A MODEL FOR PROACTIVE SUPPLY CHAIN RISK MANAGEMENT

A MODEL FOR PROACTIVE SUPPLY CHAIN RISK MANAGEMENT I Nyoman Pujawan and Laudine H. Geraldin Logistics and Supply Chain Management Laboratory Department of Industrial Engineering Sepuluh Nopember Institute of Technology Kampus ITS Sukolilo, Surabaya Indonesia E-mail: pujawan@ie.its.ac.id ABSTRACT Increasingly, companies need to be vigilant with the risks that could harm the short-term operations as well as the long-term sustainability of their supply chain. A wide variety of risks could disturb a supply chain from its smooth operations, ranging from material shortages, delayed transportation, unexpected declining in demand, supplier bankruptcy, natural disaster, terrorist attack, etc. With the increasing complexity of supply chain configurations as a result of companies involving more partners in their operations through outsourcing and other contract schemes, the supply chains are more exposed to risks, and hence it is imperative for them to have an effective management of supply chain risks. In this paper, we present a model for risk assessment and mitigation. We modified the well known FMEA model for risk assessment and adapt the House of Quality model for determining which risk agents are to be prioritized and then for selecting a set of cost-effective mitigation actions. In the model, each risk event is associated with a value of severity and each risk agent will have a probability of occurrence. The correlation of each risk agent and each risk event is determined. We defined aggregate risk potential for each risk agent as a measure of risks caused by a risk agent. The model is applied to a large fertilizer company in East Java, Indonesia. KEY WORDS Supply Chain Risk Management, Framework, Case Study 1. Introduction Business communities are facing increasingly more risky environments recently. Stringent competitions, internal instability caused by employee strikes and technical failures, changes in macro economy and politics, as well as natural and man made disasters are sources of risks facing business communities nowadays. In the context of supply chain, the risks are increasing partly due supply chain complexity as a result of companies outsourcing more and more activities to outside parties. A study conducted by Finch [1] revealed that inter-organizational networking increased large companies exposure to risks, especially if the partners are small and medium enterprises. In addition, factors such as reduction of supply base, globalization of supply chain, shortened product life cycles, and capacity limitation of key components also increase supply chain risks [2]. Risk is a function of the level of uncertainty and the impact of an event [3]. Tang [4] classified supply chain risks into operations and disruptions risks. The operations risks are associated with uncertainties inherent in a supply chain which include demand, supply, and cost uncertainties. Disruption risks, on the other hand, are those caused by major natural and man-made disasters such as flood, earthquake, tsunami, and major economic crisis. Both operations and disruption risks could seriously disrupt and delay materials, information, and cash flow, which in the end could damage sales, increase costs, or both [5]. Analysis conducted by Hendricks and Singhal ([6], [7]) show that companies experiencing disruption risks were significantly outperformed by their peers in terms of operating as well as stock performance. To survive in a risky business environment, it is imperative for companies to have a proper supply chain risk management. According to Norrman and Jansson [2], the focus of supply chain risk management is to understand, and try to avoid, the devastating effects that disasters or even minor business disruptions can have in a supply chain. The aim of supply chain risk management is to reduce the probability of risk events occurring and to increase resilience, that is, the capability to recover from a disruption. Sheffi & Rice [8] suggest that the supply chain resilience can be improved by either creating redundancy or improving flexibility. With the increasing interest in supply chain management, where companies no longer focus solely on their own organizations, the supply chain risk management should also be managed in relation with inter-organizational view. In this paper, we present a model for identification, assessment, and mitigation of supply chain risks. We modified the well known FMEA model for risk quantification and adapt the House of Quality model for

prioritizing which risk agents are to be dealt with first and for selecting the most effective actions in order to reduce the risks potentially posed by the risk agents. In the quantification stage, we first define basic supply chain processes based on the SCOR terminology. The core supply chain processes will be analyzed to identify the risks that could happen and the consequences if it happened. The risk agents and their associated probabilities are also assessed. For each risk agent, we calculate the aggregate risk potential, defined as the aggregate severity of impacts from all risk events caused by a risk agent multiplied by the corresponding probability occurrence of the risk agent. The model is applied to a large fertilizer company in East Java, Indonesia. 2. Exiting Models for SC Risk Assessment and Mitigation A number of different models for risk assessment and mitigation have been proposed in the literature. Sinha et al. [3] proposed a methodology to mitigate supply chain risks. The model involves the process of identifying, assessing, planning and implementing solution, conducting FMEA analysis, and doing continuous improvement. The five activities were modeled in IDEF0 where each activity should have an input, an output, a mechanism, and a control. The model was applied to a supplier in the aerospace industry. In the FMEA stage, the risk potential number (RPN) of each potential failure mode is a product of the probability of a failure mode occurring (P) and the associated severity of impacts generated (S) if it occurred. Both the P and S were assessed subjectively using a scale of 1 to 10. Kleindorfer and Saad [9] proposed a methodology in dealing with supply chain disruption risks. The methodology includes three general processes, called SAM (Specifying resources of risk and vulnerabilities, Assessment, and Mitigation). To implement the above three tasks, the authors proposed 10 principles derived from industrial risk and supply chain management literatures. Cucchiella & Gastaldi [10] presented a real option approach for managing supply chain risks. The proposed model include six steps to be carried out: analysis of supply chain, identify uncertainty sources, examine the subsequent risk, manage risk, individualize the most adequate real option, and implement supply chain risk strategy. The real option types considered in the paper include defer, stage, explore, lease, outsource, scale down, scale up, abandon switch, and strategic grow. Analytical Hierarchy Process (AHP) has also been used to assess risk in a supply chain [11]. The AHP was used to prioritize supply chain objectives, identifying risk indicators, as well as assessing the potential impact of negative events and the cause-effects relationships along the chain. The authors suggest that supply chain risk management can be considered as a process that supports the achievement of supply chain management objectives. 3. House of Risk Model Our model is based on the notion that a proactive SC risk management should attempt to focus on preventive actions, i.e., reducing the probability of risk agents to occur. Reducing occurrence of the risk agents would typically prevent some of the risk events to occur. In such a case, it is necessary to identify the risk events and the associated risk agents. Typically, one risk agent could induce more than one risk events. For example, problems in a supplier production system could result in shortage of materials and increased reject rate where the latter is due to switching procurement to other, less capable, suppliers. In the well known Failure Mode and Effect Analysis (FMEA), risk assessment is done through calculation of a Risk Potential Number (RPN) as a product of 3 factors, i.e., probability of occurrence, severity of impacts, and detection. Unlike in the FMEA model where both the probability of occurrence and the degree of severity are associated with the risk events, here we assign the probability to the risk agent and the severity to the risk event. Since one risk agent could induce a number of risk events, it is necessary to quantity the aggregate risk potential of a risk agent. If Oj is the probability of occurrence of risk agent j, Si is the severity of impact if risk event i occurred, and Rij is the relation between risk agent j and risk event i then the ARPj (aggregate risk potential of risk agent j) can be calculated as follows: ARP = O S R (1) j j i We adapt the house of quality (HOQ) model to determine which risk agents should be given priority for preventive actions. A rank is assigned to each risk agent based on the magnitude of the ARPj values for each j. Hence, if there are many risk agents, the company can select first a few of those considered having large potentials to induce risk events. In this paper, we propose two deployment models, called House of Risk (HOR), both of which are based on the modified HOQ: 1. HOR1 is used to determine which risk agents are to be given priority for preventive actions. 2. HOR 2 is to give priority to those actions considered effective but with reasonable money and resource commitments i ij

Risk Agents (Aj) Business Processes Risk Event (Ei) A1 A2 A3 A4 A5 A6 A7 Severity of Risk Event i (Si) Plan E1 R11 R12 R13.... S1 E2 R21 R22..... S2 Source E3 R31...... S3 E4 R41...... S4 Make E5....... S5 E6....... S6 Deliver E7....... S7 E8....... S8 Return E9....... S9 Occurrence of agent j O1 O2 O3 O4 O5 O6 O7 Aggregate Risk ARP1 ARP2 ARP3 ARP4 ARP5 ARP6 ARP7 Potential j Priority rank of agent j Figure 1: House of Risk (HOR) 1 Model Preventive Action (PAk) To be treated risk agent (Aj) PA1 PA2 PA3 PA4 PA5 Aggregate Risk Potentials (ARPj) A1 E11 ARP1 A2 ARP2 A3 ARP3 A4 ARP4 Total effectiveness of TE1 TE2 TE3 TE4 TE5 action k Degree of difficulty D1 D2 D3 D4 D5 performing action k Effectiveness to difficulty ETD1 ETD2 ETD3 ETD4 ETD5 ratio Rank of priority R1 R2 R3 R4 R5 Figure 2: House of Risk (HOR) 2 Model

HOR 1 In the House of Quality (HOQ) model, we relate a set of requirements (What) and a set of responses (How) where each response could address one or more requirements. The degree of correlation is typically classified as none (and given an equivalent value of 0), low (1), moderate (3), and high (9). Each requirement has a certain gap to fill and each response would require some types of resources and funds. The main objective of the HOQ is to identify responses which are deemed cost-effective. Adopting the above procedure, the HOR1 is developed through the following steps: 1. Identify risk events that could happen in each business process. This can be done through mapping supply chain processes (such as Plan, Source, Deliver, Make, and Return) and then identify what can go wrong in each of those processes. In the HOR1 model shown in figure 1, the risk events are put in the left column, represented as Ej. 2. Assess the impact (severity) of such risk event (if happened). We use a 1-10 scale where 10 represents extremely severe or catastrophic impact (see Shahin [12] for a detailed verbal description about the scale). The severity of each risk event is put in the right column of figure 1, indicated as Si. 3. Identify risk agents and assess probability of occurrence of each risk agent. Here, a scale of 1 10 is also applied where 1 means almost never occurred and a value of 10 means almost certain to happen. The risk agents (Aj) are placed on top row of the figure and the associated occurrence is on the bottom row, notated as Oj. 4. Develop a relationship matrix, i.e., relationship between each risk agent and each risk event, Rij {0, 1, 3, 9} where 0 represents no correlation and 1, 3, and 9 represent respectively low, moderate, and high correlation. 5. Calculate aggregate risk potential of agent j (ARPj) which is determined as the product of the probability of occurrence of the risk agent j and the aggregate impacts generated by the risk events caused by the risk agent j as in equation 1 above. 6. Rank risk agents according to their aggregate risk potentials in a descending order (from large to low values). HOR2 HOR 2 is used to determine which actions are to be done first, considering their differing effectiveness as well as resources involved and the degree of difficulties in performing. The company should ideally select set of actions that are not so difficult to perform but could effectively reduce the probability of risk agents occurring. The steps are as follows: 1. Select a number of risk agents with high priority rank, possibly using Pareto analysis of the ARPj, to be dealt with in the second HOR. Those selected will be placed in the left side (what) of the 2 nd HOR as depicted in figure 2. Put the corresponding ARPj values in the right column. 2. Identify actions considered relevant for preventing the risk agents. Note that one risk agent could be tackled with more than one actions and one action could simultaneously reduce the probability of occurrence of more than one risk agent. The actions are put on the top row as the How for this HOR. 3. Determine the relationship between each preventive action and each risk agent, Ejk. The values could be {0, 1, 3, and 9} which represents respectively no, low, moderate, and high relationship between action k and agent j. This relationship (Ejk) could be considered as the degree of effectiveness of action k in reducing the probability of occurrence of risk agent j. 4. Calculate the total effectiveness of each action as follows TE ARP E k k = j j jk 5. Assess the degree of difficulties in performing each action, Dk, and put those values in a row below the total effectiveness. The degree of difficulties should reflect the fund and other resources needed in doing the action. 6. Calculate the total effectiveness to difficulty TEk ratio, i.e., ETD k =. Dk 7. Assign rank of priority to each action (Rk) where rank 1 is given to the action with the highest ETDk. 4. Computer Application If a large number of risk events and risk agents are involved, constructing the above two tables, especially table 1, could be technically difficult and prone to error. To improve the applicability of the above models, we have developed a computer application to assist with constructing table 1, based on the visual basic application within the Excel. This application enables the inputs to be entered in a user friendly interface and the calculation of the Pj and Rj values is done automatically by the

application. In the input module, we include a rechecking process before the data entered are sent to the system. 5. Case Example 5.1 Brief Case Company Background We applied the above models to a large governmentowned fertilizer company in Indonesia. The company has three production plants and produces a wide range of fertilizer, including Urea, TSP, and ZA. The raw materials used in these plants include natural gas and a number of chemical substances such as sulfur and potassium chloride. The aggregate capacity of the three plants is over 2.5 million tons per year. The main products are distributed to all regions in Indonesia which are divided into two distribution areas. As a government-owned company, the pricing, marketing and distribution of the products should comply with the government regulations. 5.2 Identification of Risk Events and Assessment of Their Severity The risk events were identified through breakdown of major business processes into sub-processes and then asking the question of what can go wrong? in each of the sub-processes. The company has already documented risk events before this study was carried out so we included many of already defined risk events in this study. Some of other risk events were identified during the study, through interview with relevant managers, which then led us to have a total of 50 risk events (7 of which are associated with Plan, 24 with Source, 7 with Make, and 2 with Return). Some of the identified risk events are presented in table 1. The next step is assessment of severity of each risk event. This was accomplished by distributing questionnaire to relevant managers. They were asked to fill in a number (between 1 and 10) next to each risk event where a value of 1 means almost no impact if the associated risk event occurred while a value of 10 means hazardous impact. Numbers in parentheses in table 1 represent the severity of the associated risk events. 5.3 Identification of Risk Agents Many of the risk agents had also been documented by the company. However, we did make clarification and suggest some other possible risk agents not included in their list. Finally, we ended up with a total of 58 risk agents, 20 of which are presented in table 2 along with their respective degree of occurrence. The occurrence represents the probability of each of those risk agents happening. The values range from 1 to 10 where a value of 1 means almost never occurred and a value of 10 means almost certain to happen [12]. The values of occurrence were also obtained through questionnaire distributed to relevant managers. 5.4 Identification of Rij The relationship between the risk agents and risk events were identified and a value of 0, 1, 3, or 9 was assigned in each combination. We obtain, for example, a value of 9 between A14 (interrupted gas supply) and plant shut down. 5.5 Aggregate Risk Potentials With the three inputs above, we can calculate the aggregate risk potentials of each risk agent. The calculated values range from 24 to 2144. The Pareto diagram of the aggregate risk potentials for all 58 risk events is shown in figure 3. The results show that there is only 1 risk agent with an ARP value of more than 2000, 5 risk agents with an ARP value between 1000 and 2000, 12 risk agents with an ARP value between 500 and 1000, and the rests (40) have an ARP value below 500. Further analysis shows that the first 11 risk agents contribute to about 50% of the total ARP values. 5.6 Identification and Prioritizing Mitigation Actions The above Pareto diagram indicates that the degree of importance of reducing the probability of occurrence of each risk agent differs widely. Naturally, a company should prioritize those with high aggregate risk potentials. In this case, the company was advised to tackle the first 11 risk agents as these contribute to about 50% of the total ARP. The second HOR framework in section 3 can be used to identify and prioritize mitigation actions that the company should do in order to maximize the effectiveness of effort with acceptable resource and financial commitments. This case study did not attempt to work on the second HOR. In general the actions could be strategic or tactical in nature. Juttner et al. [13] suggest that mitigation actions could be in the form of avoidance, control, cooperation, and flexibility. Risk avoidance could be done by, for example, dropping specific products / geographical markets. Risk control can be done by vertical integration and increasing the inventory buffer, while cooperation can be in the form of sharing risk information and jointly develop a contingency with suppliers. A number of efforts to increase flexibility, as another form of risk mitigation strategies, can be done through postponing activities deemed risky to be done before receiving orders from customers and establishing multiple suppliers. Similarly, Tang [14] provides a list of possible strategies for

designing a robust supply chain. These include postponement, strategic stock, flexible supply base, flexible transportation, and silent product rollover. The company can use those generic strategic actions to specify which are appropriate to be proposed. 6. Concluding Remarks We presented a model for proactive risk management in this paper. We adapted the well known House of Quality (HOQ) model to determine which risk actions to be tackled first and to select a set of preventive actions deemed cost-effective to be prioritized. The proposed model is different from the previous models in the sense that we select the risk agents having large aggregate risk potentials, i.e., those with high probability to occur and causing many risk events with severe impacts. The model was applied to a large fertilizer company in Indonesia. [10] F. Cucchiella and M. Gastaldi, Risk management in supply chain: A real option approach. Journal of Manufacturing Technology Management 17 (6), 2006, 700-720. [11] B. Gaudenzi and A. Borghesi, Managing risk in the supply chain using the AHP method. The International Journal of Logistics Management 17 (1), 114 136. [12] A. Shahin, Integration of FMEA and the Kano model, An exploratory examination. International journal of Quality and Reliability Management 21 (7), 2004, 731-746. [13] U. Juttner, H. Peck, and M. Christopher, Supply chain risk management: Outlining an agenda for future research. International Journal of Logistics: Research and Application 6 (4), 2003, 197-210. [14] C. S. Tang, Robust strategies for mitigating supply chain disruptions. International Journal of Logistics: Research and Application 9 (1), 2006, 33 45. References [1] P. Finch, Supply chain risk management. Supply Chain Management: An International Journal 9 (2), 2004, 183 196. [2] A. Norrman and U. Jansson, Ericsson s proactive supply chain risk management approach after a serious sub-supplier accident. International Journal of Physical Distribution & Logistics Management 34 (5), 2004, 434-456. [3] P. R., Sinha, L. E. Whitman, and D. Malzahn, Methodology to mitigate supplier risk in an aerospace supply chain. Supply Chain Management: An International Journal 9 (2), 2004, 154 168. [4] C. S. Tang, Perspectives in Supply Chain Risk Management: A Review. International Journal Production Economics, 103, 2006, 451-458. [5] S. Chopra and S. M. Sodhi, Managing Risk to Avoid Supply-Chain Breakdown. Sloan Management Review, 46 (1), 2004, 53-61. [6] K. B. Hendricks and V. R. Singhal, The effect of supply chain glitches on shareholder wealth. Journal of Operations Management 21, 2003, 501 522 [7] K. B. Hendricks and V. R. Singhal, An Empirical Analysis of the Effect of Supply Chain Disruptions on Long-Run Stock Price Performance and Equity Risk of the Firm. Production and Operations Management 14 (1), 2005, 35-52. [8] Y. Sheffi and J. B. Rice Jr., A supply chain view of the resilient enterprise. MIT Sloan Management Review 47 (1), 2005, pp. 41 48. [9] P. R. Kleindorfer and G. H.. Saad, Managing disruption risks in supply chains. Production and Operations Management 14 (1), 2005, 53 68.

Table 1: Some of Risk Events Identified Through Breakdown of Business Processes Major Sub-Processes Risk Events (Severity) Processes Plan Demand forecasting Large forecast error (4) Production planning Sudden changes in production plans (4) Inventory control for materials Discrepancy between recorded and available stocks (5) Source Procurement process Purchase Requisition (PR) is not received by Procurement Department (6) Delay in sending RFQ/RFP documents (5) Supplier evaluation and developing list Supplier breach contract agreement (7) of approved suppliers Make Production execution and control Shortage of materials (7) Plant shut down (9) Packaging process Leakage of package items (4) Quality control Defective products (7) Deliver Selection of shipping companies Shortage of shipment capacity during farming season (6) Warehousing of finished products Shortage of products in distribution center (7) Delivery of products to customers Faulty delivery of products to customer (7) Return Returning rejected items to supplier Delay in return process to supplier (2) Handling return from customers Delay in return process from customer (5) Table 2: Some of Risk Agents and Their Occurrence Code Risk Agent Occurrence A1 Significant increase in demand 6 A2 Shortage in supply capacity 2 A3 Inaccurate price reference 6 A4 Urgent purchase requisition from user 6 A5 Purchase requisition does not include clear specification 5 A6 Technical evaluation requires long time 8 A7 Dependence on one supplier 4 A8 Natural disaster 2 A9 Seasonality factor 5 A10 Information distortion or bullwhip effect 4 A11 Labor strike 2 A12 Exchange rate fluctuation 2 A13 Supplier bankruptcy 1 A14 Interrupted gas supply 5 A15 Changes in sales plans 9 A16 Messiness in the storage area 10 A17 Report on stock mutation is not received on time by the central office 9 A18 Vessels do not arrive on schedule 8 A19 Breakdown of IS system 4 A20 Package items do no meet specification 7

2500 2000 1500 1000 500 0 A47 A17 A12 A15 A18 A9 A20 A42 A36 A21 A51 A11 A53 A19 A3 A26 A31 A34 A32 A44 A38 A5 A43 A35 A10 A50 A24 A55 A30 ARP risk agent Figure 3: Pareto Diagram of Aggregate Risk Potentials of All Risk Agents