How to assess and manage risk in supply chains

1. Introduction

The current trend of outsourcing to low cost countries combined with supplier base reduction has provided significant cost reductions for businesses. However, globalization and implementation of more streamlined supply chains have increased risks for companies when acquiring goods and services needed for their operations. By the term risk is meant a chance of facing undesired consequences such as damage, loss, or injury. More scientifically, risk is defined as the combined probability for an undesired event and the potential damage the event might cause. This definition, or variations of this definition, has been applied by a number of researcher investigating risk (March and Shapira, 1987; Zsidisin, 2003; Spekman and Davis, 2004; Wagner and Bode, 2006; Ritchie and Brindley, 2007). The detrimental effects does not have to be existential to the companies, but typically they cause lost sales, decreased market share and large contractual penalties for the parties affected (Zsidisin, 2003).

A very well-know example of such a detrimental effect is the $400 mill loss suffered by the Swedish cell phone manufacturer Ericsson due to a lightning bolt which struck their sub-supplier of semi-conductors (Latour, 2001). Another example is the battle against the foot-and-mouth disease in the UK agricultural industry during the year 2001. This event temporarily paralyzed the agricultural industry, while the tourism industry suffered great losses. Even luxury car manufacturers such as Volvo and Jaguar were affected since deliveries of quality leather used in various parts in the car compartment were temporarily stopped (Norrman and Jansson, 2004). A general ban on sale and export of British pigs, sheep and cattle was introduced during the outbreak. The tourism industry also suffered as many tourists changed their vacation plans due to transport bans and detergent washing of cars, boots and clothing in affected regions.

Similarly, the fruit company Dole lost over $100 million dollars when a hurricane caused massive damage to the area in Central America where their banana suppliers were located (Griffy-Brown, 2003). The outbreak of SARS in Southeast Asia affected various industries such as the electronics industry, retailing, tourism, and the airline industry with losses at the national level stipulated to $38 billion just for Hong Kong, Singapore, Taiwan, and Thailand (Overby et al., 2004). The economic impact of the hurricane Katrina is stipulated to $100-125 billion. More than half of that amount is due to the flooding of New Orleans which paralyzed industry and disrupted normal living conditions in the affected areas (Boettke et al., 2007). However, the most famous of such disruptive events is probably the 9/11 terrorist attack in 2001, which caused immediate financial losses and initiated a massive restructuring of the airline industry (Bhadra and Texter, 2004).

The above mentioned examples illustrate that supply chains may not be well prepared for dealing with unanticipated events causing disruption in sub-systems of supply chain networks. The traditional cost-efficiency focus of supply chain systems have led companies to eliminate buffers in the form of inventories and multiple sourcing throughout the network. However, this has also led them to remove mechanisms in the supply chain which previously moderated the effects of undesired, disruptive events in the chain. An alternative approach is to introduce more agility in the supply chain. This approach has successfully been applied as a response to the fact that more and more market places in the twenty-first century require a proliferation of products and services, shorter product life cycles and increased demand for innovation (Narasimhan, Swink and Kim, 2006). In agile supply chains, stock out penalties occur immediately in the form of lost sales and the key performance measure is no longer productivity or cost, but customer satisfaction. Traditional stable partnerships are substituted with more fluid clusters where partners enter and leave the network at a more rapid pace. In general, there is also a focus on operator self-management to maximize the actors' autonomy (Mason-Jones, Naylor and Towill, 1999).

The actors' higher level of autonomy in agile supply chains makes them better able to respond to changes in supplies upstream as they have no or few bindings keeping them from changing to alternative sources of supply. However, supply chain companies dealing with commodity goods rather than fashion goods can not necessarily be expected to have the same degree of freedom. Their day-to-day competition would require them to eliminate all forms of waste to remain competitive. Any cost driving measure to mediate or avoid risk such as excess production capacity, excess inventory, and increased supplier base would therefore have to be weighed against the expected costs of future unknown disruptive events. To do this, a proactive identification of potential supply and demand hazards is required at a strategic level. The point is to identify where unanticipated risk events have the biggest impact on the supply chain network, identify the type and number of risks, their associated costs, and assess alternative counter-measures to improve the resilience of the supply chain.

The intent of this conceptual paper is to establish a decision framework in order to aid the proactive identification and management of potential upstream and downstream supply and demand hazards. The framework is developed based on a broad variety of literature integrating multiple perspectives on risk from supply chain management, marketing, and organizations theory. The risk framework presented separates itself from previous efforts in its comprehensiveness, and it has been designed to match the supply chain management framework developed by the Global Supply Chain Forum (GSCF). Previous categorization attempts have usually only presented sub-sets of risk factors and have not paid much attention to how supply chain risks can be dealt with proactively.

For instance, Zsidisin (2003) listed a number of useful supply risk characteristics and classified them into characteristics belonging to items, markets and suppliers based on the results of a case study. Item characteristics included impact on profitability and the newness of product application, while market characteristics involved global sourcing, capacity constraints, market price fluctuation, and number of qualified suppliers. Risks associated with suppliers were capacity constraints, inability to reduce costs, incompatible information systems, quality problems, cycle times, and volume and mix requirements changes. However, Zsidisin's list of supply risk characteristics did not contain important risk elements such as behavioral appearance of supply chain actors and risks associated with skills and qualities of the individual supply chain organizations, nor did it pay much attention to mitigation of risk events. In addition, the network perspective of supply chain management was not evident in the sense that an event can appear several tiers away from the focal organization but still damage the organization via an unknown dependence.

Spekman and Davis (2004) also discussed a typology for categorizing risks. They found that risk lies inherent in every supply chain flow of goods, information, and money and they mentioned many of the same risk characteristics as in Zsidisin (2003). In addition, criminal acts and breach of norms were included as risk elements in the supply chain. However, they did not focus much on actions to minimize or avoid the effects of undesired events. Dealing with risk was eventually reduced to the introduction of buffers or building trust. An exception is made for the management of security risks where they briefly mention the necessity of proactive planning to avoid such risks.

Another example is Peck (2005) who reported from an empirical study where the sources and drivers of supply chain vulnerability were investigated. She used the knowledge achieved to develop a multi-level framework for risk analysis and did not put much emphasis on identifying individual risk characteristics and tactics to improve the supply chain's resilience. However, the framework illustrated in an intuitive manner how unanticipated and undesirable events at other nodes in a network could influence and cause problems at different levels for a focal company via dependencies. Kleindorfer and Saad (2005) also attempted to provide a conceptual framework to assess risk and introduced three tasks as the foundation of risk management. These were "Specifying sources of risk and vulnerabilities, Assessment, and Mitigation". The sources of risk and vulnerability were thereafter divided into operational contingencies, natural hazards, and terrorism and political instability. Kleindorfer and Saad (2005) did not elaborate in much detail on which risks to include in each of these categories, thus from a practical risk assessment point of view, the model becomes less interesting.

In a similar vein, Ritchie and Brindley (2007) developed a framework to encapsulate the main strands of supply chain risk management. They distinguished between seven sources of risk, but were not specific about which risks to expect in each category and they were not very detailed in their description of risk avoidance or mediation tactics. In stead, they used their general model as a guide in an exploratory case study where the purpose was to focus on supply chain members' degree of awareness of supply chain risks, and how supply chain members identified and responded to identified risks.

Ring and Van De Ven (1992) developed a framework for structuring cooperative relationships between organizations based on varying degree of risk and reliance on trust. They based their paper on the assumption that the degree of risk inherent in any transaction depends in the direct proportion to decreases in time, information, and control. Examples provided were commercial risk (risk of not finding a price-performance niche in the market), technological risk (probability of bringing the technology to market), scientific risk (lack of knowledge), engineering uncertainty (will the technology work?), and corporate risk. By corporate risk they referred to the risk of wrong allocation of resources in the organization. However, these types of risk are strongly connected with internal managerial and organizational skills of the focal company, and thus cover only a small portion of the risk concept from a supply chain management perspective. Risks arising from process sharing and network inflicted risks were barely mentioned.

In summary, a higher level of precision in supply chain risk assessment frameworks combined with normative guidelines for risk avoidance seems present in extant literature. This call has formally been put forth by Harland, Brenchley and Walker (2003) who provided an easy-to-follow procedure for risk assessment in supply chain networks. They concluded that "more managerial guidance is required to support risk management and redesigning of supply strategies to incorporate risk strategies ". An attempt to answer this call has been made in the following sections. Mapping of risks in the supply chain has been emphasized combined with a discussion of tactics for risk mitigation and risk avoidance. In essence, this covers steps two to four in the model by Harland, Brenchley and Walker (2003) (Figure 1). Guidance for mapping of the supply chain is the main goal for many of the supply chain management frameworks recently developed. Mapping of the supply chain has therefore only received limited attention in this paper, but references to some well-known supply chain frameworks are provided. Steps five and six have been left for the managers to decide as the strategy formation and implementation would be situation specific and dependent on the outcome of steps one to four.

2. Research method

The framework is developed based on a literature review where multiple perspectives on risk from marketing theory, organizations theory, and supply chain management have been integrated into a composite supply chain risk framework. Relevant contributions were identified through library searches and key word searches in Proquest and ScienceDirect databases. Search words were used either alone or in combination to find contributions which could bring added insight about risk from different theoretical perspectives. Key word searches typically included words such as supply chain management, marketing, or organization theory, and words such as risk, framework, uncertainty, vulnerability, resilience, etc. A large number of research contributions were identified from this procedure and contributions were further selected based on a qualitative assessment of the title and abstract of each identified contribution.

A guideline for the literature review was to find an answer to the question "what do we know from theory which could be relevant for supply chain managers in their efforts to identify and reduce the level of risk in their supply chains?" The emphasis on theory was decided since an exploratory empirical investigation would be descriptive of current practices which would not fit with the normative purpose of this investigation. Ex post empirical testing of the entire framework in a single study were also considered difficult to accomplish due to the amount of risk factors included. However, a varying degree of empirical validity is offered through the previous empirical testing performed by the researchers referenced. Some empirical guidance and initial face validity was also provided through discussions with the general director of a sub-supplier to the Norwegian oil and gas industry.

3. Supply chain management and risk

The term 'supply chain management' (SCM) has primarily been linked to the study of either internal supply chains integrating internal business functions, the management of two party relationships with tier one suppliers, the management of a chain of businesses or with the management of a network of interconnected businesses (Harland, 1996). Transaction cost analysis (TCA), organization theory (OT) and relational marketing (RM) literature have contributed substantially to the development of SCM research (Croom, Romano and Giannakis, 2000). However, a definition of SCM given by the members of the Global Supply Chain Forum states that 'Supply chain management is the integration of key business processes from end user through original suppliers that provides products, services, and information that add value for customers and other stakeholders'. This distinguishes SCM from the previous mentioned theories since it is the network or chain perspective which is emphasized (Lambert, Cooper and Pagh, 1998).

3.1. Mapping the supply chain

In order to be able to assess risk in a focal company's supply chain, a thorough insight is required about how the supply chain is configured. A number of frameworks have been developed for the purpose of achieving such knowledge, but Lambert, García-Dastugue and Croxton (2005) identified only five frameworks which recognized the need to implement business processes among supply chain actors. Such implementation is considered a key area where supply chain management can offer improvement to supply chain actors (Hammer, 2001). However, only two of the five frameworks provided sufficient details to be implemented in practice (Lambert, García-Dastugue and Croxton, 2005). On the other hand, these two frameworks are both supported by major corporations which indicate a high level of face validity.

The first framework is the SCOR model developed by the Supply-Chain Council (SCC, 2008). The SCOR model focuses on five different processes which should eventually be connected across firms in the supply chain. These are the plan, source, make, deliver, and return processes. The second framework was developed by the Global Supply Chain Forum in 1996 and was presented in the literature in 1997 and 1998 (Cooper, Lambert and Pagh, 1997; Lambert, Cooper and Pagh, 1998). Similar to the SCOR model, the GSCF model focuses on a set of distinct business processes to be shared among business organizations. However, a main difference between the two supply chain frameworks is their linkage to corporate strategy. While the SCOR framework emphasizes operations strategy, little reference is made to organizations' corporate strategies. The GSCF framework, on the other hand, directly links with the corporate and functional strategies of the companies and thus offers a wider scope (Lambert, García-Dastugue and Croxton, 2005). Since risk is inherent at every level of an organization, and should be considered also at the strategic level, the GSCF framework was chosen as a starting point for our development of a supply chain risk management framework.

3.2. Identify risk and its location

In the GSCF framework, supply chain management consists of three inter-related elements: 1) the structure of the supply chain network, 2) the management components governing the shared supply chain processes, and 3) the different types of processes linked among supply chain actors. Who to link with, which processes to link, and what level of integration and management should be applied are considered key decisions for successful management of supply chains (Lambert, Cooper and Pagh, 1998).

From a supply chain risk management perspective, these managerial questions make way for three propositions regarding risk and the focal company. The first proposition concerns the unpredictability of human nature when processes are shared with others. The second concerns the vulnerabilities created because of dependencies between multiple network actors, and the third refers to the skills and qualities of the different supply chain actors' organization and management. Stated formally:

P1: A focal company's exposure to supply chain risk depends on the level of human behavior unpredictability in the supply chain and the impact such unpredictability can have on the company's supply chain.

P2: A focal company's exposure to risk depends on the number and strength of dependencies in its supply chain and the impact an external risk event may have on the company.

P3: A focal company's exposure to risk depends on the supply chain actors' skills and qualities to identify potential risks in advance and to solve risk situations once they occur.

Although they address different aspects of risk to a focal company, the propositions are closely related. For instance, without the existence of network dependencies, behavioral unpredictability at another supply chain actor becomes irrelevant. Similarly, the focal company does not have to worry about the skills and qualities of other supply chain actors because there is always another alternative to select. Also, an increase in the supply chain actors' skills and qualities will indirectly reduce the level of human unpredictability since it rules out some of the mistakes humans can make; however, it does not rule out the focal company's uncertainty about other supply chain actors' intended strategic actions. The relationship between the propositions has been outlined as arrows in Figure 2. Each category between the arrows refers to a more precise definition of the risks mentioned in the propositions. The categories follow the naming convention in the GSCF framework, and together, they constitute a holistic representation of supply chain risks relevant for successful supply chain management.

The formal definitions for the three types of supply chain risk in Figure 2 are provided below and explained in the subsequent sections:

Supply chain processes risk refers to the perceived risk of other companies in the supply chain behaving - intentionally or unintentionally - in a manner which could be harmful to the company.

Supply chain structure risk is closely linked with the total number and type of dependencies in the network. It is a measure for the level of significant detrimental effects an undesired and unanticipated event can have on a company's supply chain network. This event can occur externally or internally to a local market or industry and affect either a single node or a multitude of nodes simultaneously.

Supply chain components risk refers to the technical, managerial and organizational abilities each supply chain actor has developed in order to embrace opportunities, detect and avoid potential supply chain disruptions, and to mediate the effects of a disruption once it has occurred.

3.3. Supply chain processes risk

A focal company's exposure to supply chain risk will, according to proposition one, depend on the level of human behavior unpredictability and the impact such unpredictability can have on the company's supply chain. When companies begin to explore the competitive advantage of accessing and managing processes belonging to other companies in the chain, they therefore need to identify how the sharing of a process can change its vulnerability to unanticipated events and agree on strategic actions to reduce the processes' vulnerability. The main factors to consider when processes are shared with other actors are shown in Figure 3 and explained below.

In general, the sharing of processes across tiers in a network can be problematic since it simultaneously makes the focal company more vulnerable to risk. Under working market conditions, each actor is free to choose its trading partner for every transaction. A natural moderating effect on risk therefore exists since there is no dependency on other specific actors in the network. However, when companies begin to integrate processes, as prescribed by supply chain management literature, they distance themselves from the market by creating lock-in effects with selected partners due to the specificity of tangible and intangible assets deployed.

From a transaction cost theory point-of-view (Williamson, 1975, 1985), specific investments in shared processes must be protected against the risk of possible opportunistic behavior from the other actor in each partnership. Opportunistic behavior refers to actors' "self-interest seeking with guile" (Williamson, 1975) where guile means "lying, stealing, cheating, and calculated efforts to mislead, distort, disguise, obfuscate, or otherwise confuse" (Williamson, 1985). In practice, this type of supplier behavior would materialize in hazards like broken promises, production delays, increased costs, production shortcuts, and masking of inadequate or poor quality (Provan and Skinner, 1989; Wathne and Heide, 2000). Any uncertainty of whether the suppliers behave, or would attempt to behave, opportunistically therefore increases the impression of risk to the actor performing the risk assessment[1]. However, transaction cost theory has been criticized for its assumption of opportunistic decision makers.

Critics argue that it is a too simplistic and pessimistic assumption about human behavior, and that opportunism represents the exception rather than the rule (Macneil, 1980; Granovetter, 1985; Chisholm, 1989). John (1984) also argued that undesired attitude such as "hard bargaining, intense and frequent disagreements, and similar conflictual behaviors do not constitute opportunism" unless an agreement has been reached of not to do so. In addition, even well-meant behavioral actions by one party may have negative effects for another party in the supply chain. The perception of risk linked with human behavior where processes are shared can therefore not be restricted to a matter of opportunism alone, but needs to include any kind of undesired human behavior - whether it is opportunistic, undesirable or well-intended, but still potentially harmful.

It has been suggested that behavioral uncertainty can be reduced with the introduction of formal and informal safeguards to the relationship. In a successful relationship, relational rules of conduct work to enhance the well-being of the relationship as a whole and take explicit account for the historical and social context within which an exchange takes place (Heide and John, 1992). Flexibility among the parties, solidarity, information exchange, and long-term orientation are norms typically associated with, and referred to, as relational safeguarding mechanisms in contemporary research (Ivens, 2002). The presence of these norms in a relationship has been found to improve the efficiency of relationships and to reduce parties' behavioral uncertainty (Heide and John, 1992).

Alternatively, ownership, or some form of contractual command-obedience authority structure can be used to protect against inherent behavioral uncertainty. Vertical integration has traditionally been prescribed by transaction cost literature as an answer to handle uncertainty in repeated transactions when there are specific investments involved (Williamson, 1975, 1985). However, Stinchcombe (1985) found that the safeguarding features of hierarchical relationships can be built into contracts as well. These features included "authority systems, incentive systems, standard operating procedures, dispute resolution procedures, and non-market internal pricing". It should be noted that advanced pricing mechanisms used can include agreed risk sharing and paying an insurance premium to a third party to protect against the financial consequences of a business interruption (Li and Kouvelis, 1999; Doherty and Schlesinger, 2002). However, a prerequisite for risk transfer mitigation to work is the ability to clearly define the type, cause and boundaries for when the agreed risk transfer applies. Also, well defined standard operating procedures are particularly important since they indirectly describe the non-conformance cases. Breaches in quality performance or EHS procedures, shipment inaccuracies, delivery times, etc. by the focal company or another party are indications of reduced control over the supply chain. Hence, an increased frequency of such incidents in other nodes in the network will lead to an impression of greater behavioral uncertainty and supply chain risk.

The impression of risk when processes are shared would naturally depend on the degree of lock-in which exists between two parties. A second risk factor in supply chain processes risk therefore refers to the criticality of specific nodes in the network (Craighead et al., 2007). More precisely, critical nodes are actors in the supply chain responsible for delivery of critical components or important subsystems where the number of supplier choices is limited. However, a node can be critical even though there may be little dependence in day-to-day operations. The increased popularity of outsourcing to third parties necessarily increases other actors' involvement in the company's material and information flow. But, since both information and materials represent a form of capital investment, this also means that other actors in some cases handle large parts of a company's tied-up capital - either in the form of information or in the form of goods. This risk is called degree of capital seizure in the framework.

For instance, it is generally not very difficult to switch from one supplier of IT-server capacity to another, but the dependence on the supplier of server capacity can prove severe if sloppy routines at the supplier destroy the electronic database stored. A similar logic applies for other actors with control over much of the company's information and material flow. Large distribution centers are one example. A typical risk event would be a fire causing damage to much of the company's goods stored; however, such an event would not be attributable to the processes shared and is therefore not a supply chain process risk. Instead, such a risk event has been characterized as external to the network and described under supply chain structure risk. However, another example would be the distribution centre not informing the focal company of a changed general staff leave. This would be a breach in the "supplier relationship management" process because it is a deviation from expected service levels in that particular period.

3.4. Supply chain structure risk

The decision of who to link with in a network requires an explicit knowledge and understanding of the supply chain network configuration. According to proposition two, this includes a thorough comprehension of the risk inflicted upon the company because of dependencies established in relationship with other network actors. Therefore, the supply chain manager needs to assess how vulnerable the company is to unanticipated changes in the network and its exogenous environment.

Dependencies are created with individual partners in the network and the level of dependency must therefore be assessed for each node. However, attributes of the network configuration itself may increase or reduce the impression of risk. A 'field risk' category and a 'network complexity risk' category have been created to reflect this duality. Field risk includes risk factors which are exogenous to the network, and not endogenously created as in supply chain process risk. Field risk is assessed for each node, but supply chain structure risk must also take the complexity of the network into consideration. For instance, geographically dense nodes within a network may represent a great risk to a company even though each actor itself may not be very important. This is similar to the Dole example mentioned in the introduction where a hurricane destroyed the banana harvest in the area where Dole had most of its suppliers (Griffy-Brown, 2003).

Network complexity risk refers to decision makers perceiving large networks as more uncertain since the involvement of more actors and more people implicitly includes more things which can go wrong (Craighead et al., 2007). This perception naturally becomes even stronger when the number and strength of identified critical nodes under supply chain processes risk is high. However, if a focal company is engaged in several sub-networks of supply and demand, this would moderate the perception of risk similar to the basic idea of diversification in modern portfolio theory. The reason is that the company can rest on several independent business pillars and prosper with the remaining pillars while the problem in the failing supply chain is sorted out.

Field risk factors such as currency fluctuations, political or legal changes, environmental, and social risks are external to the supply chain network, and refer to the country or region where suppliers, or clusters of suppliers, are located (Jütner, Peck and Christopher, 2002). Climate changes, in particular in combination with population growth, should receive attention since such changes may alter and threaten the living conditions in large regions of the world with serious effects on both the supply side and demand side to companies (Gilland, 2002; Yea, 2004; Leroy, 2006).

An undesirable side-effect of global trade is that supply chains have become significantly more vulnerable to both organized and unorganized crime. Although cargo thefts have not yet caused major supply chain disruptions, the extent of such crime is steadily increasing and should receive attention from a proactive risk management perspective - particularly if shipment of critical components is part of the day-to-day operations (Caton, 2006; Barnett, 2007).

Another type of crime is abduction of key personnel for ransom money. Kidnappings are mentally challenging to the abducted and the organizations they work for, and can strain organizational resources for a substantial amount of time after a kidnapping incident. In addition, if a decision to pay ransom money is made, the amount required could be financially problematic to smaller companies. This type of crime has generally been associated with Latin America; however, experts have anticipated that such kidnappings will spread to other parts of the world (O Hare, 1994). Although no scientific follow-up study has been identified, recent news indicate that kidnapping for ransom is a serious risk in certain parts of Africa, but it has also occurred in European countries such as Northern Ireland and Denmark (Anonymous, 2007; Coughlan, 2007; Anonymous, 2008; Rankin, 2008).

A more sophisticated version has emerged with the spreading and increased use of Internet. Instead of kidnapping CEOs and other leading business executives, technically skilled criminals have developed cyber extortion. Either a ransom is claimed by a hacker to stop breaking up a company's IT system, or a "protection fee" is demanded in order not to attack the company's system in the first place (O'Rourke, 2004).

Companies assessing field risks should also consider internal risk to the local industry or market. Volatility in demand for capacity, or rapid changes in customer demands due to for instance season, fads or new products, can cause stock outs or price increases if the local industry is not able to handle the fluctuations. Particular attention should be given to signs of the bullwhip problem. This problem is characterized by a significant variability in demand which can not be explained by end-customer demand fluctuations alone. The problem has a tendency to propagate upstream with great variations in demand causing capacity problems and/or price volatility several tiers away from the end-customer (Lee, Padmanabhan and Whang, 2004). Also, labour strikes are typically internal to the industry and are country or region specific (Johnson, 2001; Jütner, Peck and Christopher, 2002).

A third type of industry or market related risk is coupled with the innovative ability of the local region. Innovation might be considered an internal task by some companies, or something which is only shared with a few selected partners where strong relational norms exist. However, a considerable amount of researchers have identified that innovation can also be network specific. Porter (1990) identified mutual learning among related and supporting industries as one factor which leads to international success for particular geographical regions or nations. Baptista and Swann (1998) and Fosfure and Ronde (2004) found that firms were more innovative if located in regions where the cluster of related industries were more densely populated. Eradin and Armatli-Koroglu (2005) also found a similar positive linkage between local networking and innovativeness; however, firms with an expanded global network had an even higher number of innovations than firms with more local profiles. This could indicate that companies with a strong presence in one selected regional cluster might face the risk of a lower innovation rate compared to companies in other competing clusters. As a consequence, the innovative capability of local clusters should be assessed and benchmarked to avoid the risk of missed cluster innovation opportunities. However, to many companies such a risk would be perceived as given and uncontrollable due to strong site specific investments and little influence over activities in competing enterprises.

3.5. Supply chain components risk

Assessment of supply chain components risk is important in nodes where dependencies have been identified during the investigation of supply chain process risk and supply chain structure risk. Although preventive measures such as cultivation of relational norms, creating and auditing standard operating procedures and establishment of an authority system can reduce uncertainty to the focal company, such measures may sometimes offer little help when it comes to undesired, disruptive events. In such cases, organizations must have developed skills and qualities to solve the problem when it occurs, or, even better, be able to foresee it and avoid the potential crisis altogether as amplified in proposition three.

For instance, a supply chain actor may appear highly flexible and creative when it comes to meeting a focal company's changing delivery desires, but prove less able to change when a situation requires more fundamental alterations in the actor's organization. Such an organization has developed favorable relational norms to the focal company, but is lacking the necessary skills to solve the unwrapping crisis. Consequently, a holistic risk framework must also include the risk of supply chain actors lacking skills and qualities to identify, prevent, and handle risk events once they have occurred.

Supply chain actor inertia is one type of risk associated with the supply chain actors' skills and qualities. Inertia may come from two sources in the supply chain actor's organization. Either, inertia can be caused by specific qualities of an affected group of employees, or it can be a trait specific to decision makers failing to respond or alternatively responding in a manner which does not create constructive solutions.

'Organizational inertia' and 'managerial risk depicts these two types of risk in Figure 5. In total, five factors have been identified in the literature which can explain why management fails to respond or responds incorrectly. These are managers' level of education, experience, their risk propensity, herd mentality and the degree of management self-justification.

An underlying assumption in organizations theory is that people are generally bounded rational (Simon, 1951) which means that decision makers can only decide based on what they know. Similarly, their conception of reality will be based on the cognitive schemas they have developed from previous knowledge (Daniels, 1996). In other words, decision makers' ability to identify and tackle risk situations is dependent on previous encounters with similar risk situations. Managers with little prior experience and education can therefore be expected to have poor qualifications for tasks such as successful recognition and management of a new and developing supply chain disturbance. Several researchers confirm this as they have found that companies' risk of failure is greater in the adolescent stage of their lifespan (Cooper, Dunkelberg and Woo, 1988; Thornhill and Amit, 2003). Empirical evidence also shows a positive correlation between the education level and work experience of the management and the long-term survival of firms (Bruderl, Preisendorfer and Ziegler, 1992).

Education and experience are not the only two factors influencing managers' ability to identify and tackle risk. Decision makers' underlying attitudes towards risk are usually pictured as stable properties of individuals, and it is common to assume either risk averse or, in the case of transaction cost theory, risk neutral actors. However, empirical evidence indicates that this may not always be true. Managers' risk propensity is influenced by as diverse factors as cultural background, age, mood, feelings, authority, firm size, internal norms and incentives, and type of industry (March and Shapira, 1987; Williams and Narendran, 1999). The consequence is that decision makers must be mapped with regards their propensity to take risk since such propensity may increase the focal company's exposure to risk. This may be particularly important when companies operate on a global scale. For instance, Hofstede (1983) investigated national culture patterns and found that people's uncertainty avoidance is culture specific. People from cultures with strong uncertainty avoidance were generally made more anxious by unclear or unpredictable situations, and made greater efforts to avoid such situations by establishing strict codes of behavior and belief in absolute truths. Cultures with weaker uncertainty avoidance were more tolerant and accepting of personal risk, and responded with less aggressiveness and security-seeking.

On the other hand, management's propensity to take risk should be interpreted in relationship with the need for innovation and necessity of seeking opportunities for the business in order to survive and prosper (Porter, 1990). If the management becomes too risk averse, it could fail to bring new technology to the market and lag behind in the competition. However, such opportunity seeking may have a negative side-effect. Ottesen and Grønhaug (2006) found that some firms have a higher risk of failure because of management being blinded by the success of other firms and a pressure to follow the herd. Ring and Van De Ven (1992) similarly mention that fear of loosing first-mover advantage can drive a firm to prematurely release a new product to the market even when demand uncertainty is high.

Another potential risk linked with supply chain actors' management is a possible unwillingness or lack of ability to recognize own failures. According to Festinger's (1957) theory of cognitive dissonance, decision makers may show an unwillingness to admit that their prior allocation of resources to a chosen course of action was in vain. Instead, the best way for them to (re)affirm the correctness of those previous decisions is to become even more committed to them. Although such a risk could be difficult to identify, it could misguide the focal company to adapt to the failing course of action by the supply chain actor, which would later bring loss to the company. The greatest likelihood of such a behavior is predicted with the presence of a) negative feedback concerning the outcomes of an original resource allocation, and b) there exists a high need to justify the correctness of the initial resource allocation (Brockner, 1992).

Whereas the risk of failures due to managerial errors naturally decline with the management's learning curve, organizations might also fail to react to supply chain disturbances due to their general inability to change (Thornhill and Amit, 2003). This inertia may not necessarily be caused by attributes of the management, but can be due to attributes of the organization and the organization's employees.

For instance, older businesses will have had time to formalize their relationships and standardize a much greater portion of their routines. According to Stinchcombe (1965), changes to such formalized routines would be much harder to implement than in newer organizations where roles frequently change. Similarly, when organizations increase in size, they also have a tendency to strengthen the emphasis on control systems, formalized roles, and predictability. Again, implementation of change to the organization becomes more difficult (Downs, 1967; Hannan and Freeman, 1984; Kelly and Amburgey, 1991). Steps to reduce behavioral uncertainty in supply chain process risk can therefore become a risk factor themselves through the bureaucratization and rigidness they create. Indeed, Hannan and Freeman (1984) argued that organizational members, investors and clients would normally favor organizations that exhibits such stability. The reason is that any organizational change would disrupt stability and thereby also create a greater risk of organizational failure.

Resistance against organizational change can also occur in an organization because of possible large sunk cost from previously acquisitioned equipment, training of personnel, etc. If such investments are affected to a non-significant degree, this can lead the organization to postpone the decision of implementing a necessary change due to internal dependencies and uncertainty of the future outcome (Hannan and Freeman, 1984).

Another source of organizational inertia is more agents specific and can occur at all levels of a supply chain actor - from top-management decision makers to the shop floor. Different opinions in the organization of whether a change is required or not can for instance stall necessary organizational modifications which can lead to supply chain disruptions for the focal company (Brunsson and Olsen, 1997).

Organizational change can also produce anxiety among a supply chain actor's members. This anxiety can then cause opposition and steal attention away from the negative consequences failing to change may have on the remaining supply chain and the focal company. Fear of loosing ones job (Helliwell and Fowler, 1994), fear of loosing identity (Bolman and Deal, 1991), and fear of becoming outdated (Appelbaum, 1990; Davidson, 2002) are some reasons for such anxiety identified in literature. Another factor is fear of losing personal privileges, social status and power (Mintzberg, 1983; Stinchcombe, 1986; Rosseau, 1995).

A more rational reason for organizational inertia is resistance against the temporary extra workload organizational modification requires (McHugh, 1997). Organizational change involves learning and adapting to something new for the individuals. This demands additional resources from each member affected - including the management. Necessary changes to avoid supply chain disruptions can therefore be delayed or not implemented if the dislike to take on extra work becomes significant among the supply chain organization's members.

Also, it is reasonable to expect that the financial power of the organization influences its ability to handle risk. Inadequate financial resources may hinder necessary organizational or technological development to mediate future risk events. This argument is supported by several authors. Headd (2003), Gaskill, Van Auken, and Manning (1993), and Hall (1992) all found evidence indicating that firm failure was closely connected with poor financial management and under-capitalization. The equity ratio and the liquidity ratio were therefore introduced to the framework since these are two standard and well-known measures of financial health. However, other financial measures may be applied as well to complement the impression of the supply chain actors' financial strength.

A final factor to consider when assessing supply chain components risk is the equipment used to produce the parts required by the focal company. Burton (1988) studied industrial robots and identified a number of undesirable and unplanned situations where production were interrupted due to accidents with robots. Many of the accidents were caused by employees deviating from standard operating procedures, and some disruptions were caused by unexpected malfunctioning of the technical system (mechanical, electrical, software etc.) without any apparent human interaction. The likelihood of unprovoked technical malfunctions at a supply chain actor thus poses a risk factor to the focal company, while deviations from standard operating procedures are already covered by supply chain process risk. However, the machines' design could aid to reduce or avoid human errors. Machine robustness against human error should therefore be considered as a separate factor when assessing supply chain risk.

For example, a machine that is encaged in glass during production would represent a much lower risk to the focal company than another machine with no such protective measures. Another example is machines programmed to stop before faulty operator programming can cause any damage to the tool used, the machine itself, or the operator. In addition, repair time, spare part availability and existence of shop floor alternatives are important factors to consider since they influence the time delay inflicted upon the focal company if a technical malfunction occurs. In a study of safety lead time and safety inventory, Buzacott and Shanthikumar (1994) found that "safety time was usually only preferable to safety stock when it is possible to make accurate forecasts of future required shipments over the leadtime". Safety stock was otherwise found to be more robust to customer demand fluctuations. Suppliers' level of (finished goods) safety stock should therefore be considered a factor to focal companies when assessing the risk of suppliers not being able to meet demand.

However, lack of safety stock is not important alone unless it negatively affects the supply chain actors' ability to deliver at agreed due dates under normal operation or when a risk event has occurred. On the other hand, balanced plants (when capacity equals demand) have been mathematically proven to create highly unreliable delivery times and the problem escalates the closer the plant is to its capacity limit (Goldratt and Cox, 1992). Therefore, production crowding, defined here as distance to production capacity limit, should be considered an important factor when assessing risk at a supply chain actor. In addition, running below the capacity limit ensures that there is free capacity to catch up if a risk event should occur.

A focal company assessing the risk level in its supply chain should also consider points of differentiation and decoupling at each supply chain actor. Postponement of product differentiation and decoupling points increases the supply chain's responsiveness by reducing the risk of long term stock-outs together with the risk of holding undesired products (Ben Naylor, Naim and Berry, 1999; Herer, Tzur and Yucesan, 2002). This provides the supply chain with greater responsiveness supply chain volatility while maintaining focus on low cost profile. Consequently, if the point of differentiation is far from the customer side, this will reduce the actor's responsiveness to supply chain risk events. Indirectly, this will also negatively affect the responsiveness of the focal company because of the existing dependence with the specific supply chain actor.

4. Discussing the framework's appropriateness for risk management

The main purpose of this research was to establish a decision framework in order to aid the proactive identification and management of risk in a focal company's supply chain. The framework was developed based on a synthesis of existing literature on risk from different theoretical disciplines and designed to match the supply chain management framework developed by the Global Supply Chain Forum (GSCF). While previous risk frameworks have covered only a selected sub-set of risks, or have lacked sufficient details to be put to practical use by supply chain managers, this framework is rich in details and categorize risk into three proposed and testable risk categories. The composition of each category demonstrates that supply chain risk has many different origins which each must be assessed in detail with respect to their likelihood of occurrence, likely triggers and potential impact on the focal company (Harland, Brenchley and Walker, 2003). The managerial decisions and tactics to avoid or mediate the effects of undesired risk events will then be based on the output of this assessment procedure.

A number of risk factors in the supply chain risk framework will both be a cause for risk and a solution to reduce the risk perceived in the supply chain. This is natural because solutions often become evident once a problem has been properly deduced. For instance, a firm may perceive behavioral uncertainty to be a problem in their supply chain, but not understand what to do with it until it starts to refurbish and enforce an updated set of standard operating procedures. The latter is a much easier task to solve than the former, but the cause of the behavioral uncertainty (lack of routines) and solution may not have been clear until the problem was analyzed.

In other words, a focal company's impression of supply chain risk and the supply chain's resilience would be negatively correlated according to the existing lack of risk preventive measures. As a manager, three groups of suggested tactics for supply chain risk management seem to emerge when inspecting the framework. These are risk transfer tactics, proactive tactics, and reactive tactics.

Risk transfer tactics are related to the pricing mechanisms applied in the supply chain and are a special case of proactive risk management. The reason is that no actions are taken to reduce the actual risk level in the supply chain. Instead, potential financial costs of pre-defined risks are transferred to another supply chain party, typically an insurance company, or shared among transacting parties according to a predefined agreement. However, a prerequisite for risk transfer mitigation to work would be the ability to clearly define the type, cause and boundaries for when the agreed risk transfer applies. Otherwise, the level of behavioral uncertainty will increase since the distribution of responsibility is left unclear. Risk transfer mitigation can hence be successfully applied against most types of structure risk, but be problematic with supply chain process risk and supply chain components risk.

Proactive risk management tactics represent the largest group of risk avoidance and risk mitigation tactics. In its simplest and most common form, proactive risk management involves the introduction of strategically placed buffers in the supply chain according to supply chain risks identified in the model. Adjusting the level of safety stock, keeping spare production capacity, and introduction and development of several choice alternatives are all managerial responses at the operational level reducing risks coming from various internal and external dependencies in the supply chain (Buzacott and Shanthikumar, 1994; Zsidisin and Ellram, 2003; Mishra and Raghunathan, 2004; Sheffi and Rice, 2005; Humair and Willems, 2006; Tomlin, 2006).

In many supply chains, dealing with dependencies is not a matter of choice, and inventory buffers can only help during a relatively limited period of time if supply or demand is interrupted or disturbed. Also, relying solely on passive risk mitigation strategies could easily be mistaken as a pretext for doing nothing or very little else to prevent risk in the supply chain, and to take the size of risk in the supply chain for granted. Postponement of differentiation points or re-engineering of the supply chain is mentioned in the framework as an alternative to such strategies. However, while postponement increases the responsiveness of the supply chain, it would not be able to protect against a long-term supply disruption from key supply chain actors, and the focal company still faces risks coming from supply chain actors' making wrong managerial decisions, their inability to implement necessary changes, or other intended or unintended negative behavior. Examples of consequences of such risks could be direct cost increases, negative company reputation, and future lost sales for the focal company. Also, moving decoupling points and points of differentiation does not make the focal company able to detect the risk of loosing innovation opportunities which again lead to a loss of future income.

To address these remaining risks in the framework, a more fundamental approach is required. Sheffi and Rice (2005) pinpoints that supply chain disruptions often appear innocent in the beginning because reassuring information is released from different interest groups. It is therefore important that supply chain managers work to develop a shared supply chain culture where maverick information is allowed to be heard, understood and acted upon by the organizations. Supply chain disruptions often require organizations to act quickly and differently from what has been described in prevailing working procedures. Because of this, a shared culture with distributed decision-making power and dedicated employees is considered important for a supply chain's resilience. In resilient organizations, front-line workers are empowered and trusted to take initiative and actions quickly based on the facts on the ground. The alternative is passive transfer of information upwards in the organizational hierarchy where information easily drowns before it reaches the decision makers.

Necessary information also needs to be shared between the supply chain actors and acted upon to avoid propagation effects in the event of a beginning disruption. Craighead et al. (2007) refers to this as the warning capability of the supply chain. But, information sharing is also required proactively in order to promote the continuous improvement of the supply chain's resilience. However, an apparent problem with this is that risk information can be considered confidential to the companies when weaknesses within own organization and management are exposed. Supply chain managers aiming to reduce the total level of risk in the supply chain therefore need to develop a trust-based culture among the involved companies. Strong relational norms is an important building block of trust and is essential to lower behavioral uncertainty and assure that shared information is not misused to achieve opportunistic advantages (Heide and John, 1992; Morgan and Hunt, 1994; Doney and Cannon, 1997).

According to Ring and Van De Ven (1992) two different definitions of trust are frequently used in literature: confidence or predictability in one's expectations (Zucker, 1986) and confidence in the other's goodwill (Friedman, 1991). Introduction of formal authority and relational norms are both ways to increase predictability, while relational norms say something about the intentionality of the other party in each supply chain relationship.

Doney and Cannon (1997) derived five trust building processes which can be used as a guideline for supply chain managers to develop trust in the supply chain: (1) Trust can be calculative and based on an estimate of the reward for an actor of behaving trustworthy against the reward for behaving opportunistically. (2) A focal company can develop confidence and predict the behavior of a supply chain actor based on the actor's previous actions. (3) Trust can be evidence-based regarding a supply chain actor's ability to fulfill its promises. (4)Trustworthiness and motivation of a supply chain actor can be assessed from the degree of shared relational norms, and (5) the focal company can rely on trusted sources which it closely identifies with the supply chain actor.

Zsidisin and Ellram (2003) refer to the implementation of quality management programs and supplier development activities to successfully improve the supply chain actors' technical capabilities, quality capabilities, and delivery capabilities, reduce costs, and promote continuous improvement. This could include assessing the qualitative attributes of supply chain components risk belonging to other supply chain actors, but does not necessarily cover the components risks originating in the focal company itself. A joint trust-based supply chain risk management culture would benefit from reciprocal feedback in both directions together with a benchmarking assessment of the innovation capabilities of cluster and organizations.

The final group of mitigation tactics identified from the framework is reactive mitigation tactics. Reactive mitigation tactics only applies after a disruptive event has occurred to cushion the damaging effects of the disruption. Rerouting and responsive pricing are two such reactive mitigation tactics (Chod and Rudi, 2005; Sheffi and Rice, 2005; Tomlin, 2006). However, both the rerouting of supplies from other sources, and responsive pricing to move demand away from affected areas, depend on available volume flexibility in the supply chain (Tomlin, 2006). Thus, the effectiveness of such reactive risk management tactics relies heavily on the available technology's ability to meet the change in demand, the supply chain actors' willingness to accommodate the focal company's desired changes, and the remaining dependencies in the chain. Managers should therefore be careful relying too much on reactive mitigation tactics without combining them with previously mentioned proactive mitigation tactics.

5. Conclusion

This paper has provided a conceptual framework for risk identification and risk assessment in supply chains which adapts well to the supply chain management framework developed by the Global Supply Chain Forum. It has been argued that supply chain risks should be assessed according to human behavior unpredictability, dependencies established in the supply chain network, and skills and qualities of each actor in the supply chain. Management of supply chain risk should hence involve actions to reduce such behavioral unpredictability and network dependencies, while increasing the skills and qualities of the supply chain actors with respect to risk identification, risk avoidance and risk situation handling.

In summary, a combination of risk management tactics seems required to cover all three risk categories. The simplest steps to introduce resilience are risk transfer tactics and proactively introducing operational redundancy. However, strategic re-engineering of the chain and changed culture can give competitive edge and sometimes help to avoid the cause of a supply chain disruption altogether if resilience is emphasized as part of a continuous improvement or quality management program.

6. Managerial Implications

This paper shows that the origins of supply chain risk are manifold and should be assessed and reassessed over time. Short-term focus on contractual risk should be supplemented with a long-term network perspective on risk. Through the reduction of human behavior unpredictability and network dependencies, combined with a continuous effort to increase risk reduction skills and qualities of supply chain actors, the focal company's total exposure to risk can be reduced. As a consequence, managers should begin to develop risk profiles for their supply chains in order to identify where the risk potential is the greatest and develop strategies for how to reduce the current level of supply chain risk. Dealing with networks, such strategy development includes both the assessment of and the involvement of other network actors. This is what is understood by Harland, Brenchley and Walker's (2003) formation and implementation of collaborative supply chain strategies. Such collaborative risk reduction strategies could for instance involve examination and formalization of standard operating procedures in the supply chain; development of trust-based strategic relationships with selected supply chain actors; encouragement of management training programs; and stimulation of a greater HSE focus in the supply chain. In another case, it could be improvement of financial strength of supply chain actors, combined with efforts to increase the organizational flexibility (reduced bureaucratization) at selected key supply chain members.

In summary, managers can utilize the information presented in this paper to better understand the nature of risk in their supply chains and use the information gained to develop strategies for the creation of more resilient supply chains.

7. Limitations and directions for future research

The risk framework presented in this paper has been developed based on a review of literature from supply chain management, marketing, and organizations theory. However, development of a measurement instrument and empirical validation of the framework remains. Also, an important follow-up for future research would be to examine trade-offs between the different types of risk in the framework and the rewards of being able to prevent or mediate future risk events. For instance, increased inventory buffers may be a less costly solution to prevent against demand fluctuations compared to postponement, but postponement may create added value to customers and thus increase the reward side.

Introduction of risk preventive and risk mediation measures may lead to an increased cost level to some of the actors in the supply chain. Others again may receive a greater benefit from a reduced exposure to risk. An interesting area for future research could therefore be to investigate how the sharing of risk related costs can be matched to the rewards of reduced risk exposure gained in the supply chain.

A great number of risks have been categorized in this framework, and while supply chain management is by nature cross-functional, so will supply chain risk. An interesting question then is: "What are the boundaries of supply chain risk?" An attempt has not been made in this paper to clearly define these boundaries, but it seems reasonable that the boundaries of supply chain risk must at least be partially context specific. For instance, an insurance company will have a different perspective on damages caused by a flooding than the company being insured. However, if the insurance claims of the flooding amounts to an unusual high level, the flooding may also be perceived as a risk to the insurance company.

References

AKERLOF, G. (1970) The Market for 'Lemons'. Quarterly Journal of Economics, 84,August 488-500.

ANONYMOUS (2007) Banker's kidnap family 'brave'. BBC News.

ANONYMOUS (2008) Two more arrests in connection with kidnapping of 5-year-old. M&C News.

APPELBAUM, S. H. (1990) Computerphobia: Training Managers to Reduce the Fears and Love the Machines. Industrial and Commercial Training, 22,6 9.

BAPTISTA, R. and SWANN, P. (1998) Do firms in clusters innovate more? Research Policy, 27,5 525.

BARNETT, C. (2007) Security Gets Certified. Traffic World, 1.

BEN NAYLOR, J., NAIM, M. M. and BERRY, D. (1999) Leagility: Integrating the lean and agile manufacturing paradigms in the total supply chain. International Journal of Production Economics, 62,1-2 107.

BHADRA, D. and TEXTER, P. (2004) Airline Networks: An Econometric Framework to Analyze Domestic U.S. Air Travel. Journal of transportation and statistics, 7,1.

BOETTKE, P., CHAMLEE-WRIGHT, E., GORDON, P., IKEDA, S., LEESON, P. T. and SOBEL, R. (2007) The Political, Economic, and Social Aspects of Katrina. Southern Economic Journal, 74,2 363.

BOLMAN, L. G. and DEAL, T. E. (1991) Reframing Organizations. Artistry, Choice and Leadership, San Francisco, Jossey-Bass.

BROCKNER, J. (1992) The Escalation of Commitment to a Failing Course of Action: Toward Theoretical Progress. Academy of Management. The Academy of Management Review, 17,1 39.

BRUDERL, J., PREISENDORFER, P. and ZIEGLER, R. (1992) Survival Chances of Newly Founded Business Organizations. American Sociological Review, 57,2 227.

BRUNSSON, N. and OLSEN, J. P. (1997) The Reforming Organization, Oslo, Fagbokforlaget.

BURTON, J. (1988) Industrial Robotics: Hazards, Accidents, Safety Application. Professional Safety, 33,11 28.

BUZACOTT, J. A. and SHANTHIKUMAR, J. G. (1994) Safety stock versus safety time in MRP controlled production. Management Science, 40,12 1678.

CATON, R. F. (2006) The other cargo-security threat. Journal of Commerce.

CHISHOLM, D. (1989) Coordination Without Hierarchy: Informal Structures in Multiorganizational Systems, Berkeley, CA, University of California Press.

CHOD, J. and RUDI, N. (2005) Resource Flexibility with Responsive Pricing. Operations Research, 53,3 532.

COOPER, A., DUNKELBERG, W. and WOO, C. (1988) Survival and Failure: A Longitudinal Study, Wellesley, MA, Frontiers of Entrepreneurship Research, Babson College.

COOPER, M. C., LAMBERT, D. M. and PAGH, J. D. (1997) Supply Chain Management: More Than a New Name for Logistics. The International Journal of Logistics Management, 8,1 1-13.

COUGHLAN, G. (2007) Dutch lose aid worker ransom case. BBC News.

CRAIGHEAD, C. W., BLACKHURST, J., RUNGTUSANATHAM, M. J. and HANDFIELD, R. B. (2007) The Severity of Supply Chain Disruptions: Design Characteristics and Mitigation Capabilities. Decision Sciences, 38,1 131.

CROOM, S., ROMANO, P. and GIANNAKIS, M. (2000) Supply Chain Management: an analytic framework for critical literature review. European Journal of Purchasing & Supply Management, 667-83.

DANIELS, H. (1996) An introduction to Vygotsky, London, Routledge.

DAVIDSON, J. (2002) Overcoming resistance to change. PM. Public Management, 84,11 20.

DOHERTY, N. A. and SCHLESINGER, H. (2002) Insurance contracts and securitization. Journal of Risk and Insurance, 69,1 45.

DONEY, P. M. and CANNON, J. P. (1997) An examination of the nature of trust in buyer-seller relationships. Journal of Marketing, 61,2 35.

DOWNS, A. (1967) Inside bureaucracy, Boston, Little, Brown.

ERADIN, A. and ARMATLI-KOROGLU, B. (2005) Innovation, networking and the new industrial clusters: the characteristics of networks and local innovation capabilities in the Turkish industrial clusters. Entrepreneurship and Regional Development, 17,4 237.

FESTINGER, L. (1957) A theory of cognitive dissonance, Evanston, IL, Row, Peterson.

FOSFURI, A. and RONDE, T. (2004) High-tech clusters, technology spillovers, and trade secret laws. International Journal of Industrial Organization, 22,1 45.

FRIEDMAN, R. A. (1991) Trust, understanding, and control: Factors affecting support for mutual gains bargaining in labor negotiations. A paper presented at the Annual Meeting of the Academy of Management. Miami, FL.

GASKILL, L. R., VAN AUKEN, H. E. and MANNING, R. A. (1993) A factor analytic study of the perceived causes of small business failure. Journal of Small Business Management, 31,4 18.

GILLAND, B. (2002) World population and food supply: can food production keep pace with population growth in the next half-century? Food Policy, 27,1 47.

GOLDRATT, E. and COX, J. (1992) The Goal: A Process of On-going Improvement, New York, North River Press.

GRANOVETTER, M. (1985) Economic Action and Social Structure: The Problem of Embeddedness. American Journal of Sociology, 91,November 481-510.

GRIFFY-BROWN, C. (2003) Just-in-time to just-in-case. Graziadio Bus. Rep., 6.

HALL, G. (1992) Reasons for insolvency amongst small firms - A review and fresh evidence. Small Business Economics, 4,3 237.

HAMMER, M. (2001) The Superefficient Company. Harvard Business Review, 68,8 82-91.

HANNAN, M. T. and FREEMAN, J. (1984) Structural inertia and organizational change. American Sociological Review, 49.

HARLAND, C., BRENCHLEY, R. and WALKER, H. (2003) Risk in supply networks. Journal of Purchasing and Supply Management, 9,2 51.

HEADD, B. (2003) Redefining business success: Distinguishing between closure and failure. Small Business Economics, 21,1 51.

HEIDE, J. B. and JOHN, G. (1992) Do Norms Matter in Marketing Relationships. Journal of Marketing, 56.

HELLIWELL, J. and FOWLER, A. (1994) Introducing IT into a Mature Production Related Work Environment: The Human Resource Factor. Journal of Information Technology, 9.

HERER, Y. T., TZUR, M. and YUCESAN, E. (2002) Transshipments: An emerging inventory recourse to achieve supply chain leagility. International Journal of Production Economics, 80,3 201.

HOFSTEDE, G. (1983) The Cultural Relativity of Organizational Practices and Theories. Journal of International Business Studies, 14,2 75.

HUMAIR, S. and WILLEMS, S. P. (2006) Optimizing Strategic Safety Stock Placement in Supply Chains with Clusters of Commonality. Operations Research, 54,4 725.

IVENS, B. S. (2002) Governance Norms in Relational Exchange: What We Do Know and What We Do Not Know. 18th Annual IMP Conference. Dijon, France.

JOHN, G. (1984) An Empirical Investigation of Some Antecedents of Opportunism in a Marketing Channel. JMR, Journal of Marketing Research, 21,3 278.

JOHNSON, M. E. (2001) Learning from toys: Lessons in managing supply chain risk from the toy industry. California Management Review, 43,3 106.

JÜTNER, U., PECK, H. and CHRISTOPHER, M. (2002) Supply chain risk management: outlining an agenda for future research. IN GRIFFITHS, J., HEWITT, F.and IRELAND, P. (Eds.) Proceedings of the Logistics Research Network 7th Annual Conference.

KELLY, D. and AMBURGEY, T. L. (1991) Organizational Inertia and Momentum: A Dynamic Model of Strategic Change. Academy of Management Journal, 34,3 591.

KLEINDORFER, P. R. and SAAD, G. H. (2005) Managing Disruption Risks in Supply Chains. Production and Operations Management, 14,1 53.

LAMBERT, D. M., GARC?A-DASTUGUE, S. J. and CROXTON, K. L. (2005) AN EVALUATION OF PROCESS-ORIENTED SUPPLY CHAIN MANAGEMENT FRAMEWORKS. Journal of Business Logistics, 26,1 25.

LAMBERT, L. M., COOPER, M. C. and PAGH, J. D. (1998) Supply chain management: Implementation issues and research opportunities. International Journal of Logistics Management, 9,2 1.

LATOUR, A. (2001) Trial by fire: A blaze in Albuquerque sets off major crisis for cell-phone giants. Wall Street Journal.

LEE, H. L., PADMANABHAN, V. and WHANG, S. (2004) Information Distortion in a Supply Chain: The Bullwhip Effect/Comments on "Information Distortion in a Supply Chain: The Bullwhip Effect". Management Science, 50,12 1875.

LEROY, S. A. G. (2006) From natural hazard to environmental catastrophe: Past and present. Quaternary International, 158,1 4.

LI, C.-L. and KOUVELIS, P. (1999) Flexible and risk-sharing supply contracts under price uncertainty. Management Science, 45,10 1378.

MACNEIL, I. R. (1980) The New Social Contract, New Haven, CT, Yale University Press.

MARCH, J. G. and SHAPIRA, Z. (1987) Managerial Perspectives on Risk and Risk Taking. Management Science, 33,11 1404.

MASON-JONES, R., NAYLOR, B. and TOWILL, D. R. (1999) Agile, or leagile: matching your supply chain to the marketplace. Proceedings of the 15th International Conference on Production Research. Limerick.

MCHUGH, M. (1997) The stress factor: another item for the change management agenda? Journal of Organizational Change Management, 10,4 345.

MINTZBERG, H. (1983) Power In and Around Organizations, Englewood Cliffs, Prentice Hall.

MISHRA, B. K. and RAGHUNATHAN, S. (2004) Retailer- vs. Vendor-Managed Inventory and Brand Competition. Management Science, 50,4 445.

MORGAN, R. M. and HUNT, S. D. (1994) The Commitment-Trust Theory of Relationship Marketing. Journal of Marketing, 58,3 20-38.

NARASIMHAN, R., SWINK, M. and KIM, S. W. (2006) Disentangling leanness and agility: An empirical investigation. Journal of Operations Management, 24,5 440.

NORRMAN, A. and JANSSON, U. (2004) Ericsson's proactive supply chain risk management approach after a serious sub-supplier accident. International Journal of Physical Distribution & Logistics Management, 34,5 434.

O'ROURKE, M. (2004) Cyber-Extortion Evolves. Risk Management, 51,4 10.

O HARE, D. (1994) Target: CEO. Risk Management, 41,7 83.

OTTESEN, G. G. and GRØNHAUG, K. (2006) Pursuing opportunities: Why so many fail and so few succeed. European Journal of Marketing, 40,1/2 100.

OVERBY, J., RAYBURN, M., HAMMOND, K. and WYLD, D. C. (2004) The China Syndrome: The Impact of the SARS Epidemic In Southeast Asia. Asia Pacific Journal of Marketing and Logistics, 16,1 69.

PECK, H. (2005) Drivers of supply chain vulnerability: an integrated framework. International Journal of Physical Distribution & Logistics Management, 35,3/4 210.

PORTER, M. E. (1990) The Competitive Advantage of Nations, New York.

PROVAN, K. G. and SKINNER, S. J. (1989) Interorganizational Dependence And Control As Predictors Of. Academy of Management Journal, 32,1 202.

RANKIN, N. (2008) No vessel is safe from modern pirates. BBC News.

RINDFLEISCH, A. and HEIDE, J. B. (1997) Transaction Cost Analysis; Past, Present, and Future Applications. Journal of Marketing, 61,October 30-54.

RING, P. S. and VAN DE VEN, A. H. (1992) Structuring Cooperative Relationships Between Organizations. Strategic Management Journal, 13,7 483.

RITCHIE, B. and BRINDLEY, C. (2007) Supply chain risk management and performance. International Journal of Operations & Production Management, 27,3 303.

ROSSEAU, R. M. (1995) Psychological Contracts in Organizations. Understanding Written and Unwritten Agreements., Thousand Oaks, Sage.

SCC (2008) Supply-Chain Operations Reference-model: SCOR Overview Version 9.0.

SHEFFI, Y. and RICE, J. B. J. (2005) A Supply Chain View of the Resilient Enterprise. MIT Sloan Management Review, 47,1 41.

SIMON, H. A. (1951) A Behavioral Model of Rational Choice. The Quarterly Journal of Economics, 69,1 99-118.

SPEKMAN, R., E. and DAVIS, E., W. (2004) Risky business: expanding the discussion on risk and the extended enterprise. International Journal of Physical Distribution & Logistics Management, 34,5 414.

STINCHCOMBE, A. L. (1965) Organizations and social structure. IN MARCH, J. G. (Ed.) Handbook of Organizations. Chicago, IL, Rand-McNally.

STINCHCOMBE, A. L. (1985) Contracts as Hierarchical Documents. IN STINCHCOMBE, A. L.and HEIMER, C. (Eds.) Organization Theory and Project Management. Oslo, Norwegian University Press.

STINCHCOMBE, A. L. (1986) On Social Factors in Administrative Organization. IN STINCHCOMBE, A. L. (Ed.) Stratification and Organization. Selected Papers. Cambridge, Cambridge University Press.

THORNHILL, S. and AMIT, R. (2003) Learning about failure: Bankruptcy, firm age, and the resource-based view. Organization Science, 14,5 497.

TOMLIN, B. (2006) On the Value of Mitigation and Contingency Strategies for Managing Supply Chain Disruption Risks. Management Science, 52,5 639.

WAGNER, S. M. and BODE, C. (2006) An empirical investigation into supply chain vulnerability. Journal of Purchasing and Supply Management, 12,6 301.

WATHNE, K. H. and HEIDE, J. B. (2000) Opportunism in Interfirm Relationships; Forms, Outcomes, and Solutions. Journal of Marketing, 64,4 (October) 36-51.

WILLIAMS, S. and NARENDRAN, S. (1999) Determinants of managerial risk: Exploring personality and cultural influences. The Journal of Social Psychology, 139,1 102.

WILLIAMSON, O. E. (1975) Markets and Hierarchies: Analysis and Antitrust Implications, New York, The Free Press.

WILLIAMSON, O. E. (1985) The Economic Institutions of Capitalism: Firms Markets, Relational Contracting, New York, The Free Press.

YEA, S. (2004) Are we prepared for world population implosion? Futures, 36,5 583.

ZSIDISIN, G. A. (2003) Managerial perceptions of supply risk. Journal of Supply Chain Management, 39,1 14.

ZSIDISIN, G. A. and ELLRAM, L. M. (2003) An agency theory investigation of supply risk management. Journal of Supply Chain Management, 39,3 15.

ZUCKER, L. G. (1986) Production of trust: Institutional sources of economic structure. IN STAW, B. M.and CUMMINGS, L. L. (Eds.) Research in Organizational Behavior.39

[1] See the moral hazard problem and the adverse selection problem in

AKERLOF, G. (1970) The Market for 'Lemons'. Quarterly Journal of Economics, 84,August 488-500. and

RINDFLEISCH, A. and HEIDE, J. B. (1997) Transaction Cost Analysis; Past, Present, and Future Applications. Journal of Marketing, 61,October 30-54.