1. Supply Chain Management: An International Journal
Emerald Article: Supply chain risk management
Peter Finch
Article information:
To cite this document:
Peter Finch, (2004),"Supply chain risk management", Supply Chain Management: An International Journal, Vol. 9 Iss: 2 pp. 183 - 196
Permanent link to this document:
http://dx.doi.org/10.1108/13598540410527079
References: This document contains references to 45 other documents
Citations: This document has been cited by 4 other documents
Case study

Supply chain risk management

Peter Finch

The author
Peter Finch is a Risk Management Consultant with AEA Technology, Warrington, UK.

Keywords
Supply chain management, Risk management, Small to medium-sized enterprises, Information systems

Abstract
This article presents a secondary analysis of the literature, supplemented by case studies to determine if large companies increase their exposure to risk by having small- and medium-size enterprises (SMEs) as partners in business critical positions in the supply chain, and to make recommendations concerning best practice. A framework defining the information systems (IS) environment is used to structure the review. The review found that large companies' exposure to risk appeared to be increased by inter-organisational networking. Having SMEs as partners in the supply chain further increased the risk exposure. SMEs increased their own exposure to risk by becoming partners in a supply chain. These findings indicate the importance of undertaking risk assessments and considering the need for business continuity planning when a company is exposed to inter-organisational networking.

Supply Chain Management: An International Journal, Volume 9, Number 2, 2004, pp. 183-196. © Emerald Group Publishing Limited, ISSN 1359-8546. DOI 10.1108/13598540410527079

The views expressed in this article are those of the author and not necessarily of his employer.

Introduction
Do large companies increase their exposure to risk by having small to medium-sized enterprises (SMEs) as partners in business critical positions in the supply chain?
This article presents a review of the literature, supplemented by case studies that aims to determine if large companies are taking unnecessary risks related to information systems (IS) management and maintenance of the supply chain.

Methods
Secondary analysis of published and grey literature, and case studies was undertaken. The aim of the search strategy was to be comprehensive but not exhaustive. The material was restricted to the English language as there were insufficient resources for translation. The search strategy was as follows.

Published and grey literature
Electronic searches of the following journal databases were undertaken to identify published literature: ANBAR, BIDS, Emerald, Infotrac, INSPEC, and Ei Compendex. This was supplemented by online searches using the Copernic, Google, and Northern Light search engines:
- Electronic searches were undertaken using the terms "SME", "small business", "supply chain", "risk", "risk management", "business continuity", and "disaster". Search dates were restricted to between 1995 and 2001.
- Additional grey literature (for example, newspaper articles, trade magazines, company policies and procedures) was obtained.
- Hand searching was undertaken to identify relevant published and grey literature not identified by electronic searches.

Case studies
The case studies originate from newspapers, magazine and journal articles, and examples from the author's own practice.

In total, in excess of 2,000 articles, papers, surveys and case studies were obtained and screened. Relevant literature was extracted for analysis.

Framework
Bandyopadhyay et al.'s (1999) IS environment and risk identification framework is used to structure the review. Bandyopadhyay et al. defined the IS environment within a company as comprising three levels:
(1) the application level;
(2) the organisational level; and
(3) the inter-organisational level.
The risks affecting each of these environments are outlined in Table I.
In the following sections, case studies and evidence from the literature are used as examples of the IS risk types outlined in Bandyopadhyay et al.'s framework, and their impact upon SMEs, large companies and the supply chain. Where available, examples of best practice are identified.

Table I Framework for structuring the review and summary of IS risks
IS environment and risk identification

| IS environment | Type of IS risk | Examples of IS risks |
|---|---|---|
| 1. Application level. The risk of technical or implementation failure of an application resulting from either internal or external factors | Natural disaster - flood, storm/lightning strike, disease/epidemic | Flooding |
| | Accidents - fires, poorly designed, constructed or maintained systems, buildings, policies and procedures (human error) | Human error |
| | Deliberate acts (physical actions) - sabotage, theft, vandalism, terrorism and hoaxes | Terrorism |
| | Data information security risks - hackers, viruses, destruction and denial of access | Information security |
| | Management issues - decision making, human resourcing, (succession planning, skill acquisition and retention) | Skill acquisition and retention |
| 2. Organisational level. The risks from the strategic implementation of IS throughout all functional areas | As above plus: Legal risk - violation of rights, intellectual property | Intellectual property/capital |
| | Strategic decision making: Competitor's actions | Strategic re-organisation |
| | Strategic and sustainability risks. Lack of investment to sustain competitive advantage | |
| | Increased bargaining power - suppliers and customers | |
| 3. Inter-organisational level. The risks associated with inter-organisational networking | As above plus: weak or ineffective control - of suppliers or customers' systems, policies and procedures | Risk from strategic alliances |

Source: Bandyopadhyay et al. (1999)

1 The application level

Natural disasters
Whilst these risks affect both large companies and SMEs equally, they may affect SMEs disproportionately hard because of their size and limited resources.
Research by the Guardian IT Group (Youett, 2001) into their clients' invocation of business continuity plans found that almost 2 per cent of IS failures in the UK are caused by flood or storm. The following review of the literature looks at the preparedness of a small organisation when faced with flooding and the potential for disruption of the supply chain.

Flooding
A National Computer Centre (NCC, 1996) survey in 1996 reported that 5 per cent of large
companies had experienced flooding. No figures were given for SMEs, however, there is no reason to imagine the figure should differ greatly. The average cost to a large company was found to be £25,540 with a maximum cost of £100,000 (1996 prices). SMEs would probably suffer lower costs should such events occur due to their lower investment in IS. It is likely that the costs would still be considerable when compared to the size of an SME and its available resources.
In the UK, floods in late 2000 and early 2001 brought wide-scale disruption. In October, November and December 2000 between one-and-a-half and two times normal rainfall occurred (Environment Agency, 2001). Disruption was widespread with many companies, particularly smaller ones, going out of business or facing an uncertain future (Jolly, 2000). The Federation of Small Businesses gave £20,000 to each of the regions hit by flooding towards the cost of temporary accommodation (Sunday Times, 2000a). In Lewes in East Sussex over 200, mostly small companies were affected by the flooding (Daily Telegraph, 2000a). This led to Sussex Enterprise requesting that the government should draw up contingency plans to help these companies.
There are some instances where small companies have exhibited good risk planning and management. One sector badly affected by flooding was the brewing and leisure industry. Pubmaster (a pub operator) estimated that the floods would cost the industry upwards of £100 million in damage and lost revenue with many small firms going out of business (The Independent, 2000). The following case study examines the preparedness of a public house, the King's Arms, when faced with flooding.

The King's Arms
In York, which suffered extensive flooding of the River Ouse in both 2000 and 2001, many companies suffered long-term damage. The King's Arms public house, which is located on and at times in the River Ouse was not one of them (Rawstorne, 2001). The pub has a "mobile" bar and all fixtures and fittings can be removed quickly. Electrical wiring is at ceiling height, the floors flagged and the walls tiled or covered with waterproof plaster. In October 2000 the King's Arms, along with other pubs and restaurants on the same stretch of river, was flooded. Within 24 hours of the flood water subsiding the pub was able to open. Not all establishments were so prepared or had assessed the risks. The nearby Ship Inn was closed for three months whilst a £250,000 refit was underway (Rutstein, 2000). In this example the brewery may have business continuity procedures in place to ensure its own continuity, however, if a significant number of outlets in the supply chain are unable to continue for an extended period (as was the case in York), then revenues will be harmed.

Flooding - best practice
Whilst this example does not relate specifically to the company's IS infrastructure, the aim is to demonstrate best practice by illustrating the preparedness of the small firm and the potential impact upon the supply chain. It is clear that the impact upon business can be reduced if potential risks are proactively managed, and there is a well-conceived and constructed business continuity plan in place.
The following section examines the risks faced by companies from accidents.

Accidents
These risks can to a large extent be mitigated by a company's policies and procedures. One potential source of accidents common to all sizes of company is human error.

Human error
A study by Broadcasters Network International (Sullivan, 1999) found that as much as 66 per cent of data loss was caused by human error. The National Computer Centre (NCC, 1996) survey in 1996 reported that 34 per cent of large companies had experienced human error. The average cost to an organisation was £3,570 with a maximum cost of £20,000 (1996 prices). There is no evidence to suggest that the incidence will be greatly different in small companies, however, the average costs may well differ. The following case study examines the effects of human error on two large companies in the supply chain.

NASA Mars missions
One of the largest and most public examples of human error in recent years was the loss of the North American Space Agency (NASA) Mars
Climate Orbiter, which disappeared in 1999 at a cost of $250 million. NASA had sub-contracted the construction of the Orbiter to Lockheed Martin. An independent review board blamed the loss of the Orbiter on poor project management, a lack of supervision, poor communications and short-sighted engineering. Specifically, the review board found that the root cause of the loss was the mission's navigation team being unfamiliar with the spacecraft and lacking training. Notably, the NASA team failed to detect a mistake by Lockheed Martin engineers who delivered navigation information in imperial rather than metric units. The review board concluded that the Climate Orbiter project team did not spend enough time studying what might go wrong during the mission and, consequently, developing contingency procedures to correct mistakes in flight (CNN.com, 1999).

Human error - best practice
The final report from the review board concluded that poor training, inadequate testing, minimal supervision and a lack of people and money meant that there was not enough margin or adequate funding. The result was that risk gradually grew throughout the programme. A thorough and ongoing project risk management process may have identified some of the problems faced by the programme.
Whilst this example focuses on large companies, it does highlight the threat posed by human error and how this threat may be amplified by any breakdown in communication between two companies in a supply chain. There is no evidence to suggest that SMEs are any better at communicating with partners than large companies, although case studies of three SMEs by Hill and Stewart (2000) found evidence to suggest internal communications in SMEs are better than larger companies.

Deliberate acts (physical actions)
These risks are to a limited extent under the control of the company. The NCC (1996) survey found that equipment theft had been experienced by 46 per cent of large companies. The average cost to the organisation was £26,730, with the maximum cost being £750,000. The incidence is likely to be similar for SMEs with the actual cost if not the relative cost being lower. The case study described below examines another deliberate act that has far-reaching and often unanticipated outcomes: the actions of terrorists.

Terrorism
Research by the Guardian IT Group reported by Youett (2001) found that almost 2 per cent of IS failures resulted from bombs or terrorist activities. The following case study examines the impact and aftermath of the Manchester (England) bombing in 1996.

Manchester bombing
The IRA bomb, which exploded in Manchester city centre in 1996 with the equivalent energy of 800 kg TNT, injured 216 people and affected over 4,000 companies; 49,000 m² of retail space and 57,000 m² of offices were lost (Jenkins, 1999).
Companies in the vicinity of the explosion found that even if there had not been any damage caused by the explosion, they were unable to access premises for at least three days because of a police cordon. Due to the damage caused by the bomb many companies had to relocate away from their original premises. Moyes (1996) reported that five months after the blast many small companies (and in total around 700 companies) had not returned to business. Because of the relocation and the negative publicity surrounding the bombing, those small companies that had returned reported takings were down by 50 per cent (Jeffay, 1996). The total loss in trade was estimated to be £5 million on the first day alone.
The Chartered Institute of Loss Adjusters stated that the insured cost of the bomb blast ranged between £25,000 for small units to more than £60 million for one store (Cicutti, 1996). The total cost of claims was estimated to be in the region of £400 million. Substantial proportions of the claims were related to business interruption rather than damage resulting from the bomb explosion itself. Youett (2001) found that it was unlikely that a company's commercial insurance policy covered disaster recovery or extended periods of interruption. This highlights the importance of not only having a business continuity plan, but also of transferring some risk via appropriate types and levels of insurance.

Terrorism - best practice
The Home Office (1998) report on the Manchester bomb recommended that those companies without a contingency plan needed to be encouraged to prepare one. Such a plan should include the issues of whether the staff should evacuate the building, and to plan and arrange for the temporary relocation of the business. The report went on to recommend that insurance policies should be reviewed regularly to ensure that they are up to date and cover all potential losses to the business from all possible causes, including disaster recovery and extended periods of disruption.

Data/information security risks
Data and information security risks are largely under the control of the organisation, although this is not always the case. An Information Security Survey by Ernst & Young (2001) that interviewed 273 chief information officers and IT directors of "leading companies" found that over 70 per cent of UK companies had suffered disruption to a critical IT service in the past 12 months and 31 per cent of these disruptions were attributed to failures of or in third party systems, suggesting that many companies are not addressing fully the risks posed by their partners or customers.
Those companies that have implemented information security policies or procedures may still be unaware of the risks they face. A study undertaken by ICSA.net (1999) examined 54 corporate Web sites that had implemented security technologies and policies in order to mitigate risk. This study found that of the companies:
- 60 per cent were susceptible to denial of service attacks;
- 80 per cent did not know what services were on their network and visible over the Internet;
- 80 per cent had insufficient security policies; and
- 70 per cent of sites with firewalls remained vulnerable to known attacks.
This study shows that even in instances where a company has data or information security policies and procedures, unless they have been carefully considered and implemented their utility may be limited.

Information security
Figure 1 is a graph from the NCC (2000) survey and shows the percentage of companies with an information security policy by size. It is clear from the data that SMEs, and in particular micro and small companies, exhibit less preparedness than larger companies.
The following case studies were sourced from the author's practice and examine some aspects of information security and the manner in which SMEs and large companies have approached the risks.

Figure 1 Percentage of companies with an information security policy

Virus detection/hacking
A large company had a well-respected virus detection tool on a network server and the virus database was kept up to date. Incoming e-mail messages were automatically scanned for viruses when they were opened. This appeared to be a well-managed situation, however, the e-mail scanner was not set up to monitor the e-mail and Web servers. A hacker was able to place a Trojan (information collecting "virus") on the Web server and this went undetected for over a month. The virus scanner should have been integrated with the firewall so that all messages passing across the firewall would be scanned.

Firewalls
As part of an information security workshop with a large company an employee informed a consultant that their network had a firewall. When this response was probed further it emerged that the client did indeed have a
firewall. Unfortunately the firewall only extended to coverage of one particular e-commerce application. The rest of the company's network (including all e-mail, intranet and Internet servers) was unprotected.
An SME had a relatively simple network serving 35 PCs. The company believed that they needed to create an extranet with a firewall to allow remote access to data and e-mail. Having reviewed the options they chose a reputable product, employed a contractor to install it for them, and enjoyed the benefits. What they failed to recognise was that a firewall requires management. The security policies employed must be carefully thought through, and the log files regularly scrutinised for traces of an attack. In this case an intrusion was detected by accident even though there was clear evidence in the firewall log.

Backups
A large company had an extensive network that was actively managed. Full backups were taken on a routine basis, with incremental backups being taken every night. It was common practice to store backups in a secure location off-site. A junior member of the IS department was tasked with taking the backup tapes to reception every morning. A courier would arrive to collect the latest tapes and return the oldest set. The junior member of staff was offered a job elsewhere. When the staff member left nobody took responsibility for managing the off-site backups. Consequently the courier arrived each day to deposit a box of tapes and take one away. It was over two months before someone noticed that the contents of the boxes never changed.
An SME had a digital audio tape (DAT) drive and "a few tapes" which they used to back up network servers. The IS manager did not understand the value of the data being stored on the servers, and believed that his equipment was reliable "because I've not had to change anything for ages". There were no current system or data backups and there would have been significant business disruption had a problem occurred.

User accounts/passwords
When working at a large company for an extended period, a consultant was given a user account on the company's network. The basic access rights did not allow use of one particular folder on a network drive. The consultant telephoned the IS help desk asking for additional access rights. Without further authorisation he was given access to the whole of the network, including personnel and medical records, financial information and minutes of the board meetings.
A network manager in an SME created a user account for a consultant, but did not delete the account when the work was completed. Over six months later he went back to the site and was able to log on again. His password had expired but he was allowed to change it as he logged on.

Information security - best practice
Information technology has become essential to the performance and effective running of many companies. As the above examples show, however, many companies, regardless of their size, do not appear to comprehend fully the extent to which their business depends on these systems. In many cases little consideration appeared to be given to the monitoring, control and security of these systems. This was despite the many surveys on the subject and the widespread recognition and publicity they receive. If the monitoring, control and security of these systems are ignored, the consequences can be far reaching with the potential to affect a company severely or even disastrously. The fact that SMEs have been shown to treat information security lightly should be a matter of concern for large companies with whom they may do business. This concern should be even greater if the companies are connected electronically via extranets or electronic data interchange (EDI). Companies should assess and manage the risks arising from the control and security of their own and other companies' systems effectively, allowing these consequences to be mitigated.

Management issues
Risks arising from management issues, which include decision making, succession planning, skill acquisition and retention can be mitigated to a large extent by organisational policies and procedures. Millward et al. (1992) found that, whereas larger companies rely greatly on formal methods and bureaucratic procedures by
specialist personnel departments, SME owners/managers are likely to handle recruiting and personnel matters without delegating and are unlikely to have relevant skills. The specific risks to SMEs from shortages of appropriate IS skills and knowledge are examined below and followed by a case study.

Skill acquisition and retention
According to a survey conducted for the Department of Trade and Industry (DTI, 2000) the perception that a shortage of IS skills is a barrier to the adoption and implementation of IS appears to be higher in medium and large companies. Figure 2 illustrates this perception and also demonstrates a correlation between the perception of a skills shortage, the level of formal IS training and the implementation of IS within companies.

Figure 2 UK companies' IT skill shortage and IT training

The reduced perception of a skills shortage amongst SMEs may be a result of a lower perceived requirement for IS within small companies or a greater degree of confidence in the SMEs' own ability to implement these technologies. A recent survey for the Federation of Small Businesses (2000) found that 53 per cent of small business owners or managers were either satisfied or very satisfied with their ability to implement new technologies. Davies (2000), however, suggests otherwise, reporting that those SMEs who rely on information technology, are increasingly facing an IS skills shortage and that the number of such SMEs is rising rapidly. The following case study examines the skill issues facing a Web-based car sales company.

Portfolio For Cars
A case highlighted by the Sunday Times (1998), that of "Portfolio For Cars", an Internet-based car sales Web media company, highlights the dilemmas encountered by SMEs when facing an IS skills shortage.
Portfolio had more than 600 franchised motor dealers using and paying for their services. In the 1997-1978 financial year Portfolio made a profit of almost £250,000 on sales of £1.1 million, from a staff of 63, nine of whom were IS staff. Staff turnover was extremely low and Portfolio had never lost staff to other companies. Due to expansion there was a need to expand the number of IS staff at the rate of one a month. This was proving to be very difficult. A number of reasons were cited for the difficulty in attracting suitable IS staff:
- high salary expectations of candidates (£30-55,000);
- shortage of appropriate Web related skills generally; which was exacerbated by
- scarce skills due to geographical location (edge of the Peak District).
Portfolio was unwilling to use contract staff for these IS roles. It was also reluctant to train unskilled staff, citing that there were too few people who have the basic skills required. One of the partners in the company laid the blame elsewhere, commenting:

  I just don't know if these people exist. Online commerce is the future of retail. Nowhere near enough secondary-school pupils are being trained in digital technologies to make it happen. British business is losing out as a result.

This appears to be a common attitude amongst SMEs. Hill and Stewart (2000) found that in SMEs IS related training and development often does not take place. Where it does it tends to be reactive and informal, aimed at solving short-term problems rather than the development of staff. Small firms tend not to have a lifelong learning culture or see a need for sustained improvement in organisational management (Lawless et al., 2000).

Skill acquisition and retention - best practice
For SMEs to want to implement human resource policies, account must be taken of their unique situation. The link between proactive human resource policy and business performance needs to be made clear to SME owners/managers. Alternatively, issues such as a skill shortage may ultimately impact upon partners in the supply chain. Zsidisin et al. (2000) highlighted the risk arising from the capacity constraints of a partner as being one of the major risks affecting supply chains. If human resource management risks are effectively assessed and managed by a company then there is a greater likelihood that suitable remedies can be identified early on.

2 The organisational level

Legal
Organisational policies and procedures can largely mitigate risks such as violation of rights, legal obligations of disclosure and intellectual property issues. Companies listed on the stock exchange (normally larger companies) have to comply with certain legal requirements relating to risk. This is not the case for most small companies. Another legal issue that can impact upon (often hi-tech) SMEs is the handling of intellectual property or capital.

Intellectual property/capital
According to Roos (1996), the intellectual property or capital of a company includes the knowledge and skills of its employees, the infrastructure, customer relationships, employee motivation, processes that leverage these assets and methods of doing business.
A survey by KPMG (Sunday Times, 2000b) found that intellectual property licensing revenues were worth more than $150 billion globally yet this is only 10 per cent of the total intellectual property assets. This suggests that around $1,350 billion of intellectual property assets are currently not realised. The National Criminal Intelligence Service (NCIS, 2000) estimates that in 1998 losses caused by intellectual property theft, in terms of UK sales not made, were £6.42 billion. SMEs' exposure to these losses is not made clear. However, SMEs involved in, for example, software and hardware related development play an important role in innovation. It is necessary for all companies, but especially SMEs, to understand the importance of protecting intellectual property. In particular the possession of intellectual property rights helps an organisation to:
- raise finance to develop and market inventions or innovations;
- license a product or service to competitors; and
- sell or license innovations to larger companies.
The following case study examines an SME that has actively protected its intellectual property and looks at the ways in which the company has benefited.

Gorix Textiles
Gorix is a manufacturer of hi-tech electro-conductive textiles that had sales in 1999 of £270,000 and employed four full- and two part-time staff (Renton, 2000a). Gorix's innovations included materials that regulate the flow of electrical heat according to body temperature, a "smart" fire jacket that warns the wearer when their body temperature is too high and, in conjunction with pharmaceutical companies, a heated dressing designed to speed up the healing process.
According to the company's two founders, the largest outlay for Gorix has been in legal fees relating to intellectual property. Gorix has spent a total of £280,000 on patents aimed at securing its intellectual property worldwide. This strong defence of intellectual property has meant that Gorix is now in a position to license the manufacture of a number of its products to competitors and larger companies.
The proactive approach to this particular legal issue has benefited the company twofold. First, Gorix's ongoing viability has been ensured and, second, it has allowed the company to utilise its intellectual property to competitive advantage.

Intellectual property/capital - best practice
Lang (2001) suggests that the proliferation of software and business method patents and the legal challenges that have become more common have made it necessary for hi-tech companies to scrutinise their legal risks and
adopt an intellectual property strategy. The above case study of Gorix highlights the importance of this for SMEs, and demonstrates the effectiveness of proactive assessment and management of risks.

Strategic decision making
Risks such as the actions of competitors and the increased bargaining power of customers and suppliers are external to the company. Formulating an appropriate and effective organisational strategy can to a certain extent mitigate these risks.

Strategic re-organisation
A recent report undertaken for 3COM (2000) Consulting found that 76 per cent of SMEs in the UK have no IS strategy and did not understand the competitive advantage offered by information technology. The research report concluded that the use of technology by small companies is reactive and complacent, while their budgets are poorly targeted. The following case study examines the strategic capabilities of an SME and its ability to change strategic focus when larger partners' requirements alter.

St Bernard Composites
The UK aerospace industry is the second largest earning export sector. Companies such as Rolls Royce and BAE Systems buy in about 70 per cent of their production content, much of it from smaller British companies. The aerospace supply chain provides employment for 80,000 people.

St Bernard Composites supplies advanced composite components to aero-engine and airframe manufacturers in the aerospace industry. They employ 195 staff and have a turnover of £20 million (Renton, 2000b). Following the publication of a report by AT Kearney and the Society of British Aerospace Companies (SBAC) (AT Kearney and SBAC, 2000) St Bernard reappraised its business strategy.

The AT Kearney and SBAC (2000) report found that the global aerospace industry had in the 1990s undergone a radical transformation due to:
• large reductions in global defence spending;
• erosion of a close privileged relationship with national governments due to commercial requirements and increases in technology costs; and
• rapid consolidation of prime contractors in the USA squeezing out smaller European competitors.

Renton (2000b) reported that large aerospace companies aimed to cut the number of suppliers by 80 per cent by utilising techniques first used in the car industry. UK SME suppliers were, therefore, faced with three main challenges to their survival, requiring them to adopt new strategies and new skills:
(1) a global redefinition of the existing supply chain;
(2) global competition leading to consolidation of major contractors; and
(3) customer expectation of self-financed research and development.

The major contractors effectively transferred risk and responsibility onto their suppliers. The AT Kearney and SBAC (2000) report concludes by stating that those SMEs who fail to adapt risk being eclipsed by globally oriented competitors.

Confronted by these challenges St Bernard began a wholesale rethink of the way they do business. St Bernard is:
• actively reducing costs by consolidating in a single location;
• investing in new technology;
• aggressively targeting export markets; and
• diversifying into new markets (using existing techniques and technologies).

St Bernard plans to differentiate itself by emphasising quality and continuous improvement. To this end, the company is introducing modern Japanese production techniques and concepts, investigating the possibilities of e-commerce, making strategic alliances and is considering the potential for merger.

Strategic re-organisation – best practice
Whilst the actions of competitors and suppliers external to the company cannot (in most cases) be strictly controlled, formulation and implementation of an appropriate and effective strategy can help a company prepare for many eventualities. In doing so, a company can improve its chances of long-term survival. The St Bernard example suggests that SMEs are at
just as great a risk from their partners in the supply chain as are large companies. It does, however, illustrate that SMEs are capable of changing the way they work in response to changing circumstances. Whether this case is representative of strategic decision making in SMEs is unclear. The high failure rate amongst SMEs suggests that it may not be.

3 Inter-organisational level

Weak or ineffective control
These risks are external to the company and can occur due to uncertainty arising from inter-organisational networking. The aim of this empirical review is to ascertain whether large companies increase their exposure to risk by having SMEs in business critical positions in their supply chain. Das and Teng (1999) suggest such strategic alliances with customers or suppliers are a high-risk strategy because a company has less control over the alliance than it has over its own subsidiaries. The following example examines the extent to which strategic alliances have become commonplace and the potential risks that they can face.

Risk from strategic alliances
In the UK, the supermarket sector was estimated to be worth around £66 billion in 1997. The largest six food retailers had a 76 per cent share of fruit and vegetable sales with the "big four" alone (Tesco, Sainsbury's, Asda and Safeway) accounting for 60 per cent of all grocery sales in the UK (Fearne and Hughes, 1998). These dominant companies have invested heavily in the development of their supply chains to increase efficiency and reduce costs. In order to limit their exposure to risk they have implemented increased monitoring and control of their suppliers. The following case studies examine the risks faced by two companies following the forming of a strategic alliance.

Tesco
Tesco is the largest and most profitable company in the UK supermarket sector. The results for 2000-2001 show group sales of £22.8 billion with profits before tax at £1.05 billion (Tesco, 2001). Since the 1980s, Tesco has used EDI to order goods from suppliers. The EDI network connects 1,300 of 2,000 suppliers (around 96 per cent by volume of goods sold) suggesting that many of the other 700 are small suppliers. The EDI network is well suited for the one-way exchange of structured transactions such as purchase orders with suppliers. However, it is not suitable for handling collaborative processes such as the management of promotions.

In order to overcome the drawbacks associated with the EDI system (and a target of bringing all of their suppliers online by 2000) Tesco rolled out a Web enabled supply chain (extranet) solution from GE Information Services. Suppliers paid from £100 to £100,000 to join the Tesco Information Exchange (TIE – the acronym is intentional), dependent on their size. At the time of writing 600 suppliers (approximately 65 per cent of Tesco business) were using the system. This allowed Tesco and its suppliers to jointly plan, execute, track and evaluate promotions by sharing common data as well as viewing daily electronic point-of-sale data from Tesco stores. Tesco hoped to achieve at least a 20 per cent reduction in stocks as well as increasing the number of products handled only once in the store by 30 per cent (Nairn, 2000).

St Ivel
St Ivel is a business unit of the Uniq (formerly Unigate) Group and employs over 1,450 staff at five production plants throughout the UK. A total of 70 per cent of production is branded and 30 per cent private label. St Ivel supplies many of the UK supermarkets including Tesco. According to a narrative article by Nairn (2000), TIE has saved St Ivel 30 per cent of annual promotional on-costs.

Tesco has, however, experienced difficulties in persuading all of its suppliers to utilise the system fully. Only two of their suppliers have changed fundamentally the way they work as a result of TIE, allowing them to bring products to market much faster than their competitors.

A risk in implementing such supply chain management systems, that are designed to tie suppliers to customers and vice versa, is the weakened level of control over supplies. This was exhibited clearly during the weeklong UK fuel crisis of September 2000. Biederman (2000) opined that:
The crisis revealed that modern day supply chains as finely tuned machines, are highly vulnerable, proving the old adage that a chain is only as strong as the weakest link.

Food and other deliveries to the supermarket chains including Tesco remained largely undisturbed due to the short length of the disruption. This would have been rather different had the crisis gone on any longer (Biederman, 2000). The supermarket's petrol stations were, however, severely disrupted and rapidly ran dry. This had a knock-on effect, as customers were unable to reach many supermarkets. The situation was sufficiently serious to worry investors, with Tesco shares falling by 4.75p (Parkinson, 2000) and analysts forecasting a £200 million reduction in retail sales in that one week alone (Daily Telegraph, 2000b).

Risk from strategic alliances – best practice
The weak control over suppliers and customers in the supply chain can be compounded by the risks highlighted, which affect links up or down the supply chain. Zsidisin et al. (2000) report that whilst proffering many companies a competitive advantage in the marketplace, outsourcing has resulted in corresponding increases in the level of corporate exposure to uncertain events with suppliers. A company should actively assess the risks and threats, not only to itself but also to its direct and indirect suppliers and customers.

Discussion
The aim of this review was to determine if large companies increase their exposure to risk by having SMEs as partners in business critical positions in the supply chain and make recommendations concerning best practice. A number of issues that could potentially impact on the rigour of the process arose that warrant further discussion.

The strength of using case studies is that they showed clearly that SMEs can assess and manage risk. However, there was strong evidence in the wider literature to suggest that many SMEs do not assess and manage risk adequately.

The case studies originated from a wide variety of sources. This made it difficult to compare like with like due to the diversity of the sources. Many of the original case studies had different aims to those of this empirical review. Relevant information may have been accessible if appropriate questions had been asked. In certain case studies information was incomplete or absent. In order to address this weakness, supplementary searching of the literature was undertaken to increase the validity of the case studies and the rigour of the research process.

Utilising predominantly secondary data for this empirical review allowed a broader selection of case studies to be identified. The case studies, however, did not in all cases examine risks affecting IS. This made it more difficult to generalise about the findings. The literature search revealed fewer IS risk case studies than would have been desirable. This lack of IS risk case studies impacts on the generalisability of the findings. This can be attributed in part to the difficulty of finding information regarding IS and IS risk management in SMEs. It would be useful to conduct a small number of case studies using primary research to verify the findings of this secondary analysis.

In addition, whilst identifying some incidences of best IS risk management practice, this review did not identify fully what constitutes best IS risk management practice. This may be due to a reporting bias in the literature that leans toward an examination of poor practice rather than best practice. A carefully constructed primary study designed to ascertain examples of best and poor practice needs to be undertaken to increase the rigour of this empirical review. Table II summarises the areas where best practice was identified in each case study.

A common theme identified from the case studies was that whilst there were few specific examples of best practice, there were valuable lessons to be learned from the way individual companies assessed and managed the risks confronting them and planned for the continuation of business should the worst happen.

The management of risk is, or should be, a core issue in the planning and management of any organisation. Bandyopadhyay et al. (1999) in their review of the literature stated that four
major components of risk management had been identified:
(1) Risk identification – identifying and quantifying the exposures that threaten a company's assets and profitability.
(2) Risk analysis – identifying and assessing the risks to which the company and its assets are exposed in order to select appropriate and justifiable safeguards.
(3) Risk reduction, transfer and acceptance – reducing or shifting the financial burden of loss so that, in the event of a catastrophe, a company can continue to function without severe hardship to its financial stability.
(4) Risk monitoring – continually assessing existing and potential exposure.

A company manages risk in order to protect its assets and profits, and stay in business. However, no matter how well risk is managed it is necessary to prepare for negative events. It is important to understand the distinction between risk management and planning for continued operation once a potential risk has occurred (business continuity planning). The management of risks and business continuity planning were two high-level examples identified from the case studies where best practice was demonstrated and positive outcomes were achieved.

Table II IS risks, impact on the supply chain and best practice

| Examples of IS risks | Examples of best practice |
| --- | --- |
| Flooding | The impact upon business can be reduced if potential risks are proactively managed, and there is a well-conceived and constructed business continuity plan in place |
| Human error | A thorough and ongoing project risk management process may have identified some of the problems faced by the programme |
| Terrorism | Those companies without a contingency plan need to be encouraged to prepare one – to include the issues of whether the staff should evacuate buildings, and to plan and arrange for the temporary relocation of the business. Insurance policies should be reviewed regularly to ensure that they are up to date and cover all potential losses to the business from all possible causes |
| Information security | If the monitoring, control and security of these systems is ignored, the consequences can be far reaching with the potential to affect a company severely or even disastrously. Companies should assess and manage the risks arising from the control and security of their own and other companies' systems effectively, allowing these consequences to be mitigated |
| Skill acquisition and retention | The link between proactive human resource management policy and business performance needs to be made clear to SME owners/managers. Alternatively, issues such as a skill shortage may ultimately impact upon partners in the supply chain. If such human resource management risks are effectively assessed and managed by a company then there is a greater likelihood that suitable remedies can be identified early on |
| Intellectual property/capital | The proliferation of software and business method patents and the legal challenges that have become more common have made it necessary for hi-tech companies to scrutinise their legal risks and adopt an intellectual property strategy. The case study of Gorix highlights the importance of this for SMEs, and demonstrates the effectiveness of proactive assessment and management of risks |
| Strategic re-organisation | Whilst the actions of competitors and suppliers external to the company cannot (in most cases) be strictly controlled, formulation and implementation of an appropriate and effective strategy can help a company prepare for many eventualities. In doing so, a company can improve its chances of long-term survival. The St Bernard example suggests that SMEs are at just as great a risk from their partners in the supply chain as are large companies |
| Risk from strategic alliances | The weak control over suppliers and customers in the supply chain can be compounded by the risks highlighted, which affect links up or down the supply chain. Zsidisin et al. (2000) report that whilst proffering many companies a competitive advantage in the marketplace, outsourcing has resulted in corresponding increases in the level of corporate exposure to uncertain events with suppliers. A company should actively assess the risks and threats, not only to itself but also to its direct and indirect suppliers and customers |

Conclusion
The review found that large companies' exposure to risk appeared to be increased by inter-organisational networking. Having SMEs as partners in the supply chain further increased
the risk exposure. SMEs increased their own exposure to risk by becoming partners in a supply chain and few had made an assessment of the risks involved or had a strategy in place for managing risk. These findings indicate the importance of undertaking risk assessments and considering the need for business continuity planning when a company is exposed to inter-organisational networking.

References
3COM (2000), "Research from 3Com reveals that over 75 per cent of SMEs currently have no IT strategy in place", 13 November, available at: www.3com.co.uk/news/prel_20001113_1.html
AT Kearney and SBAC (2000), "The impact of global aerospace consolidation on UK suppliers", available at: www.atkearney.com/pdf/eng/aero_consolidation.pdf
Bandyopadhyay, K., Mykytyn, P. and Mykytyn, K. (1999), "A framework for integrated risk management in information technology", Management Decision, Vol. 37 No. 5, pp. 437-44.
Biederman, D. (2000), "The weak link", Traffic World, 16 October, available at: www.findarticles.com/cf_0/m0VOO/3_264/66277581/print.jhtml
Cicutti, N. (1996), "Premiums to rise after IRA bomb costs £400m", The Independent, 13 July, p. 20.
CNN.com (1999), "NASA: human error caused loss of Mars orbiter", 10 November, available at: www.cnn.com/TECH/space/9911/10/orbiter.02/
Daily Telegraph (2000a), "Businesses may never recover from the floods", Daily Telegraph, 4 December, available at: http://web4.infotrac.galegroup.com
Daily Telegraph (2000b), "High street suffered in fuel crisis", Daily Telegraph, 23 September, available at: http://web4.infotrac.galegroup.com
Das, T.K. and Teng, B.-S. (1999), "Managing risks in strategic alliances", The Academy of Management Executive, Vol. 13 No. 4, November, p. 50.
Davies, L. (2000), "This time its personnel", The Guardian, 30 November, available at: www.guardianunlimited.co.uk/Print/0,3858,4098219,00.html
Department of Trade and Industry (DTI) (2000), "Small and medium enterprise (SME) statistics for the UK, 1999", Statistical News Release, DTI, 7 August, available at: www.dti.gov.uk/
Environment Agency (2001), available at: www.environment-agency.gov.uk/
Ernst & Young (2001), Information Security Survey 2001, Ernst & Young, available at: www.ey.com
Fearne, A. and Hughes, D. (1998), "Success factors in the fresh produce supply chain: some examples from the UK", executive summary, Wye College, London.
Federation of Small Businesses (2000), "Barriers to survival and growth in UK small firms", available at: www.fsb.org.uk
Hill, R. and Stewart, J. (2000), "Human resource development in small organizations", Journal of European Industrial Training, Vol. 24 No. 2-3-4, pp. 105-17.
Home Office (1998), "Business as usual: maximising business resilience to terrorist bombings", available at: www.homeoffice.gov.uk/rds/horspubs1.html
ICSA.net (1999), Information Security: A Practical Solution for Senior Management, available at: www.icsa.net
(The) Independent (2000), "Floods may cost pub industry £100m", The Independent, 8 November, p. 20.
Jeffay, J. (1996), "Come and find us", Manchester Metro News, 15 November, p. 1.
Jenkins, R. (1999), "Manchester rises from the rubble", The Times, 25 November, p. 19.
Jolly, I. (2000), "Murky future for flood hit firms", 2 November, available at: http://news.bbc.co.uk/hi/english/business/newsid_998000/998734.stm
Lang, J.C. (2001), "Management of intellectual property rights: strategic patenting", Journal of Intellectual Capital, Vol. 2 No. 1, pp. 8-26.
Lawless, N., Allan, J. and O'Dwyer, M. (2000), "Face-to-face or distance training: motivating SMEs to learn", Education + Training, Vol. 42 No. 4-5, pp. 308-16.
Millward, N., Stevens, M., Smart, D. and Hawes, W.R. (1992), Workplace Industrial Relations in Transition: the ED/ESRC/PSI/ACAS Surveys, Dartmouth, Aldershot.
Moyes, J. (1996), "Bombed, battered, unbowed, Manchester gets back to business as usual", The Independent, 2 November, available at: www.rebuilding-manchester.co.uk/articles/art27.htm
Nairn, G. (2000), "IT in retailing: retailer's suppliers can monitor product demand", 3 May, available at: www.ft.com/ftsurveys/spaad6.htm
National Computing Centre (NCC) (1996), "How real is the threat?", NCC, available at: www.ncc.co.uk
National Computing Centre (NCC) (2000), "The business information security survey", NCC, available at: www.ncc.co.uk
National Criminal Intelligence Service (NCIS) (2000), "2000 UK threat assessment", NCIS, available at: www.ncis.org.uk
Rawstorne, T. (2001), "Still more to come: the Met men warn things will only get wetter this weekend", Daily Mail, 9 February, p. 9.
Renton, J. (2000a), "Textile makers must cut their cloth to suit the 21st century", Sunday Times, 7 July, available at: www.enterprisenetwork.co.uk/knowledge_store/
Renton, J. (2000b), "Small suppliers must adapt to survive in aerospace shake-out", Sunday Times, 27 August, available at: www.enterprisenetwork.co.uk/knowledge_store/
Roos, J. (1996), "Intellectual capital: what you can measure you can manage", Perspectives for Manager, IMD, No. 10, November.
Rutstein, D. (2000), "Narrow escape from floodwaters", available at: www.thisisyork.co.uk/york/news/Floods/news30.html
Sullivan, S. (1999), "Human error: bigger problem than disasters", ENT, Vol. 4 No. 9, May, p. 3.
Sunday Times (1998), "Skills gap threatens nice little earner", Sunday Times, 22 November, available at: www.enterprisenetwork.co.uk/knowledge_store/casestudy_detail.asp?d_id=4
Sunday Times (2000a), "Grants for flooding", Sunday Times, 19 November, p. 20.
Sunday Times (2000b), "Intellectual property", Sunday Times, 1 August, available at: www.enterprisenetwork.co.uk/knowledge_store/
Tesco (2001), "Tesco preliminary statement of results – 52 weeks", 10 April, available at: www.tesco.com/talkingTesco/corporateinfo.htm
Youett, C. (2001), "Don't dig yourself into a hole", IBM Today, February, pp. 47-9.
Zsidisin, G.A., Panelli, A. and Upton, R. (2000), "Purchasing organization involvement in risk assessments", Supply Chain Management: An International Journal, Vol. 5 No. 4, pp. 187-97.

Further reading
AT Kearney (2000), "Strategic information technology and the CEO agenda", available at: www.atkearney.com
Blackburn, R. and Athayde, R. (2000), "Making the connection: the effectiveness of Internet training in small businesses", Education + Training, Vol. 42 No. 4-5, pp. 289-98.
Parkinson, G. (2000), "Fuel crisis takes its toll across the board", Daily Telegraph, 13 September, available at: www.telegraph.co.uk/et?ac=005236261357609&rtmo=V15xP1wx&atmo=99999999&pg=/et/00/9/13/cxmktrep.html