SlideShare una empresa de Scribd logo

Supply chain 4

S
softuni29
1 de 15
Descargar para leer sin conexión
Supply Chain Management: An International Journal Emerald Article: Supply chain risk management Peter Finch Article information: To cite this document: Peter Finch, (2004),"Supply chain risk management", Supply Chain Management: An International Journal, Vol. 9 Iss: 2 pp. 183 - 196 Permanent link to this document: http://dx.doi.org/10.1108/13598540410527079 Downloaded on: 14-06-2012 References: This document contains references to 45 other documents Citations: This document has been cited by 4 other documents To copy this document: permissions@emeraldinsight.com This document has been downloaded 11850 times since 2005. * Users who downloaded this Article also downloaded: * Ila Manuj, John T. Mentzer, (2008),"Global supply chain risk management strategies", International Journal of Physical Distribution & Logistics Management, Vol. 38 Iss: 3 pp. 192 - 223 http://dx.doi.org/10.1108/09600030810866986 Rao Tummala, Tobias Schoenherr, (2011),"Assessing and managing risks using the Supply Chain Risk Management Process (SCRMP)", Supply Chain Management: An International Journal, Vol. 16 Iss: 6 pp. 474 - 483 http://dx.doi.org/10.1108/13598541111171165 Uta Jüttner, (2005),"Supply chain risk management: Understanding the business requirements from a practitioner perspective", The International Journal of Logistics Management, Vol. 16 Iss: 1 pp. 120 - 141 http://dx.doi.org/10.1108/09574090510617385 Access to this document was granted through an Emerald subscription provided by UNIVERSITY OF THE PUNJAB For Authors: If you would like to write for this, or any other Emerald publication, then please use our Emerald for Authors service. Information about how to choose which publication to write for and submission guidelines are available for all. Please visit www.emeraldinsight.com/authors for more information. About Emerald www.emeraldinsight.com With over forty years' experience, Emerald Group Publishing is a leading independent publisher of global research with impact in business, society, public policy and education. In total, Emerald publishes over 275 journals and more than 130 book series, as well as an extensive range of online products and services. Emerald is both COUNTER 3 and TRANSFER compliant. The organization is a partner of the Committee on Publication Ethics (COPE) and also works with Portico and the LOCKSS initiative for digital archive preservation. *Related content and download information correct at time of download.
Introduction Case study Supply chain risk Do large companies increase their exposure to risk by having small to medium-sized management enterprises (SMEs) as partners in business critical positions in the supply chain? Peter Finch This article presents a review of the literature, supplemented by case studies that aims to determine if large companies are taking unnecessary risks related to information systems (IS) management and maintenance of the supply chain. The author Methods Peter Finch is a Risk Management Consultant with AEA Secondary analysis of published and grey Technology, Warrington, UK. literature, and case studies was undertaken. The aim of the search strategy was to be Keywords comprehensive but not exhaustive. The Supply chain management, Risk management, material was restricted to the English language Small to medium-sized enterprises, Information systems as there were insufficient resources for translation. The search strategy was as follows. Abstract Published and grey literature This article presents a secondary analysis of the literature, Electronic searches of the following journal supplemented by case studies to determine if large databases were undertaken to identify companies increase their exposure to risk by having published literature: ANBAR, BIDS, Emerald, small- and medium-size enterprises (SMEs) as partners in Infotrac, INSPEC, and Ei Compendex. This business critical positions in the supply chain, and to make was supplemented by online searches using the recommendations concerning best practice. A framework Copernic, Google, and Northern Light search defining the information systems (IS) environment is used to engines: structure the review. The review found that large companies' . Electronic searches were undertaken using exposure to risk appeared to be increased by the terms ``SME'', ``small business'', inter-organisational networking. Having SMEs as partners in ``supply chain'', ``risk'', ``risk management'', the supply chain further increased the risk exposure. SMEs ``business continuity'', and ``disaster''. increased their own exposure to risk by becoming partners in Search dates were restricted to between a supply chain. These findings indicate the importance of 1995 and 2001. undertaking risk assessments and considering the need for . Additional grey literature (for example, business continuity planning when a company is exposed to newspaper articles, trade magazines, inter-organisational networking. company policies and procedures) was obtained. Electronic access . Hand searching was undertaken to identify The Emerald Research Register for this journal is available at relevant published and grey literature not www.emeraldinsight.com/researchregister identified by electronic searches. The current issue and full text archive of this journal is Case studies available at The case studies originate from newspapers, www.emeraldinsight.com/1359-8546.htm magazine and journal articles, and examples Supply Chain Management: An International Journal from the author's own practice. Volume 9 . Number 2 . 2004 . pp. 183-196 # Emerald Group Publishing Limited . ISSN 1359-8546 The views expressed in this article are those of the DOI 10.1108/13598540410527079 author and not necessarily of his employer. 183
Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196 In total, in excess of 2,000 articles, papers, supply chain. Where available, examples of best surveys and case studies were obtained and practice are identified. screened. Relevant literature was extracted for analysis. 1 The application level Framework Natural disasters Bandyopadhyay et al.'s (1999) IS environment Whilst these risks affect both large companies and risk identification framework is used to and SMEs equally, they may affect SMEs structure the review. Bandyopadhyay et al. disproportionately hard because of their size defined the IS environment within a company and limited resources. as comprising three levels: Research by the Guardian IT Group (Youett, (1) the application level; 2001) into their clients' invocation of business (2) the organisational level; and continuity plans found that almost 2 per cent of (3) the inter-organisational level. IS failures in the UK are caused by flood or The risks affecting each of these environments storm. The following review of the literature are outlined in Table I. looks at the preparedness of a small In the following sections, case studies and organisation when faced with flooding and the evidence from the literature are used as potential for disruption of the supply chain. examples of the IS risk types outlined in Flooding Bandyopadhyay et al.'s framework, and their A National Computer Centre (NCC, 1996) impact upon SMEs, large companies and the survey in 1996 reported that 5 per cent of large Table I Framework for structuring the review and summary of IS risks IS environment and risk identification IS environment Type of IS risk Examples of IS risks 1. Application level. The risk Natural disaster ± flood, storm/lightning strike, Flooding of technical or disease/epidemic implementation failure of Accidents ± fires, poorly designed, constructed or Human error an application resulting maintained systems, buildings, policies and from either internal or procedures (human error) external factors Deliberate acts (physical actions) ± sabotage, Terrorism theft, vandalism, terrorism and hoaxes Data information security risks ± hackers, viruses, Information security destruction and denial of access Management issues ± decision making, human Skill acquisition and resourcing, (succession planning, skill retention acquisition and retention) 2. Organisational level. The As above plus: Legal risk ± violation of rights, Intellectual property/capital risks from the strategic intellectual property implementation of IS Strategic decision making: Strategic re-organisation throughout all functional Competitor's actions areas Strategic and sustainability risks. Lack of investment to sustain competitive advantage Increased bargaining power ± suppliers and customers 3. Inter-organisational level. As above plus: weak or ineffective control ± of Risk from strategic alliances The risks associated with suppliers or customers' systems, policies and inter-organisational procedures networking Source: Bandyopadhyay et al. (1999) 184
Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196 companies had experienced flooding. No and restaurants on the same stretch of river, was figures were given for SMEs, however, there is flooded. Within 24 hours of the flood water no reason to imagine the figure should differ subsiding the pub was able to open. Not all greatly. The average cost to a large company establishments were so prepared or had was found to be £25,540 with a maximum cost assessed the risks. The nearby Ship Inn was of £100,000 (1996 prices). SMEs would closed for three months whilst a £250,000 refit probably suffer lower costs should such events was underway (Rutstein, 2000). In this example occur due to their lower investment in IS. It is the brewery may have business continuity likely that the costs would still be considerable procedures in place to ensure its own when compared to the size of an SME and its continuity, however, if a significant number of available resources. outlets in the supply chain are unable to In the UK, floods in late 2000 and early 2001 continue for an extended period (as was the brought wide-scale disruption. In October, case in York), then revenues will be harmed. November and December 2000 between Flooding ± best practice one-and-a-half and two times normal rainfall Whilst this example does not relate specifically occurred (Environment Agency, 2001). to the company's IS infrastructure, the aim is to Disruption was widespread with many demonstrate best practice by illustrating the companies, particularly smaller ones, going out preparedness of the small firm and the potential of business or facing an uncertain future (Jolly, impact upon the supply chain. It is clear that 2000). The Federation of Small Businesses the impact upon business can be reduced if gave £20,000 to each of the regions hit by potential risks are proactively managed, and flooding towards the cost of temporary there is a well-conceived and constructed accommodation (Sunday Times, 2000a). In business continuity plan in place. Lewes in East Sussex over 200, mostly small The following section examines the risks companies were affected by the flooding (Daily faced by companies from accidents. Telegraph, 2000a). This led to Sussex Enterprise requesting that the government should draw up Accidents contingency plans to help these companies. These risks can to a large extent be mitigated by There are some instances where small a company's policies and procedures. One companies have exhibited good risk planning potential source of accidents common to all and management. One sector badly affected by sizes of company is human error. flooding was the brewing and leisure industry. Pubmaster (a pub operator) estimated that the Human error floods would cost the industry upwards of £100 A study by Broadcasters Network International million in damage and lost revenue with many (Sullivan, 1999) found that as much as 66 per small firms going out of business (The cent of data loss was caused by human error. Independent, 2000). The following case study The National Computer Centre (NCC, 1996) examines the preparedness of a public house, survey in 1996 reported that 34 per cent of large the King's Arms, when faced with flooding. companies had experienced human error. The average cost to an organisation was £3,570 with The King's Arms a maximum cost of £20,000 (1996 prices). In York, which suffered extensive flooding of There is no evidence to suggest that the the River Ouse in both 2000 and 2001, many incidence will be greatly different in small companies suffered long-term damage. The companies, however, the average costs may well King's Arms public house, which is located on differ. The following case study examines the and at times in the River Ouse was not one of effects of human error on two large companies them (Rawstorne, 2001). The pub has a in the supply chain. ``mobile'' bar and all fixtures and fittings can be removed quickly. Electrical wiring is at ceiling NASA Mars missions height, the floors flagged and the walls tiled or One of the largest and most public examples of covered with waterproof plaster. In October human error in recent years was the loss of the 2000 the King's Arms, along with other pubs North American Space Agency (NASA) Mars 185
Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196 Climate Orbiter, which disappeared in 1999 at cost being lower. The case study described a cost of $250 milllion. NASA had below examines another deliberate act that has sub-contracted the construction of the Orbiter far-reaching and often unanticipated outcomes: to Lockheed Martin. An independent review the actions of terrorists. board blamed the loss of the Orbiter on poor Terrorism project management, a lack of supervision, poor Research by the Guardian IT Group reported communications and short-sighted engineering. by Youett (2001) found that almost 2 per cent Specifically, the review board found that the of IS failures resulted from bombs or terrorist root cause of the loss was due to the mission's activities. The following case study examines navigation team being unfamiliar with the the impact and aftermath of the Manchester spacecraft and lacked training. Notably, the (England) bombing in 1996. NASA team failed to detect a mistake by Lockheed Martin engineers who delivered Manchester bombing navigation information in imperial rather than The IRA bomb, which exploded in Manchester metric units. The review board concluded that city centre in 1996 with the equivalent energy of the Climate Orbiter project team did not spend 800kg TNT, injured 216 people and affected enough time studying what might go wrong over 4,000 companies; 49,000m2 of retail space during the mission and, consequently, and 57,000m2 of offices were lost (Jenkins, developing contingency procedures to correct 1999). mistakes in flight (CNN.com, 1999). Companies in the vicinity of the explosion found that even if there had not been any Human error ± best practice damage caused by the explosion, they were The final report from the review board unable to access premises for at least three days concluded that poor training, inadequate because of a police cordon. Due to the damage testing, minimal supervision and a lack of caused by the bomb many companies had to people and money meant that there was not relocate away from their original premises. enough margin or adequate funding. The result Moyes (1996) reported that five months after was that risk gradually grew throughout the the blast many small companies (and in total programme. A thorough and ongoing project around 700 companies) had not returned to risk management process may have identified business. Because of the relocation and the some of the problems faced by the programme. negative publicity surrounding the bombing, Whilst this example focuses on large those small companies that had returned companies, it does highlight the threat posed by reported takings were down by 50 per cent human error and how this threat may be (Jeffay, 1996). The total loss in trade was amplified by any breakdown in communication estimated to be £5 million on the first day between two companies in a supply chain. alone. There is no evidence to suggest that SMEs are The Chartered Institute of Loss Adjusters any better at communicating with partners than stated that the insured cost of the bomb blast large companies, although case studies of three ranged between £25,000 for small units to SMEs by Hill and Stewart (2000) found more than £60 million for one store (Cicutti, evidence to suggest internal communications in 1996). The total cost of claims was estimated to SMEs are better than larger companies. be in the region of £400 million. Substantial proportions of the claims were related to Deliberate acts (physical actions) business interruption rather than damage These risks are to a limited extent under the resulting from the bomb explosion itself. Youett control of the company. The NCC (1996) (2001) found that it was unlikely that a survey found that equipment theft had been company's commercial insurance policy experienced by 46 per cent of large companies. covered disaster recovery or extended periods of The average cost to the organisation was interruption. This highlights the importance of £26,730, with the maximum cost being not only having a business continuity plan, but £750,000. The incidence is likely to be similar also of transferring some risk via appropriate for SMEs with the actual cost if not the relative types and levels of insurance. 186
Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196 Terrorism ± best practice Information security The Home Office (1998) report on the Figure 1 is a graph from the NCC (2000) Manchester bomb recommended that those survey and shows the percentage of companies companies without a contingency plan needed with an information security policy by size. It is to be encouraged to prepare one. Such a plan clear from the data that SMEs, and in particular should include the issues of whether the staff micro and small companies, exhibit less should evacuate the building, and to plan and preparedness than larger companies. arrange for the temporary relocation of the The following case studies were sourced from business. The report went on to recommend the author's practice and examine some aspects that insurance policies should be reviewed of information security and the manner in regularly to ensure that they are up to date and which SMEs and large companies have cover all potential losses to the business from all approached the risks. possible causes, including disaster recovery and Virus detection/hacking extended periods of disruption. A large company had a well-respected virus detection tool on a network server and the virus Data/information security risks database was kept up to date. Incoming e-mail Data and information security risks are largely under the control of the organisation, although messages were automatically scanned for this is not always the case. An Information viruses when they were opened. This appeared Security Survey by Ernst & Young (2001) that to be a well-managed situation, however, the interviewed 273 chief information officers and e-mail scanner was not set up to monitor the IT directors of ``leading companies'' found that e-mail and Web servers. A hacker was able to over 70 per cent of UK companies had suffered place a Trojan (information collecting ``virus'') disruption to a critical IT service in the past 12 on the Web server and this went undetected for months and 31 per cent of these disruptions over a month. The virus scanner should have were attributed to failures of or in third party been integrated with the firewall so that all systems, suggesting that many companies are messages passing across the firewall would be not addressing fully the risks posed by their scanned. partners or customers. Firewalls Those companies that have implemented As part of an information security workshop information security policies or procedures may with a large company an employee informed a still be unaware of the risks they face. A study consultant that their network had a firewall. undertaken by ICSA.net (1999) examined 54 When this response was probed further it corporate Web sites that had implemented emerged that the client did indeed have a security technologies and policies in order to mitigate risk. This study found that of the Figure 1 Percentage of companies with an information security policy companies: . 60 per cent were susceptible to denial of service attacks; . 80 per cent did not know what services were on their network and visible over the Internet; . 80 per cent had insufficient security policies; and . 70 per cent of sites with firewalls remained vulnerable to known attacks. This study shows that even in instances where a company has data or information security policies and procedures, unless they have been carefully considered and implemented their utility may be limited. 187
Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196 firewall. Unfortunately the firewall only access rights did not allow use of one particular extended to coverage of one particular folder on a network drive. The consultant e-commerce application. The rest of the telephoned the IS help desk asking for company's network (including all e-mail, additional access rights. Without further intranet and Internet servers) was unprotected. authorisation he was given access to the whole An SME had a relatively simple network of the network, including personnel and serving 35 PCs. The company believed that medical records, financial information and they needed to create an extranet with a firewall minutes of the board meetings. to allow remote access to data and e-mail. A network manager in a SME created a user Having reviewed the options they chose a account for a consultant, but did not delete the reputable product, employed a contractor to account when the work was completed. Over install it for them, and enjoyed the benefits. six months later he went back to the site and What they failed to recognise was that a firewall was able to log on again. His password had requires management. The security policies expired but he was allowed to change it as he employed must be carefully thought through, logged on. and the log files regularly scrutinised for traces Information security ± best practice of an attack. In this case an intrusion was Information technology has become essential to detected by accident even though there was the performance and effective running of many clear evidence in the firewall log. companies. As the above examples show, Backups however, many companies, regardless of their A large company had an extensive network that size, do not appear to comprehend fully the was actively managed. Full backups were taken extent to which their business depend on these on a routine basis, with incremental backups systems. In many cases little consideration being taken every night. It was common appeared to be given to the monitoring, control practice to store backups in a secure location and security of these systems. This was despite off-site. A junior member of the IS department the many surveys on the subject and the was tasked with taking the backup tapes to widespread recognition and publicity they reception every morning. A courier would arrive receive. If the monitoring, control and security to collect the latest tapes and return the oldest of these systems are ignored, the consequences set. The junior member of staff was offered a can be far reaching with the potential to affect a job elsewhere. When the staff member left company severely or even disastrously. The fact nobody took responsibility for managing the that SMEs have been shown to treat off-site backups. Consequently the courier information security lightly should be a matter arrived each day to deposit a box of tapes and of concern for large companies with whom they take one away. It was over two months before may do business. This concern should be even someone noticed that the contents of the boxes greater if the companies are connected never changed. electronically via extranets or electronic data An SME had a digital audio tape (DAT) interchange (EDI). Companies should assess drive and ``a few tapes'' which they used to back and manage the risks arising from the control up network servers. The IS manager did not and security of their own and other companies' understand the value of the data being stored systems effectively, allowing these on the servers, and believed that his equipment consequences to be mitigated. was reliable ``because I've not had to change anything for ages''. There were no current Management issues system or data backups and there would have Risks arising from management issues, which been significant business disruption had a include decision making, succession planning, problem occurred. skill acquisition and retention can be mitigated User accounts/passwords to a large extent by organisational policies and When working at a large company for an procedures. Millward et al. (1992) found that, extended period, a consultant was given a user whereas larger companies rely greatly on formal account on the company's network. The basic methods and bureaucratic procedures by 188
Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196 specialist personnel departments, SME shortage and that the number of such SMEs is owners/managers are likely to handle recruiting rising rapidly. The following case study and personnel matters without delegating and examines the skill issues facing a Web-based car are unlikely to have relevant skills. The specific sales company. risks to SMEs from shortages of appropriate IS Portfolio For Cars skills and knowledge are examined below and A case highlighted by the Sunday Times (1998), followed by a case study. that of ``Portfolio For Cars'', an Internet-based Skill acquisition and retention car sales Web media company, highlights the According to a survey conducted for the dilemmas encountered by SMEs when facing Department of Trade and Industry (DTI, an IS skills shortage. 2000) the perception that a shortage of IS skills Portfolio had more than 600 franchised is a barrier to the adoption and implementation motor dealers using and paying for their of IS appears to be higher in medium and large services. In the 1997-1978 financial year companies. Figure 2 illustrates this perception Portfolio made a profit of almost £250,000 on and also demonstrates a correlation between the sales of £1.1 million, from a staff of 63, nine of perception of a skills shortage, the level of whom were IS staff. Staff turnover was formal IS training and the implementation of IS extremely low and Portfolio had never lost staff within companies. to other companies. Due to expansion there was The reduced perception of a skills shortage a need to expand the number of IS staff at the amongst SMEs may be a result of a lower rate of one a month. This was proving to be perceived requirement for IS within small very difficult. A number of reasons were cited companies or a greater degree of confidence in for the difficulty in attracting suitable IS staff: the SMEs' own ability to implement these . high salary expectations of candidates technologies. A recent survey for the Federation (£30-55,000); of Small Businesses (2000) found that 53 per . shortage of appropriate Web related skills cent of small business owners or managers were generally; which was exacerbated by either satisfied or very satisfied with their ability . scarce skills due to geographical location to implement new technologies. Davies (2000), (edge of the Peak District). however, suggests otherwise, reporting that those SMEs who rely on information Portfolio was unwilling to use contract staff for technology, are increasingly facing an IS skills these IS roles. It was also reluctant to train unskilled staff, citing that there were too few Figure 2 UK companies' IT skill shortage and IT training people who have the basic skills required. One of the partners in the company laid the blame elsewhere, commenting: I just don't know if these people exist. Online commerce is the future of retail. Nowhere near enough secondary-school pupils are being trained in digital technologies to make it happen. British business is losing out as a result. This appears to be a common attitude amongst SMEs. Hill and Stewart (2000) found that in SMEs IS related training and development often does not take place. Where it does it tends to be reactive and informal, aimed at solving short-term problems rather than the development of staff. Small firms tend not to have a lifelong learning culture or see a need for sustained improvement in organisational management (Lawless et al., 2000). 189
Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196 Skill acquisition and retention ± best practice hardware related development play an For SMEs to want to implement human important role in innovation. It is necessary for resource policies, account must be taken of all companies, but especially SMEs, to their unique situation. The link between understand the importance of protecting proactive human resource policy and business intellectual property. In particular the performance needs to be made clear to SME possession of intellectual property rights helps owners/managers. Alternatively, issues such as a an organisation to: skill shortage may ultimately impact upon . raise finance to develop and market partners in the supply chain. Zsidisin et al. inventions or innovations; (2000) highlighted the risk arising from the . license a product or service to competitors; capacity constraints of a partner as being one of and the major risks affecting supply chains. If . sell or license innovations to larger human resource management risks are companies. effectively assessed and managed by a company The following case study examines an SME that then there is a greater likelihood that suitable has actively protected its intellectual property remedies can be identified early on. and looks at the ways in which the company has benefited. Gorix Textiles 2 The organisational level Gorix is a manufacturer of hi-tech Legal electro-conductive textiles that had sales in Organisational policies and procedures can 1999 of £270,000 and employed four full- and largely mitigate risks such as violation of rights, two part-time staff (Renton, 2000a). Gorix's legal obligations of disclosure and intellectual innovations included materials that regulate the property issues. Companies listed on the stock flow of electrical heat according to body exchange (normally larger companies) have to temperature, a ``smart'' fire jacket that warns comply with certain legal requirements relating the wearer when their body temperature is too to risk. This is not the case for most small high and, in conjunction with pharmaceutical companies. Another legal issue that can impact companies, a heated dressing designed to speed upon (often hi-tech) SMEs is the handling of up the healing process. intellectual property or capital. According to the company's two founders, the largest outlay for Gorix has been in legal Intellectual property/capital According to Roos (1996), the intellectual fees relating to intellectual property. Gorix has property or capital of a company includes the spent a total of £280,000 on patents aimed at knowledge and skills of its employees, the securing its intellectual property worldwide. infrastructure, customer relationships, This strong defence of intellectual property has employee motivation, processes that leverage meant that Gorix is now in a position to license these assets and methods of doing business. the manufacture of a number of its products to A survey by KPMG (Sunday Times, 2000b) competitors and larger companies. The proactive approach to this particular found that intellectual property licensing legal issue has benefited the company twofold. revenues were worth more than $150 billion First, Gorix's ongoing viability has been globally yet this is only 10 per cent of the total ensured and, second, it has allowed the intellectual property assets. This suggests that company to utilise its intellectual property to around $1,350 billion of intellectual property competitive advantage. assets are currently not realised. The National Criminal Intelligence Service (NCIS, 2000) Intellectual property/capital ± best practice estimates that in 1998 losses caused by Lang (2001) suggests that the proliferation of intellectual property theft, in terms of UK sales software and business method patents and the not made, were £6.42 billion. SMEs' exposure legal challenges that have become more to these losses is not made clear. However, common have made it necessary for hi-tech SMEs involved in, for example, software and companies to scrutinise their legal risks and 190
Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196 adopt an intellectual property strategy. The commercial requirements and increases in above case study of Gorix highlights the technology costs; and importance of this for SMEs, and demonstrates . rapid consolidation of prime contractors in the effectiveness of proactive assessment and the USA squeezing out smaller European management of risks. competitors. Renton (2000b) reported that large aerospace Strategic decision making companies aimed to cut the number of Risks such as the actions of competitors and the suppliers by 80 per cent by utilising techniques increased bargaining power of customers and first used in the car industry. UK SME suppliers are external to the company. suppliers were, therefore, faced with three main Formulating an appropriate and effective challenges to their survival, requiring them to organisational strategy can to a certain extent adopt new strategies and new skills: mitigate these risks. (1) a global redefinition of the existing supply Strategic re-organisation chain; A recent report undertaken for 3COM (2000) (2) global competition leading to consolidation Consulting found that 76 per cent of SMEs in of major contractors; and the UK have no IS strategy and did not (3) customer expectation of self-financed understand the competitive advantage offered research and development. by information technology. The research report The major contractors effectively transferred concluded that the use of technology by small risk and responsibility onto their suppliers. The companies is reactive and complacent, while AT Kearney and SBAC (2000) report their budgets are poorly targeted. The following concludes by stating that those SMEs who fail case study examines the strategic capabilities of to adapt risk being eclipsed by globally oriented an SME and its ability to change strategic focus competitors. when larger partners' requirements alter. Confronted by these challenges St Bernard began a wholesale rethink of the way they do St Bernard Composites business. St Bernard is: The UK aerospace industry is the second . actively reducing costs by consolidating in a largest earning export sector. Companies such single location; as Rolls Royce and BAE Systems buy in about . investing in new technology; 70 per cent of their production content, much . aggressively targeting export markets; and of it from smaller British companies. The . diversifying into new markets (using aerospace supply chain provides employment existing techniques and technologies). for 80,000 people. St Bernard Composites supplies advanced St Bernard plans to differentiate itself by composite components to aero-engine and emphasising quality and continuous airframe manufacturers in the aerospace improvement. To this end, the company is industry. They employ 195 staff and have a introducing modern Japanese production turnover of £20 million (Renton, 2000b). techniques and concepts, investigating the Following the publication of a report by AT possibilities of e-commerce, making strategic Kearney and the Society of British Aerospace alliances and is considering the potential for Companies (SBAC) (AT Kearney and SBAC, merger. 2000) St Bernard reappraised its business Strategic re-organisation ± best practice strategy. Whilst the actions of competitors and suppliers The AT Kearney and SBAC (2000) report external to the company cannot (in most cases) found that the global aerospace industry had in be strictly controlled, formulation and the 1990s undergone a radical transformation implementation of an appropriate and effective due to: strategy can help a company prepare for many . large reductions in global defence spending; eventualities. In doing so, a company can . erosion of a close privileged relationship improve its chances of long-term survival. The with national governments due to St Bernard example suggests that SMEs are at 191
Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196 just as great a risk from their partners in the The EDI network connects 1,300 of 2,000 supply chain as are large companies. It does, suppliers (around 96 per cent by volume of however, illustrate that SMEs are capable of goods sold) suggesting that many of the other changing the way they work in response to 700 are small suppliers. The EDI network is changing circumstances. Whether this case is well suited for the one-way exchange of representative of strategic decision making in structured transactions such as purchase orders SMEs is unclear. The high failure rate amongst with suppliers. However, it is not suitable for SMEs suggests that it may not be. handling collaborative processes such as the management of promotions. In order to overcome the drawbacks 3 Inter-organisational level associated with the EDI system (and a target of bringing all of their suppliers online by 2000) Weak or ineffective control Tesco rolled out a Web enabled supply chain These risks are external to the company and can (extranet) solution from GE Information occur due to uncertainty arising from Services. Suppliers paid from £100 to inter-organisational networking. The aim of this £100,000 to join the Tesco Information empirical review is to ascertain whether large Exchange (TIE ± the acronym is intentional), companies increase their exposure to risk by dependent on their size. At the time of writing having SMEs in business critical positions in 600 suppliers (approximately 65 per cent of their supply chain. Das and Teng (1999) Tesco business) were using the system. This suggest such strategic alliances with customers allowed Tesco and its suppliers to jointly plan, or suppliers are a high-risk strategy because a execute, track and evaluate promotions by company has less control over the alliance than sharing common data as well as viewing daily it has over its own subsidiaries. The following electronic point-of-sale data from Tesco stores. example examines the extent to which strategic Tesco hoped to achieve at least a 20 per cent alliances have become commonplace and the reduction in stocks as well as increasing the potential risks that they can face. number of products handled only once in the Risk from strategic alliances store by 30 per cent (Nairn, 2000). In the UK, the supermarket sector was St Ivel estimated to be worth around £66 billion in St Ivel is a business unit of the Uniq (formerly 1997. The largest six food retailers had a 76 per Unigate) Group and employs over 1,450 staff at cent share of fruit and vegetable sales with the five production plants throughout the UK. A ``big four'' alone (Tesco, Sainsbury's, Asda and total of 70 per cent of production is branded Safeway) accounting for 60 per cent of all and 30 per cent private label. St Ivel supplies grocery sales in the UK (Fearne and Hughes, many of the UK supermarkets including Tesco. 1998). These dominant companies have According to a narrative article by Nairn invested heavily in the development of their (2000), TIE has saved St Ivel 30 per cent of supply chains to increase efficiency and reduce annual promotional on-costs. costs. In order to limit their exposure to risk Tesco has, however, experienced difficulties they have implemented increased monitoring in persuading all of its suppliers to utilise the and control of their suppliers. The following system fully. Only two of their suppliers have case studies examine the risks faced by two changed fundamentally the way they work as a companies following the forming of a strategic result of TIE, allowing them to bring products alliance. to market much faster than their competitors. Tesco A risk in implementing such supply chain Tesco is the largest and most profitable management systems, that are designed to tie company in the UK supermarket sector. The suppliers to customers and vice versa, is the results for 2000-2001 show group sales of weakened level of control over supplies. This £22.8 billion with profits before tax at £1.05 was exhibited clearly during the weeklong UK billion (Tesco, 2001). Since the 1980s, Tesco fuel crisis of September 2000. Biederman has used EDI to order goods from suppliers. (2000) opined that: 192
Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196 The crisis revealed that modern day supply chains compare like with like due to the diversity of the as finely tuned machines, are highly vulnerable, sources. Many of the original case studies had proving the old adage that a chain is only as strong different aims to those of this empirical review. as the weakest link. Relevant information may have been accessible Food and other deliveries to the supermarket if appropriate questions had been asked. In chains including Tesco remained largely certain case studies information was incomplete undisturbed due to the short length of the or absent. In order to address this weakness, disruption. This would have been rather supplementary searching of the literature was different had the crisis gone on any longer undertaken to increase the validity of the case (Biederman, 2000). The supermarket's petrol studies and the rigour of the research process. stations were, however, severely disrupted and Utilising predominantly secondary data for rapidly ran dry. This had a knock-on effect, as this empirical review allowed a broader customers were unable to reach many selection of case studies to be identified. The supermarkets. The situation was sufficiently case studies, however, did not in all cases serious to worry investors, with Tesco shares examine risks affecting IS. This made it more falling by 4.75p (Parkinson, 2000) and analysts difficult to generalise about the findings. The forecasting a £200 million reduction in retail literature search revealed fewer IS risk case sales in that one week alone (Daily Telegraph, studies than would have been desirable. This 2000b). lack of IS risk case studies impacts on the Risk from strategic alliances ± best practice generalisability of the findings. This can be The weak control over suppliers and customers attributed in part to the difficulty of finding in the supply chain can be compounded by the information regarding IS and IS risk risks highlighted, which affect links up or down management in SMEs. It would be useful to the supply chain. Zsidisin et al. (2000) report conduct a small number of case studies using that whilst proffering many companies a primary research to verify the findings of this competitive advantage in the marketplace, secondary analysis. outsourcing has resulted in corresponding In addition, whilst identifying some increases in the level of corporate exposure to incidences of best IS risk management practice, uncertain events with suppliers. A company this review did not identify fully what should actively assess the risks and threats, not constitutes best IS risk management practice. only to itself but also to its direct and indirect This may be due to a reporting bias in the suppliers and customers. literature that leans toward an examination of poor practice rather than best practice. A carefully constructed primary study designed to Discussion ascertain examples of best and poor practice The aim of this review was to determine if large needs to be undertaken to increase the rigour of companies increase their exposure to risk by this empirical review. Table II summarises the having SMEs as partners in business critical areas where best practice was identified in each positions in the supply chain and make case study. recommendations concerning best practice. A A common theme identified from the case number of issues that could potentially impact studies was that whilst there were few specific on the rigour of the process arose that warrant examples of best practice, there were valuable further discussion. lessons to be learned from the way individual The strength of using case studies is that they companies assessed and managed the risks showed clearly that SMEs can assess and confronting them and planned for the manage risk. However, there was strong continuation of business should the worst evidence in the wider literature to suggest that happen. many SMEs do not assess and manage risk The management of risk is, or should be, a adequately. core issue in the planning and management of The case studies originated from a wide any organisation. Bandyopadhyay et al. (1999) variety of sources. This made it difficult to in their review of the literature stated that four 193
Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196 Table II IS risks, impact on the supply chain and best practice Examples of IS risks Examples of best practice Flooding The impact upon business can be reduced if potential risks are proactively managed, and there is a well-conceived and constructed business continuity plan in place Human error A thorough and ongoing project risk management process may have identified some of the problems faced by the programme Terrorism Those companies without a contingency plan need to be encouraged to prepare one ± to include the issues of whether the staff should evacuate buildings, and to plan and arrange for the temporary relocation of the business. Insurance policies should be reviewed regularly to ensure that they are up to date and cover all potential losses to the business from all possible causes Information security If the monitoring, control and security of these systems is ignored, the consequences can be far reaching with the potential to affect a company severely or even disastrously. Companies should assess and manage the risks arising from the control and security of their own and other companies' systems effectively, allowing these consequences to be mitigated Skill acquisition and retention The link between proactive human resource management policy and business performance needs to be made clear to SME owners/managers. Alternatively, issues such as a skill shortage may ultimately impact upon partners in the supply chain. If such human resource management risks are effectively assessed and managed by a company then there is a greater likelihood that suitable remedies can be identified early on Intellectual property/capital The proliferation of software and business method patents and the legal challenges that have become more common have made it necessary for hi-tech companies to scrutinise their legal risks and adopt an intellectual property strategy. The case study of Gorix highlights the importance of this for SMEs, and demonstrates the effectiveness of proactive assessment and management of risks Strategic re-organisation Whilst the actions of competitors and suppliers external to the company cannot (in most cases) be strictly controlled, formulation and implementation of an appropriate and effective strategy can help a company prepare for many eventualities. In doing so, a company can improve its chances of long-term survival. The St Bernard example suggests that SMEs are at just as great a risk from their partners in the supply chain as are large companies Risk from strategic alliances The weak control over suppliers and customers in the supply chain can be compounded by the risks highlighted, which affect links up or down the supply chain. Zsidisin et al. (2000) report that whilst proffering many companies a competitive advantage in the marketplace, outsourcing has resulted in corresponding increases in the level of corporate exposure to uncertain events with suppliers. A company should actively assess the risks and threats, not only to itself but also to its direct and indirect suppliers and customers major components of risk management had However, no matter how well risk is managed it been identified: is necessary to prepare for negative events. It is (1) Risk identification ± identifying and important to understand the distinction quantifying the exposures that threaten a between risk management and planning for company's assets and profitability. continued operation once a potential risk has (2) Risk analysis ± identifying and assessing the occurred (business continuity planning). The risks to which the company and its assets management of risks and business continuity are exposed in order to select appropriate planning were two high-level examples and justifiable safeguards. identified from the case studies where best (3) Risk reduction, transfer and acceptance ± practice was demonstrated and positive reducing or shifting the financial burden of outcomes were achieved. loss so that, in the event of a catastrophe, a company can continue to function without severe hardship to its financial stability. Conclusion (4) Risk monitoring ± continually assessing The review found that large companies' existing and potential exposure. exposure to risk appeared to be increased by A company manages risk in order to protect its inter-organisational networking. Having SMEs assets and profits, and stay in business. as partners in the supply chain further increased 194
Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196 the risk exposure. SMEs increased their own Federation of Small Businesses (2000), ``Barriers to survival exposure to risk by becoming partners in a and growth in UK small firms'', available at: www.fsb.org.uk supply chain and few had made an assessment Hill, R. and Stewart, J. (2000), ``Human resource of the risks involved or had a strategy in place development in small organizations'', Journal of for managing risk. These findings indicate the European Industrial Training, Vol. 24 No. 2-3-4, importance of undertaking risk assessments and pp. 105-17. Home Office (1998), ``Business as usual: maximising considering the need for business continuity business resilience to terrorist bombings'', available at: planning when a company is exposed to www.homeoffice.gov.uk/rds/horspubs1.html inter-organisational networking. ICSA.net (1999), Information Security: A Practical Solution for Senior Management, available at: www.icsa.net (The) Independent (2000), ``Floods may cost pub industry References £100m'', The Independent, 8 November, p. 20. Jeffay, J. (1996), ``Come and find us'', Manchester Metro 3COM (2000), ``Research from 3Com reveals that over 75 News, 15 November, p. 1. per cent of SMEs currently have no IT strategy in Jenkins, R. (1999), ``Manchester rises from the rubble'', place'', 13 November, available at: www.3com.co.uk/ The Times, 25 November, p. 19. news/prel_20001113_1.html Jolly, I. (2000), ``Murky future for flood hit firms'', AT Kearney and SBAC (2000), ``The impact of global 2 November, available at: http://news.bbc.co.uk/hi/ aerospace consolidation on UK suppliers'', available english/business/newsid_998000/998734.stm at: www.atkearney.com/pdf/eng/aero_consolidation. Lang, J.C. (2001), ``Management of intellectual property pdf rights: strategic patenting'', Journal of Intellectual Bandyopadhyay, K., Mykytyn, P. and Mykytyn, K. (1999), ``A Capital, Vol. 2 No. 1, pp. 8-26. framework for integrated risk management in Lawless, N., Allan, J. and O'Dwyer, M. (2000), ``Face-to-face information technology'', Management Decision, or distance training: motivating SMEs to learn'', Vol. 37 No. 5, pp. 437-44. Education + Training, Vol. 42 No. 4-5, pp. 308-16. Biederman, D. (2000), ``The weak link'', Traffic World, Millward, N., Stevens, M., Smart, D. and Hawes, W.R. 16 October, available at: www.findarticles.com/cf_0/ (1992), Workplace Industrial Eelations in Transition: m0VOO/3_264/66277581/print.jhtml the ED/ESRC/PSI/ACAS Surveys, Dartmouth, Aldershot. Cicutti, N. (1996), ``Premiums to rise after IRA bomb costs Moyes, J. (1996) "Bombed, battered, unbowed, Manchester £400m'', The Independent, 13 July, p. 20. gets back to business as usual'', The Independent, CNN.com (1999), ``NASA: human error caused loss of Mars 2 November, available at: www.rebuilding- orbiter'', 10 November, available at: www.cnn.com/ manchester.co.uk/articles/art27.htm TECH/space/9911/10/orbiter.02/ Nairn, G. (2000), ``IT in retailing: retailer's suppliers can Daily Telegraph (2000a), ``Businesses may never recover monitor product demand'', 3 May, available at: from the floods'', Daily Telegraph, 4 December, www.ft.com/ftsurveys/spaad6.htm available at: http://web4.infotrac.galegroup.com National Computing Centre (NCC) (1996), ``How real is the Daily Telegraph (2000b), ``High street suffered in fuel crisis'', threat?'', NCC, available at: www.ncc.co.uk National Computing Centre (NCC) (2000), ``The business Daily Telegraph, 23 September, available at: http:// information security survey'', NCC, available at: web4.infotrac.galegroup.com www.ncc.co.uk Das, T.K. and Teng, B.-S. (1999), ``Managing risks in National Criminal Intelligence Service (NCIS) (2000), ``2000 strategic alliances'', The Academy of Management UK threat assessment'', NCIS, available at: www.ncis. Executive, Vol. 13 No. 4, November, p. 50. org.uk Davies, L. (2000), ``This time its personnel'', The Guardian, Rawstorne, T. (2001), ``Still more to come: the Met men 30 November, available at: www.guardianunlimited. warn things will only get wetter this weekend'', co.uk/Print/0,3858,4098219,00.html Daily Mail, 9 February, p. 9. Department of Trade and Industry (DTI) (2000), ``Small and Renton, J. (2000a), ``Textile makers must cut their cloth to medium enterprise (SME) statistics for the UK, 1999'', suit the 21st century'', Sunday Times, 7 July, Statistical News Release, DTI, 7 August, available at: available at: www.enterprisenetwork.co.uk/ www.dti.gov.uk/ knowledge_store/ Environment Agency (2001), available at: Renton, J. (2000b), ``Small suppliers must adapt to survive in www.environment-agency.gov.uk/ aerospace shake-out'', Sunday Times, 27 August, Ernst & Young (2001), Information Security Survey 2001, available at: www.enterprisenetwork.co.uk/ Ernst & Young, available at: www.ey.com knowledge_store/ Fearne, A. and Hughes, D. (1998), ``Success factors in the Roos, J. (1996), ``Intellectual capital: what you can measure fresh produce supply chain: some examples from the you can manage'', Perspectives for Manager, IMD, UK'', executive summary, Wye College, London. No. 10, November. 195
Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196 Rutstein, D. (2000), ``Narrow escape from floodwaters'', Zsidisin, G.A., Panelli, A. and Upton, R. (2000), ``Purchasing available at: www.thisisyork.co.uk/york/news/Floods/ organization involvement in risk assessments'', Supply news30.html Chain Management: An International Journal, Vol. 5 Sullivan, S. (1999), ``Human error: bigger problem than No. 4, pp. 187-97. disasters'', ENT, Vol. 4 No. 9, May, p. 3. Sunday Times (1998), ``Skills gap threatens nice little earner'', Sunday Times, 22 November, available at: www.enterprise network.co.uk/knowledge_store/ Further reading casestudy_detail. asp?d_id=4 AT Kearney (2000), ``Strategic information technology and Sunday Times (2000a), ``Grants for flooding'', Sunday Times, the CEO agenda'', available at: www.atkearney.com 19 November, p. 20. Blackburn, R. and Athayde, R. (2000), ``Making the Sunday Times (2000b), ``Intellectual property'', Sunday connection: the effectiveness of Internet training in Times, 1 August, available at: www.enterprise small businesses'', Education + Training, Vol. 42 network.co.uk/knowledge_store/ No. 4-5, pp. 289-98. Tesco (2001), ``Tesco preliminary statement of results ± 52 Parkinson, G. (2000), ``Fuel crisis takes its toll across the weeks'', 10 April, available at: www.tesco.com/ board'', Daily Telegraph, 13 September, available at: talkingTesco/corporateinfo.htm www.telegraph.co.uk/et?ac= 005236261357609& Youett, C. (2001), ``Don't dig yourself into a hole'', IBM rtmo=V15xP1wx&atmo=99999999&pg=/et/00/9/13/ Today, February, pp. 47-9. cxmktrep.html 196

Recomendados

Pruebas1
Pruebas1Pruebas1
Pruebas1Aquiles Benítez
 
02
0202
02viji yuvaraj
 
حرير
حريرحرير
حريرGHJKLzxcvb
 
Ronald torres act_1.2
Ronald torres act_1.2Ronald torres act_1.2
Ronald torres act_1.2Ronald Torres
 
Improving Health Care for Foreigners in Japan: Stories, Data and Policy Models
Improving Health Care for Foreigners in Japan: Stories, Data and Policy ModelsImproving Health Care for Foreigners in Japan: Stories, Data and Policy Models
Improving Health Care for Foreigners in Japan: Stories, Data and Policy ModelsJulia Puebla Fortier
 
Sektorirajat ylittävä terveys- ja sosiaalipalvelujen käyttö: tutkimusta Oulu-...
Sektorirajat ylittävä terveys- ja sosiaalipalvelujen käyttö: tutkimusta Oulu-...Sektorirajat ylittävä terveys- ja sosiaalipalvelujen käyttö: tutkimusta Oulu-...
Sektorirajat ylittävä terveys- ja sosiaalipalvelujen käyttö: tutkimusta Oulu-...Sitra / Hyvinvointi
 
Andjust....
Andjust....Andjust....
Andjust....Andrew Strickland
 
Person centred theory
Person centred theoryPerson centred theory
Person centred theoryIqaa Safura
 

Recomendados

Pruebas1
Pruebas1Pruebas1
Pruebas1Aquiles Benítez
 
02
0202
02viji yuvaraj
 
حرير
حريرحرير
حريرGHJKLzxcvb
 
Ronald torres act_1.2
Ronald torres act_1.2Ronald torres act_1.2
Ronald torres act_1.2Ronald Torres
 
Improving Health Care for Foreigners in Japan: Stories, Data and Policy Models
Improving Health Care for Foreigners in Japan: Stories, Data and Policy ModelsImproving Health Care for Foreigners in Japan: Stories, Data and Policy Models
Improving Health Care for Foreigners in Japan: Stories, Data and Policy ModelsJulia Puebla Fortier
 
Sektorirajat ylittävä terveys- ja sosiaalipalvelujen käyttö: tutkimusta Oulu-...
Sektorirajat ylittävä terveys- ja sosiaalipalvelujen käyttö: tutkimusta Oulu-...Sektorirajat ylittävä terveys- ja sosiaalipalvelujen käyttö: tutkimusta Oulu-...
Sektorirajat ylittävä terveys- ja sosiaalipalvelujen käyttö: tutkimusta Oulu-...Sitra / Hyvinvointi
 
Andjust....
Andjust....Andjust....
Andjust....Andrew Strickland
 
Person centred theory
Person centred theoryPerson centred theory
Person centred theoryIqaa Safura
 
Art songs and composers
Art songs and composers Art songs and composers
Art songs and composers Kimberly Norio
 
Cpu scheduling
Cpu schedulingCpu scheduling
Cpu schedulingAbhijith Reloaded
 
Desarrollo del sistema cardiovascular
Desarrollo del sistema cardiovascularDesarrollo del sistema cardiovascular
Desarrollo del sistema cardiovascularMariana Navarro
 
Business plan soccer school
Business plan soccer schoolBusiness plan soccer school
Business plan soccer schoolSamiSavanur
 
Observatoire départemental de l'eau - Eure 2012
Observatoire départemental de l'eau - Eure 2012Observatoire départemental de l'eau - Eure 2012
Observatoire départemental de l'eau - Eure 2012cg27
 
Notre catalogue 2012-2013
Notre catalogue 2012-2013Notre catalogue 2012-2013
Notre catalogue 2012-2013Julien Voyez
 
Catalogue de nos formation auprès des elus janvier 2013
Catalogue de nos formation auprès des elus janvier 2013Catalogue de nos formation auprès des elus janvier 2013
Catalogue de nos formation auprès des elus janvier 2013Julien Voyez
 
Conflicts (social psychology)
Conflicts (social psychology)Conflicts (social psychology)
Conflicts (social psychology)Iqaa Safura
 
Supplychainresilience Ups 123666078292 Phpapp01
Supplychainresilience Ups 123666078292 Phpapp01Supplychainresilience Ups 123666078292 Phpapp01
Supplychainresilience Ups 123666078292 Phpapp01det1mac
 
Supply Chain Resilience
Supply Chain ResilienceSupply Chain Resilience
Supply Chain ResilienceJordi Planas Manzano
 
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docx
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docxRunning head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docx
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docxhealdkathaleen
 
Cyber terrorism.. sir summar
Cyber terrorism.. sir summarCyber terrorism.. sir summar
Cyber terrorism.. sir summarmanailmalik
 
Supply chain, a risk management survey results and analysis
Supply chain, a risk management survey results and analysisSupply chain, a risk management survey results and analysis
Supply chain, a risk management survey results and analysisSimone Luca Giargia
 
Managing Risk in the Global Supply Chain
Managing Risk in the Global Supply ChainManaging Risk in the Global Supply Chain
Managing Risk in the Global Supply ChainGlobal Business Professor
 
Dissertation - Cyber Security
Dissertation - Cyber Security Dissertation - Cyber Security
Dissertation - Cyber Security Alysha Paulsen
 
FERMA ECIIA Cyber Risk Governance report 29 June 2017
FERMA ECIIA Cyber Risk Governance report 29 June 2017FERMA ECIIA Cyber Risk Governance report 29 June 2017
FERMA ECIIA Cyber Risk Governance report 29 June 2017FERMA
 
Offset print-brochure-ferma-2017v3-1
Offset print-brochure-ferma-2017v3-1Offset print-brochure-ferma-2017v3-1
Offset print-brochure-ferma-2017v3-1Manuel Lofino
 
Get Prepared
Get PreparedGet Prepared
Get PreparedHewlett Packard Enterprise Business Value Exchange
 
Enterprise Risk Management as a Core Management Process
Enterprise Risk Management as a Core Management ProcessEnterprise Risk Management as a Core Management Process
Enterprise Risk Management as a Core Management Processregio12
 
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docxINTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docxMargenePurnell14
 
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docxINTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docxbagotjesusa
 
RSA Security Brief : Taking Charge of Security in a Hyperconnected World
RSA Security Brief : Taking Charge of Security in a Hyperconnected WorldRSA Security Brief : Taking Charge of Security in a Hyperconnected World
RSA Security Brief : Taking Charge of Security in a Hyperconnected WorldEMC
 

Más contenido relacionado

Destacado

Art songs and composers
Art songs and composers Art songs and composers
Art songs and composers Kimberly Norio
 
Desarrollo del sistema cardiovascular
Desarrollo del sistema cardiovascularDesarrollo del sistema cardiovascular
Desarrollo del sistema cardiovascularMariana Navarro
 
Business plan soccer school
Business plan soccer schoolBusiness plan soccer school
Business plan soccer schoolSamiSavanur
 
Observatoire départemental de l'eau - Eure 2012
Observatoire départemental de l'eau - Eure 2012Observatoire départemental de l'eau - Eure 2012
Observatoire départemental de l'eau - Eure 2012cg27
 
Notre catalogue 2012-2013
Notre catalogue 2012-2013Notre catalogue 2012-2013
Notre catalogue 2012-2013Julien Voyez
 
Catalogue de nos formation auprès des elus janvier 2013
Catalogue de nos formation auprès des elus janvier 2013Catalogue de nos formation auprès des elus janvier 2013
Catalogue de nos formation auprès des elus janvier 2013Julien Voyez
 
Conflicts (social psychology)
Conflicts (social psychology)Conflicts (social psychology)
Conflicts (social psychology)Iqaa Safura
 

Destacado (8)

Art songs and composers
Art songs and composers Art songs and composers
Art songs and composers
 
Cpu scheduling
Cpu schedulingCpu scheduling
Cpu scheduling
 
Desarrollo del sistema cardiovascular
Desarrollo del sistema cardiovascularDesarrollo del sistema cardiovascular
Desarrollo del sistema cardiovascular
 
Business plan soccer school
Business plan soccer schoolBusiness plan soccer school
Business plan soccer school
 
Observatoire départemental de l'eau - Eure 2012
Observatoire départemental de l'eau - Eure 2012Observatoire départemental de l'eau - Eure 2012
Observatoire départemental de l'eau - Eure 2012
 
Notre catalogue 2012-2013
Notre catalogue 2012-2013Notre catalogue 2012-2013
Notre catalogue 2012-2013
 
Catalogue de nos formation auprès des elus janvier 2013
Catalogue de nos formation auprès des elus janvier 2013Catalogue de nos formation auprès des elus janvier 2013
Catalogue de nos formation auprès des elus janvier 2013
 
Conflicts (social psychology)
Conflicts (social psychology)Conflicts (social psychology)
Conflicts (social psychology)
 

Similar a Supply chain 4

Supplychainresilience Ups 123666078292 Phpapp01
Supplychainresilience Ups 123666078292 Phpapp01Supplychainresilience Ups 123666078292 Phpapp01
Supplychainresilience Ups 123666078292 Phpapp01det1mac
 
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docx
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docxRunning head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docx
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docxhealdkathaleen
 
Cyber terrorism.. sir summar
Cyber terrorism.. sir summarCyber terrorism.. sir summar
Cyber terrorism.. sir summarmanailmalik
 
Supply chain, a risk management survey results and analysis
Supply chain, a risk management survey results and analysisSupply chain, a risk management survey results and analysis
Supply chain, a risk management survey results and analysisSimone Luca Giargia
 
Dissertation - Cyber Security
Dissertation - Cyber Security Dissertation - Cyber Security
Dissertation - Cyber Security Alysha Paulsen
 
FERMA ECIIA Cyber Risk Governance report 29 June 2017
FERMA ECIIA Cyber Risk Governance report 29 June 2017FERMA ECIIA Cyber Risk Governance report 29 June 2017
FERMA ECIIA Cyber Risk Governance report 29 June 2017FERMA
 
Offset print-brochure-ferma-2017v3-1
Offset print-brochure-ferma-2017v3-1Offset print-brochure-ferma-2017v3-1
Offset print-brochure-ferma-2017v3-1Manuel Lofino
 
Enterprise Risk Management as a Core Management Process
Enterprise Risk Management as a Core Management ProcessEnterprise Risk Management as a Core Management Process
Enterprise Risk Management as a Core Management Processregio12
 
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docxINTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docxMargenePurnell14
 
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docxINTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docxbagotjesusa
 
RSA Security Brief : Taking Charge of Security in a Hyperconnected World
RSA Security Brief : Taking Charge of Security in a Hyperconnected WorldRSA Security Brief : Taking Charge of Security in a Hyperconnected World
RSA Security Brief : Taking Charge of Security in a Hyperconnected WorldEMC
 
Risk of Adopting Open Source ERP for Small Manufacturers: A Case Study
Risk of Adopting Open Source ERP for Small Manufacturers: A Case StudyRisk of Adopting Open Source ERP for Small Manufacturers: A Case Study
Risk of Adopting Open Source ERP for Small Manufacturers: A Case StudyPlacide Poba Nzaou
 
ITS 835Chapter 12Measuring Performance at
ITS 835Chapter 12Measuring Performance at ITS 835Chapter 12Measuring Performance at
ITS 835Chapter 12Measuring Performance at mariuse18nolet
 
Sc Logistic Competence Small And Medium Enterprise
Sc Logistic Competence Small And Medium EnterpriseSc Logistic Competence Small And Medium Enterprise
Sc Logistic Competence Small And Medium EnterprisePhilippe Venard
 
Ace emerging-risks-barometer-2013
Ace emerging-risks-barometer-2013Ace emerging-risks-barometer-2013
Ace emerging-risks-barometer-2013Factor-X
 
Quality management
Quality managementQuality management
Quality managementsunthorn don
 
4182020 Originality Reporthttpsucumberlands.blackboar.docx
4182020 Originality Reporthttpsucumberlands.blackboar.docx4182020 Originality Reporthttpsucumberlands.blackboar.docx
4182020 Originality Reporthttpsucumberlands.blackboar.docxblondellchancy
 

Similar a Supply chain 4 (20)

Supplychainresilience Ups 123666078292 Phpapp01
Supplychainresilience Ups 123666078292 Phpapp01Supplychainresilience Ups 123666078292 Phpapp01
Supplychainresilience Ups 123666078292 Phpapp01
 
Supply Chain Resilience
Supply Chain ResilienceSupply Chain Resilience
Supply Chain Resilience
 
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docx
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docxRunning head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docx
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docx
 
Cyber terrorism.. sir summar
Cyber terrorism.. sir summarCyber terrorism.. sir summar
Cyber terrorism.. sir summar
 
Supply chain, a risk management survey results and analysis
Supply chain, a risk management survey results and analysisSupply chain, a risk management survey results and analysis
Supply chain, a risk management survey results and analysis
 
Managing Risk in the Global Supply Chain
Managing Risk in the Global Supply ChainManaging Risk in the Global Supply Chain
Managing Risk in the Global Supply Chain
 
Dissertation - Cyber Security
Dissertation - Cyber Security Dissertation - Cyber Security
Dissertation - Cyber Security
 
FERMA ECIIA Cyber Risk Governance report 29 June 2017
FERMA ECIIA Cyber Risk Governance report 29 June 2017FERMA ECIIA Cyber Risk Governance report 29 June 2017
FERMA ECIIA Cyber Risk Governance report 29 June 2017
 
Offset print-brochure-ferma-2017v3-1
Offset print-brochure-ferma-2017v3-1Offset print-brochure-ferma-2017v3-1
Offset print-brochure-ferma-2017v3-1
 
Get Prepared
Get PreparedGet Prepared
Get Prepared
 
Enterprise Risk Management as a Core Management Process
Enterprise Risk Management as a Core Management ProcessEnterprise Risk Management as a Core Management Process
Enterprise Risk Management as a Core Management Process
 
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docxINTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
 
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docxINTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
 
RSA Security Brief : Taking Charge of Security in a Hyperconnected World
RSA Security Brief : Taking Charge of Security in a Hyperconnected WorldRSA Security Brief : Taking Charge of Security in a Hyperconnected World
RSA Security Brief : Taking Charge of Security in a Hyperconnected World
 
Risk of Adopting Open Source ERP for Small Manufacturers: A Case Study
Risk of Adopting Open Source ERP for Small Manufacturers: A Case StudyRisk of Adopting Open Source ERP for Small Manufacturers: A Case Study
Risk of Adopting Open Source ERP for Small Manufacturers: A Case Study
 
ITS 835Chapter 12Measuring Performance at
ITS 835Chapter 12Measuring Performance at ITS 835Chapter 12Measuring Performance at
ITS 835Chapter 12Measuring Performance at
 
Sc Logistic Competence Small And Medium Enterprise
Sc Logistic Competence Small And Medium EnterpriseSc Logistic Competence Small And Medium Enterprise
Sc Logistic Competence Small And Medium Enterprise
 
Ace emerging-risks-barometer-2013
Ace emerging-risks-barometer-2013Ace emerging-risks-barometer-2013
Ace emerging-risks-barometer-2013
 
Quality management
Quality managementQuality management
Quality management
 
4182020 Originality Reporthttpsucumberlands.blackboar.docx
4182020 Originality Reporthttpsucumberlands.blackboar.docx4182020 Originality Reporthttpsucumberlands.blackboar.docx
4182020 Originality Reporthttpsucumberlands.blackboar.docx
 

Supply chain 4

  • 1. Supply Chain Management: An International Journal Emerald Article: Supply chain risk management Peter Finch Article information: To cite this document: Peter Finch, (2004),"Supply chain risk management", Supply Chain Management: An International Journal, Vol. 9 Iss: 2 pp. 183 - 196 Permanent link to this document: http://dx.doi.org/10.1108/13598540410527079 Downloaded on: 14-06-2012 References: This document contains references to 45 other documents Citations: This document has been cited by 4 other documents To copy this document: permissions@emeraldinsight.com This document has been downloaded 11850 times since 2005. * Users who downloaded this Article also downloaded: * Ila Manuj, John T. Mentzer, (2008),"Global supply chain risk management strategies", International Journal of Physical Distribution & Logistics Management, Vol. 38 Iss: 3 pp. 192 - 223 http://dx.doi.org/10.1108/09600030810866986 Rao Tummala, Tobias Schoenherr, (2011),"Assessing and managing risks using the Supply Chain Risk Management Process (SCRMP)", Supply Chain Management: An International Journal, Vol. 16 Iss: 6 pp. 474 - 483 http://dx.doi.org/10.1108/13598541111171165 Uta Jüttner, (2005),"Supply chain risk management: Understanding the business requirements from a practitioner perspective", The International Journal of Logistics Management, Vol. 16 Iss: 1 pp. 120 - 141 http://dx.doi.org/10.1108/09574090510617385 Access to this document was granted through an Emerald subscription provided by UNIVERSITY OF THE PUNJAB For Authors: If you would like to write for this, or any other Emerald publication, then please use our Emerald for Authors service. Information about how to choose which publication to write for and submission guidelines are available for all. Please visit www.emeraldinsight.com/authors for more information. About Emerald www.emeraldinsight.com With over forty years' experience, Emerald Group Publishing is a leading independent publisher of global research with impact in business, society, public policy and education. In total, Emerald publishes over 275 journals and more than 130 book series, as well as an extensive range of online products and services. Emerald is both COUNTER 3 and TRANSFER compliant. The organization is a partner of the Committee on Publication Ethics (COPE) and also works with Portico and the LOCKSS initiative for digital archive preservation. *Related content and download information correct at time of download.
  • 2. Introduction Case study Supply chain risk Do large companies increase their exposure to risk by having small to medium-sized management enterprises (SMEs) as partners in business critical positions in the supply chain? Peter Finch This article presents a review of the literature, supplemented by case studies that aims to determine if large companies are taking unnecessary risks related to information systems (IS) management and maintenance of the supply chain. The author Methods Peter Finch is a Risk Management Consultant with AEA Secondary analysis of published and grey Technology, Warrington, UK. literature, and case studies was undertaken. The aim of the search strategy was to be Keywords comprehensive but not exhaustive. The Supply chain management, Risk management, material was restricted to the English language Small to medium-sized enterprises, Information systems as there were insufficient resources for translation. The search strategy was as follows. Abstract Published and grey literature This article presents a secondary analysis of the literature, Electronic searches of the following journal supplemented by case studies to determine if large databases were undertaken to identify companies increase their exposure to risk by having published literature: ANBAR, BIDS, Emerald, small- and medium-size enterprises (SMEs) as partners in Infotrac, INSPEC, and Ei Compendex. This business critical positions in the supply chain, and to make was supplemented by online searches using the recommendations concerning best practice. A framework Copernic, Google, and Northern Light search defining the information systems (IS) environment is used to engines: structure the review. The review found that large companies' . Electronic searches were undertaken using exposure to risk appeared to be increased by the terms ``SME'', ``small business'', inter-organisational networking. Having SMEs as partners in ``supply chain'', ``risk'', ``risk management'', the supply chain further increased the risk exposure. SMEs ``business continuity'', and ``disaster''. increased their own exposure to risk by becoming partners in Search dates were restricted to between a supply chain. These findings indicate the importance of 1995 and 2001. undertaking risk assessments and considering the need for . Additional grey literature (for example, business continuity planning when a company is exposed to newspaper articles, trade magazines, inter-organisational networking. company policies and procedures) was obtained. Electronic access . Hand searching was undertaken to identify The Emerald Research Register for this journal is available at relevant published and grey literature not www.emeraldinsight.com/researchregister identified by electronic searches. The current issue and full text archive of this journal is Case studies available at The case studies originate from newspapers, www.emeraldinsight.com/1359-8546.htm magazine and journal articles, and examples Supply Chain Management: An International Journal from the author's own practice. Volume 9 . Number 2 . 2004 . pp. 183-196 # Emerald Group Publishing Limited . ISSN 1359-8546 The views expressed in this article are those of the DOI 10.1108/13598540410527079 author and not necessarily of his employer. 183
  • 3. Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196 In total, in excess of 2,000 articles, papers, supply chain. Where available, examples of best surveys and case studies were obtained and practice are identified. screened. Relevant literature was extracted for analysis. 1 The application level Framework Natural disasters Bandyopadhyay et al.'s (1999) IS environment Whilst these risks affect both large companies and risk identification framework is used to and SMEs equally, they may affect SMEs structure the review. Bandyopadhyay et al. disproportionately hard because of their size defined the IS environment within a company and limited resources. as comprising three levels: Research by the Guardian IT Group (Youett, (1) the application level; 2001) into their clients' invocation of business (2) the organisational level; and continuity plans found that almost 2 per cent of (3) the inter-organisational level. IS failures in the UK are caused by flood or The risks affecting each of these environments storm. The following review of the literature are outlined in Table I. looks at the preparedness of a small In the following sections, case studies and organisation when faced with flooding and the evidence from the literature are used as potential for disruption of the supply chain. examples of the IS risk types outlined in Flooding Bandyopadhyay et al.'s framework, and their A National Computer Centre (NCC, 1996) impact upon SMEs, large companies and the survey in 1996 reported that 5 per cent of large Table I Framework for structuring the review and summary of IS risks IS environment and risk identification IS environment Type of IS risk Examples of IS risks 1. Application level. The risk Natural disaster ± flood, storm/lightning strike, Flooding of technical or disease/epidemic implementation failure of Accidents ± fires, poorly designed, constructed or Human error an application resulting maintained systems, buildings, policies and from either internal or procedures (human error) external factors Deliberate acts (physical actions) ± sabotage, Terrorism theft, vandalism, terrorism and hoaxes Data information security risks ± hackers, viruses, Information security destruction and denial of access Management issues ± decision making, human Skill acquisition and resourcing, (succession planning, skill retention acquisition and retention) 2. Organisational level. The As above plus: Legal risk ± violation of rights, Intellectual property/capital risks from the strategic intellectual property implementation of IS Strategic decision making: Strategic re-organisation throughout all functional Competitor's actions areas Strategic and sustainability risks. Lack of investment to sustain competitive advantage Increased bargaining power ± suppliers and customers 3. Inter-organisational level. As above plus: weak or ineffective control ± of Risk from strategic alliances The risks associated with suppliers or customers' systems, policies and inter-organisational procedures networking Source: Bandyopadhyay et al. (1999) 184
  • 4. Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196 companies had experienced flooding. No and restaurants on the same stretch of river, was figures were given for SMEs, however, there is flooded. Within 24 hours of the flood water no reason to imagine the figure should differ subsiding the pub was able to open. Not all greatly. The average cost to a large company establishments were so prepared or had was found to be £25,540 with a maximum cost assessed the risks. The nearby Ship Inn was of £100,000 (1996 prices). SMEs would closed for three months whilst a £250,000 refit probably suffer lower costs should such events was underway (Rutstein, 2000). In this example occur due to their lower investment in IS. It is the brewery may have business continuity likely that the costs would still be considerable procedures in place to ensure its own when compared to the size of an SME and its continuity, however, if a significant number of available resources. outlets in the supply chain are unable to In the UK, floods in late 2000 and early 2001 continue for an extended period (as was the brought wide-scale disruption. In October, case in York), then revenues will be harmed. November and December 2000 between Flooding ± best practice one-and-a-half and two times normal rainfall Whilst this example does not relate specifically occurred (Environment Agency, 2001). to the company's IS infrastructure, the aim is to Disruption was widespread with many demonstrate best practice by illustrating the companies, particularly smaller ones, going out preparedness of the small firm and the potential of business or facing an uncertain future (Jolly, impact upon the supply chain. It is clear that 2000). The Federation of Small Businesses the impact upon business can be reduced if gave £20,000 to each of the regions hit by potential risks are proactively managed, and flooding towards the cost of temporary there is a well-conceived and constructed accommodation (Sunday Times, 2000a). In business continuity plan in place. Lewes in East Sussex over 200, mostly small The following section examines the risks companies were affected by the flooding (Daily faced by companies from accidents. Telegraph, 2000a). This led to Sussex Enterprise requesting that the government should draw up Accidents contingency plans to help these companies. These risks can to a large extent be mitigated by There are some instances where small a company's policies and procedures. One companies have exhibited good risk planning potential source of accidents common to all and management. One sector badly affected by sizes of company is human error. flooding was the brewing and leisure industry. Pubmaster (a pub operator) estimated that the Human error floods would cost the industry upwards of £100 A study by Broadcasters Network International million in damage and lost revenue with many (Sullivan, 1999) found that as much as 66 per small firms going out of business (The cent of data loss was caused by human error. Independent, 2000). The following case study The National Computer Centre (NCC, 1996) examines the preparedness of a public house, survey in 1996 reported that 34 per cent of large the King's Arms, when faced with flooding. companies had experienced human error. The average cost to an organisation was £3,570 with The King's Arms a maximum cost of £20,000 (1996 prices). In York, which suffered extensive flooding of There is no evidence to suggest that the the River Ouse in both 2000 and 2001, many incidence will be greatly different in small companies suffered long-term damage. The companies, however, the average costs may well King's Arms public house, which is located on differ. The following case study examines the and at times in the River Ouse was not one of effects of human error on two large companies them (Rawstorne, 2001). The pub has a in the supply chain. ``mobile'' bar and all fixtures and fittings can be removed quickly. Electrical wiring is at ceiling NASA Mars missions height, the floors flagged and the walls tiled or One of the largest and most public examples of covered with waterproof plaster. In October human error in recent years was the loss of the 2000 the King's Arms, along with other pubs North American Space Agency (NASA) Mars 185
  • 5. Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196 Climate Orbiter, which disappeared in 1999 at cost being lower. The case study described a cost of $250 milllion. NASA had below examines another deliberate act that has sub-contracted the construction of the Orbiter far-reaching and often unanticipated outcomes: to Lockheed Martin. An independent review the actions of terrorists. board blamed the loss of the Orbiter on poor Terrorism project management, a lack of supervision, poor Research by the Guardian IT Group reported communications and short-sighted engineering. by Youett (2001) found that almost 2 per cent Specifically, the review board found that the of IS failures resulted from bombs or terrorist root cause of the loss was due to the mission's activities. The following case study examines navigation team being unfamiliar with the the impact and aftermath of the Manchester spacecraft and lacked training. Notably, the (England) bombing in 1996. NASA team failed to detect a mistake by Lockheed Martin engineers who delivered Manchester bombing navigation information in imperial rather than The IRA bomb, which exploded in Manchester metric units. The review board concluded that city centre in 1996 with the equivalent energy of the Climate Orbiter project team did not spend 800kg TNT, injured 216 people and affected enough time studying what might go wrong over 4,000 companies; 49,000m2 of retail space during the mission and, consequently, and 57,000m2 of offices were lost (Jenkins, developing contingency procedures to correct 1999). mistakes in flight (CNN.com, 1999). Companies in the vicinity of the explosion found that even if there had not been any Human error ± best practice damage caused by the explosion, they were The final report from the review board unable to access premises for at least three days concluded that poor training, inadequate because of a police cordon. Due to the damage testing, minimal supervision and a lack of caused by the bomb many companies had to people and money meant that there was not relocate away from their original premises. enough margin or adequate funding. The result Moyes (1996) reported that five months after was that risk gradually grew throughout the the blast many small companies (and in total programme. A thorough and ongoing project around 700 companies) had not returned to risk management process may have identified business. Because of the relocation and the some of the problems faced by the programme. negative publicity surrounding the bombing, Whilst this example focuses on large those small companies that had returned companies, it does highlight the threat posed by reported takings were down by 50 per cent human error and how this threat may be (Jeffay, 1996). The total loss in trade was amplified by any breakdown in communication estimated to be £5 million on the first day between two companies in a supply chain. alone. There is no evidence to suggest that SMEs are The Chartered Institute of Loss Adjusters any better at communicating with partners than stated that the insured cost of the bomb blast large companies, although case studies of three ranged between £25,000 for small units to SMEs by Hill and Stewart (2000) found more than £60 million for one store (Cicutti, evidence to suggest internal communications in 1996). The total cost of claims was estimated to SMEs are better than larger companies. be in the region of £400 million. Substantial proportions of the claims were related to Deliberate acts (physical actions) business interruption rather than damage These risks are to a limited extent under the resulting from the bomb explosion itself. Youett control of the company. The NCC (1996) (2001) found that it was unlikely that a survey found that equipment theft had been company's commercial insurance policy experienced by 46 per cent of large companies. covered disaster recovery or extended periods of The average cost to the organisation was interruption. This highlights the importance of £26,730, with the maximum cost being not only having a business continuity plan, but £750,000. The incidence is likely to be similar also of transferring some risk via appropriate for SMEs with the actual cost if not the relative types and levels of insurance. 186
  • 6. Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196 Terrorism ± best practice Information security The Home Office (1998) report on the Figure 1 is a graph from the NCC (2000) Manchester bomb recommended that those survey and shows the percentage of companies companies without a contingency plan needed with an information security policy by size. It is to be encouraged to prepare one. Such a plan clear from the data that SMEs, and in particular should include the issues of whether the staff micro and small companies, exhibit less should evacuate the building, and to plan and preparedness than larger companies. arrange for the temporary relocation of the The following case studies were sourced from business. The report went on to recommend the author's practice and examine some aspects that insurance policies should be reviewed of information security and the manner in regularly to ensure that they are up to date and which SMEs and large companies have cover all potential losses to the business from all approached the risks. possible causes, including disaster recovery and Virus detection/hacking extended periods of disruption. A large company had a well-respected virus detection tool on a network server and the virus Data/information security risks database was kept up to date. Incoming e-mail Data and information security risks are largely under the control of the organisation, although messages were automatically scanned for this is not always the case. An Information viruses when they were opened. This appeared Security Survey by Ernst & Young (2001) that to be a well-managed situation, however, the interviewed 273 chief information officers and e-mail scanner was not set up to monitor the IT directors of ``leading companies'' found that e-mail and Web servers. A hacker was able to over 70 per cent of UK companies had suffered place a Trojan (information collecting ``virus'') disruption to a critical IT service in the past 12 on the Web server and this went undetected for months and 31 per cent of these disruptions over a month. The virus scanner should have were attributed to failures of or in third party been integrated with the firewall so that all systems, suggesting that many companies are messages passing across the firewall would be not addressing fully the risks posed by their scanned. partners or customers. Firewalls Those companies that have implemented As part of an information security workshop information security policies or procedures may with a large company an employee informed a still be unaware of the risks they face. A study consultant that their network had a firewall. undertaken by ICSA.net (1999) examined 54 When this response was probed further it corporate Web sites that had implemented emerged that the client did indeed have a security technologies and policies in order to mitigate risk. This study found that of the Figure 1 Percentage of companies with an information security policy companies: . 60 per cent were susceptible to denial of service attacks; . 80 per cent did not know what services were on their network and visible over the Internet; . 80 per cent had insufficient security policies; and . 70 per cent of sites with firewalls remained vulnerable to known attacks. This study shows that even in instances where a company has data or information security policies and procedures, unless they have been carefully considered and implemented their utility may be limited. 187
  • 7. Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196 firewall. Unfortunately the firewall only access rights did not allow use of one particular extended to coverage of one particular folder on a network drive. The consultant e-commerce application. The rest of the telephoned the IS help desk asking for company's network (including all e-mail, additional access rights. Without further intranet and Internet servers) was unprotected. authorisation he was given access to the whole An SME had a relatively simple network of the network, including personnel and serving 35 PCs. The company believed that medical records, financial information and they needed to create an extranet with a firewall minutes of the board meetings. to allow remote access to data and e-mail. A network manager in a SME created a user Having reviewed the options they chose a account for a consultant, but did not delete the reputable product, employed a contractor to account when the work was completed. Over install it for them, and enjoyed the benefits. six months later he went back to the site and What they failed to recognise was that a firewall was able to log on again. His password had requires management. The security policies expired but he was allowed to change it as he employed must be carefully thought through, logged on. and the log files regularly scrutinised for traces Information security ± best practice of an attack. In this case an intrusion was Information technology has become essential to detected by accident even though there was the performance and effective running of many clear evidence in the firewall log. companies. As the above examples show, Backups however, many companies, regardless of their A large company had an extensive network that size, do not appear to comprehend fully the was actively managed. Full backups were taken extent to which their business depend on these on a routine basis, with incremental backups systems. In many cases little consideration being taken every night. It was common appeared to be given to the monitoring, control practice to store backups in a secure location and security of these systems. This was despite off-site. A junior member of the IS department the many surveys on the subject and the was tasked with taking the backup tapes to widespread recognition and publicity they reception every morning. A courier would arrive receive. If the monitoring, control and security to collect the latest tapes and return the oldest of these systems are ignored, the consequences set. The junior member of staff was offered a can be far reaching with the potential to affect a job elsewhere. When the staff member left company severely or even disastrously. The fact nobody took responsibility for managing the that SMEs have been shown to treat off-site backups. Consequently the courier information security lightly should be a matter arrived each day to deposit a box of tapes and of concern for large companies with whom they take one away. It was over two months before may do business. This concern should be even someone noticed that the contents of the boxes greater if the companies are connected never changed. electronically via extranets or electronic data An SME had a digital audio tape (DAT) interchange (EDI). Companies should assess drive and ``a few tapes'' which they used to back and manage the risks arising from the control up network servers. The IS manager did not and security of their own and other companies' understand the value of the data being stored systems effectively, allowing these on the servers, and believed that his equipment consequences to be mitigated. was reliable ``because I've not had to change anything for ages''. There were no current Management issues system or data backups and there would have Risks arising from management issues, which been significant business disruption had a include decision making, succession planning, problem occurred. skill acquisition and retention can be mitigated User accounts/passwords to a large extent by organisational policies and When working at a large company for an procedures. Millward et al. (1992) found that, extended period, a consultant was given a user whereas larger companies rely greatly on formal account on the company's network. The basic methods and bureaucratic procedures by 188
  • 8. Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196 specialist personnel departments, SME shortage and that the number of such SMEs is owners/managers are likely to handle recruiting rising rapidly. The following case study and personnel matters without delegating and examines the skill issues facing a Web-based car are unlikely to have relevant skills. The specific sales company. risks to SMEs from shortages of appropriate IS Portfolio For Cars skills and knowledge are examined below and A case highlighted by the Sunday Times (1998), followed by a case study. that of ``Portfolio For Cars'', an Internet-based Skill acquisition and retention car sales Web media company, highlights the According to a survey conducted for the dilemmas encountered by SMEs when facing Department of Trade and Industry (DTI, an IS skills shortage. 2000) the perception that a shortage of IS skills Portfolio had more than 600 franchised is a barrier to the adoption and implementation motor dealers using and paying for their of IS appears to be higher in medium and large services. In the 1997-1978 financial year companies. Figure 2 illustrates this perception Portfolio made a profit of almost £250,000 on and also demonstrates a correlation between the sales of £1.1 million, from a staff of 63, nine of perception of a skills shortage, the level of whom were IS staff. Staff turnover was formal IS training and the implementation of IS extremely low and Portfolio had never lost staff within companies. to other companies. Due to expansion there was The reduced perception of a skills shortage a need to expand the number of IS staff at the amongst SMEs may be a result of a lower rate of one a month. This was proving to be perceived requirement for IS within small very difficult. A number of reasons were cited companies or a greater degree of confidence in for the difficulty in attracting suitable IS staff: the SMEs' own ability to implement these . high salary expectations of candidates technologies. A recent survey for the Federation (£30-55,000); of Small Businesses (2000) found that 53 per . shortage of appropriate Web related skills cent of small business owners or managers were generally; which was exacerbated by either satisfied or very satisfied with their ability . scarce skills due to geographical location to implement new technologies. Davies (2000), (edge of the Peak District). however, suggests otherwise, reporting that those SMEs who rely on information Portfolio was unwilling to use contract staff for technology, are increasingly facing an IS skills these IS roles. It was also reluctant to train unskilled staff, citing that there were too few Figure 2 UK companies' IT skill shortage and IT training people who have the basic skills required. One of the partners in the company laid the blame elsewhere, commenting: I just don't know if these people exist. Online commerce is the future of retail. Nowhere near enough secondary-school pupils are being trained in digital technologies to make it happen. British business is losing out as a result. This appears to be a common attitude amongst SMEs. Hill and Stewart (2000) found that in SMEs IS related training and development often does not take place. Where it does it tends to be reactive and informal, aimed at solving short-term problems rather than the development of staff. Small firms tend not to have a lifelong learning culture or see a need for sustained improvement in organisational management (Lawless et al., 2000). 189
  • 9. Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196 Skill acquisition and retention ± best practice hardware related development play an For SMEs to want to implement human important role in innovation. It is necessary for resource policies, account must be taken of all companies, but especially SMEs, to their unique situation. The link between understand the importance of protecting proactive human resource policy and business intellectual property. In particular the performance needs to be made clear to SME possession of intellectual property rights helps owners/managers. Alternatively, issues such as a an organisation to: skill shortage may ultimately impact upon . raise finance to develop and market partners in the supply chain. Zsidisin et al. inventions or innovations; (2000) highlighted the risk arising from the . license a product or service to competitors; capacity constraints of a partner as being one of and the major risks affecting supply chains. If . sell or license innovations to larger human resource management risks are companies. effectively assessed and managed by a company The following case study examines an SME that then there is a greater likelihood that suitable has actively protected its intellectual property remedies can be identified early on. and looks at the ways in which the company has benefited. Gorix Textiles 2 The organisational level Gorix is a manufacturer of hi-tech Legal electro-conductive textiles that had sales in Organisational policies and procedures can 1999 of £270,000 and employed four full- and largely mitigate risks such as violation of rights, two part-time staff (Renton, 2000a). Gorix's legal obligations of disclosure and intellectual innovations included materials that regulate the property issues. Companies listed on the stock flow of electrical heat according to body exchange (normally larger companies) have to temperature, a ``smart'' fire jacket that warns comply with certain legal requirements relating the wearer when their body temperature is too to risk. This is not the case for most small high and, in conjunction with pharmaceutical companies. Another legal issue that can impact companies, a heated dressing designed to speed upon (often hi-tech) SMEs is the handling of up the healing process. intellectual property or capital. According to the company's two founders, the largest outlay for Gorix has been in legal Intellectual property/capital According to Roos (1996), the intellectual fees relating to intellectual property. Gorix has property or capital of a company includes the spent a total of £280,000 on patents aimed at knowledge and skills of its employees, the securing its intellectual property worldwide. infrastructure, customer relationships, This strong defence of intellectual property has employee motivation, processes that leverage meant that Gorix is now in a position to license these assets and methods of doing business. the manufacture of a number of its products to A survey by KPMG (Sunday Times, 2000b) competitors and larger companies. The proactive approach to this particular found that intellectual property licensing legal issue has benefited the company twofold. revenues were worth more than $150 billion First, Gorix's ongoing viability has been globally yet this is only 10 per cent of the total ensured and, second, it has allowed the intellectual property assets. This suggests that company to utilise its intellectual property to around $1,350 billion of intellectual property competitive advantage. assets are currently not realised. The National Criminal Intelligence Service (NCIS, 2000) Intellectual property/capital ± best practice estimates that in 1998 losses caused by Lang (2001) suggests that the proliferation of intellectual property theft, in terms of UK sales software and business method patents and the not made, were £6.42 billion. SMEs' exposure legal challenges that have become more to these losses is not made clear. However, common have made it necessary for hi-tech SMEs involved in, for example, software and companies to scrutinise their legal risks and 190
  • 10. Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196 adopt an intellectual property strategy. The commercial requirements and increases in above case study of Gorix highlights the technology costs; and importance of this for SMEs, and demonstrates . rapid consolidation of prime contractors in the effectiveness of proactive assessment and the USA squeezing out smaller European management of risks. competitors. Renton (2000b) reported that large aerospace Strategic decision making companies aimed to cut the number of Risks such as the actions of competitors and the suppliers by 80 per cent by utilising techniques increased bargaining power of customers and first used in the car industry. UK SME suppliers are external to the company. suppliers were, therefore, faced with three main Formulating an appropriate and effective challenges to their survival, requiring them to organisational strategy can to a certain extent adopt new strategies and new skills: mitigate these risks. (1) a global redefinition of the existing supply Strategic re-organisation chain; A recent report undertaken for 3COM (2000) (2) global competition leading to consolidation Consulting found that 76 per cent of SMEs in of major contractors; and the UK have no IS strategy and did not (3) customer expectation of self-financed understand the competitive advantage offered research and development. by information technology. The research report The major contractors effectively transferred concluded that the use of technology by small risk and responsibility onto their suppliers. The companies is reactive and complacent, while AT Kearney and SBAC (2000) report their budgets are poorly targeted. The following concludes by stating that those SMEs who fail case study examines the strategic capabilities of to adapt risk being eclipsed by globally oriented an SME and its ability to change strategic focus competitors. when larger partners' requirements alter. Confronted by these challenges St Bernard began a wholesale rethink of the way they do St Bernard Composites business. St Bernard is: The UK aerospace industry is the second . actively reducing costs by consolidating in a largest earning export sector. Companies such single location; as Rolls Royce and BAE Systems buy in about . investing in new technology; 70 per cent of their production content, much . aggressively targeting export markets; and of it from smaller British companies. The . diversifying into new markets (using aerospace supply chain provides employment existing techniques and technologies). for 80,000 people. St Bernard Composites supplies advanced St Bernard plans to differentiate itself by composite components to aero-engine and emphasising quality and continuous airframe manufacturers in the aerospace improvement. To this end, the company is industry. They employ 195 staff and have a introducing modern Japanese production turnover of £20 million (Renton, 2000b). techniques and concepts, investigating the Following the publication of a report by AT possibilities of e-commerce, making strategic Kearney and the Society of British Aerospace alliances and is considering the potential for Companies (SBAC) (AT Kearney and SBAC, merger. 2000) St Bernard reappraised its business Strategic re-organisation ± best practice strategy. Whilst the actions of competitors and suppliers The AT Kearney and SBAC (2000) report external to the company cannot (in most cases) found that the global aerospace industry had in be strictly controlled, formulation and the 1990s undergone a radical transformation implementation of an appropriate and effective due to: strategy can help a company prepare for many . large reductions in global defence spending; eventualities. In doing so, a company can . erosion of a close privileged relationship improve its chances of long-term survival. The with national governments due to St Bernard example suggests that SMEs are at 191
  • 11. Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196 just as great a risk from their partners in the The EDI network connects 1,300 of 2,000 supply chain as are large companies. It does, suppliers (around 96 per cent by volume of however, illustrate that SMEs are capable of goods sold) suggesting that many of the other changing the way they work in response to 700 are small suppliers. The EDI network is changing circumstances. Whether this case is well suited for the one-way exchange of representative of strategic decision making in structured transactions such as purchase orders SMEs is unclear. The high failure rate amongst with suppliers. However, it is not suitable for SMEs suggests that it may not be. handling collaborative processes such as the management of promotions. In order to overcome the drawbacks 3 Inter-organisational level associated with the EDI system (and a target of bringing all of their suppliers online by 2000) Weak or ineffective control Tesco rolled out a Web enabled supply chain These risks are external to the company and can (extranet) solution from GE Information occur due to uncertainty arising from Services. Suppliers paid from £100 to inter-organisational networking. The aim of this £100,000 to join the Tesco Information empirical review is to ascertain whether large Exchange (TIE ± the acronym is intentional), companies increase their exposure to risk by dependent on their size. At the time of writing having SMEs in business critical positions in 600 suppliers (approximately 65 per cent of their supply chain. Das and Teng (1999) Tesco business) were using the system. This suggest such strategic alliances with customers allowed Tesco and its suppliers to jointly plan, or suppliers are a high-risk strategy because a execute, track and evaluate promotions by company has less control over the alliance than sharing common data as well as viewing daily it has over its own subsidiaries. The following electronic point-of-sale data from Tesco stores. example examines the extent to which strategic Tesco hoped to achieve at least a 20 per cent alliances have become commonplace and the reduction in stocks as well as increasing the potential risks that they can face. number of products handled only once in the Risk from strategic alliances store by 30 per cent (Nairn, 2000). In the UK, the supermarket sector was St Ivel estimated to be worth around £66 billion in St Ivel is a business unit of the Uniq (formerly 1997. The largest six food retailers had a 76 per Unigate) Group and employs over 1,450 staff at cent share of fruit and vegetable sales with the five production plants throughout the UK. A ``big four'' alone (Tesco, Sainsbury's, Asda and total of 70 per cent of production is branded Safeway) accounting for 60 per cent of all and 30 per cent private label. St Ivel supplies grocery sales in the UK (Fearne and Hughes, many of the UK supermarkets including Tesco. 1998). These dominant companies have According to a narrative article by Nairn invested heavily in the development of their (2000), TIE has saved St Ivel 30 per cent of supply chains to increase efficiency and reduce annual promotional on-costs. costs. In order to limit their exposure to risk Tesco has, however, experienced difficulties they have implemented increased monitoring in persuading all of its suppliers to utilise the and control of their suppliers. The following system fully. Only two of their suppliers have case studies examine the risks faced by two changed fundamentally the way they work as a companies following the forming of a strategic result of TIE, allowing them to bring products alliance. to market much faster than their competitors. Tesco A risk in implementing such supply chain Tesco is the largest and most profitable management systems, that are designed to tie company in the UK supermarket sector. The suppliers to customers and vice versa, is the results for 2000-2001 show group sales of weakened level of control over supplies. This £22.8 billion with profits before tax at £1.05 was exhibited clearly during the weeklong UK billion (Tesco, 2001). Since the 1980s, Tesco fuel crisis of September 2000. Biederman has used EDI to order goods from suppliers. (2000) opined that: 192
  • 12. Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196 The crisis revealed that modern day supply chains compare like with like due to the diversity of the as finely tuned machines, are highly vulnerable, sources. Many of the original case studies had proving the old adage that a chain is only as strong different aims to those of this empirical review. as the weakest link. Relevant information may have been accessible Food and other deliveries to the supermarket if appropriate questions had been asked. In chains including Tesco remained largely certain case studies information was incomplete undisturbed due to the short length of the or absent. In order to address this weakness, disruption. This would have been rather supplementary searching of the literature was different had the crisis gone on any longer undertaken to increase the validity of the case (Biederman, 2000). The supermarket's petrol studies and the rigour of the research process. stations were, however, severely disrupted and Utilising predominantly secondary data for rapidly ran dry. This had a knock-on effect, as this empirical review allowed a broader customers were unable to reach many selection of case studies to be identified. The supermarkets. The situation was sufficiently case studies, however, did not in all cases serious to worry investors, with Tesco shares examine risks affecting IS. This made it more falling by 4.75p (Parkinson, 2000) and analysts difficult to generalise about the findings. The forecasting a £200 million reduction in retail literature search revealed fewer IS risk case sales in that one week alone (Daily Telegraph, studies than would have been desirable. This 2000b). lack of IS risk case studies impacts on the Risk from strategic alliances ± best practice generalisability of the findings. This can be The weak control over suppliers and customers attributed in part to the difficulty of finding in the supply chain can be compounded by the information regarding IS and IS risk risks highlighted, which affect links up or down management in SMEs. It would be useful to the supply chain. Zsidisin et al. (2000) report conduct a small number of case studies using that whilst proffering many companies a primary research to verify the findings of this competitive advantage in the marketplace, secondary analysis. outsourcing has resulted in corresponding In addition, whilst identifying some increases in the level of corporate exposure to incidences of best IS risk management practice, uncertain events with suppliers. A company this review did not identify fully what should actively assess the risks and threats, not constitutes best IS risk management practice. only to itself but also to its direct and indirect This may be due to a reporting bias in the suppliers and customers. literature that leans toward an examination of poor practice rather than best practice. A carefully constructed primary study designed to Discussion ascertain examples of best and poor practice The aim of this review was to determine if large needs to be undertaken to increase the rigour of companies increase their exposure to risk by this empirical review. Table II summarises the having SMEs as partners in business critical areas where best practice was identified in each positions in the supply chain and make case study. recommendations concerning best practice. A A common theme identified from the case number of issues that could potentially impact studies was that whilst there were few specific on the rigour of the process arose that warrant examples of best practice, there were valuable further discussion. lessons to be learned from the way individual The strength of using case studies is that they companies assessed and managed the risks showed clearly that SMEs can assess and confronting them and planned for the manage risk. However, there was strong continuation of business should the worst evidence in the wider literature to suggest that happen. many SMEs do not assess and manage risk The management of risk is, or should be, a adequately. core issue in the planning and management of The case studies originated from a wide any organisation. Bandyopadhyay et al. (1999) variety of sources. This made it difficult to in their review of the literature stated that four 193
  • 13. Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196 Table II IS risks, impact on the supply chain and best practice Examples of IS risks Examples of best practice Flooding The impact upon business can be reduced if potential risks are proactively managed, and there is a well-conceived and constructed business continuity plan in place Human error A thorough and ongoing project risk management process may have identified some of the problems faced by the programme Terrorism Those companies without a contingency plan need to be encouraged to prepare one ± to include the issues of whether the staff should evacuate buildings, and to plan and arrange for the temporary relocation of the business. Insurance policies should be reviewed regularly to ensure that they are up to date and cover all potential losses to the business from all possible causes Information security If the monitoring, control and security of these systems is ignored, the consequences can be far reaching with the potential to affect a company severely or even disastrously. Companies should assess and manage the risks arising from the control and security of their own and other companies' systems effectively, allowing these consequences to be mitigated Skill acquisition and retention The link between proactive human resource management policy and business performance needs to be made clear to SME owners/managers. Alternatively, issues such as a skill shortage may ultimately impact upon partners in the supply chain. If such human resource management risks are effectively assessed and managed by a company then there is a greater likelihood that suitable remedies can be identified early on Intellectual property/capital The proliferation of software and business method patents and the legal challenges that have become more common have made it necessary for hi-tech companies to scrutinise their legal risks and adopt an intellectual property strategy. The case study of Gorix highlights the importance of this for SMEs, and demonstrates the effectiveness of proactive assessment and management of risks Strategic re-organisation Whilst the actions of competitors and suppliers external to the company cannot (in most cases) be strictly controlled, formulation and implementation of an appropriate and effective strategy can help a company prepare for many eventualities. In doing so, a company can improve its chances of long-term survival. The St Bernard example suggests that SMEs are at just as great a risk from their partners in the supply chain as are large companies Risk from strategic alliances The weak control over suppliers and customers in the supply chain can be compounded by the risks highlighted, which affect links up or down the supply chain. Zsidisin et al. (2000) report that whilst proffering many companies a competitive advantage in the marketplace, outsourcing has resulted in corresponding increases in the level of corporate exposure to uncertain events with suppliers. A company should actively assess the risks and threats, not only to itself but also to its direct and indirect suppliers and customers major components of risk management had However, no matter how well risk is managed it been identified: is necessary to prepare for negative events. It is (1) Risk identification ± identifying and important to understand the distinction quantifying the exposures that threaten a between risk management and planning for company's assets and profitability. continued operation once a potential risk has (2) Risk analysis ± identifying and assessing the occurred (business continuity planning). The risks to which the company and its assets management of risks and business continuity are exposed in order to select appropriate planning were two high-level examples and justifiable safeguards. identified from the case studies where best (3) Risk reduction, transfer and acceptance ± practice was demonstrated and positive reducing or shifting the financial burden of outcomes were achieved. loss so that, in the event of a catastrophe, a company can continue to function without severe hardship to its financial stability. Conclusion (4) Risk monitoring ± continually assessing The review found that large companies' existing and potential exposure. exposure to risk appeared to be increased by A company manages risk in order to protect its inter-organisational networking. Having SMEs assets and profits, and stay in business. as partners in the supply chain further increased 194
  • 14. Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196 the risk exposure. SMEs increased their own Federation of Small Businesses (2000), ``Barriers to survival exposure to risk by becoming partners in a and growth in UK small firms'', available at: www.fsb.org.uk supply chain and few had made an assessment Hill, R. and Stewart, J. (2000), ``Human resource of the risks involved or had a strategy in place development in small organizations'', Journal of for managing risk. These findings indicate the European Industrial Training, Vol. 24 No. 2-3-4, importance of undertaking risk assessments and pp. 105-17. Home Office (1998), ``Business as usual: maximising considering the need for business continuity business resilience to terrorist bombings'', available at: planning when a company is exposed to www.homeoffice.gov.uk/rds/horspubs1.html inter-organisational networking. ICSA.net (1999), Information Security: A Practical Solution for Senior Management, available at: www.icsa.net (The) Independent (2000), ``Floods may cost pub industry References £100m'', The Independent, 8 November, p. 20. Jeffay, J. (1996), ``Come and find us'', Manchester Metro 3COM (2000), ``Research from 3Com reveals that over 75 News, 15 November, p. 1. per cent of SMEs currently have no IT strategy in Jenkins, R. (1999), ``Manchester rises from the rubble'', place'', 13 November, available at: www.3com.co.uk/ The Times, 25 November, p. 19. news/prel_20001113_1.html Jolly, I. (2000), ``Murky future for flood hit firms'', AT Kearney and SBAC (2000), ``The impact of global 2 November, available at: http://news.bbc.co.uk/hi/ aerospace consolidation on UK suppliers'', available english/business/newsid_998000/998734.stm at: www.atkearney.com/pdf/eng/aero_consolidation. Lang, J.C. (2001), ``Management of intellectual property pdf rights: strategic patenting'', Journal of Intellectual Bandyopadhyay, K., Mykytyn, P. and Mykytyn, K. (1999), ``A Capital, Vol. 2 No. 1, pp. 8-26. framework for integrated risk management in Lawless, N., Allan, J. and O'Dwyer, M. (2000), ``Face-to-face information technology'', Management Decision, or distance training: motivating SMEs to learn'', Vol. 37 No. 5, pp. 437-44. Education + Training, Vol. 42 No. 4-5, pp. 308-16. Biederman, D. (2000), ``The weak link'', Traffic World, Millward, N., Stevens, M., Smart, D. and Hawes, W.R. 16 October, available at: www.findarticles.com/cf_0/ (1992), Workplace Industrial Eelations in Transition: m0VOO/3_264/66277581/print.jhtml the ED/ESRC/PSI/ACAS Surveys, Dartmouth, Aldershot. Cicutti, N. (1996), ``Premiums to rise after IRA bomb costs Moyes, J. (1996) "Bombed, battered, unbowed, Manchester £400m'', The Independent, 13 July, p. 20. gets back to business as usual'', The Independent, CNN.com (1999), ``NASA: human error caused loss of Mars 2 November, available at: www.rebuilding- orbiter'', 10 November, available at: www.cnn.com/ manchester.co.uk/articles/art27.htm TECH/space/9911/10/orbiter.02/ Nairn, G. (2000), ``IT in retailing: retailer's suppliers can Daily Telegraph (2000a), ``Businesses may never recover monitor product demand'', 3 May, available at: from the floods'', Daily Telegraph, 4 December, www.ft.com/ftsurveys/spaad6.htm available at: http://web4.infotrac.galegroup.com National Computing Centre (NCC) (1996), ``How real is the Daily Telegraph (2000b), ``High street suffered in fuel crisis'', threat?'', NCC, available at: www.ncc.co.uk National Computing Centre (NCC) (2000), ``The business Daily Telegraph, 23 September, available at: http:// information security survey'', NCC, available at: web4.infotrac.galegroup.com www.ncc.co.uk Das, T.K. and Teng, B.-S. (1999), ``Managing risks in National Criminal Intelligence Service (NCIS) (2000), ``2000 strategic alliances'', The Academy of Management UK threat assessment'', NCIS, available at: www.ncis. Executive, Vol. 13 No. 4, November, p. 50. org.uk Davies, L. (2000), ``This time its personnel'', The Guardian, Rawstorne, T. (2001), ``Still more to come: the Met men 30 November, available at: www.guardianunlimited. warn things will only get wetter this weekend'', co.uk/Print/0,3858,4098219,00.html Daily Mail, 9 February, p. 9. Department of Trade and Industry (DTI) (2000), ``Small and Renton, J. (2000a), ``Textile makers must cut their cloth to medium enterprise (SME) statistics for the UK, 1999'', suit the 21st century'', Sunday Times, 7 July, Statistical News Release, DTI, 7 August, available at: available at: www.enterprisenetwork.co.uk/ www.dti.gov.uk/ knowledge_store/ Environment Agency (2001), available at: Renton, J. (2000b), ``Small suppliers must adapt to survive in www.environment-agency.gov.uk/ aerospace shake-out'', Sunday Times, 27 August, Ernst & Young (2001), Information Security Survey 2001, available at: www.enterprisenetwork.co.uk/ Ernst & Young, available at: www.ey.com knowledge_store/ Fearne, A. and Hughes, D. (1998), ``Success factors in the Roos, J. (1996), ``Intellectual capital: what you can measure fresh produce supply chain: some examples from the you can manage'', Perspectives for Manager, IMD, UK'', executive summary, Wye College, London. No. 10, November. 195
  • 15. Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196 Rutstein, D. (2000), ``Narrow escape from floodwaters'', Zsidisin, G.A., Panelli, A. and Upton, R. (2000), ``Purchasing available at: www.thisisyork.co.uk/york/news/Floods/ organization involvement in risk assessments'', Supply news30.html Chain Management: An International Journal, Vol. 5 Sullivan, S. (1999), ``Human error: bigger problem than No. 4, pp. 187-97. disasters'', ENT, Vol. 4 No. 9, May, p. 3. Sunday Times (1998), ``Skills gap threatens nice little earner'', Sunday Times, 22 November, available at: www.enterprise network.co.uk/knowledge_store/ Further reading casestudy_detail. asp?d_id=4 AT Kearney (2000), ``Strategic information technology and Sunday Times (2000a), ``Grants for flooding'', Sunday Times, the CEO agenda'', available at: www.atkearney.com 19 November, p. 20. Blackburn, R. and Athayde, R. (2000), ``Making the Sunday Times (2000b), ``Intellectual property'', Sunday connection: the effectiveness of Internet training in Times, 1 August, available at: www.enterprise small businesses'', Education + Training, Vol. 42 network.co.uk/knowledge_store/ No. 4-5, pp. 289-98. Tesco (2001), ``Tesco preliminary statement of results ± 52 Parkinson, G. (2000), ``Fuel crisis takes its toll across the weeks'', 10 April, available at: www.tesco.com/ board'', Daily Telegraph, 13 September, available at: talkingTesco/corporateinfo.htm www.telegraph.co.uk/et?ac= 005236261357609& Youett, C. (2001), ``Don't dig yourself into a hole'', IBM rtmo=V15xP1wx&atmo=99999999&pg=/et/00/9/13/ Today, February, pp. 47-9. cxmktrep.html 196