An integrated approach to supply chain risk analysis

An integrated approach to supply chain risk analysis Anna Corinna Cagliano* Alberto De Marco Sabrina Grimaldi Carlo Rafele Department of Production Systems and Business Economics Politecnico di Torino corso Duca degli Abruzzi 24 10129 Torino, Italy * Corresponding author Telephone: +39 0110907206 Fax: +39 0110907299 e-mail: anna.cagliano@polito.it An integrated approach to supply chain risk analysis Despite the increasing attention that supply chain risk management is receiving by both researchers and practitioners, companies still lack a risk culture. Moreover, risk management approaches either are too general or require pieces of information not regularly recorded by organisations. This work develops a risk identification and analysis methodology that integrates widely adopted supply chain and risk management tools. In particular, process analysis is performed by means of the standard framework provided by the SCOR-Model, the risk identification and analysis tasks are accomplished by applying the Risk Breakdown Structure and the Risk Breakdown Matrix, and the effects of risk occurrence on activities are assessed by indicators that are already measured by companies in order to monitor their performances. In such a way, the framework contributes to increase companies’ awareness and communication about risk, which are essential components of the management of modern supply chains. A base case has been developed by applying the proposed approach to a hypothetical manufacturing supply chain. An in-depth validation will be carried out to improve the methodology and further demonstrate its benefits and limitations. Future research will extend the framework to include the understanding of the multiple effects of risky events on different processes. Keywords: risk management; supply chain; performance measurement 1. Introduction Risk management has been gaining considerable attention in the last ten years as an autonomous subject in the field of supply chain management. The Supply Chain Council defines supply chains as encompassing every effort involved in producing and delivering a final product. Such efforts include managing supply and demand, sourcing raw materials and parts, manufacturing and assembling, warehousing and inventory tracking, order entry and order management, and distribution across all channels and delivery to the customer (Lummus et al. 2001). The relevance given to the risk topic is notably triggered by the frequency and intensity of catastrophes, disasters, and crises that seem to have increased on a global scale (Coleman 2006). Supply chains operate in an unpredictable environment and several factors and trends contribute to the exposure to uncertainty. In recent years, almost all industries have faced fiercer competition and accelerated market globalisation resulting in the need for making intra-firm and inter-firm business processes more efficient and responsive. This is the context that has spawned current supply chain strategies such as outsourcing and offshoring large portions of manufacturing and R&D activities, sourcing in low-cost countries, reducing inventories, streamlining the supply base, and collaborating more intensively with other supply chain partners (Hult et al. 2004). Similar policies produce stronger interfirm dependence together with longer and more complex supply chain setups and globe-spanning operations, thus exacerbating the vulnerability of supply chains to unexpected events (Tang 2006). The failure to effectively manage supply chain risk may result in economic and financial losses, reductions in product quality, delivery delays, and loss of reputation in the eyes of customers and suppliers (Hendricks and Singhal 2003; Cousins et al. 2004). Therefore, risk management should be a core issue in planning and control of any organisation (Finch 2004). However, companies that understand the importance of supply chain risk often do not know where to start in order to tackle it (Kiser and Cantrell 2006). With this regard, literature takes a quite general perspective on supply chain uncertainties and provides a limited support about how to deal with them from a practical point of view (Blackhurst et al. 2005). General literature on risk presents a wide range of techniques but they have been scarcely adapted to the needs of supply chain management (Khan and Burnes 2007). Thus, tools to assess the exposure to supply chain risks as well as to support the creation of awareness about this issue are needed (Zsidisin et al. 2005). Contributing to this field, an approach for identifying and analysing supply chain risk is developed. It integrates process mapping prepared through the Supply Chain Operations Reference Model (SCOR-Model), key performance indicators (KPIs) measuring the effects of the occurrence of risky events, and conventional risk management tools such as the Risk Breakdown Structure and the Risk Breakdown Matrix. Based on a standard process reference model and on KPIs commonly measured by companies, our framework aims to provide a guideline to risk management and, in this way, to promote companies’ interest in this crucial aspect of supply chains. The paper is organised as follows. Literature background for this work is presented in Section 2. The developed method for supply chain risk identification and analysis is detailed in Section 3 and its application to a base case is described in Section 4. Finally, Section 5 discusses findings, limitations, and future research directions. 2. Literature background Risk is an issue that has been extensively discussed in the last decades and several definitions have been put forward in literature, including both undesirable and desirable unexpected outcomes. Basically, risk takes into account two aspects: the uncertainty about and the severity of the consequences of an activity having a value for human beings (Aven and Renn 2009). In the context of supply chain, risk has been usually defined by taking a negative perspective. Juttner (2005) addresses supply chain risk as anything that presents an impediment or a hazard to information, material, and product flows from original suppliers to the delivery of the final product to the ultimate end-users. Supply chain risk management is the identification and management of risks affecting a supply network through a coordinated effort among supply chain members to reduce vulnerability as a whole (Christopher et al. 2002). Supply chain risk management should be considered as a strategic activity because it impacts on operational, market, and financial performances of a firm (Narasimhan and Talluri 2009). Risk management is usually divided into a number of stages: risk identification, risk analysis, and risk response and monitoring (Project Management Institute 2008). Available literature in identification and analysis is reviewed below for the purpose of this research. There are basically two kinds of approaches to supply chain risk identification. The first one relies on brainstorming. Hallikas and others (2002) apply the brainstorming technique through in-depth interviews with a group of final assemblers and some of their suppliers operating in the electronics and metal sectors. As a result of this procedure, risks are divided into four groups: demand related factors and value chain positioning, delivery performance ability, financial factors, and pricing. Moreover, the relationships between their causes and effects are investigated. Sinha and others (2004) conduct a brainstorming session for risk identification in a company in the aerospace industry in order to generate a list of the possible risks that could be encountered when dealing with vendors. The second approach to supply chain risk identification is based on taxonomies. Chopra and Sodhi (2004) classify supply chain risks into disruptions, delays, systems, forecast, intellectual property, procurement, receivables, inventory, and capacity. For each of these categories, risk sources are identified and they may include natural disasters, labour disputes, supplier bankruptcies, and wars and terrorism. Spekman and Davis (2004) relate supply chain risks to six areas: material flows, information flows, cash flows, security, opportunistic behaviours, and social responsibility. According to each area, risky events that may occur are analysed. Lockamy III and McCormack (2010) look at the nature of risks and classify them into operational, network, and external ones. Operational risks are related to inadequate or failed internal processes, people, and systems as well as to external ones. Network risks are due to the structure of the supplier network, and external risks are driven by forces such as weather, earthquakes, political, regulatory, and market strategies. As far as supply chain risk analysis is concerned, it is usually performed by means of a number of qualitative, semi-quantitative, and quantitative methods. Several models assess risky events by evaluating the probability of occurrence and the severity of impact. Sheffi (2005) uses qualitative estimates for these two dimensions. To be more precise, the probability of occurrence may assume two levels, “high” and “low”, and, in a similar way, the severity of impact may be “severe” or “light”. Norrman and Jansson (2004) present four level scales for evaluating the probability of occurrence (“rare”, “unlikely”, “likely”, and “almost certain”) and the severity of impact (“negligible”, “minor”, “major”, and “severe”). Such evaluations contribute to estimate the degree of risk, which may be low, medium, high, and very high. Sinha and others (2004) assess the severity of risk impacts by using three levels: high, medium, and low. Hallikas and others (2002) define semi-quantitative scales: values ranging from 1 to 4 for the probability of occurrence represent very unlikely, improbable, probable, and very probable events respectively and values from 1 to 4 for the severity of impact represent insignificant, minor, serious, and catastrophic influences of risky events respectively. Wu and others (2006) apply the Analytic Hierarchy Process (AHP) to calculate the relative weight of each risk factor, which is an indicator of how important a risk factor is. Finally, quantitative risk analysis usually relies on simulation approaches such as Montecarlo technique, Petri Nets, and fault and event trees (Kleindorfer and Saad 2005; Wu and Olson 2008; Tuncel and Alpan 2010). The literature review reveals that most of the approaches for supply chain risk management either are limited to the identification of risk areas or face risk analysis by requiring a careful recording of past events and data in order to evaluate the probability of occurrence of risky events as well as the related impact. In addition, the proliferation of risk management software packages, which use sophisticated probabilistic methods to quantify uncertainty, does not encourage the development of a deep understanding of the underlying structure constituting the inter-dependencies between risk sources, risk occurrences, and effects (Tah and Carr 2001). Therefore, there is a need for comprehensive methodologies that do not require companies to invest in information systems and human resources to gather a huge amount of additional historical data that are usually not available from organisations but they are essential to perform supply chain risk management. To this end, our work proposes a framework to integrate both risk identification and analysis in well established supply chain management practices, like process mapping and performance measurement. This is based on data currently recorded by companies for purposes other than risk investigation. The data are set into the SCOR-Model and then applied to risk analysis. The implementation of a methodology that not only provides accurate guidelines about how to deal with risk, but also builds on widely used tools stimulates companies to acquire an adequate knowledge about causes and effects of supply chain uncertainty. 3. A new framework for supply chain risk identification and analysis 3.1 Aim and steps of the framework Our approach to supply chain risk management is intended to deal with the entire risk escalation process (Hillson 2004; Hillson et al. 2006). Any risky event is triggered by an internal or external source (step 1) and evolves through an occurrence affecting an activity (step 2). A probability and an impact may be associated to such occurrence, which in turn brings consequences (step 3) usually in terms of time, cost, and quality variance against expected performance (Figure 1). Figure 1. Risk escalation process (Adapted from Hillson 2004) Based on the guidelines suggested by literature to manage the risk escalation process (Hauser 2003; Norrman and Jansson 2004; Kiser and Cantrell 2006), the present framework can be subsumed as composed of three steps:  Process mapping: processes are analysed in order to understand in what parts of a supply chain risky events may occur. Such task is accomplished by applying a breakdown of activities based on the SCOR-Model (Supply Chain Council 2008). This model describes all the business activities associated with satisfying customer demand, in order to address, improve, and communicate supply chain management practices within and between partners, from the supplier's supplier to the customer's customer. Process mapping according to the SCOR-Model allows to understand those supply chain structures responsible for risk occurrence and to relate sources of uncertainty, identified through common tools for risk investigation, to the associated process activities.  Risk identification: identification and classification of main sources of risk (step 1 in Figure 1) for each SCOR process are performed using a standard breakdown structure decomposed into main kinds of risk in a supply chain. Risk sources are then linked to the activities where associated risky events may occur and the nature of such events is identified.  Risk analysis: taking a broad perspective, risk may be seen as an uncertainty that may be in turn either a threat or an opportunity, depending if it affects a business either negatively or positively (Ward and Chapman 2003; Hillson 2004). In the risk analysis phase of our approach, performance indicators, assessing the effects (step 3 in Figure 1) of risk occurrence (step 2 in Figure 1) on activities, are selected according to the nature of the risky events identified in the previous step. These performance indicators are measured and compared against their associated target values. The analysis of discrepancies reveals whether risky events that happened benefitted or harmed the investigated processes, in order to set proper actions to either exploit or mitigate their consequences. Such actions will become proactive measures in the next time bucket, being supply chain activities repetitive in nature. The following sections detail the steps along with the present framework unfolds as well as the foundations on which it is based. 3.2 SCOR-Model as the foundation of the framework Our approach uses the SCOR-Model version 9.0 as the fundamental supply chain structure for the analysis of risk. The SCOR-Model is organised around the five main supply chain processes, namely Plan, Source, Make, Deliver, and Return. Each of these five processes (SCOR Level 1) is in turn decomposed into sub-processes (SCOR Level 2) according to three process categories: Planning, Execution and Enable. Each sub-process is divided into elementary activities (SCOR Level 3) for which inputs, outputs, best practices, and performance indicators are defined. In particular, the SCOR-Model provides a rich catalogue of key indicators to measure the performance of supply chain operations. The SCOR-Model version 9.0 also incorporates supply chain risk assessment, tracking, and mitigation through the suggestion of risk management activities as well as best practices and performance metrics. The SCOR-Model has been chosen as the foundation for the proposed risk management framework because it is a widely applied supply chain management tool (Stephens 2001; Huang et al. 2005). Moreover, the SCOR-Model has been recognised as being a valuable means to provide incentive alignment and collaboration for risk avoidance and reduction by promoting cooperation among supply chain partners (Kleindorfer and Saad 2005; Srividhya and Jayaraman 2007). For example, the SCOR-Model has been adopted in the aerospace industry to integrate planning activities with the purpose of overcoming uncertainty and conflicting objectives and stimulating coordination among supply chain members (Raj and Whitman 2004). The three pillars of the SCOR-Model, namely process modelling, performance measurement, and best practices, allow to take a systemic and effective perspective on risk. First, the SCOR-Model provides a process modelling ensuring that all the significant activities within a supply chain are identified, thus building a reliable basis for a comprehensive definition of risks. The standard structure provided by the SCOR-Model also makes all decision makers agree on processes and goals, which is of paramount importance to the establishment of a risk measurement system (Gaudenzi and Borghesi 2006). Second, the key performance indicators suggested by the SCOR-Model enable to evaluate the behaviour of different supply chain activities when exposed to risk. Third, the best practices presented by this model may support the identification of successful actions to either exploit or mitigate the risks detected by our approach. 3.3 Supply chain process mapping To identify activities that might be affected by risk is the first step in every risk management methodology. In fact, a coherent representation of the supply chain structure is essential to express how different risks are related to the components of this structure (Narasimhan and Talluri 2009). Moreover, it makes companies more conscious of their business processes and assures proper actions to reduce the exposure to vulnerability (Braunscheidel and Suresh 2009). Our framework suggests using the Activity Breakdown Structure (ABS) to map supply chain processes. The ABS comes from the Work Breakdown Structure (WBS) (Project Management Institute 2001) and is a hierarchical grouping of activities that organises and defines the scope of a process. Each descending level constitutes a more detailed decomposition of process tasks. The ABS has been selected because it does not only decompose activities in a clear way but it is also able to properly represent the SCOR-Model structure. As a matter of fact, the SCOR-Model provides a three-level hierarchical structure defining the business activities associated with the fundamental supply chain processes, and each descending level depicts an increasingly detailed description of such activities. Taking advantage of such similarity between the ABS and the SCOR-Model, our methodology performs risk identification by using ABSs based on the process breakdown provided by the SCOR-Model. The bottom level ABS elements are represented by SCOR third level elementary activities (Table A.1 in the Appendix). 3.4 Supply chain risk identification To identify and classify risks according to their nature is an essential task before performing risk analysis and developing control strategies (Narasimhan and Talluri 2009). An accurate understanding of types of supply chain risks enables tailoring risk reduction approaches to the specific characteristics of each single organisation (Chopra and Sodhi 2004). In our framework, once the activities of a supply chain process have been classified into an ABS, sources of risk for each lowest level activity should be identified and arranged to provide a standard representation of risk exposure facilitating understanding, communication, and management. This can be accomplished by adopting the Risk Breakdown Structure (RBS). The RBS is a hierarchical, source-oriented grouping of risks that organises and defines the total risk exposure. Each descending level represents an increasingly detailed definition of sources of risk (Hillson 2002). The RBS tool is chosen because it provides an effective foundation for a stratified classification of risks and the associated nomenclature (Tah and Carr 2001). In our methodology, the RBS does not only serve as a framework for organising selected risk sources, but also supports their identification. Main literature about supply chain risk management is reviewed in order to build a general taxonomy that can be customised according to the process at issue. The RBS levels are intended to provide a prompt list of areas of risk affecting supply chain processes that guides the identification of risk sources impacting on specific activities. Table 1 illustrates the standard RBS structure; more levels may be added as needed. Table 1. RBS frame for supply chain risk Sources of supply chain risks are first categorised as external and internal ones (Smallman 1996; Kiser and Cantrell 2006). External risk sources cannot be controlled by a company, being exposed to its external environment. On the contrary, internal risk sources can be better handled because they are associated with decisions made and actions undertaken within the company. RBS Level 2 and Level 3 represent the most common determinants of supply chain risk reported by literature. Internal risk sources are structured according to the supply chain activity levels where risky events may occur. To this end, the three levels defined by the Global Supply Chain Forum (Lambert 2008), namely Strategic, Tactical, and Operational, are adopted. Detailed internal risk sources (Level 3) cannot be defined in this general RBS because they strongly depend on the specific kind of process under study. The risk identification phase is completed by connecting detailed risk sources for each supply chain process with the corresponding elementary activities (SCORModel Level 3). The joint analysis of supply chain activities and risk sources increases risk visibility, which in turn may contribute to improve performance (Narasimhan and Talluri 2009). For this purpose, activities at the lowest ABS level are the rows of a matrix, whose columns represent risk sources at the lowest RBS level. A Risk Breakdown Matrix (RBM) (Hillson 2004; Hillson et al. 2006) is thus generated; its cells identify the impacts of risk sources on activities. Figure 2 shows a RBM where the impacts of risk sources on activities are represented by colouring the corresponding cells. For example, in this RBM the risky events caused by the source R2.1 affect the activity A1.1, therefore the cell at the intersection between the risk source R2.1 and the activity A1.1 appears grey coloured. Figure 2. Impacts of risk sources on activities in a RBM (Adapted from Hillson 2004) After identification, it is necessary to investigate the nature of risk occurrence for each RBM cell that was marked: what kind of risky events caused by a source may affect the associated activity and what are the related effects, i.e. time delays, quality issues, raw material shortages, etc. This knowledge will guide the selection of performance indicators in the analysis phase of the framework. Such task is of paramount importance for choosing KPIs able to reflect risk effects properly and requires the understanding of supply chain processes provided by the first step of the approach. 3.5 Supply chain risk analysis The risk analysis phase of the developed methodology focuses on the effects on activities of the occurrence of risky events due to the identified sources and estimates these effects through performance measurement. In many companies, the availability of data about risk probabilities, impacts, and effects is scarce and they do not appear to be collected systematically. In some cases, managers estimate such quantities by means of subjective judgements, and this task may be difficult especially when events have not occurred before (Harland et al. 2003). Therefore, the value of risk, obtained as a multiplication of probability and impact, is not always easy to use and is not always understandable to business people (Norrman and Jansson 2004). To this end, performance indicators provide a reliable basis to estimate the probability and the impact of risky events as well as their effects through quantities that are specific to each organisation and can be easily controlled. Coupled with an accurate monitoring process, they may control any deviation (bias) from foreseen plans (Badr and Stephan 2007). Risk metrics may be either causal variables or proxies for the risk drivers as well as the associated consequences. They may either be monitored independently, in order to analyse single risks, or be considered as a system, in order to have a picture of the overall risk exposure of the business (Scandizzo 2005). The assessment of risk does not require a new set of KPIs, but rather a risk-adjusted view of the performance metrics already in place (Hauser 2003). In our methodology, the indicators that are most capable to reflect the effects of risks (step 3 in Figure 1) are selected from companies’ dashboards, to form a measurement system that aims to analyse the consequences of the occurrence of risky events (step 2 in Figure 1) on supply chain activities, given their importance to properly control disruptions and other kinds of uncertainty (Scandizzo 2005). These consequences become manifest in supply chain outcome measures, such as those related to cost or quality, and, in general, in all those variables expressing a variance from expected performance. Literature provides comprehensive lists of such measures, ranging from financial through reputational, to safety-related ones (Goldberg et al. 1999; Harland and Brenchley 2001). For each RBM cell where an impact of a risk source on an activity is defined, the occurrence of a risky event due to the source changes the performance of the activity in some way. Therefore, a KPI capturing such change is able to assess the degree of the effect of the risk occurrence on the activity, and it indirectly gives a knowledge about such occurrence that may be useful for future evaluations of the existing risks for each activity. To this end, KPIs are selected according to the nature of risky events and of their effects and placed into RBM cells. The primary effects of risk on the processes where it occurs are assessed, thus providing a good trade-off between accuracy and speed in the risk management process (Zsidisin et al. 2004). As a matter of fact, performance indicators allow a quick but clear understanding of what supply chain areas need more attention and enable to prioritise those risks requiring a deeper investigation by acquiring additional pieces of information. The analysis of any discrepancy of the actual performance against the target KPIs allows to investigate on either the negative or the positive nature of risky events to activate subsequent actions directed to either mitigate the effects of a threat or exploit the benefits of an opportunity. 4. Applying the framework to a manufacturing supply chain The present section describes the application of the proposed framework for risk identification and analysis to a hypothetical internal supply chain of a manufacturing company. In order to focus on a manageable case, we analysed the supply chain activities included in the SCOR-Model part dealing with Make-to-Order products. Moreover, risk sources are drawn from literature and performance metrics are selected from the SCOR-Model catalogue giving particular attention to the two most important aspects of customer requirements: timely delivery and product quality (Svensson 2004). Source, Make, and Deliver processes of the SCOR-Model are studied. For each of them, most relevant sub-processes belonging to all the three Level 2 process categories are considered. In turn, most significant elementary activities for each of these sub-processes are selected. As an example, the ABS for the Source process is detailed in the Appendix (Table A.1). P2 Plan Source, S2 Source Make-to-Order Product, and ES Enable Source are the SCOR Level 2 sub-processes that are taken into account. The RBS that identifies the risk sources impacting on the Source process is presented in Table A.2 of the Appendix. It has been worked out by adapting the general RBS frame presented in Table 1 to take into account Level 3 risk sources specific for the process at issue. The last column of the RBS in Table A.2 reports literature sources not included in the review presented in Table 1. The RBSs classifying the risk sources affecting the Make and Deliver processes have been defined in the same way as for the Source process, and are presented in Table A.3 and Table A.4 of the Appendix respectively. For the purpose of preparing the RBMs, ABSs for the Source, Make, and Deliver processes are linked to associated RBSs. As an example, Table 2 presents the complete RBM for the Source process with the identification of the impacts of risk sources on activities (grey cells). All the RBMs for this case study, together with the ABSs and the RBSs, are available from the authors (please visit link to the authors’ website, not reported in this version of the paper for blind review reasons). The possible risk occurrences are investigated for each impact defined in the RBM, together with the related effects on activities. According to the nature of both the risky events that may happen and their effects, KPIs enabling to measure the degree of such effects are selected. Performance indicators are coded according to the activity they refer to and how many different metrics have been associated with this activity. For example, the indicator SI2.4.1 defines the first KPI selected for the Source activity S2.4. The analysis of some of the RBM cells of the three supply chain processes studied in this base case is presented below. As far as the RBM for the Source process is concerned (Table 3), the risk source IS.5 Machine performance during transiting of the sourced products impacts on both the activity S2.2 Receive Product and the activity S2.4 Transfer Product. The identified risk occurrence is an incorrect functioning of the material handling equipment while either downloading the sourced products from trucks and moving them to the incoming raw material area or transporting them from that area to the manufacturing department. The main effects are delays in making such materials available for undergoing the production process and physical damages to the incoming products. On this basis, the effect on the activity S.2.2 is measured by the KPI SI2.2 % Orders/lines received damage free, which assesses the number of orders or lines that are received damage free divided by the total orders or lines received in the measurement period. In this case, only damages due to the material handling equipment used by the focus company are considered. The effect of risk occurrence on the activity S2.4 is measured by the indicators SI2.4.1 %Product transferred ontime to demand requirement and SI2.4.2 % Product transferred damage free. The first one evaluates the number of product orders or lines that are transferred to the manufacturing department on time divided by the total orders or lines transferred in the measurement period. The second one assesses the number of product orders or lines that are transferred to the manufacturing department damage free divided by the total orders or lines processed in the measurement period. As far as the RBM for the Make process is concerned (Table 4), the risk source IM.7 Machine performance impacts on both the activity M2.3 Produce and Test and the activity M2.4 Package. In the first case, the identified risk occurrence is a poor performance of the production lines that could give as effects either a total manufacturing lead time longer than its standard value, because for example workstations take longer to perform their operations, or an increase in the number of defective products out of the line that have to be discarded. The following three metrics have been chosen to evaluate these effects: MI.2.3.1 Scrap expense, MI2.3.2 Total build cycle time, and MI2.3.3 Yield. Scrap expense assesses the costs incurred in the measurement period from finished products falling outside of specifications and possessing characteristics that make rework impractical. Total build cycle time is defined as the time necessary to transform raw materials into finished products. Yield is the ratio of usable output from a production process to the amount of input in the measurement period, as a result of the finished product quality test. In the second case the risk occurrence is represented by a poor performance of the machines packaging the finished products to be delivered. The effect is packages not compliant with set quality standards and is measured by the KPI MI2.4 Scrap packaging expense, which is defined as the costs incurred in the measurement period from dealing with packages falling outside of specifications. Finally, the RBM for the Deliver process (Table 5) defines an impact of the risk source EXD.1 Nature disasters on the activity D2.12 Ship Product and an impact of the same source on the activity D2.13 Receive and Verify Product by Customer. In both the cases the risk occurrence is represented by natural events such as floods and hurricanes. On the one hand, the main effect of these risky events on the activity D2.12 is a delay in delivering the finished products to the customer. Thus, the KPI DI2.12 Delivery performance to customer commit date is chosen to measure such effect. This metric assesses the percentage of orders in the measurement period that are fulfilled on or before the original scheduled date. On the other hand, the effect of natural events on the activity D2.13 is receiving a relevant quantity of products that have been damaged during the transportation, and the KPI DI2.13 Perfect order fulfilment is selected to measure this effect. Here the Perfect order fulfilment evaluates the consignment compliance to the committed quality. Table 2. Complete RBM for the Source process Table 3. Portion of RBM for the Source process Table 4. Portion of RBM for the Make process Table 5. Portion of RBM for the Deliver process The defined performance indicators should be then evaluated and compared with the associated target values in order to assess the degree of the effects of the occurrence of risky events on supply chain activities. Threats and benefits originated by these events should be identified with the aim of supporting appropriate decision making. 5. Discussion The developed framework for risk identification and analysis is grounded on the standard categorisation of supply chain processes offered by the SCOR-Model, thus making clear “what” risk management is applied to. Risk identification is not completely left to the experience and knowledge of process experts, but it is guided by a standard RBS frame that presents a comprehensive, literature driven list of possible risk sources affecting supply chain operations. Such list ensures that any possible gaps or blind spots in risk identification are avoided, and all potential sources of risk are considered. In addition, the Risk Breakdown Structure and the Risk Breakdown Matrix are simple but powerful risk management tools because they allow a systemic representation of both risk sources and their impacts on activities. The systemic perspective is also guaranteed by the fact that our framework analyses both positive and negative outcomes of risk occurrence and covers all the phases of the risk escalation process. In fact, sources of risk are identified by means of the RBS, risk occurrence is investigated by the RBM for each supply chain activity, and effect analysis is performed by evaluating KPIs (Figure 3). Figure 3. Mapping the framework on the risk escalation process The developed framework is also extremely flexible because it may be applied to various levels of organisational complexity, in order to analyse just one supply chain process or to understand risks affecting all the main processes of a company, according to the amount of information that is available. Moreover, different breakdowns of supply chain processes may be used as an alternative to the one suggested by the SCOR-Model. A key point of our approach is that risk effect estimate by means of performance measurement, a well-established management practice among both Small and Medium Enterprises (SMEs) and large companies, enables to quantify risk without recording a great amount of additional historical data. Furthermore, the developed methodology enhances the value of performance measurement because it associates KPIs not only with activities but also with related risk sources. Therefore, the integration among process and risk management tools already existing in literature and implemented in practice facilitates a constant and purposeful application of the methodology by a large variety of industries. Also, the use of the SCOR-Model, the RBS, the RBM and KPIs enhances the value of the Supply Chain Council model by supporting the implementation of the actions the SCOR-Model recommends for dealing with supply chain risk. The value of this framework is that it increases communication about supply chain risk, a field where responsibilities are interdependent and there must be a regular, cross-functional and multidirectional information sharing among people, who are the most important enabler of an effective risk management system (Elkins et al. 2005). In such a way, the proposed methodology contributes to promote a culture of risk awareness by providing management and employees with a detailed procedure to handle uncertainty. When the level of maturity towards risk is high enough to enable a systematic tracking of risk data, the framework developed in this work may also replace performance indicators with accurate numerical values of risk exposure. 5.1 Limitations and future research The proposed methodology is mainly focused on observing the consequences of risks and does not quantify the probabilities of occurrence and the impacts. Furthermore, it does not analyse whether the risk occurrence has secondary effects on multiple processes. Finally, an extensive validation of the approach by applying it to multiple supply chain settings is required in order to uncover its potential weaknesses and foster refinements. These limitations bring two future research lines. First, the methodology could be extended to analyse risk not only after its occurrence but also before it, by calculating probabilities of occurrence and impacts of risky events. Second, the investigation of the cause and effect relationships among the monitored KPIs could be integrated in our framework as a way to trace how the effects of risk occurrence spread through multiple activities and processes, for instance from the Source process through the Deliver one. 6. Conclusions This work presents a risk identification and analysis methodology that integrates well established supply chain and risk management tools, such as the SCOR-Model, the Risk Breakdown Structure, the Risk Breakdown Matrix, and performance indicators. The main purpose of the framework is increasing companies’ awareness about supply chain risk by providing a structured approach to identify, assess, and communicate sources and consequences of risky events. A base case has been developed by applying the proposed approach to a hypothetical manufacturing supply chain. Acknowledgements The authors are grateful to Lisha Chen, M.Sc. in Management Engineering at Politecnico di Torino, for her active involvement in the research. References Aven, T., and O. Renn. 2009. On risk defined as an event where the outcome is uncertaint, Journal of Risk Research 12, no. 1: 1–11. Badr, Y., and J. Stephan. 2007. Security and Risk Management in Supply Chain, Journal of Information Insurance and Security 2: 288–296. Blackhurst, J., C.W. Craighead, D. Elkins, and R.B. Handfield. 2005. An empirically derived agenda of critical research issues for managing supply-chain disruptions. International Journal of Production Research 43, no.19: 4067– 4081. Braunscheidel, M.J., and N.C. Suresh. 2009. The organizational antecedents of a firms supply chain agility for risk mitigation and response. Journal of Operations Management 27: 119–140. Chakraborty, T., B.C. Giri, and K.S. Chaudhuri. 2009. Production lot sizing with process deterioration and machine breakdown under inspection schedule. Omega 37, no. 2: 257–271. Chopra, S., and P. Meindl. 2004. Supply chain management. 2nd ed. Upper Saddle River (NJ): Pearson Education, Inc. Chopra, S., and M. S. Sodhi. 2004. Managing risk to avoid supply-chain breakdown. MIT Sloan Management Review 46, no.1: 53–62. Christopher, M., A. McKinnon, J. Sharp, R. Wilding, H. Peck, P. Chapman, U. Juttner, and Y. Bolumole. 2002. Supply Chain Vulnerability. Cranfield, UK: Cranfield University. Coleman, L. 2006. Frequency of man-made disasters in the 20th century. Journal of Contingencies and Crisis Management 14, no.1: 3–11. Cousins, P., R.C. Lamming, and F. Bowen. 2004. The role of risk in environmentrelated initiatives. International Journal of Operations & Production Management 24, no.6: 554 – 565. Elkins, D., R.B. Handfield, J. Blackhurst, and C. W. Craighead. 2005. 18 Ways to Guard against Disruption. Supply Chain Management Review, Janaury/February 2005: 46 – 53. Faisal, M. N., D. K. Banwet, and R.Shankar. 2006. Mapping supply chains on risk and customer sensitivity dimensions. Industrial Management & Data System 106, no.6: 878–895. Finch, P. 2004. Supply Chain Risk Management. Supply Chain Management: An International Journal 9, no2: 183–196. Gaudenzi, B., and A. Borghesi. 2006. Managing risks in the supply chain using the AHP method. The International Journal of Logistics Management 17, no.1: 114 –136. Goh, M., Y.S. Lim, and F. Meng. 2007. A stochastic model for risk management in global supply chain networks. European Journal of Operational Research 182: 164–173. Goldberg, S., S. Davis, and A. Pegalis.1999. Y2K Risk Management. New York: Wiley. Hallikas, J., V.-M. Virolainen, and M. Tuominen. 2002. Risk analysis and assessment in network environments: A dyadic case study. International Journal of Production Economics 78, no. 1: 45–55. Harland, C., and R. Brenchley. 2001. Risk in Supply Networks. Paper presented at the European Operations Management Association 8th Annual Conference, June 3–5, in Bath, UK. Harland , C., R. Brenchley, and H. Walker. 2003. Risk in supply networks. Journal of Purchasing & Supply Management 9: 51–62. Hauser, L. M. 2003. Risk – adjusted Supply Chain Management. Supply Chain Management Review, November/December 2003: 64–71. Hendricks, K.B., and V.R. Singhal. 2003. The effects of supply chain glitches on shareholder value. Journal of Operations Management 21, no.5: 501–522. Hillson, D. A. 2002. The Risk Breakdown Structure (RBS) as an aid to effective risk management. Paper presented at the Fifth Project Management Conference PMI Europe 2002, June 19-20, in Cannes, France. Hillson, D. A. 2004. Effective Opportunity Management for Projects. Exploiting Positive Risk. New York: Dekker. Hillson, D., S. Grimaldi, and C. Rafele. 2006. Managing Project Risks Using a Cross Risk Breakdown Matrix. Risk Management 8: 61–76. Huang, S.H., S.K. Sheoran, and H. Keskar. 2005. Computer-assisted supply chain configuration based on supply chain operations reference (SCOR) model. Computers&Industrial Engineering 48: 377–394 . Hult, G.T.M., D.J Ketchen Jr., and S.F. Slater. 2004. Information processing, knowledge development and strategic supply chain performance. Academy of Management Journal 47, no. 2: 241–253. Ji, G., and C. Zhu. 2008. Study on supply chain disruption risk management strategies and model. Paper presented at the IEEE 2008 International Conference on Service Systems and Service Management, June 30-July 2, in Melbourne, Australia. John, G. 1984. An empirical investigation of some antecedents of opportunism in a marketing Channel. Journal of Marketing Research 21, no. 3: 278 – 289. Juttner, U. 2005. Supply chain risk management: Understanding the business requirements from a practitioner perspective. The International Journal of Logistics Management 16, no. 1: 120–141. Khan, O., and B. Burnes. 2007. Risk and supply chain management: creating a research agenda. The International Journal of Logistics Management 18, no. 2: 197–216. Kiser, J., and G. Cantrell. 2006. Six steps to managing risk. Supply Chain Management Review 10, no. 3: 12–17. Kleindorfer, P.R., and G.H. Saad. 2005. Managing Disruption Risks in Supply Chains. Production and Operations Management 14, no.1: 53 – 68. Lambert, D. M. 2008. Supply Chain Management: Processes, Partnerships, Performance. 3rd ed. Sarasota, FL: Supply chain management institute. Lee, H.L., V. Padmanabhan, and S. Whang. 1997. The bullwhip effect in supply chains. Sloan Management Review 43, no. 4: 93–102. Lockamy III, A., and K. McCormack. 2010. Analysing risks in supply networks to facilitate outsourcing decisions. International Journal of Production Research 48, no. 2: 593–611. Lummus, R. R., D. W. Krumwiede, and R.J. Vokurka. 2001.The relationship of logistics to supply chain management: developing a common industry definition. Industrial Management & Data Systems 101, no. 8: 426–431. Manuj, I., and J. T. Mentzer. 2008. Global supply chain risk management strategies. International Journal of Physical Distribution & Logistics Management 38, no. 3: 192–223. Martha, J. 2002. Just-In-Case Operations. Warehousing Forum 17, no. 2, http://www.warehousing-forum.com/news/2002_01.pdf (accessed December 1, 2010). Narasimhan, R., and S. Talluri. 2009. Perspectives on risk management in supply chain. Journal of Operations Management, no. 27: 114–118. Norrman, A., and U. Jansson. 2004. Ericsson’s proactive supply chain risk management approach after a serious sub-supplier accident. International Journal of Physical Distribution & Logistics Management 34, no.5: 434 – 456. Oke, A., and M. Gopalakrishnan. 2009. Managing disruptions in supply chains: A case study of a retail supply chain. International Journal of Production Economics 118: 168–174. Project Management Institute. 2001. Practice Standard for Work Breakdown Structures. Philadelphia (PA): Project Management Institute. Project Management Institute 2008. A Guide to the Project Management Body of Knowledge (PMBOK Guide). 4rd ed. Newtown Square (PA): Project Management Institute. Raj, P., and L.Whitman. 2004. Methodology to mitigate supplier risk in an aerospace supply chain. Supply Chain Management: An International Journal 9, no.2: 154 – 168. Ritchie, B., and C. Brindley. 2007. Supply chain risk management and performance: A guiding framework for future development. International Journal of Operations & Production Management 27, no. 3: 303–322. Scandizzo, S. 2005. Risk Mapping and Key Indicators in Operational Risk Management. Economic Notes 34, no. 2: 231–256. Sheffi, Y. 2005. The Resilient Enterprise: Overcoming Vulnerability for Competitive Advantage. Cambridge, MA: The MIT Press. Sheffi,Y., and J.B. Rice. 2005. A supply chain view of the resilient enterprise. Sloan Management Review 47, no.1: 41–48. Sinha, P. R., L. E. Whitman, and D. Malzahn. 2004. Methodology to mitigate supplier risk in an aerospace supply chain. Supply Chain Management: An International Journal 9, no. 2: 154 – 168. Smallman, C. 1996. Risk and organisational behaviour: a research model. Disaster Prevention and Management 5, no. 2: 12–26. Spekman, R. E., and E. W. Davis. 2004. Risky business: expanding the discussion on risk and the extended enterprise. International Journal of Physical Distribution & Logistics Management 34, no. 5: 414–433. Srividhya, V.S., and R. Jayaraman. 2007. Management of Supplier Risks in Global Supply Chains. SETLabs Briefings 5, no.3: 1–12. Stephens, S. 2001. Supply Chain Operations Reference Model Version 5.0: A New Tool to Improve Supply Chain Efficiency and Achieve Best Practice. Information Systems Frontiers 3, no.4: 471–476. Supply Chain Council. 2008. Supply-Chain Operations Reference-Model. Version 9.0. Pittsburgh (PA): Supply-Chain Council. Svensson, G. 2004. Key areas, causes and contingency planning of corporate vulnerability in supply chains: A qualitative approach. International Journal of Physical Distribution & Logistics Management 34, no. 9: 728–748. Tah,, J. H. M., and V. Carr. 2001. Towards a framework for project risk knowledge management in the construction supply chain. Advances in Engineering Software 32: 835–846 . Tang, C.S. 2006. Review Perspectives in supply chain risk management. International Journal of Production Economics 103: 451–488. Tuncel, G., and G. Alpan. 2010. Risk assessment and management for supply chain networks: A case study. Computers in Industry 61, no.3: 250-259. Wagner, S.M., and C. Bode. 2006. An empirical investigation into supply chain vulnerability. Journal of Purchasing & Supply Management 12: 301–312. Ward, S. and Chapman, C. 2003. Transforming project risk management into project uncertainty management. International Journal of Project Management 21: 97–105. Wu, D., and D.L. Olson. 2008. Supply chain risk, simulation, and vendor selection. International Journal of Production Economics 114: 646–655. Wu, T., J. Blackhurst, and V. Chidambaram. 2006. A model for inbound supply risk analysis. Computers in Industry 57: 350–365. Yigitbasioglu, O. 2004. Upstream Information Flow in the Supply Chain: The Case of Finnish Manufacturers. M.Sc. diss., The Swedish School of Economics and Business Administration. Zsidisin, G.A., L.M. Ellram, J.R. Carter, and J.L. Cavinato. 2004. An analysis of supply risk assessment techniques. International Journal of Physical Distribution & Logistics Management 34, no.5: 397–413. Zsidisin, G.A., S.A. Melnyk, and G.L. Ragatz. 2005. An institutional theory perspective of business continuity planning for purchasing and supply management. International Journal of Production Research 43, no.16: 3401– 3420. Appendix Table A.1. ABS for the Source Process Table A.2. RBS for the Source Process Table A.3. RBS for the Make process Table A.4. RBS for the Deliver process Causes/Sources Occurrence Effect analysis Occurrence Origin Transition Consequence Risk Factor INT. EXT. . Risk effects Process Risk Probability X% step 1 step 2 Impact step 3 Figure 2 RBS RBM Causes/Sources Occurrence KPIs Effect analysis Table 1. RBS frame for supply chain risk Level 0 Level 1 Level 2 Level 3 Literature Source Nature disasters Kleindorfer and Saad 2005; Faisal et al. 2006; Kiser and Cantrell 2006; Catastrophic Man-made Goh et al. 2007; Khan and Burnes accidents 2007 Political Changes in Kleindorfer and Saad 2005; Sheffi government and Rice 2005; Khan and Burnes policies 2007 Fuel price fluctuation Exchange rate Wagner and Bode 2006; Ritchie and Economic fluctuation Brindley 2007; Ji and Zhu 2008 Standard Changes in the RBS for economic supply situation chain Labour strikes processes Changes in the External network of transportation Juttner 2005; Tang 2006; hubs Braunscheidel and Suresh 2009 Social IT system functioning Changes in import/export Zsidisin et al. 2000; Kiser and regulations Cantrell 2006 Legal Tariff changes Cultural Different culture Wu et al. 2006; Manuj and Mentzer 2008 Market price of resources changes Production Industrial technological Oke and Gopalakrishnan 2009 changes Product design changes Events related to Zsidisin et al. 2000; Chopra and suppliers, Partner Sodhi 2004; Spekman and Davis customers or 2004 retailers Strategic Tactical Depending on the Internal Lambert 2008 process at issue Operational Table 2. Complete RBM for the Source process Risk sources (RBS) EXS EXS EXS. EXS. EXS EXS EXS EXS. EXS. EXS. EXS. EXS. EXS. EXS. EXS. EXS. EXS. EXS .1 .2 3 4 .5 .6 .7 8 9 10 11 12 13 14 15 16 17 .18 IS.1 P2.1 P2.2 P2.3 P2.4 S2.2 S2.3 S2.4 Activities ES.2 (ABS) ES.3 ES.4 ES.5 ES.6 ES.7 ES.8 ES.10 IS.2 IS.3 IS.4 IS.5 IS.6 Table 3. Portion of RBM for the Source process Source RBM RBS Internal Operational ABS IS.5 Machine performance IS.6 Operator’s operations during transiting of the during transiting of the sourced sourced products products SI2.2 % Orders / lines SI2.2 % Orders / lines received received damage free damage free SI2.4.1 % Product transferred SI2.4.1 % Product transferred on-time to demand on-time to demand requirement requirement SI2.4.2 % Product transferred SI2.4.2 % Product damage free S2: Source Make-toOrder Product S2.2 Receive Product S2.3 Verify Product S2.4 Transfer Product transferred damage free Table 4. Portion of RBM for the Make process Make RBM RBS Internal Operational ABS IM.6 Production IM.7 Machine IM.8 Operator’s IM.9 Production scheduling performance operations process MI2.3.1 Scrap expense MI2.3.1 Scrap expense MI2.3.1 Scrap expense MI2.3.2 Total build MI2.3.2 Total build MI2.3.2 Total build cycle time cycle time cycle time MI2.3.3 Yield MI2.3.3 Yield MI2.3.3 Yield MI2.4 Scrap packaging MI2.4 Scrap packaging MI2.4 Scrap packaging M2: Make-to-Order M2.2 Issue Product MI2.2 Inventory accuracy M2.3 Produce and Test M2.4 Package expense M2.5 Stage Product M2.6 Release Finished Product to Deliver expense expense Table 5. Portion of RBM for the Deliver process Deliver RBM RBS External Catastrophic ABS EXD.1 Nature disasters EXD.2 Man-made accidents D2:Deliver Make-toOrder Product D2.5 Build Loads D2.6 Route Shipments D2.7 Select Carriers and Rate Shipments D2.11 Load Product and Generate Shipping Docs D2.12 Ship Product DI2.12 Delivery DI2.12 Delivery performance to customer performance to customer commit date commit date D2.13 Receive and DI2.13 Perfect order DI2.13 Perfect order Verify Product by fulfilment fulfilment Customer D2.15 Invoice Table A.1. ABS for the Source Process Level 0 Level 1 Level 2 P2 Plan Source P2.1 Identify, Prioritize, and Aggregate Product Requirements P2.2 Identify, Asses, and Aggregate Product Resources P2.3 Balance Product Resources with Product Requirements P2.4 Establish Sourcing Plans S2 Source Make-to- S2.2 Receive Product Order Product S2.3 Verify Product Source Process S2.4 Transfer Product ES Enable Source ES.2 Assess Supplier Performance ES.3 Maintain Source Data ES.4 Manage Product Inventory ES.5 Manage Capital Assets ES.6 Manage Incoming Product ES.7 Manage Supplier Network ES.8 Manage Import/Export Requirements ES.10 Manage Supplier Agreements Table A.2. RBS for the Source Process Level 0 Level 1 Level 2 Level 3 Literature Source External Catastrophic EXS.1 Nature disasters EXS.2 Man-made accidents Economic EXS.3 Fuel price fluctuation EXS.4 Exchange rate fluctuation EXS.5 Changes in the economic situation Social EXS.6 Labour strikes EXS.7 Changes in the network of transportation hubs EXS.8 IT system functioning See Table 1 Legal EXS.9 Changes in import/export regulations Source EXS.10 Tariff changes process Industrial EXS.11 Market price of resources changes EXS.12 Production technological changes EXS.13 Product design changes Partner EXS.14 Supplier business Chopra and Sodhi 2004 EXS.15 Supplier product Zsidisin et al. quality 2000 EXS.16 Supplier capacity Lee et al. 1997 constraints Internal Strategic EXS.17 Supplier behaviour John 1984 EXS.18 Supplier production Wagner and continuity Bode 2006 IS.1 Attitude about Yigitbasioglu information sharing 2004 IS.2 Investment on information system Tactical IS.3 Supplier assessment Chopra and criteria Meindl 2004 IS.4 Inventory policy Operational IS.5 Machine performance during transiting of the sourced products IS.6 Operator’s operations during transiting of the sourced products Table A.3. RBS for the Make process Level 0 Level 1 Level 2 Level 3 Literature Source External Catastrophic EXM.1 Nature disasters See Table 1 EXM.2 Man-made accidents Social EXM.3 Labour strikes EXM.4 IT system functioning Internal Legal EXM.5 Tariff changes Strategic IM.1 Capacity management Spekman and IM.2 Information system Davis 2004 Make IM.3 Attitude about information process sharing Tactical IM.4 Inventory replenishment model Martha 2002 IM.5 Internal transportation path decisions Operational IM.6 Production scheduling Chakraborty IM.7 Machine performance et al. 2009 IM.8 Operator’s operations IM.9 Production process Table A.4. RBS for the Deliver process Level 0 Level 1 Level 2 Level 3 Literature Source External Catastrophic EXD.1 Nature disasters EXD.2 Man-made accidents Economic EXD.3 Fuel price fluctuation EXD.4 Exchange rate fluctuation EXD.5 Changes in the economic situation Social EXD.6 Labour strikes EXD.7 Changes in the network of See Table 1 transportation hubs EXD.8 IT system functioning Legal EXD.9 Changes in import/export Deliver regulations process EXD.10 Tariff changes Partner EXD.11 Financial health of the customers EXD.12 Behaviour of the intermediaries Internal Strategic Tactical ID.1 Warehouse network design ID.2 Information technology Chopra and infrastructure Meindl 2004; ID.3 Attitude about information Chopra and sharing Sodhi 2004 ID.4 Inventory decisions ID.5 Transportation strategy Operational ID.6 Planning of shipment transfers between different modes ID.7 Operator’s operations while handling finished goods ID.8 Machine performance during transiting of the finished goods