ericsson’s proactive supply chain risk management approach after a serious sub-supplier...

Ericssons proactive supply chainrisk management approach aftera serious sub-supplier accident

Andreas NorrmanDepartment of Industrial Management and Logistics, Lund University,

Lund, Sweden, and

Ulf JanssonEricsson AB, Sweden, Core Unit Supply, Stockholm, Sweden

Keywords Supply chain management, Risk management, Business continuity, Insurance

Abstract Supply chain risk management (SCRM) is of growing importance, as the vulnerabilityof supply chains increases. The main thrust of this article is to describe how Ericsson, after a fire ata sub-supplier, with a huge impact on Ericsson, has implemented a new organization, and newprocesses and tools for SCRM. The approach described tries to analyze, assess and manage risksources along the supply chain, partly by working close with suppliers but also by placing formalrequirements on them. This explorative study also indicates that insurance companies might be adriving force for improved SCRM, as they now start to understand the vulnerability of modernsupply chains. The article concludes with a discussion of risk related to traditional logistics concepts(time, cost, quality, agility and leanness) by arguing that supply chain risks should also be put intothe trade-off analysis when evaluating new logistics solutions not with the purpose to minimizerisks, however, but to find the efficient level of risk and prevention.

IntroductionBackgroundIn industry, especially those industries moving towards longer supply chains (e.g. dueto outsourcing) and facing increasingly uncertain demand as well as supply, the issueof risk handling and risk sharing along the supply chain is an important topic. Theleaner and more integrated supply chains get, the more likely uncertainties, dynamicsand accidents in one link affect the other links in the chain. Hence, the supply chainvulnerability (Svensson, 2000; Christopher et al., 2002) increases, and it will increaseeven more if companies, by outsourcing, have become dependent on otherorganizations. A number of current business trends that increase the vulnerabilityto risks in supply chains are:

. increased use of outsourcing of manufacturing and R&D to suppliers;

. globalization of supply chains;

. reduction of supplier base;

. more intertwined and integrated processes between companies;

. reduced buffers, e.g. inventory and lead time;

. increased demand for on-time deliveries in shorter time windows, and shorterlead times;

. shorter product life cycles and compressed time-to-market;

The Emerald Research Register for this journal is available at The current issue and full text archive of this journal is available at

www.emeraldinsight.com/researchregister www.emeraldinsight.com/0960-0035.htm

IJPDLM34,5

434

Received July 2003Revised February 2004Accepted March 2004

International Journal of PhysicalDistribution & Logistics ManagementVol. 34 No. 5, 2004pp. 434-456q Emerald Group Publishing Limited0960-0035DOI 10.1108/09600030410545463

. fast and heavy ramp-up of demand early in product life cycles; and

. capacity limitation of key components.

Souter (2000) stresses that companies should not only focus on their own risks: theymust also focus on risks in other links in their supply chain. According to Lambert andCooper (2000) and Mentzer et al. (2001), for example, a key component for supply chainmanagement (SCM) is sharing both risks and rewards between the members of thesupply chain. This is often mentioned, but not further elaborated on, in traditional SCMliterature. The focus of supply chain risk management (SCRM) is to understand, andtry to avoid, the devastating ripple effects that disasters or even minor businessdisruptions can have in a supply chain. Some examples of risk sources and suchsupply chain rippling effects from the last few years are:

. Hurricanes. Hurricane Floyd flooded a Daimler-Chrysler plant producingsuspension parts in Greenville, North Carolina (USA). As a result, seven of thecompanys other plants across North America had to be shut down for sevendays.

. Diseases. The foot-and-mouth disease in the UK in 2001 affected the agricultureindustry more than its last outbreak 25 years ago. The reason for this was thatformer local and regional supply networks had become national andinternational, and that the industry was much more consolidated (Juttner et al.,2002). But many other industries were also affected: luxury car manufacturerslike Volvo and Jaguar had to stop deliveries due to lack of quality leather supply.

. Fires. Toyota was forced to shut down 18 plants for almost two weeks followinga fire in February 1997 at its brake-fluid proportioning valve supplier (AisinSeiki). Costs caused by the disruption were estimated to be $195 million and salesloss was estimated to 70,000 vehicles (, $325 million) (Converium, 2001).

. Demand. Rapidly weakening demand coupled with locked-in supply agreementsmade Cisco take a $2.5 billion inventory write-off in Q2 2001.

. Supply. Inaccurate supply planning led Nike to an inventory shortage of hotfootwear models and the sales for Q3 2001 were $100 million off target.

. Supply chain capacity risks. In a situation where demand is very uncertain, andthe capacity bottleneck is far upstream from the market place, the risk ofinvesting in more capacity could be a joint issue for the whole supply chain, anddifferent instruments for supply chain risk sharing can be used.

PurposeRecently, the interest of supply chain risk management has increased in purchasing,logistics and supply chain management research (e.g. Smeltzer and Siferd, 1998;Zsidisin and Ellram, 1999; Hallikas et al., 2000; Ritchie et al., 2000; Lindroth andNorrman, 2001; Johnson, 2001; Lamming et al., 2001; Christopher et al., 2002). Thisarticle aims to extend current SCRM knowledge by describing and sharing insights ofa companys new organization, processes and tools focused on SCRM. The company isEricsson, a leading telecom company seriously affected by a fire at a sub-supplier someyears ago, an accident which has been widely reported (e.g. TheWall Street Journal,2001).

Ericssonsproactiveapproach

435

The remainder of the paper is structured as follows. First, literature related tosupply chain risk management and business continuity planning in a supply chainperspective will be summarized to give a background of the topic. Then there is a shortdiscussion of the methodology. Next, the case is introduced by a short description ofthe Albuquerque incident that increased Ericssons focus on supply chain riskmanagement. The following section describes Ericssons current approach to SCRM,and the paper ends with a concluding discussion.

Supply chain risk managementThe underlying definition of SCRM in this article is:

Supply chain risk management is to [collaborate] with partners in a supply chain apply riskmanagement process tools to deal with risks and uncertainties caused by, or impacting on,logistics related activities or resources (Norrman and Lindroth, 2002).

Supply chain risk management could of course deal with risks for a single company, oreven with the impact on a single logistics activity. But following the definition, the unitanalyzed should represent a buyer-seller relationship (a dyad) or, preferably, a supplychain of three or more companies. Two important dimensions in the definition are riskand uncertainties and the risk management process, which will now be furtherelaborated on.

Risk and uncertaintyDeloach (2000) defines business risk as the level of exposure to uncertainties that theenterprise must understand and effectively manage as it executes its strategies toachieve its business objectives and create value. A more standard definition of risk isrisk is the chance, in quantitative terms, of a defined hazard occurring. It thereforecombines a probabilistic measure of the occurrence of the primary event(s) with ameasure of the consequences of that/those event(s) (The Royal Society, 1992, p. 4).Hence, risk is a quality that reflects both the range of possible outcomes and thedistribution of respective probabilities for each of the outcomes. This quantitativedefinition could be expressed: Risk Probability (of the event) * Business Impact (orseverity) of the event, often illustrated in a risk map or matrix (Figure 1). While riskscan be calculated, uncertainties are genuinely unknown.

But as soon as the quantitative definition is left for a broader and more businessoriented perspective, the term also gets fuzzier. Juttner et al. (2002) have also observedthat the use of the term risk can be confusing, and they argue that risk should beseparated from risk (and uncertainty) sources and risk consequences (equal to theterm risk impact). Risk sources are the environmental, organizational or supply chainrelated variables that cannot be predicted with certainty and that affect the supplychain-outcome variables. Juttner et al. (2002) suggest organizing risk sources relevantfor supply chains into three categories:

(1) Numbers: external to the supply chain.

(2) Internal to the supply chain.

(3) Network related.

External risk sources are exemplified by political risks, natural risks, social risks,industry/market risks (e.g. volatility of customer demand). Internal risk sources

IJPDLM34,5

436

range from labor (strikes) or production (e.g. machine failure) to IT systemuncertainties. Network-related risks arise from interaction between organizationswithin the supply chain, e.g. due to insufficient interaction and cooperation. Riskconsequences/impacts are the focused supply chain outcome variables like costs orquality (but also health and safety), i.e. the different forms in which the variancebecomes manifest. Other authors discussing similar types of risks are Johnson (2001)and Zsidisin (2001). Johnson (2001) divides supply chains risks between supply risks(e.g. capacity limitations, currency fluctuations and supply disruptions) and demandrisks (e.g. seasonal imbalances, volatility of fads, new products). Zsidisin et al. (e.g.2000) focuses on supply risks related to design, quality, cost, availability,manufacturability, supplier, legal, and environmental, health and safety.

We find supply chain risks to be related to the logistics activities in companiesflows of material and information. Consequently, it is only a part of all business risks.(But, on the other hand, the supply chain perspective also implies a perspective notonly including your own company, but a chain of at least three entities: customers,suppliers, sub-suppliers, etc.)

The stages of the risk management processRisk management is the making of decisions regarding risks and their subsequentimplementation, and flows from risk estimation and risk evaluation (The RoyalSociety, 1992, p. 3). The risk management process is focused on understanding therisks, and minimizing their impact by addressing, e.g. probability and direct impact.The stages of the risk management process discussed can vary from riskidentification/analysis (or estimation) via risk assessment (or evaluation) to differentways of risk management (labels differ among authors although the steps are similar).

Parallel to risk management is the issue of how to mitigate the consequences of anaccident if it does happen: to deal with the situation in a way that minimizes businessimpact. This is normally referred to as business continuity management (BCM) andrelates to those management disciplines, processes and techniques, which seek toprovide the means for continuous operations of essential functions under allcircumstances (Hiles and Barnes, 2001, p. 379). BCM aims at getting interrupted

Figure 1.Risk map/matrix


437

businesses restarted. In many ways, risk management and BCM are overlapping, andsome argue that business continuity plans development is the risk management actionto take for risks of low probability (such as fires and floods), but whose potentialimpact is a business failure.

Supply chain risk analysis and assessmentRisk analysis/identification is an important stage in the risk management process.Consequently, by identifying a risk, decision-makers become aware of events that maycause disturbances. To assess supply chain risk exposures, the company must identifynot only direct risks to its operations, but also the potential causes or sources of thoserisks at every significant link along the supply chain (Christopher et al., 2002). Hence,the main focus of supply chain risk analysis is to recognize future uncertainties toenable proactive management of risk-related issues.

There are many methods for risk identification and analysis. One important tool isrisk mapping, i.e. using a structured approach and mapping risk sources and therebyunderstanding their potential consequences. Two commonly used techniques forresearching factors and causes contributing to accidental events are the fault treeanalysis (FTA) and the event tree analysis (ETA). Both are logic diagrams thatrepresent the sequences of failures that may propagate through a complex system.FTA examines all potential events leading up to the critical event and is a graphicaldiagram that shows how a system can fail. The analysis starts with top events, thenthe necessary and sufficiently hazardous events, the causes and contributing factors ofwhich are identified together with their logical relationships by way of a backwardlogic. The ETA is also a graphical logic diagram, but goes the other way. It focuses onevents that could occur after a critical event and identifies and quantifies possibleoutcomes following initiating events by looking at potential consequences (e.g. Mullaiand Paulsson, 2002). For both techniques, quantitative data, such as probabilities forevents, could be used to get an idea of the final probability. Deloach (2000) proposes asimilar tool called risk driver map, where potential threats are mapped.

After the risk analysis, it is important to assess and prioritize risks to be able tochoose management actions appropriate to the situation. One common method is tocompare events by assessing their probabilities and consequences and put them in arisk map/matrix (Figure 1). In theory, and when historical events are assessed, thiscould be quite a straightforward and quantitative task, but in business this could be asubjective process relying on specialists judgements. Hallikas et al. (2000), show anexample of this in a supply context. In practice, other risk assessment tools are alsoused, which are not consistent with the theory of probability and impact but cover abroader perspective instead. Zsidisin and Ellram (1999) summarize the supply riskassessment process of a Fortune 500 high-tech company, and propose a ten-stepapproach to risk assessment (Figure 2). Primarily, they are concerned withmaterial-related risks that could affect timely and cost-effective delivery of qualityproducts and services.

Risk managementRisk management is the process whereby decisions are made to accept a known orassessed risk and/or the implementation of actions to reduce the consequences orprobability of occurrence. Generally used actions for risk management are to avoid,

IJPDLM34,5

438

reduce, transfer, share or even take the risk. To avoid is to eliminate the types of eventthat could trigger the risk. To reduce applies both to reduction of probability andconsequence. Examples of how to reduce the impact could be to have an extrainventory, multiple sources, back-up sites/resources identified, sprinklers in buildings,having risk managers and emergency teams appointed, parallel systems or todiversify. Probability could be reduced by improving risky operational processes, bothinternally and in cooperation with suppliers, and to improve related processes, e.g.supplier selection. Risk could also be transferred to insurance companies but also tosupply chain partners by moving inventory liability, changing delivery times ofsuppliers (just-in-time deliveries) and to customers (make-to-order manufacturing), orby outsourcing activities. Furthermore, contracts can be used to transfer commercialrisks. Finally, risks could be shared, both by contractual mechanisms (e.g. Tsay et al.(1998) or Cachon (2002), for a review on supply chain contracts) and by improvedcollaboration.

Business continuity managementBusiness continuity management (BCM) is defined as:

. . . the development of strategies, plans and actions which provide protection or alternativemodes of operation for those activities or business processes which, if they were to beinterrupted, might otherwise bring about a seriously damaging or potentially fatal loss to theenterprise (Hiles and Barnes, 2001).

Business continuity management includes crisis management (overall processes tomanage the incident), disaster recovery (recovery of critical systems, applications, dataand networks), business recovery (recovery of critical business processes) andcontingency planning (recovery from impact external to the organization) (CMI, 2002).

Developing action plans is important in BCM, and business continuity planning(BCP) is a term often used. BCP is planning to ensure continued operations in case of acatastrophic event. But it goes beyond disaster-recovery planning, since it includes theactions to be taken, resources required, and procedures to be followed to ensure thecontinued availability of essential services, programs and operations in the event ofunexpected interruptions. BCP has previously been mostly related to computers andinformation technology-related disasters, especially before Y2K, but since then theapproach has moved towards more applications in other business contexts. However,according to a study by CMI (2002), only about 30 percent of all companies studieddeveloped BCP jointly with suppliers. Only 9 percent of companies that haveoutsourced activities (not only logistics) insist on their outsource suppliers havingbusiness continuity plans.

Figure 2.Supply risk assessment

process based on Zsidisinand Ellram (1999)


439

The first activities in developing business continuity plans are identifying the risksand assessing their probability and impact the steps are hence identical to riskmanagement. Part of this is to understand what will be affected (damage potentialanalysis). Then, strategies and recovery plans should be developed that could beimplemented both before the incident (similar to risk management strategies) and afterthe incident. Post-incident strategies are implemented to maintain partial or totalproduct supply and could for manufacturing and logistics include (Musson, 2001):

. use of spare capacity within the organization;

. shutdown of marginal product lines and transfer of key products to thoseproduction facilities;

. assistance from competition;

. outsourcing to sub-contractors, job shops, etc.;

. re-labeling of competitors products (after consideration of all legal implications);and

. establishment of temporary facilities when production capabilities can beestablished with off-the-shelf or second-hand equipment.

MethodologySince only limited empirical research on how companies deal with supply chain riskmanagement has been found, an explorative approach has been chosen. Examples ofearlier case studies in the area are those of Zsidisin (2001), Zsidisin and Ellram (1999)and Zsidisin et al. (2000), but they have focused more on purchasing and supply thana supply-chain approach, consisting of the idea to work with risks along multiplecompanies in a chain. In our study, a single case is used, which is an appropriate way ofestablishing the field at the early stages of an emerging topic (Eisenhardt, 1989). Tocapture and examine contemporary events, the case study approach is normallypreferred (Yin, 1994). The single case could give good enough insights on the breadthof issues and a better opportunity to penetrate important issues. Ericsson has beenchosen for several different reasons: It is in a volatile industry that faces many of thebusiness trends described in the introduction; it has recently had a major supply chainincident that has been widely reported; lately, it has worked hard to improve its supplychain risk management; and, finally, the company has been willing to openly share itsexperiences and has given good access to information and data.

Empirical data have initially been collected through semi-structured and openinterviews done by the academic co-author with about ten representatives from variousfunctions within Ericsson: corporate risk management, core unit supply (a bothstrategic and operational SCM-function), sourcing, and supply chain risk management(industry co-author). In addition, supplementary documents showing processes,organizational structures and risk management tools were collected by the academicco-author to verify and more detailed illustrate the findings from the interviews. Byusing multiple sources of evidence and interviewees, construct validity improves (Yin,1994). The joint writing process started with a structured synopsis developed by theacademic researcher, comparable with an interview guide, which was then filled withfacts and descriptions in a collaborative writing and analysis process. (The industryco-author had of course meetings and written communication with colleagues to getsupplementary data and opinions). By this collaborative writing and analysis process

IJPDLM34,5

440

between an academic and industry co-author, we think that the richness of the casestudy description can be improved as well as the construct validity increased (Yin,1994, pp. 32-4). Further the final paper has been returned for comments and correctionto the other functions interviewed. As this research is an explorative single case study,external validity and broad generalizability are difficult to address. One purpose hasbeen to describe pioneering practice for other practioneers to make it possible tobenchmark, and for academics to start a process of analytical generalization (Yin,1994) by first doing replicate studies and pattern matching-analysis. Hence externalvalidity and generalizability could increase over time with more cases.

Ericsson and the sub-supplier accidentEricsson is the largest supplier of mobile telecom systems in the world, activeworldwide since 1876 and currently employing approximately 61,000 people in morethan 140 countries. The worlds ten largest mobile-phone operators are among theircustomers and some 40 percent of all mobile phone calls are made through Ericssonsystems. For the last ten years, Ericsson has outsourced a great deal of its assemblyand production to contract manufacturers and sub-suppliers. With Sony Ericsson(including Ericssons old cellular phone business) it is also a top supplier of completemobile multi-media products. Like most companies, Ericsson has been exposed to anumber of risks and incidents in the last few years:, e.g. suppliers having quality anddelivery problem, industries general lack of capacity, and power disruption lasting afew days. We will shortly describe the accident that can be seen as the major trigger forEricsson to improve its supply chain risk management.

The Albuquerque accidentA major accident from an Ericsson perspective was a fire on 18 March 2000 in a verysmall production cell (small as a conference room for ten people) at a sub-suppliersplant in Albuquerque, New Mexico (USA). The ten-minute fire was an effect of alightning bolt hitting an electric line in New Mexico, causing power fluctuationsthroughout the state. The problem was that when the power was out, there was nospare diesel motor to supply the fans with power, so the fans stopped. From a plantperspective, the resulting fire was almost negligible, and when the fire brigadearrived it was sent home as the fire already was out (The Wall Street Journal). But forEricsson, the impact was huge. In the spring of 2001, when the annual report fromEricsson was announced, a major loss of about $400 million was indicated, primarilydue to gaps in the supply of radio-frequency chips from this supplier. The reason wasthat the fire occurred in one of the plants clean rooms, where absolutely no dust istolerated. Due to the fire, and especially the smoke and sprinkler water, it took almostthree weeks until the production was up and running. After six months, the yield wasonly 50 percent, and it would take years to get new equipment delivered andinstalled. As this plant was Ericssons only source for this chip, Ericsson was not ableto sell and deliver one of its key consumer products during its booming marketwindow. The company lost many months of mobile phone production, and theaccident finally had a great impact on Ericssons decision to withdraw from themobile phone terminal business.

Later, Ericssons business interruption costs were calculated as approximately $200million, which was compensated by insurance companies. This was one of the biggest


441

insurance payments that year (after the 9/11 disaster). The accident made Ericssonrealize the importance of not only understanding and managing risks internally butalso trying to better analyze, assess and manage risk along the supply chain and totake immediate action when incidents are indicated. In a widespread analysis, TheWall Street Journal argued that Ericsson did not take action quickly and powerfullyenough after the Albuquerque accident, and that it took too long before highermanagement was aware of the incident. Further, Ericsson neither had alternativesources nor was prepared for this kind of accident. Now, actions have been taken:During the last few years, a formal SCRM organization has been put in place, andmany SCRM processes and tools have been developed and implemented. Todaysphilosophy at Ericsson is that everyone is a risk manager.

Ericssons current supply chain risk management approachIn the last few years (after the Albuquerque accident and before the renewal of itsinsurance), Ericsson has further developed and implemented processes and tools forsupply chain risk management. The purpose is minimizing risk exposure in thesupply chain. Its approach for this (Figure 3) is based on a process withfeedback-loops between the sub-processes. The risk management process includes riskidentification (similar to risk analysis), risk assessment, risk treatment (similar to riskmanagement) as previously discussed in theory, but it has also added a process step forrisk monitoring. In parallel (and central) to this, the company has put incident handlingand contingency planning.

Organizational principles and responsibilityPreviously, risk management was handled by a corporate function, mostly dealingwith insurance companies (and later also security). In the last few years theorganisation for supply chain risk management has been developed and many peopleand functions are involved. On a high level, the corporate function for riskmanagement, the SCM/logistics function (in Ericsson called the core unit supply) andthe purchasing function (core unit sourcing) are involved, as well as (Figure 4) the unitsresponsible for the different business areas (SBAs). They are working together in a

Figure 3.Ericssons basic approachto SCRM

IJPDLM34,5

442

matrix-oriented way, for example with a risk management council with representativesfrom the different units. The roles of the main functions involved are:

. corporate risk management has the overall responsibility for risk management inthe Ericsson group and has contact with the insurance companies and co-ordinatesrisk management activities in the whole group, also developing directives;

. core unit supply (CSUP) is responsible for the operative work and daily interfacewith suppliers;

. system business area (SBA) has the business perspective and owns the product;and

. core unit sourcing is responsible for the commercial interfaces with the supplierand is therefore involved in evaluation of suppliers and when incidents occur.

A matrix approach is taken (Figure 5) on a more operational level within theSCM/logistics function (CSUP), as well. A supply chain risk manager, placed withincore unit supply, is responsible for development and implementation of SCRM. He isworking closely together with corporate risk management, as well as with the linepeople (supply chain managers), responsible for different supply chains and hencealso for the supply chains risks. Supply chain managers are also part of CSUP, butinterfacing the SBAs. Supply chain managers should use the tools and processesdeveloped by the SCR manager to analyze, assess and manage risk in their supplychains. In this work purchasers are involved in the assessments of and contacts withsuppliers. The roles of the operational people involved in SCRM are:

. Supply chain risk manager (SCR manager) at core unit supply runs andcoordinates the work to maintain an optimal balance between risk exposures andcosts for damages versus protection activities.

. Supply chain managers (SCM) within CSUP are the interface to SBAs and havefull responsibility for the respective SBAs supply chain. They are responsiblefor risk management as regards securing the reliability of supply chains andtheir ability to deliver.

. Core production: supports SCM with risk management issues.

Figure 4.Organization of risk

management on acorporate level


443

The matrix approach means that many different players are involved in and sharingresponsibility for implementing and maintaining information regarding riskmanagement. This could make roles unclear, and hence responsibility grids(Figure 6) are defined. However, the key responsibility lies with the SCMs thatshould run the risk management work in their respective supply chain.

Risk identification processInitially, Ericsson identifies and analyzes its supply chain risks by mapping thesupply chain upstream, looking at suppliers as well as products/services (Figure 7).

Figure 5.Organization of SCRMwithin the SCM/logisticsfunction core unit supply

Figure 6.Part of responsibility grid

IJPDLM34,5

444

The purpose of this is verifying the business flow between Ericsson and thesupplier/service provider and defining the critical parts and risk sources in theprocess, i.e. products, components, sites, etc. The goal is to get a betterunderstanding of what the probability and impact of the risks are. So far, more than10,000 components have been analyzed, mainly of first and second tier suppliers.

First, each component is classified into four different classes depending on thenumber of sources:

(1) The product is currently sourced from more than one approved source (e.g. twoor more manufacturers or one manufacturer with two or more sites).

(2) The product is currently sourced from one approved source; other sources areapproved and available but not used.

(3) The product is currently sourced from one approved source; other sources areavailable and approved but no tools, masks or other equipment needed are inplace.

(4) The product is currently sourced from one supplier. No additional manufactureris available.

Ericsson then tries to understand the impact by looking at how long an accident willaffect deliveries. This is expressed by business recovery time (BRT). Components areput into four different classes:

(1) It takes less than three months to get deliveries from an alternative source.

(2) Three to eight months to get approval and deliveries from an alternative source.

(3) Nine to 12 months, re-design the only alternative.

(4) 12 months, re-design of a unit/product of high complexity.

Risk assessment processThen, an in-depth analysis is carried out of the suppliers and sub-suppliers of criticalproducts. For this, Ericsson has developed a tool called Ericsson risk managementevaluation tool (ERMET). ERMET (Figure 8) evaluates many different issues in detail,e.g. business control, financial issues, hazards in the surroundings (external as well as

Figure 7.Supply chain risk and

structure map


445

man-made); hazards at the site; and business-interruption handling. The tool is used toanalyze both internal and external suppliers. Internally, the tool will be used incombination with contingency planning.

When using ERMET, corporate risk managers and SCR managers often worktogether, as the tool is complex and requires knowledge to use. Often, a representativefrom sourcing is brought in, who is responsible for the supplier contacts. Each sub-areain ERMET is thoroughly evaluated by looking into different aspects (see Figure 9),trying to quantify the risk by looking at impact (consequence) and probability. Thesuppliers total risk situation, and their forecasted development, is then summarizedinto spider-web diagrams. Those evaluations are done regularly and are used to followup improvements and action plans.

ERMET is mostly focusing on operational accidents and catastrophes and how toavoid business interruption. Ericsson uses other tools to try to identify and assess morestrategic uncertainties such as shifts in products or product generations. When a riskor uncertainty source has been identified, the SCR manager facilitates workshopsattended by different functional and business specialists where events are discussedthat could lead to risks. For each event causes are identified, so that preventive actionscan be developed. (This methodology is similar to FTA). The analysis and actions arethen summarized into special templates that are later used for follow-up andmonitoring of the risks (Figure 10).

Ericsson tries to combine impact and probability in a risk map/matrix. But it hasfound that the risk value (calculated by multiplying impact and probability) is notalways easy to use, as the probability could be difficult to get and the value is notalways understandable to business people. Therefore, Ericsson is focusing on thefinancial impact when assessing which risks to prioritize and for which supplier orcomponents to take actions. To get a financial value of the impact on Ericssons ownbusiness, the company calculates the business interruption value (BIV). Currently thisvalue is defined by gross margin multiplied by the business recovery time (BRT)plus extra costs such as idle capacity labor and equipment, inventory carrying etc. Itsaim is to also consider values such as lost goodwill. This calculation is made by the

Figure 8.Overview of ERMET Ericsson risk managementevaluation tool

IJPDLM34,5

446

business control function in order to help the supply chain manager. To categorize therisks, BIV is divided into four classes:

(1) Severe: BIV . ,$100 million.(2) Major: BIV ,$50 million-$100 million.(3) Minor: BIV ,$10 million-$50 million.(4) Negligible: BIV , ,$10 million.

Figure 9.Examples of detailed riskassessment and summary

diagrams


447

Figure 10.Risk map/matrix andcorresponding riskmanagement actions

IJPDLM34,5

448

This is then used as a basis for the risk matrix to compare the result from the riskidentification process to understand the impact if an interruption occurs (very high,high, medium or low). For each of these risk levels, different actions are required(Figure 11). Ericsson finds risks with high consequences/low probability moreimportant to handle from a risk management perspective than those with lowconsequence/high probability.

Risk treatment/managementThe third step in Ericssons process is called risk treatment, which includes bothdeveloping risk mitigation strategies and deciding on those. This is a lineresponsibility, and who is doing it depends on which tier the risk source is part of:for higher tier, supplier sourcing is responsible, while for lower tier, the supply chainmanager (Figure 6), and for internal plants it is production. Standard templates andtools for this (Figure 10) are developed by the SCR manager. Those templates startwith describing the risk source and its probability and consequence, and continue witha summary of different mitigations strategies, their costs and how they affect the risksituation. To compare the cost of different preventive actions with the businessinterruption value is regarded as very important. Finally, responsible persons areappointed.

Risk monitoring and follow-upIf the risk level is very high, or high and not mitigated, risk monitoring is required. Ifthe residual risk, after mitigation, is not reduced to an acceptable risk level it mustcontinue to be monitored. Risk assessment and treatment templates (Figure 10) andthe spider web (Figure 9) are used to monitor who is responsible internally and howdifferent supply chain partners are developing compared to their commitments. Forsuppliers and sub-suppliers, special attention is given to how their risk managementprocesses are developing.

Incident handling and business continuity planningEricsson is putting emphasis on developing procedures and templates for incidenthandling and BCP to decrease the consequences of an accident. After the Albuquerqueaccident, the process for incident reporting is very important and taskforces/emergency teams have been appointed. If an incident occurs, this should bereported to either the sourcing task force (if external supplier) or the SCM task forceand production task force (if internal supplier). When an incident has been reported, itshould then be communicated to the other task forces as well as to the supply chainrisk manager and the corporate risk management (Figure 12). Also, related SBA and

Figure 11.Templates for risk

assessment and treatment,and contingency planning


449

market representatives that might potentially be affected should be notified. It is nottolerated that suppliers not report incidents they should not first be reported bynewspapers or other sources. The task forces/emergency teams will be trained at leastonce a year in different scenarios, for example a disruption in the supply chain due to adisaster at a class four supplier. When an incident occurs, the three task forces shouldwork closely together, if necessary.

To develop contingency plans, a toolbox is available on the intranet. While theprevious contingency planning focus was on site recovery, it has now moved towards afocus on the whole supply chain. If Ericsson cannot manage a risk by eliminating orminimizing the consequences, the company makes a contingency plan to know what todo if something happens. Ericsson has divided contingency planning into three steps(Figure 10):

(1) Response plan: the response is the required reaction to an incident or emergencyto assess the level of containment and to control activity.

(2) Recovery plan: the recovery phase actions shall include the actions that areneeded to resume critical or essential business operations, functions orprocesses.

(3) Restoration plan: the process of planning for and implementing full-scalebusiness operations again and to allow the organization to return to normalservice level.

For each risk source, a responsible person shall be appointed and actions for response,recovery as well as restoration phase be developed.

The supply chain approach to risk management and business continuity managementSupply chain risk management is not only to analyze, assess and manage internalrisks and try to plan for business continuity for the own company. SCRM meanswidening this approach to the chain of suppliers and suppliers suppliers. This couldbe done by visiting suppliers and analyze and assess them, but more proactively tomake them implement a SCRM approach themselves, which guarantees a furtherspread upstream.

Figure 12.Information flow and taskforces for incidenthandling

IJPDLM34,5

450

Ericsson is implementing this approach both by soft discussion and by puttingthe following guidelines as requirements into the frame contracts:

. The supplier shall establish and maintain a secure sourcing plan includingregularly updated business continuity and business contingency plans.

. The supplier shall identify a back-up site/resource for each relevant site.

. A person responsible for initiating the secure sourcing plan activities shall beappointed for each relevant site.

. Key personnel at the supplier shall be appointed and reasonably trained onEricssons specific product requirements. Alternatively, personnel in thefacilities concerned shall be prepared to be transferred to the dedicatedback-up capacity.

. The supplier shall report incidents.

. The Ericsson entities placing orders should be allowed to review the plan.

. The supplier shall have corresponding requirements on its suppliers andcontractors.

. The supplier shall actively work with risk management with its contractors andsuppliers.

. Ericsson shall at any time have the option to acquire some or all assets which areunique for the production of Ericsson products by the supplier.

To summarize Ericssons approach for SCRM (Figure 13) it starts with mapping all thecomponents and products many tiers upstream the supply chain and identifies criticalsuppliers and sites that have to be prioritized in the further risk assessment. Suppliers,first critical then others, are then analyzed and assessed with the Ericsson evaluationtool (ERMET), which takes many different risk sources into account. By these two first

Figure 13.Ericssons approach to

supply chain riskmanagement


451

steps, a rough assessment is made on how a shortage of a material or product willaffect the supply chain and, finally, Ericssons invoicing. Based on a more thoroughinvestigation, risk probability and the impact of different accidents at each supplierwill be evaluated and the impact measured as business recovery time. The supplierrisk is then translated to the risk related to Ericssons business with the impactmeasured in business interruption value. Based on this assessment, risk managementactions can be discussed and taken. A very important part in this last step is to find theright trade-off between risk management (protection) cost and risk cost (impactmeasured as BIV): a too high investment in safeguards is not good business practice,either.

So far, most joint work has been with the next upstream tier, the contractmanufacturers. They have been very positive to and interested in the co-operativeapproach to secure the supply chain and reduce supply chain risks. An importantpart of the work has been to share tools and methods used in the risk managementprocess to analyze and assess risks.

Business impact of improved supply chain risk managementThe new SCRM approach has so far contributed well to Ericsson. After theAlbuquerque accident, it was quite difficult to get new business-interruptioninsurances. The insurance companies were skeptical and an increase of insurance costswas flagged. Further, they demanded more and more information on risks in thesupply chain. With the current way of working with SCRM, this has changed again,and lately, insurance companies have praised Ericssons way of working, and willprobably impose the same requirements on other companies. The insurance premiumoffered was 50 percent lower than Ericsson first expected, due to its SCRM work.

Although the supply chains now are more secure and less vulnerable, there havebeen incidents after Albuquerque (and always will be). During the implementation ofSCRM processes, a new incident occurred at a supplier. A small fire in a plating linecaused a disruption. This incident gave Ericsson the opportunity to test and verify theprocesses with a real case. In their risk identification process, the business recoverytime for that component was estimated to approximately three months, which provedto be correct. Based on BRT and previous experience, Ericsson could act and set upenough resources to handle the incident. Ericsson quickly enough allocatedcomponents, so there was no disruption in their inbound supply.

The SCRM tools have also started being used for other purposes than those theywere initially developed for. The supply chain risk and structure maps are now alsoused to assess capacity and dimensioning risks in order to arrange buffers. Anotherexample is that a SBA uses the cause-event analysis for risks related to productintroduction, ramp-up and product changes. This indicates that the SCRM work hasbeen positively received by the organization.

Concluding discussionSupply chain risk management seems to be of growing interest and importance bothfrom an academic and a practioner perspective. The development lately withinSCM/logistics has created long, lean and interconnected chains of companiesvulnerable to accidents and their rippling effects. In the last few years, there have beenmany examples of such accidents, and in this article we have described Ericssons new

IJPDLM34,5

452

approach to SCRM after its supply chain accident in Albuquerque. Ericsson has nowdeveloped and implemented improved organization, processes and tools for supplychain risk management. It tries to identify, analyze and manage both internal andexternal risk sources, related to the company as well as its suppliers and sub-suppliers.By this, and an increased requirement on and cooperation with suppliers regardingrisk management, it also tries to avoid impact from network related risk sources.According to Ericsson, an important success factor, to make SCRM work, is having anopen discussion with the suppliers, both during risk analysis and assessment, butparticularly when handling incidents. Many ideas and tools have been taken fromnormal risk management practice, but have been applied with a supply chainperspective, focusing not only on Ericssons own activities. As a result, riskconsequences have been reduced, Ericsson has been better able to handle incidents andits insurance costs have been reduced. However, the approach is continuouslyimplemented and has still not come to its end (if it ever will). Although Ericssonsapproach can be considered proactive, the company will stress the importance ofhaving reactive task forces prepared. Even if much resources are invested in riskanalysis and assessment, accidents might appear where and when least expected andthen an efficient crisis organization must be in place to minimize the consequences.

Ericssons work has, to some extent, been driven by a pressure from insurancecompanies a pressure that most likely will be put on other companies and industriestoo. What the insurance companies realized, with the Albuquerque accident as atrigger, was that they did not understand the risks, risk sources and consequences thatthe current long supply chains and their rippling effects had. Hence, a new drivingforce for companies to work with SCRM could be that insurance companies will requireit to reduce insurance premiums or even to sell contingency insurances.

Current logistics and supply chain principles have been influenced by the attemptsin the last few decades, first to reduce costs, then time and quality, and have latelyfocused on concepts of responsiveness, agility and leanness (Figure 14).

Those principles could lead to very vulnerable supply chains, and, consequently, theinterest in SCRM has increased lately. However, to safeguard logistics processes toomuch could be both counteractive to current best practice in logistics as well as toocostly. Hence, we would argue that a balanced approach should be taken, where SCRM

Figure 14.Key focus areas within

logistics and SCM


453

is one part of the equation. This could be done by trying to relate risk consequences totime (business recovery time) and money (business interruption value) as Ericsson isnow doing. Further, it is possible to expand the risk management focus from thecompanies own sites to suppliers and sub-suppliers by working together in riskidentification, assessment, management and business continuity planning, but also byformal assessment of how suppliers are working with those issues and by puttingrequirements into the contracts. Current and new logistics principles could beevaluated from a SCRM perspective, and risk management actions must be evaluatedfrom a logistics perspective focusing on cost, time, quality etc. Some connectionsbetween SCRM and the other areas (Figure 14) are:

. Risk and costs: SCRM might create too high prevention costs (reducingprobability or impact by increased buffers, new processes, extra suppliers, etc) aswell as reduce cost for both business interruptions and insurances. The Ericssoncase is an example in which the risk is measured in money (BIV), prevention costis compared to risk costs, and insurance cost is decreased thanks to improvedSCRM.

. Risk and time: SCRM might create buffers and processes delaying lead time but through good and well thought out SCRM other actions should be found.Time could also be reduced e.g. the reaction time when an incident or accidenthappens. Ericsson is also an example of how a time measurement (BRT) is usedto assess risk impact.

. Risk and quality: these two areas are most similar and should definitely work outwell in parallel both have a clear process orientation and a focus on avoidingerrors (Lee and Wolfe, 2003, elaborate on this issue).

. Risk and agility, responsiveness and leanness: companies efforts to increaseagility, responsiveness and leanness have led to increased outsourcing andreduced buffers and lead time and hence to increased vulnerability. Ericsson ischaracterized by this aspiration and has implied a high risk exposure.However, as these three concepts are very important in todays business, efficientSCRM is important for managing the increased risk exposure.

The main contributions of this article have been to stress the supply chain approachin SCRM as a complement to more purchasing oriented studies, and to give a quitedetailed description of how SCRM could work in practice. By using a case companythat only a few years ago was seriously affected by a sub-suppliers fire and hencestarted to focus on SCRM, it should hopefully bring new insights both to academy andpractioners. The interrelation between supply chain risk management and currentlogistic/supply chain management principles is not clear, and we find this to be aninteresting field for future research so that SCRM actions neither decreases supplychain efficiency nor is seen only as costly and time consuming.

References

Cachon, G. (2002), Supply Chain Coordination with Contracts, The Wharton School of Business,University of Pennsylvania, Philadelphia, PA.

IJPDLM34,5

454

Chartered Management Institute (CMI) (2002), Business Continuity and Supply ChainManagement, report available at: www.thebci.org/2809-01%20Bus%20Continuity%20Summ.pdf

Christopher, M., McKinnon, A., Sharp, J., Wilding, R., Peck, H., Chapman, P., Juttner, U. andBolumole, Y. (2002), Supply Chain Vulnerability, Cranfield University, Cranfield.

Converium (2001), Suppliers extension or contingent business interruption insurance,available at: www.converium.com/web/converium/converium.nsf/2a1b7a462af6c00185256ad2000da28c/30c4e3ebc211d4f9c1256ad5004334b5?OpenDocument.

Deloach, J.W. (2000), Enterprise-wide Risk Management. Strategies for Linking Risk andOpportunities, Financial Times/Prentice-Hall, London.

Eisenhardt, K.M. (1989), Building theories from case study research, Academy of ManagementReview, Vol. 14 No. 4, pp. 532-50.

Hallikas, J., Virolainen, V.-M. and Tuominen, M. (2000), Risk analysis and assessment innetwork environment a dyadic case study, Preprints of the 11th International WorkingSeminar on Production Economics, pp. 255-70.

Hiles, A. and Barnes, P. (Eds) (2001), The Definitive Handbook of Business ContinuityManagement, J. Wiley & Sons, Chichester.

Johnson, M.E. (2001), Learning from toys: lessons in managing supply chain risk from the toyindustry, California Management Review, Vol. 43 No. 3, pp. 106-24.

Juttner, U., Peck, H. and Christopher, M. (2002), Supply chain risk management: outlining anagenda for future research, in Griffiths, J., Hewitt, F. and Ireland, P. (Eds), Proceedings ofthe Logistics Research Network 7th Annual Conference, pp. 443-50.

Lambert, D.M. and Cooper, M.C. (2000), Issues in supply chain management, IndustrialMarketing Management, Vol. 29, pp. 65-83.

Lamming, R., Caldwell, N., Harrison, D. and Phillips, W. (2001), Transparency in supplyrelationships: concept and practice, Proceedings of the 10th International IPSERAConference, pp. 585-94.

Lee, H.L. and Wolfe, M. (2003), Supply chain security without tears, Supply Chain ManagementReview, January/February, pp. 12-20.

Lindroth, R. and Norrman, A. (2001), Supply chain risks and risk sharing instruments anillustration from the telecommunication industry, Proceedings of the Logistics ResearchNetwork 6th Annual Conference, Heriot-Watt University, 13-14 September, pp. 297-307.

Mentzer, J.T., DeWitt, W., Keebler, J.S., Min, S., Nix, N.W., Smith, C.D. and Zacharia, Z.G. (2001),Defining supply chain management, Journal of Business Logistics, Vol. 22 No. 2, pp. 1-25.

Mullai, A. and Paulsson, U. (2002), Oil Spills in Oresund Hazardous Events, Causes and Claims,Lund University, Lund.

Musson, M. (2001), BC strategies for manufacturing and logistics, in Hiles, A. and Barnes, P.(Eds), The Definitive Handbook of Business Continuity Management, J. Wiley & Sons,Chichester, pp. 163-70.

Norrman, A. and Lindroth, R. (2002), Supply chain risk management: purchasers vs plannersviews on sharing capacity investment risks in the telecom iindustry, Proceedings of the11th International Annual IPSERA Conference, Twente University, 25-27 March,pp. 577-95.

Ritchie, B., Brindley, C., Morris, J. and Peet, S. (2000), Managing risk within the supply chain,paper presented at the 9th International IPSERA conference, Ontario, May.

(The) Royal Society (1992), Analysis, Perception and Management, The Royal Society, London.


455

Smeltzer, L.R. and Siferd, S.P. (1998), Proactive supply management: the management of risk,International Journal of Purchasing and Materials Management, Vol. 34 No. 1, pp. 38-45.

Souter, G. (2000), Risks from supply chain also demand attention, Business Insurance, Vol. 34No. 20, pp. 26-8.

Svensson, G. (2000), A conceptual framework for the analysis of vulnerability in supply chains,International Journal of Physical Distribution & Logistics Management, Vol. 30 No. 9,pp. 731-50.

Tsay, A.A., Nahmias, S. and Agrawal, N. (1998), Modelling supply chain contracts: a review, inTayur, S. et al. (Eds), Quantitative Models for Supply Chain Management, KluwerAcademic, Norwall, MA, pp. 299-336.

Wall Street Journal (2001), Trial by fire a blaze in Albuquerque sets off major crisis forcell-phone giants, 29 January.

Yin, R.K. (1994), Case Study Research Design and Methods, Applied Social Research MethodsSeries, Vol. 5, Sage Publications, Thousand Oaks, CA.

Zsidisin, G. (2001), Measuring supply risk: an example from Europe, Practix, Best Practices inPurchasing and Supply Chain Management, June, pp. 1-6.

Zsidisin, G. and Ellram, L.M. (1999), Supply risk assessment analysis, Practix, Best Practices inPurchasing and Supply Chain Management, June, pp. 9-12.

Zsidisin, G., Panelli, A. and Upton, R. (2000), Purchasing organization involvement in riskassessment, contingency plans, and risk management: an exploratory study, SupplyChain Management: An International Journal, Vol. 5 No. 4, pp. 187-97.

Further reading

A.T. Kearney and European Logistics Association (1999), Insight to Impact. Results of the 4thQuinquennial European Logistics Study, ELA, Brussels.

Lonsdale, C. (1999), Effectively managing vertical relationships: a risk management model foroutsourcing, Supply ChainManagement: An International Journal, Vol. 4 No. 4, pp. 176-83.

IJPDLM34,5

456