Supplier risk assessment and monitoring

Transcription

1 The current issue and full text archive of this journal is available at wwwemeraldinsightcom/ htm assessment and for the automotive industry Jennifer V Blackhurst, Kevin P Scheibe and Danny J Johnson Logistics, Operations and MIS Department, College of Business, Iowa State University, Ames, Iowa, USA 143 Received September 2007 Revised December 2007 Accepted January 2008 Abstract Purpose This research aims to develop a supplier risk assessment methodology for measuring, tracking, and analyzing supplier and part specific risk over time for an automotive manufacturer Design/methodology/approach Supply chain risk literature is analyzed and used in conjunction with interviews from the automotive manufacturer to identify risks in the supply base These risks are incorporated into the development of a temporal risk system Findings A framework of risk factors important to the auto manufacturer is presented A multi-criteria scoring procedure is developed to calculate part and supplier risk indices These indices are used in the development of a risk system that allows the indices to be tracked over time to identify trends towards higher risk levels Research limitations/implications There are a number of operational issues identified in the paper that could be investigated in future research One such issue is the development of alternative risk assessment methods that would increase the sensitivity of the risk analysis Practical implications The framework is implementable in firms interested in understanding and controlling risk in their supply base The research stems from an industry project with an automotive manufacturer The method is designed to be practical and easy to implement and maintain The system also has a visual reporting mechanism designed to provide early warning signals for potential problems in the supply base and to show temporal changes in risk Originality/value This paper presents a dynamic risk analysis methodology that analyzes and monitors supplier risk levels over time Keywords Supplier chain management, Risk assessment, Supplier relations, Risk management, Automotive industry, United States of America Paper type Research paper 1 Introduction Supply chain disruptions are unplanned events that may occur in the supply chain which might affect the normal or expected flow of materials and components (Svensson, 2000) The management of supply chain risk has garnered an increased focus from supply chain managers due to the detrimental impact that supply chain glitches or disruptions can have on supply chain performance Supply chain disruptions can result in a variety of problems such as long lead-times, stock-outs, inability to meet customer demand, and increases in costs (Levy, 1995; Svensson, 2000; Riddalls and Bennett, 2002; Chopra and Sodhi, 2004) Ultimately, these problems have an adverse effect on the financial performance of the firm (Hendricks and Singhal, 2003, 2005) While the true The authors would like to thank Cliff Ragsdale for his help in improving this manuscript International Journal of Physical Distribution & Logistics Management Vol 38 No 2, 2008 pp q Emerald Group Publishing Limited DOI /

2 IJPDLM 38,2 144 costs and financial impact of these disruptions are difficult to quantify, research has shown them to be quite large in terms of both time and money For instance, in 1997 Boeing experienced a supplier delivery failure of two critical parts with an estimated loss to the company of $26 billion (Radjou, 2002) In 2002, less than 100 workers in a longshoreman union strike disrupted west coast port operations It took six months for some containers to be delivered and schedules to return to normal (Cavinato, 2004) In July 2007, Toyota Motor Corporation halted production in all Japanese factories due to an earthquake that severely damaged Riken Corporation, their major parts supplier for piston and seal rings Moreover, the damage to Riken affected other automotive manufacturers, prompting suspended production at facilities for Mitsubishi Motor Corporation, Suzuki Motor Corporation and Honda Motor Corporation, all of whom depend on Riken for engine parts (Hayashi et al, 2007) While the ability to manage risk effectively is critical to ensure a smooth flow of products through the supply chain, this area has only recently received attention in supply chain research (Jüttner et al, 2003) Traditionally, safety stock and safety lead time buffers were used to protect against risk and uncertainty in the supply chain However, such measures are less attractive than they used to be due to an increased focus on supply chain agility and responsiveness (Zsidisin et al, 2005) Consequently, a new focus on managing and mitigating risk which extends beyond the four walls of a plant is required (Peck and Christopher, 2004) This focus includes managing risk in the supply base and provides the motivation for this study A major US-based automotive manufacturer, henceforward called auto manufacturer for purposes of confidentiality, approached the authors with the challenge to develop a supplier risk methodology that could be used to track and analyze part and supplier risk over time The request for this methodology was motivated by recent disruptive events in the auto manufacturer s global supply chain that stopped production at a number of their facilities The auto manufacturer s requirements for the methodology included: it must be practical and not overly burdensome; it must be quick to implement and easy to maintain; it must have a visual reporting mechanism; and it must be able to provide early warning signals for potential problems in the supply base and capture temporal changes in risk In summary, the amount of data required must be manageable and relatively easy to obtain with results that are easy to understand and communicate across the company Additionally, the methodology must incorporate predictive and trend analysis capabilities Therefore, the focus of this research is the design of a methodology for measuring, tracking, and analyzing supplier and part specific risk indices over time As such, the methodology can be used to improve the prediction and management of supplier-based disruptive events in the supply chain This paper contributes to research in the area of supply chain risk management in three ways First, it presents a framework of risk categories and factors that are both important to the auto manufacturer and based in the current supply chain risk literature However, the categories used are flexible and can be adapted to fit the needs of other industry sectors and companies based on their own specific inherent risks Second, this research presents a

3 methodology using a multi-criteria scoring procedure to calculate risk assessment scores for the supply base Specifically, the methodology takes raw data and converts it into an appropriate form for supply risk managerial decision support for issues such as supply base reduction, contract awards, or contract renewals Third, the methodology is designed to allow part and supplier risk indices to be tracked in a dynamic nature over time to identify trends towards higher risk levels Managers can use this information to develop risk mitigation strategies in a proactive and preventative manner to help avoid disruptions before they occur or at the very least, lessen their impact The remainder of this paper is organized as follows In the next section, we review the research literature on managing supply chain risk and supplier risk assessment tools In Section 3, we present our proposed multi-attribute risk analysis methodology and describe its use Section 4 discusses operational issues related to the proposed methodology Section 5 serves to detail the auto manufacturer s feedback of the proposed methodology Finally, we present our conclusions, limitations of the methodology, and future work in Section Literature review In general, a supply risk management process consists of four components: (1) risk identification; (2) risk assessment; (3) risk management decisions and implementation; and (4) risk (Hallikas et al, 2004) Risk identification is a subjective component within this process Each organization is responsible for its own risks and must identify them according to the company s perspective In addition to those risks identified by specific organizations, there are risks common to companies within and across industries Chopra and Sodhi (2004) presented a high-level categorization of potential risks in a supply chain, their associated drivers, and methods for defining appropriate mitigation strategies Zsidison (2003) studied managerial perceptions of supply risk and used these to create a classification of supply risk sources Johnson (2001) discussed risks specific to the toy industry (such as very high seasonality and the short life cycle of fad toys) Once risks are identified, their impact and probability must be assessed The risk diagram shown in Figure 1 can be helpful in this respect (Hallikas et al, 2004) Very high High Probability Medium Minor None None Minor Medium Serious Catastrophic Impact Figure 1 Risk diagram for risk identification

4 IJPDLM 38,2 146 Zsidisin et al (2004) examined tools and techniques used by purchasing departments within organizations to assess supply risk Sinha et al (2004) investigated supplier risk in the aerospace industry and developed an integrated definition for function modeling (IDEF0) based risk management method IDEF0 is a structured modeling method for developing functional or activity models of systems or enterprises (Mayer et al, 1994) Once the model was developed, they employed failure modes and effect analysis (FMEA) to analyze and prioritize potential failures Pai et al (2003) developed a Bayesian network to assess and analyze supply chain risk Wu et al (2006) developed an analytic hierarchy process (AHP) based supplier risk assessment tool to determine the relative weights of individual risk factors Using these weights and the probability of each risk factor occurring for a supplier, an overall risk index was computed Methods for assessing risk are also contained in the growing literature bases on supplier selection (see Talluri and Narasimhan, 2002 for an overview of these methods) Once the risks are assessed, a number of strategies can be used to manage the risk These include: transferring risk, taking risk, eliminating risk, reducing risk and subdividing risk into individual levels for further analysis (Hallikas et al, 2004) Rice and Caniato (2003) classified mitigation techniques by failure mode in a supply chain Zsidisin et al (2005) examined how and why firms created business continuity plans to manage risk in the supply chain Zsidisin and Smith (2005) performed case study research focused on managing supply risk through early supplier involvement Johnson (2001) presented strategies for dealing with risks related to toys Faisal et al (2006, 2007) used graph theory and matrix methods to mitigate supply chain risk Finally, Nagurney et al (2005) used multi-criteria decision-making to manage risk of manufacturers and distributors The last step, risk, has received the least attention by supply chain risk researchers and the literature has shown little focus on the tools necessary for temporal risk While Hendricks and Singhal (2005) have noted an increased focus on developing tools to prevent or mitigate supply chain disruptions, we found only two papers that actually developed prototype methods The first methodology developed by Humphreys et al (2005) is a supplier assessment tool designed for new product development processes While the methodology does include a risk index as a part of the measurement system, its focus is on supplier capability to meet customer requirements The second methodology developed by Wu et al (2006) is an AHP-based supplier risk assessment tool While the method is comprehensive in its enumeration of risk types, it becomes more difficult to use as the number of suppliers being evaluated grows large In addition, AHP is designed to take into account judgment and personal values and has widespread applications for making decisions such as allocation of resources, analyzing the impact of a policy, and resolving a conflict (Saaty, 1990) However, it is not designed to be a temporal tool and consequently, does not focus on assessing supplier risk over time This same difficulty applies to the analytic network process (ANP) ANP is used to aid decision makers in making a choice from a myriad of options ANP has been successful in decision making in energy policy planning, product design, equipment replacement (Sarkis, 1998) and for selecting a logistics service provider (Jharkharia and Shankar, 2007) In summary, most supplier risk assessment research to date has concentrated on categorizing and assessing risk and/or provided general insights on mitigating risks

5 Of the two methodologies we did find to monitor risks, neither addresses measuring, assessing and supplier risk over time In addition, research that has examined supplier evaluation models has indicated that most methods are too mathematically complex to implement and understand, require excessive amounts of data, or are too subjective (Humphreys et al, 2005; Verma and Pullman, 1998) The system described in this paper gives managers an easy to use temporal methodology to measure, track, and analyze supplier and part specific risk indices This information can be used in a proactive fashion to manage and monitor risk and to develop strategies to mitigate potential supply disruptions Proposed risk assessment methodology To aid in understanding our proposed supplier risk assessment methodology, consider the disk brake system and related components for a car shown in Figure 2 This brake system contains three primary components: the caliper assembly, the brake rotor, and the hub assembly The rotor and the wheel (not shown) are mounted on the hub assembly The hub assembly is attached to the suspension system of the car, and it contains bearings that allow the hub and rotor to freely turn when the car is moving The caliper assembly is also mounted on the suspension system, and when the brakes are applied, it squeezes the rotor between the brake pads causing the car to stop Our supplier risk methodology uses a multi-criteria scoring procedure (also called a factor weighting procedure, see for example, Ragsdale, 2001) to develop risk indices for parts and suppliers Multi-criteria scoring models are often used for decision making in situations where a number of different factors must be considered, making it appropriate for use in this situation The disk brake system just described will be used in the following sections to illustrate the scoring procedure and our proposed methodology 31 Categories of risk In order to assess supplier risk, the risk categories must first be specified The categories included in our methodology are based on those proposed by Chopra and Hydraulic Brake Hose Bleeder Screw Disc Brake Rotor Hub/Bearing Assembly Caliper Assembly Disc Brake (Typical) Brake Pads Pad Wear Sensor Disc Brake Hardware Brake Pad Shim Source: wwwmidascom/midas_u/brakes_howitworksaspx Figure 2 Typical hub assembly, rotor, and caliper assembly for a disk brake system

6 IJPDLM 38,2 148 Sodhi (2004), as well as other supply chain risk assessment research (Zsidisin and Ellram, 1999; Zsidisin et al, 2004; Zsidisin and Smith, 2005), and interviews with the auto manufacturer Chopra and Sodhi s (2004) framework contained nine risk categories: disruptions, delays, systems, forecast, intellectual property, procurement, receivables, inventory, and capacity Because their risk assessment framework was general and not specific to the automotive industry, it was necessary to expand or add categories to address the specific risks for this research For example, in the Chopra and Sodhi framework there was a risk category called delays While this is a reasonable category in general terms to describe delays in material flows, it is insufficient to capture the necessary detail of risk elicited through our interviews with the auto manufacturer Consequently, we expanded delays into logistics, supplier dependence, and quality Another addition to Chopra and Sodhi s framework was the legal category While intellectual property captures one aspect of legal issues, it does not address such things as legislative action related to importing/global sourcing (Zsidisin et al, 2004) We also changed the systems category to information systems to remove ambiguity Lastly, two new risk categories management and security were added for completeness as necessitated by our interviews with the auto manufacturer and the supply chain risk literature Table I shows the categories of risk for the auto manufacturer and whether they are internal or external to the supplier firm The risk categories presented in Table I incorporate and summarize current supply chain risk research, as well as additional risks elicited from the auto manufacturer Each category is broken down into individual risk factors called subcategories These subcategories are then classified as either an internal or external risk An internal risk is one over which the supplier firm has control In contrast, a supplier firm has limited or no control over external risk For instance, in the disruptions/disaster category, the potential for a fire can be controlled by safety measures the supplier firm puts in place while political unrest in a region is generally uncontrollable While some risks are external, the firm can and should account for them in risk mitigation plans For example, firms in the Southeastern USA cannot control hurricanes; but they can certainly develop mitigation strategies to deal with the potential consequences of such storms While all of the risk categories shown in Table I ought to be considered in practice, due to space limitations, our example considers only the categories of quality and disruptions/disasters Finally, it should be noted that while this research presents a categorization of risk specific to the auto manufacturer based on the needs of the firm as well as supply chain risk literature, other firms adopting a supplier risk methodology will need to define risk categories based upon their own needs, industry type, supply chain type, etc In other words, there is no one size fits all approach to assessing risk 32 Data requirements In our proposed methodology, weights are used to indicate how important each risk category is with respect to disruptions affecting the company The weights can be based on the probability of each category of disruption occurring, the relative impact that each category of disruption has on supply, or any other factor considered important to the company The sum of all of the category weights must equal 100 percent In this example, quality was more important than disruptions/disasters

7 Subcategories Category of risk Internal risks External risks Disruptions/disasters Logistics Supplier dependence Quality Information systems Forecast Legal Intellectual property Procurement Receivables (accounting) Inventory Capacity Labor dispute Disaster events in plant such as fire Labor availability On-time delivery to customers Transportation and shipping Delivery responsiveness Ease of problem resolution Value of product Defects/million Timeliness of corrective actions Information infrastructure breakdown Level of system integration Inaccurate forecast Lead time variance Natural disaster such as earthquake, fire, flood, storm Labor dispute Supplier bankruptcy War and terrorism Political issues/unrest Border crossing and customs regulations Number of brokers Number of transfer points Vessel capacity and channel overload Port issues and infrastructure Product uniqueness On-time delivery from vendors Supplier location Supplier manufacturing capacity Flexibility of supply source Dependency on a single source of supply Product complexity Ability to share information with suppliers Product demand variations Legislative action related to importing/ global sourcing Vertical integration of supply Global outsourcing and markets chain Proprietary technology Part price Exchange rate risk Percentage of a key component or raw material procured from a single source Long-term versus short-term contracts Contract compliance Number of customers Financial strength of customers Responsiveness Inventory holding cost Rate of product obsolescence Storage requirements Product value Packing requirements and part size Cost of capacity Capacity flexibility Management Lack of visibility Communications Security IS system security Theft IT Hacking 149 Table I Categories of supply chain and we assigned a weight of 60 and 40 percent, respectively The individual factors that comprise each risk category (termed subcategories in Table I) and their relative weights must also be defined The weights indicate how important each subcategory is to the parent risk category The weights can also be based the subcategory s likelihood

8 IJPDLM 38,2 150 to disrupt the supply of material coming to the plant, or the disruption severity The subcategory weights for a given category must also sum to 100 percent Once the risk categories and subcategories are defined, a rating must be established for the performance of each supplier on each subcategory For example, in the case of the quality category, the rating given to a particular supplier on each subcategory would be part specific since defects per million, product complexity, value of product, etc will vary from part to part In this situation, separate ratings must be entered for each part purchased from a particular supplier In contrast, ratings for each subcategory for the disruption/disaster category are unlikely to vary for different parts from the same supplier unless the parts come from different plants owned by the supplier In other words, the disruption/disaster category is plant specific rather than part specific Thus, ratings for plant specific categories only need to be entered once for a given supplier (unless they have multiple plants) In our methodology, the rating for each subcategory was based on a scale from 0 to 100, with a higher number indicating the supplier performs worse on that subcategory For example, suppose under the quality category that defects for different parts generally range from 0 to 500 parts per million and that defect ranges above this amount substantially increase the probability of reducing the output of the assembly line or potentially shutting it down If the data indicate the hub from Supplier 2 has approximately 650 defects per million, a rating of 70 might be assigned to that subcategory, indicating the supplier quality is poor on that part The last item of data needed to begin the risk assessment calculations is the percent of total volume of each part purchased from a given supplier These data are calculated from transactional information contained in a database 33 Part risk assessment calculations The data for the risk assessment calculations used in this example are shown in Table II As illustrated, Suppliers 1 and 2 each supply 50 percent of the caliper assembly, Suppliers 2 and 3 supply 90 and 10 percent, respectively, of the hub assembly, and Suppliers 2 and 4 supply 40 and 60 percent, respectively, of the rotor The relative weights assigned to the categories and subcategories are shown, as are the ratings for each supplier for each part on each subcategory (as previously mentioned, due to space limitations, our example considers only the categories of quality and disruptions/disasters) A multi-criteria scoring procedure is used to calculate all risk assessment scores For each part, the risk assessment score for each subcategory is found by first multiplying each supplier s rating on that subcategory by the percent of production purchased from that supplier to get the individual supplier score on that part subcategory The subcategory suppliers scores are then added together to get the overall score for that part and subcategory For example, the calculation for the caliper assembly on the defects per million subcategory is (30 50 percent) þ (90 50 percent) ¼ 60 (see Appendix for the mathematical notation used for all risk calculations) Similarly, the calculation for the hub assembly on the timeliness of corrective action subcategory is (85 90 percent) þ (15 10 percent) ¼ 78 All scores will range from a minimum of zero to a maximum of 100, with a higher score indicating a worse risk assessment All scores are rounded off to one decimal place In order to quickly and easily visualize all of the risk assessment scores, the scores for each part and subcategory are shown on a heat graph (Figure 3) This heat graph

9 Caliper assembly Hub assembly Rotor Supplier Supplier 1 Supplier 2 Supplier 2 Supplier 3 Supplier 2 Supplier 4 Percentage of supply Category/subcategory Weight (percent) Rating Rating Rating Rating Rating Rating Quality 60 Defects/million Ease of problem resolution Product complexity Timeliness of corrective action Value of product Total weights 100 Overall supplier quality rating for each part Disruptions/disasters 40 Earthquake Fire Flooding Labor availability Labor dispute Political issues Supplier bankruptcy War and terrorism Total weights 100 Overall supplier disruption rating for each part Overall supplier rating for each part Table II Data for risk assessment calculations

10 IJPDLM 38,2 Overall Rating Quality Disturption/ Disasters Ease of Problem Resolution Product Complexity Timeliness of Corrective Action Value of Product Quality Mean Earthquake Fire Flooding Labor Availability Labor Dispute Political Issues Supplier Bankruptcy War and Terrorism Distribution/Disasters Mean 40% 60% 10% 15% 10% 100% 5% 100% 5% 30% 5% 15% 10% 25% 15% 25% Figure 3 Part heat graph Critical High Risk Medium Risk Low Risk Defects/Million Category Weighting Sub-Category Weighting 30% 600 Caliper Assembly 645 Hub Assembly 300 Rotot

11 concept is similar to that used by Norrman and Jansson (2004) for supply chain risk analysis Heat graphs use different colors to highlight the severity of a particular risk category or subcategory For example, in our proposed methodology, a critical risk score is one that is greater than 75 and is shown in red (black in Figure 3), a high-risk score is greater than 50 and less than or equal to 75 and shown in orange (diagonal lines in Figure 3), a medium risk score is greater than 25 and less than or equal to 50 and shown in yellow (horizontal lines in Figure 3), and a low-risk score is less than or equal to 25 and shown in white Thus, ease of problem resolution for the hub assembly falls in the critical risk range, defects/million for the caliper assembly falls in the high-risk range, etc Heat graphs of this type allow the analyst to focus quickly on the critical few (hopefully) high scores The heat graph also shows the mean score for each part within each category This mean is calculated by multiplying the scores for each subcategory for a particular part by the weight assigned to that subcategory and then summing the resulting products within that category For example, the quality mean calculation for the hub assembly is ( percent) þ ( percent) þ ( percent) þ ( percent) þ (35 5 percent) ¼ 645 All mean scores range from a minimum of zero to a maximum of 100, with a higher score indicating a worse risk assessment The overall score for each part across all categories is shown on the heat graph This score is computed by multiplying the category mean for each part by the weight for that category and then summing these products across all categories For example, the overall rotor risk assessment score is ( percent) þ ( percent) ¼ 367 As before, these overall mean scores will range from a minimum of zero to a maximum of 100, with a higher score indicating a worse risk assessment assessment calculations While the previous section illustrated how to analyze the risk for each part, it is also useful to analyze the risk for each supplier These calculations are slightly different than the calculations for each part If a supplier only supplies a single part, the risk assessment calculation for that supplier on any given subcategory is simply the supplier s rating on that part and subcategory For example, the risk assessment for Supplier 4 on product complexity is 15 In contrast, if a supplier provides multiple parts, the score is more heavily weighted towards those parts to which the supplier provides a greater percentage At the same time, the overall score must be normalized such that the minimum score is zero and the maximum score is 100 To achieve this objective, a supplier s rating on a particular subcategory is first multiplied by the percentage of that part provided by the supplier, these products are summed across all parts supplied by that supplier, and the resulting sum is divided by the sum of all the percentages of parts supplied For example, Supplier 2 supplies all three parts of the brake assembly The ease of problem resolution calculation for this supplier is [(70 50 percent) þ (85 90 percent) þ (75 40 percent)]/(50 percent þ 90 percent þ 40 percent) ¼ 786 All supplier risk assessment calculations for each subcategory are shown on a heat graph (Figure 4) The heat graph also shows the mean for each supplier within each category, in addition to the overall mean across all categories These calculations are performed in the same fashion as for the part heat graph

12 IJPDLM 38,2 Overall Rating Figure 4 Supplier heat graph Quality Disrptions/ Disasters Defects/Million Ease of Problem Resolution Product Complexity Timeliness of Corrective Action Value of product Quality Mean Earthquake Fire Flooding Labor Availability Labor Dispute Political Issues Supplier Bankruptcy War and Terrorism Disruptions/Disasters Mean Critical High Risk Medium Risk Low Risk 40% 60% Category Weighting 10% 15% 10% 100% 5% 100% 5% 30% 5% 15% 10% Sub-Category Weighting 30% 25% 15% 25% Supplier Supplier Supplier Supplier

13 35 Sensitivity of the methodology and critical part and supplier analysis In creating the proposed methodology for the auto manufacturer, one issue we needed to address was the sensitivity of the methodology for large and complex supply chains with potentially hundreds of suppliers and thousands of parts In order to address this issue, we propose focusing the tool on those suppliers and parts that have the potential to shut the supply chain down Such classification systems exist in the literature For example, Norrman and Jansson (2004) discussed how Ericsson classifies thousands of components used in their products into four categories of sourcing strategies: (1) product has multiple suppliers; (2) product has one supplier but others are on standby if needed; (3) product has one supplier but others are approved (but not ready to produce parts) if needed; and (4) product is sole sourced 155 This theme towards understanding critical suppliers and parts is found in other recent supply chain risk literature as well Craighead et al (2007) discussed the need to identify critical parts and their suppliers (such as parts that are procured from a single supplier) so that critical nodes in the supply chain can be found Once found, plans can be developed to deal with potential supply chain disruptions in these nodes While the heat graphs illustrated in the previous two sections provide a summary of the risk assessment for parts and suppliers as a whole, the part heat graph is averaged over all suppliers and the supplier heat graph is averaged over all parts provided by a particular supplier They do not indicate the cause of particular risk assessment averages, and a risk assessment analyzer would be unable to determine the causes of the risk from the heat graphs per se In addition, since the heat graphs are averaged, they may hide risk levels for particular subcategories that are unacceptably high What is needed is a way to drill down further in the data to determine what risk factors are at unacceptable limits Any risk assessment methodology should be able to develop a list of rank ordered critical parts (whether pre-specified or determined by the assessment tool); with critical risk parts at the top and low-risk parts at the bottom (Figure 5) Users can then drill down by clicking on the þ by the part in question to show suppliers for that part Each supplier should also be expandable to show the categories and subcategories, all with their respective risk levels This allows the user to determine the categories and subcategories that cause the high-risk rating For example, Figure 3 shows the hub assembly has a high-risk level Figure 5 shows this is primarily caused by high-risk ratings on several subcategories in both the quality and disruptions/disaster categories by Supplier 2 In a similar fashion, suppliers can be rank ordered according to their risk levels (Figure 6) To drill down, the user would click on the þ by the supplier in question and the list would expand to show the parts provided by that supplier Each part should also be expandable to show the categories and subcategories and their respective risk levels For example, Figure 4 shows Supplier 2 has the highest risk level As shown in Figure 6, when Supplier 2 is expanded it reveals that the caliper assembly has the highest overall risk level for the parts supplied by Supplier 2 This was not evident when looking at either the part or supplier heat graphs alone

14 IJPDLM 38,2 Part + Hub Assembly Risk Level 618 Part + Supplier + Category + Subcategory Hub Assembly Risk Level Caliper Assembly 435 Supplier Rotor 367 Quality Ease of Problem Resolution Timeliness of Corrective Action 850 Defects/Million 700 Value of Product 350 Product Complexity 300 Disruptions/Disasters 600 Labor Dispute 850 Fire 800 Labor Availability 700 Political Issues 600 War and Terrorism 600 Earthquake 350 Flooding 350 Supplier Bankruptcy 100 Figure 5 Critical parts list with drill down capabilities + Supplier 3 + Caliper Assembly + Rotor Further expansion of the caliper assembly shows the categories and subcategories responsible for this rating As illustrated, defects/million, timeliness of corrective action, labor disputes, and fire are at critical levels and these areas require attention Thus, the ability to drill down into the data provides essential information to decision makers in a very manageable fashion by aggregating and ordering a very large amount of information graphically 36 Predictive risk analysis One of the biggest challenges posed by the auto manufacturer was the need for the risk analysis methodology to predict disruptive events prior to their occurrence This was prompted by frustration on the part of the auto manufacturer having to shut down manufacturing lines due to unexpected disruptions in the supply chain The auto manufacturer wanted to change from a reactive supply risk management mode to one that was proactive To do this, risk ratings and/or risk indices must be tracked over

15 Supplier + Supplier 2 Risk Level 645 Supplier + Part + Category + Subcategory Supplier 2 Risk Level Supplier 3 + Supplier Caliper Assembly Quality Supplier Defects/Million 900 Timeliness of Corrective Action 900 Ease of Problem Resolution 700 Value of Product 300 Product Complexity 200 Disruptions/Disasters 600 Labor Dispute 850 Fire 800 Labor Availability 700 Political Issues 600 War and Terrorism 600 Flooding 350 Earthquake 350 Supplier Bankruptcy 100 Hub Assembly Quality Disruptions/Disasters 600 Rotor Disruptions/Disasters Quality Supplier Supplier Supplier Figure 6 Critical supplier list with drill down capabilities

16 IJPDLM 38,2 158 time and trends monitored to determine if they are reaching unacceptable levels In this way, the user can predict a problem before it occurs and offer mitigation strategies For instance, if a supplier is still within acceptable risk levels on a particular risk category but time-based data show a trend towards unacceptable risk levels, the supplier or part can be flagged, root causes identified by drilling down through the data as described in the previous section, and disruption mitigation strategies can be developed before the disruption occurs Figure 7 shows proactive risk analysis by looking at the overall risk for suppliers over time, while Figure 8 looks at overall risk for different parts over time Troublesome supplier and part risk trends could be flagged by: Specifying the maximum percentage change in risk allowed over a specified period Establishing control limits within which risk indices, individual risk subcategories, etc are allowed to fluctuate before corrective action is taken Similar graphs may be constructed to track risk for individual parts coming from individual suppliers as well Figure 7 trends over time Risk Score Supplier 1 Supplier 2 Supplier 3 Supplier Time Period Figure 8 Part risk trends over time Risk Score Caliper Assembly Hub Assembly Rotor Time Period

17 4 Operational issues There are a number of operational issues that must be addressed when using the risk methodology presented in this paper First, the number of categories and subcategories used becomes a balancing act Firms adopting this methodology should carefully assess which categories and subcategories of risk are most important for measuring problem areas in the supply base that can lead to supply disruption risk As more subcategories are added to a particular category, the relative impact each subcategory has on the score of the overall category declines Similarly, as more categories are added to the risk tool, the relative weight each category contributes to the overall risk index of a supplier or part declines In both cases, the risk indices become less sensitive to a large risk rating on any one factor As a result, the riskiness of a supplier can become lost in the morass of factors measured While the firm needs enough categories and subcategories to accurately measure risk, the number should be kept to a minimum Owing to the importance each category and subcategory has on the overall risk assessment, they should be established by higher-level management decision makers most familiar with assessing supplier risk and the factors that contribute to that risk Second, weights need to be established for each category and subcategory The relative weights indicate how important each category or subcategory is with respect to disruptions affecting the supply base of the firm A higher weight on a particular factor will cause that factor to have more impact on the calculated risk index As previously mentioned, the weights can be based on the probability of each category of disruption occurring, the relative impact each category of disruption has on supply, or any other factor considered important to the company Given the importance of the weights to the overall assessment process, they should also be established by higher-level management decision makers familiar with risk assessment Third, each subcategory must be rated Some factors such as war and terrorism, political issues/unrest, information infrastructure breakdown, level of system integration, etc are quite subjective and ratings on these factors should be made by higher level managers familiar with assessing these factors In contrast, factors such as on-time delivery, defects/million, value of the product, etc are more quantitative and definitive in nature Provided appropriate data entry forms are created (by upper level decision makers familiar with risk assessment) that allow the user to pick from a menu of available options, ratings for these factors can be made by purchasing agents, production control personnel, quality inspectors, production level employees, etc Depending on the relationships a firm has with its suppliers, some of these ratings may even be filled in by the individual suppliers via a web-based methodology To help prevent rating bias from occurring, the individuals rating each factor should not be able to view the weights applied to each category or subcategory Fourth, in order to use the methodology in a proactive manner, the ratings on each subcategory must be updated on a periodic basis and the data analyzed for patterns, high-risk levels, or trends that indicate potential problems If the methodology is updated too frequently, the job becomes too onerous and it will be difficult to get the employees, suppliers, etc to buy in and to use the methodology In contrast, if the methodology is updated too infrequently, too much time can elapse and the predictive capability of the methodology is reduced While the time interval between updates will vary from firm to firm, daily updates are likely too often, while monthly updates are 159

18 IJPDLM 38,2 160 probably not often enough Somewhere between these two periods is most likely to be effective Moreover, some subcategories should be updated more often than others For example, defects per million would be updated with each batch received, whereas earthquakes or other natural disasters would (hopefully) occur much less frequently Therefore, the time interval between updates will also vary from subcategory to subcategory As the operational issues just discussed indicate, the methodology described in this paper is capable of integrating information from a variety of individuals at various levels both within the company and between the company and its suppliers The categories, subcategories, weights, and ratings for subjective factors would be made by decision makers at higher managerial levels in the organization, while the actual recording of ratings for more quantitative and definitive factors such as defects/million could be made by purchasing managers, production level employees, etc Each of these data entry points can be secured to prevent unauthorized access Thus, the risk tool is capable of securely capturing and integrating risk information at varying levels, both within the organization and between the organization and its suppliers This is especially noteworthy since past research has primarily focused on risk analysis at the highest levels in the firm Next, if the company changes the weighting of a particular category or subcategory, it is not necessary to re-enter the specific data values This makes it easy to perform what-if analysis to investigate how different scenarios affect the riskiness of a supplier or a part It also makes it easy for managers to adjust the tool so that a particular risk index is sensitive to changes in categories which have the most impact on risk levels For example, a manager might want to increase the weight of the quality category to make the overall risk measure more sensitive to quality measures due to recent problems with a particular part Finally, the use of the tool as a cross-functional risk process must be considered Through our interviews with the auto manufacturer, the challenge is to have supply chain risk management become a part of the job responsibility across different functions with all functions involved collaborating and communicating effectively This is called for in the literature as well For example, Kiser and Cantrell (2006) stated that communication in effective supply risk management cannot be overemphasized Use of the supplier risk methodology in this paper allows for the understanding of risky parts of the supply base and provides a tool to better predict where disruptions have the potential to shut down portions of the supply chain 5 Feedback from the auto manufacturer The auto manufacturer needed the supply chain risk methodology to be practical, quick to implement, not overly burdensome, and easy to understand and maintain Risk managers at the company indicated that the methodology must be implementable by a variety of supply chain analysts without a steep learning curve or specialized skill set and it must be independently effective (ie not dependent on the user) It was also requested that the methodology have a visual reporting mechanism, provide early warning signals for potential problems in the supply base, and capture changes in risk over time The visual reporting mechanism is important to quickly identify risk without requiring complex analysis or sifting through large amounts of report data Moreover, the ability to view changes in risk over time would help identify early warning signs of potential disruptive events before the events disabled a portion of the supply chain

19 After reviewing the methodology proposed in this paper, the auto manufacturer was pleased with the result and indicated the methodology had met the criteria laid out at the start of the research project The straightforward and flexible manner of the methodology was well received and the auto manufacturer stated that it is too early to use overly sophisticated and brittle methods We need an easily employable and understandable method such as this The focus on operational risks rather than strategic risks was discussed and the auto manufacturer indicated an appreciation for that focus, saying we are looking at our existing supply chain and supply base for this method in order to better manage material flow on a daily basis They also indicated the methodology was an effective tool for managing current operational risk rather than future or strategic long-term risk The auto manufacturer discussed plans to implement a pilot version of the methodology on a small group of select parts and suppliers, but these plans have not yet been implemented The auto manufacturer was pleased that the foundation of the risk framework was based on current supply chain risk research They were satisfied with the risk categories, noting that the risks critical to their company were included They also agreed that the risk categories needed to be kept to a minimum so as not to dilute the power of the each category and subcategory The auto manufacturer discussed several ideas pertaining to the development of the risk weights and subcategory ratings They indicated the weights and ratings could be based on: information contained in a detailed event log of supply chain disruptions they maintain that can help determine how often risk events occur and how difficult they are to resolve; the number of people needed to resolve the problem, the number of days to fix the problem and how frequent the risks occurred; and the development of a method to measure leadership risk appetite to help determine acceptable levels of risk 161 Finally, the auto manufacturer mentioned that a change of culture was necessary to implement the methodology and that the company needed to develop a culture of cross functionally managing risk on a daily basis 6 Conclusions and future work This paper has presented the design of a proposed supplier risk methodology based upon a project with a US-based automotive manufacturer In the growing literature base on supply chain risk, researchers have presented supply chain risk management methodologies that emphasize the need for risk (Hallikas et al, 2004; Norrman and Jansson, 2004; Zsidisin and Ellram, 1999) In fact, Hallikas et al (2004) noted that risk is not a static measure and called for tools to identify trends This research is a first step towards filling that need The proposed methodology calculates part and supplier specific risk indices, can be used to analyze critical parts and suppliers to determine if and why they might be a cause for concern, and allows part and supplier risk indices to be tracked over time to identify trends towards higher risk levels This information can be used by the firm to proactively develop risk mitigation strategies to handle potential disruptions before they occur Additionally, the methodology proposed in this paper can serve a key function in a supply risk management process, namely risk, which has only received limited attention in the supply chain risk management research

20 IJPDLM 38,2 162 The proposed methodology in this paper is a first step in the development of methodologies to assess and monitor supply chain risk, especially in a temporal fashion As such, future research should concentrate on the following issues First, practical methods for determining risk weights need to be evaluated and examined For example, the feasibility of using the multi-attribute risk assessment (MARA) method should be considered (Butler and Fishbeck, 2002) The methodology is an additive-value model for use in multi-objective, compensatory decision problems Within the methodology, risk categories and levels are elicited from stakeholders, modeled, and simulated to determine tacit thresholds for threat levels that may differ from those explicitly stated by the stakeholders The multi-objective nature of MARA accommodates risks that may not be easily captured by financial measures (eg diminished reputation) While Butler and Fischbeck use the MARA methodology to determine information technology risks, its feasibility for use in assessing supplier risk should be examined Second, given the comment about the culture changed needed to properly implement our methodology, technology acceptance models such as TAM (Davis, 1989) could be used to investigate the willingness of stakeholders to adopt and use the model Third, working prototypes should be developed and tested in a number of different companies to assess the viability and usefulness of the proposed methodology This would likely involve developing and using simulation models based on data from the company to determine how well the methodology predicts the riskiness of suppliers and parts over time Fourth, further work must be done to determine how best to operationalize the methodology Finally, due to the time and resource requirements to enter data into our methodology, future research should explore the use of intelligent agents to automatically collect and enter some of the data required to use the model References Butler, SA and Fishbeck, P (2002), Multi-attribute risk assessment, Proceedings of the Symposium on Requirements Engineering for Information Security, Raleigh, NC Cavinato, JL (2004), Supply chain logistics risk, International Journal of Physical Distribution & Logistics Management, Vol 34 No 5, pp Chopra, S and Sodhi, M (2004), Managing risk to avoid supply-chain breakdown, MIT Sloan Management Review, Vol 46 No 1, pp Craighead, C, Blackhurst, J, Rungtusanatham, M and Handfield, R (2007), The severity of supply chain disruptions: design characteristics and mitigation capabilities, Decision Sciences Journal, Vol 38 No 1, pp Davis, FD (1989), Perceived usefulness, perceived ease of use, and user acceptance of information technology, MIS Quarterly, Vol 13 No 3, pp Faisal, MN, Banwet, DK and Shankar, R (2006), Mapping supply chains on risk and customer sensitivity dimensions, Industrial Management & Data Systems, Vol 106 No 6, pp Faisal, MN, Banwet, DK and Shankar, R (2007), Quantification of risk mitigation environment of supply chains using graph theory and matrix methods, European Journal of Industrial Engineering, Vol 1 No 1, pp Hallikas, J, Karvonen, I, Pulkkinen, U, Virolainen, V-M and Tuominen, M (2004), Risk management processes in supplier networks, International Journal of Production Economics, Vol 90, pp 47-58