The development of supply chain risk management over time: revisiting Ericsson

Andreas Norrman (Industrial Management and Logistics, Lund University, Faculty of Engineering, Lund, Sweden)
Andreas Wieland (Department of Operations Management, Copenhagen Business School, Frederiksberg, Denmark)

International Journal of Physical Distribution & Logistics Management

ISSN: 0960-0035

Article publication date: 29 June 2020

Issue publication date: 3 September 2020

Abstract

Purpose

This invited article explores current developments in supply chain risk management (SCRM) practices by revisiting the classical case of Ericsson (Norrman and Jansson, 2004) after 15 years, and updating its case description and analysis of its organizational structure, processes and tools for SCRM.

Design/methodology/approach

An exploratory case study is conducted with a longitudinal focus, aiming to understand both proactive and reactive SCRM practices using a holistic perspective of a real-life example.

Findings

The study demonstrates how Ericsson's SCRM practices have developed, indicating that improved functional capabilities are increasingly combined across silos and leveraged by formalized learning processes. Important enablers are IT capabilities, a fine-grained and cross-functional organization, and a focus on monitoring and compliance. Major developments in SCRM are often triggered by incidents, but also by requirements from external stakeholders and new corporate leaders actively focusing on SCRM and related activities.

Research limitations/implications

Relevant areas for future research are proposed, thereby increasing the knowledge of how companies can develop SCRM practices and capabilities further.

Practical implications

Being one of few in-depth holistic case studies of SCRM, decision-makers can learn about many practices and tools. Of special interest is the detailed description of how Ericsson reactively responded to the Fukushima incident (2011), and how it proactively engaged in monitoring and assessment activities. It is also exemplified how SCRM practices could continuously be developed to make them “stick” to the organization, even in stable times.

Originality/value

This is one of the first case studies to delve deeper into the development of SCRM practices through taking a longitudinal approach.

Keywords

Citation

Norrman, A. and Wieland, A. (2020), "The development of supply chain risk management over time: revisiting Ericsson", International Journal of Physical Distribution & Logistics Management, Vol. 50 No. 6, pp. 641-666. https://doi.org/10.1108/IJPDLM-07-2019-0219

Publisher

:

Emerald Publishing Limited

Copyright © 2020, Andreas Norrman and Andreas Wieland

License

Published by Emerald Publishing Limited. This article is published under the Creative Commons Attribution (CC BY 4.0) licence. Anyone may reproduce, distribute, translate and create derivative works of this article (for both commercial and non-commercial purposes), subject to full attribution to the original publication and authors. The full terms of this licence may be seen at http://creativecommons.org/licences/by/4.0/legalcode


Introduction

When entering the Ericsson headquarters in Stockholm, Sweden early in the morning of June 18, 2018, for the purpose of conducting interviews, we, the authors of this article coincidentally experienced the effectiveness of Ericsson's supply chain risk management (SCRM) approach in real time. One of the interviewees asked us whether we had heard about the 5.5Mw earthquake that had hit Osaka, Japan, the same morning at 7.58 a.m. Japan Standard Time. While we had not, Ericsson had already leveraged its SCRM processes. Shortly after the first alerts and before our arrival, Ericsson had analyzed the number of suppliers and sub-suppliers in the affected geographical area; investigated manufacturing sites; analyzed the potential financial influence on sold products (business interruption value) and whether there would be any supply disruption; discussed alternative suppliers; contacted suppliers in the affected area by local sourcing offices to garner information about people hurt, damages and affected flows that could prevent deliveries to Ericsson; evaluated whether Ericsson personnel were in the area and/or hurt; and received information from Japanese suppliers that they were not impacted. Ericsson's conclusion from this quick initial analysis process, in place since 2011, was that there was no need to “press the red button.” What we observed was not a major event for Ericsson, but it gave us a taste of the effectiveness and practical applicability of Ericsson's contemporary SCRM approach.

As Ho et al. (2015) found that most SCRM research is of a theoretical nature, they advise scholars to use primary data to investigate the practical applicability of SCRM models. They found the original article about the Ericsson case (Norrman and Jansson, 2004) to be one of very few articles that investigates SCRM with the aid of a real-life case. In addition, in their literature review, Fan and Stevenson (2018) identify a crucial research gap in the holistic approach that considers all four stages (identification, assessment, treatment and monitoring) of the SCRM process being almost absent in the academic literature. They identified only six articles, including Norrman and Jansson (2004), that have taken a holistic approach that covers all stages, with only two of them (Tummala and Schoenherr, 2011; Lavastre et al., 2012) having been published less than 10 years ago. Concentrating on only a few process stages comes with the downside of missing out on what practitioners have repeatedly highlighted as being the key to SCRM in an effective manner: the understanding of the interwoven connections between the identification, assessment, treatment and monitoring stages. What is missing in the literature, therefore, is an updated real-life approach with a holistic perspective.

A distinction can be made between proactive and reactive SCRM. The proactive approach requires decision-makers to be able to forecast possible future changes and resist these forecasted changes (Wieland and Wallenburg, 2013). Although ongoing technological developments might increasingly enable decision-makers to get closer to “total control” of the end-to-end supply chain, the expectation that this can at some point be possible is certainly too optimistic (Hoberg et al., 2020). Therefore, while necessary, proactivity alone is not sufficient for SCRM. Reactivity is also needed, i.e. the actions which are required after a risk has already been detected. Organizations need to be able to (1) recognize a risk and initiate a response; (2) put in place a disruption management team; (3) develop an initial plan; (4) review and revise the plan in light of new information; and (5) evaluate the reactive work, learning to improve for future risks (Hopp et al., 2012). An essential part of reactive practices is the protection of the reputation of the company, highlighting the importance of communication after a risk occurrence (Bland, 2013; Ponis and Ntalla, 2016). The resilience literature assumes that systems, like supply chains, constantly evolve, suggesting that systems should be able to adapt by coping with changes (Holling, 1996). Within SCRM, there needs to be the proper balance between proactive and reactive approaches.

To help to fill the research gap described regarding holistic real-life cases, the purpose of this invited article is to assess Ericsson's contemporary SCRM practices and how both its proactive and reactive SCRM procedures have developed over time. Thus, we returned to Ericsson to collect new data for a longitudinal case study and complement the original findings. Recommended steps for conducting rigorous case study research have been followed (e.g. Gibbert et al., 2008; da Mota Pedrosa et al., 2012). To study the focal unit of analysis (the SCRM practices of Ericsson) and the developments since 2004, a case study protocol including a semi-structured interview guide based on an initial research framework has been used (available on request). Different data sources were combined during the data collection process: archival data as well as interview data from multiple senior informants representing different involved functions and perspectives (Table 1). The interviews were recorded at the Ericsson head office on June 18 and 19, 2018, and took place as group interviews. The transcribed and summarized data were later shared and discussed with the main informants during multiple rounds to validate and complement the data. Also, our analysis was shared with Ericsson for the same purpose.

The article proceeds by presenting how Ericsson's SCRM practices have developed over time and across different eras. One incident, Fukushima in 2011, is highlighted to provide empirical details. Thereafter the analysis is presented, followed by a concluding discussion of implications and suggestions for future research.

Ericsson's SCRM practices throughout the course of time

Strategic profile of Ericsson's supply chains

Ericsson, founded in 1876 and now operating in around 180 countries, is a leading multinational provider of information and communication technology (ICT), including networks and digital services for mobile phones, 5G and the internet of Things (IoT). Net sales in 2018 were SEK 210.8 billion; the organization has over 95,000 employees worldwide, and roughly 40% of the world's mobile traffic is carried through its networks.

Notably, a series of supply chain decisions, partly made to mitigate risks, has over time contributed to the strategic profile. The manufacturing strategy was directed to an extension from mainly “engineer-to-order” and “make-to-order” by also including “make-to-stock” processes. Although one manufacturing site would be sufficient from an operational perspective, Ericsson operates three sites instead as a way to hedge risks. The sourcing strategy includes a strong focus on outsourcing to contract manufacturers, called electronics manufacturing services (EMS), which are employed for the final assembly of products with the purpose of increasing agility and financial flexibility. To reduce network complexity, Ericsson has restricted their number to two. Again, based on volume, only one EMS would be sufficient, but two were chosen to reduce dependence risk. While volumes were historically concentrated on just one EMS, tasks are now split. Each EMS operates multiple plants with similar processes, which allows Ericsson to decide which EMS should be utilized. While Ericsson buys manufacturing capacity from the EMS, it buys components directly from second-tier suppliers based on its own contracts. Ericsson uses a very active postponement strategy when working with modularized products and using software for the late differentiation of products. While the distribution strategy was previously characterized by local subsidiaries holding localized stocks in their warehouses, the ownership and responsibility with regards to those stocks are now handled by a central supply unit, and non-localized stock is held in regional supply hubs.

The SCRM eras of Ericsson

We begin by analyzing Ericsson's SCRM practices that were in place around 2002/2003. A matrix-oriented organization was outlined involving both corporate functions for Corporate Risk Management and Security, with Corporate Supply (including logistics), Corporate Sourcing (including purchasing), and different business areas representing commercial line organization. A dedicated supply chain risk manager was responsible for the development of processes and tools. The SCRM process included the steps of risk identification/analysis, risk assessment, risk treatment/management, risk monitoring as well as incident handling and contingency planning. Many, primarily manual, tools and templates were developed, such as responsibility grids, supply chain risk and structure maps, risk management evaluation tools, risk assessment diagrams, risk matrices, schemes for calculating business interruption values (BIV) and business recovery times (BRT), templates for risk assessment and contingency plans, processes and task forces (crisis management teams) for incident handling, “toolboxes” on the Intranet to develop contingency plans, guidelines for suppliers implemented in frame agreements, and many more (see Norrman and Jansson, 2004).

Much has happened since. The development of Ericsson's SCRM practices is summarized in a rough timeline (Appendix) and described for different time periods, hereinafter called “eras” (Table 2). Appendix also summarizes important triggers, such as major risk incidents. Although the incidents seldom impacted Ericsson's output, they were managed and yielded valuable experiences. Changes in corporate governance influencing SCRM are described, because they proved important. Developments in SCRM processes and tools are presented in horizontal bands representing the most involved functions, specifically Supply, Sourcing and Security, as they have been most important but also developed at a different pace. Changes in major enablers, such as information system (IS) and learning capabilities, are also indicated because they have been needed to take SCRM practices to the next level.

The “fine-tuned proactivity but re-functionalizing” era (2002–2007)

Between 2002 and 2007, only a few major risk incidents affected Ericsson. Most notably, however, Kista, the area of Stockholm where Ericsson's headquarters, and during that time, some smaller plants and suppliers were located, was hit by a couple of power shortages. The most severe occurred in 2002, although with just a limited impact on supply chain flows.

At the corporate level, there was a revitalized use of the SCOR model for defining processes and metrics. Further, the distribution network started to become consolidated. The responsibilities for local distribution centers were moved from the local sales subsidiaries to the corporate supply function, whose scope and responsibility thus increased.

Initially, a previous project-oriented approach for risk work (used for the major Y2K project to secure IS) was replaced by clearer organizational accountability. However, the risk culture that emerged after the 2000 Albuquerque accident (Norrman and Jansson, 2004) slowly faded, and SCRM, in retrospect, did not continue to apply to the day-to-day culture. This was partly because of the rather low exposure to risk incidents during this era. Moreover, it was partially because of the retirement of key actors, especially in Security, which at the time was a less operational department. Although a cross-functional organization was still in place, SCRM was increasingly siloed back to the respective functional areas.

SCRM initiatives were focused on the upstream supply chain and attempted to enhance, fine-tune and spread the use of existing tools and templates. Supply focused on the mapping and tracking of all supplier sites more formally, collecting data for risk identification and assessment more effectively, and implementing tools and templates for this across the organization. Within Sourcing, various key processes, such as category management and supply management, were improved. Clear plans and processes existed for risk handling, but they were hardly practiced owing to the low number of incidents.

Early in this era, Security, together with the Supply Chain Risk Manager, began to develop and use a survey tool known as Ericsson Blue. This tool was jointly developed with an external partner, and facilitated comparing risk-management performance for different internal plants on an annual basis. Very detailed requirements were utilized, often rather technical ones, such as the way sprinklers in buildings were dealt with. Performance was graded at four levels and, finally, results of different variables together formulated a weighted score that allowed sites to be ranked. Results were summarized in a report, aiming to provide feedback and suggest improvements.

After the Kista power outage (2002), Ericsson realized that not only one building, but multiple sites could potentially be affected simultaneously. Consequently, the Supply function at Ericsson headquarters installed a crisis-proof office room, using, for example, dual diesel generators as back-up power sources and having access to back-up satellite communication – features top management already had at their disposal for many years. At major plants, satellite communication was available together with charged mobile phones to secure crisis communication. Whereas all manufacturing sites used the same enterprise resource planning (ERP) system, other business functions (e.g. sales) were not globally aligned. Apart from basic spreadsheet tools, support tools for SCRM processes were rather limited. With the initially clearer organizational accountability, a better platform for learning emerged. Yet, the learning related to SCRM during this era relied mostly on a TQM-inspired, unstructured, continuous improvement approach.

The “enabling IS and extending the scope” era (2007–2009)

Between 2007 and 2009, no risk incidents occurred that would have affected Ericsson's SCRM processes. In this era, Ericsson improved the coordination between previously scattered sales companies. The focus and scope of Supply's SCRM now extended to flows downstream in the supply chain, including sales activities related to local distribution hubs, offices and flows across the globe. Another trigger that can spur SCRM are corporate IS improvements. After many years of isolated solutions, Ericsson's global consolidation of ERP systems led to an integration of the systems of sales companies into the One system, Ericsson's single instance of an ERP platform. The use of a business data warehouse was improved for supplier data, which together with increased employment of analytics tools, better supported SCRM templates with enhanced data while identifying bottlenecks for components. Process development during this era paralleled and leveraged the improvements made for IS capabilities.

The new IS capabilities enabled a transition from rather manual to more automated visualization practices. Supply developed an improved toolkit for bill-of-materials reporting that could list the components included in a final product based on its product number, which is not easy to implement for dynamic ICT products. The tool helped to generate one joint forecast and increase global visibility. Sites@Risk, an internally developed online tool from 2008, combined geo-mapping using Google Earth with Sourcing's risk database, including annually updated data on components, manufacturing and suppliers sites. By entering an incident's location (as Osaka in the Introduction), the Sites@Risk (Figure 1) would produce a visual map within minutes, identifying all plants and offices (internal, suppliers and sub-suppliers). By combining these systems, Ericsson could now quickly determine an incident's position to learn about the corresponding impact on finished products.

A corporate initiative based on ISO 9000 standards led to a stronger internal focus on assessments and management reviews.

The “developing and testing the tools” era (2009–2010)

The 2009–2010 era was dominated by a number of incidents that made Ericsson challenge, further develop, test and implement their SCRM practices. The most notable incidents were the global financial crisis, the 2010 volcano eruption in Iceland and an internal warehouse incident in 2010. The financial crisis caused troubles for both suppliers and EMS and created supply shortages, according to an Ericsson manager: “to close a wafer fab takes 15 min, but to restart it takes 2 years to get back in full production.” Wafer manufacturing capacity drastically dropped and competition for remaining capacity increased tremendously. Some suppliers filed for bankruptcy, and to secure supply, Ericsson even acquired and in-sourced one critical EMS with financial problems. As a lesson from the financial crisis, securing supply and reducing component recovery time were highly prioritized. The Icelandic volcano incident placed emphasis on transportation risks. Finally, the warehouse incident was brought about by software creating problems for finding existing material within the warehouse.

The Supply and Sourcing functions increased the amount of formalized cross-functional meetings, for example, to set targets on suppliers and single-sourced components. The Security function, previously affected by the retirements of key people, was bolstered by additional resources. Its organization re-matured and became more formalized and fine-grained, gaining Security positions in the global line organizations that were accountable for continuity management at the different locations and sites. The risk culture started to shift from “a few heroes to a formalized line.”

Data-driven processes designed to analyze and solve supply shortages also became more formalized during this period. The development of data-driven tools was a key priority, especially business intelligence and analytics tools, which enabled Ericsson to increase its reactive capacity owing to improved proactive mapping. With increased capability and visibility of forecasting and planning data, Supply developed a global planning tool that enabled a more proactive and reactive understanding of the impact of supply flow disruptions on the production output of finished products. By combining this system with the joint ERP, Ericsson could much quicker analyze when an incident would create a bottleneck and its final impact. This capability supported the allocation process of finished products to customers as well as decisions regarding customer communication. To handle shortages from the 2010 warehouse crash, a customer prioritization process was developed, implemented and used.

Sourcing focused again on developing category-management and supplier-management processes. Responsible sourcing became imperative, with mandatory ethical requirements (e.g. code of conduct) being instituted with suppliers and evaluated on an annual basis. A program for contract compliance was also rolled out. Additionally, the security function's scope for site assessments (Ericsson Blue) was extended to sub-suppliers.

IS developments were characterized by people learning how to effectively make use of the technical capabilities improved during the last era. Learning was based on experiences when tools were tested and refined during incidents.

The “learning from incidents and re-cross-functionalizing” era (2011–2015)

Probably the most influential era in Ericsson's SCRM journey commenced with a wave of severe risk incidents that challenged its existing SCRM setting. In the following, we use the 2011 earthquake and tsunami in Fukushima, Japan to illustrate how Ericsson's reactive processes and tools were deployed. Yet, another major incident tested the reactive SCRM processes in the same year: the 2011 Thailand floods. Although the impact on Ericsson's supplier base was less severe, the firm followed a similar pattern when taking action. More incidents occurred in 2012, including a series of earthquakes in Indonesia, the Philippines, Japan and China as well as Hurricane Sandy in the US, leading to a continuous refinement of the SCRM practices within just a short timeframe. A tissue factory located right next to an Ericsson plant also caught on fire, and while firewalls stopped the fire from spreading, the heat melted many Ericsson components. Additionally, political risks with potential supply implications, e.g. the Korea conflict, were taken into account.

Detailed example: Ericsson's reactive SCRM during the earthquake and tsunami in Japan (2011)

On March 13, 2011, at 6:46 CET, an 8.9-magnitude earthquake struck the coast of Japan about 17 miles below the Earth's surface. Dozens of aftershocks, some with a magnitude of 6.0 or higher, were experienced and a tsunami inflicted damage to the Fukushima Daiichi Nuclear Power Plant. As Japan is one of the major global suppliers of semiconductors and other relevant components, this accident had a huge impact on telecommunication and high-tech firms.

The Ericsson Supply Chain Crisis Management Task Force (ESCCMTF) was immediately activated and met Friday morning at 9:00 CET (i.e. two hours after the earthquake; Figure 2). The cross-functional task force of roughly ten persons was proactively established before, including a chairperson (Head of Inbound Supply), his substitute (from Sourcing) and a secretary (initially, the Supply Chain Risk Manager). Communication lines were directly established to Group Security, Corporate Communication and the Business Area Management Team, among others. The Supply Chain Risk Manager had developed a checklist with important control questions that were now used. At around 9:30 CET, a consequence analysis team started to map suppliers in the area, components at risk, affected products and their BIV. Geo-mapping based on the Sites@Risk tool and Sourcing Risk database (Figure 1) allowed for the identification of suppliers and their plants in Japan. The Sourcing Risk database determined 335 direct material suppliers of electronics and electro-mechanics components with volume production agreements. Of those were 305 non-Japanese suppliers and 30 Japanese suppliers, and in total, 58 had operations in Japan. Within two hours, critical suppliers were identified, and a first impact analysis was conducted. By employing real-time earthquake information connected to the tools, Ericsson could geographically limit the first scope of suppliers to 37 to concentrate on and later extend this set. These 37 suppliers had approximately 104 plants in the affected area and were delivering about 4200 components. Roughly 1000 components were mapped until 16:00 CET, and all 4200 until 14:00 CET the day after. Between 11:00 and 14:00 CET, prepared emails were sent to all suppliers, and between 15:00 and 16:00 CET, official letters were sent to selected suppliers. At 13:00 CET, a team of three people from Ericsson's Swedish headquarters (including the Supply chain risk manager) was sent to Japan to assist and arrived in Tokyo on Monday morning. The 37 suppliers were surveyed immediately by phone or e-mail: Eight of them confirmed a high-risk impact, 23 a low impact, and 19 did not reply. For example, one affected supplier had a factory close to the coast of the tsunami area, delivering 36 components whereof six were single-sourced and 30 dual-sourced. Based on already documented recovery plans from suppliers, and the output from the consequence analysis, Ericsson decided on its action plan.

The following day, Saturday, Ericsson contacted different logistics providers to investigate alternative routes out of Japan. After having evaluated component issues, orders were placed directly to dual sources of supply. Research and development (R&D) managers prepared for re-designing single-sourced components and qualifying new suppliers. The consequence analysis recommended orders to be re-directed and to buy six months of the demand for critical components from dual sources. Ericsson set up a special team to quickly purchase via spot markets, but was in parallel trying to find alternative solutions with its suppliers. For the critical components being single-sourced, the next steps were determined jointly with R&D, including re-design. Finally, the analysis recommended adding even more resources for communication. A pre-requisite for carrying out a consequence analysis and taking actions quickly was that component data related to manufacturing plants were proactively prepared and instantly accessible.

Supplying critical infrastructure for such a societal crisis, Ericsson decided to prioritize customers in Japan. It focused the next weeks on providing all needed support to Japanese customers to secure the vital telecom networks that were functioning. The company used helicopters to reach affected areas and satellite phones to enable communication. On March 17, Ericsson's top management sent a letter to customers giving a status update on the effects of the earthquake.

Within the first two weeks, Ericsson closely cooperated with its Japanese suppliers, having face-to-face meetings to better understand how local suppliers were impacted, including damaged suppliers, suppliers in the evacuation zone and suppliers with limited power and water. Ericsson sought to meet representatives from suppliers and Japanese society in a polite and humble way both to pay respect to the catastrophe, being aligned with the culture and to show Ericsson's will to cooperate with joint actions.

As a result of initial risk activities, several high-risk items were removed from Ericsson's list of critical components. The recovery phase depended on the overall situation in Japan, as well as the ability of dual sources to absorb additional volumes. Forecasts were made surrounding the delivery situation for finished products relative to their demand, both in the short term (April) and slightly more over the long term (May/June). The previously developed global planning tool was largely utilized. As learned from the 2010 warehouse incident, customer prioritization became crucial, and certain decisions (e.g. whether to request prolonged delivery dates) were escalated to a priority board. An outbound allocation-handling process was crucial, and Ericsson had it clearly defined with the purpose to “prepare and level supply flows in component constraint situations in order to minimize lost orders, keep projects rolling and meet financial forecast.” Allocation analysis was completed within the first weeks. The top management regularly delivered status updates to regional and local supply managers.

The production plan was evaluated using weekly data 25 weeks ahead. Over the short term (April), the analysis indicated there to be no, or only limited, impact on production, as enough items were stocked, while mid- and long-term production plans were dependent on the abilities of non-affected suppliers to ramp up production. Ericsson also mitigated the impact on its business: Customers were offered a replacement of certain systems by others; the company agreed with customers to halt installing systems in a certain region while focusing on and speeding up the installation in the most important regions. Ericsson sometimes gave away material free-of-charge to protect future sales.

In fact, by first using current inventory and then spot-market buying before alternative sources were in place, and later using redesigned products and building upon recovered suppliers from Japan, Ericsson's output met its committed plan fairly well. Only in one week, approximately happening ten weeks after the earthquake, deliveries were far from met, and backorders were later delivered. However, this bottleneck was foreseen, and customers were informed well in advance about delayed delivery dates.

The appointment of an insurance claim team during the impacted period turned out to be very important. This team cooperated closely both with suppliers and Ericsson's regional organization to capture mitigation costs and the loss of profit. First, people had to be coached in documenting invoices, customer emails, project plans, etc., and then the impact in terms of costs or revenue loss had to be determined. It took about one year to settle the claim successfully. As Ericsson was able to demonstrate that preventive actions had been in place and recovery processes had been pre-planned, the insurance money that was paid rose.

Reactive mitigation activities were recorded and later analyzed and used for internal learning. This also included potential improvements in proactive activities in terms of the involved processes, competences and organizational interfaces. Ericsson concluded from this evaluation that its SCRM processes were well-functioning in minimizing impact. A specific learning point was that not only components but also consumables used further upstream (i.e. critical indirect material) had to be assessed. Consumables can create bottlenecks and are often overlooked, as they are rarely part of the bill-of-materials. It also became clear that mitigation activities crossed business functions beyond Supply and Sourcing, and also included R&D. Previously developed tools operated efficiently when analyzing incidents impacting one specific supplier, but now there was a need for tools that could enable Ericsson to handle incidents that simultaneously impacted several suppliers. Also learned was the importance of event recovery and involving an insurance team to prepare for correct claims later on. The business impact analysis also provided new information to learn from as well as ways to improve customer communication. External communication with suppliers worked very well, but internal communication was later improved by a special role in the crisis team.

Changes in the corporate governance of Ericsson impacted its SCRM practices in this era. A new CEO, appointed in 2010, re-organized the company, moving goods further from local distribution hubs into centrally controlled hubs, thereby increasing the scope of Supply's SCRM responsibilities again. External requirements, filtered by the CEO, increasingly turned SCRM into a “part of the company brand.” The new CEO raised the focus on corporate social responsibility (CSR) by explicitly relating it to the UN Sustainable Development Goals under Ericsson's “Technology for Good” umbrella. Thereafter, risk management and responsible sourcing were included, which elevated attention at a corporate level. Standards like ISO 14000 and OHSAS 18000 were considered on all levels. Another area that received corporate focus was business continuity management (BCM), partly because of implicit or explicit requests from customers and other stakeholders. However, Ericsson also had a self-interest to ensure that no unforeseen interruptions of critical activities hurt the firm either financially or in terms of brand value. Ericsson defined BCM as “a management system that ensures the capacity to maintain critical activities at a tolerable level, regardless of what happens.” Corporate-level compliance to standards such as ISO 22301 and ISO 27000 became a focal point, leading to increased formalization and more assessments along with reviews.

To handle incidents, a cross-functional approach was needed and was developed accordingly. Security worked increasingly tighter with other areas internally related to BCM but also with external auditors and insurance companies. A new role, the BCM driver, was created. These BCM drivers, as they were appointed in different functions and sites in the organizations, were responsible for proactively implementing the BCM framework. In Supply, the Group BCM driver replaced the Supply chain risk manager. In the event of a crisis, an incident manager belonging to Group Supply was responsible for contacts with Operations and the ESCCMTF. Together with the ESCCMTF's chairperson, they decided whether an incident was serious enough to activate the team.

Based on experiences from the incidents, Supply fine-tuned action points, processes and structures for reactive SCRM. For example, a global stock view enabled Ericsson to further improve inventory control and visibility, going from previously having only high-level financial global values to monitor on an operational item level. Both the allocation process for customers and customer communication were further developed. They extended the scope of components analyzed from only direct material to also include consumables. In both Sourcing and Security, much separate development for SCRM started (see the following), also the cross-functional collaboration between all functions increased.

Early in 2011, Sourcing defined proactive risk avoidance as one of its four strategic priorities for 2011–2015, which included four goals: All risks should be known and understood; the supplier base mitigates risk proactively; alternative solutions should always be available; and risk should be considered in all actions and decisions. The multi-year strategic development program, initially called SCRM and later relabeled supply chain resilience, refined and developed sourcing strategies, processes and tools related to SCRM.

For all sourcing categories, very detailed risk reviews were performed on a quarterly, and then later bi-annual, basis from both a strategic and cross-functional perspective. The purpose of the reviews was to assess the implementation of the strategic SCRM program (Figure 3). Risk-avoidance parameters, such as age profile, security of supply and use of multiple sources, were added to previously utilized parameters when classifying components. These reviews featured an analysis of the following areas: getting the right suppliers (i.e. preferred and approved suppliers); having the right products, components and services (challenging specifications); having contractual protection (aligning customers and suppliers contracts and enforcing important issues, e.g. SCRM, BCM); and developing a robust supply. Monitoring the implementation of these areas (for different categories) received increased attention. Also monitoring how specific strategies taken developed over time, like shortening the suppliers' component recovery times (Figure 3) and developing dual sourcing, helped focus these risk-mitigation strategies. For all product designs, at least 80% of the volume should be at least dual-sourced, according to Ericsson. Another risk-mitigation strategy was to avoid single-country sourcing for components, for example, to reduce exposure to earthquake-affected Japan. In two years, the number of critical suppliers (with respect to component recovery times) was substantially reduced, and the percentage of risk class 1 (0–2 weeks' recovery time) increased by different risk-mitigation activities (like multiple sourcing, buffers or collaboration) without extra costs. While not new, this clearly revitalized SCRM, broadening its scope across all sourcing categories and making the work more proactive and structured.

Sourcing clearly re-focused on risk-mitigation strategies, such as multiple sourcing, thereby reviewing outsourcing activities, analyzing geographical exposure, introducing second manufacturing sites, investing in duplicates of critical manufacturing tools needed by suppliers, asking suppliers to build extra buffers, and turning from being mainly reactive to more proactive. A much more apparent supplier classification was implemented, involving risk dimension and supplier governance (e.g. frequency of meeting different levels), and better defined. Many of the tools used (e.g. supplier evaluations/risk card, explicit supplier requirements, supplier performance cards) were not novel ideas but could be improved, formalized further and adapted within their focus. Tools were employed more frequently, and their utility monitored explicitly.

Annual updates of the Sourcing risk database for 30,000 components (used with Sites@Risk) were formalized using a secure supply survey. It gathers data on the risk landscape, including geographical coordinates for all production sites (and their alternates), lead times for ramping up production or switching manufacturing sites and qualifying new processes or obtaining new tools, among other information. Component resilience was classified based on recovery time, which translated into a risk classification between 1 and 4.

The suppliers were encouraged to take the secure supply survey both for their own sites and for their general supply chain capabilities, including responsible sourcing and code of conduct. All data were summarized into a risk card for a supplier evaluation (Figure 4), which was reviewed via self-assessments but with audits utilized for new suppliers or when changes occurred at the supplier. The risk cards were followed up with suppliers, and warning signals initiated further assessments and audits. For example, the EMS acquisition in 2009 was initiated based on such signals. Supplier performance cards were updated quarterly for existing suppliers, with scores in the range of 1–100 based on data from different functions (e.g. R&D, Supply, Sourcing, Finance).

Security also strongly developed the SCRM processes in this era at the functional level. Before, Ericsson Blue (Figure 5), which included a self-assessment survey, audits and feedback, was primarily applied using a certified third-party auditor to assess internal sites exposed to high risk. Driven by Corporate Treasury, this approach was revisited in 2014 and, in collaboration with insurance companies, was enhanced as the auditor became involved in the annual assessments of sites. The scope of Ericsson Blue was extended to warehousing, late configurations, postponement, and distribution activities in order to also include supply hubs and external service providers' sites, such as EMS and third-party logistics providers. For each site, self-assessment questions were sent out for preparation two months ahead, and a team visited thereafter to investigate specific areas and discuss the self-assessment. The external certified auditor analyzed observed gaps and recommended ways to fill them. Each site was required to report its mitigation solutions quarterly within the auditor's system, and sites received feedback until the auditor had approved the mitigated risk level.

A proposed risk-mitigation strategy was then compared to cost to assess its suitability. For instance, there was a situation wherein a service provider's warehouse in a desert lacked a sprinkler system that Ericsson Blue required. However, with investment costs for sprinklers in the desert being too high, Ericsson instead changed the business model of the contract, thereby dispensing with that warehouse. Over time, the Supply function was more involved in Ericsson Blue, also focusing on supply flows rather than sites only.

BCM became even more formalized and implemented across the organization, with Security as the overall process owner. A six-step cyclical BCM framework was introduced (Figure 6). The first formal description of the role of a BCM driver (2010) was updated (fourth and latest revision: 2014). Both BCM drivers and BCM process owners were appointed at different sites across the organization, making the BCM organization more fine-grained, and placing a clear responsibility on an actor to assess its upstream process, both internal and external. Sales units should assess internal plants similar to those of suppliers, according to Ericsson. The resulting network organization, BCM Forum, provided a web platform that integrated frameworks, training materials and training modules, and these materials were available for all employees.

The cyclical BCM framework commences with the following steps: define the scope, perform high-level business impact analysis, develop and implement mitigation strategies (e.g. increase buffers, capacities, and competencies, splitting into different locations). It closes with a focus on training and assessment. The BCM drivers, together with the process owners, analyze processes and sub-processes as well as the resources and capabilities needed to run those processes. The focus is on the maximum tolerable outage, defined as the time it takes before the effects of a process interruption will lead to intolerable consequences, and defining critical resources. This represented a shift in concern from geographical sites to relevant processes and capabilities. BCM requirements were also assigned to EMS. Regarding IS, systems were mainly used, tested and refined during this era. Inventory control and visibility were especially improved, partly by better combining different systems.

Increased focus on assessment and learning has characterized this era, e.g. by problem-solving and “lessons learned” from the incidents. Assessment and learning were explicitly pointed out in the BCM framework, signaling its importance, and an approach to better learn from experiences was developed. To educate suppliers, information about responsible sourcing, code of conduct and training materials were provided on Ericsson's website. Exercises and tests were stressed for finding improvement opportunities, and continuous learning became based on assessment and reviews. Further, the increasing degree of monitoring, assessment and reviews, especially in Sourcing's SCRM program and Security's BCM rollout, contributed to better-developed and implemented SCRM practices. The increased formalization and assessment made the SCRM practices more embedded in each purchasers' ordinary way of working and raised attention in different cross-functional steering and decision-making boards. For newly developed products, R&D was measured based on the total risk of the components suggested in the bill-of-materials.

The “evaluation and learning” era (since 2015)

The most recent developments started in 2015, prompted by a corporate ISO 9000 update in 2015, leading to an inclusion of more continuous improvements and pushing evaluations and compliance (and a concurrent ending of Sourcing's strategic SCRM program). The scope of analyzed risks during this phase has continued to grow, now, for example, including various free trade issues that could impact global supply chain flows. Lately, a new situation of supply shortage and allocation risk of components has arisen, which is expected to have considerable implications over the long term. This was caused by a structural shift of increased demand, where other industries, e.g. automotive, increasingly use similar components and supply capacity that had mostly been the domain of ICT industries.

Having become the “major corporate umbrella” for work related to risk and resilience, BCM now goes beyond security risks, thereby incorporating categories such as “supply chain,” “cyber,” “financial,” “market” and “environmental.” BCM has also changed its explicit unit of analysis from “sites” to “capabilities and processes.”

Corporate projects, like the ISO 9000 update, have influenced Ericsson's BCM and SCRM practices, e.g. regarding evaluation and compliance. A new CEO (2017) has particularly concentrated on compliance. The increased importance of BCM is anchored by it recently becoming part of Ericsson's formalized business processes. Moreover, inter-organizational and cross-functional approaches were further pursued. One example is the joint steering committee meeting 2–4 times a year, where Sourcing defines category strategies together with Supply and R&D.

In this era, Supply focused its processes on BCM but also continued to extend its downstream scope. Supply also developed segmented approaches for component-buffer strategies, including suppliers' stocks. When auditing suppliers, Ericsson attempts to learn from its suppliers' SCRM and BCM practices by jointly discussing issues such as, “What are your plans?”, “How can we support you?” and “How can you support us?”

Although Sourcing has changed its strategic focus to areas outside SCRM, its SCRM practices are still embedded in daily working processes. Sourcing's three main risk-mitigation strategies are dual sourcing, buffer strategies and developing alternative bills-of-materials. Sourcing focuses less on a specific component's risk and more on a final product's risks and qualifying new sources with R&D. Sourcing plans extend cooperation with R&D, particularly when developing an alternative bill-of-materials. Transparency with suppliers has increased regarding evaluation to create incentives for suppliers to engage in the right actions, receive better risk classification and thus potentially be offered higher volumes.

Currently, Ericsson is among the many companies that improve its technical capabilities related to the use of big data through the implementation of new tools for analytics and increasingly working with process mining. This has enabled Ericsson to improve an increasing number of processes, e.g. when calculating the future impact of component allocations on its final products. For the future, Ericsson assumes SCRM to become increasingly proactive in nature – even weak signals will be interpreted and addressed early on.

The importance of assessments, management reviews and compliance as inputs for training and learning has clearly risen. Continuous improvement was included explicitly in BCM activities throughout 2015. The monitoring of BCM implementation has been concerned with the quarterly self-assessments requested as a basis for performance reviews (Figure 7). The assessment focus on two different KPIs: BCM framework compliance rate, and risk treatment. The BCM compliance rate monitors whether the scope of BCM is in place and updated, if a risk analysis has been conducted and documented, and if training and exercises have been held. This is measured both holistically as broken down on different functions. The KPI for risk treatment rate assesses and compares over time how well high and very high continuity risks (H/VH) are treated. In the annual compliance reviews of top management, BCM is now also included with performance indicators that focus on the following questions: “Do you have a BCM strategy in place?”, “Do you have BCM action plans in place?” and “Have you engaged in any tests?”

Based on resultant compliance diagrams and feedback, BCM frameworks have been improved and better trained. Training is more concentrated on keeping Ericsson's risk culture alive at times when the number of incidents is reduced and the importance of risk might thus easily be underestimated. Global scenarios are especially used for training. More training modules, templates and instructions for BCM have been developed and made publicly available online. There has also been more formalization with respect to how to collect takeaways and use concluding learning from training exercises as an input to improvement programs. As Ericsson's management teams take training seriously, they create awareness of its existence across the entire organization. Ericsson has established a strong network with different external partners, which are included in scenario analysis to increase learning, and there are plans to increase this.

Analysis of the developments

We now turn to an analysis of the general developments over time, this time not by distinguishing between eras, but by taking different management perspectives on SCRM, starting with Ericsson's governance mechanisms and organizational structure. This is followed by their processes and tools; systems; assessment and learning; and finally triggering events and enablers.

Corporate governance and organizational structure

The main organizing principles for SCRM are, and have been for 15 years, a cross-functional matrix including the different corporate functions of Supply, Sourcing and Security, with operational activities being performed in the business areas and in the operational parts of Supply, Sourcing and Security. While initially difficult to ensure, the risk culture was consistently integrated into the organization, and this has improved considerably since 2010. Both organizational and SCRM processes have become more formalized and cross-functional, but also more fine-grained as many operational positions have been appointed, for example, those related to Sourcing's strategic program and the BCM implementation performed by the BCM drivers. The scope of SCRM has largely been extended to include downstream processes and sites, more risk types and more external partners. While SCRM was also inter-organizational 15 years ago through cooperation with insurance companies along with supplier contracts and training, this has both increased and become more formalized over time.

Corporate governance initiatives, such as updating or implementing different ISO standards and focusing on CSR and compliance, turned out to be significant when elevating the level of formalization, expressing top management support and turning risk management into a “part of the corporate brand.” While all risk incidents between 2009 and 2013 resulted in a strengthened risk awareness across all levels, they also increased cross-functional activities related to both reactive and proactive SCRM.

Processes and tools

The general outline of the proactive SCRM process has not substantially changed, but its scope, depth, formalization and distribution across the organization have increased.

The risk-identification phase now includes a much larger set of risk sources (downstream activities, more types of materials, political and trade risk and cyber risk, to name just a few). Much more risk data can be handled much more rapidly owing to better IS support, more powerful databases and contemporary analytics tools. Accountability is more formalized, and risk mapping is carried out more frequently. Finally, compliance with the outlined process is measured and followed up.

Additionally, the risk-assessment phases relate to the original approach, still assessing BIV and BRT, but now also maximum tolerable outage and components' recovery time. What is new is the use of more sophisticated IS tools and the way knowledge and tools are cross-functionally combined, thereby building bridges, for example, between BCM and Sourcing. Meanwhile, more risk data are available, and tools have been developed, digitized and combined. Utilizing geographical coordinates as input, future business impact related to the demand of different customers can be computed. Functions such as R&D are involved much earlier, e.g. by assessing supply chain risks when developing a product.

The explicit use of clearly defined proactive risk-mitigation strategies has become greater partially related to Sourcing's strategic program to monitor compliance with its implementation plans. Currently, Ericsson uses most risk strategies from the literature proactively. First, hedging is employed by involving more manufacturing sites than needed and positioning at different geographical locations. Second, increased outsourcing is used to improve flexibility and agility, but only with a few contract manufacturers and service providers to enhance the level of collaboration. Third, standard processes are implemented to enable the transfer of activities between sites and providers. Fourth, dual and multiple sourcing is pursued, regarding both geographical sites and suppliers. Fifth, when possible, standardized components are used based on modular design and postponement strategies (via software to differentiate the delivered functionality at a late stage). Sixth, consolidated local inventory and stocks are utilized in regional supply centers where the final configurations are produced. Seventh, central control of inventory has been increased. Eighth, globally integrated information systems and analytics tools have been integrated. Ninth, segmented inventory and strategic positioning of stock within the supply chain (also including suppliers and sub-suppliers) have been implemented. Tenth, lead and response time have been reduced. Eleventh, there is enhanced collaboration with external partners. Finally, there is intensified communication surrounding the development of long-term relationships and trust with partners.

It is perhaps risk monitoring, both internal and external, that has been expanded the most. Compliance with SCRM processes, and implementation plans for projects or mitigation strategies, are frequently and formally measured and followed up (e.g. Figures 3–7). This relates to Supply, Sourcing and Security, but also to the means by which different business areas collaborate with BCM and how R&D takes risks into consideration when developing new products. Suppliers and providers are also monitored more extensively, often by external partners, such as third-party auditors or insurance companies (e.g. Figures 4 and 5).

Although the organizational structure and processes for reactive SCRM were outlined 15 years ago (Norrman and Jansson, 2004), this is another area where substantial developments took place. Many of these developments relate to Ericsson's capabilities surrounding the formalization of how it learns from incidents where processes and tools were first used and refined.

Incident recognition and response initiation have now become an integral part of Ericsson's “way of working,” with clear roles being defined that are supported by defined processes and tools (e.g. Sites@Risk). The incident manager, together with the chairman of the Supply Chain Crisis Management Task Force, decides, based on an initial analysis, whether to initiate a response. This sub-process has clearly been strongly developed.

A disruption management team was also appointed throughout subsequent to the Albuquerque accident. This taskforce, ESCCMTF, integrates members from different functions, has a clear organizational structure and roles, and can be activated within just a few minutes. After being involved in different types of incidents, over time, it has been fine-tuned, resulting in the current way of working.

Initial plans for how to react to an incident have emerged over time. Tools, processes, control questions, pre-formulated letters, etc. have been tested and honed. The last year's focus on BCM training and planning activities further enhanced this knowledge and awareness. Plans are reviewed as part of the ESCCMTF, e.g. by formalized meetings and consequence analyses.

Evaluation and learning for future improvements have become an important part of Ericsson's reactive SCRM through a more formalized and systematic approach for engaging in and documenting lessons-learned sessions. Knowledge from reactive SCRM work then gets implemented into proactive SCRM processes. Cross-functional training sessions related to risk, at different organizational levels, are now a formalized part of the BCM way of working.

Systems

Several improvements have been implemented for Ericsson's IT systems. General IS capabilities have developed over time, for example through improved business data warehousing, increased visibility through the joint ERP and improved analytics tools, all of which have strengthened functional tools and processes used within SCRM (e.g. mapping tools, joint forecasting, Sites@Risk, global planning tool). When employees understood how to leverage the improved systems and tools, and determined how to combine them cross-functionally to extend analysis and decision-making both proactively and reactively (e.g. regarding customer prioritization and communication), SCRM activities were further developed. While the corporate IS improvements of ten years ago served as an enabler of subsequent SCRM developments, the ongoing wave of improvements in general IS capabilities related to big data, improved analytics tools and process mining has the potential to serve as a platform for a next generation of SCRM activities.

Assessment and learning

Although Ericsson applied TQM-oriented learning activities 15 years ago, learning activities are now much more formalized and seen as important. Risk assessments of components, suppliers and sites have gradually been developed, while a larger change is the increased internal and external monitoring of, e.g. implementation projects, improvement plans, mitigation strategies and compliance with processes. This monitoring not only creates incentives for implementation and change but also yields a learning platform for analysis and reflections. Training and scenario analysis are now regularly conducted in cross-functional sessions at different organizational levels, thereby keeping the risk culture alive and preventing Ericsson from falling back into old patterns during periods when incidents or accidents are rare. Senior management's involvement through showing a commitment to training activities also helps develop such a risk culture. Learning sessions, both from risk incidents and planned training, have been more formalized, especially as the BCM framework stressed the pathway towards continuous improvements as one of its key steps.

Triggering events and enablers

The longitudinal development of Ericsson's SCRM practices seems to have taken place stepwise, and could be triggered by different events and enablers, both external and internal. Over time, development has shifted between a proactive or reactive focus; between more functional development or leveraging a cross-functional and inter-organizational combination; between putting corporate systems and standards in place, or using these to improve SCRM practices; and between more ad-hoc improvement or more formalized monitoring and development.

The Albuquerque accident (Norrman and Jansson, 2004) definitely sparked Ericsson's first development of proactive SCRM processes. Similarly, different waves of accidents and incidents triggered much of the development starting around 2010. Cynically, a lack of incidents could make proactive and reactive risk management sometimes seem less important, and development probably not as strong. Further, as SCRM processes would be less practiced in a time of no incidents (as seen before 2009), these processes would have problems with “sticking to the organization.”

Another external factor has been external stakeholders' increased interest in SCRM and BCM, e.g. customers, insurance companies, and authorities. Senior management has translated this via different corporate programs (e.g. CSR and Compliance) where SCRM aspects have been important components. Corporate governance has hence boosted the development of SCRM and updated and implemented different corporate standards (like ISO and OHSAS) that have made the corporate culture more accustomed to formalization and assessment, which have enabled SCRM development. The last year’s BCM focus on continuous improvement, exercises and training has further created a more solid platform for learning and knowledge management. Increased technical IS capability is another key enabler for the transformation, making it easier to handle large sets of risk data extremely quickly.

While functional development (e.g. within Supply, Sourcing, Security) of processes and tools is vital, in order to reach the next level, the enabling of cross-functional combinations of functional capabilities and tools is necessary. While founded in the original high-level matrix organization, this was accelerated when the operational organization became more formalized and fine-grained as well as when cross-functional work occurred during real incidents or trainings. The increased focus on assessment, learning, training and continuous development seems to be a final important enabler.

Conclusions, contributions and future research

This article contributes to the need for more holistic perspectives on the SCRM cycle (Fan and Stevenson, 2018) and incorporates both proactive and reactive practices in rather stable times as well as when incidents are emerging and ongoing. By studying the case of Ericsson as a real-life example and in continuation of the approach outlined 15 years ago in Norrman and Jansson (2004), the article also responds to the need for more investigation of how different SCRM models are used in practice (Ho et al., 2015), with many tools being described that have the potential to be useful in practice. Another contribution lies in the detailed empirical illustration of the consequences of the 2011 earthquake and tsunami in Japan for Ericsson, a situation that exemplifies Hopp et al.'s (2012) five parts of reactive SCRM practices (recognition; get a disruption management team in place; initial planning; reviewing and revising the reactive practices; and evaluating and using learning from the reactive work for improvement). The study also contributes to supply chain risk monitoring, an area that has almost certainly received the least attention in the SCRM literature (Berg et al., 2008; Fan and Stevenson, 2018), for instance, by describing how Ericsson assesses the implementations of SCRM projects, mitigation strategies and tools.

However, the main contributions are insights regarding the development of SCRM practices and capabilities over time, a matter that, to our knowledge, has not been investigated before. A longitudinal view is taken regarding the development of a large global corporation over 15 years. By extracting different eras, overall patterns have been found, including primary development activities, enablers and trigger points perceived as important for both the continuous development of SCRM and ensuring that an SCRM culture would stick in the organization.

In summary, over time, Ericsson has developed its SCRM practices by first formulating and improving functional processes and tools (technical as well as knowledge-based capabilities) within the Supply, Sourcing and Security functions, but then also combining them cross-functionally. This has been facilitated by improved technical information systems, but also through a more fine-grained and cross-functionally coordinated organization for SCRM. Another enabler is a strengthened focus on monitoring and compliance, which has supported implementation and served as a platform for a learning organization. In general, processes have been more formalized throughout time, bolstered by corporate governance wherein during the studied time period, many corporate projects were implemented that are aligned with, and hence enable, the development of SCRM.

Future research could further address the development of SCRM capabilities, for example, by investigating the dynamic capabilities (Teece et al., 1997) that are needed to modify ordinary SCRM capabilities, or the relationship between (inter-)organizational learning and generating resilient supply chains.

Future research could investigate the following eight enablers, which this study suggest to have a positive impact on SCRM outcomes. Four enablers relate to how relationships should be established within and across business functions and organizations: (1) Top management support: Ensure that the corporate senior management gives sufficient priority to SCRM practices and keeps being focused on SCRM also over longer periods when no major incidents occur; (2) Intra-functional processes: Simultaneously develop and fine-tune functional SCRM processes and tools, and integrate them across functional silos to reduce risks; (3) Cross-functional relationships: Implement and organize SCRM across business functions in a formalized and fine-grained fashion to make the risk culture “stick” to the whole organization; (4) Inter-organizational relationships: Collaborate with supply chain partners and other external actors across organizational boundaries to increase the visibility and speed of SCRM processes. The next four enablers support the implementation of SCRM internally: (5) Adaptability: Focus on continuous development and formalized learning from experiences, thereby offering training possibilities that can help to turn experiences from reactive actions into proactive processes; (6) Monitoring risk: Focus on monitoring and assessing the level of compliance with tools and the implementation of projects, and develop mitigation strategies to catch up with ongoing developments; (7) Risk-management scope: Extend the scope of SCRM by incorporating more types of risks – both downstream and upstream; (8) Technological capabilities: Develop and leverage technological capabilities (e.g. business analytics) to establish visualized, formalized and rapid SCRM practices that enable both proactive and reactive decisions. Regarded in isolation, each of these enablers might not be novel. However, it is the way successful companies like Ericsson integrate them that can turn them into powerful practices.

This study points to the need to formalize SCRM processes, integrate resources, and enforce compliance and measurement practices. A potential downside of this could be rigidity, bureaucracy and, in turn, even more vulnerability. Future research could therefore investigate how management practices could simultaneously be adaptive and formalized, thereby ensuring that SCRM is still open enough to cope with the “new normal.” It could be analyzed whether more formalized SCRM processes, compliance and “learning from history” can improve the capabilities to observe and understand new risk sources or whether this could create blinders, even impeding the manager's attention towards new risk scenarios. Overly rigid processes could even demotivate managers and prevent them from being experimental and creative.

Ericsson increased visibility by developing and combining IS (e.g. ERP, planning and analytics) within and between different business functions. An alternative approach is to buy and implement commercial “off-the-shelf” systems. Future research could focus on the best SCRM practices for different types of organizations, potential difficulties when establishing new IS, and potential challenges when leveraging already installed IS (internally and between supply chain partners).

This study highlights the importance of cross-functional SCRM approaches, but it also demonstrates the difficulty to maintain them and that they are often triggered by major incidents. More research could complement previous research on functional silos in SCM (e.g. Richey et al., 2010) by concentrating on what establishes and conserves such silos in the context of SCRM. Particularly worthwhile could be research on how organizations could, in both stable and turbulent times, proactively tear down functional silos that could impair successful SCRM.

Given that external stakeholders and corporate leaders turn out to be important triggers, more research could explore their interdependent influences on SCRM. Especially in supply chains with many independent decision makers and fragmented SCRM practices (e.g. critical infrastructure supply chains operated as public-private partnerships) holistic governance approaches can be crucial. Theories about risk governance and supply chain risk governance (Ahlqvist et al., 2020) could be further developed, especially related to what kind of governance mechanisms and incentives will align with different situations to increase the inter-organizational coordination of different stakeholders' and actors' SCRM behaviors.

The Ericsson case shows that organizations need to ensure that their proactive SCRM efforts do not loose pace. While incidents and other triggers can help to alert an organization, this should not be the main mechanism for creating a proactive SCRM culture. While this article points out that formalization, an increasingly fine-grained organization, monitoring, and a use of structured scenario-based training can keep an organization awake, more research could focus on investigating how different types of organizations can become, and stay, proactive also in relatively stable periods.

Finally, this case shows how perceptions of supply chain risks and the appropriate organizational structure change over time. An avenue for future research would be to deepen our understanding of the drivers of managers' risk perception to change, learning patterns regarding what solutions fits when, and ways of how lessons from one incident can be transferred to novel risk situations.

We hope that both the proposed practices and suggested avenues for future research will inspire SCRM in both practice and research, leading to the advancement of SCRM knowledge.

Figures

Ericsson's overall Supply Chain Crisis Management process

Figure 2

Ericsson's overall Supply Chain Crisis Management process

Examples of assessments of the SCRM program implemented by Sourcing

Figure 3

Examples of assessments of the SCRM program implemented by Sourcing

Supplier evaluation: Risk card

Figure 4

Supplier evaluation: Risk card

Ericsson's Blue assessment tool

Figure 5

Ericsson's Blue assessment tool

Ericsson's BCM framework

Figure 6

Ericsson's BCM framework

Ericsson's assessment of BCM implementation (figures are not real examples)

Figure 7

Ericsson's assessment of BCM implementation (figures are not real examples)

Informants' job titles and responsibilities

Job titleResponsibilities related to SCRM
Business Architect of the delivery process (Supply)Participated via the consequence analysis team during the Fukushima incident in 2011, working closely with the first SCR Manager from 2002
Supply Chain Manager – Supply StrategySecretary in the task force, e.g. during the 2011 Fukushima incident
Group Coordinator for Supply Business Continuity Management (BCM) driversReplaced the previous Supply Chain Risk Manager in 2011, member of the security network
Head of Hardware Category Management (Sourcing)Developer of the Sites@Risk tool, among others
Head of Category TMI Sourcing – Equipment (Testing, Manufacturing, Industrial)Ran the strategic program of Sourcing risk management; currently Sourcing BCM drivers

Observed Eras for Ericsson's SCRM procedures

Time period for eraMain characteristics of era
2002–2007Fine-tuned proactive SCRM procedures, but later re-functionalizing and getting more back into functional silo behavior
2007–2009Enabling information systems developed and extending the scope of SCRM
2009–2010Development of SCRM tools that are then tested in different incidents
2011–2015Learning from several major incidents, and re-cross-functionalizing again
Since 2015Increased evaluation of SCRM procedures and focused learning based on this

Appendix

Figure 1 Ericsson's Sites@Risk in action during the 2011 Japan earthquake (suppliers masked)

Figure 1

Ericsson's Sites@Risk in action during the 2011 Japan earthquake (suppliers masked)

References

Ahlqvist, V., Jahre, M. and Norrman, A. (2020), “Supply chain risk governance: towards a conceptual multi-level framework”, Operations and Supply Chain Management: An International Journal, Vol. 13 No. 4, pp. 382-395.

Berg, E., Knudsen, D. and Norrman, A. (2008), “Assessing performance of supply chain risk management programmes: a tentative approach”, International Journal of Risk Assessment and Management, Vol. 9 No. 3, pp. 288-310.

Bland, M. (2013), “Plans are useless”, Journal of Business Continuity and Emergency Planning, Vol. 7 No. 1, pp. 56-64.

da Mota Pedrosa, A., Näslund, D. and Jasmand, C. (2012), “Logistics case study based research: toward higher quality”, International Journal of Physical Distribution and Logistics Management, Vol. 42 No. 3, pp. 275-295.

Fan, Y. and Stevenson, M. (2018), “A review of supply chain risk management: definition, theory, and research agenda”, International Journal of Physical Distribution and Logistics Management, Vol. 48 No. 3, pp. 205-230.

Gibbert, M., Ruigrok, W. and Wicki, B. (2008), “Research notes and commentaries: what passes as a rigorous case study?”, Strategic Management Journal, Vol. 29 No. 13, pp. 1465-1474.

Ho, W., Zheng, T., Yildiz, H. and Talluri, S. (2015), “Supply chain risk management: a literature review”, International Journal of Production Research, Vol. 53 No. 16, pp. 5031-5069.

Hoberg, K., Thornton, L. and Wieland, A. (2020), “Editorial”, International Journal of Physical Distribution & Logistics Management, Vol. 50 No. 2, pp. 151-158.

Holling, C.S. (1996), “Engineering resilience versus ecological resilience”, in Schulze, P. (Ed.), Engineering within Ecological Constraints, National Academy Press, Washington, DC.

Hopp, W.J., Iravani, S.M.R. and Liu, Z. (2012) “Mitigating the impact of disruptions in supply chains”, in Gurnani, H., Mehrotra, A. and Ray, S. (Eds), Supply Chain Disruptions: Theory and Practice of Managing Risk, Springer, London, pp. 21-49.

Lavastre, O., Gunasekaran, A. and Spalanzani, A. (2012), “Supply chain risk management in French companies”, Decision Support Systems, Vol. 52 No. 4, pp. 828-838.

Norrman, A. and Jansson, U. (2004), “Ericsson's proactive supply chain risk management approach after a serious sub‐supplier accident”, International Journal of Physical Distribution and Logistics Management, Vol. 34 No. 5, pp. 434-456.

Ponis, S.T. and Ntalla, A. (2016), “Crisis management practices and approaches: insights from major supply chain crises”, Procedia Economics and Finance, Vol. 39, pp. 668-673.

Richey, R.G., Roath, A.S., Whipple, J.M. and Fawcett, S.E. (2010), “Exploring a governance theory of supply chain management: barriers and facilitators to integration”, Journal of Business Logistics, Vol. 31 No. 1, pp. 237-256.

Teece, D., Pisano, G. and Shuen, A. (1997), “Dynamic capabilities and strategic management”, Strategic Management Journal, Vol. 18 No. 7, pp. 509-533.

Tummala, R. and Schoenherr, T. (2011), “Assessing and managing risks using the supply chain risk management process (SCRMP)”, Supply Chain Management: An International Journal, Vol. 16 No. 6, pp. 474-483.

Wieland, A. and Wallenburg, C.M. (2013), “The influence of relational competencies on supply chain resilience: a relational view”, International Journal of Physical Distribution and Logistics Management, Vol. 43 No. 4, pp. 300-320.

Acknowledgements

The authors thank Alex Ellinger, IJPDLM's previous Editor-in-Chief, for inviting us to write this article and his successors Ben Hazen and Chee Yew Wong, the current Editor-in-Chief, for taking over and supporting the process. The authors also thank the anonymous referees and Christian F. Durach for their helpful comments. Finally, the authors thank Ericsson, especially Lars Magnusson and Ulrika Wikner, for their willingness to openly share their unique data with them. One of the authors was partly supported by CenCIP, financed by the Swedish Civil Contingencies Agency (MSB).

Corresponding author

Andreas Norrman is the corresponding author and can be contacted at: andreas.norrman@tlog.lth.se

About the authors

Andreas Norrman is Professor in Supply Chain Structure and Organization at Lund University, Faculty of Engineering, Sweden. He has a Ph.D. in logistics from Linköping University, Sweden. Andreas has worked as a management consultant at A.T. Kearney with supply chain management and sourcing issues. His research interests include supply chain risk management, omni-channel warehousing, supply chain incentive alignment, and change management. He publishes in leading logistics journal and he received multiple Emerald Highly Commended Awards for his work with IJPD&LM, both as author and reviewer. Fifteen years ago he authored the article Ericsson”s proactive supply chain risk management approach after a serious sub-supplier accident” which became one of the most cited articles ever published in IJPD&LM. At Lund University, he has been awarded Excellent Teaching Practice. He is a fellow of the Royal Physiographic Society of Lund (the Academy for the Natural Sciences, Medicine and Technology).

Andreas Wieland is an Associate Professor of Supply Chain Management at Copenhagen Business School. His current research reinterprets global supply chains as social-ecological systems. His articles have appeared in journals such as the International Journal of Logistics Management, International Journal of Physical Distribution and Logistics Management, Journal of Business Logistics, Journal of International Management, Journal of Supply Chain Management and Supply Chain Management: An International Journal. He is the European Co-Editor of the Journal of Business Logistics and Co-Chair of the Council of Supply Chain Management Professionals' (CSCMP) European Research Seminar.