U7

Vulnerability and Risk Management

This unit provided a series of interesting and intriguing concepts  on vulnerability and risk management in the assigned readings and media.  After you have completed the text and article readings and viewed  the videos, it is time for application to your selection Fortune 1000  company.

In this discussion, assess the vulnerability and risk to the supply  chain of your selected company. Your first step is deciding the scope  of the evaluation. Which global supply chain will be evaluated? Then,  based on the unit readings, assess risk and vulnerability, using the  using the concepts of supply chain as an interactive system model from  Figure 13.1 on page 266 in your Global logistics and Supply Chain Management  text, and/or the risk framework from Figure 1 in Liu and Daniels’s 2017  article, “Towards a Value-Based Method for Risk Assessment in Supply  Chain Operations.” 

 Your initial post must include all the assigned readings and must be a minimum of 250 words in length, with no maximum.  

13

Supply Chain Vulnerability,

Risk

, Robustness and Resilience

with Helen Peck

LEARNING OBJECTIVES

Provide working definitions for key concepts.

Explain why supply chain risk, robustness and resilience have emerged as important themes in SCM.

Address the problems surrounding interpretations and the treatment of ‘risk’ in management.

Highlight the need for a holistic approach to managing supply chain vulnerabilities.

Provide a structured framework for the identification and management of supply chain risk and resilience.

INTRODUCTION

In the mid-1990s the subject of supply chain risk or vulnerability would have been of little interest to anyone but professional logisticians and supply chain managers. Even then they would likely have interpreted ‘risk’ as simply the financial or competitive disadvantage resulting from a failure to implement ‘best practice’ SCM concepts. But times have changed. It is no longer unacceptable to acknowledge that bad practice may still flourish elsewhere in the network or that even well-managed operations can, and occasionally do, fail. This chapter provides an introduction to the complex, but fascinating subject of supply chain risk, and the related concepts of vulnerability, robustness and resilience.

Chapter 13 comprises five core sections:

Some working definitions

Changing times and an uncertain world

The shortcomings of risk management

The need for holistic approaches

A simple framework for a wicked problem

SOME WORKING DEFINITIONS

Chapter 1 of this book highlighted an enduring problem in logistics and SCM – confusion over key terms, even amongst specialists and academics. Things become doubly difficult when we begin to look at matters of supply chain risk, robustness and resilience.

Risk

The main problem stems from multiple meanings of the term ‘risk’. In decision theory it is a probability or a measure of the range of possible outcomes from a single totally rational decision and their values, in terms of upside gains and downside losses. The concept tends to be illustrated by examples from gambling. Alternatively, ‘risk’ is sometimes used to refer to a particular type of hazard or threat, for example technological risk or political risk. Finally, ‘risk’ may describe the downside-only consequences of a rational decision in terms of the resulting financial losses or number of casualties. The latter can be traced back to risk management disciplines, notably the safety and engineering literature.1 The reasoning behind each of these interpretations and why they matter in a logistics or SCM context will be visited later in this chapter.

Supply chain vulnerability

In the meantime we will use the term ‘risk’ as it relates to vulnerability as our point of embarkation; that is, ‘at risk: vulnerable; likely to be lost or damaged’. In Chapter 1 of this book we adopted a definition of a supply chain as ‘the network of organisations that are involved through upstream and downstream linkages in the different processes and activities that produce value in the form of products and services in the hands of the ultimate customer’.2 Given that supply chains comprise many different elements and that SCM embraces many different functions, it is perhaps useful to ask the question ‘What is it that is vulnerable, in other words at risk?’ Is it a product or service, the performance of a process or specific activities, the well-being of an organisation, a trading relationship or the wider networks as a whole? Or is it the vulnerability of one or more of these to some external malevolent force that should be the focus of our consideration? In fact, supply chain vulnerability takes in all of these.

Ideally we should strive to identify and manage known vulnerabilities by asking questions such as:

What has disrupted operations in the past?

What known weaknesses do we have?

What ‘near misses’ have we experienced?

Recording near misses is something that all organisations should do. Unfortunately, it does not always happen. Sometimes no one was aware that a near miss took place, and often they go unreported because people feel that the incident might reflect badly on them or their department. The willingness to report events of this kind is often dependent on the culture of the department or wider organisation. Forward-thinking organisations recognise that near misses are often warnings of worse to come.

Taking a more proactive stance, a good supply chain manager should also be asking ‘effects’ based questions, such as:

What would be the effect of a shortage of a key material?

What would be the effect of the loss of our distribution site?

What would be the effect of the loss of a key supplier or customer?

Robust SCM

Whilst individual managers might focus on the effects of a range of eventualities, some argue that everyday SCM strategy also plays a part. In Chapter 4 reference was made to the work of Christopher Tang,3 who identifies key elements of a robust SCM strategy. The dictionary definition of ‘robust’ is ‘strong in constitution, hardy, or vigorous’.4 Tang suggests that a robust strategy should enable a firm to manage regular fluctuations in demand efficiently under normal circumstances regardless of the occurrence of a major disruption. It might be supposed that any organization would actively seek to ensure such a position. However, as Tang points out, for a variety of reasons, this is not always the case. What is more, even if your own organization has implemented the tenets of best practice SCM, does this mean that your supply chain will not fail? Have other organizations in the supply chain all done the same? Even if they have, will that be enough to ensure operations continue? Research by Cranfield University, for example, into the UK food and drink industry suggests that there are instances when they will not.5 A robust strategy has much to commend it but does not in itself make a resilient supply chain.

Resilience

The term resilience is used to mean ‘the ability of a system to return to its original (or desired) state after being disturbed’. Based on a dictionary definition borrowed from the science of ecosystems,6 this definition has been adopted in much of the research into supply chain vulnerability, risk and resilience7

It encourages a whole system perspective

It explicitly accepts that disturbances happen

It implies adaptability to changing circumstances

If we are really to embrace the notion of global inter-organizational supply chains within a complex and dynamic environment, then this whole system-wide perspective is the position we should adopt when considering matters of supply chain risk or vulnerability.

CHANGING TIMES AND AN UNCERTAIN WORLD

In a complex inter-organizational supply chain it would of course be difficult if not impossible for anyone to identify every possible hazard or point of vulnerability. Moreover, it must be remembered that ‘known’ problems are only part of the picture.

Known unknowns, knowable unknowns and unknowable unknowns

To illustrate the point, we will look at some of the high profile events that have propelled supply chain vulnerability, risk and resilience onto the political and corporate agendas. First, though, we turn to the words of former US Secretary for Defense Donald Rumsfeld,8 whose famous and much derided quote9,10 brought to wider public attention the idea of ‘known unknowns’, ‘knowable unknowns’ and ‘unknowable unknowns’. These are useful touchstones to bear in mind when considering the wider subject of supply chain vulnerability, risk and resilience.

Reports that say that something has not happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; we know there are some things we do not know. But there are also unknown unknowns – the ones we do not know we don’t know. And if one looks throughout the history of our country and other free countries, it is the latter category that tends to be the difficult ones (Donald Rumsfeld, 12 February 2002)

Contrary to popular belief, Rumsfeld did not invent the concepts himself in an off-the-cuff attempt to justify the case for US military action against Iraq. He was in fact drawing directly on concepts used by researchers such as Chris Demchak, who drew on high reliability organisations11 and complex systems theory when working in the field of military logistics.12 Demchak investigated the underlying thinking behind the technology-driven idea of a ‘managed battle space’ in which all battlefield weapons systems are synchronised in real time with just-in-time logistics and supply. She concluded that this optimistic vision tends to ignore organisational implications and the uncertainties of the battlefield environment.

Y2K: the millennium bug

Y2K highlighted how dependent the societies of the developed world had become on information and communications technologies. In the UK, the government launched a public information campaign to encourage businesses to take the necessary measures to prevent systems crashes as dates rolled over to the year 2000, and to engage in business continuity planning13 just in case systems failures arose. Y2K was a ‘known known’, a discrete, known threat, within engineered systems. Once identified, the ‘millennium bug’ could be controlled and eliminated. As a result, the widely anticipated disruptions to supply chains never occurred. The government was delighted, believing that business continuity planning had saved the country from disaster, but the non-event left many managers sceptical as to whether the costly preventative measures had really been necessary.

Y2K highlights one of the intractable problems about proactive measures to improve organisational and supply chain resilience: if successful, preventative measures mean that nothing happens, which inevitably leads to questions of value or cost/benefits justification. Moreover, managers are highly unlikely to be promoted for spending money to prevent a non-event!.

It is very difficult to make a business case for proactive ‘just-in-case’ measures to improve resilience.

Creeping crises

Having survived Y2K with minimal problems, the UK economy fared less well in September 2000, when a small number of protestors blockaded some of the country’s oil refineries, causing chaos at the petrol pumps. The protests were an outpouring of simmering resentment among farmers and transport operators over rising fuel costs, driven in part by the government’s ‘fuel price escalator’. The escalator increased prices annually by 6% over and above the general rate of inflation. Within days the fuel crises escalated, resulting in serious disruptions to the operations of countless companies and to the national economy as a whole. The outbreak of foot and mouth disease in British livestock herds in February 2001 again resulted in damage to whole sectors of the economy.

What made these events so memorable was that even those who were aware of threats did not anticipate the scale of their impact across the UK economy. A survey undertaken by Cranfield University14 in 2002, involving 137 senior managers from both public and private sector companies, found that 82% of the organisations represented had been affected by the fuel protests, with 49% experiencing some impact from foot and mouth. Both these events could arguably be said to have been caused by ‘knowable unknowns’. There were clear warnings that farmers and transport companies were aggrieved over fuel duties and that some form of protest was a real possibility. Foot and mouth was a known threat to livestock, albeit one that had not been seen in the UK for a generation.

The impact of livestock diseases is something that might reasonably be expected to be included in the supplier monitoring activities of companies engaged in the production and distribution of food. But what about car manufacturers or high fashion apparel companies? The shortage of high-quality leather following the foot and mouth outbreak affected automotive manufacturers and fashion houses across Europe. It also had a catastrophic effect on the British tourism industry.

The scale and extent of the disruptions prompted the UK government to seek a better understanding of what are now sometimes referred to in emergency planning circles as creeping crises. During the fuel protests and the foot and mouth outbreak it was industry and government – not the usual ‘blue light’ emergency services – that found themselves in the unfamiliar role of ‘first responders’. These ‘creeping crises’ were remarkable in one other respect – they represented systemic supply chain disruptions.

Creeping crises illustrate the fact that supply chains are more than value-adding mechanisms underlying competitive business models. Supply chains link organisations, industries and economies. They are part of the fabric of society. Back in 1958, Jay Forrester, a Professor at Massachusetts Institute of Technology, predicted that ‘there will come a general recognition of the advantage enjoyed by the pioneering management who have been the first to improve their understanding of the interrelationships between separate company functions and between the company and its markets, its industry and the national economy’.15 Forrester is widely regarded as one of the founding fathers of SCM and of the study of industrial dynamics. SCM has made some progress towards Forrester’s vision, but the creeping crises of recent years suggest there is still work to be done.

Few realise that it was the creeping crises of 2000–2001, together with the outbreak of bovine spongiform encephalopathy (mad cow disease) in the 1990s, and increased incidences of flooding (not the threat of international terrorism) that prompted the most extensive review of UK national emergency planning policy since World War II. The inability of civil authorities to overcome the collapse of vital supply chains providing food, water, medicine, money, transport and communications to the citizens of New Orleans following Hurricane Katrina in 2005 is a clear example of why such work is necessary.

Post-9/11 security matters

More than any other event, the 9/11 terrorist attacks on New York and Washington marked the beginning of a change in attitude towards the whole notion of supply chain vulnerability. The events of 9/11 were so far outside the risk managers’ field of reference that they can arguably be classed as ‘unknowable unknowns’. It is widely recognised that the terrorist attacks did not themselves cause any significant disruption to global supply chains or even North American industry. But the reaction of the US authorities did.16 The closure of US borders and the grounding of transatlantic flights dislocated international supply chains making supply chain vulnerability front page news.

After 9/11, new security measures were hurriedly introduced at US border posts, ports and airports, affecting inbound freight to the USA, including the Container Security Initiative (CSI) and customs-trade partnership (C-TPAT). Chapter 6 detailed these and other initiatives and discussed the topic of transport security.

Corporate scandals, operational risk and business continuity

Societies around the globe reeled from the shock of 9/11, but within a few months, supply chain risk was once more synonymous with the perils of poor performance. However, in the world of corporate risk management, events were unfolding that would push ‘operational risk’ (i.e. internal threats to organisational well-being) to the very top of the corporate agenda.

The Enron Corporation, once held up as a model of best practice corporate risk management, collapsed in late 2001. Inadequate internal management controls were blamed. Another North American giant, WorldCom, quickly followed. In Europe, Dutch retailer Royal Ahold and Italian dairy conglomerate Parmalat Finanziara did the same. In a bid to protect shareholders and ultimately the well-being of the financial markets, regulators hurried to bring in their own more rigorous reporting requirements. The international banking community had faced the same stark realities only a few years earlier, when the unchecked activities of Singapore-based ‘rogue trader’ Nick Leeson led to the collapse of London-based Barings Bank, threatening irreparable damage to Singapore’s reputation as a financial centre.

These financial scandals highlighted the need for more diligent corporate governance in general. They also increased the appetite for measures to monitor, manage and control operational risk. The Basel Accords in International Banking (1998, 2004), and the introduction of new stock-market regulations formalised the requirements.

Among the wave of new regulations, the Sarbanes-Oxley Act 2002 (SOX) is particularly noteworthy. Applied to all US quoted companies in 2002, and a year later to their overseas suppliers, SOX requires full disclosure of all potential risks to corporate well-being within the business. Importantly it also requires disclosure of potential vulnerabilities that might once have been considered to be beyond the legal boundaries of the firm. Among its many requirements is an obligation to declare all ‘material off-balance sheet transactions’ including ‘contingent obligations’ and ‘interests transferred to an unconsolidated entity’. These encompass some inter-organisational risk sharing and risk transfer activities, including fixed volume shipping service contracts, vendor managed inventory (VMI), and outsourcing agreements.

SOX also demands that providers of outsourced services (including LSPs) must be able to demonstrate the existence of appropriate internal process controls. Finally, it requires consideration to be given to other possible externally induced disruptions. Externally induced disruptions include disruptions to transport and communications. Failure to identify and disclose any of the above may result in a jail sentence for the company’s chief executive. As a result, board members have became much more interested in identifying ‘knowable unknowns’ and have turned to risk management and to business continuity management (BCM) to help them prove that they have acted with ‘due diligence’.

BCM efforts tend to start with the preparation of a business continuity plan (BCP). A business continuity plan is defined as ‘a documented collection of procedures and information that is developed, compiled and maintained in readiness for use in an incident to enable an organisation to continue to deliver its critical products and services’.17 Continuity planning is part of the wider BCM discipline which overlaps SCM, operational risk management, corporate governance and other associated concerns. Current best practice BCM would include an ongoing programme of training, rehearsals and reviews of the initial plans to cope with various eventualities as well as careful consideration to the management of an after-the-event recovery phase.

BCM is rooted in IT disaster recovery, but its remit has expanded greatly. In the months before Y2K it focused on protecting ‘mission critical computer data’. In more recent years it has moved on to encompass the protection of all ‘mission critical corporate assets’. These assets include: data and information; high-value physical items; people and their experience; knowledge; commercial contracts; and, ultimately, corporate reputation. More recently still, best practice BCM has looked beyond traditional tangible asset-based approaches to risk management, to focus on maintaining ‘mission critical activities’. This is particularly so for service sectors such as retailing, banking and other financial services. Financial services is also the sector where many of the ‘classical’ approaches to risk management have been developed over the last century. It is also the area where they have recently failed so badly, triggering arguably the biggest and most far-reaching creeping crisis to date. The risk management approaches used by banks to satisfy the requirements of the Basel Accords failed catastrophically in 2008, when the collapse of US-based investment bank Lehman Brothers triggered a global financial crisis. Only direct interventions by governments prevented the total collapse of the global financial system, though the shock-waves will be felt across economies for years to come.

OURCES OF EXTERNAL SHOCKS TO THE SUPPLY CHAIN

In this chapter, we have given various examples of shocks to the supply chain. These and yet other examples are summarised below. Can you think of others?

Weather and other extreme events – for example the impact on air transport of ash clouds from Icelandic volcanoes in 2011

Protests, blockades, strikes – as supply chains become more stretched with product moving over greater distances they are also more exposed to potential delays from external sources

Terrorism and other security threats such as piracy and kidnapping (Chapter 6 dealt more fully with transport security)

Corporate accounting scandals, fraud

Bio-threats – earlier in the chapter we discussed the foot and mouth livestock crisis in the UK; another more recent example is the crisis caused by the discovery of horsemeat in the beef (cattle) supply chain in Europe

Shortages of key supplies – these could be caused by supplier failure but other causes also exist such as political disputes between countries

Actions by upstream suppliers tarnishing the consignee’s image – examples include the collapse of a garment factory in Bangladesh in 2013 with the loss of over 1000 lives and protests in Asia about labour conditions at contract manufacturers who service technology supply chains

Uncertainty caused by shifts in technology – the classic example being the Y2K millennium bug discussed earlier.

THE SHORTCOMINGS OF RISK MANAGEMENT

Earlier in this chapter we mentioned that the term risk has several different meanings. All are used, often indiscriminately, in the context of SCM. This is not simply a shortcoming of managers working in SCM. Scholars have been grappling with the nature of risk for centuries, but risk management is a far from mature discipline, with significant disagreements raging over some of its basic tenets.

VUCA

This acronym emerged in the military in the 1990s and has since attracted interest in other sectors, too:

From Volatility to Vision

From Uncertainty to Understanding

From Complexity to Clarity

From Ambiguity to Agility

Decision theory and managerial tendencies

The starting point for many discussions of risk is as it is presented in the gambling-dominated thinking of classical decision theory.18 Some years ago, researchers James March and Zur Shapira defined risk – from a financial decision theory perspective – as ‘variation in the distribution of possible outcomes, their likelihoods and their subjective values’.19 In their seminal paper on managerial perceptions of risk and risk taking, the same writers observed that even in financial management circles this much cited interpretation had actually been under attack for many years. Their own research showed that the rational assumptions of classical decision theory do not reflect how managers see risk, nor do they reflect managers’ behaviours or the social norms that influence them. March and Shapira cited findings that showed that managers adopt and apply only selected elements of the total risk equation. The managers concerned paid little attention to uncertainty surrounding positive outcomes, viewing risk in terms of dangers or hazards with potentially negative outcomes. Moreover it was the scale of the likely losses associated with plausible outcomes, rather than the range of possible outcomes, that tended to qualify for consideration.

Furthermore, March and Shapira observed that individual managers’ risk-taking behaviour changed with circumstances. ‘Attention factors’ such as performance targets and questions of survival are likely to have the greatest impact. In comfortable circumstances managers are likely to be risk-averse, but when staring failure in the face – in terms of shortfalls in performance targets – research shows that this tendency reverses and they become risk-prone. Of course when a person is faced with a proposition with upside incentives for him or her and no downside consequences (known or otherwise), then there is no risk for the decision maker. It becomes a ‘one-way bet’. The same decision can become problematic when the downside exposure is borne by someone else, either in the same organisation or across the wider network.

This leads us into the question of risk appetites in organisations. There is often an assumption that an organisation has a single definable risk appetite and risk strategy, yet more recent research suggests that risk strategies can and do vary between functions within the same business.20 For example, a propensity for risk taking was found to be acceptable in the areas of core competencies, but much less tolerated in non-core activities within the same firm.

In the real world, where managers routinely deal with imperfect information, these behavioural characteristics may not be as irrational as it might first seem. That is because managers are for the most part making decisions under uncertainty. Risk and uncertainty are terms that in practice are often used interchangeably, but back in the 1920s Knight made a helpful distinction: ‘If you don’t know for sure what will happen (e.g. when throwing dice) but you know the odds, that’s risk and if you don’t even know the odds, that’s uncertainty’.21 Uncertainty is, according to Knight, ‘the realm of judgement’.

Managers focus on the possible losses associated with plausible outcomes

Decisions involving risk are heavily influenced by their impact on the manager’s own performance targets

There is unlikely to be a single unified attitude to risk taking within a large organisation

Objective risk and perceived risk

Despite the wisdom of Knight, the words of Rumsfeld, and the canon of research to date, the dominant paradigm in risk management remains that of the cold logic of ‘objective risk’. Objective risk reflects a view of risk set out by the engineers and physicists of the Royal Society in a report published in London in 1983.22 The report stated that risk was ‘the probability that a particular (known) adverse event occurs during a stated period of time, or results from a particular challenge. As a probability in the sense of statistical theory, risk obeys all formal laws of combining probabilities’.

Furthermore, the report made a clear distinction between objective risk as determined by experts applying quantitative scientific means, and perceived risk – the imprecise and unreliable perceptions of ordinary people. This ‘objective’ position, combined with the Royal Society’s definition of ‘detriment’ as ‘the numerical measure of harm or loss associated with an adverse event’ reflects the compound measure of risk widely encountered within the engineering, health and safety literature, and frequently within SCM. It is a position supported by the work of other prestigious institutions such as the National Academy of Sciences and the National Academy of Engineering in the USA in the 1980s and 1990s.23

However, it is also a position that has been vehemently contested by social scientists. Social scientists contend that, where people were involved, objective and perceived risk become inseparable. They argue that risk is not a discrete or objective phenomenon, but an interactive culturally determined one, that is inherently resistant to objective measurement. The essential problem is, as distinguished writers such as John Adams point out, that people modify their behaviour and thereby their likely exposure to risk in response to subjective perceptions of that risk, subtly balancing perceived costs and benefits.24

Nevertheless proponents of ‘objective risk’ continue to champion the view that we should promote the scientific management ideal, of a rational, predictable world, populated by rational predictable people. As a result Adams observed that ‘virtually all the formal treatments of risk and uncertainty in game theory, operations research, economics and management science require that the odds be known, that numbers be attachable to the probabilities and magnitudes of possible outcomes.’ In these disciplines, risk management still strives to identify, quantify, control and where possible eliminate specific narrowly defined known threats. The same disciplines continue to underpin much of SCM theory and best practice.

Many of the commonly used tools, techniques and concepts used to identify, evaluate and estimate risk remain rooted in the ‘divide and conquer’ thinking of engineering and scientific management. Consequently it has been argued that they fail to consider that failures and accidents may be ‘emergent properties’; that is, unexpected and often undesirable effects, arising within the wider system as a whole.25 In this instance the systems we are talking about are the multi-organisational networks that characterise contemporary supply chains.

Even in enterprise risk management, it is clear to some that risk management models have failed to keep pace with the realities of our networked world. They have been slow to account for operational interdependencies between firms brought about by the trend to outsourcing. Consequently they underestimate the range and severity of risks faced by a company.26 The Sarbanes–Oxley Act has helped to highlight this shortcoming.

Why this all matters from a practical supply chain risk management perspective is that if supply chains are only seen from a business process engineering and control perspective, then the selective (downside only) engineering-derived views of objective risk sit quite well. However, if we also accept that supply chains involve relationships that link organisations, populated by people, then there is an equally persuasive argument for perceived risk, with supply chains viewed as open interactive societal systems. If we also accept that these may be global supply chains, then those culturally determined perceptions of risk could vary greatly from one region to another. Along the way the forces of nature can demonstrate just how far removed from the controlled environment of the casino this all might be.

It is important to recognise that ‘objective risk’ and ‘perceived risk’ both have places in logistics and SCM.

THE NEED FOR HOLISTIC APPROACHES

Chapter 1 underlined the fact that SCM is integrative and interdisciplinary, and that logistics is just one of several established sub-disciplines that fall under the SCM umbrella. It is therefore important to recognise that managers from many interacting disciplines as well as from different organisations will have interests in supply chain risk management. Each will likely be viewing risk management decisions in relation to their own performance measures, sometimes using quite different assumptions and interpretations of risk as points of reference. The result is that in practice supply chain risk management is likely to be a patchwork of sometimes complementary, but often conflicting or competing efforts. This means that supply chain risk management can be expected to display all the characteristics of a ‘wicked problem’.

Wicked problems

A ‘wicked problem’ is a technical term first coined back in the early 1970s by Horst Rittel and Melvin Webber, two professors from Berkeley, who produced a paper on ‘Dilemmas in a General Theory of Planning’.27 Rittel and Webber’s contribution was to produce a lucid explanation of why societal problems are inherently different from the problems that scientists and some engineers tackle in their daily work.

Scientists and engineers deal with discrete identifiable problems (Y2K is a good example), where the desired outcome is known, providing clarity of mission and an easily recognisable desired end state.

Wicked problems are different, because they involve multiple stakeholders, each with slightly different interests and value sets. As a result, there is no single common definitive goal, no clarity of mission and no universal solution. Rittel and Webber observed that, ‘with “wicked problems” … any solution, after being implemented, will generate waves of consequences over an extended – virtually an unbounded – period of time. The next day’s consequences of the solution may yield utterly undesirable repercussions … If the problem is attacked on too low a level, then successful resolution may result in making things worse, because it may become difficult to deal with the higher problems.’

Therefore to understand a wicked problem you must understand the wider context. To that end Rittel and Webber recommend that problems should be considered within ‘valuative’ frameworks, where multiple and differing perceptions are retained. Such frameworks recognise problems as the links tying open systems into large and interconnected networks of systems, and that the outputs from one become the inputs from another.

A SIMPLE FRAMEWORK FOR A WICKED PROBLEM

Taking Rittel and Webber’s advice, Figure 13.1 shows a supply chain broken down into its component parts, hopefully without losing the sense of dynamic interaction. Looking at supply chains in this way enables the inclusion of many different functional and hierarchical perspectives, their respective interpretations of risk, as well as an opportunity to position some of the management tools and techniques currently available.

Level 1 – process engineering and inventory management

Level 1 in the figure concentrates on a process engineering or inventory management perspective. It focuses on what is being carried – work, cash and information flows – and process design within and between organisations. This perspective underlies lean manufacturing and the ‘end-to-end’ view required for the ‘agile’ supply chain concept. Risk management is largely about improved visibility (of demand and inventory), velocity (to reduce the likelihood of obsolescence and optimise asset utilisation) and control. If processes are tightly monitored and controlled, then nonconformance to plan can be quickly detected. Risk reduction tools are often borrowed from total quality management. Related process improvement and control methodologies such as ‘six sigma’ are also favoured by some, as are automated event management systems, which readily alert managers to deviations from plan and minimise human intervention.

In the ideal world of scientific management, mastery of process control methodologies would facilitate the identification, management and elimination of risk. Unfortunately we do not live in an ideal world, so levels 2, 3 and 4 of the model bring in a host of other factors that often intervene.

Level 2 – assets and infrastructure dependencies

Level 2 considers the fixed and mobile assets used to source, produce or carry the goods and information flows addressed at level 1. When viewed at this level, nodes in the networks may be farms, factories, distribution centres, commercial retail outlets, or public service delivery points such as schools or hospitals. Alternatively they may be facilities housing IT servers and call centres. Links in the network are the transport and communications infrastructure; that is, roads, railways, flight paths and sea lanes, pipelines and grids, plus mobile assets – boats, trains, trucks and planes. The transport and communications networks have their own nodes in the form of ports, airports and satellites.

Well-known asset-based approaches to risk management, developed in insurance for tangible assets or other insurable interests (e.g. a building, a life or a vehicle), are appropriate and commonly used in this context. These actuarial approaches draw on plentiful historical data to provide some indication of for example the likelihood of fire, flood and many other eventualities affecting the insured asset. They tend to define risk along the lines of the Probability (likelihood of a given event) × Severity (negative impact should it occur) within a given timeframe. In a wider vein it is helpful to explore the impact on operations of the loss of links or nodes in the production/distribution and infrastructure networks, through network modelling.

Mitigating the impacts of potential disruptions to nodes and links is where business continuity planning (BCP) also has a place. As often as not level 2 disruptions are not the result of catastrophic failures caused by the phenomena that have exercised generations of actuaries. The disruptions are just as likely to be the results of poorly managed IT upgrades or physical network reconfigurations. Planned site closures and relocations are often to blame. Nevertheless it is perhaps worth noting that cross-sector surveys suggest that loss of key skills is actually a more frequently encountered problem than either loss of site or IT systems.29

Level 2 is of course the territory of unglamorous ‘trucks and sheds’ logistics – an early candidate for outsourcing (along with IT support) in most manufacturing and retail organisations. The increase in global sourcing and supply that we discussed earlier in the book means that, for much of the developed world, the transport element of SCM and the associated resource requirements are increasing. It also means that more shipments are travelling further than ever before, increasing the possibility that assets (and their goods) may be damaged, stolen or simply mislaid along the way. To reduce the likelihood of this happening RFID is sometimes used in asset and consignment tracking.

Naturally, technological solutions, or any other aspect of operations at this level, need appropriately trained personnel, though this simple fact is often overlooked. The case below provides a real example of why consignment tracking matters and why staff training is so vitally important.

RFID AND THE COST OF LOSING TRACK

Hundreds of thousands of people met violent and untimely deaths in Iraq in the years following the invasion in 2003. Few of these individual tragedies have been so well investigated as the death of a British soldier, Sgt Stephen Roberts, who died in action after being hit in the chest by a wayward bullet. A shortage of essential body armour meant that he had been required to hand his over to a fellow serviceman who was judged to be more ‘at risk’. The tragedy of this incident was that an investigation by the UK National Audit Office would later reveal that 200,000 components of body armour had been purchased by the Ministry of Defence, but misplaced somewhere within the logistics system. The scandal made an indisputable case for the extension of RFID within the UK defence logistics system.

RFID was used to track consignments by US forces and to a limited extent by UK forces during the 2003 invasion of Iraq. However, even tagged consignments appeared to be going missing. The root cause was a training failure. Back at base, enthusiastic logisticians were aware of the potential benefits of RFID technology and its operating requirements. Unfortunately neither US nor UK forces fully recognised the need to inform their frontline troops, who had no idea what the tags were, or what should be done with them when they reached their destination. As a result many were simply unclipped and thrown into buckets when the containers were unloaded. Some were shot off the containers by US troops believing them to be improvised explosive devices.

Level 3 – organisations and inter-organisational networks

Level 3 looks at supply chain risk at the strategic level of organisations and inter-organisational networks. These are the organisations that own or manage the assets and infrastructure, that create or carry the freight, information or cash flows. At this level, risk is likely to be perceived as the financial consequences of an event or decision for an organisation – particularly its impact on budget or shareholders. This is where strategic management concerns, corporate governance requirements and conflicts of interest in risk management become most evident.

From a purely SCM perspective, risk at this level is the downside financial consequences of a specific event. The loss of a sole supplier or customer is the most obvious danger here. The trading relationships that link organisations and power dependencies between them should also be watched carefully.

Low margins are likely to encourage consolidation within industry. Consolidation can change the balance of power between organisations in a supply chain, reversing dependencies, changing service priorities, negotiating positions and risk profiles. Post-takeover or merger, once compliant suppliers may no longer be willing to dance to a customer’s tune. They may wish to concentrate on other bigger customers, or have completely different strategic priorities. Consolidation also heralds network reconfigurations and the associated disruptions described at level two.

Partnering, dual sourcing and outsourcing are likely to be put forward as risk management solutions, backed up by contractual obligations. However, anecdotal evidence abounds to suggest that in times of shortage contractual guarantees become unreliable, with suppliers diverting scarce resources to their largest customers, regardless of contractual requirements. Software is available that allows companies to divert supplies automatically to service their most valuable accounts.

Best practice strategic management and corporate governance tend to see risk differently from SCM. Here risk retains the upside as well as downside connotations of decision theory. Strategic management is likely to encourage managers to take ‘big bets’ to maintain competitive advantage in core competencies. The high-risk big bets are offset by a requirement for lower risk taking in non-core activities. This line of logic encourages strategists and corporate risk managers (few of whom have operational SCM experience) to attempt to transfer risks associated with non-core activities off balance sheets to suppliers. One pitfall associated with this reasoning is that the definition of what is and is not a core capability may be too narrowly drawn, with key elements of SCM falling by the wayside. Outsourcing and contractual means are nevertheless seen as legitimate methods employed to reduce exposure to financial risk. The option is even more tempting if short-term cost savings can be realised. However, when liability for risk management is transferred in this way, the operational consequences of failure remain.

The industrial relations battle between Swiss-based, North American-owned airline catering company Gate Gourmet and its UK workforce in the summer of 2005 illustrates the point. The Gate Gourmet dispute was a landmark case in that it marked the return of secondary industrial action, not seen in the UK for decades.30 It also illustrates why supply chains should also be viewed as interactive societal systems.

GATE GOURMET

Gate Gourmet was sole supplier of in-flight catering services to British Airways (BA). Many of the staff had been BA workers until a cost reduction programme prompted the airline to outsource the activity in 1997 to Swiss-owned company Gate Gourmet. The move had been financially beneficial to BA, which, in a competitive environment, had continued to pursue further cost reductions through its supply chain. The pressure to continually cut costs was in turn cited by some as the root cause of the Gate Gourmet dispute.

In the post-9/11 climate of fear, demand for transatlantic air travel dropped and oil prices rose. These were hard times for the airline industry and its suppliers. The catering business went into loss. In 2002 Gate Gourmet was sold on to US-based private equity firm Texas Pacific Group (TPG). At this point BA exercised an option within the original outsourcing agreement to renegotiate the contract for more favourable terms. The new owners improved productivity and increased management pay, but continued to lose money on the BA contract. In 2005 the new owners sought to cut its costs with redundancies amongst catering staff, and by imposing less generous terms and conditions on those who remained. At the same time the company took on 130 seasonal workers on lower rates of pay. The resulting dispute and 670 sackings – involving mostly women drawn from the local Asian community – did not on the face of it represent a significant threat to BA. The airline could operate its core business without in-flight meals. However, when about 1000 BA ground staff – many of them with family ties to the sacked catering workers – decided to walk out in sympathy, the consequences for BA were unavoidable. The four-day strike halted BA flights out of its Heathrow hub, damaging the airline’s reputation, and costing BA (and its shareholders) an estimated £40 million in cancelled flights and the cost of food and accommodation for 70,000 stranded passengers.

With bankers threatening to move against TPG and TPG threatening to take Gate Gourmet into administration, BA was forced to intervene. The airline agreed to renegotiate its catering contract, and to donate about £7 million towards the cost of enhanced redundancy packages, but did so on the condition that Gate Gourmet settled its own labour dispute. On 27 September 2005 an agreement was reached between the trade unions and Gate Gourmet. About 700 catering staff volunteered to accept the new redundancy offer, slightly over the number required. In March 2007, TPG sold its holding in Gate Gourmet to bankers Merill Lynch.

Level 4 – the macro-environment

The fourth and final level of analysis is the macro-environment, within which the assets and infrastructure are positioned and organisations do business. The ‘PEST’ (political, economic, social and technological) analysis of environmental changes, used in strategic management, is appropriate here. Sometimes ‘green’ environmental and legal/regulatory changes are included in the basic analysis or given separate treatment. Socio-political factors, such as action by pressure groups (e.g. environmentalists or fuel protestors) can be identified by routine ‘horizon scanning’ using specialist or general media sources, allowing measures to be put in place to mitigate the impact. Geo-political factors, such as war, often take time to build, but the extent to which they can influence demand for all manner of goods and services should not be underestimated. For example, the 2003 invasion of Iraq coincided with a drop in business confidence, leading to a fall in advertising, and a marked reduction in demand for high-quality paper. The war had the reverse impact on the demand for oil as fears of oil shortages swept the world, and on oil prices, which are critical for the global economy.

Beyond a controlled ‘casino’ or even factory environment, there are the forces of nature – meteorological, geological and pathological – to contend with. Most are likely to be far beyond the control of supply chain managers, so risk avoidance or contingency planning are appropriate courses of action. Meteorological events include the effects of extreme weather. Geological disturbances can involve the devastation to communities and dislocation to supply chains caused by earthquakes, tsunamis or volcanic activitiy. The widespread closure of areas of European airspace due to the ash cloud during the 2010 eruptions of the Icelandic volcano Eyjafjallajökull is an example, as is the similar such event in 2011. However, one category – pathogens – such as contaminants and diseases – is worth particular attention here. Whether it is foot and mouth, a human pandemic, the computer viruses that mimic them, or even ‘toxic assets’ in the banking system, what makes pathological factors so dangerous is that they are mobile. They have the ability to hitch a ride with the flows of products and information (and people) that logisticians and supply chain managers work so hard to speed around the globe. Once inside the system, they have the potential to bring it down from within. With more goods, information and money travelling further and faster than ever before the potential for this to happen cannot be ignored.

The creeping crises referred to earlier in this chapter could all be regarded as level 4 disruptions, but it would be wrong to regard them only as external threats to the supply chain. Their potency as disruptive challenges is a reflection of our interconnected, interdependent societies and the efficiency of our supply chains.

LEARNING REVIEW

This chapter provided an introduction to the complex, but fascinating subject of supply chain risk, and the related concepts of vulnerability, robustness and resilience. It has tackled some of the competing concepts of risk, the shortcomings of risk management and their relevance to a logistics and SCM context. The chapter draws on earlier writings in open systems theory to explain why supply chains should be viewed as open societal systems as well as engineered processes. How, when and why the different concepts of risk fit with some elements of supply chains but not others were explained. Throughout, the chapter has endeavoured to provide a holistic overview of supply chain vulnerability, providing a multi-level framework, based on a simple exploded model of a supply chain. Within this framework appropriate supply chain risk management tools are positioned.

QUESTIONS

What is meant by supply chain vulnerability?

Why is a robust supply chain not necessarily a resilient supply chain?

Distinguish objective and perceived risk.

Discuss the relevance of the Sarbanes–Oxley Act 2002 (SOX) to logistics.

Outline how risk might be dealt with in levels 1, 2 and 3 of Peck’s model of the supply chain.

THE IMPACTS OF CREEPING CRISES

We discussed above the role of creeping crises in today’s uncertain and changing world. Can you think of other creeping crises in addition to the ones mentioned in this chapter?

Taking either your own examples or the ones described in this chapter, outline the impacts these crises had on economies and societies.

MEASURING RISK EXPOSURE AND TIME TO RECOVERY

Given the multiplicity of sources of shocks to the supply chain, a key focus now of supply chain managers is gauging how exposed the supply chain is and how long it will take to recover from any disruptions. With this in mind Professor David Simchi-Levi and colleagues at MIT have developed a model for determining the impact a disruption of each node in a company’s supply chain would have, regardless of its cause or likelihood.31

The IUP Journal of Operations Management, Vol. XVI, No. 2, 201736Towards a Value-Based Methodfor Risk Assessmentin Supply Chain OperationsLingzhe Liu* and Hennie Daniels**© 2017 IUP. All Rights Reserved.*Ph.D. Candidate, Department of Decision and Information Sciences, Rotterdam School ofManagement, Erasmus University, Rotterdam, Netherlands; and is the corresponding author.E-mail: lliu@rsm.nl**Professor of Knowledge Management, Department of Information Management, Tilburg Schoolof Economics and Management, Tilburg University, Netherlands. E-mail: hdaniels@rsm.nlIntroductionThe supply chain risk management is emerging to be a new research area, as themarket place is becoming more and more globalized and the business is increasinglysusceptible to various vulnerabilities, which range from supply chain disruption,organized crime, to terrorists attack. This paper addresses the problem of riskmanagement in supply chain operations from the perspectives of the business and thegovernment, and proposes a research road-map.On the business perspective, a supply chain company is usually affected by theoperation of other related organizations in its business network, as its business modelhas to be built on cooperation with the other organizations. The cooperation is bolsteredby economy reciprocity, i.e., for all the economy value or value object (service or product)that one organization provides to another, the former organization should get in returnan object of equal value (Weigand et al., 2006). Otherwise, at least one party in theexchange runs the risk of economic losses and the cooperation is then unsustainable.This gives rise to the requirements of controlling the value exchange and monitoringthe operations in the related organizations for managing the operational risks(Kartseva, 2008). Moreover, business operations have to comply with the legalThis paper proposes a risk assessment framework as a research road-map, withthe aim of developing a protocol that integrates the risk managementrequirements from the perspectives of the business and the government. Thepaper considers the viewpoint of value modeling and interprets the riskmanagement problem as a control problem. Four steps of risk assessment areidentified in the framework, forming the risk management cycle.

3 7Towards a Value-Based Method for Risk Assessment in Supply Chain Operationsregulations enforced by the government authorities (the change of regulation mayalso imply business disruption).On the government perspective, the supply chain-related authorities (like customs,police, and quality inspection agencies) have their specific responsibilities of riskcontrolling and monitoring by means of inspection and supervision, so as to minimizethe potential hazards in the border-crossing supply chain and to ensure the publicsafety. Meanwhile, they need to maximize the detection hit rate with minimuminspection activities, so that both the inspection costs and the interruption to the normalsupply chain operations are minimized.The distinction in these two objectives of risk management is obvious, but still itwould be beneficial to integrate them into the same risk management framework: inthat, in either the business-to-business relationship or the business-to-governmentrelationship, one party can have confidence in the counterparty when it is able tomonitor the counterparty’s operation according to the norm of economy reciprocityand to control (or to coordinate) the counterparty’s relevant behavior.In the case of regulation compliance, mutual trust between the government and thebusiness can be established, when the government has more confidence in theinformation quality of the declaration from the business, and when its risk assessmentbehavior is (to certain extent) transparent to the business. In this way, the businesswould have better cooperation with its business partner and with the government,while the government could be more effective in the inspection tasks.The risk assessment framework, proposed in this paper, aims at developing suchan integrated risk management protocol. We take the viewpoint of value modeling. Asthe first step, we try to identify the risk sources from a ‘map’ of the supply chainsystem with the value constellation, value exchange events and processes, and thecontrol mechanism in the system. The risk level of these sources can be further evaluatedwith certain computation methods, like Dempster-Shafer theory and Bayesian belieffunction.Risk Assessment ProblemGiven the complexity of the supply chain operations, there has not been a generallyagreed definition of supply chain risk management (Sodhi et al., 2011), yet we considerthat effective management is based on proper assessment. Supply chain risk managementis for the moment interpreted as a control problem in this paper (Leeuw, 1979).The term risk is generally defined as “the effect of uncertainty on an organization’sobjectives” in the standard ISO 31000:2009. In supply chain operations, risk ariseswhen physical or human factors make it hard to expect whether the execution of activitiesin transaction cycles deviates from the operation plan.For analyzing risks in the supply chain system, we are interested in the risk level(or ‘trustworthiness’) of an organization, i.e., whether the organization under question