more intertwined and integrated processes between companies; reduced buffers, e.g. inventory and lead time;

Transcription

1 The Emerald Research Register for this journal is available at wwwemeraldinsightcom/researchregister The current issue and full text archive of this journal is available at wwwemeraldinsightcom/ htm IJPDLM 434 Received July 2003 Revised February 2004 Accepted March 2004 Ericsson s proactive supply chain risk management approach after a serious sub-supplier accident Andreas Norrman Department of Industrial Management and Logistics, Lund University, Lund, Sweden, and Ulf Jansson Ericsson AB, Sweden, Core Unit Supply, Stockholm, Sweden International Journal of Physical Distribution & Logistics Management Vol 34 No 5, 2004 pp q Emerald Group Publishing Limited DOI / Keywords Supply chain management, Risk management, Business continuity, Insurance Abstract Supply chain risk management (SCRM) is of growing importance, as the vulnerability of supply chains increases The main thrust of this article is to describe how Ericsson, after a fire at a sub-supplier, with a huge impact on Ericsson, has implemented a new organization, and new processes and tools for SCRM The approach described tries to analyze, assess and manage risk sources along the supply chain, partly by working close with suppliers but also by placing formal requirements on them This explorative study also indicates that insurance companies might be a driving force for improved SCRM, as they now start to understand the vulnerability of modern supply chains The article concludes with a discussion of risk related to traditional logistics concepts (time, cost, quality, agility and leanness) by arguing that supply chain risks should also be put into the trade-off analysis when evaluating new logistics solutions not with the purpose to minimize risks, however, but to find the efficient level of risk and prevention Introduction Background In industry, especially those industries moving towards longer supply chains (eg due to outsourcing) and facing increasingly uncertain demand as well as supply, the issue of risk handling and risk sharing along the supply chain is an important topic The leaner and more integrated supply chains get, the more likely uncertainties, dynamics and accidents in one link affect the other links in the chain Hence, the supply chain vulnerability (Svensson, 2000; Christopher et al, 2002) increases, and it will increase even more if companies, by outsourcing, have become dependent on other organizations A number of current business trends that increase the vulnerability to risks in supply chains are: increased use of outsourcing of manufacturing and R&D to suppliers; globalization of supply chains; reduction of supplier base; more intertwined and integrated processes between companies; reduced buffers, eg inventory and lead time; increased demand for on-time deliveries in shorter time windows, and shorter lead times; shorter product life cycles and compressed time-to-market;

2 fast and heavy ramp-up of demand early in product life cycles; and capacity limitation of key components Souter (2000) stresses that companies should not only focus on their own risks: they must also focus on risks in other links in their supply chain According to Lambert and Cooper (2000) and Mentzer et al (2001), for example, a key component for supply chain management (SCM) is sharing both risks and rewards between the members of the supply chain This is often mentioned, but not further elaborated on, in traditional SCM literature The focus of supply chain risk management (SCRM) is to understand, and try to avoid, the devastating ripple effects that disasters or even minor business disruptions can have in a supply chain Some examples of risk sources and such supply chain rippling effects from the last few years are: Hurricanes Hurricane Floyd flooded a Daimler-Chrysler plant producing suspension parts in Greenville, North Carolina (USA) As a result, seven of the company s other plants across North America had to be shut down for seven days Diseases The foot-and-mouth disease in the UK in 2001 affected the agriculture industry more than its last outbreak 25 years ago The reason for this was that former local and regional supply networks had become national and international, and that the industry was much more consolidated (Jüttner et al, 2002) But many other industries were also affected: luxury car manufacturers like Volvo and Jaguar had to stop deliveries due to lack of quality leather supply Fires Toyota was forced to shut down 18 plants for almost two weeks following a fire in February 1997 at its brake-fluid proportioning valve supplier (Aisin Seiki) Costs caused by the disruption were estimated to be $195 million and sales loss was estimated to 70,000 vehicles (, $325 million) (Converium, 2001) Demand Rapidly weakening demand coupled with locked-in supply agreements made Cisco take a $25 billion inventory write-off in Q Supply Inaccurate supply planning led Nike to an inventory shortage of hot footwear models and the sales for Q were $100 million off target Supply chain capacity risks In a situation where demand is very uncertain, and the capacity bottleneck is far upstream from the market place, the risk of investing in more capacity could be a joint issue for the whole supply chain, and different instruments for supply chain risk sharing can be used Ericsson s proactive approach 435 Purpose Recently, the interest of supply chain risk management has increased in purchasing, logistics and supply chain management research (eg Smeltzer and Siferd, 1998; Zsidisin and Ellram, 1999; Hallikas et al, 2000; Ritchie et al, 2000; Lindroth and Norrman, 2001; Johnson, 2001; Lamming et al, 2001; Christopher et al, 2002) This article aims to extend current SCRM knowledge by describing and sharing insights of a company s new organization, processes and tools focused on SCRM The company is Ericsson, a leading telecom company seriously affected by a fire at a sub-supplier some years ago, an accident which has been widely reported (eg TheWall Street Journal, 2001)

3 IJPDLM 436 The remainder of the paper is structured as follows First, literature related to supply chain risk management and business continuity planning in a supply chain perspective will be summarized to give a background of the topic Then there is a short discussion of the methodology Next, the case is introduced by a short description of the Albuquerque incident that increased Ericsson s focus on supply chain risk management The following section describes Ericsson s current approach to SCRM, and the paper ends with a concluding discussion Supply chain risk management The underlying definition of SCRM in this article is: Supply chain risk management is to [collaborate] with partners in a supply chain apply risk management process tools to deal with risks and uncertainties caused by, or impacting on, logistics related activities or resources (Norrman and Lindroth, 2002) Supply chain risk management could of course deal with risks for a single company, or even with the impact on a single logistics activity But following the definition, the unit analyzed should represent a buyer-seller relationship (a dyad) or, preferably, a supply chain of three or more companies Two important dimensions in the definition are risk and uncertainties and the risk management process, which will now be further elaborated on Risk and uncertainty Deloach (2000) defines business risk as the level of exposure to uncertainties that the enterprise must understand and effectively manage as it executes its strategies to achieve its business objectives and create value A more standard definition of risk is risk is the chance, in quantitative terms, of a defined hazard occurring It therefore combines a probabilistic measure of the occurrence of the primary event(s) with a measure of the consequences of that/those event(s) (The Royal Society, 1992, p 4) Hence, risk is a quality that reflects both the range of possible outcomes and the distribution of respective probabilities for each of the outcomes This quantitative definition could be expressed: Risk ¼ Probability (of the event) * Business Impact (or severity) of the event, often illustrated in a risk map or matrix (Figure 1) While risks can be calculated, uncertainties are genuinely unknown But as soon as the quantitative definition is left for a broader and more business oriented perspective, the term also gets fuzzier Jüttner et al (2002) have also observed that the use of the term risk can be confusing, and they argue that risk should be separated from risk (and uncertainty) sources and risk consequences (equal to the term risk impact) Risk sources are the environmental, organizational or supply chain related variables that cannot be predicted with certainty and that affect the supply chain-outcome variables Jüttner et al (2002) suggest organizing risk sources relevant for supply chains into three categories: (1) Numbers: external to the supply chain (2) Internal to the supply chain (3) Network related External risk sources are exemplified by political risks, natural risks, social risks, industry/market risks (eg volatility of customer demand) Internal risk sources

4 Ericsson s proactive approach 437 Figure 1 Risk map/matrix range from labor (strikes) or production (eg machine failure) to IT system uncertainties Network-related risks arise from interaction between organizations within the supply chain, eg due to insufficient interaction and cooperation Risk consequences/impacts are the focused supply chain outcome variables like costs or quality (but also health and safety), ie the different forms in which the variance becomes manifest Other authors discussing similar types of risks are Johnson (2001) and Zsidisin (2001) Johnson (2001) divides supply chains risks between supply risks (eg capacity limitations, currency fluctuations and supply disruptions) and demand risks (eg seasonal imbalances, volatility of fads, new products) Zsidisin et al (eg 2000) focuses on supply risks related to design, quality, cost, availability, manufacturability, supplier, legal, and environmental, health and safety We find supply chain risks to be related to the logistics activities in companies flows of material and information Consequently, it is only a part of all business risks (But, on the other hand, the supply chain perspective also implies a perspective not only including your own company, but a chain of at least three entities: customers, suppliers, sub-suppliers, etc) The stages of the risk management process Risk management is the making of decisions regarding risks and their subsequent implementation, and flows from risk estimation and risk evaluation (The Royal Society, 1992, p 3) The risk management process is focused on understanding the risks, and minimizing their impact by addressing, eg probability and direct impact The stages of the risk management process discussed can vary from risk identification/analysis (or estimation) via risk assessment (or evaluation) to different ways of risk management (labels differ among authors although the steps are similar) Parallel to risk management is the issue of how to mitigate the consequences of an accident if it does happen: to deal with the situation in a way that minimizes business impact This is normally referred to as business continuity management (BCM) and relates to those management disciplines, processes and techniques, which seek to provide the means for continuous operations of essential functions under all circumstances (Hiles and Barnes, 2001, p 379) BCM aims at getting interrupted

5 IJPDLM 438 businesses restarted In many ways, risk management and BCM are overlapping, and some argue that business continuity plans development is the risk management action to take for risks of low probability (such as fires and floods), but whose potential impact is a business failure Supply chain risk analysis and assessment Risk analysis/identification is an important stage in the risk management process Consequently, by identifying a risk, decision-makers become aware of events that may cause disturbances To assess supply chain risk exposures, the company must identify not only direct risks to its operations, but also the potential causes or sources of those risks at every significant link along the supply chain (Christopher et al, 2002) Hence, the main focus of supply chain risk analysis is to recognize future uncertainties to enable proactive management of risk-related issues There are many methods for risk identification and analysis One important tool is risk mapping, ie using a structured approach and mapping risk sources and thereby understanding their potential consequences Two commonly used techniques for researching factors and causes contributing to accidental events are the fault tree analysis (FTA) and the event tree analysis (ETA) Both are logic diagrams that represent the sequences of failures that may propagate through a complex system FTA examines all potential events leading up to the critical event and is a graphical diagram that shows how a system can fail The analysis starts with top events, then the necessary and sufficiently hazardous events, the causes and contributing factors of which are identified together with their logical relationships by way of a backward logic The ETA is also a graphical logic diagram, but goes the other way It focuses on events that could occur after a critical event and identifies and quantifies possible outcomes following initiating events by looking at potential consequences (eg Mullai and Paulsson, 2002) For both techniques, quantitative data, such as probabilities for events, could be used to get an idea of the final probability Deloach (2000) proposes a similar tool called risk driver map, where potential threats are mapped After the risk analysis, it is important to assess and prioritize risks to be able to choose management actions appropriate to the situation One common method is to compare events by assessing their probabilities and consequences and put them in a risk map/matrix (Figure 1) In theory, and when historical events are assessed, this could be quite a straightforward and quantitative task, but in business this could be a subjective process relying on specialists judgements Hallikas et al (2000), show an example of this in a supply context In practice, other risk assessment tools are also used, which are not consistent with the theory of probability and impact but cover a broader perspective instead Zsidisin and Ellram (1999) summarize the supply risk assessment process of a Fortune 500 high-tech company, and propose a ten-step approach to risk assessment (Figure 2) Primarily, they are concerned with material-related risks that could affect timely and cost-effective delivery of quality products and services Risk management Risk management is the process whereby decisions are made to accept a known or assessed risk and/or the implementation of actions to reduce the consequences or probability of occurrence Generally used actions for risk management are to avoid,

6 reduce, transfer, share or even take the risk To avoid is to eliminate the types of event that could trigger the risk To reduce applies both to reduction of probability and consequence Examples of how to reduce the impact could be to have an extra inventory, multiple sources, back-up sites/resources identified, sprinklers in buildings, having risk managers and emergency teams appointed, parallel systems or to diversify Probability could be reduced by improving risky operational processes, both internally and in cooperation with suppliers, and to improve related processes, eg supplier selection Risk could also be transferred to insurance companies but also to supply chain partners by moving inventory liability, changing delivery times of suppliers (just-in-time deliveries) and to customers (make-to-order manufacturing), or by outsourcing activities Furthermore, contracts can be used to transfer commercial risks Finally, risks could be shared, both by contractual mechanisms (eg Tsay et al (1998) or Cachon (2002), for a review on supply chain contracts) and by improved collaboration Ericsson s proactive approach 439 Business continuity management Business continuity management (BCM) is defined as: the development of strategies, plans and actions which provide protection or alternative modes of operation for those activities or business processes which, if they were to be interrupted, might otherwise bring about a seriously damaging or potentially fatal loss to the enterprise (Hiles and Barnes, 2001) Business continuity management includes crisis management (overall processes to manage the incident), disaster recovery (recovery of critical systems, applications, data and networks), business recovery (recovery of critical business processes) and contingency planning (recovery from impact external to the organization) (CMI, 2002) Developing action plans is important in BCM, and business continuity planning (BCP) is a term often used BCP is planning to ensure continued operations in case of a catastrophic event But it goes beyond disaster-recovery planning, since it includes the actions to be taken, resources required, and procedures to be followed to ensure the continued availability of essential services, programs and operations in the event of unexpected interruptions BCP has previously been mostly related to computers and information technology-related disasters, especially before Y2K, but since then the approach has moved towards more applications in other business contexts However, according to a study by CMI (2002), only about 30 percent of all companies studied developed BCP jointly with suppliers Only 9 percent of companies that have outsourced activities (not only logistics) insist on their outsource suppliers having business continuity plans Figure 2 Supply risk assessment process based on Zsidisin and Ellram (1999)

7 IJPDLM 440 The first activities in developing business continuity plans are identifying the risks and assessing their probability and impact the steps are hence identical to risk management Part of this is to understand what will be affected (damage potential analysis) Then, strategies and recovery plans should be developed that could be implemented both before the incident (similar to risk management strategies) and after the incident Post-incident strategies are implemented to maintain partial or total product supply and could for manufacturing and logistics include (Musson, 2001): use of spare capacity within the organization; shutdown of marginal product lines and transfer of key products to those production facilities; assistance from competition; outsourcing to sub-contractors, job shops, etc; re-labeling of competitors products (after consideration of all legal implications); and establishment of temporary facilities when production capabilities can be established with off-the-shelf or second-hand equipment Methodology Since only limited empirical research on how companies deal with supply chain risk management has been found, an explorative approach has been chosen Examples of earlier case studies in the area are those of Zsidisin (2001), Zsidisin and Ellram (1999) and Zsidisin et al (2000), but they have focused more on purchasing and supply than a supply-chain approach, consisting of the idea to work with risks along multiple companies in a chain In our study, a single case is used, which is an appropriate way of establishing the field at the early stages of an emerging topic (Eisenhardt, 1989) To capture and examine contemporary events, the case study approach is normally preferred (Yin, 1994) The single case could give good enough insights on the breadth of issues and a better opportunity to penetrate important issues Ericsson has been chosen for several different reasons: It is in a volatile industry that faces many of the business trends described in the introduction; it has recently had a major supply chain incident that has been widely reported; lately, it has worked hard to improve its supply chain risk management; and, finally, the company has been willing to openly share its experiences and has given good access to information and data Empirical data have initially been collected through semi-structured and open interviews done by the academic co-author with about ten representatives from various functions within Ericsson: corporate risk management, core unit supply (a both strategic and operational SCM-function), sourcing, and supply chain risk management (industry co-author) In addition, supplementary documents showing processes, organizational structures and risk management tools were collected by the academic co-author to verify and more detailed illustrate the findings from the interviews By using multiple sources of evidence and interviewees, construct validity improves (Yin, 1994) The joint writing process started with a structured synopsis developed by the academic researcher, comparable with an interview guide, which was then filled with facts and descriptions in a collaborative writing and analysis process (The industry co-author had of course meetings and written communication with colleagues to get supplementary data and opinions) By this collaborative writing and analysis process

8 between an academic and industry co-author, we think that the richness of the case study description can be improved as well as the construct validity increased (Yin, 1994, pp 32-4) Further the final paper has been returned for comments and correction to the other functions interviewed As this research is an explorative single case study, external validity and broad generalizability are difficult to address One purpose has been to describe pioneering practice for other practioneers to make it possible to benchmark, and for academics to start a process of analytical generalization (Yin, 1994) by first doing replicate studies and pattern matching-analysis Hence external validity and generalizability could increase over time with more cases Ericsson s proactive approach 441 Ericsson and the sub-supplier accident Ericsson is the largest supplier of mobile telecom systems in the world, active worldwide since 1876 and currently employing approximately 61,000 people in more than 140 countries The world s ten largest mobile-phone operators are among their customers and some 40 percent of all mobile phone calls are made through Ericsson systems For the last ten years, Ericsson has outsourced a great deal of its assembly and production to contract manufacturers and sub-suppliers With Sony Ericsson (including Ericsson s old cellular phone business) it is also a top supplier of complete mobile multi-media products Like most companies, Ericsson has been exposed to a number of risks and incidents in the last few years:, eg suppliers having quality and delivery problem, industries general lack of capacity, and power disruption lasting a few days We will shortly describe the accident that can be seen as the major trigger for Ericsson to improve its supply chain risk management The Albuquerque accident A major accident from an Ericsson perspective was a fire on 18 March 2000 in a very small production cell (small as a conference room for ten people) at a sub-supplier s plant in Albuquerque, New Mexico (USA) The ten-minute fire was an effect of a lightning bolt hitting an electric line in New Mexico, causing power fluctuations throughout the state The problem was that when the power was out, there was no spare diesel motor to supply the fans with power, so the fans stopped From a plant perspective, the resulting fire was almost negligible, and when the fire brigade arrived it was sent home as the fire already was out (The Wall Street Journal) But for Ericsson, the impact was huge In the spring of 2001, when the annual report from Ericsson was announced, a major loss of about $400 million was indicated, primarily due to gaps in the supply of radio-frequency chips from this supplier The reason was that the fire occurred in one of the plant s clean rooms, where absolutely no dust is tolerated Due to the fire, and especially the smoke and sprinkler water, it took almost three weeks until the production was up and running After six months, the yield was only 50 percent, and it would take years to get new equipment delivered and installed As this plant was Ericsson s only source for this chip, Ericsson was not able to sell and deliver one of its key consumer products during its booming market window The company lost many months of mobile phone production, and the accident finally had a great impact on Ericsson s decision to withdraw from the mobile phone terminal business Later, Ericsson s business interruption costs were calculated as approximately $200 million, which was compensated by insurance companies This was one of the biggest

9 IJPDLM 442 insurance payments that year (after the 9/11 disaster) The accident made Ericsson realize the importance of not only understanding and managing risks internally but also trying to better analyze, assess and manage risk along the supply chain and to take immediate action when incidents are indicated In a widespread analysis, The Wall Street Journal argued that Ericsson did not take action quickly and powerfully enough after the Albuquerque accident, and that it took too long before higher management was aware of the incident Further, Ericsson neither had alternative sources nor was prepared for this kind of accident Now, actions have been taken: During the last few years, a formal SCRM organization has been put in place, and many SCRM processes and tools have been developed and implemented Today s philosophy at Ericsson is that everyone is a risk manager Ericsson s current supply chain risk management approach In the last few years (after the Albuquerque accident and before the renewal of its insurance), Ericsson has further developed and implemented processes and tools for supply chain risk management The purpose is minimizing risk exposure in the supply chain Its approach for this (Figure 3) is based on a process with feedback-loops between the sub-processes The risk management process includes risk identification (similar to risk analysis), risk assessment, risk treatment (similar to risk management) as previously discussed in theory, but it has also added a process step for risk monitoring In parallel (and central) to this, the company has put incident handling and contingency planning Organizational principles and responsibility Previously, risk management was handled by a corporate function, mostly dealing with insurance companies (and later also security) In the last few years the organisation for supply chain risk management has been developed and many people and functions are involved On a high level, the corporate function for risk management, the SCM/logistics function (in Ericsson called the core unit supply) and the purchasing function (core unit sourcing) are involved, as well as (Figure 4) the units responsible for the different business areas (SBAs) They are working together in a Figure 3 Ericsson s basic approach to SCRM

10 Ericsson s proactive approach 443 Figure 4 Organization of risk management on a corporate level matrix-oriented way, for example with a risk management council with representatives from the different units The roles of the main functions involved are: corporate risk management has the overall responsibility for risk management in the Ericsson group and has contact with the insurance companies and co-ordinates risk management activities in the whole group, also developing directives; core unit supply (CSUP) is responsible for the operative work and daily interface with suppliers; system business area (SBA) has the business perspective and owns the product; and core unit sourcing is responsible for the commercial interfaces with the supplier and is therefore involved in evaluation of suppliers and when incidents occur A matrix approach is taken (Figure 5) on a more operational level within the SCM/logistics function (CSUP), as well A supply chain risk manager, placed within core unit supply, is responsible for development and implementation of SCRM He is working closely together with corporate risk management, as well as with the line people (supply chain managers), responsible for different supply chains and hence also for the supply chains risks Supply chain managers are also part of CSUP, but interfacing the SBAs Supply chain managers should use the tools and processes developed by the SCR manager to analyze, assess and manage risk in their supply chains In this work purchasers are involved in the assessments of and contacts with suppliers The roles of the operational people involved in SCRM are: Supply chain risk manager (SCR manager) at core unit supply runs and coordinates the work to maintain an optimal balance between risk exposures and costs for damages versus protection activities Supply chain managers (SCM) within CSUP are the interface to SBAs and have full responsibility for the respective SBA s supply chain They are responsible for risk management as regards securing the reliability of supply chains and their ability to deliver Core production: supports SCM with risk management issues

11 IJPDLM 444 Figure 5 Organization of SCRM within the SCM/logistics function core unit supply The matrix approach means that many different players are involved in and sharing responsibility for implementing and maintaining information regarding risk management This could make roles unclear, and hence responsibility grids (Figure 6) are defined However, the key responsibility lies with the SCMs that should run the risk management work in their respective supply chain Risk identification process Initially, Ericsson identifies and analyzes its supply chain risks by mapping the supply chain upstream, looking at suppliers as well as products/services (Figure 7) Figure 6 Part of responsibility grid

12 Ericsson s proactive approach 445 Figure 7 Supply chain risk and structure map The purpose of this is verifying the business flow between Ericsson and the supplier/service provider and defining the critical parts and risk sources in the process, ie products, components, sites, etc The goal is to get a better understanding of what the probability and impact of the risks are So far, more than 10,000 components have been analyzed, mainly of first and second tier suppliers First, each component is classified into four different classes depending on the number of sources: (1) The product is currently sourced from more than one approved source (eg two or more manufacturers or one manufacturer with two or more sites) (2) The product is currently sourced from one approved source; other sources are approved and available but not used (3) The product is currently sourced from one approved source; other sources are available and approved but no tools, masks or other equipment needed are in place (4) The product is currently sourced from one supplier No additional manufacturer is available Ericsson then tries to understand the impact by looking at how long an accident will affect deliveries This is expressed by business recovery time (BRT) Components are put into four different classes: (1) It takes less than three months to get deliveries from an alternative source (2) Three to eight months to get approval and deliveries from an alternative source (3) Nine to 12 months, re-design the only alternative (4) 12 months, re-design of a unit/product of high complexity Risk assessment process Then, an in-depth analysis is carried out of the suppliers and sub-suppliers of critical products For this, Ericsson has developed a tool called Ericsson risk management evaluation tool (ERMET) ERMET (Figure 8) evaluates many different issues in detail, eg business control, financial issues, hazards in the surroundings (external as well as

13 IJPDLM 446 Figure 8 Overview of ERMET Ericsson risk management evaluation tool man-made); hazards at the site; and business-interruption handling The tool is used to analyze both internal and external suppliers Internally, the tool will be used in combination with contingency planning When using ERMET, corporate risk managers and SCR managers often work together, as the tool is complex and requires knowledge to use Often, a representative from sourcing is brought in, who is responsible for the supplier contacts Each sub-area in ERMET is thoroughly evaluated by looking into different aspects (see Figure 9), trying to quantify the risk by looking at impact (consequence) and probability The suppliers total risk situation, and their forecasted development, is then summarized into spider-web diagrams Those evaluations are done regularly and are used to follow up improvements and action plans ERMET is mostly focusing on operational accidents and catastrophes and how to avoid business interruption Ericsson uses other tools to try to identify and assess more strategic uncertainties such as shifts in products or product generations When a risk or uncertainty source has been identified, the SCR manager facilitates workshops attended by different functional and business specialists where events are discussed that could lead to risks For each event causes are identified, so that preventive actions can be developed (This methodology is similar to FTA) The analysis and actions are then summarized into special templates that are later used for follow-up and monitoring of the risks (Figure 10) Ericsson tries to combine impact and probability in a risk map/matrix But it has found that the risk value (calculated by multiplying impact and probability) is not always easy to use, as the probability could be difficult to get and the value is not always understandable to business people Therefore, Ericsson is focusing on the financial impact when assessing which risks to prioritize and for which supplier or components to take actions To get a financial value of the impact on Ericsson s own business, the company calculates the business interruption value (BIV) Currently this value is defined by gross margin multiplied by the business recovery time (BRT) plus extra costs such as idle capacity labor and equipment, inventory carrying etc Its aim is to also consider values such as lost goodwill This calculation is made by the

14 Ericsson s proactive approach 447 Figure 9 Examples of detailed risk assessment and summary diagrams business control function in order to help the supply chain manager To categorize the risks, BIV is divided into four classes: (1) Severe: BIV, $100 million (2) Major: BIV, $50 million-$100 million (3) Minor: BIV, $10 million-$50 million (4) Negligible: BIV,, $10 million

15 IJPDLM 448 Figure 10 Risk map/matrix and corresponding risk management actions

16 This is then used as a basis for the risk matrix to compare the result from the risk identification process to understand the impact if an interruption occurs (very high, high, medium or low) For each of these risk levels, different actions are required (Figure 11) Ericsson finds risks with high consequences/low probability more important to handle from a risk management perspective than those with low consequence/high probability Risk treatment/management The third step in Ericsson s process is called risk treatment, which includes both developing risk mitigation strategies and deciding on those This is a line responsibility, and who is doing it depends on which tier the risk source is part of: for higher tier, supplier sourcing is responsible, while for lower tier, the supply chain manager (Figure 6), and for internal plants it is production Standard templates and tools for this (Figure 10) are developed by the SCR manager Those templates start with describing the risk source and its probability and consequence, and continue with a summary of different mitigations strategies, their costs and how they affect the risk situation To compare the cost of different preventive actions with the business interruption value is regarded as very important Finally, responsible persons are appointed Ericsson s proactive approach 449 Risk monitoring and follow-up If the risk level is very high, or high and not mitigated, risk monitoring is required If the residual risk, after mitigation, is not reduced to an acceptable risk level it must continue to be monitored Risk assessment and treatment templates (Figure 10) and the spider web (Figure 9) are used to monitor who is responsible internally and how different supply chain partners are developing compared to their commitments For suppliers and sub-suppliers, special attention is given to how their risk management processes are developing Incident handling and business continuity planning Ericsson is putting emphasis on developing procedures and templates for incident handling and BCP to decrease the consequences of an accident After the Albuquerque accident, the process for incident reporting is very important and task forces/emergency teams have been appointed If an incident occurs, this should be reported to either the sourcing task force (if external supplier) or the SCM task force and production task force (if internal supplier) When an incident has been reported, it should then be communicated to the other task forces as well as to the supply chain risk manager and the corporate risk management (Figure 12) Also, related SBA and Figure 11 Templates for risk assessment and treatment, and contingency planning

17 IJPDLM 450 Figure 12 Information flow and task forces for incident handling market representatives that might potentially be affected should be notified It is not tolerated that suppliers not report incidents they should not first be reported by newspapers or other sources The task forces/emergency teams will be trained at least once a year in different scenarios, for example a disruption in the supply chain due to a disaster at a class four supplier When an incident occurs, the three task forces should work closely together, if necessary To develop contingency plans, a toolbox is available on the intranet While the previous contingency planning focus was on site recovery, it has now moved towards a focus on the whole supply chain If Ericsson cannot manage a risk by eliminating or minimizing the consequences, the company makes a contingency plan to know what to do if something happens Ericsson has divided contingency planning into three steps (Figure 10): (1) Response plan: the response is the required reaction to an incident or emergency to assess the level of containment and to control activity (2) Recovery plan: the recovery phase actions shall include the actions that are needed to resume critical or essential business operations, functions or processes (3) Restoration plan: the process of planning for and implementing full-scale business operations again and to allow the organization to return to normal service level For each risk source, a responsible person shall be appointed and actions for response, recovery as well as restoration phase be developed The supply chain approach to risk management and business continuity management Supply chain risk management is not only to analyze, assess and manage internal risks and try to plan for business continuity for the own company SCRM means widening this approach to the chain of suppliers and suppliers suppliers This could be done by visiting suppliers and analyze and assess them, but more proactively to make them implement a SCRM approach themselves, which guarantees a further spread upstream

18 Ericsson is implementing this approach both by soft discussion and by putting the following guidelines as requirements into the frame contracts: The supplier shall establish and maintain a secure sourcing plan including regularly updated business continuity and business contingency plans The supplier shall identify a back-up site/resource for each relevant site A person responsible for initiating the secure sourcing plan activities shall be appointed for each relevant site Key personnel at the supplier shall be appointed and reasonably trained on Ericsson s specific product requirements Alternatively, personnel in the facilities concerned shall be prepared to be transferred to the dedicated back-up capacity The supplier shall report incidents Ericsson s proactive approach 451 The Ericsson entities placing orders should be allowed to review the plan The supplier shall have corresponding requirements on its suppliers and contractors The supplier shall actively work with risk management with its contractors and suppliers Ericsson shall at any time have the option to acquire some or all assets which are unique for the production of Ericsson products by the supplier To summarize Ericsson s approach for SCRM (Figure 13) it starts with mapping all the components and products many tiers upstream the supply chain and identifies critical suppliers and sites that have to be prioritized in the further risk assessment Suppliers, first critical then others, are then analyzed and assessed with the Ericsson evaluation tool (ERMET), which takes many different risk sources into account By these two first Figure 13 Ericsson s approach to supply chain risk management

19 IJPDLM 452 steps, a rough assessment is made on how a shortage of a material or product will affect the supply chain and, finally, Ericsson s invoicing Based on a more thorough investigation, risk probability and the impact of different accidents at each supplier will be evaluated and the impact measured as business recovery time The supplier risk is then translated to the risk related to Ericsson s business with the impact measured in business interruption value Based on this assessment, risk management actions can be discussed and taken A very important part in this last step is to find the right trade-off between risk management (protection) cost and risk cost (impact measured as BIV): a too high investment in safeguards is not good business practice, either So far, most joint work has been with the next upstream tier, the contract manufacturers They have been very positive to and interested in the co-operative approach to secure the supply chain and reduce supply chain risks An important part of the work has been to share tools and methods used in the risk management process to analyze and assess risks Business impact of improved supply chain risk management The new SCRM approach has so far contributed well to Ericsson After the Albuquerque accident, it was quite difficult to get new business-interruption insurances The insurance companies were skeptical and an increase of insurance costs was flagged Further, they demanded more and more information on risks in the supply chain With the current way of working with SCRM, this has changed again, and lately, insurance companies have praised Ericsson s way of working, and will probably impose the same requirements on other companies The insurance premium offered was 50 percent lower than Ericsson first expected, due to its SCRM work Although the supply chains now are more secure and less vulnerable, there have been incidents after Albuquerque (and always will be) During the implementation of SCRM processes, a new incident occurred at a supplier A small fire in a plating line caused a disruption This incident gave Ericsson the opportunity to test and verify the processes with a real case In their risk identification process, the business recovery time for that component was estimated to approximately three months, which proved to be correct Based on BRT and previous experience, Ericsson could act and set up enough resources to handle the incident Ericsson quickly enough allocated components, so there was no disruption in their inbound supply The SCRM tools have also started being used for other purposes than those they were initially developed for The supply chain risk and structure maps are now also used to assess capacity and dimensioning risks in order to arrange buffers Another example is that a SBA uses the cause-event analysis for risks related to product introduction, ramp-up and product changes This indicates that the SCRM work has been positively received by the organization Concluding discussion Supply chain risk management seems to be of growing interest and importance both from an academic and a practioner perspective The development lately within SCM/logistics has created long, lean and interconnected chains of companies vulnerable to accidents and their rippling effects In the last few years, there have been many examples of such accidents, and in this article we have described Ericsson s new

20 approach to SCRM after its supply chain accident in Albuquerque Ericsson has now developed and implemented improved organization, processes and tools for supply chain risk management It tries to identify, analyze and manage both internal and external risk sources, related to the company as well as its suppliers and sub-suppliers By this, and an increased requirement on and cooperation with suppliers regarding risk management, it also tries to avoid impact from network related risk sources According to Ericsson, an important success factor, to make SCRM work, is having an open discussion with the suppliers, both during risk analysis and assessment, but particularly when handling incidents Many ideas and tools have been taken from normal risk management practice, but have been applied with a supply chain perspective, focusing not only on Ericsson s own activities As a result, risk consequences have been reduced, Ericsson has been better able to handle incidents and its insurance costs have been reduced However, the approach is continuously implemented and has still not come to its end (if it ever will) Although Ericsson s approach can be considered proactive, the company will stress the importance of having reactive task forces prepared Even if much resources are invested in risk analysis and assessment, accidents might appear where and when least expected and then an efficient crisis organization must be in place to minimize the consequences Ericsson s work has, to some extent, been driven by a pressure from insurance companies a pressure that most likely will be put on other companies and industries too What the insurance companies realized, with the Albuquerque accident as a trigger, was that they did not understand the risks, risk sources and consequences that the current long supply chains and their rippling effects had Hence, a new driving force for companies to work with SCRM could be that insurance companies will require it to reduce insurance premiums or even to sell contingency insurances Current logistics and supply chain principles have been influenced by the attempts in the last few decades, first to reduce costs, then time and quality, and have lately focused on concepts of responsiveness, agility and leanness (Figure 14) Those principles could lead to very vulnerable supply chains, and, consequently, the interest in SCRM has increased lately However, to safeguard logistics processes too much could be both counteractive to current best practice in logistics as well as too costly Hence, we would argue that a balanced approach should be taken, where SCRM Ericsson s proactive approach 453 Figure 14 Key focus areas within logistics and SCM

21 IJPDLM 454 is one part of the equation This could be done by trying to relate risk consequences to time (business recovery time) and money (business interruption value) as Ericsson is now doing Further, it is possible to expand the risk management focus from the companies own sites to suppliers and sub-suppliers by working together in risk identification, assessment, management and business continuity planning, but also by formal assessment of how suppliers are working with those issues and by putting requirements into the contracts Current and new logistics principles could be evaluated from a SCRM perspective, and risk management actions must be evaluated from a logistics perspective focusing on cost, time, quality etc Some connections between SCRM and the other areas (Figure 14) are: Risk and costs: SCRM might create too high prevention costs (reducing probability or impact by increased buffers, new processes, extra suppliers, etc) as well as reduce cost for both business interruptions and insurances The Ericsson case is an example in which the risk is measured in money (BIV), prevention cost is compared to risk costs, and insurance cost is decreased thanks to improved SCRM Risk and time: SCRM might create buffers and processes delaying lead time but through good and well thought out SCRM other actions should be found Time could also be reduced eg the reaction time when an incident or accident happens Ericsson is also an example of how a time measurement (BRT) is used to assess risk impact Risk and quality: these two areas are most similar and should definitely work out well in parallel both have a clear process orientation and a focus on avoiding errors (Lee and Wolfe, 2003, elaborate on this issue) Risk and agility, responsiveness and leanness: companies efforts to increase agility, responsiveness and leanness have led to increased outsourcing and reduced buffers and lead time and hence to increased vulnerability Ericsson is characterized by this aspiration and has implied a high risk exposure However, as these three concepts are very important in today s business, efficient SCRM is important for managing the increased risk exposure The main contributions of this article have been to stress the supply chain approach in SCRM as a complement to more purchasing oriented studies, and to give a quite detailed description of how SCRM could work in practice By using a case company that only a few years ago was seriously affected by a sub-suppliers fire and hence started to focus on SCRM, it should hopefully bring new insights both to academy and practioners The interrelation between supply chain risk management and current logistic/supply chain management principles is not clear, and we find this to be an interesting field for future research so that SCRM actions neither decreases supply chain efficiency nor is seen only as costly and time consuming References Cachon, G (2002), Supply Chain Coordination with Contracts, The Wharton School of Business, University of Pennsylvania, Philadelphia, PA

22 Chartered Management Institute (CMI) (2002), Business Continuity and Supply Chain Management, report available at: wwwthebciorg/ %20bus%20continuity% 20Summpdf Christopher, M, McKinnon, A, Sharp, J, Wilding, R, Peck, H, Chapman, P, Jüttner, U and Bolumole, Y (2002), Supply Chain Vulnerability, Cranfield University, Cranfield Converium (2001), Suppliers extension or contingent business interruption insurance, available at: wwwconveriumcom/web/converium/converiumnsf/2a1b7a462af6c ad2000da28c/30c4e3ebc211d4f9c1256ad b5?OpenDocument Deloach, JW (2000), Enterprise-wide Risk Management Strategies for Linking Risk and Opportunities, Financial Times/Prentice-Hall, London Eisenhardt, KM (1989), Building theories from case study research, Academy of Management Review, Vol 14 No 4, pp Hallikas, J, Virolainen, V-M and Tuominen, M (2000), Risk analysis and assessment in network environment a dyadic case study, Preprints of the 11th International Working Seminar on Production Economics, pp Hiles, A and Barnes, P (Eds) (2001), The Definitive Handbook of Business Continuity Management, J Wiley & Sons, Chichester Johnson, ME (2001), Learning from toys: lessons in managing supply chain risk from the toy industry, California Management Review, Vol 43 No 3, pp Jüttner, U, Peck, H and Christopher, M (2002), Supply chain risk management: outlining an agenda for future research, in Griffiths, J, Hewitt, F and Ireland, P (Eds), Proceedings of the Logistics Research Network 7th Annual Conference, pp Lambert, DM and Cooper, MC (2000), Issues in supply chain management, Industrial Marketing Management, Vol 29, pp Lamming, R, Caldwell, N, Harrison, D and Phillips, W (2001), Transparency in supply relationships: concept and practice, Proceedings of the 10th International IPSERA Conference, pp Lee, HL and Wolfe, M (2003), Supply chain security without tears, Supply Chain Management Review, January/February, pp Lindroth, R and Norrman, A (2001), Supply chain risks and risk sharing instruments an illustration from the telecommunication industry, Proceedings of the Logistics Research Network 6th Annual Conference, Heriot-Watt University, September, pp Mentzer, JT, DeWitt, W, Keebler, JS, Min, S, Nix, NW, Smith, CD and Zacharia, ZG (2001), Defining supply chain management, Journal of Business Logistics, Vol 22 No 2, pp 1-25 Mullai, A and Paulsson, U (2002), Oil Spills in Öresund Hazardous Events, Causes and Claims, Lund University, Lund Musson, M (2001), BC strategies for manufacturing and logistics, in Hiles, A and Barnes, P (Eds), The Definitive Handbook of Business Continuity Management, J Wiley & Sons, Chichester, pp Norrman, A and Lindroth, R (2002), Supply chain risk management: purchasers vs planners views on sharing capacity investment risks in the telecom iindustry, Proceedings of the 11th International Annual IPSERA Conference, Twente University, March, pp Ritchie, B, Brindley, C, Morris, J and Peet, S (2000), Managing risk within the supply chain, paper presented at the 9th International IPSERA conference, Ontario, May (The) Royal Society (1992), Analysis, Perception and Management, The Royal Society, London Ericsson s proactive approach 455

23 IJPDLM 456 Smeltzer, LR and Siferd, SP (1998), Proactive supply management: the management of risk, International Journal of Purchasing and Materials Management, Vol 34 No 1, pp Souter, G (2000), Risks from supply chain also demand attention, Business Insurance, Vol 34 No 20, pp 26-8 Svensson, G (2000), A conceptual framework for the analysis of vulnerability in supply chains, International Journal of Physical Distribution & Logistics Management, Vol 30 No 9, pp Tsay, AA, Nahmias, S and Agrawal, N (1998), Modelling supply chain contracts: a review, in Tayur, S et al (Eds), Quantitative Models for Supply Chain Management, Kluwer Academic, Norwall, MA, pp Wall Street Journal (2001), Trial by fire a blaze in Albuquerque sets off major crisis for cell-phone giants, 29 January Yin, RK (1994), Case Study Research Design and Methods, Applied Social Research Methods Series, Vol 5, Sage Publications, Thousand Oaks, CA Zsidisin, G (2001), Measuring supply risk: an example from Europe, Practix, Best Practices in Purchasing and Supply Chain Management, June, pp 1-6 Zsidisin, G and Ellram, LM (1999), Supply risk assessment analysis, Practix, Best Practices in Purchasing and Supply Chain Management, June, pp 9-12 Zsidisin, G, Panelli, A and Upton, R (2000), Purchasing organization involvement in risk assessment, contingency plans, and risk management: an exploratory study, Supply Chain Management: An International Journal, Vol 5 No 4, pp Further reading AT Kearney and European Logistics Association (1999), Insight to Impact Results of the 4th Quinquennial European Logistics Study, ELA, Brussels Lonsdale, C (1999), Effectively managing vertical relationships: a risk management model for outsourcing, Supply Chain Management: An International Journal, Vol 4 No 4, pp