Supply chain 4
Upcoming SlideShare
Loading in...5

Supply chain 4






Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

Supply chain 4 Supply chain 4 Document Transcript

  • Supply Chain Management: An International JournalEmerald Article: Supply chain risk managementPeter FinchArticle information:To cite this document:Peter Finch, (2004),"Supply chain risk management", Supply Chain Management: An International Journal, Vol. 9 Iss: 2 pp. 183 - 196Permanent link to this document: on: 14-06-2012References: This document contains references to 45 other documentsCitations: This document has been cited by 4 other documentsTo copy this document: permissions@emeraldinsight.comThis document has been downloaded 11850 times since 2005. *Users who downloaded this Article also downloaded: *Ila Manuj, John T. Mentzer, (2008),"Global supply chain risk management strategies", International Journal of PhysicalDistribution & Logistics Management, Vol. 38 Iss: 3 pp. 192 - 223 Tummala, Tobias Schoenherr, (2011),"Assessing and managing risks using the Supply Chain Risk Management Process (SCRMP)",Supply Chain Management: An International Journal, Vol. 16 Iss: 6 pp. 474 - 483 Jüttner, (2005),"Supply chain risk management: Understanding the business requirements from a practitioner perspective", TheInternational Journal of Logistics Management, Vol. 16 Iss: 1 pp. 120 - 141 to this document was granted through an Emerald subscription provided by UNIVERSITY OF THE PUNJABFor Authors:If you would like to write for this, or any other Emerald publication, then please use our Emerald for Authors service.Information about how to choose which publication to write for and submission guidelines are available for all. Please for more information.About Emerald www.emeraldinsight.comWith over forty years experience, Emerald Group Publishing is a leading independent publisher of global research with impact inbusiness, society, public policy and education. In total, Emerald publishes over 275 journals and more than 130 book series, aswell as an extensive range of online products and services. Emerald is both COUNTER 3 and TRANSFER compliant. The organization isa partner of the Committee on Publication Ethics (COPE) and also works with Portico and the LOCKSS initiative for digital archivepreservation. *Related content and download information correct at time of download.
  • Introduction Case studySupply chain risk Do large companies increase their exposure to risk by having small to medium-sizedmanagement enterprises (SMEs) as partners in business critical positions in the supply chain?Peter Finch This article presents a review of the literature, supplemented by case studies that aims to determine if large companies are taking unnecessary risks related to information systems (IS) management and maintenance of the supply chain.The author MethodsPeter Finch is a Risk Management Consultant with AEA Secondary analysis of published and greyTechnology, Warrington, UK. literature, and case studies was undertaken. The aim of the search strategy was to beKeywords comprehensive but not exhaustive. TheSupply chain management, Risk management, material was restricted to the English languageSmall to medium-sized enterprises, Information systems as there were insufficient resources for translation. The search strategy was as follows.Abstract Published and grey literatureThis article presents a secondary analysis of the literature, Electronic searches of the following journalsupplemented by case studies to determine if large databases were undertaken to identifycompanies increase their exposure to risk by having published literature: ANBAR, BIDS, Emerald,small- and medium-size enterprises (SMEs) as partners in Infotrac, INSPEC, and Ei Compendex. Thisbusiness critical positions in the supply chain, and to make was supplemented by online searches using therecommendations concerning best practice. A framework Copernic, Google, and Northern Light searchdefining the information systems (IS) environment is used to engines:structure the review. The review found that large companies . Electronic searches were undertaken usingexposure to risk appeared to be increased by the terms ``SME, ``small business,inter-organisational networking. Having SMEs as partners in ``supply chain, ``risk, ``risk management,the supply chain further increased the risk exposure. SMEs ``business continuity, and ``disaster.increased their own exposure to risk by becoming partners in Search dates were restricted to betweena supply chain. These findings indicate the importance of 1995 and 2001.undertaking risk assessments and considering the need for . Additional grey literature (for example,business continuity planning when a company is exposed to newspaper articles, trade magazines,inter-organisational networking. company policies and procedures) was obtained.Electronic access . Hand searching was undertaken to identifyThe Emerald Research Register for this journal is available at relevant published and grey literature identified by electronic searches.The current issue and full text archive of this journal is Case studiesavailable at The case studies originate from newspapers, magazine and journal articles, and examplesSupply Chain Management: An International Journal from the authors own practice.Volume 9 . Number 2 . 2004 . pp. 183-196# Emerald Group Publishing Limited . ISSN 1359-8546 The views expressed in this article are those of theDOI 10.1108/13598540410527079 author and not necessarily of his employer. 183
  • Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196 In total, in excess of 2,000 articles, papers, supply chain. Where available, examples of bestsurveys and case studies were obtained and practice are identified.screened. Relevant literature was extracted foranalysis. 1 The application levelFramework Natural disastersBandyopadhyay et al.s (1999) IS environment Whilst these risks affect both large companiesand risk identification framework is used to and SMEs equally, they may affect SMEsstructure the review. Bandyopadhyay et al. disproportionately hard because of their sizedefined the IS environment within a company and limited comprising three levels: Research by the Guardian IT Group (Youett,(1) the application level; 2001) into their clients invocation of business(2) the organisational level; and continuity plans found that almost 2 per cent of(3) the inter-organisational level. IS failures in the UK are caused by flood orThe risks affecting each of these environments storm. The following review of the literatureare outlined in Table I. looks at the preparedness of a small In the following sections, case studies and organisation when faced with flooding and theevidence from the literature are used as potential for disruption of the supply chain.examples of the IS risk types outlined in FloodingBandyopadhyay et al.s framework, and their A National Computer Centre (NCC, 1996)impact upon SMEs, large companies and the survey in 1996 reported that 5 per cent of largeTable I Framework for structuring the review and summary of IS risks IS environment and risk identificationIS environment Type of IS risk Examples of IS risks1. Application level. The risk Natural disaster ± flood, storm/lightning strike, Flooding of technical or disease/epidemic implementation failure of Accidents ± fires, poorly designed, constructed or Human error an application resulting maintained systems, buildings, policies and from either internal or procedures (human error) external factors Deliberate acts (physical actions) ± sabotage, Terrorism theft, vandalism, terrorism and hoaxes Data information security risks ± hackers, viruses, Information security destruction and denial of access Management issues ± decision making, human Skill acquisition and resourcing, (succession planning, skill retention acquisition and retention)2. Organisational level. The As above plus: Legal risk ± violation of rights, Intellectual property/capital risks from the strategic intellectual property implementation of IS Strategic decision making: Strategic re-organisation throughout all functional Competitors actions areas Strategic and sustainability risks. Lack of investment to sustain competitive advantage Increased bargaining power ± suppliers and customers3. Inter-organisational level. As above plus: weak or ineffective control ± of Risk from strategic alliances The risks associated with suppliers or customers systems, policies and inter-organisational procedures networkingSource: Bandyopadhyay et al. (1999) 184
  • Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196companies had experienced flooding. No and restaurants on the same stretch of river, wasfigures were given for SMEs, however, there is flooded. Within 24 hours of the flood waterno reason to imagine the figure should differ subsiding the pub was able to open. Not allgreatly. The average cost to a large company establishments were so prepared or hadwas found to be £25,540 with a maximum cost assessed the risks. The nearby Ship Inn wasof £100,000 (1996 prices). SMEs would closed for three months whilst a £250,000 refitprobably suffer lower costs should such events was underway (Rutstein, 2000). In this exampleoccur due to their lower investment in IS. It is the brewery may have business continuitylikely that the costs would still be considerable procedures in place to ensure its ownwhen compared to the size of an SME and its continuity, however, if a significant number ofavailable resources. outlets in the supply chain are unable to In the UK, floods in late 2000 and early 2001 continue for an extended period (as was thebrought wide-scale disruption. In October, case in York), then revenues will be harmed.November and December 2000 between Flooding ± best practiceone-and-a-half and two times normal rainfall Whilst this example does not relate specificallyoccurred (Environment Agency, 2001). to the companys IS infrastructure, the aim is toDisruption was widespread with many demonstrate best practice by illustrating thecompanies, particularly smaller ones, going out preparedness of the small firm and the potentialof business or facing an uncertain future (Jolly, impact upon the supply chain. It is clear that2000). The Federation of Small Businesses the impact upon business can be reduced ifgave £20,000 to each of the regions hit by potential risks are proactively managed, andflooding towards the cost of temporary there is a well-conceived and constructedaccommodation (Sunday Times, 2000a). In business continuity plan in place.Lewes in East Sussex over 200, mostly small The following section examines the riskscompanies were affected by the flooding (Daily faced by companies from accidents.Telegraph, 2000a). This led to Sussex Enterpriserequesting that the government should draw up Accidentscontingency plans to help these companies. These risks can to a large extent be mitigated by There are some instances where small a companys policies and procedures. Onecompanies have exhibited good risk planning potential source of accidents common to alland management. One sector badly affected by sizes of company is human error.flooding was the brewing and leisure industry.Pubmaster (a pub operator) estimated that the Human errorfloods would cost the industry upwards of £100 A study by Broadcasters Network Internationalmillion in damage and lost revenue with many (Sullivan, 1999) found that as much as 66 persmall firms going out of business (The cent of data loss was caused by human error.Independent, 2000). The following case study The National Computer Centre (NCC, 1996)examines the preparedness of a public house, survey in 1996 reported that 34 per cent of largethe Kings Arms, when faced with flooding. companies had experienced human error. The average cost to an organisation was £3,570 withThe Kings Arms a maximum cost of £20,000 (1996 prices).In York, which suffered extensive flooding of There is no evidence to suggest that thethe River Ouse in both 2000 and 2001, many incidence will be greatly different in smallcompanies suffered long-term damage. The companies, however, the average costs may wellKings Arms public house, which is located on differ. The following case study examines theand at times in the River Ouse was not one of effects of human error on two large companiesthem (Rawstorne, 2001). The pub has a in the supply chain.``mobile bar and all fixtures and fittings can beremoved quickly. Electrical wiring is at ceiling NASA Mars missionsheight, the floors flagged and the walls tiled or One of the largest and most public examples ofcovered with waterproof plaster. In October human error in recent years was the loss of the2000 the Kings Arms, along with other pubs North American Space Agency (NASA) Mars 185
  • Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196Climate Orbiter, which disappeared in 1999 at cost being lower. The case study describeda cost of $250 milllion. NASA had below examines another deliberate act that hassub-contracted the construction of the Orbiter far-reaching and often unanticipated outcomes:to Lockheed Martin. An independent review the actions of terrorists.board blamed the loss of the Orbiter on poor Terrorismproject management, a lack of supervision, poor Research by the Guardian IT Group reportedcommunications and short-sighted engineering. by Youett (2001) found that almost 2 per centSpecifically, the review board found that the of IS failures resulted from bombs or terroristroot cause of the loss was due to the missions activities. The following case study examinesnavigation team being unfamiliar with the the impact and aftermath of the Manchesterspacecraft and lacked training. Notably, the (England) bombing in 1996.NASA team failed to detect a mistake byLockheed Martin engineers who delivered Manchester bombingnavigation information in imperial rather than The IRA bomb, which exploded in Manchestermetric units. The review board concluded that city centre in 1996 with the equivalent energy ofthe Climate Orbiter project team did not spend 800kg TNT, injured 216 people and affectedenough time studying what might go wrong over 4,000 companies; 49,000m2 of retail spaceduring the mission and, consequently, and 57,000m2 of offices were lost (Jenkins,developing contingency procedures to correct 1999).mistakes in flight (, 1999). Companies in the vicinity of the explosion found that even if there had not been anyHuman error ± best practice damage caused by the explosion, they wereThe final report from the review board unable to access premises for at least three daysconcluded that poor training, inadequate because of a police cordon. Due to the damagetesting, minimal supervision and a lack of caused by the bomb many companies had topeople and money meant that there was not relocate away from their original premises.enough margin or adequate funding. The result Moyes (1996) reported that five months afterwas that risk gradually grew throughout the the blast many small companies (and in totalprogramme. A thorough and ongoing project around 700 companies) had not returned torisk management process may have identified business. Because of the relocation and thesome of the problems faced by the programme. negative publicity surrounding the bombing,Whilst this example focuses on large those small companies that had returnedcompanies, it does highlight the threat posed by reported takings were down by 50 per centhuman error and how this threat may be (Jeffay, 1996). The total loss in trade wasamplified by any breakdown in communication estimated to be £5 million on the first daybetween two companies in a supply chain. alone.There is no evidence to suggest that SMEs are The Chartered Institute of Loss Adjustersany better at communicating with partners than stated that the insured cost of the bomb blastlarge companies, although case studies of three ranged between £25,000 for small units toSMEs by Hill and Stewart (2000) found more than £60 million for one store (Cicutti,evidence to suggest internal communications in 1996). The total cost of claims was estimated toSMEs are better than larger companies. be in the region of £400 million. Substantial proportions of the claims were related toDeliberate acts (physical actions) business interruption rather than damageThese risks are to a limited extent under the resulting from the bomb explosion itself. Youettcontrol of the company. The NCC (1996) (2001) found that it was unlikely that asurvey found that equipment theft had been companys commercial insurance policyexperienced by 46 per cent of large companies. covered disaster recovery or extended periods ofThe average cost to the organisation was interruption. This highlights the importance of£26,730, with the maximum cost being not only having a business continuity plan, but£750,000. The incidence is likely to be similar also of transferring some risk via appropriatefor SMEs with the actual cost if not the relative types and levels of insurance. 186
  • Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196Terrorism ± best practice Information securityThe Home Office (1998) report on the Figure 1 is a graph from the NCC (2000)Manchester bomb recommended that those survey and shows the percentage of companiescompanies without a contingency plan needed with an information security policy by size. It isto be encouraged to prepare one. Such a plan clear from the data that SMEs, and in particularshould include the issues of whether the staff micro and small companies, exhibit lessshould evacuate the building, and to plan and preparedness than larger companies.arrange for the temporary relocation of the The following case studies were sourced frombusiness. The report went on to recommend the authors practice and examine some aspectsthat insurance policies should be reviewed of information security and the manner inregularly to ensure that they are up to date and which SMEs and large companies havecover all potential losses to the business from all approached the risks.possible causes, including disaster recovery and Virus detection/hackingextended periods of disruption. A large company had a well-respected virus detection tool on a network server and the virusData/information security risks database was kept up to date. Incoming e-mailData and information security risks are largelyunder the control of the organisation, although messages were automatically scanned forthis is not always the case. An Information viruses when they were opened. This appearedSecurity Survey by Ernst & Young (2001) that to be a well-managed situation, however, theinterviewed 273 chief information officers and e-mail scanner was not set up to monitor theIT directors of ``leading companies found that e-mail and Web servers. A hacker was able toover 70 per cent of UK companies had suffered place a Trojan (information collecting ``virus)disruption to a critical IT service in the past 12 on the Web server and this went undetected formonths and 31 per cent of these disruptions over a month. The virus scanner should havewere attributed to failures of or in third party been integrated with the firewall so that allsystems, suggesting that many companies are messages passing across the firewall would benot addressing fully the risks posed by their or customers. Firewalls Those companies that have implemented As part of an information security workshopinformation security policies or procedures may with a large company an employee informed astill be unaware of the risks they face. A study consultant that their network had a firewall.undertaken by (1999) examined 54 When this response was probed further itcorporate Web sites that had implemented emerged that the client did indeed have asecurity technologies and policies in order tomitigate risk. This study found that of the Figure 1 Percentage of companies with an information security policycompanies:. 60 per cent were susceptible to denial of service attacks;. 80 per cent did not know what services were on their network and visible over the Internet;. 80 per cent had insufficient security policies; and. 70 per cent of sites with firewalls remained vulnerable to known attacks.This study shows that even in instances where acompany has data or information securitypolicies and procedures, unless they have beencarefully considered and implemented theirutility may be limited. 187
  • Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196firewall. Unfortunately the firewall only access rights did not allow use of one particularextended to coverage of one particular folder on a network drive. The consultante-commerce application. The rest of the telephoned the IS help desk asking forcompanys network (including all e-mail, additional access rights. Without furtherintranet and Internet servers) was unprotected. authorisation he was given access to the whole An SME had a relatively simple network of the network, including personnel andserving 35 PCs. The company believed that medical records, financial information andthey needed to create an extranet with a firewall minutes of the board allow remote access to data and e-mail. A network manager in a SME created a userHaving reviewed the options they chose a account for a consultant, but did not delete thereputable product, employed a contractor to account when the work was completed. Overinstall it for them, and enjoyed the benefits. six months later he went back to the site andWhat they failed to recognise was that a firewall was able to log on again. His password hadrequires management. The security policies expired but he was allowed to change it as heemployed must be carefully thought through, logged on.and the log files regularly scrutinised for traces Information security ± best practiceof an attack. In this case an intrusion was Information technology has become essential todetected by accident even though there was the performance and effective running of manyclear evidence in the firewall log. companies. As the above examples show,Backups however, many companies, regardless of theirA large company had an extensive network that size, do not appear to comprehend fully thewas actively managed. Full backups were taken extent to which their business depend on theseon a routine basis, with incremental backups systems. In many cases little considerationbeing taken every night. It was common appeared to be given to the monitoring, controlpractice to store backups in a secure location and security of these systems. This was despiteoff-site. A junior member of the IS department the many surveys on the subject and thewas tasked with taking the backup tapes to widespread recognition and publicity theyreception every morning. A courier would arrive receive. If the monitoring, control and securityto collect the latest tapes and return the oldest of these systems are ignored, the consequencesset. The junior member of staff was offered a can be far reaching with the potential to affect ajob elsewhere. When the staff member left company severely or even disastrously. The factnobody took responsibility for managing the that SMEs have been shown to treatoff-site backups. Consequently the courier information security lightly should be a matterarrived each day to deposit a box of tapes and of concern for large companies with whom theytake one away. It was over two months before may do business. This concern should be evensomeone noticed that the contents of the boxes greater if the companies are connectednever changed. electronically via extranets or electronic data An SME had a digital audio tape (DAT) interchange (EDI). Companies should assessdrive and ``a few tapes which they used to back and manage the risks arising from the controlup network servers. The IS manager did not and security of their own and other companiesunderstand the value of the data being stored systems effectively, allowing theseon the servers, and believed that his equipment consequences to be mitigated.was reliable ``because Ive not had to changeanything for ages. There were no current Management issuessystem or data backups and there would have Risks arising from management issues, whichbeen significant business disruption had a include decision making, succession planning,problem occurred. skill acquisition and retention can be mitigatedUser accounts/passwords to a large extent by organisational policies andWhen working at a large company for an procedures. Millward et al. (1992) found that,extended period, a consultant was given a user whereas larger companies rely greatly on formalaccount on the companys network. The basic methods and bureaucratic procedures by 188
  • Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196 specialist personnel departments, SME shortage and that the number of such SMEs is owners/managers are likely to handle recruiting rising rapidly. The following case study and personnel matters without delegating and examines the skill issues facing a Web-based car are unlikely to have relevant skills. The specific sales company. risks to SMEs from shortages of appropriate IS Portfolio For Cars skills and knowledge are examined below and A case highlighted by the Sunday Times (1998), followed by a case study. that of ``Portfolio For Cars, an Internet-based Skill acquisition and retention car sales Web media company, highlights the According to a survey conducted for the dilemmas encountered by SMEs when facing Department of Trade and Industry (DTI, an IS skills shortage. 2000) the perception that a shortage of IS skills Portfolio had more than 600 franchised is a barrier to the adoption and implementation motor dealers using and paying for their of IS appears to be higher in medium and large services. In the 1997-1978 financial year companies. Figure 2 illustrates this perception Portfolio made a profit of almost £250,000 on and also demonstrates a correlation between the sales of £1.1 million, from a staff of 63, nine of perception of a skills shortage, the level of whom were IS staff. Staff turnover was formal IS training and the implementation of IS extremely low and Portfolio had never lost staff within companies. to other companies. Due to expansion there was The reduced perception of a skills shortage a need to expand the number of IS staff at the amongst SMEs may be a result of a lower rate of one a month. This was proving to be perceived requirement for IS within small very difficult. A number of reasons were cited companies or a greater degree of confidence in for the difficulty in attracting suitable IS staff: the SMEs own ability to implement these . high salary expectations of candidates technologies. A recent survey for the Federation (£30-55,000); of Small Businesses (2000) found that 53 per . shortage of appropriate Web related skills cent of small business owners or managers were generally; which was exacerbated by either satisfied or very satisfied with their ability . scarce skills due to geographical location to implement new technologies. Davies (2000), (edge of the Peak District). however, suggests otherwise, reporting that those SMEs who rely on information Portfolio was unwilling to use contract staff for technology, are increasingly facing an IS skills these IS roles. It was also reluctant to train unskilled staff, citing that there were too fewFigure 2 UK companies IT skill shortage and IT training people who have the basic skills required. One of the partners in the company laid the blame elsewhere, commenting: I just dont know if these people exist. Online commerce is the future of retail. Nowhere near enough secondary-school pupils are being trained in digital technologies to make it happen. British business is losing out as a result. This appears to be a common attitude amongst SMEs. Hill and Stewart (2000) found that in SMEs IS related training and development often does not take place. Where it does it tends to be reactive and informal, aimed at solving short-term problems rather than the development of staff. Small firms tend not to have a lifelong learning culture or see a need for sustained improvement in organisational management (Lawless et al., 2000). 189
  • Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196Skill acquisition and retention ± best practice hardware related development play anFor SMEs to want to implement human important role in innovation. It is necessary forresource policies, account must be taken of all companies, but especially SMEs, totheir unique situation. The link between understand the importance of protectingproactive human resource policy and business intellectual property. In particular theperformance needs to be made clear to SME possession of intellectual property rights helpsowners/managers. Alternatively, issues such as a an organisation to:skill shortage may ultimately impact upon . raise finance to develop and marketpartners in the supply chain. Zsidisin et al. inventions or innovations;(2000) highlighted the risk arising from the . license a product or service to competitors;capacity constraints of a partner as being one of andthe major risks affecting supply chains. If . sell or license innovations to largerhuman resource management risks are companies.effectively assessed and managed by a company The following case study examines an SME thatthen there is a greater likelihood that suitable has actively protected its intellectual propertyremedies can be identified early on. and looks at the ways in which the company has benefited. Gorix Textiles2 The organisational level Gorix is a manufacturer of hi-techLegal electro-conductive textiles that had sales inOrganisational policies and procedures can 1999 of £270,000 and employed four full- andlargely mitigate risks such as violation of rights, two part-time staff (Renton, 2000a). Gorixslegal obligations of disclosure and intellectual innovations included materials that regulate theproperty issues. Companies listed on the stock flow of electrical heat according to bodyexchange (normally larger companies) have to temperature, a ``smart fire jacket that warnscomply with certain legal requirements relating the wearer when their body temperature is tooto risk. This is not the case for most small high and, in conjunction with pharmaceuticalcompanies. Another legal issue that can impact companies, a heated dressing designed to speedupon (often hi-tech) SMEs is the handling of up the healing process.intellectual property or capital. According to the companys two founders, the largest outlay for Gorix has been in legalIntellectual property/capitalAccording to Roos (1996), the intellectual fees relating to intellectual property. Gorix hasproperty or capital of a company includes the spent a total of £280,000 on patents aimed atknowledge and skills of its employees, the securing its intellectual property worldwide.infrastructure, customer relationships, This strong defence of intellectual property hasemployee motivation, processes that leverage meant that Gorix is now in a position to licensethese assets and methods of doing business. the manufacture of a number of its products to A survey by KPMG (Sunday Times, 2000b) competitors and larger companies. The proactive approach to this particularfound that intellectual property licensing legal issue has benefited the company twofold.revenues were worth more than $150 billion First, Gorixs ongoing viability has beenglobally yet this is only 10 per cent of the total ensured and, second, it has allowed theintellectual property assets. This suggests that company to utilise its intellectual property toaround $1,350 billion of intellectual property competitive advantage.assets are currently not realised. The NationalCriminal Intelligence Service (NCIS, 2000) Intellectual property/capital ± best practiceestimates that in 1998 losses caused by Lang (2001) suggests that the proliferation ofintellectual property theft, in terms of UK sales software and business method patents and thenot made, were £6.42 billion. SMEs exposure legal challenges that have become moreto these losses is not made clear. However, common have made it necessary for hi-techSMEs involved in, for example, software and companies to scrutinise their legal risks and 190
  • Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196adopt an intellectual property strategy. The commercial requirements and increases inabove case study of Gorix highlights the technology costs; andimportance of this for SMEs, and demonstrates . rapid consolidation of prime contractors inthe effectiveness of proactive assessment and the USA squeezing out smaller Europeanmanagement of risks. competitors. Renton (2000b) reported that large aerospaceStrategic decision making companies aimed to cut the number ofRisks such as the actions of competitors and the suppliers by 80 per cent by utilising techniquesincreased bargaining power of customers and first used in the car industry. UK SMEsuppliers are external to the company. suppliers were, therefore, faced with three mainFormulating an appropriate and effective challenges to their survival, requiring them toorganisational strategy can to a certain extent adopt new strategies and new skills:mitigate these risks. (1) a global redefinition of the existing supplyStrategic re-organisation chain;A recent report undertaken for 3COM (2000) (2) global competition leading to consolidationConsulting found that 76 per cent of SMEs in of major contractors; andthe UK have no IS strategy and did not (3) customer expectation of self-financedunderstand the competitive advantage offered research and information technology. The research report The major contractors effectively transferredconcluded that the use of technology by small risk and responsibility onto their suppliers. Thecompanies is reactive and complacent, while AT Kearney and SBAC (2000) reporttheir budgets are poorly targeted. The following concludes by stating that those SMEs who failcase study examines the strategic capabilities of to adapt risk being eclipsed by globally orientedan SME and its ability to change strategic focus competitors.when larger partners requirements alter. Confronted by these challenges St Bernard began a wholesale rethink of the way they doSt Bernard Composites business. St Bernard is:The UK aerospace industry is the second . actively reducing costs by consolidating in alargest earning export sector. Companies such single location;as Rolls Royce and BAE Systems buy in about . investing in new technology;70 per cent of their production content, much . aggressively targeting export markets; andof it from smaller British companies. The . diversifying into new markets (usingaerospace supply chain provides employment existing techniques and technologies).for 80,000 people. St Bernard Composites supplies advanced St Bernard plans to differentiate itself bycomposite components to aero-engine and emphasising quality and continuousairframe manufacturers in the aerospace improvement. To this end, the company isindustry. They employ 195 staff and have a introducing modern Japanese productionturnover of £20 million (Renton, 2000b). techniques and concepts, investigating theFollowing the publication of a report by AT possibilities of e-commerce, making strategicKearney and the Society of British Aerospace alliances and is considering the potential forCompanies (SBAC) (AT Kearney and SBAC, merger.2000) St Bernard reappraised its business Strategic re-organisation ± best practicestrategy. Whilst the actions of competitors and suppliers The AT Kearney and SBAC (2000) report external to the company cannot (in most cases)found that the global aerospace industry had in be strictly controlled, formulation andthe 1990s undergone a radical transformation implementation of an appropriate and effectivedue to: strategy can help a company prepare for many. large reductions in global defence spending; eventualities. In doing so, a company can. erosion of a close privileged relationship improve its chances of long-term survival. The with national governments due to St Bernard example suggests that SMEs are at 191
  • Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196just as great a risk from their partners in the The EDI network connects 1,300 of 2,000supply chain as are large companies. It does, suppliers (around 96 per cent by volume ofhowever, illustrate that SMEs are capable of goods sold) suggesting that many of the otherchanging the way they work in response to 700 are small suppliers. The EDI network ischanging circumstances. Whether this case is well suited for the one-way exchange ofrepresentative of strategic decision making in structured transactions such as purchase ordersSMEs is unclear. The high failure rate amongst with suppliers. However, it is not suitable forSMEs suggests that it may not be. handling collaborative processes such as the management of promotions. In order to overcome the drawbacks3 Inter-organisational level associated with the EDI system (and a target of bringing all of their suppliers online by 2000)Weak or ineffective control Tesco rolled out a Web enabled supply chainThese risks are external to the company and can (extranet) solution from GE Informationoccur due to uncertainty arising from Services. Suppliers paid from £100 tointer-organisational networking. The aim of this £100,000 to join the Tesco Informationempirical review is to ascertain whether large Exchange (TIE ± the acronym is intentional),companies increase their exposure to risk by dependent on their size. At the time of writinghaving SMEs in business critical positions in 600 suppliers (approximately 65 per cent oftheir supply chain. Das and Teng (1999) Tesco business) were using the system. Thissuggest such strategic alliances with customers allowed Tesco and its suppliers to jointly plan,or suppliers are a high-risk strategy because a execute, track and evaluate promotions bycompany has less control over the alliance than sharing common data as well as viewing dailyit has over its own subsidiaries. The following electronic point-of-sale data from Tesco stores.example examines the extent to which strategic Tesco hoped to achieve at least a 20 per centalliances have become commonplace and the reduction in stocks as well as increasing thepotential risks that they can face. number of products handled only once in theRisk from strategic alliances store by 30 per cent (Nairn, 2000).In the UK, the supermarket sector was St Ivelestimated to be worth around £66 billion in St Ivel is a business unit of the Uniq (formerly1997. The largest six food retailers had a 76 per Unigate) Group and employs over 1,450 staff atcent share of fruit and vegetable sales with the five production plants throughout the UK. A``big four alone (Tesco, Sainsburys, Asda and total of 70 per cent of production is brandedSafeway) accounting for 60 per cent of all and 30 per cent private label. St Ivel suppliesgrocery sales in the UK (Fearne and Hughes, many of the UK supermarkets including Tesco.1998). These dominant companies have According to a narrative article by Nairninvested heavily in the development of their (2000), TIE has saved St Ivel 30 per cent ofsupply chains to increase efficiency and reduce annual promotional on-costs.costs. In order to limit their exposure to risk Tesco has, however, experienced difficultiesthey have implemented increased monitoring in persuading all of its suppliers to utilise theand control of their suppliers. The following system fully. Only two of their suppliers havecase studies examine the risks faced by two changed fundamentally the way they work as acompanies following the forming of a strategic result of TIE, allowing them to bring productsalliance. to market much faster than their competitors.Tesco A risk in implementing such supply chainTesco is the largest and most profitable management systems, that are designed to tiecompany in the UK supermarket sector. The suppliers to customers and vice versa, is theresults for 2000-2001 show group sales of weakened level of control over supplies. This£22.8 billion with profits before tax at £1.05 was exhibited clearly during the weeklong UKbillion (Tesco, 2001). Since the 1980s, Tesco fuel crisis of September 2000. Biedermanhas used EDI to order goods from suppliers. (2000) opined that: 192
  • Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196 The crisis revealed that modern day supply chains compare like with like due to the diversity of the as finely tuned machines, are highly vulnerable, sources. Many of the original case studies had proving the old adage that a chain is only as strong different aims to those of this empirical review. as the weakest link. Relevant information may have been accessibleFood and other deliveries to the supermarket if appropriate questions had been asked. Inchains including Tesco remained largely certain case studies information was incompleteundisturbed due to the short length of the or absent. In order to address this weakness,disruption. This would have been rather supplementary searching of the literature wasdifferent had the crisis gone on any longer undertaken to increase the validity of the case(Biederman, 2000). The supermarkets petrol studies and the rigour of the research process.stations were, however, severely disrupted and Utilising predominantly secondary data forrapidly ran dry. This had a knock-on effect, as this empirical review allowed a broadercustomers were unable to reach many selection of case studies to be identified. Thesupermarkets. The situation was sufficiently case studies, however, did not in all casesserious to worry investors, with Tesco shares examine risks affecting IS. This made it morefalling by 4.75p (Parkinson, 2000) and analysts difficult to generalise about the findings. Theforecasting a £200 million reduction in retail literature search revealed fewer IS risk casesales in that one week alone (Daily Telegraph, studies than would have been desirable. This2000b). lack of IS risk case studies impacts on theRisk from strategic alliances ± best practice generalisability of the findings. This can beThe weak control over suppliers and customers attributed in part to the difficulty of findingin the supply chain can be compounded by the information regarding IS and IS riskrisks highlighted, which affect links up or down management in SMEs. It would be useful tothe supply chain. Zsidisin et al. (2000) report conduct a small number of case studies usingthat whilst proffering many companies a primary research to verify the findings of thiscompetitive advantage in the marketplace, secondary analysis.outsourcing has resulted in corresponding In addition, whilst identifying someincreases in the level of corporate exposure to incidences of best IS risk management practice,uncertain events with suppliers. A company this review did not identify fully whatshould actively assess the risks and threats, not constitutes best IS risk management practice.only to itself but also to its direct and indirect This may be due to a reporting bias in thesuppliers and customers. literature that leans toward an examination of poor practice rather than best practice. A carefully constructed primary study designed toDiscussion ascertain examples of best and poor practiceThe aim of this review was to determine if large needs to be undertaken to increase the rigour ofcompanies increase their exposure to risk by this empirical review. Table II summarises thehaving SMEs as partners in business critical areas where best practice was identified in eachpositions in the supply chain and make case study.recommendations concerning best practice. A A common theme identified from the casenumber of issues that could potentially impact studies was that whilst there were few specificon the rigour of the process arose that warrant examples of best practice, there were valuablefurther discussion. lessons to be learned from the way individual The strength of using case studies is that they companies assessed and managed the risksshowed clearly that SMEs can assess and confronting them and planned for themanage risk. However, there was strong continuation of business should the worstevidence in the wider literature to suggest that happen.many SMEs do not assess and manage risk The management of risk is, or should be, aadequately. core issue in the planning and management of The case studies originated from a wide any organisation. Bandyopadhyay et al. (1999)variety of sources. This made it difficult to in their review of the literature stated that four 193
  • Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196Table II IS risks, impact on the supply chain and best practiceExamples of IS risks Examples of best practiceFlooding The impact upon business can be reduced if potential risks are proactively managed, and there is a well-conceived and constructed business continuity plan in placeHuman error A thorough and ongoing project risk management process may have identified some of the problems faced by the programmeTerrorism Those companies without a contingency plan need to be encouraged to prepare one ± to include the issues of whether the staff should evacuate buildings, and to plan and arrange for the temporary relocation of the business. Insurance policies should be reviewed regularly to ensure that they are up to date and cover all potential losses to the business from all possible causesInformation security If the monitoring, control and security of these systems is ignored, the consequences can be far reaching with the potential to affect a company severely or even disastrously. Companies should assess and manage the risks arising from the control and security of their own and other companies systems effectively, allowing these consequences to be mitigatedSkill acquisition and retention The link between proactive human resource management policy and business performance needs to be made clear to SME owners/managers. Alternatively, issues such as a skill shortage may ultimately impact upon partners in the supply chain. If such human resource management risks are effectively assessed and managed by a company then there is a greater likelihood that suitable remedies can be identified early onIntellectual property/capital The proliferation of software and business method patents and the legal challenges that have become more common have made it necessary for hi-tech companies to scrutinise their legal risks and adopt an intellectual property strategy. The case study of Gorix highlights the importance of this for SMEs, and demonstrates the effectiveness of proactive assessment and management of risksStrategic re-organisation Whilst the actions of competitors and suppliers external to the company cannot (in most cases) be strictly controlled, formulation and implementation of an appropriate and effective strategy can help a company prepare for many eventualities. In doing so, a company can improve its chances of long-term survival. The St Bernard example suggests that SMEs are at just as great a risk from their partners in the supply chain as are large companiesRisk from strategic alliances The weak control over suppliers and customers in the supply chain can be compounded by the risks highlighted, which affect links up or down the supply chain. Zsidisin et al. (2000) report that whilst proffering many companies a competitive advantage in the marketplace, outsourcing has resulted in corresponding increases in the level of corporate exposure to uncertain events with suppliers. A company should actively assess the risks and threats, not only to itself but also to its direct and indirect suppliers and customers major components of risk management had However, no matter how well risk is managed it been identified: is necessary to prepare for negative events. It is (1) Risk identification ± identifying and important to understand the distinction quantifying the exposures that threaten a between risk management and planning for companys assets and profitability. continued operation once a potential risk has (2) Risk analysis ± identifying and assessing the occurred (business continuity planning). The risks to which the company and its assets management of risks and business continuity are exposed in order to select appropriate planning were two high-level examples and justifiable safeguards. identified from the case studies where best (3) Risk reduction, transfer and acceptance ± practice was demonstrated and positive reducing or shifting the financial burden of outcomes were achieved. loss so that, in the event of a catastrophe, a company can continue to function without severe hardship to its financial stability. Conclusion (4) Risk monitoring ± continually assessing The review found that large companies existing and potential exposure. exposure to risk appeared to be increased by A company manages risk in order to protect its inter-organisational networking. Having SMEs assets and profits, and stay in business. as partners in the supply chain further increased 194
  • Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196the risk exposure. SMEs increased their own Federation of Small Businesses (2000), ``Barriers to survivalexposure to risk by becoming partners in a and growth in UK small firms, available at: chain and few had made an assessment Hill, R. and Stewart, J. (2000), ``Human resourceof the risks involved or had a strategy in place development in small organizations, Journal offor managing risk. These findings indicate the European Industrial Training, Vol. 24 No. 2-3-4,importance of undertaking risk assessments and pp. 105-17. Home Office (1998), ``Business as usual: maximisingconsidering the need for business continuity business resilience to terrorist bombings, available at:planning when a company is exposed to networking. (1999), Information Security: A Practical Solution for Senior Management, available at: (The) Independent (2000), ``Floods may cost pub industryReferences £100m, The Independent, 8 November, p. 20. Jeffay, J. (1996), ``Come and find us, Manchester Metro3COM (2000), ``Research from 3Com reveals that over 75 News, 15 November, p. 1. per cent of SMEs currently have no IT strategy in Jenkins, R. (1999), ``Manchester rises from the rubble, place, 13 November, available at: The Times, 25 November, p. 19. news/prel_20001113_1.html Jolly, I. (2000), ``Murky future for flood hit firms,AT Kearney and SBAC (2000), ``The impact of global 2 November, available at: aerospace consolidation on UK suppliers, available english/business/newsid_998000/998734.stm at: Lang, J.C. (2001), ``Management of intellectual property pdf rights: strategic patenting, Journal of IntellectualBandyopadhyay, K., Mykytyn, P. and Mykytyn, K. (1999), ``A Capital, Vol. 2 No. 1, pp. 8-26. framework for integrated risk management in Lawless, N., Allan, J. and ODwyer, M. (2000), ``Face-to-face information technology, Management Decision, or distance training: motivating SMEs to learn, Vol. 37 No. 5, pp. 437-44. Education + Training, Vol. 42 No. 4-5, pp. 308-16.Biederman, D. (2000), ``The weak link, Traffic World, Millward, N., Stevens, M., Smart, D. and Hawes, W.R. 16 October, available at: (1992), Workplace Industrial Eelations in Transition: m0VOO/3_264/66277581/print.jhtml the ED/ESRC/PSI/ACAS Surveys, Dartmouth, Aldershot.Cicutti, N. (1996), ``Premiums to rise after IRA bomb costs Moyes, J. (1996) "Bombed, battered, unbowed, Manchester £400m, The Independent, 13 July, p. 20. gets back to business as usual, The Independent, (1999), ``NASA: human error caused loss of Mars 2 November, available at: www.rebuilding- orbiter, 10 November, available at: TECH/space/9911/10/orbiter.02/ Nairn, G. (2000), ``IT in retailing: retailers suppliers canDaily Telegraph (2000a), ``Businesses may never recover monitor product demand, 3 May, available at: from the floods, Daily Telegraph, 4 December, available at: National Computing Centre (NCC) (1996), ``How real is theDaily Telegraph (2000b), ``High street suffered in fuel crisis, threat?, NCC, available at: National Computing Centre (NCC) (2000), ``The business Daily Telegraph, 23 September, available at: http:// information security survey, NCC, available at:, T.K. and Teng, B.-S. (1999), ``Managing risks in National Criminal Intelligence Service (NCIS) (2000), ``2000 strategic alliances, The Academy of Management UK threat assessment, NCIS, available at: www.ncis. Executive, Vol. 13 No. 4, November, p. 50. org.ukDavies, L. (2000), ``This time its personnel, The Guardian, Rawstorne, T. (2001), ``Still more to come: the Met men 30 November, available at: www.guardianunlimited. warn things will only get wetter this weekend,,3858,4098219,00.html Daily Mail, 9 February, p. 9.Department of Trade and Industry (DTI) (2000), ``Small and Renton, J. (2000a), ``Textile makers must cut their cloth to medium enterprise (SME) statistics for the UK, 1999, suit the 21st century, Sunday Times, 7 July, Statistical News Release, DTI, 7 August, available at: available at: knowledge_store/Environment Agency (2001), available at: Renton, J. (2000b), ``Small suppliers must adapt to survive in aerospace shake-out, Sunday Times, 27 August,Ernst & Young (2001), Information Security Survey 2001, available at: Ernst & Young, available at: knowledge_store/Fearne, A. and Hughes, D. (1998), ``Success factors in the Roos, J. (1996), ``Intellectual capital: what you can measure fresh produce supply chain: some examples from the you can manage, Perspectives for Manager, IMD, UK, executive summary, Wye College, London. No. 10, November. 195
  • Supply chain risk management Supply Chain Management: An International Journal Peter Finch Volume 9 . Number 2 . 2004 . 183-196Rutstein, D. (2000), ``Narrow escape from floodwaters, Zsidisin, G.A., Panelli, A. and Upton, R. (2000), ``Purchasing available at: organization involvement in risk assessments, Supply news30.html Chain Management: An International Journal, Vol. 5Sullivan, S. (1999), ``Human error: bigger problem than No. 4, pp. 187-97. disasters, ENT, Vol. 4 No. 9, May, p. 3.Sunday Times (1998), ``Skills gap threatens nice little earner, Sunday Times, 22 November, available at: www.enterprise Further reading casestudy_detail. asp?d_id=4 AT Kearney (2000), ``Strategic information technology andSunday Times (2000a), ``Grants for flooding, Sunday Times, the CEO agenda, available at: 19 November, p. 20. Blackburn, R. and Athayde, R. (2000), ``Making theSunday Times (2000b), ``Intellectual property, Sunday connection: the effectiveness of Internet training in Times, 1 August, available at: www.enterprise small businesses, Education + Training, Vol. 42 No. 4-5, pp. 289-98.Tesco (2001), ``Tesco preliminary statement of results ± 52 Parkinson, G. (2000), ``Fuel crisis takes its toll across the weeks, 10 April, available at: board, Daily Telegraph, 13 September, available at: talkingTesco/corporateinfo.htm 005236261357609&Youett, C. (2001), ``Dont dig yourself into a hole, IBM rtmo=V15xP1wx&atmo=99999999&pg=/et/00/9/13/ Today, February, pp. 47-9. cxmktrep.html 196