Coso 2013 Articulo
1; 2013
Received: December 30, 2012 Accepted: January 17, 2013 Online Published: January 21, 2013
doi:10.5430/jbar.v2n1p15 URL: http://dx.doi.org/10.5430/jbar.v2n1p15
Abstract
This study examined how companies identify and manage supply chain risks and how those actions relate to
systemic enterprise risk management (ERM). The structure, implementation, and maintenance of supply chain risk
management (SCRM) systems and tools are described, and the potential integration of SCRM with ERM is explored.
The ERM framework proposed by The Committee of Sponsoring Organizations (COSO) of the Treadway
Commission (COSO, 2004) is used to examine such integration. Data from 46 firms were analyzed to identify which
factors affect the decision to develop an SCRM system and how the resultant systems compare to an ERM system. It
is suggested that explicitly linking SCRM with ERM will more readily advance research regarding these important
issues and support supply managers in their efforts to develop SCRM strategies, garner the necessary resources, and
execute SCRM at their firms.
Keywords: Supply, Supply chain risk management (SCRM), Enterprise risk management (ERM), COSO
1. Introduction
Every firm is engaged in some type of risk management. However, few firms conduct risk management using a
systematic approach (Beasley et al., 2005; Bowling & Rieger, 2005). Enterprise risk management (ERM), though not
widely adopted, provides a framework and set of tools for managing risks holistically. ERM has been defined in a
variety of ways, but most definitions focus on holistically identifying, assessing and managing risks throughout an
organization and its value chain (COSO, 2004).
Supply chain risk management (SCRM), one element of ERM, is emerging as a viable, proactive, and strategic
supply chain management (SCM) application. However, existing SCRM models do not explicitly make the linkage
to ERM. This research focuses on the structure, implementation, and maintenance of a formal SCRM system and
how such a system may be integrated with ERM. The ERM framework proposed by The Committee of Sponsoring
Organizations (COSO) of the Treadway Commission (COSO, 2004) is used to examine such integration. It is
suggested that explicitly linking SCRM with ERM may more readily advance research regarding these important
issues and support supply managers in their efforts to develop SCRM strategies, garner the necessary resources, and
execute SCRM at their firms.
Data from 46 firms were analyzed to identify which factors affect the decision to develop an SCRM system and how
these factors can influence the level of ERM and SCRM success. The decision to manage supply chain risks
constitutes a major undertaking for most firms. Such an undertaking is a response to a number of factors or
influences. There seems to be recognition that succeeding requires more than simply creating a new program or
department. It is suggested that various factors act to pre-condition the firm and its systems to the introduction,
acceptance, and progress on managing supply risks.
The remainder of this paper begins with a review of the literature, followed by the methods section. The survey data
are then analyzed to profile the respondents and identify how they manage supply chain risks. The article then
concludes with an evaluation of the factors underlying the decision to develop a system for managing supply chain
risks and how these factors can be leveraged into a competitive advantage through ERM.
2. Literature Review
The literature review consists of four related sections. First, the rationale for pursuing a standard risk framework is
presented. Next, an established ERM framework is explored. Proposed SCRM frameworks are then discussed
relative to the ERM framework. Finally, an overview of supply risks and approaches that were included in the survey
is presented.
2.1 Rationale for a Standard Framework
The advancement of research in a discipline (e.g., Just-In-Time Manufacturing, Supply Chain Management) may be
accelerated through the development and validation of frameworks and concepts generated through exploratory
empirical research. For example, the Total Quality Management (TQM) discipline leveraged standardized
frameworks to advance theory building and testing [see for example (Black & Porter, 1996; Capon et al., 1994;
Curkovic et al., 2000; Dean & Bowen, 1994; Flynn et al., 1994; Saraph et al., 1989)]. By leveraging such
frameworks, TQM research moved from a focus on case studies (the current state of SCRM research) to testable
models and specific research hypotheses, linking the theoretical concept of TQM to empirical indicants. Operational
definitions and standardized frameworks have contributed to TQM theory building by identifying the constructs
associated with TQM, developing scales for measuring these constructs, and empirically validating the scales. SCRM
research is still in its infancy stages and would benefit from development of standardized frameworks and concepts.
Sodhi, Son and Tang (2012) identified the lack of consensus regarding the scope of SCRM as a critical gap in SCRM
research. They suggested that there is a great need to reach a consensus on such issues in order to better
communicate with company executives and practitioners, and to more quickly advance SCRM research. They also
suggest that SCRM is a subset or extension of ERM (Sodhi et al., 2012). Given their suggestions, the COSO ERM
framework was identified as a potential consensus framework for SCRM that could fill the research gap while also
contributing to managerial efforts to link SCRM to corporate-wide risk management efforts.
2.2 Enterprise Risk Management and the COSO Framework
Global competitive landscapes and increasingly complex supply chain processes and partnerships, coupled with
increased requirements to comply with regulations, laws and industry guidelines have heightened awareness that firms
may benefit from a systematic approach to risk management. Enterprise risk management (ERM) has garnered
significant academic, consultant and practitioner interest over the last decade as a way to not only mitigate risk but to
take advantage of risk opportunities (Hoyt & Liebenberg, 2011; Nocco & Stulz, 2006). ERM is a process for
identifying, analyzing and proactively planning responses to a portfolio of risks (Bowling & Rieger, 2005; Chapman,
2003).
Though effective ERM can provide significant benefits for a firm (Hoyt & Liebenberg, 2011; Smithson & Simkins,
2005), a relatively small percentage of firms have a detailed understanding of this integrated process and adoption of
ERM is rather limited (Chapman, 2003; COSO, 2010). Ad hoc approaches to risk management by various “silos” in
an organization lead to duplication of resources, uncoordinated planning and less efficient and effective risk
management processes (Hoyt & Liebenberg, 2011).
Varying frameworks have been proposed to support and standardize implementation of systematic ERM. Sample
frameworks include the Joint Australia/New Zealand AS/NZ 4360-2004, the Turnbull Guidance, and the ISO
standards for risk management. This research adopts the framework developed by The Committee of Sponsoring
Organizations (COSO) of the Treadway Commission (COSO, 2004), shown in Figure 1. This framework is perhaps the
most widely discussed and familiar ERM framework (COSO, 2010). COSO is a voluntary private sector organization,
led by the Institute of Management Accountants, The Institute of Internal Auditors Inc., Financial Executives
International, the American Accounting Association, and the American Institute of Public Accountants. COSO
provides executive management with guidance regarding effective, efficient and ethical business practices.
The COSO ERM framework consists of eight components of ERM that are needed to help a firm achieve its
objectives, as described in Table 1 (COSO, 2004; Sobel, 2006). All eight components need to be implemented and
integrated to provide effective ERM. The framework also emphasizes entity wide risk management across four
objectives: strategic, operations, reporting, compliance. The COSO framework also emphasizes that risks are
examined at each level of the organization (i.e., subsidiary, business units, division, entity) beginning with the entity
level and aggregated across all levels so that a portfolio of risks can be managed holistically (Chapman, 2003; COSO,
2004). This research focuses on the “entity” level and “operational” objectives across the eight components of ERM.
COSO defines risk as the probability that an event may occur which adversely impacts the achievement of objectives
(Chapman, 2003). However, given that some risks if managed proactively may lead to positive outcomes for a firm,
the framework supports management of positive risk opportunities and negative risk impacts.
COSO formally defines ERM as “…a process, effected by an entity’s board of directors, management and other
personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect
the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement
of entity objectives.” (COSO, 2004)
ERM and related frameworks are not without detractors. Even COSO states that its ERM framework is not a panacea
and is a challenge to implement, and it invites research based on better understanding the framework (Landsittel &
Rittenberg, 2010). There is a lack of empirical research into the effectiveness of ERM in general (Hoyt & Liebenberg,
2011) and the specific frameworks in particular. Other detractors note that implementing ERM requires a substantial
commitment of resources (time, personnel, money) that are not likely to be available during lean times, and a cultural
shift of the entire organization (Ballou & Heitger, 2005) without an appropriate return on such efforts (Samad-Khan,
2005). However, with appropriate planning and execution COSO’s ERM framework may be implemented by any
organization, from large to small firms (Ballou & Heitger, 2005; Chapman, 2003; COSO, 2004).
2.3 Linking ERM and SCRM Frameworks
SCRM frameworks have also been proposed (Hallikas et al., 2004; Kleindorfer & Saad, 2005; Manuj & Mentzer,
2008; Tummala & Schoenherr, 2011). There are many similarities in these frameworks, though there is no consensus
on the scope of SCRM (Sodhi, et al., 2012). In some cases, the concepts are the same, but the terms used are slightly
different (e.g., risk assessment versus risk evaluation) and some frameworks do not explicitly identify key processes
(e.g., monitoring and review). Table 2 compares four SCRM frameworks with the COSO framework.
Table 2. Comparison of SCRM Frameworks to COSO
| COSO 2004 | Hallikas et al., 2004 | Kleindorfer & Saad, 2005 | Manuj & Mentzer, 2008 | Tummala & Schoenherr, 2011 |
| --- | --- | --- | --- | --- |
| Internal Environment | | | | |
| Objective Setting | | | | |
| Event Identification | Risk identification | Specifying sources of risks and vulnerabilities | Risk Identification | Risk Identification; Risk Measurement |
| Risk Assessment | Risk assessment | Assessment | Risk assessment and evaluation | Risk assessment; Risk Evaluations |
| Risk Response | Decision and implementation of risk management actions | Mitigation | Selection of appropriate risk management strategies; Implementation of supply chain risk management strategies; Mitigation of supply chain risks | Risk mitigation & contingency plans |
| Control Activities | | | | |
| Information & Communications | | | | |
| Monitoring | Risk monitoring | | | Risk control & monitoring |
Though SCRM frameworks and COSO share many similarities, there are significant differences. Most noticeably,
the COSO framework explicitly identifies internal environment, objective setting, control activities and information
& communications as key components of risk management. Some of those components are implied and/or integrated
into some of the SCRM frameworks, but the COSO framework provides a more explicit and comprehensive
framework. This might be expected as COSO is an “enterprise” framework while the SCRM frameworks are
“operational”. But that is the point. Until SCRM is positioned as a key component of ERM, supply managers will
continue to struggle to secure the resources and to make risk decisions that support corporate wide strategy and
objectives, and researchers will struggle to identify and measure risk management factors.
2.4 Supply Chain Risks and Practices
Firms face multiple supply risks, whether in combination or isolation. Sample risks include supplier reliability/failure,
information errors, natural disasters, shrinkage, capacity shortages, financial instability, currency exchange rate
fluctuations, port security and increased government regulations (Blackhurst et al., 2005; Kumar &
Verruso, 2008; Liu & Cruz, 2012; Manuj & Mentzer, 2008; Tummala & Schoenherr, 2011; Zsidisin & Hartley,
2012). Each risk might require a specific SCRM technique (Zsidisin & Wagner, 2010).
SCRM treatment options include evaluation and trust building (Laeequddin et al., 2009), use of dual sources (Khan
& Burnes, 2007), environmental scanning (Zsidisin et al., 2004), combined capacity reservation contracts and spot
markets (Inderfurth & Kelle, 2011), supply chain modeling and information systems integration (Giannakis & Louis,
2001), qualification and use of capable suppliers (Manuj & Mentzer, 2008), supplier quality management initiatives
(Holschbach & Hofmann, 2011), buffer inventory (Tang, 2006), contingency plans (Kleindorfer & Saad, 2005),
credit analysis (Kern et al., 2012), strategic sourcing and flexibility (Chiang et al., 2012), forward buying or hedging
(Zsidisin & Hartley, 2012) and supplier development (Matook et al., 2009). Despite the plethora of risks
and risk management approaches, few firms have a structured SCRM approach (Martin et al., 2011).
3. Research Method
The purpose of this study was to identify how companies identify and manage supply chain risks and how those
actions relate to systemic ERM. The research was exploratory in nature. A purposeful sample was selected to support
the research objectives and methodology (Eisenhardt, 1989; Miles & Huberman, 1994). Key criteria included that
the company would agree to identify an informed respondent, reply in a timely manner to a scaled and open ended
survey, and be willing to participate in follow-up questions as needed. All targeted companies were known to support
supply management educational programs and professional associations.
A total of 67 surveys were sent to perceived supporters of the effort. Several industries were chosen for this study to
achieve some level of generalizability. A total of 46 completed responses were received. Early to late respondent
survey comparisons were made to analyze potential non-response bias (Armstrong & Overton, 1977). The mean
values for 7 randomly selected questions were compared between the first 25% of responses and the last 25% of
responses. No statistically significant differences were found between responses. The majority of non-respondents
indicated that either company policy prevented them from participation in this particular survey or that resources
were constrained when the survey was distributed.
4. Results
4.1 Respondent Profiles
The majority of responses (84.8%) were from manufacturing firms (e.g., automotive, electronics, furniture,
aerospace, etc.). All companies were based in North America and had global sales. Approximately 60% of
companies were publicly owned, 33% privately owned and 7% publicly/privately owned. Companies were asked to
have the survey completed by the person most familiar with supply risk management in their organizations. Table 3
suggests that informed respondents replied to the survey.
Table 3. Respondent titles
Title Percent
Procurement or Supply Chain Leader / Manager / Coordinator 37%
Supply Chain Director / Vice President 16%
Materials / Inventory Manager 16%
Strategic / Senior Buyer 13%
Plant Manager 6%
Supply Chain Analyst 6%
Account / Sales Director 6%
5. Discussion
Risk management professionals and organizations, including COSO, indicate that risk management is led by senior
management, and that ERM is a continuous process embedded throughout the organization’s culture, strategy and
processes, and that is integrated across all levels of the firm. ERM translates strategy into tactical and operational
objectives, assigning ownership throughout the organization with each manager and employee responsible for the
management of risk as part of their job description. It supports accountability, performance metrics and rewards,
promoting operational efficiency at all levels including SCM. However, most of the supply risk management
strategies in this study appear to be fragmented (e.g., one group buys insurance, another administers claims, another
handles everything related to safety or security, another selects dual sources, etc.).
SCM focuses primarily on the input part of the value chain, though it has at least some type of support role
throughout the value chain. A closely aligned strategy and relationship between risk managers and others in the
organization supports effective supply chain risk management. A corporate risk management group can address risks
for the entire supply chain and life cycle of a program. There has been an increased recognition of the “Chief Risk
Officer” position to take on such responsibilities. Though not an absolute requirement, having somebody in charge of
ERM enables integrated risk management. The supply chain risk manager would work closely with corporate risk
management, as well as with the supply chain managers. In this study, a gap was suggested as firms failed to use
supply chain managers who work closely with corporate risk management, and managers did not fully understand the
activities being performed by their risk management groups.
Gaining management support may be the most challenging part of implementing a proactive system for managing
risks in the supply chain. SCM leaders might emphasize the importance of supply chain risk management to senior
management in order to get the properly targeted resources necessary to implement such a system, rather than the
poorly targeted budgets seen in this study. The firms in this study recognized the need for risk management and had
at least moderate top management support for such initiatives. This suggests the strong potential for proactive risk
management, yet few firms seem to have such an approach.
Managers agreed that without a systematic analysis technique to assess risk, much can go wrong in a supply chain
(i.e., unexpected cost, extended lead times, poor quality, or numerous other negative performance variables).
Analyzing the risk associated with SCM is a relatively new subject, and little has been done to assist managers with
this process. It would seem a key first step is documenting and analyzing risk. The method for analyzing supply
chain risk should be a cross-functional process that involves senior management as well as key stakeholders from
finance, operations, internal audit, and risk management. This could make roles unclear, so responsibilities need to
be defined. The companies in this study generally have not adopted such boundary spanning processes for risk
management. Instead, they have managed risks within functional silos.
In the absence of cross functional processes and lacking risk management applications, the supply chain managers in
this study are building risk considerations into existing traditional SCM applications (e.g., spend, contract, &
inventory management, demand planning, benchmarking, etc.). This study suggests that supply chain managers
generally coordinate the work to maintain an optimal balance between risk exposures and costs for damages versus
protection activities.
Supply chain risk management goes beyond documenting the likelihood and impact of risks. It also provides
visibility to risks when they occur and translates that risk information to key decision makers so that they can
evaluate and act on information. This study suggests that throughout the supply chain, key operational data and
information such as inventory, demand, forecasts, production and shipment plans, work in progress, yields,
capacities and backlogs was accessible to key members of the supply chains. However, this study also showed that
documenting the likelihood and impact of risks was not always a key part of SCM and that supply chain risk
information was not readily available to key decision makers. Perhaps because of this risk information shortcoming,
very few of the firms were able to exploit risk to an advantage by taking calculated risks in the supply chain and even
fewer were prepared to minimize the effects of disruptions. Thus, it is important that data and information are tightly
managed and that any updates are made as timely as possible. The accuracy of the data should be a source of
confidence to the parties using the data.
The role of supply network design and optimization tools for risk management is still evolving on the SCM side.
Some of the firms in this study make use of network design tools for infrequent, long-range decision making, such as
manufacturing location or distribution capacity given long-term demand expectations. However, there was no
indication that there are new cases of usage, such as helping companies understand, model, and cope with increasing
levels of uncertainty in the supply chain or network. Some companies have adopted software tools to address
multi-echelon inventory optimization. Firms are using these tools to apply probabilistic forecasting techniques to
make inventory policy and configuration decisions and to evaluate different inventory strategies, though none of
them used it to evaluate postponement strategies. Used effectively, they can help companies improve
customer-service levels and fill rates, dampen the impact of supply disruptions, reduce risk, and yield better trade-off
decisions between customer-service levels and required inventory investment.
All of the firms in this study have developed and monitor a set of performance metrics to maintain a risk profile for
their supply chains. They do so by using an assortment of tools and techniques such as: initial supplier evaluations,
QS audits, industry benchmarking, supplier questionnaires, report cards, capacity planning, lead-time analysis,
financial risk assessment, business continuity plans, risk analysis based on accounts payable performance, historical
data, technical capability assessment, on-site capability reviews, forecasting techniques and analysis, data tracking
with customers to identify demand trends, supplier performance measurement, etc. Some also used supplier risk
rankings, similar to credit scores used in the financial industry, to measure suppliers on stability, contingency
planning, and on-target delivery performance. Firms tracked this type of performance through supplier scorecards to
monitor leading indicators that impact risk. However, no firm had an ongoing risk-review process to ensure that they
keep their risk profile within an optimal range of economic impact. In general, the development of proactive risk
management performance metrics in the supply chain was lacking in this study. The supplier scorecards were not
balanced or optimal, and they supported reactive decision making.
Several of the firms used financial reports and questionnaires during supplier approval to compare supply candidates
to the business requirements of the buyers or project teams. When justified by a perceived level of risk, a few of the
firms went one step further and had candidate comparison matrices (e.g., supplier profiling form and supply chain
PFMEA). Additionally, most had formal processes for supplier visits (e.g., rapid plant assessment, site verification of
the supplier questionnaire, etc.). Some firms used life cycle management with supplier report cards and their buyers
would conduct periodic supply chain reviews. In one firm, sourcing was assigned risk ownership and they used
PFMEA principles to evaluate risk impact. For each risk, they would assess what the financial impact would be in
the event of a disruption. They then assigned a probability to each risk area and then they prioritized by multiplying
the financial impact by the risk probability.
This study also demonstrates that the measurement of risk factors does not necessarily require a new or unique set of
performance measures. For example, one firm used average on-time delivery as a measure of supplier performance
and chose to look more closely at the peaks and valleys of this indicator to determine the supplier’s risk impact on its
own delivery performance. In another example, key metrics were established to measure the risk associated with key
suppliers and their performance against service level agreements. Supplier agreements were then aligned with the
established levels negotiated with the company’s key customer agreements.
Firms face a variety of risks and are unlikely to be able to cost effectively identify and respond to all risks. Some
firms conducted a Pareto analysis to determine where to focus their SCM risk management efforts. The most
common current risk identified by respondents was supplier failure. Though some firms indicated that in the future
such risk will decrease, more firms indicated that the risk will increase. This provides support for the suggestion that
current ad-hoc approaches by the firm and SCM are largely ineffective in the long term.
Commodity cost volatility was also a growing concern, but with a limited number of systems to manage its risk. For
example, the majority of the firms strongly disagreed that they were using hedging strategies (to protect against
commodity price swings) and speculation (forward placement of inventory, forward buying of raw material, etc.) for
managing supply chain risks (and yet it was identified as one of the top risk factors). Not surprisingly, firms were very
disappointed with their supply chain’s performance on lower commodity prices and reduced material price volatility.
Only one firm in the sample had a system in place to proactively manage commodity prices. This firm had a
dedicated staff that used a price sliding system on key commodities which were tied to market indices (e.g., plastics,
metals, rubbers, etc.).
Some firms in this study used management scorecards (e.g., dashboards, reviews, audits, etc.) to identify trends in
advance and to view the progress of their supply chains according to a collection of performance indicators. In this
manner, they do get some early warning signs if suppliers or carriers are underperforming. However, they fall short
on having systems with event-based alerts that let them know when their supply chains are at risk. Until that happens,
it will be difficult for managers to take appropriate and well managed risks. Instead, they may outsource to low cost
regions to meet their cost savings goals and not stay within an optimal range on the risk management side.
In general, no one was compensated or incented in their day to day job to look at and evaluate the risks within an
optimal range of economic impact. For example, a typical off-shore target for several supply chain managers was to
achieve “x” million dollars of component off-shore in “y” years. Such situations may force managers to compromise
on risk issues as they focused on achieving cost efficiency. If the reward system only rewards those who achieve
their objectives irrespective of due attention to risks, then managers will strive to achieve objectives at the cost of
disproportionate risks. In most of the firms in this study, the major objectives were to reduce inventory, improve
in-stock availability, and cut costs. Most of these firms had specific targets for off-shore sourcing that forced
managers to inevitably compromise on risk issues. Managing risks in the supply chain was perceived as something
that contradicts the process of achieving other company objectives.
Responses to supply risk included acceptance, reduction and sharing. Though firms used a variety of techniques,
unfortunately this research did not determine if the techniques were used based on sound risk management principles
or because it was the only technique the firm was able to implement. Perhaps the old adage that “if the only tool you
have is a hammer, then everything looks like a nail” applies to supply risk management.
6. Conclusion
This descriptive research examined existing supply chain risk management (SCRM) strategies, processes and
frameworks to determine how well they align and integrate with enterprise risk management (ERM) systems. It is
suggested that the ERM framework proposed by The Committee of Sponsoring Organizations (COSO) of the
Treadway Commission (COSO, 2004) provides a reasonable framework that enables firms to accomplish integration
of SCRM and ERM. Such integration of SCRM with ERM frameworks may provide a more solid foundation for
future research through the use of consistent terms, measures, contexts and interrelationships. Such integration might
also enable supply managers to more efficiently and effectively develop SCRM strategies, secure the necessary
resources, and execute SCRM at their firms.
References
Armstrong, J.S., Overton T.S. (1977). Estimating Nonresponse Bias in Mail Surveys. Journal of Marketing Research
14(3): 396-402. http://dx.doi.org/10.2307/3150783
Ballou, B., Heitger D. (2005). A Building Block Approach for Implementing COSO's Enterprise Risk Management -
Integrated Framework. Management Accounting Quarterly 6(2): 1-10.
Beasley, M., Clune R., Hermanson D. (2005). ERM: A Status Report. The Internal Auditor 62(1): 67-72.
Black, S., Porter L. (1996). Identification of the Critical Factors of TQM. Decision Sciences Journal 27(1): 1-21.
http://dx.doi.org/10.1111/j.1540-5915.1996.tb00841.x
Blackhurst, J., Wu T., O'Grady P. (2005). Pdcm: A Decision Support Modeling Methodology for Supply Chain,
Product and Process Design Decisions. Journal of Operations Management 23(3-4): 325-343.
http://dx.doi.org/10.1016/j.jom.2004.05.009
Bowling, D., Rieger L. (2005). Making Sense of COSO's New Framework for Enterprise Risk Management. Bank
Accounting & Finance Feb/Mar: 35-40.
Capon, N., Kaye M., Wood M. (1994). Measuring the Success of a TQM Programme. International Journal of
Quality and Reliability Management 12(8): 8-22. http://dx.doi.org/10.1108/02656719510097471
Chapman, C. (2003). Bringing ERM into Focus. The Internal Auditor 60(3): 30-35.
Chiang, C.Y., Kocabasoglu-Hillmer C., Suresh N. (2012). An Empirical Investigation of the Impact of Strategic
Sourcing and Flexibility on Firms Supply Chain Agility. International Journal of Operations and Production
Management 32(1): 49-78. http://dx.doi.org/10.1108/01443571211195736
COSO. (2004). Enterprise Risk Management - Integrated Framework. Committee of Sponsoring Organizations of the
Treadway Commission.
COSO. (2010). Current State of Enterprise Risk Oversight and Market Perceptions of COSO’s ERM Framework.
Committee of Sponsoring Organizations of the Treadway Commission.
Curkovic, S., Melnyk S., Calantone R., Handfield R. (2000). Validating the Malcolm Baldrige National Quality
Framework through Structural Equation Modeling. International Journal of Production Research 38(4):
765-791. http://dx.doi.org/10.1080/002075400189149
Dean, J., Bowen D. (1994). Management Theory and Total Quality: Improving Research and Practice through
Theory Development. Academy of Management Journal 19(3): 392-418.
Eisenhardt, K. (1989). Building Theories from Case Study Research. The Academy of Management Review 14(4):
532-550.
Flynn, B., Schroeder R., Sakakibara S. (1994). A Framework for Quality Management Research and an Associated
Instrument. Journal of Operations Management 11(4): 339-366.
http://dx.doi.org/10.1016/S0272-6963(97)90004-8
Giannakis, M., Louis M. (2001). A Multi-Agent Based Framework for Supply Chain Risk Management. Journal of
Purchasing and Supply Management 17(1): 23-31.
Hallikas, J., Karvonen I., Pulkkinen U., Virolainen V.M., Tuominen M. (2004). Risk Management Processes in
Supplier Networks. International Journal of Production Economics 90(1): 47-58.
http://dx.doi.org/10.1016/j.ijpe.2004.02.007
Holschbach, E., Hofmann E. (2011). Exploring Quality Management for Business Services from a Buyer's
Perspective Using Multiple Case Study Evidence. International Journal of Operations & Production
Management 31(6): 648-685. http://dx.doi.org/10.1108/01443571111131980
Hoyt, R., Liebenberg A. (2011). The Value of Enterprise Risk Management. Journal of Risk and Insurance 78(4):
795-822. http://dx.doi.org/10.1111/j.1539-6975.2011.01413.x
Inderfurth, K., Kelle P. (2011). Capacity Reservation under Spot Market Price Uncertainty. International Journal of
Production Economics 133(1): 272-279. http://dx.doi.org/10.1016/j.ijpe.2010.04.022
Kern, D., Moser R., Hartmann E., Moder M. (2012). Supply Risk Management: Model Development and Empirical
Analysis. International Journal of Physical Distribution & Logistics Management 42(1): 60-82.
http://dx.doi.org/10.1108/09600031211202472
Khan, O., Burnes B. (2007). Risk and Supply Chain Management: A Research Agenda. The International Journal of
Logistics Management 18(2): 197-216. http://dx.doi.org/10.1108/09574090710816931
Kleindorfer, P.R., Saad G.H. (2005). Managing Disruptions in Supply Chains. Production and Operations
Management 14(1): 53-68. http://dx.doi.org/10.1111/j.1937-5956.2005.tb00009.x
Kumar, S., Verruso J. (2008). Risk Assessment of the Security of Inbound Containers at US Ports: A Failure, Mode,
Effects, and Criticality Analysis Approach. Transportation Journal 47(4): 26-41.
Laeequddin, M., Sardana G.D., Sahay B.S., Abdul Waheed K., Sahay V. (2009). Supply Chain Partners Trust
Building Process through Risk Evaluation: The Perspectives of UAE Packaged Food Industry. Supply Chain
Management 14(4): 280-290. http://dx.doi.org/10.1108/13598540910970117
Landsittel, D., Rittenberg L. (2010). COSO: Working with the Academic Community. Accounting Horizons 24(3):
455-469. http://dx.doi.org/10.2308/acch.2010.24.3.455
Liu, Z., Cruz J. (2012). Supply Chain Networks with Corporate Financial Risks and Trade Credits under Economic
Uncertainty. International Journal of Production Economics 137(1): 55-67.
http://dx.doi.org/10.1016/j.ijpe.2012.01.012
Manuj, I., Mentzer J.T. (2008). Global Supply Chain Risk Management. Journal of Business Logistics 29(1):
133-156. http://dx.doi.org/10.1002/j.2158-1592.2008.tb00072.x
Martin, C., Mena C., Khan O., Yurt O. (2011). Approaches to Managing Global Sourcing Risk. Supply Chain
Management 16(2): 67-81. http://dx.doi.org/10.1108/13598541111115338
Matook, S., Lasch R., Tamaschke R. (2009). Supplier Development with Benchmarking as Part
of a Comprehensive Supplier Risk Management Framework. International Journal of Operations and
Production Management 29(3): 241-267. http://dx.doi.org/10.1108/01443570910938989
Miles, M., Huberman A. (1994). Qualitative Data Analysis: A Sourcebook of New Methods. Newbury Park, CA:
Sage Publications.
Nocco, B., Stulz R. (2006). Enterprise Risk Management: Theory and Practice. Journal of Applied Corporate
Finance 18(4): 8-20. http://dx.doi.org/10.1111/j.1745-6622.2006.00106.x
Samad-Khan, A. (2005). Why COSO Is Flawed. Operational Risk 6(1): 24-28.
Saraph, V., Benson P., Schroeder R. (1989). An Instrument for Measuring the Critical Factors of Quality
Management. Decision Sciences 20(4): 810-829. http://dx.doi.org/10.1111/j.1540-5915.1989.tb01421.x
Smithson, C., Simkins B. (2005). Does Risk Management Add Value? A Survey of the Evidence. Journal of Applied
Corporate Finance 17(3): 8-17. http://dx.doi.org/10.1111/j.1745-6622.2005.00042.x
Sobel, P. (2006). Building on Section 404: Investments in Sarbanes-Oxley Compliance Can Provide a Solid
Foundation for Enterprise Risk Management Projects. The Internal Auditor 63(2): 38-44.
Sodhi, M.S., Son B.G., Tang C.S. (2012). Researcher's Perspective on Supply Risk Management. Production and
Operations Management 21(1): 1-13. http://dx.doi.org/10.1111/j.1937-5956.2011.01251.x
Tang, C.S. (2006). Perspectives in Supply Chain Risk Management. International Journal of Production Economics
103(2): 451-488. http://dx.doi.org/10.1016/j.ijpe.2005.12.006
Tummala, R., Schoenherr T. (2011). Assessing and Managing Risks Using the Supply Chain Risk Management
Process (SCRMP). Supply Chain Management 16(6): 474-483. http://dx.doi.org/10.1108/13598541111171165
Zsidisin, G., Ellram L., Carter J., Cavinato J. (2004). An Analysis of Supply Risk Assessment Techniques.
International Journal of Physical Distribution & Logistics Management 34(5): 397-413.
http://dx.doi.org/10.1108/09600030410545445
Zsidisin, G., Hartley J. (2012). A Strategy for Managing Commodity Price Risk. Supply Chain Management Review
Mar/Apr(2): 46-53.
Zsidisin, G., Wagner S. (2010). Do Perceptions Become Reality? The Moderating Role of Supply Chain Resiliency
on Disruption Occurrence. Journal of Business Logistics 31(2): 1-20.