The Emerald Research Register for this journal is available at www.emeraldinsight.

com/researchregister

The current issue and full text archive of this journal is available at www.emeraldinsight.com/0960-0035.htm

IJPDLM 34,5

Ericssons proactive supply chain risk management approach after a serious sub-supplier accident
Andreas Norrman
Department of Industrial Management and Logistics, Lund University, Lund, Sweden, and

434
Received July 2003 Revised February 2004 Accepted March 2004

Ulf Jansson
Ericsson AB, Sweden, Core Unit Supply, Stockholm, Sweden
Keywords Supply chain management, Risk management, Business continuity, Insurance Abstract Supply chain risk management (SCRM) is of growing importance, as the vulnerability of supply chains increases. The main thrust of this article is to describe how Ericsson, after a re at a sub-supplier, with a huge impact on Ericsson, has implemented a new organization, and new processes and tools for SCRM. The approach described tries to analyze, assess and manage risk sources along the supply chain, partly by working close with suppliers but also by placing formal requirements on them. This explorative study also indicates that insurance companies might be a driving force for improved SCRM, as they now start to understand the vulnerability of modern supply chains. The article concludes with a discussion of risk related to traditional logistics concepts (time, cost, quality, agility and leanness) by arguing that supply chain risks should also be put into the trade-off analysis when evaluating new logistics solutions not with the purpose to minimize risks, however, but to nd the efcient level of risk and prevention.

International Journal of Physical Distribution & Logistics Management Vol. 34 No. 5, 2004 pp. 434-456 q Emerald Group Publishing Limited 0960-0035 DOI 10.1108/09600030410545463

Introduction Background In industry, especially those industries moving towards longer supply chains (e.g. due to outsourcing) and facing increasingly uncertain demand as well as supply, the issue of risk handling and risk sharing along the supply chain is an important topic. The leaner and more integrated supply chains get, the more likely uncertainties, dynamics and accidents in one link affect the other links in the chain. Hence, the supply chain vulnerability (Svensson, 2000; Christopher et al., 2002) increases, and it will increase even more if companies, by outsourcing, have become dependent on other organizations. A number of current business trends that increase the vulnerability to risks in supply chains are: . increased use of outsourcing of manufacturing and R&D to suppliers; . globalization of supply chains; . reduction of supplier base; . more intertwined and integrated processes between companies; . reduced buffers, e.g. inventory and lead time; . increased demand for on-time deliveries in shorter time windows, and shorter lead times; . shorter product life cycles and compressed time-to-market;

. .

fast and heavy ramp-up of demand early in product life cycles; and capacity limitation of key components.

Souter (2000) stresses that companies should not only focus on their own risks: they must also focus on risks in other links in their supply chain. According to Lambert and Cooper (2000) and Mentzer et al. (2001), for example, a key component for supply chain management (SCM) is sharing both risks and rewards between the members of the supply chain. This is often mentioned, but not further elaborated on, in traditional SCM literature. The focus of supply chain risk management (SCRM) is to understand, and try to avoid, the devastating ripple effects that disasters or even minor business disruptions can have in a supply chain. Some examples of risk sources and such supply chain rippling effects from the last few years are: . Hurricanes. Hurricane Floyd ooded a Daimler-Chrysler plant producing suspension parts in Greenville, North Carolina (USA). As a result, seven of the companys other plants across North America had to be shut down for seven days. . Diseases. The foot-and-mouth disease in the UK in 2001 affected the agriculture industry more than its last outbreak 25 years ago. The reason for this was that former local and regional supply networks had become national and ttner et al., international, and that the industry was much more consolidated (Ju 2002). But many other industries were also affected: luxury car manufacturers like Volvo and Jaguar had to stop deliveries due to lack of quality leather supply. . Fires. Toyota was forced to shut down 18 plants for almost two weeks following a re in February 1997 at its brake-uid proportioning valve supplier (Aisin Seiki). Costs caused by the disruption were estimated to be $195 million and sales loss was estimated to 70,000 vehicles (, $325 million) (Converium, 2001). . Demand. Rapidly weakening demand coupled with locked-in supply agreements made Cisco take a $2.5 billion inventory write-off in Q2 2001. . Supply. Inaccurate supply planning led Nike to an inventory shortage of hot footwear models and the sales for Q3 2001 were $100 million off target. . Supply chain capacity risks. In a situation where demand is very uncertain, and the capacity bottleneck is far upstream from the market place, the risk of investing in more capacity could be a joint issue for the whole supply chain, and different instruments for supply chain risk sharing can be used. Purpose Recently, the interest of supply chain risk management has increased in purchasing, logistics and supply chain management research (e.g. Smeltzer and Siferd, 1998; Zsidisin and Ellram, 1999; Hallikas et al., 2000; Ritchie et al., 2000; Lindroth and Norrman, 2001; Johnson, 2001; Lamming et al., 2001; Christopher et al., 2002). This article aims to extend current SCRM knowledge by describing and sharing insights of a companys new organization, processes and tools focused on SCRM. The company is Ericsson, a leading telecom company seriously affected by a re at a sub-supplier some years ago, an accident which has been widely reported (e.g. TheWall Street Journal, 2001).

Ericssons proactive approach 435

IJPDLM 34,5

436

The remainder of the paper is structured as follows. First, literature related to supply chain risk management and business continuity planning in a supply chain perspective will be summarized to give a background of the topic. Then there is a short discussion of the methodology. Next, the case is introduced by a short description of the Albuquerque incident that increased Ericssons focus on supply chain risk management. The following section describes Ericssons current approach to SCRM, and the paper ends with a concluding discussion. Supply chain risk management The underlying denition of SCRM in this article is:
Supply chain risk management is to [collaborate] with partners in a supply chain apply risk management process tools to deal with risks and uncertainties caused by, or impacting on, logistics related activities or resources (Norrman and Lindroth, 2002).

Supply chain risk management could of course deal with risks for a single company, or even with the impact on a single logistics activity. But following the denition, the unit analyzed should represent a buyer-seller relationship (a dyad) or, preferably, a supply chain of three or more companies. Two important dimensions in the denition are risk and uncertainties and the risk management process, which will now be further elaborated on. Risk and uncertainty Deloach (2000) denes business risk as the level of exposure to uncertainties that the enterprise must understand and effectively manage as it executes its strategies to achieve its business objectives and create value. A more standard denition of risk is risk is the chance, in quantitative terms, of a dened hazard occurring. It therefore combines a probabilistic measure of the occurrence of the primary event(s) with a measure of the consequences of that/those event(s) (The Royal Society, 1992, p. 4). Hence, risk is a quality that reects both the range of possible outcomes and the distribution of respective probabilities for each of the outcomes. This quantitative denition could be expressed: Risk Probability (of the event) * Business Impact (or severity) of the event, often illustrated in a risk map or matrix (Figure 1). While risks can be calculated, uncertainties are genuinely unknown. But as soon as the quantitative denition is left for a broader and more business ttner et al. (2002) have also observed oriented perspective, the term also gets fuzzier. Ju that the use of the term risk can be confusing, and they argue that risk should be separated from risk (and uncertainty) sources and risk consequences (equal to the term risk impact). Risk sources are the environmental, organizational or supply chain related variables that cannot be predicted with certainty and that affect the supply ttner et al. (2002) suggest organizing risk sources relevant chain-outcome variables. Ju for supply chains into three categories: (1) Numbers: external to the supply chain. (2) Internal to the supply chain. (3) Network related. External risk sources are exemplied by political risks, natural risks, social risks, industry/market risks (e.g. volatility of customer demand). Internal risk sources

Ericssons proactive approach 437

Figure 1. Risk map/matrix

range from labor (strikes) or production (e.g. machine failure) to IT system uncertainties. Network-related risks arise from interaction between organizations within the supply chain, e.g. due to insufcient interaction and cooperation. Risk consequences/impacts are the focused supply chain outcome variables like costs or quality (but also health and safety), i.e. the different forms in which the variance becomes manifest. Other authors discussing similar types of risks are Johnson (2001) and Zsidisin (2001). Johnson (2001) divides supply chains risks between supply risks (e.g. capacity limitations, currency uctuations and supply disruptions) and demand risks (e.g. seasonal imbalances, volatility of fads, new products). Zsidisin et al. (e.g. 2000) focuses on supply risks related to design, quality, cost, availability, manufacturability, supplier, legal, and environmental, health and safety. We nd supply chain risks to be related to the logistics activities in companies ows of material and information. Consequently, it is only a part of all business risks. (But, on the other hand, the supply chain perspective also implies a perspective not only including your own company, but a chain of at least three entities: customers, suppliers, sub-suppliers, etc.) The stages of the risk management process Risk management is the making of decisions regarding risks and their subsequent implementation, and ows from risk estimation and risk evaluation (The Royal Society, 1992, p. 3). The risk management process is focused on understanding the risks, and minimizing their impact by addressing, e.g. probability and direct impact. The stages of the risk management process discussed can vary from risk identication/analysis (or estimation) via risk assessment (or evaluation) to different ways of risk management (labels differ among authors although the steps are similar). Parallel to risk management is the issue of how to mitigate the consequences of an accident if it does happen: to deal with the situation in a way that minimizes business impact. This is normally referred to as business continuity management (BCM) and relates to those management disciplines, processes and techniques, which seek to provide the means for continuous operations of essential functions under all circumstances (Hiles and Barnes, 2001, p. 379). BCM aims at getting interrupted

IJPDLM 34,5

businesses restarted. In many ways, risk management and BCM are overlapping, and some argue that business continuity plans development is the risk management action to take for risks of low probability (such as res and oods), but whose potential impact is a business failure. Supply chain risk analysis and assessment Risk analysis/identication is an important stage in the risk management process. Consequently, by identifying a risk, decision-makers become aware of events that may cause disturbances. To assess supply chain risk exposures, the company must identify not only direct risks to its operations, but also the potential causes or sources of those risks at every signicant link along the supply chain (Christopher et al., 2002). Hence, the main focus of supply chain risk analysis is to recognize future uncertainties to enable proactive management of risk-related issues. There are many methods for risk identication and analysis. One important tool is risk mapping, i.e. using a structured approach and mapping risk sources and thereby understanding their potential consequences. Two commonly used techniques for researching factors and causes contributing to accidental events are the fault tree analysis (FTA) and the event tree analysis (ETA). Both are logic diagrams that represent the sequences of failures that may propagate through a complex system. FTA examines all potential events leading up to the critical event and is a graphical diagram that shows how a system can fail. The analysis starts with top events, then the necessary and sufciently hazardous events, the causes and contributing factors of which are identied together with their logical relationships by way of a backward logic. The ETA is also a graphical logic diagram, but goes the other way. It focuses on events that could occur after a critical event and identies and quanties possible outcomes following initiating events by looking at potential consequences (e.g. Mullai and Paulsson, 2002). For both techniques, quantitative data, such as probabilities for events, could be used to get an idea of the nal probability. Deloach (2000) proposes a similar tool called risk driver map, where potential threats are mapped. After the risk analysis, it is important to assess and prioritize risks to be able to choose management actions appropriate to the situation. One common method is to compare events by assessing their probabilities and consequences and put them in a risk map/matrix (Figure 1). In theory, and when historical events are assessed, this could be quite a straightforward and quantitative task, but in business this could be a subjective process relying on specialists judgements. Hallikas et al. (2000), show an example of this in a supply context. In practice, other risk assessment tools are also used, which are not consistent with the theory of probability and impact but cover a broader perspective instead. Zsidisin and Ellram (1999) summarize the supply risk assessment process of a Fortune 500 high-tech company, and propose a ten-step approach to risk assessment (Figure 2). Primarily, they are concerned with material-related risks that could affect timely and cost-effective delivery of quality products and services. Risk management Risk management is the process whereby decisions are made to accept a known or assessed risk and/or the implementation of actions to reduce the consequences or probability of occurrence. Generally used actions for risk management are to avoid,

438

reduce, transfer, share or even take the risk. To avoid is to eliminate the types of event that could trigger the risk. To reduce applies both to reduction of probability and consequence. Examples of how to reduce the impact could be to have an extra inventory, multiple sources, back-up sites/resources identied, sprinklers in buildings, having risk managers and emergency teams appointed, parallel systems or to diversify. Probability could be reduced by improving risky operational processes, both internally and in cooperation with suppliers, and to improve related processes, e.g. supplier selection. Risk could also be transferred to insurance companies but also to supply chain partners by moving inventory liability, changing delivery times of suppliers (just-in-time deliveries) and to customers (make-to-order manufacturing), or by outsourcing activities. Furthermore, contracts can be used to transfer commercial risks. Finally, risks could be shared, both by contractual mechanisms (e.g. Tsay et al. (1998) or Cachon (2002), for a review on supply chain contracts) and by improved collaboration. Business continuity management Business continuity management (BCM) is dened as:
. . . the development of strategies, plans and actions which provide protection or alternative modes of operation for those activities or business processes which, if they were to be interrupted, might otherwise bring about a seriously damaging or potentially fatal loss to the enterprise (Hiles and Barnes, 2001).

Ericssons proactive approach 439

Business continuity management includes crisis management (overall processes to manage the incident), disaster recovery (recovery of critical systems, applications, data and networks), business recovery (recovery of critical business processes) and contingency planning (recovery from impact external to the organization) (CMI, 2002). Developing action plans is important in BCM, and business continuity planning (BCP) is a term often used. BCP is planning to ensure continued operations in case of a catastrophic event. But it goes beyond disaster-recovery planning, since it includes the actions to be taken, resources required, and procedures to be followed to ensure the continued availability of essential services, programs and operations in the event of unexpected interruptions. BCP has previously been mostly related to computers and information technology-related disasters, especially before Y2K, but since then the approach has moved towards more applications in other business contexts. However, according to a study by CMI (2002), only about 30 percent of all companies studied developed BCP jointly with suppliers. Only 9 percent of companies that have outsourced activities (not only logistics) insist on their outsource suppliers having business continuity plans.

Figure 2. Supply risk assessment process based on Zsidisin and Ellram (1999)

IJPDLM 34,5

440

The rst activities in developing business continuity plans are identifying the risks and assessing their probability and impact the steps are hence identical to risk management. Part of this is to understand what will be affected (damage potential analysis). Then, strategies and recovery plans should be developed that could be implemented both before the incident (similar to risk management strategies) and after the incident. Post-incident strategies are implemented to maintain partial or total product supply and could for manufacturing and logistics include (Musson, 2001): . use of spare capacity within the organization; . shutdown of marginal product lines and transfer of key products to those production facilities; . assistance from competition; . outsourcing to sub-contractors, job shops, etc.; . re-labeling of competitors products (after consideration of all legal implications); and . establishment of temporary facilities when production capabilities can be established with off-the-shelf or second-hand equipment. Methodology Since only limited empirical research on how companies deal with supply chain risk management has been found, an explorative approach has been chosen. Examples of earlier case studies in the area are those of Zsidisin (2001), Zsidisin and Ellram (1999) and Zsidisin et al. (2000), but they have focused more on purchasing and supply than a supply-chain approach, consisting of the idea to work with risks along multiple companies in a chain. In our study, a single case is used, which is an appropriate way of establishing the eld at the early stages of an emerging topic (Eisenhardt, 1989). To capture and examine contemporary events, the case study approach is normally preferred (Yin, 1994). The single case could give good enough insights on the breadth of issues and a better opportunity to penetrate important issues. Ericsson has been chosen for several different reasons: It is in a volatile industry that faces many of the business trends described in the introduction; it has recently had a major supply chain incident that has been widely reported; lately, it has worked hard to improve its supply chain risk management; and, nally, the company has been willing to openly share its experiences and has given good access to information and data. Empirical data have initially been collected through semi-structured and open interviews done by the academic co-author with about ten representatives from various functions within Ericsson: corporate risk management, core unit supply (a both strategic and operational SCM-function), sourcing, and supply chain risk management (industry co-author). In addition, supplementary documents showing processes, organizational structures and risk management tools were collected by the academic co-author to verify and more detailed illustrate the ndings from the interviews. By using multiple sources of evidence and interviewees, construct validity improves (Yin, 1994). The joint writing process started with a structured synopsis developed by the academic researcher, comparable with an interview guide, which was then lled with facts and descriptions in a collaborative writing and analysis process. (The industry co-author had of course meetings and written communication with colleagues to get supplementary data and opinions). By this collaborative writing and analysis process

between an academic and industry co-author, we think that the richness of the case study description can be improved as well as the construct validity increased (Yin, 1994, pp. 32-4). Further the nal paper has been returned for comments and correction to the other functions interviewed. As this research is an explorative single case study, external validity and broad generalizability are difcult to address. One purpose has been to describe pioneering practice for other practioneers to make it possible to benchmark, and for academics to start a process of analytical generalization (Yin, 1994) by rst doing replicate studies and pattern matching-analysis. Hence external validity and generalizability could increase over time with more cases. Ericsson and the sub-supplier accident Ericsson is the largest supplier of mobile telecom systems in the world, active worldwide since 1876 and currently employing approximately 61,000 people in more than 140 countries. The worlds ten largest mobile-phone operators are among their customers and some 40 percent of all mobile phone calls are made through Ericsson systems. For the last ten years, Ericsson has outsourced a great deal of its assembly and production to contract manufacturers and sub-suppliers. With Sony Ericsson (including Ericssons old cellular phone business) it is also a top supplier of complete mobile multi-media products. Like most companies, Ericsson has been exposed to a number of risks and incidents in the last few years:, e.g. suppliers having quality and delivery problem, industries general lack of capacity, and power disruption lasting a few days. We will shortly describe the accident that can be seen as the major trigger for Ericsson to improve its supply chain risk management. The Albuquerque accident A major accident from an Ericsson perspective was a re on 18 March 2000 in a very small production cell (small as a conference room for ten people) at a sub-suppliers plant in Albuquerque, New Mexico (USA). The ten-minute re was an effect of a lightning bolt hitting an electric line in New Mexico, causing power uctuations throughout the state. The problem was that when the power was out, there was no spare diesel motor to supply the fans with power, so the fans stopped. From a plant perspective, the resulting re was almost negligible, and when the re brigade arrived it was sent home as the re already was out (The Wall Street Journal). But for Ericsson, the impact was huge. In the spring of 2001, when the annual report from Ericsson was announced, a major loss of about $400 million was indicated, primarily due to gaps in the supply of radio-frequency chips from this supplier. The reason was that the re occurred in one of the plants clean rooms, where absolutely no dust is tolerated. Due to the re, and especially the smoke and sprinkler water, it took almost three weeks until the production was up and running. After six months, the yield was only 50 percent, and it would take years to get new equipment delivered and installed. As this plant was Ericssons only source for this chip, Ericsson was not able to sell and deliver one of its key consumer products during its booming market window. The company lost many months of mobile phone production, and the accident nally had a great impact on Ericssons decision to withdraw from the mobile phone terminal business. Later, Ericssons business interruption costs were calculated as approximately $200 million, which was compensated by insurance companies. This was one of the biggest

Ericssons proactive approach 441

IJPDLM 34,5

442

insurance payments that year (after the 9/11 disaster). The accident made Ericsson realize the importance of not only understanding and managing risks internally but also trying to better analyze, assess and manage risk along the supply chain and to take immediate action when incidents are indicated. In a widespread analysis, The Wall Street Journal argued that Ericsson did not take action quickly and powerfully enough after the Albuquerque accident, and that it took too long before higher management was aware of the incident. Further, Ericsson neither had alternative sources nor was prepared for this kind of accident. Now, actions have been taken: During the last few years, a formal SCRM organization has been put in place, and many SCRM processes and tools have been developed and implemented. Todays philosophy at Ericsson is that everyone is a risk manager. Ericssons current supply chain risk management approach In the last few years (after the Albuquerque accident and before the renewal of its insurance), Ericsson has further developed and implemented processes and tools for supply chain risk management. The purpose is minimizing risk exposure in the supply chain. Its approach for this (Figure 3) is based on a process with feedback-loops between the sub-processes. The risk management process includes risk identication (similar to risk analysis), risk assessment, risk treatment (similar to risk management) as previously discussed in theory, but it has also added a process step for risk monitoring. In parallel (and central) to this, the company has put incident handling and contingency planning. Organizational principles and responsibility Previously, risk management was handled by a corporate function, mostly dealing with insurance companies (and later also security). In the last few years the organisation for supply chain risk management has been developed and many people and functions are involved. On a high level, the corporate function for risk management, the SCM/logistics function (in Ericsson called the core unit supply) and the purchasing function (core unit sourcing) are involved, as well as (Figure 4) the units responsible for the different business areas (SBAs). They are working together in a

Figure 3. Ericssons basic approach to SCRM

Ericssons proactive approach 443

Figure 4. Organization of risk management on a corporate level

matrix-oriented way, for example with a risk management council with representatives from the different units. The roles of the main functions involved are: . corporate risk management has the overall responsibility for risk management in the Ericsson group and has contact with the insurance companies and co-ordinates risk management activities in the whole group, also developing directives; . core unit supply (CSUP) is responsible for the operative work and daily interface with suppliers; . system business area (SBA) has the business perspective and owns the product; and . core unit sourcing is responsible for the commercial interfaces with the supplier and is therefore involved in evaluation of suppliers and when incidents occur. A matrix approach is taken (Figure 5) on a more operational level within the SCM/logistics function (CSUP), as well. A supply chain risk manager, placed within core unit supply, is responsible for development and implementation of SCRM. He is working closely together with corporate risk management, as well as with the line people (supply chain managers), responsible for different supply chains and hence also for the supply chains risks. Supply chain managers are also part of CSUP, but interfacing the SBAs. Supply chain managers should use the tools and processes developed by the SCR manager to analyze, assess and manage risk in their supply chains. In this work purchasers are involved in the assessments of and contacts with suppliers. The roles of the operational people involved in SCRM are: . Supply chain risk manager (SCR manager) at core unit supply runs and coordinates the work to maintain an optimal balance between risk exposures and costs for damages versus protection activities. . Supply chain managers (SCM) within CSUP are the interface to SBAs and have full responsibility for the respective SBAs supply chain. They are responsible for risk management as regards securing the reliability of supply chains and their ability to deliver. . Core production: supports SCM with risk management issues.

IJPDLM 34,5

444

Figure 5. Organization of SCRM within the SCM/logistics function core unit supply

The matrix approach means that many different players are involved in and sharing responsibility for implementing and maintaining information regarding risk management. This could make roles unclear, and hence responsibility grids (Figure 6) are dened. However, the key responsibility lies with the SCMs that should run the risk management work in their respective supply chain. Risk identication process Initially, Ericsson identies and analyzes its supply chain risks by mapping the supply chain upstream, looking at suppliers as well as products/services (Figure 7).

Figure 6. Part of responsibility grid

Ericssons proactive approach 445

Figure 7. Supply chain risk and structure map

The purpose of this is verifying the business ow between Ericsson and the supplier/service provider and dening the critical parts and risk sources in the process, i.e. products, components, sites, etc. The goal is to get a better understanding of what the probability and impact of the risks are. So far, more than 10,000 components have been analyzed, mainly of rst and second tier suppliers. First, each component is classied into four different classes depending on the number of sources: (1) The product is currently sourced from more than one approved source (e.g. two or more manufacturers or one manufacturer with two or more sites). (2) The product is currently sourced from one approved source; other sources are approved and available but not used. (3) The product is currently sourced from one approved source; other sources are available and approved but no tools, masks or other equipment needed are in place. (4) The product is currently sourced from one supplier. No additional manufacturer is available. Ericsson then tries to understand the impact by looking at how long an accident will affect deliveries. This is expressed by business recovery time (BRT). Components are put into four different classes: (1) It takes less than three months to get deliveries from an alternative source. (2) Three to eight months to get approval and deliveries from an alternative source. (3) Nine to 12 months, re-design the only alternative. (4) 12 months, re-design of a unit/product of high complexity. Risk assessment process Then, an in-depth analysis is carried out of the suppliers and sub-suppliers of critical products. For this, Ericsson has developed a tool called Ericsson risk management evaluation tool (ERMET). ERMET (Figure 8) evaluates many different issues in detail, e.g. business control, nancial issues, hazards in the surroundings (external as well as

IJPDLM 34,5

446

Figure 8. Overview of ERMET Ericsson risk management evaluation tool

man-made); hazards at the site; and business-interruption handling. The tool is used to analyze both internal and external suppliers. Internally, the tool will be used in combination with contingency planning. When using ERMET, corporate risk managers and SCR managers often work together, as the tool is complex and requires knowledge to use. Often, a representative from sourcing is brought in, who is responsible for the supplier contacts. Each sub-area in ERMET is thoroughly evaluated by looking into different aspects (see Figure 9), trying to quantify the risk by looking at impact (consequence) and probability. The suppliers total risk situation, and their forecasted development, is then summarized into spider-web diagrams. Those evaluations are done regularly and are used to follow up improvements and action plans. ERMET is mostly focusing on operational accidents and catastrophes and how to avoid business interruption. Ericsson uses other tools to try to identify and assess more strategic uncertainties such as shifts in products or product generations. When a risk or uncertainty source has been identied, the SCR manager facilitates workshops attended by different functional and business specialists where events are discussed that could lead to risks. For each event causes are identied, so that preventive actions can be developed. (This methodology is similar to FTA). The analysis and actions are then summarized into special templates that are later used for follow-up and monitoring of the risks (Figure 10). Ericsson tries to combine impact and probability in a risk map/matrix. But it has found that the risk value (calculated by multiplying impact and probability) is not always easy to use, as the probability could be difcult to get and the value is not always understandable to business people. Therefore, Ericsson is focusing on the nancial impact when assessing which risks to prioritize and for which supplier or components to take actions. To get a nancial value of the impact on Ericssons own business, the company calculates the business interruption value (BIV). Currently this value is dened by gross margin multiplied by the business recovery time (BRT) plus extra costs such as idle capacity labor and equipment, inventory carrying etc. Its aim is to also consider values such as lost goodwill. This calculation is made by the

Ericssons proactive approach 447

Figure 9. Examples of detailed risk assessment and summary diagrams

business control function in order to help the supply chain manager. To categorize the risks, BIV is divided into four classes: (1) Severe: BIV . , $100 million. (2) Major: BIV , $50 million-$100 million. (3) Minor: BIV , $10 million-$50 million. (4) Negligible: BIV , , $10 million.

IJPDLM 34,5

448

Figure 10. Risk map/matrix and corresponding risk management actions

This is then used as a basis for the risk matrix to compare the result from the risk identication process to understand the impact if an interruption occurs (very high, high, medium or low). For each of these risk levels, different actions are required (Figure 11). Ericsson nds risks with high consequences/low probability more important to handle from a risk management perspective than those with low consequence/high probability. Risk treatment/management The third step in Ericssons process is called risk treatment, which includes both developing risk mitigation strategies and deciding on those. This is a line responsibility, and who is doing it depends on which tier the risk source is part of: for higher tier, supplier sourcing is responsible, while for lower tier, the supply chain manager (Figure 6), and for internal plants it is production. Standard templates and tools for this (Figure 10) are developed by the SCR manager. Those templates start with describing the risk source and its probability and consequence, and continue with a summary of different mitigations strategies, their costs and how they affect the risk situation. To compare the cost of different preventive actions with the business interruption value is regarded as very important. Finally, responsible persons are appointed. Risk monitoring and follow-up If the risk level is very high, or high and not mitigated, risk monitoring is required. If the residual risk, after mitigation, is not reduced to an acceptable risk level it must continue to be monitored. Risk assessment and treatment templates (Figure 10) and the spider web (Figure 9) are used to monitor who is responsible internally and how different supply chain partners are developing compared to their commitments. For suppliers and sub-suppliers, special attention is given to how their risk management processes are developing. Incident handling and business continuity planning Ericsson is putting emphasis on developing procedures and templates for incident handling and BCP to decrease the consequences of an accident. After the Albuquerque accident, the process for incident reporting is very important and task forces/emergency teams have been appointed. If an incident occurs, this should be reported to either the sourcing task force (if external supplier) or the SCM task force and production task force (if internal supplier). When an incident has been reported, it should then be communicated to the other task forces as well as to the supply chain risk manager and the corporate risk management (Figure 12). Also, related SBA and

Ericssons proactive approach 449

Figure 11. Templates for risk assessment and treatment, and contingency planning

IJPDLM 34,5

450
Figure 12. Information ow and task forces for incident handling

market representatives that might potentially be affected should be notied. It is not tolerated that suppliers not report incidents they should not rst be reported by newspapers or other sources. The task forces/emergency teams will be trained at least once a year in different scenarios, for example a disruption in the supply chain due to a disaster at a class four supplier. When an incident occurs, the three task forces should work closely together, if necessary. To develop contingency plans, a toolbox is available on the intranet. While the previous contingency planning focus was on site recovery, it has now moved towards a focus on the whole supply chain. If Ericsson cannot manage a risk by eliminating or minimizing the consequences, the company makes a contingency plan to know what to do if something happens. Ericsson has divided contingency planning into three steps (Figure 10): (1) Response plan: the response is the required reaction to an incident or emergency to assess the level of containment and to control activity. (2) Recovery plan: the recovery phase actions shall include the actions that are needed to resume critical or essential business operations, functions or processes. (3) Restoration plan: the process of planning for and implementing full-scale business operations again and to allow the organization to return to normal service level. For each risk source, a responsible person shall be appointed and actions for response, recovery as well as restoration phase be developed. The supply chain approach to risk management and business continuity management Supply chain risk management is not only to analyze, assess and manage internal risks and try to plan for business continuity for the own company. SCRM means widening this approach to the chain of suppliers and suppliers suppliers. This could be done by visiting suppliers and analyze and assess them, but more proactively to make them implement a SCRM approach themselves, which guarantees a further spread upstream.

Ericsson is implementing this approach both by soft discussion and by putting the following guidelines as requirements into the frame contracts: . The supplier shall establish and maintain a secure sourcing plan including regularly updated business continuity and business contingency plans. . The supplier shall identify a back-up site/resource for each relevant site. . A person responsible for initiating the secure sourcing plan activities shall be appointed for each relevant site. . Key personnel at the supplier shall be appointed and reasonably trained on Ericssons specic product requirements. Alternatively, personnel in the facilities concerned shall be prepared to be transferred to the dedicated back-up capacity. . The supplier shall report incidents. . The Ericsson entities placing orders should be allowed to review the plan. . The supplier shall have corresponding requirements on its suppliers and contractors. . The supplier shall actively work with risk management with its contractors and suppliers. . Ericsson shall at any time have the option to acquire some or all assets which are unique for the production of Ericsson products by the supplier. To summarize Ericssons approach for SCRM (Figure 13) it starts with mapping all the components and products many tiers upstream the supply chain and identies critical suppliers and sites that have to be prioritized in the further risk assessment. Suppliers, rst critical then others, are then analyzed and assessed with the Ericsson evaluation tool (ERMET), which takes many different risk sources into account. By these two rst

Ericssons proactive approach 451

Figure 13. Ericssons approach to supply chain risk management

IJPDLM 34,5

452

steps, a rough assessment is made on how a shortage of a material or product will affect the supply chain and, nally, Ericssons invoicing. Based on a more thorough investigation, risk probability and the impact of different accidents at each supplier will be evaluated and the impact measured as business recovery time. The supplier risk is then translated to the risk related to Ericssons business with the impact measured in business interruption value. Based on this assessment, risk management actions can be discussed and taken. A very important part in this last step is to nd the right trade-off between risk management (protection) cost and risk cost (impact measured as BIV): a too high investment in safeguards is not good business practice, either. So far, most joint work has been with the next upstream tier, the contract manufacturers. They have been very positive to and interested in the co-operative approach to secure the supply chain and reduce supply chain risks. An important part of the work has been to share tools and methods used in the risk management process to analyze and assess risks. Business impact of improved supply chain risk management The new SCRM approach has so far contributed well to Ericsson. After the Albuquerque accident, it was quite difcult to get new business-interruption insurances. The insurance companies were skeptical and an increase of insurance costs was agged. Further, they demanded more and more information on risks in the supply chain. With the current way of working with SCRM, this has changed again, and lately, insurance companies have praised Ericssons way of working, and will probably impose the same requirements on other companies. The insurance premium offered was 50 percent lower than Ericsson rst expected, due to its SCRM work. Although the supply chains now are more secure and less vulnerable, there have been incidents after Albuquerque (and always will be). During the implementation of SCRM processes, a new incident occurred at a supplier. A small re in a plating line caused a disruption. This incident gave Ericsson the opportunity to test and verify the processes with a real case. In their risk identication process, the business recovery time for that component was estimated to approximately three months, which proved to be correct. Based on BRT and previous experience, Ericsson could act and set up enough resources to handle the incident. Ericsson quickly enough allocated components, so there was no disruption in their inbound supply. The SCRM tools have also started being used for other purposes than those they were initially developed for. The supply chain risk and structure maps are now also used to assess capacity and dimensioning risks in order to arrange buffers. Another example is that a SBA uses the cause-event analysis for risks related to product introduction, ramp-up and product changes. This indicates that the SCRM work has been positively received by the organization. Concluding discussion Supply chain risk management seems to be of growing interest and importance both from an academic and a practioner perspective. The development lately within SCM/logistics has created long, lean and interconnected chains of companies vulnerable to accidents and their rippling effects. In the last few years, there have been many examples of such accidents, and in this article we have described Ericssons new

approach to SCRM after its supply chain accident in Albuquerque. Ericsson has now developed and implemented improved organization, processes and tools for supply chain risk management. It tries to identify, analyze and manage both internal and external risk sources, related to the company as well as its suppliers and sub-suppliers. By this, and an increased requirement on and cooperation with suppliers regarding risk management, it also tries to avoid impact from network related risk sources. According to Ericsson, an important success factor, to make SCRM work, is having an open discussion with the suppliers, both during risk analysis and assessment, but particularly when handling incidents. Many ideas and tools have been taken from normal risk management practice, but have been applied with a supply chain perspective, focusing not only on Ericssons own activities. As a result, risk consequences have been reduced, Ericsson has been better able to handle incidents and its insurance costs have been reduced. However, the approach is continuously implemented and has still not come to its end (if it ever will). Although Ericssons approach can be considered proactive, the company will stress the importance of having reactive task forces prepared. Even if much resources are invested in risk analysis and assessment, accidents might appear where and when least expected and then an efcient crisis organization must be in place to minimize the consequences. Ericssons work has, to some extent, been driven by a pressure from insurance companies a pressure that most likely will be put on other companies and industries too. What the insurance companies realized, with the Albuquerque accident as a trigger, was that they did not understand the risks, risk sources and consequences that the current long supply chains and their rippling effects had. Hence, a new driving force for companies to work with SCRM could be that insurance companies will require it to reduce insurance premiums or even to sell contingency insurances. Current logistics and supply chain principles have been inuenced by the attempts in the last few decades, rst to reduce costs, then time and quality, and have lately focused on concepts of responsiveness, agility and leanness (Figure 14). Those principles could lead to very vulnerable supply chains, and, consequently, the interest in SCRM has increased lately. However, to safeguard logistics processes too much could be both counteractive to current best practice in logistics as well as too costly. Hence, we would argue that a balanced approach should be taken, where SCRM

Ericssons proactive approach 453

Figure 14. Key focus areas within logistics and SCM

IJPDLM 34,5

454

is one part of the equation. This could be done by trying to relate risk consequences to time (business recovery time) and money (business interruption value) as Ericsson is now doing. Further, it is possible to expand the risk management focus from the companies own sites to suppliers and sub-suppliers by working together in risk identication, assessment, management and business continuity planning, but also by formal assessment of how suppliers are working with those issues and by putting requirements into the contracts. Current and new logistics principles could be evaluated from a SCRM perspective, and risk management actions must be evaluated from a logistics perspective focusing on cost, time, quality etc. Some connections between SCRM and the other areas (Figure 14) are: . Risk and costs: SCRM might create too high prevention costs (reducing probability or impact by increased buffers, new processes, extra suppliers, etc) as well as reduce cost for both business interruptions and insurances. The Ericsson case is an example in which the risk is measured in money (BIV), prevention cost is compared to risk costs, and insurance cost is decreased thanks to improved SCRM. . Risk and time: SCRM might create buffers and processes delaying lead time but through good and well thought out SCRM other actions should be found. Time could also be reduced e.g. the reaction time when an incident or accident happens. Ericsson is also an example of how a time measurement (BRT) is used to assess risk impact. . Risk and quality: these two areas are most similar and should denitely work out well in parallel both have a clear process orientation and a focus on avoiding errors (Lee and Wolfe, 2003, elaborate on this issue). . Risk and agility, responsiveness and leanness: companies efforts to increase agility, responsiveness and leanness have led to increased outsourcing and reduced buffers and lead time and hence to increased vulnerability. Ericsson is characterized by this aspiration and has implied a high risk exposure. However, as these three concepts are very important in todays business, efcient SCRM is important for managing the increased risk exposure. The main contributions of this article have been to stress the supply chain approach in SCRM as a complement to more purchasing oriented studies, and to give a quite detailed description of how SCRM could work in practice. By using a case company that only a few years ago was seriously affected by a sub-suppliers re and hence started to focus on SCRM, it should hopefully bring new insights both to academy and practioners. The interrelation between supply chain risk management and current logistic/supply chain management principles is not clear, and we nd this to be an interesting eld for future research so that SCRM actions neither decreases supply chain efciency nor is seen only as costly and time consuming.

References Cachon, G. (2002), Supply Chain Coordination with Contracts, The Wharton School of Business, University of Pennsylvania, Philadelphia, PA.

Chartered Management Institute (CMI) (2002), Business Continuity and Supply Chain Management, report available at: www.thebci.org/2809-01%20Bus%20Continuity% 20Summ.pdf ttner, U. and Christopher, M., McKinnon, A., Sharp, J., Wilding, R., Peck, H., Chapman, P., Ju Bolumole, Y. (2002), Supply Chain Vulnerability, Craneld University, Craneld. Converium (2001), Suppliers extension or contingent business interruption insurance, available at: www.converium.com/web/converium/converium.nsf/2a1b7a462af6c 00185256ad2000da28c/30c4e3ebc211d4f9c1256ad5004334b5?OpenDocument. Deloach, J.W. (2000), Enterprise-wide Risk Management. Strategies for Linking Risk and Opportunities, Financial Times/Prentice-Hall, London. Eisenhardt, K.M. (1989), Building theories from case study research, Academy of Management Review, Vol. 14 No. 4, pp. 532-50. Hallikas, J., Virolainen, V.-M. and Tuominen, M. (2000), Risk analysis and assessment in network environment a dyadic case study, Preprints of the 11th International Working Seminar on Production Economics, pp. 255-70. Hiles, A. and Barnes, P. (Eds) (2001), The Denitive Handbook of Business Continuity Management, J. Wiley & Sons, Chichester. Johnson, M.E. (2001), Learning from toys: lessons in managing supply chain risk from the toy industry, California Management Review, Vol. 43 No. 3, pp. 106-24. ttner, U., Peck, H. and Christopher, M. (2002), Supply chain risk management: outlining an Ju agenda for future research, in Grifths, J., Hewitt, F. and Ireland, P. (Eds), Proceedings of the Logistics Research Network 7th Annual Conference, pp. 443-50. Lambert, D.M. and Cooper, M.C. (2000), Issues in supply chain management, Industrial Marketing Management, Vol. 29, pp. 65-83. Lamming, R., Caldwell, N., Harrison, D. and Phillips, W. (2001), Transparency in supply relationships: concept and practice, Proceedings of the 10th International IPSERA Conference, pp. 585-94. Lee, H.L. and Wolfe, M. (2003), Supply chain security without tears, Supply Chain Management Review, January/February, pp. 12-20. Lindroth, R. and Norrman, A. (2001), Supply chain risks and risk sharing instruments an illustration from the telecommunication industry, Proceedings of the Logistics Research Network 6th Annual Conference, Heriot-Watt University, 13-14 September, pp. 297-307. Mentzer, J.T., DeWitt, W., Keebler, J.S., Min, S., Nix, N.W., Smith, C.D. and Zacharia, Z.G. (2001), Dening supply chain management, Journal of Business Logistics, Vol. 22 No. 2, pp. 1-25. resund Hazardous Events, Causes and Claims, Mullai, A. and Paulsson, U. (2002), Oil Spills in O Lund University, Lund. Musson, M. (2001), BC strategies for manufacturing and logistics, in Hiles, A. and Barnes, P. (Eds), The Denitive Handbook of Business Continuity Management, J. Wiley & Sons, Chichester, pp. 163-70. Norrman, A. and Lindroth, R. (2002), Supply chain risk management: purchasers vs planners views on sharing capacity investment risks in the telecom iindustry, Proceedings of the 11th International Annual IPSERA Conference, Twente University, 25-27 March, pp. 577-95. Ritchie, B., Brindley, C., Morris, J. and Peet, S. (2000), Managing risk within the supply chain, paper presented at the 9th International IPSERA conference, Ontario, May. (The) Royal Society (1992), Analysis, Perception and Management, The Royal Society, London.

Ericssons proactive approach 455

IJPDLM 34,5

456

Smeltzer, L.R. and Siferd, S.P. (1998), Proactive supply management: the management of risk, International Journal of Purchasing and Materials Management, Vol. 34 No. 1, pp. 38-45. Souter, G. (2000), Risks from supply chain also demand attention, Business Insurance, Vol. 34 No. 20, pp. 26-8. Svensson, G. (2000), A conceptual framework for the analysis of vulnerability in supply chains, International Journal of Physical Distribution & Logistics Management, Vol. 30 No. 9, pp. 731-50. Tsay, A.A., Nahmias, S. and Agrawal, N. (1998), Modelling supply chain contracts: a review, in Tayur, S. et al. (Eds), Quantitative Models for Supply Chain Management, Kluwer Academic, Norwall, MA, pp. 299-336. Wall Street Journal (2001), Trial by re a blaze in Albuquerque sets off major crisis for cell-phone giants, 29 January. Yin, R.K. (1994), Case Study Research Design and Methods, Applied Social Research Methods Series, Vol. 5, Sage Publications, Thousand Oaks, CA. Zsidisin, G. (2001), Measuring supply risk: an example from Europe, Practix, Best Practices in Purchasing and Supply Chain Management, June, pp. 1-6. Zsidisin, G. and Ellram, L.M. (1999), Supply risk assessment analysis, Practix, Best Practices in Purchasing and Supply Chain Management, June, pp. 9-12. Zsidisin, G., Panelli, A. and Upton, R. (2000), Purchasing organization involvement in risk assessment, contingency plans, and risk management: an exploratory study, Supply Chain Management: An International Journal, Vol. 5 No. 4, pp. 187-97. Further reading A.T. Kearney and European Logistics Association (1999), Insight to Impact. Results of the 4th Quinquennial European Logistics Study, ELA, Brussels. Lonsdale, C. (1999), Effectively managing vertical relationships: a risk management model for outsourcing, Supply Chain Management: An International Journal, Vol. 4 No. 4, pp. 176-83.