The development of supply chain risk management over time: revisiting Ericsson

Strategic profile of Ericsson's supply chains

Ericsson, founded in 1876 and now operating in around 180 countries, is a leading multinational provider of information and communication technology (ICT), including networks and digital services for mobile phones, 5G and the internet of Things (IoT). Net sales in 2018 were SEK 210.8 billion; the organization has over 95,000 employees worldwide, and roughly 40% of the world's mobile traffic is carried through its networks.

Notably, a series of supply chain decisions, partly made to mitigate risks, has over time contributed to the strategic profile. The manufacturing strategy was directed to an extension from mainly “engineer-to-order” and “make-to-order” by also including “make-to-stock” processes. Although one manufacturing site would be sufficient from an operational perspective, Ericsson operates three sites instead as a way to hedge risks. The sourcing strategy includes a strong focus on outsourcing to contract manufacturers, called electronics manufacturing services (EMS), which are employed for the final assembly of products with the purpose of increasing agility and financial flexibility. To reduce network complexity, Ericsson has restricted their number to two. Again, based on volume, only one EMS would be sufficient, but two were chosen to reduce dependence risk. While volumes were historically concentrated on just one EMS, tasks are now split. Each EMS operates multiple plants with similar processes, which allows Ericsson to decide which EMS should be utilized. While Ericsson buys manufacturing capacity from the EMS, it buys components directly from second-tier suppliers based on its own contracts. Ericsson uses a very active postponement strategy when working with modularized products and using software for the late differentiation of products. While the distribution strategy was previously characterized by local subsidiaries holding localized stocks in their warehouses, the ownership and responsibility with regards to those stocks are now handled by a central supply unit, and non-localized stock is held in regional supply hubs.

The SCRM eras of Ericsson

We begin by analyzing Ericsson's SCRM practices that were in place around 2002/2003. A matrix-oriented organization was outlined involving both corporate functions for Corporate Risk Management and Security, with Corporate Supply (including logistics), Corporate Sourcing (including purchasing), and different business areas representing commercial line organization. A dedicated supply chain risk manager was responsible for the development of processes and tools. The SCRM process included the steps of risk identification/analysis, risk assessment, risk treatment/management, risk monitoring as well as incident handling and contingency planning. Many, primarily manual, tools and templates were developed, such as responsibility grids, supply chain risk and structure maps, risk management evaluation tools, risk assessment diagrams, risk matrices, schemes for calculating business interruption values (BIV) and business recovery times (BRT), templates for risk assessment and contingency plans, processes and task forces (crisis management teams) for incident handling, “toolboxes” on the Intranet to develop contingency plans, guidelines for suppliers implemented in frame agreements, and many more (see Norrman and Jansson, 2004).

Much has happened since. The development of Ericsson's SCRM practices is summarized in a rough timeline (Appendix) and described for different time periods, hereinafter called “eras” (Table 2). Appendix also summarizes important triggers, such as major risk incidents. Although the incidents seldom impacted Ericsson's output, they were managed and yielded valuable experiences. Changes in corporate governance influencing SCRM are described, because they proved important. Developments in SCRM processes and tools are presented in horizontal bands representing the most involved functions, specifically Supply, Sourcing and Security, as they have been most important but also developed at a different pace. Changes in major enablers, such as information system (IS) and learning capabilities, are also indicated because they have been needed to take SCRM practices to the next level.

The “fine-tuned proactivity but re-functionalizing” era (2002–2007)

Between 2002 and 2007, only a few major risk incidents affected Ericsson. Most notably, however, Kista, the area of Stockholm where Ericsson's headquarters, and during that time, some smaller plants and suppliers were located, was hit by a couple of power shortages. The most severe occurred in 2002, although with just a limited impact on supply chain flows.

At the corporate level, there was a revitalized use of the SCOR model for defining processes and metrics. Further, the distribution network started to become consolidated. The responsibilities for local distribution centers were moved from the local sales subsidiaries to the corporate supply function, whose scope and responsibility thus increased.

Initially, a previous project-oriented approach for risk work (used for the major Y2K project to secure IS) was replaced by clearer organizational accountability. However, the risk culture that emerged after the 2000 Albuquerque accident (Norrman and Jansson, 2004) slowly faded, and SCRM, in retrospect, did not continue to apply to the day-to-day culture. This was partly because of the rather low exposure to risk incidents during this era. Moreover, it was partially because of the retirement of key actors, especially in Security, which at the time was a less operational department. Although a cross-functional organization was still in place, SCRM was increasingly siloed back to the respective functional areas.

SCRM initiatives were focused on the upstream supply chain and attempted to enhance, fine-tune and spread the use of existing tools and templates. Supply focused on the mapping and tracking of all supplier sites more formally, collecting data for risk identification and assessment more effectively, and implementing tools and templates for this across the organization. Within Sourcing, various key processes, such as category management and supply management, were improved. Clear plans and processes existed for risk handling, but they were hardly practiced owing to the low number of incidents.

Early in this era, Security, together with the Supply Chain Risk Manager, began to develop and use a survey tool known as Ericsson Blue. This tool was jointly developed with an external partner, and facilitated comparing risk-management performance for different internal plants on an annual basis. Very detailed requirements were utilized, often rather technical ones, such as the way sprinklers in buildings were dealt with. Performance was graded at four levels and, finally, results of different variables together formulated a weighted score that allowed sites to be ranked. Results were summarized in a report, aiming to provide feedback and suggest improvements.

After the Kista power outage (2002), Ericsson realized that not only one building, but multiple sites could potentially be affected simultaneously. Consequently, the Supply function at Ericsson headquarters installed a crisis-proof office room, using, for example, dual diesel generators as back-up power sources and having access to back-up satellite communication – features top management already had at their disposal for many years. At major plants, satellite communication was available together with charged mobile phones to secure crisis communication. Whereas all manufacturing sites used the same enterprise resource planning (ERP) system, other business functions (e.g. sales) were not globally aligned. Apart from basic spreadsheet tools, support tools for SCRM processes were rather limited. With the initially clearer organizational accountability, a better platform for learning emerged. Yet, the learning related to SCRM during this era relied mostly on a TQM-inspired, unstructured, continuous improvement approach.

The “enabling IS and extending the scope” era (2007–2009)

Between 2007 and 2009, no risk incidents occurred that would have affected Ericsson's SCRM processes. In this era, Ericsson improved the coordination between previously scattered sales companies. The focus and scope of Supply's SCRM now extended to flows downstream in the supply chain, including sales activities related to local distribution hubs, offices and flows across the globe. Another trigger that can spur SCRM are corporate IS improvements. After many years of isolated solutions, Ericsson's global consolidation of ERP systems led to an integration of the systems of sales companies into the One system, Ericsson's single instance of an ERP platform. The use of a business data warehouse was improved for supplier data, which together with increased employment of analytics tools, better supported SCRM templates with enhanced data while identifying bottlenecks for components. Process development during this era paralleled and leveraged the improvements made for IS capabilities.

The new IS capabilities enabled a transition from rather manual to more automated visualization practices. Supply developed an improved toolkit for bill-of-materials reporting that could list the components included in a final product based on its product number, which is not easy to implement for dynamic ICT products. The tool helped to generate one joint forecast and increase global visibility. Sites@Risk, an internally developed online tool from 2008, combined geo-mapping using Google Earth with Sourcing's risk database, including annually updated data on components, manufacturing and suppliers sites. By entering an incident's location (as Osaka in the Introduction), the Sites@Risk (Figure 1) would produce a visual map within minutes, identifying all plants and offices (internal, suppliers and sub-suppliers). By combining these systems, Ericsson could now quickly determine an incident's position to learn about the corresponding impact on finished products.

A corporate initiative based on ISO 9000 standards led to a stronger internal focus on assessments and management reviews.

The “developing and testing the tools” era (2009–2010)

The 2009–2010 era was dominated by a number of incidents that made Ericsson challenge, further develop, test and implement their SCRM practices. The most notable incidents were the global financial crisis, the 2010 volcano eruption in Iceland and an internal warehouse incident in 2010. The financial crisis caused troubles for both suppliers and EMS and created supply shortages, according to an Ericsson manager: “to close a wafer fab takes 15 min, but to restart it takes 2 years to get back in full production.” Wafer manufacturing capacity drastically dropped and competition for remaining capacity increased tremendously. Some suppliers filed for bankruptcy, and to secure supply, Ericsson even acquired and in-sourced one critical EMS with financial problems. As a lesson from the financial crisis, securing supply and reducing component recovery time were highly prioritized. The Icelandic volcano incident placed emphasis on transportation risks. Finally, the warehouse incident was brought about by software creating problems for finding existing material within the warehouse.

The Supply and Sourcing functions increased the amount of formalized cross-functional meetings, for example, to set targets on suppliers and single-sourced components. The Security function, previously affected by the retirements of key people, was bolstered by additional resources. Its organization re-matured and became more formalized and fine-grained, gaining Security positions in the global line organizations that were accountable for continuity management at the different locations and sites. The risk culture started to shift from “a few heroes to a formalized line.”

Data-driven processes designed to analyze and solve supply shortages also became more formalized during this period. The development of data-driven tools was a key priority, especially business intelligence and analytics tools, which enabled Ericsson to increase its reactive capacity owing to improved proactive mapping. With increased capability and visibility of forecasting and planning data, Supply developed a global planning tool that enabled a more proactive and reactive understanding of the impact of supply flow disruptions on the production output of finished products. By combining this system with the joint ERP, Ericsson could much quicker analyze when an incident would create a bottleneck and its final impact. This capability supported the allocation process of finished products to customers as well as decisions regarding customer communication. To handle shortages from the 2010 warehouse crash, a customer prioritization process was developed, implemented and used.

Sourcing focused again on developing category-management and supplier-management processes. Responsible sourcing became imperative, with mandatory ethical requirements (e.g. code of conduct) being instituted with suppliers and evaluated on an annual basis. A program for contract compliance was also rolled out. Additionally, the security function's scope for site assessments (Ericsson Blue) was extended to sub-suppliers.

IS developments were characterized by people learning how to effectively make use of the technical capabilities improved during the last era. Learning was based on experiences when tools were tested and refined during incidents.

The “learning from incidents and re-cross-functionalizing” era (2011–2015)

Probably the most influential era in Ericsson's SCRM journey commenced with a wave of severe risk incidents that challenged its existing SCRM setting. In the following, we use the 2011 earthquake and tsunami in Fukushima, Japan to illustrate how Ericsson's reactive processes and tools were deployed. Yet, another major incident tested the reactive SCRM processes in the same year: the 2011 Thailand floods. Although the impact on Ericsson's supplier base was less severe, the firm followed a similar pattern when taking action. More incidents occurred in 2012, including a series of earthquakes in Indonesia, the Philippines, Japan and China as well as Hurricane Sandy in the US, leading to a continuous refinement of the SCRM practices within just a short timeframe. A tissue factory located right next to an Ericsson plant also caught on fire, and while firewalls stopped the fire from spreading, the heat melted many Ericsson components. Additionally, political risks with potential supply implications, e.g. the Korea conflict, were taken into account.

Detailed example: Ericsson's reactive SCRM during the earthquake and tsunami in Japan (2011)

On March 13, 2011, at 6:46 CET, an 8.9-magnitude earthquake struck the coast of Japan about 17 miles below the Earth's surface. Dozens of aftershocks, some with a magnitude of 6.0 or higher, were experienced and a tsunami inflicted damage to the Fukushima Daiichi Nuclear Power Plant. As Japan is one of the major global suppliers of semiconductors and other relevant components, this accident had a huge impact on telecommunication and high-tech firms.

The Ericsson Supply Chain Crisis Management Task Force (ESCCMTF) was immediately activated and met Friday morning at 9:00 CET (i.e. two hours after the earthquake; Figure 2). The cross-functional task force of roughly ten persons was proactively established before, including a chairperson (Head of Inbound Supply), his substitute (from Sourcing) and a secretary (initially, the Supply Chain Risk Manager). Communication lines were directly established to Group Security, Corporate Communication and the Business Area Management Team, among others. The Supply Chain Risk Manager had developed a checklist with important control questions that were now used. At around 9:30 CET, a consequence analysis team started to map suppliers in the area, components at risk, affected products and their BIV. Geo-mapping based on the Sites@Risk tool and Sourcing Risk database (Figure 1) allowed for the identification of suppliers and their plants in Japan. The Sourcing Risk database determined 335 direct material suppliers of electronics and electro-mechanics components with volume production agreements. Of those were 305 non-Japanese suppliers and 30 Japanese suppliers, and in total, 58 had operations in Japan. Within two hours, critical suppliers were identified, and a first impact analysis was conducted. By employing real-time earthquake information connected to the tools, Ericsson could geographically limit the first scope of suppliers to 37 to concentrate on and later extend this set. These 37 suppliers had approximately 104 plants in the affected area and were delivering about 4200 components. Roughly 1000 components were mapped until 16:00 CET, and all 4200 until 14:00 CET the day after. Between 11:00 and 14:00 CET, prepared emails were sent to all suppliers, and between 15:00 and 16:00 CET, official letters were sent to selected suppliers. At 13:00 CET, a team of three people from Ericsson's Swedish headquarters (including the Supply chain risk manager) was sent to Japan to assist and arrived in Tokyo on Monday morning. The 37 suppliers were surveyed immediately by phone or e-mail: Eight of them confirmed a high-risk impact, 23 a low impact, and 19 did not reply. For example, one affected supplier had a factory close to the coast of the tsunami area, delivering 36 components whereof six were single-sourced and 30 dual-sourced. Based on already documented recovery plans from suppliers, and the output from the consequence analysis, Ericsson decided on its action plan.

The following day, Saturday, Ericsson contacted different logistics providers to investigate alternative routes out of Japan. After having evaluated component issues, orders were placed directly to dual sources of supply. Research and development (R&D) managers prepared for re-designing single-sourced components and qualifying new suppliers. The consequence analysis recommended orders to be re-directed and to buy six months of the demand for critical components from dual sources. Ericsson set up a special team to quickly purchase via spot markets, but was in parallel trying to find alternative solutions with its suppliers. For the critical components being single-sourced, the next steps were determined jointly with R&D, including re-design. Finally, the analysis recommended adding even more resources for communication. A pre-requisite for carrying out a consequence analysis and taking actions quickly was that component data related to manufacturing plants were proactively prepared and instantly accessible.

Supplying critical infrastructure for such a societal crisis, Ericsson decided to prioritize customers in Japan. It focused the next weeks on providing all needed support to Japanese customers to secure the vital telecom networks that were functioning. The company used helicopters to reach affected areas and satellite phones to enable communication. On March 17, Ericsson's top management sent a letter to customers giving a status update on the effects of the earthquake.

Within the first two weeks, Ericsson closely cooperated with its Japanese suppliers, having face-to-face meetings to better understand how local suppliers were impacted, including damaged suppliers, suppliers in the evacuation zone and suppliers with limited power and water. Ericsson sought to meet representatives from suppliers and Japanese society in a polite and humble way both to pay respect to the catastrophe, being aligned with the culture and to show Ericsson's will to cooperate with joint actions.

As a result of initial risk activities, several high-risk items were removed from Ericsson's list of critical components. The recovery phase depended on the overall situation in Japan, as well as the ability of dual sources to absorb additional volumes. Forecasts were made surrounding the delivery situation for finished products relative to their demand, both in the short term (April) and slightly more over the long term (May/June). The previously developed global planning tool was largely utilized. As learned from the 2010 warehouse incident, customer prioritization became crucial, and certain decisions (e.g. whether to request prolonged delivery dates) were escalated to a priority board. An outbound allocation-handling process was crucial, and Ericsson had it clearly defined with the purpose to “prepare and level supply flows in component constraint situations in order to minimize lost orders, keep projects rolling and meet financial forecast.” Allocation analysis was completed within the first weeks. The top management regularly delivered status updates to regional and local supply managers.

The production plan was evaluated using weekly data 25 weeks ahead. Over the short term (April), the analysis indicated there to be no, or only limited, impact on production, as enough items were stocked, while mid- and long-term production plans were dependent on the abilities of non-affected suppliers to ramp up production. Ericsson also mitigated the impact on its business: Customers were offered a replacement of certain systems by others; the company agreed with customers to halt installing systems in a certain region while focusing on and speeding up the installation in the most important regions. Ericsson sometimes gave away material free-of-charge to protect future sales.

In fact, by first using current inventory and then spot-market buying before alternative sources were in place, and later using redesigned products and building upon recovered suppliers from Japan, Ericsson's output met its committed plan fairly well. Only in one week, approximately happening ten weeks after the earthquake, deliveries were far from met, and backorders were later delivered. However, this bottleneck was foreseen, and customers were informed well in advance about delayed delivery dates.

The appointment of an insurance claim team during the impacted period turned out to be very important. This team cooperated closely both with suppliers and Ericsson's regional organization to capture mitigation costs and the loss of profit. First, people had to be coached in documenting invoices, customer emails, project plans, etc., and then the impact in terms of costs or revenue loss had to be determined. It took about one year to settle the claim successfully. As Ericsson was able to demonstrate that preventive actions had been in place and recovery processes had been pre-planned, the insurance money that was paid rose.

Reactive mitigation activities were recorded and later analyzed and used for internal learning. This also included potential improvements in proactive activities in terms of the involved processes, competences and organizational interfaces. Ericsson concluded from this evaluation that its SCRM processes were well-functioning in minimizing impact. A specific learning point was that not only components but also consumables used further upstream (i.e. critical indirect material) had to be assessed. Consumables can create bottlenecks and are often overlooked, as they are rarely part of the bill-of-materials. It also became clear that mitigation activities crossed business functions beyond Supply and Sourcing, and also included R&D. Previously developed tools operated efficiently when analyzing incidents impacting one specific supplier, but now there was a need for tools that could enable Ericsson to handle incidents that simultaneously impacted several suppliers. Also learned was the importance of event recovery and involving an insurance team to prepare for correct claims later on. The business impact analysis also provided new information to learn from as well as ways to improve customer communication. External communication with suppliers worked very well, but internal communication was later improved by a special role in the crisis team.

Changes in the corporate governance of Ericsson impacted its SCRM practices in this era. A new CEO, appointed in 2010, re-organized the company, moving goods further from local distribution hubs into centrally controlled hubs, thereby increasing the scope of Supply's SCRM responsibilities again. External requirements, filtered by the CEO, increasingly turned SCRM into a “part of the company brand.” The new CEO raised the focus on corporate social responsibility (CSR) by explicitly relating it to the UN Sustainable Development Goals under Ericsson's “Technology for Good” umbrella. Thereafter, risk management and responsible sourcing were included, which elevated attention at a corporate level. Standards like ISO 14000 and OHSAS 18000 were considered on all levels. Another area that received corporate focus was business continuity management (BCM), partly because of implicit or explicit requests from customers and other stakeholders. However, Ericsson also had a self-interest to ensure that no unforeseen interruptions of critical activities hurt the firm either financially or in terms of brand value. Ericsson defined BCM as “a management system that ensures the capacity to maintain critical activities at a tolerable level, regardless of what happens.” Corporate-level compliance to standards such as ISO 22301 and ISO 27000 became a focal point, leading to increased formalization and more assessments along with reviews.

To handle incidents, a cross-functional approach was needed and was developed accordingly. Security worked increasingly tighter with other areas internally related to BCM but also with external auditors and insurance companies. A new role, the BCM driver, was created. These BCM drivers, as they were appointed in different functions and sites in the organizations, were responsible for proactively implementing the BCM framework. In Supply, the Group BCM driver replaced the Supply chain risk manager. In the event of a crisis, an incident manager belonging to Group Supply was responsible for contacts with Operations and the ESCCMTF. Together with the ESCCMTF's chairperson, they decided whether an incident was serious enough to activate the team.

Based on experiences from the incidents, Supply fine-tuned action points, processes and structures for reactive SCRM. For example, a global stock view enabled Ericsson to further improve inventory control and visibility, going from previously having only high-level financial global values to monitor on an operational item level. Both the allocation process for customers and customer communication were further developed. They extended the scope of components analyzed from only direct material to also include consumables. In both Sourcing and Security, much separate development for SCRM started (see the following), also the cross-functional collaboration between all functions increased.

Early in 2011, Sourcing defined proactive risk avoidance as one of its four strategic priorities for 2011–2015, which included four goals: All risks should be known and understood; the supplier base mitigates risk proactively; alternative solutions should always be available; and risk should be considered in all actions and decisions. The multi-year strategic development program, initially called SCRM and later relabeled supply chain resilience, refined and developed sourcing strategies, processes and tools related to SCRM.

For all sourcing categories, very detailed risk reviews were performed on a quarterly, and then later bi-annual, basis from both a strategic and cross-functional perspective. The purpose of the reviews was to assess the implementation of the strategic SCRM program (Figure 3). Risk-avoidance parameters, such as age profile, security of supply and use of multiple sources, were added to previously utilized parameters when classifying components. These reviews featured an analysis of the following areas: getting the right suppliers (i.e. preferred and approved suppliers); having the right products, components and services (challenging specifications); having contractual protection (aligning customers and suppliers contracts and enforcing important issues, e.g. SCRM, BCM); and developing a robust supply. Monitoring the implementation of these areas (for different categories) received increased attention. Also monitoring how specific strategies taken developed over time, like shortening the suppliers' component recovery times (Figure 3) and developing dual sourcing, helped focus these risk-mitigation strategies. For all product designs, at least 80% of the volume should be at least dual-sourced, according to Ericsson. Another risk-mitigation strategy was to avoid single-country sourcing for components, for example, to reduce exposure to earthquake-affected Japan. In two years, the number of critical suppliers (with respect to component recovery times) was substantially reduced, and the percentage of risk class 1 (0–2 weeks' recovery time) increased by different risk-mitigation activities (like multiple sourcing, buffers or collaboration) without extra costs. While not new, this clearly revitalized SCRM, broadening its scope across all sourcing categories and making the work more proactive and structured.

Sourcing clearly re-focused on risk-mitigation strategies, such as multiple sourcing, thereby reviewing outsourcing activities, analyzing geographical exposure, introducing second manufacturing sites, investing in duplicates of critical manufacturing tools needed by suppliers, asking suppliers to build extra buffers, and turning from being mainly reactive to more proactive. A much more apparent supplier classification was implemented, involving risk dimension and supplier governance (e.g. frequency of meeting different levels), and better defined. Many of the tools used (e.g. supplier evaluations/risk card, explicit supplier requirements, supplier performance cards) were not novel ideas but could be improved, formalized further and adapted within their focus. Tools were employed more frequently, and their utility monitored explicitly.

Annual updates of the Sourcing risk database for 30,000 components (used with Sites@Risk) were formalized using a secure supply survey. It gathers data on the risk landscape, including geographical coordinates for all production sites (and their alternates), lead times for ramping up production or switching manufacturing sites and qualifying new processes or obtaining new tools, among other information. Component resilience was classified based on recovery time, which translated into a risk classification between 1 and 4.

The suppliers were encouraged to take the secure supply survey both for their own sites and for their general supply chain capabilities, including responsible sourcing and code of conduct. All data were summarized into a risk card for a supplier evaluation (Figure 4), which was reviewed via self-assessments but with audits utilized for new suppliers or when changes occurred at the supplier. The risk cards were followed up with suppliers, and warning signals initiated further assessments and audits. For example, the EMS acquisition in 2009 was initiated based on such signals. Supplier performance cards were updated quarterly for existing suppliers, with scores in the range of 1–100 based on data from different functions (e.g. R&D, Supply, Sourcing, Finance).

Security also strongly developed the SCRM processes in this era at the functional level. Before, Ericsson Blue (Figure 5), which included a self-assessment survey, audits and feedback, was primarily applied using a certified third-party auditor to assess internal sites exposed to high risk. Driven by Corporate Treasury, this approach was revisited in 2014 and, in collaboration with insurance companies, was enhanced as the auditor became involved in the annual assessments of sites. The scope of Ericsson Blue was extended to warehousing, late configurations, postponement, and distribution activities in order to also include supply hubs and external service providers' sites, such as EMS and third-party logistics providers. For each site, self-assessment questions were sent out for preparation two months ahead, and a team visited thereafter to investigate specific areas and discuss the self-assessment. The external certified auditor analyzed observed gaps and recommended ways to fill them. Each site was required to report its mitigation solutions quarterly within the auditor's system, and sites received feedback until the auditor had approved the mitigated risk level.

A proposed risk-mitigation strategy was then compared to cost to assess its suitability. For instance, there was a situation wherein a service provider's warehouse in a desert lacked a sprinkler system that Ericsson Blue required. However, with investment costs for sprinklers in the desert being too high, Ericsson instead changed the business model of the contract, thereby dispensing with that warehouse. Over time, the Supply function was more involved in Ericsson Blue, also focusing on supply flows rather than sites only.

BCM became even more formalized and implemented across the organization, with Security as the overall process owner. A six-step cyclical BCM framework was introduced (Figure 6). The first formal description of the role of a BCM driver (2010) was updated (fourth and latest revision: 2014). Both BCM drivers and BCM process owners were appointed at different sites across the organization, making the BCM organization more fine-grained, and placing a clear responsibility on an actor to assess its upstream process, both internal and external. Sales units should assess internal plants similar to those of suppliers, according to Ericsson. The resulting network organization, BCM Forum, provided a web platform that integrated frameworks, training materials and training modules, and these materials were available for all employees.

The cyclical BCM framework commences with the following steps: define the scope, perform high-level business impact analysis, develop and implement mitigation strategies (e.g. increase buffers, capacities, and competencies, splitting into different locations). It closes with a focus on training and assessment. The BCM drivers, together with the process owners, analyze processes and sub-processes as well as the resources and capabilities needed to run those processes. The focus is on the maximum tolerable outage, defined as the time it takes before the effects of a process interruption will lead to intolerable consequences, and defining critical resources. This represented a shift in concern from geographical sites to relevant processes and capabilities. BCM requirements were also assigned to EMS. Regarding IS, systems were mainly used, tested and refined during this era. Inventory control and visibility were especially improved, partly by better combining different systems.

Increased focus on assessment and learning has characterized this era, e.g. by problem-solving and “lessons learned” from the incidents. Assessment and learning were explicitly pointed out in the BCM framework, signaling its importance, and an approach to better learn from experiences was developed. To educate suppliers, information about responsible sourcing, code of conduct and training materials were provided on Ericsson's website. Exercises and tests were stressed for finding improvement opportunities, and continuous learning became based on assessment and reviews. Further, the increasing degree of monitoring, assessment and reviews, especially in Sourcing's SCRM program and Security's BCM rollout, contributed to better-developed and implemented SCRM practices. The increased formalization and assessment made the SCRM practices more embedded in each purchasers' ordinary way of working and raised attention in different cross-functional steering and decision-making boards. For newly developed products, R&D was measured based on the total risk of the components suggested in the bill-of-materials.

The “evaluation and learning” era (since 2015)

The most recent developments started in 2015, prompted by a corporate ISO 9000 update in 2015, leading to an inclusion of more continuous improvements and pushing evaluations and compliance (and a concurrent ending of Sourcing's strategic SCRM program). The scope of analyzed risks during this phase has continued to grow, now, for example, including various free trade issues that could impact global supply chain flows. Lately, a new situation of supply shortage and allocation risk of components has arisen, which is expected to have considerable implications over the long term. This was caused by a structural shift of increased demand, where other industries, e.g. automotive, increasingly use similar components and supply capacity that had mostly been the domain of ICT industries.

Having become the “major corporate umbrella” for work related to risk and resilience, BCM now goes beyond security risks, thereby incorporating categories such as “supply chain,” “cyber,” “financial,” “market” and “environmental.” BCM has also changed its explicit unit of analysis from “sites” to “capabilities and processes.”

Corporate projects, like the ISO 9000 update, have influenced Ericsson's BCM and SCRM practices, e.g. regarding evaluation and compliance. A new CEO (2017) has particularly concentrated on compliance. The increased importance of BCM is anchored by it recently becoming part of Ericsson's formalized business processes. Moreover, inter-organizational and cross-functional approaches were further pursued. One example is the joint steering committee meeting 2–4 times a year, where Sourcing defines category strategies together with Supply and R&D.

In this era, Supply focused its processes on BCM but also continued to extend its downstream scope. Supply also developed segmented approaches for component-buffer strategies, including suppliers' stocks. When auditing suppliers, Ericsson attempts to learn from its suppliers' SCRM and BCM practices by jointly discussing issues such as, “What are your plans?”, “How can we support you?” and “How can you support us?”

Although Sourcing has changed its strategic focus to areas outside SCRM, its SCRM practices are still embedded in daily working processes. Sourcing's three main risk-mitigation strategies are dual sourcing, buffer strategies and developing alternative bills-of-materials. Sourcing focuses less on a specific component's risk and more on a final product's risks and qualifying new sources with R&D. Sourcing plans extend cooperation with R&D, particularly when developing an alternative bill-of-materials. Transparency with suppliers has increased regarding evaluation to create incentives for suppliers to engage in the right actions, receive better risk classification and thus potentially be offered higher volumes.

Currently, Ericsson is among the many companies that improve its technical capabilities related to the use of big data through the implementation of new tools for analytics and increasingly working with process mining. This has enabled Ericsson to improve an increasing number of processes, e.g. when calculating the future impact of component allocations on its final products. For the future, Ericsson assumes SCRM to become increasingly proactive in nature – even weak signals will be interpreted and addressed early on.

The importance of assessments, management reviews and compliance as inputs for training and learning has clearly risen. Continuous improvement was included explicitly in BCM activities throughout 2015. The monitoring of BCM implementation has been concerned with the quarterly self-assessments requested as a basis for performance reviews (Figure 7). The assessment focus on two different KPIs: BCM framework compliance rate, and risk treatment. The BCM compliance rate monitors whether the scope of BCM is in place and updated, if a risk analysis has been conducted and documented, and if training and exercises have been held. This is measured both holistically as broken down on different functions. The KPI for risk treatment rate assesses and compares over time how well high and very high continuity risks (H/VH) are treated. In the annual compliance reviews of top management, BCM is now also included with performance indicators that focus on the following questions: “Do you have a BCM strategy in place?”, “Do you have BCM action plans in place?” and “Have you engaged in any tests?”

Based on resultant compliance diagrams and feedback, BCM frameworks have been improved and better trained. Training is more concentrated on keeping Ericsson's risk culture alive at times when the number of incidents is reduced and the importance of risk might thus easily be underestimated. Global scenarios are especially used for training. More training modules, templates and instructions for BCM have been developed and made publicly available online. There has also been more formalization with respect to how to collect takeaways and use concluding learning from training exercises as an input to improvement programs. As Ericsson's management teams take training seriously, they create awareness of its existence across the entire organization. Ericsson has established a strong network with different external partners, which are included in scenario analysis to increase learning, and there are plans to increase this.

Corporate governance and organizational structure

The main organizing principles for SCRM are, and have been for 15 years, a cross-functional matrix including the different corporate functions of Supply, Sourcing and Security, with operational activities being performed in the business areas and in the operational parts of Supply, Sourcing and Security. While initially difficult to ensure, the risk culture was consistently integrated into the organization, and this has improved considerably since 2010. Both organizational and SCRM processes have become more formalized and cross-functional, but also more fine-grained as many operational positions have been appointed, for example, those related to Sourcing's strategic program and the BCM implementation performed by the BCM drivers. The scope of SCRM has largely been extended to include downstream processes and sites, more risk types and more external partners. While SCRM was also inter-organizational 15 years ago through cooperation with insurance companies along with supplier contracts and training, this has both increased and become more formalized over time.

Corporate governance initiatives, such as updating or implementing different ISO standards and focusing on CSR and compliance, turned out to be significant when elevating the level of formalization, expressing top management support and turning risk management into a “part of the corporate brand.” While all risk incidents between 2009 and 2013 resulted in a strengthened risk awareness across all levels, they also increased cross-functional activities related to both reactive and proactive SCRM.

Processes and tools

The general outline of the proactive SCRM process has not substantially changed, but its scope, depth, formalization and distribution across the organization have increased.

The risk-identification phase now includes a much larger set of risk sources (downstream activities, more types of materials, political and trade risk and cyber risk, to name just a few). Much more risk data can be handled much more rapidly owing to better IS support, more powerful databases and contemporary analytics tools. Accountability is more formalized, and risk mapping is carried out more frequently. Finally, compliance with the outlined process is measured and followed up.

Additionally, the risk-assessment phases relate to the original approach, still assessing BIV and BRT, but now also maximum tolerable outage and components' recovery time. What is new is the use of more sophisticated IS tools and the way knowledge and tools are cross-functionally combined, thereby building bridges, for example, between BCM and Sourcing. Meanwhile, more risk data are available, and tools have been developed, digitized and combined. Utilizing geographical coordinates as input, future business impact related to the demand of different customers can be computed. Functions such as R&D are involved much earlier, e.g. by assessing supply chain risks when developing a product.

The explicit use of clearly defined proactive risk-mitigation strategies has become greater partially related to Sourcing's strategic program to monitor compliance with its implementation plans. Currently, Ericsson uses most risk strategies from the literature proactively. First, hedging is employed by involving more manufacturing sites than needed and positioning at different geographical locations. Second, increased outsourcing is used to improve flexibility and agility, but only with a few contract manufacturers and service providers to enhance the level of collaboration. Third, standard processes are implemented to enable the transfer of activities between sites and providers. Fourth, dual and multiple sourcing is pursued, regarding both geographical sites and suppliers. Fifth, when possible, standardized components are used based on modular design and postponement strategies (via software to differentiate the delivered functionality at a late stage). Sixth, consolidated local inventory and stocks are utilized in regional supply centers where the final configurations are produced. Seventh, central control of inventory has been increased. Eighth, globally integrated information systems and analytics tools have been integrated. Ninth, segmented inventory and strategic positioning of stock within the supply chain (also including suppliers and sub-suppliers) have been implemented. Tenth, lead and response time have been reduced. Eleventh, there is enhanced collaboration with external partners. Finally, there is intensified communication surrounding the development of long-term relationships and trust with partners.

It is perhaps risk monitoring, both internal and external, that has been expanded the most. Compliance with SCRM processes, and implementation plans for projects or mitigation strategies, are frequently and formally measured and followed up (e.g. Figures 3–7). This relates to Supply, Sourcing and Security, but also to the means by which different business areas collaborate with BCM and how R&D takes risks into consideration when developing new products. Suppliers and providers are also monitored more extensively, often by external partners, such as third-party auditors or insurance companies (e.g. Figures 4 and 5).

Although the organizational structure and processes for reactive SCRM were outlined 15 years ago (Norrman and Jansson, 2004), this is another area where substantial developments took place. Many of these developments relate to Ericsson's capabilities surrounding the formalization of how it learns from incidents where processes and tools were first used and refined.

Incident recognition and response initiation have now become an integral part of Ericsson's “way of working,” with clear roles being defined that are supported by defined processes and tools (e.g. Sites@Risk). The incident manager, together with the chairman of the Supply Chain Crisis Management Task Force, decides, based on an initial analysis, whether to initiate a response. This sub-process has clearly been strongly developed.

A disruption management team was also appointed throughout subsequent to the Albuquerque accident. This taskforce, ESCCMTF, integrates members from different functions, has a clear organizational structure and roles, and can be activated within just a few minutes. After being involved in different types of incidents, over time, it has been fine-tuned, resulting in the current way of working.

Initial plans for how to react to an incident have emerged over time. Tools, processes, control questions, pre-formulated letters, etc. have been tested and honed. The last year's focus on BCM training and planning activities further enhanced this knowledge and awareness. Plans are reviewed as part of the ESCCMTF, e.g. by formalized meetings and consequence analyses.

Evaluation and learning for future improvements have become an important part of Ericsson's reactive SCRM through a more formalized and systematic approach for engaging in and documenting lessons-learned sessions. Knowledge from reactive SCRM work then gets implemented into proactive SCRM processes. Cross-functional training sessions related to risk, at different organizational levels, are now a formalized part of the BCM way of working.

Systems

Several improvements have been implemented for Ericsson's IT systems. General IS capabilities have developed over time, for example through improved business data warehousing, increased visibility through the joint ERP and improved analytics tools, all of which have strengthened functional tools and processes used within SCRM (e.g. mapping tools, joint forecasting, Sites@Risk, global planning tool). When employees understood how to leverage the improved systems and tools, and determined how to combine them cross-functionally to extend analysis and decision-making both proactively and reactively (e.g. regarding customer prioritization and communication), SCRM activities were further developed. While the corporate IS improvements of ten years ago served as an enabler of subsequent SCRM developments, the ongoing wave of improvements in general IS capabilities related to big data, improved analytics tools and process mining has the potential to serve as a platform for a next generation of SCRM activities.

Assessment and learning

Although Ericsson applied TQM-oriented learning activities 15 years ago, learning activities are now much more formalized and seen as important. Risk assessments of components, suppliers and sites have gradually been developed, while a larger change is the increased internal and external monitoring of, e.g. implementation projects, improvement plans, mitigation strategies and compliance with processes. This monitoring not only creates incentives for implementation and change but also yields a learning platform for analysis and reflections. Training and scenario analysis are now regularly conducted in cross-functional sessions at different organizational levels, thereby keeping the risk culture alive and preventing Ericsson from falling back into old patterns during periods when incidents or accidents are rare. Senior management's involvement through showing a commitment to training activities also helps develop such a risk culture. Learning sessions, both from risk incidents and planned training, have been more formalized, especially as the BCM framework stressed the pathway towards continuous improvements as one of its key steps.

Triggering events and enablers

The longitudinal development of Ericsson's SCRM practices seems to have taken place stepwise, and could be triggered by different events and enablers, both external and internal. Over time, development has shifted between a proactive or reactive focus; between more functional development or leveraging a cross-functional and inter-organizational combination; between putting corporate systems and standards in place, or using these to improve SCRM practices; and between more ad-hoc improvement or more formalized monitoring and development.

The Albuquerque accident (Norrman and Jansson, 2004) definitely sparked Ericsson's first development of proactive SCRM processes. Similarly, different waves of accidents and incidents triggered much of the development starting around 2010. Cynically, a lack of incidents could make proactive and reactive risk management sometimes seem less important, and development probably not as strong. Further, as SCRM processes would be less practiced in a time of no incidents (as seen before 2009), these processes would have problems with “sticking to the organization.”

Another external factor has been external stakeholders' increased interest in SCRM and BCM, e.g. customers, insurance companies, and authorities. Senior management has translated this via different corporate programs (e.g. CSR and Compliance) where SCRM aspects have been important components. Corporate governance has hence boosted the development of SCRM and updated and implemented different corporate standards (like ISO and OHSAS) that have made the corporate culture more accustomed to formalization and assessment, which have enabled SCRM development. The last year’s BCM focus on continuous improvement, exercises and training has further created a more solid platform for learning and knowledge management. Increased technical IS capability is another key enabler for the transformation, making it easier to handle large sets of risk data extremely quickly.

While functional development (e.g. within Supply, Sourcing, Security) of processes and tools is vital, in order to reach the next level, the enabling of cross-functional combinations of functional capabilities and tools is necessary. While founded in the original high-level matrix organization, this was accelerated when the operational organization became more formalized and fine-grained as well as when cross-functional work occurred during real incidents or trainings. The increased focus on assessment, learning, training and continuous development seems to be a final important enabler.