Integration of ISO 31000:2009 and Supply Chain Risk Management

Supply chain risk management (SCRM) can provide companies with a long-term competitive advantage, particularly when it is integrated with enterprise risk management (ERM). Current SCRM research frameworks do not explicitly examine this integration, which may hinder a deeper understanding of SCRM. This research uses survey data and follow-up interviews to suggest that ISO 31000:2009 provides a foundation both for advancing future SCRM research and for executing SCRM more successfully. It also finds that ISO 31000:2009 encompasses existing SCRM frameworks but is more exhaustive: it includes two critical steps generally omitted from SCRM frameworks, 1) developing a strategic context for SCRM, and 2) performance monitoring. Finally, firms recognize the importance of SCRM, but SCRM integration and skills are lacking.


Introduction
Enterprise risk management (ERM) is a critical component of business strategy [1]. Despite its importance, ERM implementation is limited [2]. The International Organization for Standardization (ISO) released ISO 31000:2009, Risk Management: Principles and Guidelines, to provide ERM implementation guidance [3].
A key component of ERM is supply chain risk management (SCRM) [4,5]. A well designed, risk-oriented supply chain provides a strong competitive position and reliable long-term benefits to all stakeholders [6]. For SCRM to be most effective, it should be integrated with ERM. However, SCRM is often implemented in an ad-hoc manner.
SCRM research is in its infancy [7]. It might advance more readily if it is linked to practitioner needs and if a standard SCRM framework is developed [8]. This research has two primary goals: 1) determine whether ISO 31000 provides a framework for reaching consensus on SCRM scope and definition, which in turn could accelerate SCRM research, and 2) determine whether ISO 31000 provides a foundation for planning and executing SCRM.
To pursue these goals, survey data and follow-up interviews were used. The findings suggest that ISO 31000 provides researchers with a framework for developing consensus on SCRM terms and scope, and provides practitioners with a foundation for linking ERM and SCRM and then planning and executing SCRM. The findings also suggest that, although companies recognize the importance of SCRM, SCRM is not generally linked to ERM and key SCRM skills are lacking.

Literature Review
SCRM research gaps include a lack of agreement regarding SCRM scope and definition, and a lack of empirical research focused on current practices [8]. This research accepts the perspective that empirical research focused on developing frameworks may advance the field [8]. The total quality management (TQM) discipline provides an example: TQM research advances were supported by operational definitions and standardized frameworks, which provided a foundation for theory building and testing [9][10][11][12][13].
While TQM research has reached a "mature" stage, SCRM research is in an "early" stage. For example, [7] suggested that SCRM research regarding crisis situations was in its "infancy", then examined the literature and conducted interviews to develop a theoretically grounded framework for examining supply crisis management [7]. Driven by the suggestions that SCRM research is in an early stage, that a standard SCRM framework may advance research, and that SCRM is a subset of ERM, this exploratory research examines SCRM relative to the ISO 31000 framework.

ISO 31000:2009
ERM has received attention as a way to gain competitive advantage, yet has not gained much traction [14]. The International Organization for Standardization (ISO) published ISO 31000:2009, Risk Management: Principles and Guidelines [3], to provide a foundation for ERM implementation. It is anticipated that ISO 31000 will become an international norm for ERM [15]. This research focuses on ISO 31000, Clause 5, Risk Management Process, which consists of five integrated segments [16] (Figure 1).
Communication and consultation (5.2) requires engagement of stakeholders to determine objectives, secure involvement, and disseminate risk information. Establishing the context (5.3) sets objectives, identifies factors that influence success, appraises stakeholder relationships, and identifies the risk management environment. This essential step precedes risk assessment.
Risk assessment (5.4) consists of three interrelated steps. "Risk identification" defines risks and identifies risk drivers and risk categories. "Risk analysis" evaluates each risk, including its potential business consequences and likelihood of occurrence. "Risk evaluation" prioritizes risks from acceptable to unacceptable and identifies which risks require treatment.
Risk treatment (5.5) identifies options for treating risks, including: accepting risk to achieve competitive advantage; avoiding risk; reducing or removing the likelihood or consequence of risk; and sharing or transferring risk. Monitoring and review (5.6) analyzes changes in risks and the emergence of new risks that result from changes in the external environment, risk treatment, or corporate objectives. It also assesses the success of risk treatments.

SCRM Frameworks
SCRM frameworks [17][18][19] share common elements with each other and with ISO 31000. However, Table 1 identifies a lack of consensus regarding what constitutes SCRM, and indicates that ISO 31000 is more comprehensive than the SCRM frameworks. ISO 31000 emphasizes that the first critical step for enabling holistic risk management is establishing the context. It also explicitly recognizes the need for stakeholder engagement and communication, and emphasizes continuous monitoring, review, and improvement.

Research Method
This exploratory research selected a purposeful sample to pursue the research objectives [30]. Targeted participants were known to support supply research and education, and were active in professional supply associations. The survey was sent to 58 firms, and a 66% response rate was achieved. Early-to-late respondent comparisons were made to analyze potential nonresponse bias [31]; no statistically significant differences were found. The

Data Analysis
Results are categorized relative to the segments of ISO 31000:2009.In all tables, the "agree/disagree" questions are scaled from "1 = strongly disagree" to "7 = strongly agree", and the "extent of use" questions are scaled from "1 = not used" to "7 = extensively used".

Communication and Consultation
Table 6 suggests that firms attempt to create communication channels supported by extensive information gathering. Though information visibility was relatively high, there are concerns regarding information reliability and timeliness.

Establishing the Context
Contextual factors were categorized as need, approach, budget, and organization (Table 7). Although SCRM is strategic, it is challenging to implement because no single set of tools exists for managing all risks. SCRM personnel lack insight into ERM efforts and may lack critical skills for managing global risk. Organizational structures and capabilities, as well as the allocation of resources and budgets, appear to be misaligned with strategic objectives.

Risk Assessment
Risk assessment consists of the interrelated steps of identification, analysis, and evaluation. Specific risk factors (e.g., supplier reliability) are carefully evaluated (Table 8). However, few firms extensively document the likelihood and impact of risks, and SCRM tends to focus on "negative risks" rather than exploiting "positive risks". Firms face a wide range of supply risks (Table 9). Supplier failure/reliability was the top risk, followed by supplier bankruptcies, natural disasters, commodity cost volatility, and logistics failure. Table 10 summarizes responses regarding whether supply risks would increase, stay the same, or decrease over the next 1-2 years. Many of the risk factors identified as increasing (e.g., currency exchange, government regulations) are outside supply's direct control, suggesting that successful treatment of such risks will require integrated SCRM and ERM.

Risk Treatment
Risk treatment options include acceptance, reduction, and sharing (Table 11). Inventory buffering remains a key acceptance option. Qualifying suppliers to reduce risk and partnering with suppliers to share risk are also extensively used.

Monitoring and Review
Firms use a range of processes to monitor outcomes (Table 12). However, few firms benchmark SCRM relative to best practices, or use training and design optimization tools to monitor and review SCRM processes. Firms are generally satisfied with key supply performance outcomes (Table 13), though there is room for improvement, particularly in managing commodity and material price volatility.

Communication and Consultation
Communication and consultation provide visibility so that supply chain members can access reliable information. Specific operations information, such as inventory and quality, was generally available. However, data centralization seemed lacking, causing visibility and accuracy problems. One manager stated that inadequate information flow was a significant supply risk: "Demand variation, extending supply chains, and information speed that is too reactive, will all continue to be major failure modes". Perhaps limited information visibility and timeliness reinforce the practice of mitigating negative risks rather than enabling proactive exploitation of positive risk opportunities. For some firms, there was a lack of information technology (IT) integration throughout the value chain. One manager commented that the most significant failure mode he faced was "companies failing to use up-to-date MRP systems, and not accepting change. By relying on old procedures, companies are missing a lot of information that can be accurate and readily available". As companies continue to use new and global suppliers, IT integration can become a significant challenge.

Establishing the Context
Respondents use many of the individual processes suggested by ISO 31000, but integration appears limited and SCRM approaches are ad-hoc rather than systematic. One manager commented, "We currently do not possess or utilize any tools to identify and analyze risk within the supply chain. All activities currently practiced are from the working knowledge of the buyers". This was not universally true, as one manager indicated: "Top management at my company recognizes supply risk by investing capital into our systems, training, and people. Our stock price is a direct correlation to our supply chain success, thus it has a very high level of visibility".
Leaders have responsibility for establishing the context within which supply risk will be managed and for defining the responsibilities and scope of risk management processes. Despite recognizing a need for integrated SCRM, many firms did not establish a supportive organizational context for it. One manager stated: "What is lacking is clear ownership of the supply chain at an executive level. The supply chain group of 200 employees has belonged to the CEO, the head of operations, and the head of purchasing at different times".
Supply chain managers need to present a business case in order to "get a seat at the table" and secure the requisite SCRM resources. Another manager stated: "As managers, you are the voice for your associates and those who may not get the face time with the people who can affect change. The metrics speak for themselves, so managers need to be able to relate the needed resources to areas in the supply chain that need improvement".
If persuasion does not work, it may take a catastrophe for firms to realize SCRM's importance. One manager commented: "We did not have anyone devoted to risk management in the past, but due to the Japan earthquake, tsunamis, Thailand floods, and other large-scale issues, risk management has now become very important. We now have someone dedicated to mitigate risk on all fronts for purchasing due to risks globally".
Despite evidence that supply personnel lack some of the necessary risk management skills, and that supply managers have limited linkage to corporate risk managers, few firms intend to outsource SCRM (though components of SCRM may be outsourced). One manager commented: "Most of our risk management resources are from within. We rely on the supply chain professionals at a working level to meet with the global supply chain group, as well as plant management. We do outsource some of our financial analysis of our suppliers, where they do an in-depth financial analysis and come back with a letter grade and summary".

Risk Assessment
Respondents agreed that many things can go wrong in a supply chain without a systematic process for assessing risk, and that they lack a comprehensive supply risk assessment process. One manager commented: "The biggest challenge is that most of the risk assessment relates to financial performance and standing. It does not take into account really the key operational risk issues at the supplier, which impact supplier performance. That really then falls on the supply chain team as part of their vendor selection and ongoing performance evaluations." Most companies reported a high level of activity devoted to supplier measurement, visiting supplier operations, and consistent monitoring of a supplier's processes. Only a few firms used dashboards or scorecards to predict risk trends in advance. Most firms prioritize risks and then allocate resources to manage the most significant ones. Though a Pareto approach is common, one manager cautioned that firms may lose sight of seemingly "minor" risks and the interaction of those risks: "We need additional sustained allocation of resources to address individual items further down the Pareto that have a lower amount of impact as an individual issue, but can have significant impact when all individual items are combined."
Increasing government regulations were a concern across many industries. Companies recognize the value of complying with regulations, though there is concern that compliance with so many regulations consumes resources that might be better allocated to risk efforts. One manager noted: "Compliance risk management activity is taking precedence over an overall supplier risk approach. This challenge is created by regulatory agencies and pushing resources towards certain areas of risk mitigation such as FDA, DOJ, AdvaMED, Sarbanes Oxley, etc. Without some of these distractions, we would be able to free up additional resources to develop and deploy updated supplier risk processes that would allow for future risk mitigation and support further growth."
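The analysis and evaluation steps of Clause 5.4, together with the Pareto caution above, as an added example that is not part of the original paper: a small Python risk register scores each risk as likelihood times consequence, ranks the register, takes the head that carries 80% of expected loss (the items a Pareto approach would fund), and then groups the remaining tail by a shared driver so that items that are minor one at a time but have a common cause are seen together. All risk names, probabilities, impacts and driver labels are constructed for illustration; none comes from the survey data.

```python
"""Risk analysis and evaluation (ISO 31000 clause 5.4) over a small supply
risk register, with a check on the tail of the Pareto ranking.

Added example; not part of the original paper. All risk names, likelihoods,
impacts and shared-driver labels below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood_pct: int   # probability of occurrence over the horizon, in percent
    impact_k: int         # consequence if it occurs, in thousands of USD
    driver: str           # common cause shared with other risks (constructed label)

    @property
    def expected_loss_k(self) -> float:
        """Risk analysis: likelihood x consequence, in thousands of USD."""
        return self.likelihood_pct * self.impact_k / 100


# Constructed register; every value is illustrative.
REGISTER = [
    Risk("Supplier failure/reliability", 30, 2000, "single-source"),
    Risk("Supplier bankruptcy", 10, 3000, "single-source"),
    Risk("Natural disaster at supplier site", 5, 8000, "region-A"),
    Risk("Commodity cost volatility", 60, 500, "market"),
    Risk("Logistics failure", 25, 400, "region-A"),
    Risk("Power outage at supplier", 15, 300, "region-A"),
    Risk("Port congestion", 20, 200, "region-A"),
    Risk("Customs delay", 20, 150, "region-A"),
    Risk("Strike at supplier", 5, 600, "region-A"),
    Risk("Language/documentation errors", 40, 50, "region-A"),
]


def rank_risks(register):
    """Risk evaluation: order the register by expected loss, largest first."""
    return sorted(register, key=lambda r: (-r.expected_loss_k, r.name))


def pareto_split(ranked, share=0.80):
    """Split a ranked list into the head that carries `share` of total expected
    loss (what a Pareto approach would resource) and the remaining tail."""
    total = sum(r.expected_loss_k for r in ranked)
    running = 0.0
    for i, r in enumerate(ranked):
        running += r.expected_loss_k
        if running >= share * total:
            return ranked[: i + 1], ranked[i + 1 :]
    return ranked, []


def tail_by_driver(tail):
    """Aggregate the tail by shared driver: items that are minor individually
    but would be triggered together by the same cause."""
    totals = {}
    for r in tail:
        totals[r.driver] = totals.get(r.driver, 0.0) + r.expected_loss_k
    return totals


def summarize(register=REGISTER, share=0.80):
    """Return the ranking, the Pareto head/tail and the tail's common-cause view."""
    ranked = rank_risks(register)
    head, tail = pareto_split(ranked, share)
    total = sum(r.expected_loss_k for r in ranked)
    tail_total = sum(r.expected_loss_k for r in tail)
    return {
        "head": [r.name for r in head],
        "tail": [r.name for r in tail],
        "top_single_k": ranked[0].expected_loss_k,
        "tail_total_k": tail_total,
        "tail_share": tail_total / total,
        "tail_by_driver_k": tail_by_driver(tail),
    }


if __name__ == "__main__":
    s = summarize()
    print("Pareto head:", s["head"])
    print("Tail expected loss (kUSD): %.0f (%.1f%% of total)"
          % (s["tail_total_k"], 100 * s["tail_share"]))
    print("Tail grouped by common driver:", s["tail_by_driver_k"])
```

Run as a script it prints the head, the tail's share of expected loss, and the tail grouped by driver. In the constructed register the four head items carry about 86% of expected loss, but every tail item shares the same regional driver, so a cluster that no single line of the register would flag amounts to roughly the size of the third- and fourth-ranked risks.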

Risk Treatment
Many of the highest-rated current and future risk factors (e.g., natural disasters) are not directly controlled by the supply organization, so reacting quickly through contingency planning is required. One manager commented: "I believe there is no clear solution for every situation. Having thorough contingency plans for each part is a must, and based from that assessment, a decision needs to be made by management. Having a budget for supply security is a must even though you may never use it." One respondent indicated that his firm now requires key suppliers to develop contingency plans for their own supply chains as well.

Table 10. Expected change in supply risks over the next 1-2 years (number of respondents). The extracted table carries no column headings; "Same" and "Increase" are inferred from the description of Table 10 in the Data Analysis section and from the table's descending sort on the second column. A "Decrease" column, if one existed, did not survive extraction.

Risk factor                                                              Same  Increase
Banking regulations and tighter financing conditions                        9        27
Government regulations (SOX, SEC, Clean Air Act, OSHA, EU)                 14        24
Supplier failure/reliability                                               14        17
Geopolitical event (e.g., terrorism, war)                                  22        16
Energy/raw material shortages and power outages                            21        16
Customs acts/trade restrictions and protectionism                          19        16
Logistics failure                                                          17        16
Bankruptcy, ruin, or default of suppliers, shippers, etc.                  16        16
Customer related (demand change, system failure, payment delay)            21        15
Diminishing capacities (financial, production, structural, etc.)           18        15
Return policy and product recall requirements                              23        14
Port/cargo security (information, freight, vandalism, sabotage, etc.)      24        13
Legal liabilities and issues                                               24        13
Insurance coverage                                                         26        12
Tax issues (VAT, transfer pricing, excise, etc.)                           27        11
Natural disasters or accidents (tsunamis, hurricanes, fires, etc.)         26        11
Intellectual property infringement                                         28         9
Attracting and retaining skilled labor                                     22         9
Language and educational barriers *                                        18         9
Strikes (labor, buyers, or suppliers)                                      26         8
Property development (local codes and requirements)                        30         7
Unfamiliar business and property laws                                      29         7
Weaknesses in the local infrastructures                                    26         7
Contract failure                                                           25         7
Contamination exposures (food, germs, infections)                          29         6
Ethical issues (working practices, health, safety, etc.)                   27         6

* The extracted text gives three figures for this row (11, 18, 9); the leading 11 is presumably the missing "Decrease" count and is not shown in the table.
Inventory buffering was a commonly used treatment when companies accepted supply risks. Inventory carrying costs must be assessed relative to the benefits, as one manager stated: "Pursuit of a long-distance supply chain to leverage low-cost country suppliers necessarily results in higher localized inventory storage near production sites to buffer long lead time demand variation risk. This creates higher inventories, and longer overall supply chain lead times, but achieves overriding delivered material cost savings to the organization." Risk reduction efforts emphasized qualification of preferred suppliers. However, one manager pointed out that many supplier assessment measures are generic and are not linked to a specific sourcing situation or risk condition. Thus, though a supplier may be approved, the specific needs and risks of each sourcing project should be assessed before defaulting to an approved supplier.
Development of strong buyer/supplier relationships was a common way to share risk. Some managers expressed concern that developing relationships on a "personal" basis is increasingly difficult. Challenges to developing "personal" ties included physical distance, limited budget for travel, and the constant switching to [...] involvement may be limited: "The supply chain group is taking too long in the analysis of the supply chain decisions, thus risking product development/sourcing lead time. This is created when supply chain cannot finalize supplier analysis in the 3-4 weeks that are provided. Eventually the company will move without supply chain because product development needs to continue. This can be resolved by hiring efficient people and also measuring supply chain employees on turning around analysis in less than two weeks."

Monitoring and Review
Many firms were satisfied with specific supply chain performance outcomes, though such positive outcomes are not universal and there is room for improvement. It is not clear whether these outcomes are achieved through proactive risk management processes or through reactively battling problems. One manager suggested it was the latter: "Results are achieved through daily firefighting instead of continuous improvement due to shortage of resources, inaccurate focus of efforts, and inadequate long-term planning." It is difficult to assess risk management's impact through anything other than final supply performance, as one manager commented: "In the end, you only know if you made the right decision if you are maintaining the level of supply you need to service your customers." Regardless, firms monitor supply chain performance and risks through, for example, supplier visits and assessment systems, ongoing supplier scorecards, and financial risk analysis. Few firms benchmark risk management processes against external competitive levels. One respondent suggested that being able to specifically measure "risk management success" was not critical: "Our only measure is whether or not our assembly lines were impacted. If not, our contingency plans were successful. I believe that measuring the success of the plan isn't as important as the thought and ideas generated by having a plan."

Managerial Implications
Managerial implications were suggested throughout the discussion above. Supply managers are putting effort into SCRM, yet few integrate SCRM with ERM. ISO 31000 provides a foundation for supply managers to make the business case for linking SCRM and ERM, and to secure the resources needed to implement SCRM.
Companies often focus on frequently occurring risks or on rare but catastrophic risks. Managers should not lose sight of less frequent risks that, in combination, may drive significant supply problems. Multiple respondents suggested that complex sourcing systems require advanced SCRM approaches, such as process failure mode and effects analysis and design of experiments for risk. Supply personnel would require training to use such tools effectively.
Information technology (IT) continues to advance and become ubiquitous. Companies should proactively develop strategies and plans for using IT to identify and manage supply risks. They should also consider how IT usage affects the development of "personal" supply relationships. New methods of developing supply "relationships" may be required, and the skill set of supply personnel will need to expand.
As companies expand their global reach, supply personnel will need a better understanding of corporate strategy, ERM practices, and financial techniques for managing risk. Such understanding and skills are currently lacking.
Supply risks might be most effectively addressed at the early stage of product design. However, compressed development times limit the time available for supply risk assessment. Supply managers may consider adopting rapid risk assessment techniques to provide support during early-stage design. Companies should also examine the extent to which supplier qualification processes explicitly examine a supplier's SCRM capabilities. Standard qualification measures provide some indication of risk management, but do not explicitly explore whether risk management or contingency plans are in place.

Future Research Questions
The following future research questions were developed based on the interviews and survey data.
1) Over the long term, does a formal integrated strategy and structure for SCRM and/or ERM provide appropriate returns? Perhaps SCRM programs that rely only on contingency budgets provide better returns, even if in the short term they recover more slowly from rare major disruptions. Situational factors that influence the level of investment in risk management systems have already been proposed [32].
2) Should SCRM research adopt a standard ERM framework? This research identified that ISO 31000:2009 provides a comprehensive framework for examining SCRM. Has the field reached the point at which researchers should agree on a common framework such as ISO 31000:2009? Will practitioners also find adoption of ISO 31000 useful?
3) How can IT better support SCRM? Though respondents used IT to support risk management, there was limited use of IT to model and manage supply risks. IT applications such as internet-based systems, cloud computing, and mobile devices are becoming more secure and ubiquitous. Research questions might include: What are the most effective tools, and how can they be adopted most efficiently across a value chain? What are the barriers to adoption, and how can firms overcome them?
4) What is the most effective SCRM organizational structure? Six Sigma requires that quality is everybody's business, yet establishes different levels of expertise. Lean systems also establish a hierarchy of responsibility. Would it be more effective to have people manage risk as part of their everyday responsibilities, or would a hierarchy of "risk experts" prove more effective? Further, would it be more effective for firms to focus on their core competencies and outsource SCRM?
5) Should companies include "design for supply risk management" in product design processes? Most new product development processes already assess risk, though it is not clear whether longer-term supply risks are considered. Research suggests that addressing supply risk

Table 6. Communication and consultation.
Visibility (detailed knowledge of what goes on in other parts of the supply chain, e.g., finished goods inventory, material inventory, WIP, pipeline inventory, actual demands and forecasts, production plans, capacity, yields, and order status)

Table 8. Clause 5.4: Risk assessment.