The Emerald Research Register for this journal is available at

www.emeraldinsight.com/researchregister

IJPDLM
34,5

434
Received July 2003
Revised February 2004
Accepted March 2004

The current issue and full text archive of this journal is available at
www.emeraldinsight.com/0960-0035.htm

Ericssons proactive supply chain

risk management approach after
a serious sub-supplier accident
Andreas Norrman
Department of Industrial Management and Logistics, Lund University,
Lund, Sweden, and

Ulf Jansson
Ericsson AB, Sweden, Core Unit Supply, Stockholm, Sweden
Keywords Supply chain management, Risk management, Business continuity, Insurance
Abstract Supply chain risk management (SCRM) is of growing importance, as the vulnerability
of supply chains increases. The main thrust of this article is to describe how Ericsson, after a fire at
a sub-supplier, with a huge impact on Ericsson, has implemented a new organization, and new
processes and tools for SCRM. The approach described tries to analyze, assess and manage risk
sources along the supply chain, partly by working close with suppliers but also by placing formal
requirements on them. This explorative study also indicates that insurance companies might be a
driving force for improved SCRM, as they now start to understand the vulnerability of modern
supply chains. The article concludes with a discussion of risk related to traditional logistics concepts
(time, cost, quality, agility and leanness) by arguing that supply chain risks should also be put into
the trade-off analysis when evaluating new logistics solutions not with the purpose to minimize
risks, however, but to find the efficient level of risk and prevention.

International Journal of Physical

Distribution & Logistics Management
Vol. 34 No. 5, 2004
pp. 434-456
q Emerald Group Publishing Limited
0960-0035
DOI 10.1108/09600030410545463

Introduction
Background
In industry, especially those industries moving towards longer supply chains (e.g. due
to outsourcing) and facing increasingly uncertain demand as well as supply, the issue
of risk handling and risk sharing along the supply chain is an important topic. The
leaner and more integrated supply chains get, the more likely uncertainties, dynamics
and accidents in one link affect the other links in the chain. Hence, the supply chain
vulnerability (Svensson, 2000; Christopher et al., 2002) increases, and it will increase
even more if companies, by outsourcing, have become dependent on other
organizations. A number of current business trends that increase the vulnerability
to risks in supply chains are:
.
increased use of outsourcing of manufacturing and R&D to suppliers;
.
globalization of supply chains;
.
reduction of supplier base;
.
more intertwined and integrated processes between companies;
.
reduced buffers, e.g. inventory and lead time;
.
increased demand for on-time deliveries in shorter time windows, and shorter
lead times;
.
shorter product life cycles and compressed time-to-market;

.
.

fast and heavy ramp-up of demand early in product life cycles; and
capacity limitation of key components.

Souter (2000) stresses that companies should not only focus on their own risks: they
must also focus on risks in other links in their supply chain. According to Lambert and
Cooper (2000) and Mentzer et al. (2001), for example, a key component for supply chain
management (SCM) is sharing both risks and rewards between the members of the
supply chain. This is often mentioned, but not further elaborated on, in traditional SCM
literature. The focus of supply chain risk management (SCRM) is to understand, and
try to avoid, the devastating ripple effects that disasters or even minor business
disruptions can have in a supply chain. Some examples of risk sources and such
supply chain rippling effects from the last few years are:
.
Hurricanes. Hurricane Floyd flooded a Daimler-Chrysler plant producing
suspension parts in Greenville, North Carolina (USA). As a result, seven of the
companys other plants across North America had to be shut down for seven
days.
.
Diseases. The foot-and-mouth disease in the UK in 2001 affected the agriculture
industry more than its last outbreak 25 years ago. The reason for this was that
former local and regional supply networks had become national and
international, and that the industry was much more consolidated (Juttner et al.,
2002). But many other industries were also affected: luxury car manufacturers
like Volvo and Jaguar had to stop deliveries due to lack of quality leather supply.
.
Fires. Toyota was forced to shut down 18 plants for almost two weeks following
a fire in February 1997 at its brake-fluid proportioning valve supplier (Aisin
Seiki). Costs caused by the disruption were estimated to be $195 million and sales
loss was estimated to 70,000 vehicles (, $325 million) (Converium, 2001).
.
Demand. Rapidly weakening demand coupled with locked-in supply agreements
made Cisco take a $2.5 billion inventory write-off in Q2 2001.
.
Supply. Inaccurate supply planning led Nike to an inventory shortage of hot
footwear models and the sales for Q3 2001 were $100 million off target.
.
Supply chain capacity risks. In a situation where demand is very uncertain, and
the capacity bottleneck is far upstream from the market place, the risk of
investing in more capacity could be a joint issue for the whole supply chain, and
different instruments for supply chain risk sharing can be used.
Purpose
Recently, the interest of supply chain risk management has increased in purchasing,
logistics and supply chain management research (e.g. Smeltzer and Siferd, 1998;
Zsidisin and Ellram, 1999; Hallikas et al., 2000; Ritchie et al., 2000; Lindroth and
Norrman, 2001; Johnson, 2001; Lamming et al., 2001; Christopher et al., 2002). This
article aims to extend current SCRM knowledge by describing and sharing insights of
a companys new organization, processes and tools focused on SCRM. The company is
Ericsson, a leading telecom company seriously affected by a fire at a sub-supplier some
years ago, an accident which has been widely reported (e.g. TheWall Street Journal,
2001).

Ericssons
proactive
approach
435

IJPDLM
34,5

436

The remainder of the paper is structured as follows. First, literature related to

supply chain risk management and business continuity planning in a supply chain
perspective will be summarized to give a background of the topic. Then there is a short
discussion of the methodology. Next, the case is introduced by a short description of
the Albuquerque incident that increased Ericssons focus on supply chain risk
management. The following section describes Ericssons current approach to SCRM,
and the paper ends with a concluding discussion.
Supply chain risk management
The underlying definition of SCRM in this article is:
Supply chain risk management is to [collaborate] with partners in a supply chain apply risk
management process tools to deal with risks and uncertainties caused by, or impacting on,
logistics related activities or resources (Norrman and Lindroth, 2002).

Supply chain risk management could of course deal with risks for a single company, or
even with the impact on a single logistics activity. But following the definition, the unit
analyzed should represent a buyer-seller relationship (a dyad) or, preferably, a supply
chain of three or more companies. Two important dimensions in the definition are risk
and uncertainties and the risk management process, which will now be further
elaborated on.
Risk and uncertainty
Deloach (2000) defines business risk as the level of exposure to uncertainties that the
enterprise must understand and effectively manage as it executes its strategies to
achieve its business objectives and create value. A more standard definition of risk is
risk is the chance, in quantitative terms, of a defined hazard occurring. It therefore
combines a probabilistic measure of the occurrence of the primary event(s) with a
measure of the consequences of that/those event(s) (The Royal Society, 1992, p. 4).
Hence, risk is a quality that reflects both the range of possible outcomes and the
distribution of respective probabilities for each of the outcomes. This quantitative
definition could be expressed: Risk Probability (of the event) * Business Impact (or
severity) of the event, often illustrated in a risk map or matrix (Figure 1). While risks
can be calculated, uncertainties are genuinely unknown.
But as soon as the quantitative definition is left for a broader and more business
oriented perspective, the term also gets fuzzier. Juttner et al. (2002) have also observed
that the use of the term risk can be confusing, and they argue that risk should be
separated from risk (and uncertainty) sources and risk consequences (equal to the
term risk impact). Risk sources are the environmental, organizational or supply chain
related variables that cannot be predicted with certainty and that affect the supply
chain-outcome variables. Juttner et al. (2002) suggest organizing risk sources relevant
for supply chains into three categories:
(1) Numbers: external to the supply chain.
(2) Internal to the supply chain.
(3) Network related.
External risk sources are exemplified by political risks, natural risks, social risks,
industry/market risks (e.g. volatility of customer demand). Internal risk sources

Ericssons
proactive
approach
437

Figure 1.
Risk map/matrix

range from labor (strikes) or production (e.g. machine failure) to IT system

uncertainties. Network-related risks arise from interaction between organizations
within the supply chain, e.g. due to insufficient interaction and cooperation. Risk
consequences/impacts are the focused supply chain outcome variables like costs or
quality (but also health and safety), i.e. the different forms in which the variance
becomes manifest. Other authors discussing similar types of risks are Johnson (2001)
and Zsidisin (2001). Johnson (2001) divides supply chains risks between supply risks
(e.g. capacity limitations, currency fluctuations and supply disruptions) and demand
risks (e.g. seasonal imbalances, volatility of fads, new products). Zsidisin et al. (e.g.
2000) focuses on supply risks related to design, quality, cost, availability,
manufacturability, supplier, legal, and environmental, health and safety.
We find supply chain risks to be related to the logistics activities in companies
flows of material and information. Consequently, it is only a part of all business risks.
(But, on the other hand, the supply chain perspective also implies a perspective not
only including your own company, but a chain of at least three entities: customers,
suppliers, sub-suppliers, etc.)
The stages of the risk management process
Risk management is the making of decisions regarding risks and their subsequent
implementation, and flows from risk estimation and risk evaluation (The Royal
Society, 1992, p. 3). The risk management process is focused on understanding the
risks, and minimizing their impact by addressing, e.g. probability and direct impact.
The stages of the risk management process discussed can vary from risk
identification/analysis (or estimation) via risk assessment (or evaluation) to different
ways of risk management (labels differ among authors although the steps are similar).
Parallel to risk management is the issue of how to mitigate the consequences of an
accident if it does happen: to deal with the situation in a way that minimizes business
impact. This is normally referred to as business continuity management (BCM) and
relates to those management disciplines, processes and techniques, which seek to
provide the means for continuous operations of essential functions under all
circumstances (Hiles and Barnes, 2001, p. 379). BCM aims at getting interrupted

IJPDLM
34,5

438

businesses restarted. In many ways, risk management and BCM are overlapping, and
some argue that business continuity plans development is the risk management action
to take for risks of low probability (such as fires and floods), but whose potential
impact is a business failure.
Supply chain risk analysis and assessment
Risk analysis/identification is an important stage in the risk management process.
Consequently, by identifying a risk, decision-makers become aware of events that may
cause disturbances. To assess supply chain risk exposures, the company must identify
not only direct risks to its operations, but also the potential causes or sources of those
risks at every significant link along the supply chain (Christopher et al., 2002). Hence,
the main focus of supply chain risk analysis is to recognize future uncertainties to
enable proactive management of risk-related issues.
There are many methods for risk identification and analysis. One important tool is
risk mapping, i.e. using a structured approach and mapping risk sources and thereby
understanding their potential consequences. Two commonly used techniques for
researching factors and causes contributing to accidental events are the fault tree
analysis (FTA) and the event tree analysis (ETA). Both are logic diagrams that
represent the sequences of failures that may propagate through a complex system.
FTA examines all potential events leading up to the critical event and is a graphical
diagram that shows how a system can fail. The analysis starts with top events, then
the necessary and sufficiently hazardous events, the causes and contributing factors of
which are identified together with their logical relationships by way of a backward
logic. The ETA is also a graphical logic diagram, but goes the other way. It focuses on
events that could occur after a critical event and identifies and quantifies possible
outcomes following initiating events by looking at potential consequences (e.g. Mullai
and Paulsson, 2002). For both techniques, quantitative data, such as probabilities for
events, could be used to get an idea of the final probability. Deloach (2000) proposes a
similar tool called risk driver map, where potential threats are mapped.
After the risk analysis, it is important to assess and prioritize risks to be able to
choose management actions appropriate to the situation. One common method is to
compare events by assessing their probabilities and consequences and put them in a
risk map/matrix (Figure 1). In theory, and when historical events are assessed, this
could be quite a straightforward and quantitative task, but in business this could be a
subjective process relying on specialists judgements. Hallikas et al. (2000), show an
example of this in a supply context. In practice, other risk assessment tools are also
used, which are not consistent with the theory of probability and impact but cover a
broader perspective instead. Zsidisin and Ellram (1999) summarize the supply risk
assessment process of a Fortune 500 high-tech company, and propose a ten-step
approach to risk assessment (Figure 2). Primarily, they are concerned with
material-related risks that could affect timely and cost-effective delivery of quality
products and services.
Risk management
Risk management is the process whereby decisions are made to accept a known or
assessed risk and/or the implementation of actions to reduce the consequences or
probability of occurrence. Generally used actions for risk management are to avoid,

reduce, transfer, share or even take the risk. To avoid is to eliminate the types of event
that could trigger the risk. To reduce applies both to reduction of probability and
consequence. Examples of how to reduce the impact could be to have an extra
inventory, multiple sources, back-up sites/resources identified, sprinklers in buildings,
having risk managers and emergency teams appointed, parallel systems or to
diversify. Probability could be reduced by improving risky operational processes, both
internally and in cooperation with suppliers, and to improve related processes, e.g.
supplier selection. Risk could also be transferred to insurance companies but also to
supply chain partners by moving inventory liability, changing delivery times of
suppliers (just-in-time deliveries) and to customers (make-to-order manufacturing), or
by outsourcing activities. Furthermore, contracts can be used to transfer commercial
risks. Finally, risks could be shared, both by contractual mechanisms (e.g. Tsay et al.
(1998) or Cachon (2002), for a review on supply chain contracts) and by improved
collaboration.

Ericssons
proactive
approach
439

Business continuity management

Business continuity management (BCM) is defined as:
. . . the development of strategies, plans and actions which provide protection or alternative
modes of operation for those activities or business processes which, if they were to be
interrupted, might otherwise bring about a seriously damaging or potentially fatal loss to the
enterprise (Hiles and Barnes, 2001).

Business continuity management includes crisis management (overall processes to

manage the incident), disaster recovery (recovery of critical systems, applications, data
and networks), business recovery (recovery of critical business processes) and
contingency planning (recovery from impact external to the organization) (CMI, 2002).
Developing action plans is important in BCM, and business continuity planning
(BCP) is a term often used. BCP is planning to ensure continued operations in case of a
catastrophic event. But it goes beyond disaster-recovery planning, since it includes the
actions to be taken, resources required, and procedures to be followed to ensure the
continued availability of essential services, programs and operations in the event of
unexpected interruptions. BCP has previously been mostly related to computers and
information technology-related disasters, especially before Y2K, but since then the
approach has moved towards more applications in other business contexts. However,
according to a study by CMI (2002), only about 30 percent of all companies studied
developed BCP jointly with suppliers. Only 9 percent of companies that have
outsourced activities (not only logistics) insist on their outsource suppliers having
business continuity plans.

Figure 2.
Supply risk assessment
process based on Zsidisin
and Ellram (1999)

IJPDLM
34,5

440

The first activities in developing business continuity plans are identifying the risks
and assessing their probability and impact the steps are hence identical to risk
management. Part of this is to understand what will be affected (damage potential
analysis). Then, strategies and recovery plans should be developed that could be
implemented both before the incident (similar to risk management strategies) and after
the incident. Post-incident strategies are implemented to maintain partial or total
product supply and could for manufacturing and logistics include (Musson, 2001):
.
use of spare capacity within the organization;
.
shutdown of marginal product lines and transfer of key products to those
production facilities;
.
assistance from competition;
.
outsourcing to sub-contractors, job shops, etc.;
.
re-labeling of competitors products (after consideration of all legal implications);
and
.
establishment of temporary facilities when production capabilities can be
established with off-the-shelf or second-hand equipment.
Methodology
Since only limited empirical research on how companies deal with supply chain risk
management has been found, an explorative approach has been chosen. Examples of
earlier case studies in the area are those of Zsidisin (2001), Zsidisin and Ellram (1999)
and Zsidisin et al. (2000), but they have focused more on purchasing and supply than
a supply-chain approach, consisting of the idea to work with risks along multiple
companies in a chain. In our study, a single case is used, which is an appropriate way of
establishing the field at the early stages of an emerging topic (Eisenhardt, 1989). To
capture and examine contemporary events, the case study approach is normally
preferred (Yin, 1994). The single case could give good enough insights on the breadth
of issues and a better opportunity to penetrate important issues. Ericsson has been
chosen for several different reasons: It is in a volatile industry that faces many of the
business trends described in the introduction; it has recently had a major supply chain
incident that has been widely reported; lately, it has worked hard to improve its supply
chain risk management; and, finally, the company has been willing to openly share its
experiences and has given good access to information and data.
Empirical data have initially been collected through semi-structured and open
interviews done by the academic co-author with about ten representatives from various
functions within Ericsson: corporate risk management, core unit supply (a both
strategic and operational SCM-function), sourcing, and supply chain risk management
(industry co-author). In addition, supplementary documents showing processes,
organizational structures and risk management tools were collected by the academic
co-author to verify and more detailed illustrate the findings from the interviews. By
using multiple sources of evidence and interviewees, construct validity improves (Yin,
1994). The joint writing process started with a structured synopsis developed by the
academic researcher, comparable with an interview guide, which was then filled with
facts and descriptions in a collaborative writing and analysis process. (The industry
co-author had of course meetings and written communication with colleagues to get
supplementary data and opinions). By this collaborative writing and analysis process

between an academic and industry co-author, we think that the richness of the case
study description can be improved as well as the construct validity increased (Yin,
1994, pp. 32-4). Further the final paper has been returned for comments and correction
to the other functions interviewed. As this research is an explorative single case study,
external validity and broad generalizability are difficult to address. One purpose has
been to describe pioneering practice for other practioneers to make it possible to
benchmark, and for academics to start a process of analytical generalization (Yin,
1994) by first doing replicate studies and pattern matching-analysis. Hence external
validity and generalizability could increase over time with more cases.
Ericsson and the sub-supplier accident
Ericsson is the largest supplier of mobile telecom systems in the world, active
worldwide since 1876 and currently employing approximately 61,000 people in more
than 140 countries. The worlds ten largest mobile-phone operators are among their
customers and some 40 percent of all mobile phone calls are made through Ericsson
systems. For the last ten years, Ericsson has outsourced a great deal of its assembly
and production to contract manufacturers and sub-suppliers. With Sony Ericsson
(including Ericssons old cellular phone business) it is also a top supplier of complete
mobile multi-media products. Like most companies, Ericsson has been exposed to a
number of risks and incidents in the last few years:, e.g. suppliers having quality and
delivery problem, industries general lack of capacity, and power disruption lasting a
few days. We will shortly describe the accident that can be seen as the major trigger for
Ericsson to improve its supply chain risk management.
The Albuquerque accident
A major accident from an Ericsson perspective was a fire on 18 March 2000 in a very
small production cell (small as a conference room for ten people) at a sub-suppliers
plant in Albuquerque, New Mexico (USA). The ten-minute fire was an effect of a
lightning bolt hitting an electric line in New Mexico, causing power fluctuations
throughout the state. The problem was that when the power was out, there was no
spare diesel motor to supply the fans with power, so the fans stopped. From a plant
perspective, the resulting fire was almost negligible, and when the fire brigade
arrived it was sent home as the fire already was out (The Wall Street Journal). But for
Ericsson, the impact was huge. In the spring of 2001, when the annual report from
Ericsson was announced, a major loss of about $400 million was indicated, primarily
due to gaps in the supply of radio-frequency chips from this supplier. The reason was
that the fire occurred in one of the plants clean rooms, where absolutely no dust is
tolerated. Due to the fire, and especially the smoke and sprinkler water, it took almost
three weeks until the production was up and running. After six months, the yield was
only 50 percent, and it would take years to get new equipment delivered and
installed. As this plant was Ericssons only source for this chip, Ericsson was not able
to sell and deliver one of its key consumer products during its booming market
window. The company lost many months of mobile phone production, and the
accident finally had a great impact on Ericssons decision to withdraw from the
mobile phone terminal business.
Later, Ericssons business interruption costs were calculated as approximately $200
million, which was compensated by insurance companies. This was one of the biggest

Ericssons
proactive
approach
441

IJPDLM
34,5

442

insurance payments that year (after the 9/11 disaster). The accident made Ericsson
realize the importance of not only understanding and managing risks internally but
also trying to better analyze, assess and manage risk along the supply chain and to
take immediate action when incidents are indicated. In a widespread analysis, The
Wall Street Journal argued that Ericsson did not take action quickly and powerfully
enough after the Albuquerque accident, and that it took too long before higher
management was aware of the incident. Further, Ericsson neither had alternative
sources nor was prepared for this kind of accident. Now, actions have been taken:
During the last few years, a formal SCRM organization has been put in place, and
many SCRM processes and tools have been developed and implemented. Todays
philosophy at Ericsson is that everyone is a risk manager.
Ericssons current supply chain risk management approach
In the last few years (after the Albuquerque accident and before the renewal of its
insurance), Ericsson has further developed and implemented processes and tools for
supply chain risk management. The purpose is minimizing risk exposure in the
supply chain. Its approach for this (Figure 3) is based on a process with
feedback-loops between the sub-processes. The risk management process includes risk
identification (similar to risk analysis), risk assessment, risk treatment (similar to risk
management) as previously discussed in theory, but it has also added a process step for
risk monitoring. In parallel (and central) to this, the company has put incident handling
and contingency planning.
Organizational principles and responsibility
Previously, risk management was handled by a corporate function, mostly dealing
with insurance companies (and later also security). In the last few years the
organisation for supply chain risk management has been developed and many people
and functions are involved. On a high level, the corporate function for risk
management, the SCM/logistics function (in Ericsson called the core unit supply) and
the purchasing function (core unit sourcing) are involved, as well as (Figure 4) the units
responsible for the different business areas (SBAs). They are working together in a

Figure 3.
Ericssons basic approach
to SCRM

Ericssons
proactive
approach
443

Figure 4.
Organization of risk
management on a
corporate level

matrix-oriented way, for example with a risk management council with representatives
from the different units. The roles of the main functions involved are:
.
corporate risk management has the overall responsibility for risk management in
the Ericsson group and has contact with the insurance companies and co-ordinates
risk management activities in the whole group, also developing directives;
.
core unit supply (CSUP) is responsible for the operative work and daily interface
with suppliers;
.
system business area (SBA) has the business perspective and owns the product;
and
.
core unit sourcing is responsible for the commercial interfaces with the supplier
and is therefore involved in evaluation of suppliers and when incidents occur.
A matrix approach is taken (Figure 5) on a more operational level within the
SCM/logistics function (CSUP), as well. A supply chain risk manager, placed within
core unit supply, is responsible for development and implementation of SCRM. He is
working closely together with corporate risk management, as well as with the line
people (supply chain managers), responsible for different supply chains and hence
also for the supply chains risks. Supply chain managers are also part of CSUP, but
interfacing the SBAs. Supply chain managers should use the tools and processes
developed by the SCR manager to analyze, assess and manage risk in their supply
chains. In this work purchasers are involved in the assessments of and contacts with
suppliers. The roles of the operational people involved in SCRM are:
.
Supply chain risk manager (SCR manager) at core unit supply runs and
coordinates the work to maintain an optimal balance between risk exposures and
costs for damages versus protection activities.
.
Supply chain managers (SCM) within CSUP are the interface to SBAs and have
full responsibility for the respective SBAs supply chain. They are responsible
for risk management as regards securing the reliability of supply chains and
their ability to deliver.
.
Core production: supports SCM with risk management issues.

IJPDLM
34,5

444

Figure 5.
Organization of SCRM
within the SCM/logistics
function core unit supply

The matrix approach means that many different players are involved in and sharing
responsibility for implementing and maintaining information regarding risk
management. This could make roles unclear, and hence responsibility grids
(Figure 6) are defined. However, the key responsibility lies with the SCMs that
should run the risk management work in their respective supply chain.
Risk identification process
Initially, Ericsson identifies and analyzes its supply chain risks by mapping the
supply chain upstream, looking at suppliers as well as products/services (Figure 7).

Figure 6.
Part of responsibility grid

Ericssons
proactive
approach
445

Figure 7.
Supply chain risk and
structure map

The purpose of this is verifying the business flow between Ericsson and the
supplier/service provider and defining the critical parts and risk sources in the
process, i.e. products, components, sites, etc. The goal is to get a better
understanding of what the probability and impact of the risks are. So far, more than
10,000 components have been analyzed, mainly of first and second tier suppliers.
First, each component is classified into four different classes depending on the
number of sources:
(1) The product is currently sourced from more than one approved source (e.g. two
or more manufacturers or one manufacturer with two or more sites).
(2) The product is currently sourced from one approved source; other sources are
approved and available but not used.
(3) The product is currently sourced from one approved source; other sources are
available and approved but no tools, masks or other equipment needed are in
place.
(4) The product is currently sourced from one supplier. No additional manufacturer
is available.
Ericsson then tries to understand the impact by looking at how long an accident will
affect deliveries. This is expressed by business recovery time (BRT). Components are
put into four different classes:
(1) It takes less than three months to get deliveries from an alternative source.
(2) Three to eight months to get approval and deliveries from an alternative source.
(3) Nine to 12 months, re-design the only alternative.
(4) 12 months, re-design of a unit/product of high complexity.
Risk assessment process
Then, an in-depth analysis is carried out of the suppliers and sub-suppliers of critical
products. For this, Ericsson has developed a tool called Ericsson risk management
evaluation tool (ERMET). ERMET (Figure 8) evaluates many different issues in detail,
e.g. business control, financial issues, hazards in the surroundings (external as well as

IJPDLM
34,5

446

Figure 8.
Overview of ERMET
Ericsson risk management
evaluation tool

man-made); hazards at the site; and business-interruption handling. The tool is used to
analyze both internal and external suppliers. Internally, the tool will be used in
combination with contingency planning.
When using ERMET, corporate risk managers and SCR managers often work
together, as the tool is complex and requires knowledge to use. Often, a representative
from sourcing is brought in, who is responsible for the supplier contacts. Each sub-area
in ERMET is thoroughly evaluated by looking into different aspects (see Figure 9),
trying to quantify the risk by looking at impact (consequence) and probability. The
suppliers total risk situation, and their forecasted development, is then summarized
into spider-web diagrams. Those evaluations are done regularly and are used to follow
up improvements and action plans.
ERMET is mostly focusing on operational accidents and catastrophes and how to
avoid business interruption. Ericsson uses other tools to try to identify and assess more
strategic uncertainties such as shifts in products or product generations. When a risk
or uncertainty source has been identified, the SCR manager facilitates workshops
attended by different functional and business specialists where events are discussed
that could lead to risks. For each event causes are identified, so that preventive actions
can be developed. (This methodology is similar to FTA). The analysis and actions are
then summarized into special templates that are later used for follow-up and
monitoring of the risks (Figure 10).
Ericsson tries to combine impact and probability in a risk map/matrix. But it has
found that the risk value (calculated by multiplying impact and probability) is not
always easy to use, as the probability could be difficult to get and the value is not
always understandable to business people. Therefore, Ericsson is focusing on the
financial impact when assessing which risks to prioritize and for which supplier or
components to take actions. To get a financial value of the impact on Ericssons own
business, the company calculates the business interruption value (BIV). Currently this
value is defined by gross margin multiplied by the business recovery time (BRT)
plus extra costs such as idle capacity labor and equipment, inventory carrying etc. Its
aim is to also consider values such as lost goodwill. This calculation is made by the

Ericssons
proactive
approach
447

Figure 9.
Examples of detailed risk
assessment and summary
diagrams

business control function in order to help the supply chain manager. To categorize the
risks, BIV is divided into four classes:
(1) Severe: BIV . , $100 million.
(2) Major: BIV , $50 million-$100 million.
(3) Minor: BIV , $10 million-$50 million.
(4) Negligible: BIV , , $10 million.

IJPDLM
34,5

448

Figure 10.
Risk map/matrix and
corresponding risk
management actions

This is then used as a basis for the risk matrix to compare the result from the risk
identification process to understand the impact if an interruption occurs (very high,
high, medium or low). For each of these risk levels, different actions are required
(Figure 11). Ericsson finds risks with high consequences/low probability more
important to handle from a risk management perspective than those with low
consequence/high probability.
Risk treatment/management
The third step in Ericssons process is called risk treatment, which includes both
developing risk mitigation strategies and deciding on those. This is a line
responsibility, and who is doing it depends on which tier the risk source is part of:
for higher tier, supplier sourcing is responsible, while for lower tier, the supply chain
manager (Figure 6), and for internal plants it is production. Standard templates and
tools for this (Figure 10) are developed by the SCR manager. Those templates start
with describing the risk source and its probability and consequence, and continue with
a summary of different mitigations strategies, their costs and how they affect the risk
situation. To compare the cost of different preventive actions with the business
interruption value is regarded as very important. Finally, responsible persons are
appointed.

Ericssons
proactive
approach
449

Risk monitoring and follow-up

If the risk level is very high, or high and not mitigated, risk monitoring is required. If
the residual risk, after mitigation, is not reduced to an acceptable risk level it must
continue to be monitored. Risk assessment and treatment templates (Figure 10) and
the spider web (Figure 9) are used to monitor who is responsible internally and how
different supply chain partners are developing compared to their commitments. For
suppliers and sub-suppliers, special attention is given to how their risk management
processes are developing.
Incident handling and business continuity planning
Ericsson is putting emphasis on developing procedures and templates for incident
handling and BCP to decrease the consequences of an accident. After the Albuquerque
accident, the process for incident reporting is very important and task
forces/emergency teams have been appointed. If an incident occurs, this should be
reported to either the sourcing task force (if external supplier) or the SCM task force
and production task force (if internal supplier). When an incident has been reported, it
should then be communicated to the other task forces as well as to the supply chain
risk manager and the corporate risk management (Figure 12). Also, related SBA and

Figure 11.
Templates for risk
assessment and treatment,
and contingency planning

IJPDLM
34,5

450
Figure 12.
Information flow and task
forces for incident
handling

market representatives that might potentially be affected should be notified. It is not

tolerated that suppliers not report incidents they should not first be reported by
newspapers or other sources. The task forces/emergency teams will be trained at least
once a year in different scenarios, for example a disruption in the supply chain due to a
disaster at a class four supplier. When an incident occurs, the three task forces should
work closely together, if necessary.
To develop contingency plans, a toolbox is available on the intranet. While the
previous contingency planning focus was on site recovery, it has now moved towards a
focus on the whole supply chain. If Ericsson cannot manage a risk by eliminating or
minimizing the consequences, the company makes a contingency plan to know what to
do if something happens. Ericsson has divided contingency planning into three steps
(Figure 10):
(1) Response plan: the response is the required reaction to an incident or emergency
to assess the level of containment and to control activity.
(2) Recovery plan: the recovery phase actions shall include the actions that are
needed to resume critical or essential business operations, functions or
processes.
(3) Restoration plan: the process of planning for and implementing full-scale
business operations again and to allow the organization to return to normal
service level.
For each risk source, a responsible person shall be appointed and actions for response,
recovery as well as restoration phase be developed.
The supply chain approach to risk management and business continuity management
Supply chain risk management is not only to analyze, assess and manage internal
risks and try to plan for business continuity for the own company. SCRM means
widening this approach to the chain of suppliers and suppliers suppliers. This could
be done by visiting suppliers and analyze and assess them, but more proactively to
make them implement a SCRM approach themselves, which guarantees a further
spread upstream.

Ericsson is implementing this approach both by soft discussion and by putting

the following guidelines as requirements into the frame contracts:
.
The supplier shall establish and maintain a secure sourcing plan including
regularly updated business continuity and business contingency plans.
.
The supplier shall identify a back-up site/resource for each relevant site.
.
A person responsible for initiating the secure sourcing plan activities shall be
appointed for each relevant site.
.
Key personnel at the supplier shall be appointed and reasonably trained on
Ericssons specific product requirements. Alternatively, personnel in the
facilities concerned shall be prepared to be transferred to the dedicated
back-up capacity.
.
The supplier shall report incidents.
.
The Ericsson entities placing orders should be allowed to review the plan.
.
The supplier shall have corresponding requirements on its suppliers and
contractors.
.
The supplier shall actively work with risk management with its contractors and
suppliers.
.
Ericsson shall at any time have the option to acquire some or all assets which are
unique for the production of Ericsson products by the supplier.

Ericssons
proactive
approach
451

To summarize Ericssons approach for SCRM (Figure 13) it starts with mapping all the
components and products many tiers upstream the supply chain and identifies critical
suppliers and sites that have to be prioritized in the further risk assessment. Suppliers,
first critical then others, are then analyzed and assessed with the Ericsson evaluation
tool (ERMET), which takes many different risk sources into account. By these two first

Figure 13.
Ericssons approach to
supply chain risk
management

IJPDLM
34,5

452

steps, a rough assessment is made on how a shortage of a material or product will

affect the supply chain and, finally, Ericssons invoicing. Based on a more thorough
investigation, risk probability and the impact of different accidents at each supplier
will be evaluated and the impact measured as business recovery time. The supplier
risk is then translated to the risk related to Ericssons business with the impact
measured in business interruption value. Based on this assessment, risk management
actions can be discussed and taken. A very important part in this last step is to find the
right trade-off between risk management (protection) cost and risk cost (impact
measured as BIV): a too high investment in safeguards is not good business practice,
either.
So far, most joint work has been with the next upstream tier, the contract
manufacturers. They have been very positive to and interested in the co-operative
approach to secure the supply chain and reduce supply chain risks. An important
part of the work has been to share tools and methods used in the risk management
process to analyze and assess risks.
Business impact of improved supply chain risk management
The new SCRM approach has so far contributed well to Ericsson. After the
Albuquerque accident, it was quite difficult to get new business-interruption
insurances. The insurance companies were skeptical and an increase of insurance costs
was flagged. Further, they demanded more and more information on risks in the
supply chain. With the current way of working with SCRM, this has changed again,
and lately, insurance companies have praised Ericssons way of working, and will
probably impose the same requirements on other companies. The insurance premium
offered was 50 percent lower than Ericsson first expected, due to its SCRM work.
Although the supply chains now are more secure and less vulnerable, there have
been incidents after Albuquerque (and always will be). During the implementation of
SCRM processes, a new incident occurred at a supplier. A small fire in a plating line
caused a disruption. This incident gave Ericsson the opportunity to test and verify the
processes with a real case. In their risk identification process, the business recovery
time for that component was estimated to approximately three months, which proved
to be correct. Based on BRT and previous experience, Ericsson could act and set up
enough resources to handle the incident. Ericsson quickly enough allocated
components, so there was no disruption in their inbound supply.
The SCRM tools have also started being used for other purposes than those they
were initially developed for. The supply chain risk and structure maps are now also
used to assess capacity and dimensioning risks in order to arrange buffers. Another
example is that a SBA uses the cause-event analysis for risks related to product
introduction, ramp-up and product changes. This indicates that the SCRM work has
been positively received by the organization.
Concluding discussion
Supply chain risk management seems to be of growing interest and importance both
from an academic and a practioner perspective. The development lately within
SCM/logistics has created long, lean and interconnected chains of companies
vulnerable to accidents and their rippling effects. In the last few years, there have been
many examples of such accidents, and in this article we have described Ericssons new

approach to SCRM after its supply chain accident in Albuquerque. Ericsson has now
developed and implemented improved organization, processes and tools for supply
chain risk management. It tries to identify, analyze and manage both internal and
external risk sources, related to the company as well as its suppliers and sub-suppliers.
By this, and an increased requirement on and cooperation with suppliers regarding
risk management, it also tries to avoid impact from network related risk sources.
According to Ericsson, an important success factor, to make SCRM work, is having an
open discussion with the suppliers, both during risk analysis and assessment, but
particularly when handling incidents. Many ideas and tools have been taken from
normal risk management practice, but have been applied with a supply chain
perspective, focusing not only on Ericssons own activities. As a result, risk
consequences have been reduced, Ericsson has been better able to handle incidents and
its insurance costs have been reduced. However, the approach is continuously
implemented and has still not come to its end (if it ever will). Although Ericssons
approach can be considered proactive, the company will stress the importance of
having reactive task forces prepared. Even if much resources are invested in risk
analysis and assessment, accidents might appear where and when least expected and
then an efficient crisis organization must be in place to minimize the consequences.
Ericssons work has, to some extent, been driven by a pressure from insurance
companies a pressure that most likely will be put on other companies and industries
too. What the insurance companies realized, with the Albuquerque accident as a
trigger, was that they did not understand the risks, risk sources and consequences that
the current long supply chains and their rippling effects had. Hence, a new driving
force for companies to work with SCRM could be that insurance companies will require
it to reduce insurance premiums or even to sell contingency insurances.
Current logistics and supply chain principles have been influenced by the attempts
in the last few decades, first to reduce costs, then time and quality, and have lately
focused on concepts of responsiveness, agility and leanness (Figure 14).
Those principles could lead to very vulnerable supply chains, and, consequently, the
interest in SCRM has increased lately. However, to safeguard logistics processes too
much could be both counteractive to current best practice in logistics as well as too
costly. Hence, we would argue that a balanced approach should be taken, where SCRM

Ericssons
proactive
approach
453

Figure 14.
Key focus areas within
logistics and SCM

IJPDLM
34,5

454

is one part of the equation. This could be done by trying to relate risk consequences to
time (business recovery time) and money (business interruption value) as Ericsson is
now doing. Further, it is possible to expand the risk management focus from the
companies own sites to suppliers and sub-suppliers by working together in risk
identification, assessment, management and business continuity planning, but also by
formal assessment of how suppliers are working with those issues and by putting
requirements into the contracts. Current and new logistics principles could be
evaluated from a SCRM perspective, and risk management actions must be evaluated
from a logistics perspective focusing on cost, time, quality etc. Some connections
between SCRM and the other areas (Figure 14) are:
.
Risk and costs: SCRM might create too high prevention costs (reducing
probability or impact by increased buffers, new processes, extra suppliers, etc) as
well as reduce cost for both business interruptions and insurances. The Ericsson
case is an example in which the risk is measured in money (BIV), prevention cost
is compared to risk costs, and insurance cost is decreased thanks to improved
SCRM.
.
Risk and time: SCRM might create buffers and processes delaying lead time
but through good and well thought out SCRM other actions should be found.
Time could also be reduced e.g. the reaction time when an incident or accident
happens. Ericsson is also an example of how a time measurement (BRT) is used
to assess risk impact.
.
Risk and quality: these two areas are most similar and should definitely work out
well in parallel both have a clear process orientation and a focus on avoiding
errors (Lee and Wolfe, 2003, elaborate on this issue).
.
Risk and agility, responsiveness and leanness: companies efforts to increase
agility, responsiveness and leanness have led to increased outsourcing and
reduced buffers and lead time and hence to increased vulnerability. Ericsson is
characterized by this aspiration and has implied a high risk exposure.
However, as these three concepts are very important in todays business, efficient
SCRM is important for managing the increased risk exposure.
The main contributions of this article have been to stress the supply chain approach
in SCRM as a complement to more purchasing oriented studies, and to give a quite
detailed description of how SCRM could work in practice. By using a case company
that only a few years ago was seriously affected by a sub-suppliers fire and hence
started to focus on SCRM, it should hopefully bring new insights both to academy and
practioners. The interrelation between supply chain risk management and current
logistic/supply chain management principles is not clear, and we find this to be an
interesting field for future research so that SCRM actions neither decreases supply
chain efficiency nor is seen only as costly and time consuming.

References
Cachon, G. (2002), Supply Chain Coordination with Contracts, The Wharton School of Business,
University of Pennsylvania, Philadelphia, PA.

Chartered Management Institute (CMI) (2002), Business Continuity and Supply Chain
Management, report available at: www.thebci.org/2809-01%20Bus%20Continuity%
20Summ.pdf
Christopher, M., McKinnon, A., Sharp, J., Wilding, R., Peck, H., Chapman, P., Juttner, U. and
Bolumole, Y. (2002), Supply Chain Vulnerability, Cranfield University, Cranfield.
Converium (2001), Suppliers extension or contingent business interruption insurance,
available at: www.converium.com/web/converium/converium.nsf/2a1b7a462af6c
00185256ad2000da28c/30c4e3ebc211d4f9c1256ad5004334b5?OpenDocument.
Deloach, J.W. (2000), Enterprise-wide Risk Management. Strategies for Linking Risk and
Opportunities, Financial Times/Prentice-Hall, London.
Eisenhardt, K.M. (1989), Building theories from case study research, Academy of Management
Review, Vol. 14 No. 4, pp. 532-50.
Hallikas, J., Virolainen, V.-M. and Tuominen, M. (2000), Risk analysis and assessment in
network environment a dyadic case study, Preprints of the 11th International Working
Seminar on Production Economics, pp. 255-70.
Hiles, A. and Barnes, P. (Eds) (2001), The Definitive Handbook of Business Continuity
Management, J. Wiley & Sons, Chichester.
Johnson, M.E. (2001), Learning from toys: lessons in managing supply chain risk from the toy
industry, California Management Review, Vol. 43 No. 3, pp. 106-24.
Juttner, U., Peck, H. and Christopher, M. (2002), Supply chain risk management: outlining an
agenda for future research, in Griffiths, J., Hewitt, F. and Ireland, P. (Eds), Proceedings of
the Logistics Research Network 7th Annual Conference, pp. 443-50.
Lambert, D.M. and Cooper, M.C. (2000), Issues in supply chain management, Industrial
Marketing Management, Vol. 29, pp. 65-83.
Lamming, R., Caldwell, N., Harrison, D. and Phillips, W. (2001), Transparency in supply
relationships: concept and practice, Proceedings of the 10th International IPSERA
Conference, pp. 585-94.
Lee, H.L. and Wolfe, M. (2003), Supply chain security without tears, Supply Chain Management
Review, January/February, pp. 12-20.
Lindroth, R. and Norrman, A. (2001), Supply chain risks and risk sharing instruments an
illustration from the telecommunication industry, Proceedings of the Logistics Research
Network 6th Annual Conference, Heriot-Watt University, 13-14 September, pp. 297-307.
Mentzer, J.T., DeWitt, W., Keebler, J.S., Min, S., Nix, N.W., Smith, C.D. and Zacharia, Z.G. (2001),
Defining supply chain management, Journal of Business Logistics, Vol. 22 No. 2, pp. 1-25.
resund Hazardous Events, Causes and Claims,
Mullai, A. and Paulsson, U. (2002), Oil Spills in O
Lund University, Lund.
Musson, M. (2001), BC strategies for manufacturing and logistics, in Hiles, A. and Barnes, P.
(Eds), The Definitive Handbook of Business Continuity Management, J. Wiley & Sons,
Chichester, pp. 163-70.
Norrman, A. and Lindroth, R. (2002), Supply chain risk management: purchasers vs planners
views on sharing capacity investment risks in the telecom iindustry, Proceedings of the
11th International Annual IPSERA Conference, Twente University, 25-27 March,
pp. 577-95.
Ritchie, B., Brindley, C., Morris, J. and Peet, S. (2000), Managing risk within the supply chain,
paper presented at the 9th International IPSERA conference, Ontario, May.
(The) Royal Society (1992), Analysis, Perception and Management, The Royal Society, London.

Ericssons
proactive
approach
455

IJPDLM
34,5

456

Smeltzer, L.R. and Siferd, S.P. (1998), Proactive supply management: the management of risk,
International Journal of Purchasing and Materials Management, Vol. 34 No. 1, pp. 38-45.
Souter, G. (2000), Risks from supply chain also demand attention, Business Insurance, Vol. 34
No. 20, pp. 26-8.
Svensson, G. (2000), A conceptual framework for the analysis of vulnerability in supply chains,
International Journal of Physical Distribution & Logistics Management, Vol. 30 No. 9,
pp. 731-50.
Tsay, A.A., Nahmias, S. and Agrawal, N. (1998), Modelling supply chain contracts: a review, in
Tayur, S. et al. (Eds), Quantitative Models for Supply Chain Management, Kluwer
Academic, Norwall, MA, pp. 299-336.
Wall Street Journal (2001), Trial by fire a blaze in Albuquerque sets off major crisis for
cell-phone giants, 29 January.
Yin, R.K. (1994), Case Study Research Design and Methods, Applied Social Research Methods
Series, Vol. 5, Sage Publications, Thousand Oaks, CA.
Zsidisin, G. (2001), Measuring supply risk: an example from Europe, Practix, Best Practices in
Purchasing and Supply Chain Management, June, pp. 1-6.
Zsidisin, G. and Ellram, L.M. (1999), Supply risk assessment analysis, Practix, Best Practices in
Purchasing and Supply Chain Management, June, pp. 9-12.
Zsidisin, G., Panelli, A. and Upton, R. (2000), Purchasing organization involvement in risk
assessment, contingency plans, and risk management: an exploratory study, Supply
Chain Management: An International Journal, Vol. 5 No. 4, pp. 187-97.
Further reading
A.T. Kearney and European Logistics Association (1999), Insight to Impact. Results of the 4th
Quinquennial European Logistics Study, ELA, Brussels.
Lonsdale, C. (1999), Effectively managing vertical relationships: a risk management model for
outsourcing, Supply Chain Management: An International Journal, Vol. 4 No. 4, pp. 176-83.