliability engineering is the Failure Mode Effects and Criticality Analysis (FMECA) tool. FMECA's utility has been recognized outside of the reliability engineering discipline already. In the health-care environment, FMECA's "impact has been tremendous" (Hambleton 2005, 303) in performing bottom-up analyses of processes to determine, ahead of time, where health-care systems might fail, and then to either design out or improve detection of these potential failure points. Reid (2005) suggests the use of FMECA by government agencies in planning for natural disasters, like Hurricane Katrina, while Kim (2002) advocates using FMECA in an effort to avoid unexpected disasters in nuclear power generation. Chuang (2007) outlines a process for mitigating service failures during the service design phase using FMECA. FMECA has also been considered in preventative/predictive maintenance programs, such as reliability-centered maintenance and condition-based maintenance, to move from reactive to more proactive means of equipment maintenance in an effort to reduce equipment breakdown and failure (Sharma, Kumar, and Kumar 2005).
Despite successful application in disciplines, such as engineering reliability and other systems-oriented environments, FMECA's use as a tool for risk avoidance is relatively absent from the supply chain literature. When reliability-based tools have been applied to supply chain issues, such cases have not always included all three assessment/evaluation factors suggested in this article (likelihood of occurrence, potential impact, and probability of detection). For example, Teng et al. (2006) proposed the use of Failure Modes and Effects Analysis (FMEA) in a supply chain context. FMEA, while similar to FMECA, does not take criticality into account and thus does not completely address the potential impact of a risk.
Identification of Risks Using FMECA
The initial step in performing FMECA is establishing what system faults or risks are possible. The primary tool for this type of analysis is the fault tree. While entire book chapters have been dedicated to this topic (e.g., Ebeling 1997; Lewis 1994; Sundararajan 1991), the basics of the technique are outlined herein. The technique of Ebeling (1997) is summarized in the following section. The first step is to identify all ultimate undesirable events (UUEs), so that the various ways in which these events might possibly occur can be determined. These data are represented in a fault tree, a generic example of which appears in figure 3.
[FIGURE 3 OMITTED]
Basic failures occur at the lowest level and are denoted by circles. Whether or not these faults create system-wide failures is determined by the "gates" that appear above them in the fault tree. Faults are passed up the tree by either "and" gates or "or" gates. Resultant failures, those coming about due to basic failures, appear as rectangles. Resultant failures can occur due either to one of a number of conditions being met (brought about by or gates), or to overlapping sets of conditions being met (brought about by and gates) that lead to the resultant failure. In the example in figure 3, event C is conditional, based upon basic events E and F, and illustrates an or gate. As such, event C occurs if either basic failure E or F occurs. Resultant event D is different, occurring only when both failure G and failure H occur simultaneously. Similarly, for event B to occur both resultant event C and resultant event D need to occur at the same time. At the top level, the UUE occurs whenever either event A (a basic event) or event B occurs; both are not necessary to lead to the UUE. In this manner, all potential failures can be modeled, and their resultant events can be traced to any potential UUEs. It is important to note that the process of identifying UUEs can occur from either a bottom-up or top-down perspective.
Fault tree analysis is a powerful tool that can easily be applied to modeling supply chain risks. Figure 3 could be modified to depict possible events occurring in a supply chain rather than reliability engineering. Suppose a manager wanted to create a fault tree with the top event UUE listed as "Lost Sales Opportunity" in order to identify potential risks from a supply chain perspective. In figure 3, the basic event A could be a production shutdown, which would on its own result in lost sales due to a stockout of finished goods.' A lost sales opportunity can also occur through a resultant event such as a component part stockout (illustrated in figure 3 as event B). This stockout comes about due to two events occurring simultaneously (and): a lead-time delay (event C), such as a late delivery, and a lack of alternative sources for the component part (event D). Examining event C, the lead-time delay could result from either a storm preventing on-time delivery (basic event E) or from a transportation-worker strike limiting the overall movement of any materials (basic event F). Resultant event D, the lack of alternative sources could occur when both an alternate supplier's annual product changeover occurs, which prevents the supplier from providing the components in a timely manner (basic event G), and when an additional alternate source of supply holds an exclusive contract with a competitor, precluding the supplier from providing components to other customers (basic event H).
In this manner, failure modes and their effects are determined. As a diagnostic tool, it can be seen how failures mode analysis can help root out potential failures through the process of building fault trees. However, fault trees only identify the potential challenges/risk factors--risk factors are not assessed in terms of the likelihood of occurrence, potential impact, or detectability. The following section examines how supply chain risks, once identified, can be assessed and evaluated to take the three risk factors into account.
Assessment and Evaluation of Risks
A number of issues are important in assessing and evaluating supply chain risks. The traditional approach is to evaluate the probability or likelihood of occurrence for each risk (described as criticality in reliability engineering), and then evaluate the potential impact of all possible risks. These two values are merged together in order to develop a risk criticality matrix. The resulting assessment tool looks like the one depicted in figure 4.
The mechanism often used for creating the matrix illustrated in figure 4 starts with developing the criticality index, followed by addressing severity classifications. These considerations are then merged into the resulting criticality matrix. In the supply chain context, in particular, the criticality matrix is of importance given that some risks and potential failures are of greater concern than others. A criticality matrix can be formed by simultaneously considering the criticality index, and the severity or impact of those same failures/risks. The first element, the criticality index for risk mode k is defined as: [C.sub.k] = [[lambda].sub.p] [[alpha].sub.kp] [[beta].sub.k] t where:
[[lambda].sub.p] = probability of risk p occurring
[[alpha].sub.kp] = Conditional probability of risk mode k given that risk p has occurred
[[beta].sub.k] = Conditional probability that risk mode k will result in the identified risk effect
t = Duration of time used in analysis
[FIGURE 4 OMITTED]
The values for the preceding equation (modified from Ebeling 1997, 170) are derived from a firm's own supply chain. Values for [[lambda].sub.p], [[alpha].sub.kp], and t would be assigned based upon the particular supply chain's properties and risk susceptibility. In application [[lambda].sub.p] would represent events that might occur, such as a winter storm. The next term, [[alpha].sub.kp], would represent the conditional probability of events occurring, based upon the storm's occurrence: for instance, road closure that might prevent product deliveries, or work stoppages due to loading dock employee unavailability because of the storm. The term [[beta].sub.k] represents the effect of this failure, with lower values implying little to no effect, and values approaching or equal to i representing certain effect. Values for the [[beta].sub.k] value estimation already exist (MIL-STD-1629 1980) but can be modified to suit a specific supply chain's needs. Examples of standard values for [[beta].sub.k] appear in table 1. While commonly used as thresholds in reliability engineering, these values can be adjusted as needed to conform to a particular supply chain scenario where thresholds may differ.
The resulting value, [C.sub.k] represents the probability or likelihood of a risk's occurrence. This likelihood is represented by the y axis of figure 4. However, simply assessing the likelihood of occurrence does not provide sufficient detail for supply chain managers. More information is needed for managers to accurately decide where to spend limited supply chain resources in order to mitigate these risks.
Implicit in the x axis of figure 4 is the fact that some risks are more severe than others. For example, a short-term delivery delay that results in stockouts and temporary loss of sales is arguably less severe than a long-term production shutdown that could occur from a natural disaster that destroys a production facility. The creation of a criticality matrix allows for these realities to be accounted for in the assessment and evaluation of supply chain risk. The criticality matrix simultaneously considers both the criticality index (calculated above) and the potential impact of the risk itself. In the reliability arena, the severity of the impact values are typically classified into four categories, including catastrophic, critical, marginal, and negligible (Ebeling 1997). Once these values have been determined, the full criticality matrix can be considered.
However, even with all of this information about potential risks, an incomplete picture exists with regard to supply chain risks, given that the probability of detecting these risk factors is not accounted for in the traditional two-by-two matrix used by other authors (e.g., Sheffi and Rice 2005). The following section outlines factors to consider in risk detection and how to integrate these issues into the risk assessment and evaluation process.
The ability to detect risk factors across a supply chain differs, just as the sources of risks themselves vary. Helferich and Cook (2002) indicated that detection is related to warning and forecasting. Consider the disruption of an ocean shipment; a vessel could be delayed due to weather, equipment failure, or piracy. Each of these disruptions has different detection lead-times, as well as differing ability to detect and avoid the risk prior to its occurrence. A dangerous storm could, in many cases, be forecasted with sufficient warning such that a vessel about to traverse a dangerous region could take an alternate route and avoid the storm. While some additional transit time may result, communication with the vessel would allow supply chain members sufficient notification of the impending delay associated with avoiding the storm. On the other hand, an ocean vessel experiencing a mechanical failure may have little to no advance warning of pending problems. If the equipment failure also impacted communication capabilities, the impact to supply chain members would be greater due to a lag between risk occurrence and supply chain awareness of the occurrence. In cases of piracy, while certain shipping lanes are known to be more dangerous than others (forecasted based on past history), little warning is likely when pirates employ new routes or techniques. However, upon capture, modern pirates contact the owners of pirated vessels to extort ransoms, thereby providing quick notice of the event. Despite the relatively immediate recognition of the detection, there is little way around the risk, given that warning time was diminished. As seen in these examples, the ability to avoid the risk and the notification of the events differ substantially and, as such, the potential impacts differ as well.
Not all supply chain risks are transportation based though. Recently, Midler (2007) coined the term quality fade to describe the deterioration of product quality amid cost reductions in pursuit of increased revenues. Whipple and Roh (2010) note that quality fade can occur when suppliers (product or service) either intentionally or unintentionally underperform with respect to product quality, service quality, or both. Examples of quality fade include using unapproved materials/ingredients (e.g., melamine in milk in China), allowing production standards to become lax (e.g., food recalls blamed on unsanitary conditions in the production facility), failing to properly train or monitor employees with respect to handling and transportation procedures (e.g., turning off refrigeration during transportation to save fuel), and using less secure transportation lanes or less expensive modes or carriers (e.g., not understanding the risks associated with transportation in an emerging market).
Midler (2007) notes that quality fade is not always detected quickly and often not until the actual risk or disruption is realized. Dayton (2008) indicates that a typical response of "trust but verify" may not work with respect to quality fade because total verification of quality is not always possible. Quality fade issues, like transportation-related supply chain risks, can be assessed and evaluated in advance of their actual occurrence. In this manner, managers could develop a different risk mitigation strategy for products where quality fade may be more likely to occur. Quality fade may be more important, for example, with respect to components that are more critical (e.g., impact safety of the product more directly) and/or products and services that offer a greater incentive for a supplier to intentionally underperform.
Given the aforementioned challenges, we propose that it is important to measure at least two components of probability of detection: lead-time of detection, and the ability to monitor the risk. Events that have long lead times to occurrence and that can be detected well before becoming an issue are inherently easier to deal with in a supply chain than events that occur quickly, without warning, and/or are difficult to detect in advance. For example, if it is known that the truck will operate for three weeks after an engine management control fails, it is a less risky situation than if a tire blows out and strands the vehicle by the side of the road. Either event prevents the vehicle from operating eventually, but the former provides sufficient warning to facilitate remediation, whereas the latter provides no opportunity for avoidance.
The ease with which a potential risk factor can be monitored for occurrence is also important. In modern supply chains, the ability to track the likelihood of severe weather (through weather forecasts) along a route is easy through a number of electronic means, something that could not be said even a half century ago. Similarly, the information age has facilitated the ability to monitor operations using on-the-scene sensors and remote monitoring via various lines of communication (e.g., GPS tracking of transportation shipments). However, not everything is so easy. The lead-paint issues experienced within the toy supply chain in 2008 demonstrated that even processes that are relatively easy to monitor at a low cost can go wrong.
Figure 5 depicts the two components of probability of detection. On the x axis is the ease of monitoring, where the supply chain manager can assess, for a specific risk factor, the ease with which the occurrence of that risk factor can be monitored. On the y axis, the lead time between detection and realization of the risk is depicted. By assessing these two characteristics together for a specific risk, the analyst can identify which region the risk falls within figure 5, the probability of detection matrix. The quadrant in which the risk exists can be used to represent its probability of detection. As can be seen in figure 5, quadrant 4 represents those risks that are more difficult to monitor, and with generally shorter time horizons. As such, risks in quadrant 4 warrant greater emphasis, while those in quadrant 1 are of lesser concern.
[FIGURE 5 OMITTED]
A Comprehensive Risk Assessment and Evaluation Model
As indicated previously, we propose that a more robust risk assessment and evaluation model is needed to simultaneously consider the likelihood of occurrence, the potential impact, and the probability of detection associated with supply chain risks. Figure 6 illustrates a comprehensive view of the proposed risk model (originally shown in figure 2). By considering the location of each potential risk factor along the three indicators (likelihood of occurrence, potential impact, and probability of detection), a distinct location within the risk assessment and evaluation model can be determined. The corner points of the cube illustrate the highest risk condition (high likelihood, high impact, and difficult to detect) at one corner and the lowest risk condition (low likelihood, low impact, and easy to detect) at the other corner. The shaded areas in figure 6 highlight the sectors where one or more risk conditions exist--as the shading moves from light to dark, more risk conditions are present. The risk assessment and evaluation model helps managers better understand the full spectrum of risks faced by their firms and supply chains. This prioritization from a safe zone to a danger zone provides managers with greater information that can be used to develop stronger risk mitigation plans.
Given that Chopra and Sodhi (2004) indicated that managers tend to focus more on recurring but low-impact events, tools considering only two risk factors fail to identify the full magnitude of supply chain risk. The traditional view would lead supply chain managers to be concerned with only one of the four risk quadrants in a typical two-by-two potential impact versus likelihood of occurrence matrix. When the full risk assessment and evaluation model is considered (shown in figure 6), it can be seen that managers who predominantly focus on low-impact/high-probability events are considering only two of eight potential risk areas.
[FIGURE 6 OMITTED]
As illustrated in figure 6, the shaded areas (progressing from lighter to darker shading) show that not only do different levels of risk exist, but also that different risk mitigation strategies need to be considered. Risk mitigation research is not new. Miller (1992) indicates five main risk mitigation strategies exist, including avoidance, control, cooperation, flexibility, and imitation. Juttner, Peck, and Christopher (2003) discussed four of Miller's (1992) strategies as relating to supply chains: avoidance, control, cooperation, and flexibility. Hallikas et al. (2004) suggests managers consider transferring risk, taking risk, eliminating and reducing risk, as well as subdividing risk. Examples of mechanisms used to eliminate and/or reduce risk include monitoring techniques, such as audits of supplier's quality checks, inspections of random materials, and tracking of key performance indicators (KPIs). Manuj and Mentzer (2008) suggest risk mitigation strategies including avoidance, control, postponement, speculation, hedging, sharing or transferring risk, and security.
Despite the lack of a consistent list of risk mitigation strategies, we propose that figure 6 illustrates the importance of the selected strategy matching the risk priority. As such, a risk priority continuum can be developed where one end of the continuum illustrates cases where little to no risk exists or risks are easily detected (safe zone), while the other end of the spectrum illustrates a danger zone with respect to risk. Table 2 illustrates the risk priority continuum and the potential risk mitigation strategies that may coincide with each risk priority.
As shown in table 2, strategies such as monitoring and risk taking can be used when the likelihood and potential impact from the risk are low and the ability to detect the risk is easy. When the likelihood of occurrence and potential impact are low, managers selecting a monitoring strategy may choose to perform random inspections of products to detect errors. Alternatively, the risk may be perceived to be so low that managers could choose to merely "take" the risk, thus, virtually ignoring it in terms of developing a mitigation strategy.
However, at the opposite extreme, when the likelihood that the risk will occur and the impact of the risk are both high, and the ability to detect the risk is difficult or perhaps even undetectable, more aggressive risk mitigation strategies need to be considered. For example, in situations where the risk of tampering or theft of a shipment is likely, various risk mitigation strategies can be considered. If the potential tampering or theft is based on sourcing location or transportation route, one strategy would be to avoid that location by sourcing in an alternate location or selecting a safer transportation mode or route. Alternatively, a firm may employ a control strategy whereby product is no longer outsourced to a supplier, but rather the firm vertically integrates and manufactures the product in-house or controls any distribution-related services (e.g., own versus outsource distribution center operations). Control may also be achieved through more stringent contractual mechanisms that levy strict penalties for noncompliance or through the utilization of tracking technology whereby a transportation provider, for example, can be held accountable for violating specified routes.
While not as high a priority, risks present in the midsection of the continuum are still important for managers to consider. Situations may exist where the likelihood of a risk occurring is low and detection may be easy, but the impact of the risk could be significant. In this case, a postponement strategy may be appropriate if the event causing the risk can be postponed until more control by the focal firm is established. Alternatively, the firm may choose to embrace a speculation strategy, building up inventory to buffer against the specific risk.
In cases where the impact of a risk may be low, but the likelihood of occurrence is high, and the ability to detect the risk in advance is difficult, a firm may select an imitation strategy and source with the same supplier(s) that competitors utilize. This way, if one firm is exposed to the risk, all firms are, and differential disadvantage is nullified. This imitation strategy may explain retailers' responses to lead-paint problems in toys. Many retailers began to add more stringent safety requirements for their suppliers in light of lead-paint recalls (Pereira and Stecklow 2008). As each retailer announced similar, more stringent standards, these announcements can be seen as attempts to imitate each other. Consumer confidence may also have increased as consumers were relieved that some action was being taken to ensure safe toys. As such, the imitation strategy enabled each retailer not only to protect its business, but also to benefit from the collective reaction among retailers.
Finally, a flexibility strategy could be used when the likelihood of risk occurrence is high and detection is easy. Flexibility could be achieved through the use of dual or multiple sourcing. For example, outsourcing transportation to multiple carriers or 3PLs could offer greater flexibility than sourcing to one provider. In this case, regardless of the level of potential impact (low or high), a firm may attempt to mitigate risk through the use of alternative suppliers.
Managerial and Academic Insights
This article proposes a more comprehensive risk assessment and evaluation model to assist managers in making better risk management decisions. The article provides greater insights in terms of supply chain risk management processes as called for by recent works (Autry and Bobbitt 2008; Rao and Goldsby 2009; Zsidisin and Wagner 2010). Step 1 of the risk management process is risk identification. The identification of supply chain management risks can be improved by applying FMECA tools whereby managers consider a full range of undesirable events and build--either from a top-down or bottom-up approach--the basic events that culminate into the main undesirable event (UUE). From this process, managers will have a better understanding of potential supply chain risks that are faced by their firm.
Once risks are identified, managers need to move to step 2 of the risk management process by assessing and evaluating the potential risks. While previous research had suggested risks could be evaluated based on the likelihood of occurrence and the potential impact, this research suggests a third risk factor, the probability of detection, is also necessary to create the full risk assessment and evaluation model as shown in figure 6.
From this, managers can develop a risk priority continuum to fully understand the range of risks faced by the firm as well as to match the risk with the appropriate risk mitigation strategy (step 3 of the risk management process). While the literature is not in complete agreement with respect to appropriate risk mitigation strategies, managers can consider low-priority risks to be best managed with less-extensive mitigation strategies, such as monitoring and taking the risk, where higher-priority risks will need more comprehensive strategies, such as avoiding the risk and/or controlling at least some portion of the supply chain in an attempt to prevent the risk. Additionally, there are mitigation strategies for managing medium- or mixed-priority risks, including imitate, postpone, and speculate, as well as creating greater flexibility in order to respond quickly to new risks or to recover from a realized risk.
Given the emergent state of supply chain risk management, the step-by-step process summarized above provides academics with greater insights in order to study supply chain risk management more cohesively. For example, little work has been done to examine risk detection from a supply chain context. We propose two elements of detection: the ease of monitoring risks and the lead time associated with detecting a risk. Further research is warranted to understand if other elements of detection exist beyond the two proposed herein.
Academic attention is also needed to focus on the success of a risk management process. Risk management requires costly investments in resources (e.g., both human resources as well as physical/technology resources). Managers are seeking advice in terms of which mitigation strategies offer the greatest protection from risks. At the same time, managers are also interested in ways to reduce or eliminate costs associated with risk management of low-priority risks. The value of prevention is certainly acknowledged; however, risks that have little potential to disrupt the supply chain may not warrant investments associated with prevention.
Conclusions and Future Research
This article proposes a comprehensive risk assessment and evaluation model as well as a supply chain risk priority continuum to provide managers with more detailed risk management tools. The comprehensive nature of these assessment tools is derived by adding the probability of detection to the traditionally considered risk assessment factors--likelihood of occurrence and potential impact of identified risks. Given that researchers have considered the risk identification and risk assessment and evaluation knowledge in supply chain management to be emerging (Rao and Goldsby 2009; Zsidisin and Wagner 2010), this article contributes to the body of knowledge concerning supply chain risk management. In particular, this article provides a conceptual framework for understanding risk management as called for in recent research (Manuj and Mentzer 2008).
The risk assessment and evaluation model and risk priority continuum provided allow managers to assess the highest-priority risks and develop mitigation strategies that improve the risk management processes by preventing the risk from occurring, lessening the impact of the risk should it occur and recovering more quickly from the aftereffects of the risk. Further, the models illustrate low-priority risks can be managed in a more appropriate and potentially less costly manner. Using the proposed tools, managers can improve the first two steps in the risk management process, risk identification and risk assessment and evaluation, and then also improve the overall risk management process by selecting appropriate risk mitigation strategies.
Future research can expand upon the risk assessment and evaluation model and risk priority continuum proposed in this article in order to give direction and guidance to both managers and academicians. For example, case-based research that evaluates a broad category of supply chain risks according to the proposed risk categories (likelihood of occurrence, potential impact, and probability of detection) could be used to understand whether or not firms that use more sophisticated risk tools, as proposed here, have a greater ability to reduce disruptions and/or improve recovery efforts. The supply chain risk priority continuum offers another avenue for future research. We group the six mixed-risk priority areas in table 2 together as opposed to proposing a priority order for all eight risk priority "cubes" on the risk assessment and evaluation model in figure 6. Future research could more closely examine the full risk spectrum and suggest a priority scheme for all eight risk priority areas. From that research, the three risk categories (likelihood, impact, or detection) could be empirically evaluated to determine if one category has a greater impact on the overall risk priority continuum for a firm. Future research could investigate additional risk mitigation strategies (e.g., collaborative relationships that reduce opportunism) as well as examine which risk mitigation strategies (e.g., control, avoid, imitate) offer the greatest ability to manage risk across the full risk priority spectrum.
Autry, C. W., and L. M. Bobbitt. 2008. "Supply Chain Security Orientation: Conceptual Development and a Proposed Framework." International Journal of Logistics Management 19 (1): 42-64.
Carter, C. R., and D. S. Rogers. 2008. "A Framework for Sustainable Supply Chain Management: Moving Toward New Theory." International Journal of Physical Distribution and Logistics Management 38 (5): 360-87.
Chopra, S., and M. S. Sodhi. 2004. "Managing Risk to Avoid Supply-Chain Breakdown." Sloan Management Review 46 (1): 53-61.
Chuang, P. T. 2007. "Combining Service Blueprint and FMEA for Service Design." Services Industrtry Journal 27 (2): 91-104.
Craighead, C. W., J. Blackhurst, M. J. Rungtusanatham, and R. B. Handfield. 2007. "The Severity of Supply Chain Disruptions: Design Characteristics and Mitigation Capabilities." Decision Sciences 38 (1): 131-56.
Dayton, D. 2008. "Managing China Product Quality: preventing 'Quality Fade.'" SmartChinaSourcing.com j Global Sources, May 7. www.smartchinasourcing. com/china-product-quality/managing-china-product-quality-preventingquality.html (accessed January 19, 2010).
Ebeling, C. E. 1997. An Introduction to Reliability and Maintainability Engineering. Long Grove IL: Waveland Press.
Gaudenzi, B., and A. Borghesi. 2006. "Managing Risks in the Supply Chain Using the AHP Method." International Journal of Logistics Management 17 (1): 114-36.
Giunipero, L. C., and R. A. Eltantawy. 2004. "Securing the Upstream Supply Chain: A Risk Management Approach." International Journal of Physical Distribution and Logistics Management 34 (9): 698-713.
Hallikas, J., I. Karvonen, U. Pulkkinen, V. M. Virolainen, and M. Tuominen. 2004. "Risk Management Processes in Supplier Networks." International Journal of Production Economics 90 (1): 47-58.
Hambleton, M. 2005. "Applying Root Cause Analysis and Failure Mode and Effect Analysis to Our Compliance Programs."Journal of Health Car Compliance 7 (2): 303-11.
Harland, C., R. Brenchley, and H. Walker. 2003. "Risk in Supply Networks." Journal of Purchasing and Supply Management 9 (2): 51-62.
Helferich, O. K., and R. L. Cook. 2002. Securing the Supply Chain. Oak Brook, IL: Council of Logistics Management.
Juttner, U., H. Peck, and M. Christopher. 2003. "Supply Chain Risk Management: Outlining an Agenda for Future Research." International Journal of Logistics: Research and Applications 6 (4): 197-210.
Khan, O., and B. Burnes. 2007. "Risk and Supply Chain Management: Creating a Research Agenda." International Journal of Logistics Management 18 (2): 197-216.
Kim, K. 2002. "Periodic Safety Review Program." Nuclear Plant Journal 20 (2): 18-21. Kleindorfer, P. R., and G. H. Saad. 2005. "Managing Disruption Risks in Supply Chains." Production and Operations Management 14 (1): 53-68.
Kumar, S., and J. Verruso. 2008. "Risk Assessment for the Security of Inbound Containers at U.S. Ports: A Failure, Mode, Effects, and Criticality Analysis Approach." Transportation Journal 47 (4): 26-41.
Lewis, E. E. 1994. Introduction to Reliability Engineering. New York: John Wiley and Sons. Manuj I., and J. T. Mentzer 2008. "Global Supply Chain Risk Management." Journal of Business Logistics 29 (1): 133-55.
Midler, P. 2007. '"Quality Fade': China's Great Business Challenge." Knowledge@ Wharton, July 25. http://knowledge.wharton.upenn.edu/article.cfm?articleid= 1776 (accessed January 19, 2010).
MIL-STD-1629A. 1980. "Military Standard: Procedures for Performing a Failure Mode, Effects, and Criticality Analysis." Naval Publications and Forms Center, Philadelphia, PA.
Miller, K. D. 1992. "A Framework for Integrated Risk Management in International Business,"Journal of International Business Studies 23 (2): 311-32.
Neiger, D., K. Rotaru, and L. Churilov. 2009. "Supply Risk Identification with Value-Focused Process Engineering." Journal of Operations Management 27 (2): 154-68.
Ojha, D., and R. A. Gokhale. 2009. "Logistics Business Continuity Planning-Scale Development and Validation." International Journal of Logistics Management 20 (3): 342-59.
Peck, H. 2005. "Drivers of Supply Chain Vulnerability: An Integrated Framework." International Journal of Physical Distribution and Logistics Management 35 (4): 210-32.
Pereira, J., and S. Stecklow. 2008. "Wal-Mart Raises Bar on Toy-Safety Standards." Wall Street Journal, May 14, B1.
Pettit, T. J., J. Fiksel, and K. L. Croxton. 2010. "Ensuring Supply Chain Resilience: Development of a Conceptual Framework." Journal of Business Logistics 31 (1): 1-21.
Rao, S., and T. J. Goldsby. 2009. "Supply Chain Risks: A Review and Typology." International Journal of Logistics Management 20 (1): 97-123.
Reid, R. D. 2005. "What Organizations Can Learn from Hurricane Katrina." Quality Progress 82 (11): 82-85.
Sharma, R. K., D. Kumar, and P. Kumar. 2005. "FLM to Select Suitable Maintenance Strategy in Process Industries using MISO Model." Journal of Quality in Maintenance Engineering 11 (4): 359-74.
Sheffi, Y. 2001. "Supply Chain Management under the Threat of International Terrorism." International Journal of Logistics Management 12 (2): 1-11.
Sheffi, Y., and J. B. Rice. 2005. "A Supply Chain View of the Resilient Enterprise." Sloan Management Review 47 (1): 41-48.
Spekman, R. E., and E. W. Davis. 2004. "Risky Business: Expanding the Discussion on Risk and the Extended Enterprise." International Journal of Physical Distribution and Logistics Management 34 (5): 414-33.
Sundararajan, C. 1991. Guide to Reliability Engineering: Data, Analysis, Applications, Implementation, and Management. New York: Van Nostrand Reinhold.
Svensson, G. 2002. "A Conceptual Framework of Vulnerability in Firms' Inbound and Outbound Logistics Flows." International Journal of Physical Distribution and Logistics Management 32 (2): 110-34.
Teng, S. G., S. M. Ho, D. Shumar, and R C. Liu. 2006. "Implementing FMEA in a Collaborative Supply Chain Environment." International Journal of Quality and Reliability Management 23 (2): 179-96.
Voss, M. D., J. M. Whipple, and D. J. Closs. 2009. "The Role of Strategic Security: Internal and External Security Measures with Security Performance Implications." Transportation Journal 48 (2): 5-23.
Wagner, S. M., and C. Bode. 2008. "An Empirical Examination of Supply Chain Performance along Several Dimensions of Risk." Journal of Business Logistics 29 (1): 307-25.
Whipple, J. M., and J. Roh. 2010. "Agency Theory and Quality Fade in Buyer-Supplier Relationships." International Journal of Logistics Management 21 (3): 338-52.
White, D. 1995. "Application of Systems Thinking to Risk Management: A Review of the Literature." Management Decisions 33 (10): 35-45.
Zsidisin, G. A., S. A. Melnyk, and G. L. Ragatz. 2005. "An Institutional Theory Perspective of Business Continuity Planning for Purchasing and Supply Management." International Journal of Production Research 43 (16): 3401-20.
Zsidisin, G. A., and S. M. Wagner. 2010. "Do Perceptions Become Reality? The Moderating Role of Supply Chain Resiliency on Disruption Occurrence." Journal of Business Logistics 31 (2): 1-20.
Stanley E. Griffis
Michigan State University
Judith M. Whipple
Department of Supply Chain Management
N370 Business Complex
Michigan State University
East Lansing, M148824
(1.) It is important to note that while a production shutdown is described as a basic event, such an event could be an UUE on its own, to be examined through a separate fault tree analysis. However, in the interest of simplicity, a production shutdown is treated as a basic event for this application.
Table 1/Risk Effect Assessment Risk Effect [[beta].sub.k] Certain [[beta].sub.k] = 1.00 Probable 0.10 < [[beta].sub.k] < 1.00 Possible 0 < [[beta].sub.k] < 0.10 No Effect [[beta].sub.k] = 0 Source: Ebeling 1997, 171. Table 2/Supply Chain Risk Priority Continuum Risk Category Low Priority Mixed Priority High Priority Likelihood of Low High occurrence Potential impact Low At least one risk High category exists Probability Easy Difficult of detection Examples of Monitor Imitate Avoid potential risk Take Flexibility Control mitigation strategy Postpone Speculate
|Printer friendly Cite/link Email Feedback|
|Author:||Griffis, Stanley E.; Whipple, Judith M.|
|Date:||Sep 22, 2012|
|Previous Article:||An exploration of the relational effects of supply chain disruptions.|
|Next Article:||Impact of collaborative transportation management on logistics capability and competitive advantage for the carrier.|